xred | 22d71939ba6e7ed1949625c1ba4e8a40b1bf96c222445a94fd2a94bcb26cffb8

General

Target

Microsoft.exe
Size

759KB
MD5

a0faa0a41f33e6a28ffe564c5b256bd2
SHA1

9fa6b3d29ddd4034b1ec05a44b97941f0ae2ec34
SHA256

22d71939ba6e7ed1949625c1ba4e8a40b1bf96c222445a94fd2a94bcb26cffb8
SHA512

488ae540fa69204dd51ffea778619dbee42079d4768521c26e9d56aa089dbf4fbcbadc5682f41557efb21f536085aae64c0a265df3cce46aacebb55a26bf5165
SSDEEP

12288:WMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9e5j:WnsJ39LyjbJkQFMhmC+6GD90

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
2368	._cache_Microsoft.exe
2748	Synaptics.exe
2392	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
264	Microsoft.exe
264	Microsoft.exe
264	Microsoft.exe
2748	Synaptics.exe
2748	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Microsoft.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Microsoft.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
524	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2368	._cache_Microsoft.exe
2392	._cache_Synaptics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2368	._cache_Microsoft.exe
Token: SeDebugPrivilege	2392	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
524	EXCEL.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 264 wrote to memory of 2368	264	Microsoft.exe	31
PID 264 wrote to memory of 2368	264	Microsoft.exe	31
PID 264 wrote to memory of 2368	264	Microsoft.exe	31
PID 264 wrote to memory of 2368	264	Microsoft.exe	31
PID 264 wrote to memory of 2748	264	Microsoft.exe	32
PID 264 wrote to memory of 2748	264	Microsoft.exe	32
PID 264 wrote to memory of 2748	264	Microsoft.exe	32
PID 264 wrote to memory of 2748	264	Microsoft.exe	32
PID 2368 wrote to memory of 2284	2368	._cache_Microsoft.exe	33
PID 2368 wrote to memory of 2284	2368	._cache_Microsoft.exe	33
PID 2368 wrote to memory of 2284	2368	._cache_Microsoft.exe	33
PID 2748 wrote to memory of 2392	2748	Synaptics.exe	34
PID 2748 wrote to memory of 2392	2748	Synaptics.exe	34
PID 2748 wrote to memory of 2392	2748	Synaptics.exe	34
PID 2748 wrote to memory of 2392	2748	Synaptics.exe	34
PID 2392 wrote to memory of 2636	2392	._cache_Synaptics.exe	35
PID 2392 wrote to memory of 2636	2392	._cache_Synaptics.exe	35
PID 2392 wrote to memory of 2636	2392	._cache_Synaptics.exe	35

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:264
- C:\Users\Admin\AppData\Local\Temp\._cache_Microsoft.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_Microsoft.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2368 -s 668
    3⤵
    PID:2284
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2392 -s 508
      4⤵
      PID:2636

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
759KB

MD5
a0faa0a41f33e6a28ffe564c5b256bd2

SHA1
9fa6b3d29ddd4034b1ec05a44b97941f0ae2ec34

SHA256
22d71939ba6e7ed1949625c1ba4e8a40b1bf96c222445a94fd2a94bcb26cffb8

SHA512
488ae540fa69204dd51ffea778619dbee42079d4768521c26e9d56aa089dbf4fbcbadc5682f41557efb21f536085aae64c0a265df3cce46aacebb55a26bf5165

Download Submit
C:\Users\Admin\AppData\Local\Temp\ItfiXQtL.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\ItfiXQtL.xlsm

Filesize
24KB

MD5
9347dd4533feb016070eb9ca49a02192

SHA1
5218e412f60ab9a3e4f4b715ae12f95466e25589

SHA256
5dd65c57f08527213b6fd84e9711982c880362bf1bffb4e9893308839b542298

SHA512
df5b4a94acb83bfe82666f9eba04482c09d7893be72d77ee0b461e964633403f917f7c9fcbd26b314e290435ce1495d721d37a8281e098dbae470490025e20dc

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Microsoft.exe

Filesize
6KB

MD5
787207be9e9f2c773938e8f3c41f2bff

SHA1
8068e6f21c93e75579f9bca066d8fc5cdab79215

SHA256
c75dd6e6cf5dffcadf61c436971a97e5a768b90a2674b11c548f2975bc9c8529

SHA512
88eb905188432c21b149004a3407f002a9b48c8be8e4b8767987e9c0ab90e773ea7e06a355cf035dc2a574c8c95378496a180f43eb31d57e50cc978866d54a02

Download Submit
memory/264-0-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/264-25-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/524-38-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2368-26-0x00000000001A0000-0x00000000001A8000-memory.dmp

Filesize
32KB

Download
memory/2392-36-0x0000000000990000-0x0000000000998000-memory.dmp

Filesize
32KB

Download
memory/2748-37-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2748-81-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2748-82-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2748-114-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads