xred | 9864c3c9370df98e922ee49c7c20e0ee9104e7635a4cb04f5d5cc80f0d462d46

General

Target

9864c3c9370df98e922ee49c7c20e0ee9104e7635a4cb04f5d5cc80f0d462d46.exe
Size

759KB
MD5

cf90abd81f691b634c161da5ad4624be
SHA1

f48426b860d13fe9711d619c96b2852450cd8316
SHA256

9864c3c9370df98e922ee49c7c20e0ee9104e7635a4cb04f5d5cc80f0d462d46
SHA512

168d6491a2c4eb6671c2fbdaced849856fd54ce4de7b8f7d6c1efd594515c1852bd0830b51f2032f4d1a32043ff31b75a138fac26c65dcee4e6c7dae60a9a766
SSDEEP

12288:SMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9YKj:SnsJ39LyjbJkQFMhmC+6GD99

Score

10^/10

xred backdoor discovery macro persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 2 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x00060000000191f6-97.dat
behavioral1/files/0x00080000000191f6-121.dat

Executes dropped EXE 3 IoCs

pid	Process
2788	._cache_9864c3c9370df98e922ee49c7c20e0ee9104e7635a4cb04f5d5cc80f0d462d46.exe
2812	Synaptics.exe
2604	._cache_Synaptics.exe

Loads dropped DLL 15 IoCs

pid	Process
1316	9864c3c9370df98e922ee49c7c20e0ee9104e7635a4cb04f5d5cc80f0d462d46.exe
1316	9864c3c9370df98e922ee49c7c20e0ee9104e7635a4cb04f5d5cc80f0d462d46.exe
1316	9864c3c9370df98e922ee49c7c20e0ee9104e7635a4cb04f5d5cc80f0d462d46.exe
2812	Synaptics.exe
2812	Synaptics.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
1252	WerFault.exe
1252	WerFault.exe
1252	WerFault.exe
1252	WerFault.exe
2648	WerFault.exe
1252	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	9864c3c9370df98e922ee49c7c20e0ee9104e7635a4cb04f5d5cc80f0d462d46.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2648	2788	WerFault.exe	30
1252	2604	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9864c3c9370df98e922ee49c7c20e0ee9104e7635a4cb04f5d5cc80f0d462d46.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_9864c3c9370df98e922ee49c7c20e0ee9104e7635a4cb04f5d5cc80f0d462d46.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3048	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3048	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 2788	1316	9864c3c9370df98e922ee49c7c20e0ee9104e7635a4cb04f5d5cc80f0d462d46.exe	30
PID 1316 wrote to memory of 2788	1316	9864c3c9370df98e922ee49c7c20e0ee9104e7635a4cb04f5d5cc80f0d462d46.exe	30
PID 1316 wrote to memory of 2788	1316	9864c3c9370df98e922ee49c7c20e0ee9104e7635a4cb04f5d5cc80f0d462d46.exe	30
PID 1316 wrote to memory of 2788	1316	9864c3c9370df98e922ee49c7c20e0ee9104e7635a4cb04f5d5cc80f0d462d46.exe	30
PID 1316 wrote to memory of 2812	1316	9864c3c9370df98e922ee49c7c20e0ee9104e7635a4cb04f5d5cc80f0d462d46.exe	32
PID 1316 wrote to memory of 2812	1316	9864c3c9370df98e922ee49c7c20e0ee9104e7635a4cb04f5d5cc80f0d462d46.exe	32
PID 1316 wrote to memory of 2812	1316	9864c3c9370df98e922ee49c7c20e0ee9104e7635a4cb04f5d5cc80f0d462d46.exe	32
PID 1316 wrote to memory of 2812	1316	9864c3c9370df98e922ee49c7c20e0ee9104e7635a4cb04f5d5cc80f0d462d46.exe	32
PID 2812 wrote to memory of 2604	2812	Synaptics.exe	33
PID 2812 wrote to memory of 2604	2812	Synaptics.exe	33
PID 2812 wrote to memory of 2604	2812	Synaptics.exe	33
PID 2812 wrote to memory of 2604	2812	Synaptics.exe	33
PID 2788 wrote to memory of 2648	2788	._cache_9864c3c9370df98e922ee49c7c20e0ee9104e7635a4cb04f5d5cc80f0d462d46.exe	34
PID 2788 wrote to memory of 2648	2788	._cache_9864c3c9370df98e922ee49c7c20e0ee9104e7635a4cb04f5d5cc80f0d462d46.exe	34
PID 2788 wrote to memory of 2648	2788	._cache_9864c3c9370df98e922ee49c7c20e0ee9104e7635a4cb04f5d5cc80f0d462d46.exe	34
PID 2788 wrote to memory of 2648	2788	._cache_9864c3c9370df98e922ee49c7c20e0ee9104e7635a4cb04f5d5cc80f0d462d46.exe	34
PID 2604 wrote to memory of 1252	2604	._cache_Synaptics.exe	37
PID 2604 wrote to memory of 1252	2604	._cache_Synaptics.exe	37
PID 2604 wrote to memory of 1252	2604	._cache_Synaptics.exe	37
PID 2604 wrote to memory of 1252	2604	._cache_Synaptics.exe	37

C:\Users\Admin\AppData\Local\Temp\9864c3c9370df98e922ee49c7c20e0ee9104e7635a4cb04f5d5cc80f0d462d46.exe
"C:\Users\Admin\AppData\Local\Temp\9864c3c9370df98e922ee49c7c20e0ee9104e7635a4cb04f5d5cc80f0d462d46.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Users\Admin\AppData\Local\Temp\._cache_9864c3c9370df98e922ee49c7c20e0ee9104e7635a4cb04f5d5cc80f0d462d46.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_9864c3c9370df98e922ee49c7c20e0ee9104e7635a4cb04f5d5cc80f0d462d46.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 540
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2648
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 544
      4⤵
      Loads dropped DLL
      Program crash
      PID:1252

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
759KB

MD5
cf90abd81f691b634c161da5ad4624be

SHA1
f48426b860d13fe9711d619c96b2852450cd8316

SHA256
9864c3c9370df98e922ee49c7c20e0ee9104e7635a4cb04f5d5cc80f0d462d46

SHA512
168d6491a2c4eb6671c2fbdaced849856fd54ce4de7b8f7d6c1efd594515c1852bd0830b51f2032f4d1a32043ff31b75a138fac26c65dcee4e6c7dae60a9a766

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_9864c3c9370df98e922ee49c7c20e0ee9104e7635a4cb04f5d5cc80f0d462d46.exe

Filesize
5KB

MD5
4624ab4bce4ccc53eb7c0d4f1788447d

SHA1
1d495243614d075d924d68d84c3f8901b3fc553c

SHA256
a222c177c52c07014542abced00feae38889f9aef7cfac7227c3f5feeb7d1eae

SHA512
cff66d49968e33a191ebc9f73740a93cd3823680d828cdbd9c4752920f50dd1b2c8b501a82eb2efc3d86aa1a31b293dc0df088da62a89ffa72fbb5829cf70af3

Download Submit
C:\Users\Admin\AppData\Local\Temp\9hCo3TPv.xlsm

Filesize
25KB

MD5
0b8207499904a6679c95a128a7b15d7d

SHA1
0d07adcb736d19c40103b3a6dbb5497c99beba5f

SHA256
b9d3dbf06eaa841fced496d39587334cbd7e28939c123806a9ee453da53a3b05

SHA512
c02d580f6dea9d0ea0c3249f8880aa83c620560d2d54a7d7c8d5812cd07c12fb8a537b922ed80098fdaa9fd1c1cd67e3443f67870f33dfb26c987e7507c5cf97

Download Submit
C:\Users\Admin\AppData\Local\Temp\9hCo3TPv.xlsm

Filesize
25KB

MD5
9e259453940bdd581becf6b2deb5c928

SHA1
1a224f4f18360715b34daeaa69c4904aabfd8648

SHA256
458628e158449bf2a31455ad335e1e7625826d8f18c518f914945c5e5e864ccc

SHA512
bf4025fb39b8c334e01d0a3bdfb5442a548864c98cd195a96545a20dc461578b217db2e6d61880fd5494c85da0555988a1a9543c2f3dfe95f12222f9a902a370

Download Submit
C:\Users\Admin\AppData\Local\Temp\9hCo3TPv.xlsm

Filesize
20KB

MD5
30a34ed25d32b7c62ebadc8be1f2af2c

SHA1
cad1dbd2839c7c8af4fcb529b57a7d253cdf3d80

SHA256
5d9008eb710f5086ec1394e3beebb41daf70ff4a67653e4c49b87ec47bc30643

SHA512
60b3e98473edd84da8ba515c93480bdb1d4be919109e861eefb74ba98bf03919b8c7b117d793cef8612351d398afc6b78308abe4128c356fc52a6c5e0dc030a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\9hCo3TPv.xlsm

Filesize
24KB

MD5
8f7f22410e0585808191a0d76ba2f1f4

SHA1
72c8e596b1a41b870d35e7b757ed597593725b62

SHA256
14193c65b8c8f84690ef1bafe6ac27d422bf6ca8e5b406c8f52eb48a5658a98c

SHA512
419069a57c6a2b7a4d4a66732daaa99c84d937481e17937ca483c0351df2e13e2bca124aeb4a36342d2f1a7bf2884967e229efdd0a02a08b4c77bab55fdcaee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9hCo3TPv.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\Downloads\~$SaveRedo.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
memory/1316-26-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1316-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2604-42-0x00000000009A0000-0x00000000009A8000-memory.dmp

Filesize
32KB

Download
memory/2788-29-0x0000000000240000-0x0000000000248000-memory.dmp

Filesize
32KB

Download
memory/2812-129-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2812-164-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/3048-47-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads