xred | 669a6882f8eb838fa1d76ac2e8d1f652c41581d6ef54c47b5e165cf201c2c617

General

Target

669a6882f8eb838fa1d76ac2e8d1f652c41581d6ef54c47b5e165cf201c2c617N.exe
Size

1.1MB
MD5

60a58fb1d15ebfed20e84a634367a850
SHA1

3042289e9f2c8163f0085712a2a58dd4bb6adce2
SHA256

669a6882f8eb838fa1d76ac2e8d1f652c41581d6ef54c47b5e165cf201c2c617
SHA512

0bce7f462880fe16d968948ad01bc5256d154a0b66788d41c338cae04eeea873c30da45d20884409ba930c1cadecde688b0d02b8cd1dbb6d512aed62b2b09a6b
SSDEEP

24576:tnsJ39LyjbJkQFMhmC+6GD9ICnzZSpz8Lkg:tnsHyjtk2MYC5GDHzk0v

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
1436	._cache_669a6882f8eb838fa1d76ac2e8d1f652c41581d6ef54c47b5e165cf201c2c617N.exe
2772	Synaptics.exe
2600	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
2672	669a6882f8eb838fa1d76ac2e8d1f652c41581d6ef54c47b5e165cf201c2c617N.exe
2672	669a6882f8eb838fa1d76ac2e8d1f652c41581d6ef54c47b5e165cf201c2c617N.exe
2672	669a6882f8eb838fa1d76ac2e8d1f652c41581d6ef54c47b5e165cf201c2c617N.exe
2772	Synaptics.exe
2772	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	669a6882f8eb838fa1d76ac2e8d1f652c41581d6ef54c47b5e165cf201c2c617N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	669a6882f8eb838fa1d76ac2e8d1f652c41581d6ef54c47b5e165cf201c2c617N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1952	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1952	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 1436	2672	669a6882f8eb838fa1d76ac2e8d1f652c41581d6ef54c47b5e165cf201c2c617N.exe	30
PID 2672 wrote to memory of 1436	2672	669a6882f8eb838fa1d76ac2e8d1f652c41581d6ef54c47b5e165cf201c2c617N.exe	30
PID 2672 wrote to memory of 1436	2672	669a6882f8eb838fa1d76ac2e8d1f652c41581d6ef54c47b5e165cf201c2c617N.exe	30
PID 2672 wrote to memory of 1436	2672	669a6882f8eb838fa1d76ac2e8d1f652c41581d6ef54c47b5e165cf201c2c617N.exe	30
PID 2672 wrote to memory of 2772	2672	669a6882f8eb838fa1d76ac2e8d1f652c41581d6ef54c47b5e165cf201c2c617N.exe	32
PID 2672 wrote to memory of 2772	2672	669a6882f8eb838fa1d76ac2e8d1f652c41581d6ef54c47b5e165cf201c2c617N.exe	32
PID 2672 wrote to memory of 2772	2672	669a6882f8eb838fa1d76ac2e8d1f652c41581d6ef54c47b5e165cf201c2c617N.exe	32
PID 2672 wrote to memory of 2772	2672	669a6882f8eb838fa1d76ac2e8d1f652c41581d6ef54c47b5e165cf201c2c617N.exe	32
PID 2772 wrote to memory of 2600	2772	Synaptics.exe	33
PID 2772 wrote to memory of 2600	2772	Synaptics.exe	33
PID 2772 wrote to memory of 2600	2772	Synaptics.exe	33
PID 2772 wrote to memory of 2600	2772	Synaptics.exe	33

C:\Users\Admin\AppData\Local\Temp\669a6882f8eb838fa1d76ac2e8d1f652c41581d6ef54c47b5e165cf201c2c617N.exe
"C:\Users\Admin\AppData\Local\Temp\669a6882f8eb838fa1d76ac2e8d1f652c41581d6ef54c47b5e165cf201c2c617N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Local\Temp\._cache_669a6882f8eb838fa1d76ac2e8d1f652c41581d6ef54c47b5e165cf201c2c617N.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_669a6882f8eb838fa1d76ac2e8d1f652c41581d6ef54c47b5e165cf201c2c617N.exe"
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2600

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.1MB

MD5
60a58fb1d15ebfed20e84a634367a850

SHA1
3042289e9f2c8163f0085712a2a58dd4bb6adce2

SHA256
669a6882f8eb838fa1d76ac2e8d1f652c41581d6ef54c47b5e165cf201c2c617

SHA512
0bce7f462880fe16d968948ad01bc5256d154a0b66788d41c338cae04eeea873c30da45d20884409ba930c1cadecde688b0d02b8cd1dbb6d512aed62b2b09a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_669a6882f8eb838fa1d76ac2e8d1f652c41581d6ef54c47b5e165cf201c2c617N.exe

Filesize
369KB

MD5
5fcfe9a4da55421bda55959ebb67b1b2

SHA1
42cae4b098a43c725048036ba0eb65ac992254e5

SHA256
50e22fd9d37c6b1e14a86b5e4440aaaa4d2a20d1dd8f83d2c9e19915f45b61ff

SHA512
dfc69fa7508c1b08c233988eff0d4b4479c6548a1e489d3be8d2f185a4b8993cda159e4979ca94359e11c039e8bd7f2e660e6a7df5c032c64400b64e03ef4457

Download Submit
C:\Users\Admin\AppData\Local\Temp\OTsFXjqD.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
memory/1952-35-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2672-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2672-24-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/2772-55-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/2772-56-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/2772-88-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads