xred | 7aa910536ef6062c71acdf7b3b1cb7954fe94ca06c1d6a642ee25a4a02958864

General

Target

chromedriver.exe
Size

12.4MB
MD5

bea3347c7c3091438f975697301ba879
SHA1

3c0ebf7bcc8f7c8e1be88f6cf9e31c869b51bd0b
SHA256

7aa910536ef6062c71acdf7b3b1cb7954fe94ca06c1d6a642ee25a4a02958864
SHA512

7d7751c0635599eb73abbf3a4b3d3a15a9ae0cd0e47119dd3b10067a9d087193dabe53bbdc65a47982aa5983a56dca6be32fb579b721ef883b4417ed5a524a62
SSDEEP

393216:fg/gfGhijo3hVoYYo/giRTxkS8uBb3V75rbQndRu23rR2kIiBRqGQ/VkCpuZj3Nr:vGhiGgwV75r4u239uvZoEo

Score

10^/10

xred backdoor discovery macro persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x000a000000016855-94.dat

Executes dropped EXE 3 IoCs

pid	Process
2984	._cache_chromedriver.exe
2780	Synaptics.exe
1636	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
2636	chromedriver.exe
2636	chromedriver.exe
2636	chromedriver.exe
2780	Synaptics.exe
2780	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	chromedriver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chromedriver.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2576	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2576	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 2984	2636	chromedriver.exe	30
PID 2636 wrote to memory of 2984	2636	chromedriver.exe	30
PID 2636 wrote to memory of 2984	2636	chromedriver.exe	30
PID 2636 wrote to memory of 2984	2636	chromedriver.exe	30
PID 2636 wrote to memory of 2780	2636	chromedriver.exe	32
PID 2636 wrote to memory of 2780	2636	chromedriver.exe	32
PID 2636 wrote to memory of 2780	2636	chromedriver.exe	32
PID 2636 wrote to memory of 2780	2636	chromedriver.exe	32
PID 2780 wrote to memory of 1636	2780	Synaptics.exe	33
PID 2780 wrote to memory of 1636	2780	Synaptics.exe	33
PID 2780 wrote to memory of 1636	2780	Synaptics.exe	33
PID 2780 wrote to memory of 1636	2780	Synaptics.exe	33

C:\Users\Admin\AppData\Local\Temp\chromedriver.exe
"C:\Users\Admin\AppData\Local\Temp\chromedriver.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Users\Admin\AppData\Local\Temp\._cache_chromedriver.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_chromedriver.exe"
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:1636

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
12.4MB

MD5
bea3347c7c3091438f975697301ba879

SHA1
3c0ebf7bcc8f7c8e1be88f6cf9e31c869b51bd0b

SHA256
7aa910536ef6062c71acdf7b3b1cb7954fe94ca06c1d6a642ee25a4a02958864

SHA512
7d7751c0635599eb73abbf3a4b3d3a15a9ae0cd0e47119dd3b10067a9d087193dabe53bbdc65a47982aa5983a56dca6be32fb579b721ef883b4417ed5a524a62

Download Submit
C:\Users\Admin\AppData\Local\Temp\8bfAOtGV.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\8bfAOtGV.xlsm

Filesize
32KB

MD5
bfad557a17cd6a1c643b71aa12f52d27

SHA1
005b3ab8569c28bff427858bdb30235536e90b4a

SHA256
bba0323947f3163cc42381adb0b1986820cdec0cbc12aa9f51143f65bbde2862

SHA512
69aa1e6ccbd254cd60661b088b01c949b3e3b678390c66c952281cc4b018f334bbe515553f5d4d45bf5942847ed6d61c8a2599fdae7c5e7c02e30386feccfd5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8bfAOtGV.xlsm

Filesize
26KB

MD5
31c4f9f7a59a28174182f303e70e4553

SHA1
1bfbf8347a00a6fe5655769f6ab656a16bdff058

SHA256
697f1da8493325314cad0602284880737551c805c226408b509b612dc4b714fb

SHA512
ce1a27c028d6150985cfa6c451f2c54c1d6b9cbb3dbd4baa1ea5b68999eb7af53842bcdf4c86857aac0e7da7fa23e1bce03faabee6df540640179674a3b4f372

Download Submit
C:\Users\Admin\AppData\Local\Temp\8bfAOtGV.xlsm

Filesize
28KB

MD5
aa1ec9a16046a55261369d657690e555

SHA1
767a70cf4ae4cec8398656ef4be0dadac8f74720

SHA256
5409b392147454e4939afa77a0e885cf20fd45cf995d855efa05b0b91ad48edd

SHA512
7b16997b0dfa002986f8b8c8aa5d6fe302216668487a5e9e6984a4d2b952299bcab7d294aea1dd534f07b779d3b441b617bb33e78597fb43042a0eb4aa9b6714

Download Submit
C:\Users\Admin\AppData\Local\Temp\8bfAOtGV.xlsm

Filesize
32KB

MD5
29378097ef07856cf02f62557273fe07

SHA1
c873a2faa883a64c3a7d58b8835e261a2ac98e94

SHA256
9aaac207fb424ab8e6d2c8217c4568c86ac68a7e1cc73c511f20698b69713bc0

SHA512
0b4c25480ef4bc6479d2a82524a8f55ad0cf288b42c50bcf61d5f9a59217b74815e458aa3101486bed99a0d29332cc9821eb8a75a8988bef3fd78e8d18603e17

Download Submit
C:\Users\Admin\Downloads\~$DebugCopy.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_chromedriver.exe

Filesize
11.7MB

MD5
7f45280701af0b75eab76f41a39cb6a8

SHA1
e9c81ea041cd2187448f4e5560eafda1e229a0fd

SHA256
0a80a3bb252a5ce730a384ddb71d73799bd82d89144a73da930ca296e10be67e

SHA512
fd3487e8e65d5c86e06c38410d97030c47e3d8620eda36b92a60ee3234d3157989b40315e1eddfdcaae435d0f4386bdc8a97d6c2e703e25ce91319d72a07cc1e

Download Submit
memory/2576-35-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2636-27-0x0000000000400000-0x0000000001077000-memory.dmp

Filesize
12.5MB

Download
memory/2636-0-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2780-115-0x0000000000400000-0x0000000001077000-memory.dmp

Filesize
12.5MB

Download
memory/2780-116-0x0000000000400000-0x0000000001077000-memory.dmp

Filesize
12.5MB

Download
memory/2780-150-0x0000000000400000-0x0000000001077000-memory.dmp

Filesize
12.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads