xred | 5b6b0147b11173d46870635b7cd79a92dc2f37975abdd153cda1c7703f7ad113

General

Target

5b6b0147b11173d46870635b7cd79a92dc2f37975abdd153cda1c7703f7ad113.exe
Size

1.2MB
MD5

710dc70cd131408097567322309f14f7
SHA1

617c27fff28e0350c2251557258a6756ccd1a4e2
SHA256

5b6b0147b11173d46870635b7cd79a92dc2f37975abdd153cda1c7703f7ad113
SHA512

a99ad9c375f7b05231260080ec46f38a0843f3bf29d9b2234e8c6e709991ea98d358438c439e6150e643daf75154c90a03bbc0fa05a567a94836664f5c259b97
SSDEEP

24576:0nsJ39LyjbJkQFMhmC+6GD9lDZfB6VLBp:0nsHyjtk2MYC5GDLDTMH

Score

10^/10

xred backdoor discovery macro persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 2 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x0007000000019551-78.dat
behavioral1/files/0x000800000001a495-113.dat

Executes dropped EXE 3 IoCs

pid	Process
1528	._cache_5b6b0147b11173d46870635b7cd79a92dc2f37975abdd153cda1c7703f7ad113.exe
2788	Synaptics.exe
2920	._cache_Synaptics.exe

Loads dropped DLL 7 IoCs

pid	Process
2496	5b6b0147b11173d46870635b7cd79a92dc2f37975abdd153cda1c7703f7ad113.exe
2496	5b6b0147b11173d46870635b7cd79a92dc2f37975abdd153cda1c7703f7ad113.exe
2496	5b6b0147b11173d46870635b7cd79a92dc2f37975abdd153cda1c7703f7ad113.exe
2496	5b6b0147b11173d46870635b7cd79a92dc2f37975abdd153cda1c7703f7ad113.exe
2788	Synaptics.exe
2788	Synaptics.exe
2788	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SS CRACK RETRIX = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	5b6b0147b11173d46870635b7cd79a92dc2f37975abdd153cda1c7703f7ad113.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5b6b0147b11173d46870635b7cd79a92dc2f37975abdd153cda1c7703f7ad113.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1240	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1240	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 1528	2496	5b6b0147b11173d46870635b7cd79a92dc2f37975abdd153cda1c7703f7ad113.exe	31
PID 2496 wrote to memory of 1528	2496	5b6b0147b11173d46870635b7cd79a92dc2f37975abdd153cda1c7703f7ad113.exe	31
PID 2496 wrote to memory of 1528	2496	5b6b0147b11173d46870635b7cd79a92dc2f37975abdd153cda1c7703f7ad113.exe	31
PID 2496 wrote to memory of 1528	2496	5b6b0147b11173d46870635b7cd79a92dc2f37975abdd153cda1c7703f7ad113.exe	31
PID 2496 wrote to memory of 2788	2496	5b6b0147b11173d46870635b7cd79a92dc2f37975abdd153cda1c7703f7ad113.exe	33
PID 2496 wrote to memory of 2788	2496	5b6b0147b11173d46870635b7cd79a92dc2f37975abdd153cda1c7703f7ad113.exe	33
PID 2496 wrote to memory of 2788	2496	5b6b0147b11173d46870635b7cd79a92dc2f37975abdd153cda1c7703f7ad113.exe	33
PID 2496 wrote to memory of 2788	2496	5b6b0147b11173d46870635b7cd79a92dc2f37975abdd153cda1c7703f7ad113.exe	33
PID 2788 wrote to memory of 2920	2788	Synaptics.exe	34
PID 2788 wrote to memory of 2920	2788	Synaptics.exe	34
PID 2788 wrote to memory of 2920	2788	Synaptics.exe	34
PID 2788 wrote to memory of 2920	2788	Synaptics.exe	34

C:\Users\Admin\AppData\Local\Temp\5b6b0147b11173d46870635b7cd79a92dc2f37975abdd153cda1c7703f7ad113.exe
"C:\Users\Admin\AppData\Local\Temp\5b6b0147b11173d46870635b7cd79a92dc2f37975abdd153cda1c7703f7ad113.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Users\Admin\AppData\Local\Temp\._cache_5b6b0147b11173d46870635b7cd79a92dc2f37975abdd153cda1c7703f7ad113.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_5b6b0147b11173d46870635b7cd79a92dc2f37975abdd153cda1c7703f7ad113.exe"
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:2920

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.2MB

MD5
710dc70cd131408097567322309f14f7

SHA1
617c27fff28e0350c2251557258a6756ccd1a4e2

SHA256
5b6b0147b11173d46870635b7cd79a92dc2f37975abdd153cda1c7703f7ad113

SHA512
a99ad9c375f7b05231260080ec46f38a0843f3bf29d9b2234e8c6e709991ea98d358438c439e6150e643daf75154c90a03bbc0fa05a567a94836664f5c259b97

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_5b6b0147b11173d46870635b7cd79a92dc2f37975abdd153cda1c7703f7ad113.exe

Filesize
477KB

MD5
aba9ec2175f445d4e1d5a806f8876ab6

SHA1
070780439cab86e8c6a99286dadcf098426f5505

SHA256
8882a23ecbe323f319738856896b87a347fbac51ebf7b50b194547c7887e7a10

SHA512
16243a1480dde66cf03e396012e5c409d1d336a6782c96b950090b10599bba41e6db3c20660f2d41fa52ccbbfd30466643e5f601f3b1e36222c0485d801c0c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\VGDKGstd.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\VGDKGstd.xlsm

Filesize
25KB

MD5
ce7534fd27596423dd36b21969817ee8

SHA1
0c5a89fe6a42a720ffea0f05aebe811a64df7d08

SHA256
ad295af714e0c4580e4bca547e222e422d7a15711a61510284249b9d2c5b01fb

SHA512
2f0f7bbaa2d665bdbc9ee623a1aef3f9d4cc60075ab804db3505469d3e99e8af2bbc9e516298d8e8d990e2148a18aa23a2e0ce8e9d909afdf4a3698792fd6bb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\VGDKGstd.xlsm

Filesize
21KB

MD5
0624ba2b9081da7159ce836ff6851788

SHA1
7c706402bee3f825f786a3b41683a905a759899e

SHA256
784db1b5a5869f4e3e5870ddc58be80ae15e5bdd35614186606877c9c49b70fb

SHA512
3db20e2be263008fe0f1fa48e9078d72f451660de1f0d7a50f6b23cb5250a94825647dd5ac4f772ec975c8a91ac8eeb15f7d7edea28a42a601ce28e43cda5894

Download Submit
C:\Users\Admin\AppData\Local\Temp\VGDKGstd.xlsm

Filesize
27KB

MD5
336a153734bc40f40ce19325f1400d57

SHA1
263d7196d59f4b158d249b79c856bcceb065a1e6

SHA256
05f875de1ae11340a2e16992bd7657fecc3931b4f7dd95eae0e810112368a5a8

SHA512
f678364bcbe6933823ce559a79cda63bf355cc57b562dea16012fccc9ab24286480ee569dbc3a1b391de341580c7dce3a72c76c610c9272c89e50e58bce50420

Download Submit
C:\Users\Admin\AppData\Local\Temp\VGDKGstd.xlsm

Filesize
25KB

MD5
f9d8593b3024ee05aa3a9e5738543294

SHA1
0db2f635d8be43d6be04f1cf00be88345dd68447

SHA256
922ca9f5e746d5b89fd34b3a8f55e48018fa63c45f63d82e31d7f9a60a6fb502

SHA512
54e5938d7a5cb9472275ce96146ea7f99cdd373142dfcba1f5d307682964b096869dc665892e98ea3f71ea4300fc17c7d563d4bbc666b269813c2e402b550e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~$VGDKGstd.xlsm

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
memory/1240-117-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1240-43-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1528-31-0x0000000000E30000-0x0000000000EB0000-memory.dmp

Filesize
512KB

Download
memory/2496-0-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2496-28-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2788-118-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2788-119-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2788-151-0x0000000000400000-0x0000000000539000-memory.dmp

Filesize
1.2MB

Download
memory/2920-42-0x0000000000A80000-0x0000000000B00000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads