xred | 941c9d80c8c221e6bd33d75d01b8404027ca98e344279c8b94d5c639f94118a0

General

Target

941c9d80c8c221e6bd33d75d01b8404027ca98e344279c8b94d5c639f94118a0.exe
Size

1.1MB
MD5

9dfca0b4a10e24e0b2c8f1fd35a035e1
SHA1

56a525fe9a4fdd1c69c09cc78114d15bc8b04c46
SHA256

941c9d80c8c221e6bd33d75d01b8404027ca98e344279c8b94d5c639f94118a0
SHA512

16c30294ba741571e00905d95a62eccd81391ebaa029849142186986b452f17d92366bddc4ce05db64edca9aa8abacb554ad0cfb21eaa7df7ad3567608d119b9
SSDEEP

24576:tnsJ39LyjbJkQFMhmC+6GD9ICnzZSpz8LkQ:tnsHyjtk2MYC5GDHzk0V

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
2712	._cache_941c9d80c8c221e6bd33d75d01b8404027ca98e344279c8b94d5c639f94118a0.exe
2668	Synaptics.exe
2564	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
2872	941c9d80c8c221e6bd33d75d01b8404027ca98e344279c8b94d5c639f94118a0.exe
2872	941c9d80c8c221e6bd33d75d01b8404027ca98e344279c8b94d5c639f94118a0.exe
2872	941c9d80c8c221e6bd33d75d01b8404027ca98e344279c8b94d5c639f94118a0.exe
2668	Synaptics.exe
2668	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	941c9d80c8c221e6bd33d75d01b8404027ca98e344279c8b94d5c639f94118a0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	941c9d80c8c221e6bd33d75d01b8404027ca98e344279c8b94d5c639f94118a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2496	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2496	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2712	2872	941c9d80c8c221e6bd33d75d01b8404027ca98e344279c8b94d5c639f94118a0.exe	30
PID 2872 wrote to memory of 2712	2872	941c9d80c8c221e6bd33d75d01b8404027ca98e344279c8b94d5c639f94118a0.exe	30
PID 2872 wrote to memory of 2712	2872	941c9d80c8c221e6bd33d75d01b8404027ca98e344279c8b94d5c639f94118a0.exe	30
PID 2872 wrote to memory of 2712	2872	941c9d80c8c221e6bd33d75d01b8404027ca98e344279c8b94d5c639f94118a0.exe	30
PID 2872 wrote to memory of 2668	2872	941c9d80c8c221e6bd33d75d01b8404027ca98e344279c8b94d5c639f94118a0.exe	32
PID 2872 wrote to memory of 2668	2872	941c9d80c8c221e6bd33d75d01b8404027ca98e344279c8b94d5c639f94118a0.exe	32
PID 2872 wrote to memory of 2668	2872	941c9d80c8c221e6bd33d75d01b8404027ca98e344279c8b94d5c639f94118a0.exe	32
PID 2872 wrote to memory of 2668	2872	941c9d80c8c221e6bd33d75d01b8404027ca98e344279c8b94d5c639f94118a0.exe	32
PID 2668 wrote to memory of 2564	2668	Synaptics.exe	33
PID 2668 wrote to memory of 2564	2668	Synaptics.exe	33
PID 2668 wrote to memory of 2564	2668	Synaptics.exe	33
PID 2668 wrote to memory of 2564	2668	Synaptics.exe	33

C:\Users\Admin\AppData\Local\Temp\941c9d80c8c221e6bd33d75d01b8404027ca98e344279c8b94d5c639f94118a0.exe
"C:\Users\Admin\AppData\Local\Temp\941c9d80c8c221e6bd33d75d01b8404027ca98e344279c8b94d5c639f94118a0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Local\Temp\._cache_941c9d80c8c221e6bd33d75d01b8404027ca98e344279c8b94d5c639f94118a0.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_941c9d80c8c221e6bd33d75d01b8404027ca98e344279c8b94d5c639f94118a0.exe"
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2564

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.1MB

MD5
9dfca0b4a10e24e0b2c8f1fd35a035e1

SHA1
56a525fe9a4fdd1c69c09cc78114d15bc8b04c46

SHA256
941c9d80c8c221e6bd33d75d01b8404027ca98e344279c8b94d5c639f94118a0

SHA512
16c30294ba741571e00905d95a62eccd81391ebaa029849142186986b452f17d92366bddc4ce05db64edca9aa8abacb554ad0cfb21eaa7df7ad3567608d119b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_941c9d80c8c221e6bd33d75d01b8404027ca98e344279c8b94d5c639f94118a0.exe

Filesize
369KB

MD5
5fcfe9a4da55421bda55959ebb67b1b2

SHA1
42cae4b098a43c725048036ba0eb65ac992254e5

SHA256
50e22fd9d37c6b1e14a86b5e4440aaaa4d2a20d1dd8f83d2c9e19915f45b61ff

SHA512
dfc69fa7508c1b08c233988eff0d4b4479c6548a1e489d3be8d2f185a4b8993cda159e4979ca94359e11c039e8bd7f2e660e6a7df5c032c64400b64e03ef4457

Download Submit
C:\Users\Admin\AppData\Local\Temp\JpkzfNt3.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\JpkzfNt3.xlsm

Filesize
30KB

MD5
f6ce11d514139f7ec14fe3b4e0a97c14

SHA1
9c9128d1f9bd89c0a6a7d6a36fad0191c92f108d

SHA256
d6dbd86bcfe6f42188b8bd76a2749d8ccb856e685a123e861511345a65909908

SHA512
35be48338a3605a69a9aead4f05c11f49899a2dd5f503675de7cb1ef75eb2106d48fd85dedda7916b15c06f9051ced3c6c002d19d9eee45b8f764b88c11bf15d

Download Submit
C:\Users\Admin\AppData\Local\Temp\JpkzfNt3.xlsm

Filesize
28KB

MD5
cd73597b30881ca29a6d4d807fa038d5

SHA1
818593c9de55c1215883df0b5d27c169f54a3b82

SHA256
d0fa871822eb5211e225c163e393312447d6dd054df0985b507b3df23c643790

SHA512
f25842594973bbf6082da9b0fc0972a54fe702024feea2f66ae0bda85050f14d99fc7d7166db98c9f8c287f931b49365abe06ce0372e261822cd347c146b307f

Download Submit
C:\Users\Admin\AppData\Local\Temp\JpkzfNt3.xlsm

Filesize
22KB

MD5
8b411f6111209176a4ad6e2eef1f5c37

SHA1
f4dd451b0576eee50ea77ae694fd2a0124d0675f

SHA256
2d0c14d530388800e2cb8540cabeb10520010c15879419e07449e0a12e7be069

SHA512
8ff2edbe69a04e04b5e2a56078098355aac05f5a136b3290c0e4789f144d17762b6002e3e94672504707ab0117ca790db74927cc944466a9b17b8005bb573655

Download Submit
C:\Users\Admin\AppData\Local\Temp\JpkzfNt3.xlsm

Filesize
26KB

MD5
c377d6261e36675bbbf47425011ef703

SHA1
d5c434ec31f92dda922496c1d8d144742b0fa825

SHA256
16ef170e3a5191c182685e0587f7ea3a7410294ba62c0197f60df830c1bebe45

SHA512
e6a1f6c7810f05c16a0e550cc1f91481cb2fd0490c89620375d11239e38d5361f00c8a7f22f07e254c5368d101897dffeca8ce983ef4a8676af7c82ec676d83c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~$JpkzfNt3.xlsm

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
memory/2496-35-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2496-111-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2668-112-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/2668-113-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/2668-147-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/2872-0-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2872-25-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads