xred | 8ec1d3b1705ddf0a6148602e29bf815db9cf25bbf058662c79018ed60f2f237c

General

Target

8ec1d3b1705ddf0a6148602e29bf815db9cf25bbf058662c79018ed60f2f237cN.exe
Size

767KB
MD5

f28297af9fb9f8848faf151cd8608090
SHA1

73283932e1794ae42c7a90fba10f1c93a0f3fa0b
SHA256

8ec1d3b1705ddf0a6148602e29bf815db9cf25bbf058662c79018ed60f2f237c
SHA512

1a4500c84ff4b9c0aed509a412cee3000d3c1961d5e45f78c4d28d1c1f053a825a1d81f29277d502f7eb20d3773925fcb418387cfcd8310fc85ad6a389101512
SSDEEP

12288:2MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9vzj:2nsJ39LyjbJkQFMhmC+6GD93

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
2684	._cache_8ec1d3b1705ddf0a6148602e29bf815db9cf25bbf058662c79018ed60f2f237cN.exe
2700	Synaptics.exe
2652	._cache_Synaptics.exe

Loads dropped DLL 7 IoCs

pid	Process
3068	8ec1d3b1705ddf0a6148602e29bf815db9cf25bbf058662c79018ed60f2f237cN.exe
3068	8ec1d3b1705ddf0a6148602e29bf815db9cf25bbf058662c79018ed60f2f237cN.exe
3068	8ec1d3b1705ddf0a6148602e29bf815db9cf25bbf058662c79018ed60f2f237cN.exe
3068	8ec1d3b1705ddf0a6148602e29bf815db9cf25bbf058662c79018ed60f2f237cN.exe
2700	Synaptics.exe
2700	Synaptics.exe
2700	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	8ec1d3b1705ddf0a6148602e29bf815db9cf25bbf058662c79018ed60f2f237cN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ec1d3b1705ddf0a6148602e29bf815db9cf25bbf058662c79018ed60f2f237cN.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1296	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	2684	._cache_8ec1d3b1705ddf0a6148602e29bf815db9cf25bbf058662c79018ed60f2f237cN.exe
Token: SeBackupPrivilege	2652	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1296	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2684	3068	8ec1d3b1705ddf0a6148602e29bf815db9cf25bbf058662c79018ed60f2f237cN.exe	28
PID 3068 wrote to memory of 2684	3068	8ec1d3b1705ddf0a6148602e29bf815db9cf25bbf058662c79018ed60f2f237cN.exe	28
PID 3068 wrote to memory of 2684	3068	8ec1d3b1705ddf0a6148602e29bf815db9cf25bbf058662c79018ed60f2f237cN.exe	28
PID 3068 wrote to memory of 2684	3068	8ec1d3b1705ddf0a6148602e29bf815db9cf25bbf058662c79018ed60f2f237cN.exe	28
PID 3068 wrote to memory of 2700	3068	8ec1d3b1705ddf0a6148602e29bf815db9cf25bbf058662c79018ed60f2f237cN.exe	30
PID 3068 wrote to memory of 2700	3068	8ec1d3b1705ddf0a6148602e29bf815db9cf25bbf058662c79018ed60f2f237cN.exe	30
PID 3068 wrote to memory of 2700	3068	8ec1d3b1705ddf0a6148602e29bf815db9cf25bbf058662c79018ed60f2f237cN.exe	30
PID 3068 wrote to memory of 2700	3068	8ec1d3b1705ddf0a6148602e29bf815db9cf25bbf058662c79018ed60f2f237cN.exe	30
PID 2700 wrote to memory of 2652	2700	Synaptics.exe	31
PID 2700 wrote to memory of 2652	2700	Synaptics.exe	31
PID 2700 wrote to memory of 2652	2700	Synaptics.exe	31
PID 2700 wrote to memory of 2652	2700	Synaptics.exe	31

C:\Users\Admin\AppData\Local\Temp\8ec1d3b1705ddf0a6148602e29bf815db9cf25bbf058662c79018ed60f2f237cN.exe
"C:\Users\Admin\AppData\Local\Temp\8ec1d3b1705ddf0a6148602e29bf815db9cf25bbf058662c79018ed60f2f237cN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\._cache_8ec1d3b1705ddf0a6148602e29bf815db9cf25bbf058662c79018ed60f2f237cN.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_8ec1d3b1705ddf0a6148602e29bf815db9cf25bbf058662c79018ed60f2f237cN.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2652

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
767KB

MD5
f28297af9fb9f8848faf151cd8608090

SHA1
73283932e1794ae42c7a90fba10f1c93a0f3fa0b

SHA256
8ec1d3b1705ddf0a6148602e29bf815db9cf25bbf058662c79018ed60f2f237c

SHA512
1a4500c84ff4b9c0aed509a412cee3000d3c1961d5e45f78c4d28d1c1f053a825a1d81f29277d502f7eb20d3773925fcb418387cfcd8310fc85ad6a389101512

Download Submit
C:\Users\Admin\AppData\Local\Temp\WrzmilkZ.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\WrzmilkZ.xlsm

Filesize
20KB

MD5
c3d86a0035568630d8f51c567342080f

SHA1
67841549ce0631f03fab42423c9bc128948507a2

SHA256
6bea928cda5f3db75dc34d2e12164ff191d0d349afba4ee98453058dd29f12e9

SHA512
4599068ed9d61a1eec629cc9e988ee2fc8613899ad1080614de313b85962950377d03c9dba7b562bb0f17d3fb8d345baeda721e5ee5b2b4fb492f9b23ec59e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WrzmilkZ.xlsm

Filesize
24KB

MD5
6e621626f7ce30fb6d5fdde2708f4d80

SHA1
de3843a03f89f6468ea31bac2166fa4c0d223aea

SHA256
76f5782a16451c28e702066225f0b89050456c7e9d609f5ee810a9f46dd36f9e

SHA512
01d44692c0b78bd1dce1868457d9a3cc49623b05f6b219a61d190ee70d007715c42b008d8aac49c258682666109a38aaa0056cb00d7f5ba2035e28d4dc9f033e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WrzmilkZ.xlsm

Filesize
23KB

MD5
3c833df555fcc90fe003dd260bbd0a1f

SHA1
a7c2bde926167343480c635d99d09dc33e55d38b

SHA256
957d73c55a98d17adb29d237a4bcebaccd2f93f11eb2ee1b4f77a8df08aaa2a9

SHA512
60e26eb84700295b2019b45c2cc1169ae1434d5af49bcc9008a89c5479b56f8b64911fdbcc5b1133617b1bcf6baac9a1e09f783edfb37da2f91aa9926145d6a2

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_8ec1d3b1705ddf0a6148602e29bf815db9cf25bbf058662c79018ed60f2f237cN.exe

Filesize
14KB

MD5
f8aeb6e06cc807722b79785243f32c02

SHA1
472e9a557f8b8712b2fafd4519e0606e04ab4494

SHA256
0ff33155d9f99a20f7e401e2b9cf11ab1511ede365334bbaab2428e079913b9b

SHA512
70f0f5c208ef6a8a5f677ba5b55dbe7253adfe25a92392a1a7c528c30b4963f839aeb425c163008456970a6789357c5a7df688b42bedf3f66e8222a7122147f3

Download Submit
memory/1296-42-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1296-107-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2700-41-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2700-108-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2700-109-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/2700-143-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/3068-28-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/3068-0-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads