xred | 4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb

General

Target

4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb.exe
Size

2.6MB
MD5

0114727c340e4ff952938ff19491b098
SHA1

72bd39f695b9580c76382e5d91b337f27c951dca
SHA256

4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb
SHA512

43047984f8f8a391133194d7d203b2e5efb55410abc7e8faa057c2b7695513963a28bfb822775d68263934f20b2c8b73d43a4dc67208329e4d435f6e2ef9a4db
SSDEEP

49152:gnsHyjtk2MYC5GDnYolY+iOo7/PpGpL0oh6jgvp:gnsmtk2aDoCOqpG1fh6jgh

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 5 IoCs

pid	Process
2824	._cache_4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb.exe
1688	._cache_4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb.exe
2264	Synaptics.exe
3012	._cache_Synaptics.exe
2184	._cache_synaptics.exe

Loads dropped DLL 9 IoCs

pid	Process
2804	4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb.exe
2804	4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb.exe
2824	._cache_4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb.exe
2804	4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb.exe
2804	4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb.exe
2264	Synaptics.exe
2264	Synaptics.exe
2264	Synaptics.exe
3012	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1688	._cache_4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb.exe
2184	._cache_synaptics.exe
1688	._cache_4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb.exe
2184	._cache_synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2616	EXCEL.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2824	._cache_4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb.exe
2824	._cache_4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb.exe
3012	._cache_Synaptics.exe
3012	._cache_Synaptics.exe
2616	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2824	2804	4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb.exe	30
PID 2804 wrote to memory of 2824	2804	4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb.exe	30
PID 2804 wrote to memory of 2824	2804	4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb.exe	30
PID 2804 wrote to memory of 2824	2804	4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb.exe	30
PID 2824 wrote to memory of 1688	2824	._cache_4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb.exe	31
PID 2824 wrote to memory of 1688	2824	._cache_4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb.exe	31
PID 2824 wrote to memory of 1688	2824	._cache_4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb.exe	31
PID 2824 wrote to memory of 1688	2824	._cache_4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb.exe	31
PID 2804 wrote to memory of 2264	2804	4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb.exe	32
PID 2804 wrote to memory of 2264	2804	4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb.exe	32
PID 2804 wrote to memory of 2264	2804	4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb.exe	32
PID 2804 wrote to memory of 2264	2804	4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb.exe	32
PID 2264 wrote to memory of 3012	2264	Synaptics.exe	33
PID 2264 wrote to memory of 3012	2264	Synaptics.exe	33
PID 2264 wrote to memory of 3012	2264	Synaptics.exe	33
PID 2264 wrote to memory of 3012	2264	Synaptics.exe	33
PID 3012 wrote to memory of 2184	3012	._cache_Synaptics.exe	35
PID 3012 wrote to memory of 2184	3012	._cache_Synaptics.exe	35
PID 3012 wrote to memory of 2184	3012	._cache_Synaptics.exe	35
PID 3012 wrote to memory of 2184	3012	._cache_Synaptics.exe	35

C:\Users\Admin\AppData\Local\Temp\4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb.exe
"C:\Users\Admin\AppData\Local\Temp\4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Users\Admin\AppData\Local\Temp\._cache_4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2824
- - \??\c:\users\admin\appdata\local\temp\._cache_4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb.exe
    c:\users\admin\appdata\local\temp\._cache_4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1688
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
      c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2184

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
2.6MB

MD5
0114727c340e4ff952938ff19491b098

SHA1
72bd39f695b9580c76382e5d91b337f27c951dca

SHA256
4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb

SHA512
43047984f8f8a391133194d7d203b2e5efb55410abc7e8faa057c2b7695513963a28bfb822775d68263934f20b2c8b73d43a4dc67208329e4d435f6e2ef9a4db

Download Submit
C:\Users\Admin\AppData\Local\Temp\SeXs9wY6.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
370a09c146d6836b664651e7d92d3e8d

SHA1
eabeb391996a2eda0b30e088cdde381f4b737dd4

SHA256
7c0b05b33d7fdc83fb72b7fc9685666e24c7a3846cf33dabd83ab579a296fd40

SHA512
98faccdd90d5c9f5ef09ee1184e92d98e89585f7aec0a764af9e23dec0d8aba22bf8071fead54f4a68c60d82de77ff095782f33364cbaf0dddce5a94ce2740c1

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb.exe

Filesize
1.9MB

MD5
6cab864533a299853f65a2c65d2c013b

SHA1
58d06ffffe4e4b14b7eb392a2ce8aa1e9ab27cf9

SHA256
2cd738461c8944a57780cbbc426c189599bd7c32ba8b38a56493fb3ba3e2624c

SHA512
a49273595d740c17f8b2a0d87e7f9ab89971edb70fe782178cecd44dda9c1a7690d4a777a22ffa98add482f5e538aeba7bfb4279883a1b6b6113513cd7e5814b

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_4b07f194b3dec3f31d74bf45b445502f79bd76956c5cb2e4c30eea0aa0efeecb.exe

Filesize
1.7MB

MD5
408e9726f1a063874b9b841f1a066e7a

SHA1
a7bde856807a58ff4278974b28aba0e0b475c6fd

SHA256
bc9f40641b7b1652a42939695a79f4b2b2cf109f0c6f7ebeae4a060915fea311

SHA512
0efa1d8bfdd881df71d68934898eb76c7e7672d80688aae4b9029c450900490e7fd3a5a801033edb919e05188b222246d1c418907b1b7f8624c3f909c400532b

Download Submit
memory/1688-47-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/1688-90-0x000000001B7C0000-0x000000001B862000-memory.dmp

Filesize
648KB

Download
memory/2184-91-0x000000001BBB0000-0x000000001BC52000-memory.dmp

Filesize
648KB

Download
memory/2264-128-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/2264-123-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/2264-56-0x0000000003DA0000-0x0000000003DE1000-memory.dmp

Filesize
260KB

Download
memory/2264-129-0x0000000003DA0000-0x0000000003DE1000-memory.dmp

Filesize
260KB

Download
memory/2264-93-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/2264-50-0x0000000003DA0000-0x0000000003DE1000-memory.dmp

Filesize
260KB

Download
memory/2264-92-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/2616-69-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2804-41-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/2804-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2804-21-0x0000000003B40000-0x0000000003B81000-memory.dmp

Filesize
260KB

Download
memory/2804-20-0x0000000003B40000-0x0000000003B81000-memory.dmp

Filesize
260KB

Download
memory/2824-70-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2824-22-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3012-68-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads