xred | 208b4906cf3f4c3efac88ed4d509679a8b0f59ad62ae01ed05aa72c05f0a057c

General

Target

208b4906cf3f4c3efac88ed4d509679a8b0f59ad62ae01ed05aa72c05f0a057c.exe
Size

764KB
MD5

265352ea1fda4cbeac79ce8ee2b45486
SHA1

2e7c7e40bb705649c44522acbef13112a1501985
SHA256

208b4906cf3f4c3efac88ed4d509679a8b0f59ad62ae01ed05aa72c05f0a057c
SHA512

6245fea31c66dc8adedd06536509f9fc8c347f231c8f27d8ef34ff18e6947450b323364f7f1a168c7494e71274093430c4d439619419b4dd855e832e68fe569a
SSDEEP

12288:6MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Ublj:6nsJ39LyjbJkQFMhmC+6GD9+

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
2176	._cache_208b4906cf3f4c3efac88ed4d509679a8b0f59ad62ae01ed05aa72c05f0a057c.exe
3016	Synaptics.exe
2704	._cache_Synaptics.exe

Loads dropped DLL 15 IoCs

pid	Process
2244	208b4906cf3f4c3efac88ed4d509679a8b0f59ad62ae01ed05aa72c05f0a057c.exe
2244	208b4906cf3f4c3efac88ed4d509679a8b0f59ad62ae01ed05aa72c05f0a057c.exe
2244	208b4906cf3f4c3efac88ed4d509679a8b0f59ad62ae01ed05aa72c05f0a057c.exe
2800	WerFault.exe
2800	WerFault.exe
2800	WerFault.exe
2800	WerFault.exe
3016	Synaptics.exe
3016	Synaptics.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2800	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	208b4906cf3f4c3efac88ed4d509679a8b0f59ad62ae01ed05aa72c05f0a057c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2800	2176	WerFault.exe	30
2780	2704	WerFault.exe	34

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	208b4906cf3f4c3efac88ed4d509679a8b0f59ad62ae01ed05aa72c05f0a057c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_208b4906cf3f4c3efac88ed4d509679a8b0f59ad62ae01ed05aa72c05f0a057c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1848	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1848	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2176	2244	208b4906cf3f4c3efac88ed4d509679a8b0f59ad62ae01ed05aa72c05f0a057c.exe	30
PID 2244 wrote to memory of 2176	2244	208b4906cf3f4c3efac88ed4d509679a8b0f59ad62ae01ed05aa72c05f0a057c.exe	30
PID 2244 wrote to memory of 2176	2244	208b4906cf3f4c3efac88ed4d509679a8b0f59ad62ae01ed05aa72c05f0a057c.exe	30
PID 2244 wrote to memory of 2176	2244	208b4906cf3f4c3efac88ed4d509679a8b0f59ad62ae01ed05aa72c05f0a057c.exe	30
PID 2244 wrote to memory of 3016	2244	208b4906cf3f4c3efac88ed4d509679a8b0f59ad62ae01ed05aa72c05f0a057c.exe	32
PID 2244 wrote to memory of 3016	2244	208b4906cf3f4c3efac88ed4d509679a8b0f59ad62ae01ed05aa72c05f0a057c.exe	32
PID 2244 wrote to memory of 3016	2244	208b4906cf3f4c3efac88ed4d509679a8b0f59ad62ae01ed05aa72c05f0a057c.exe	32
PID 2244 wrote to memory of 3016	2244	208b4906cf3f4c3efac88ed4d509679a8b0f59ad62ae01ed05aa72c05f0a057c.exe	32
PID 2176 wrote to memory of 2800	2176	._cache_208b4906cf3f4c3efac88ed4d509679a8b0f59ad62ae01ed05aa72c05f0a057c.exe	33
PID 2176 wrote to memory of 2800	2176	._cache_208b4906cf3f4c3efac88ed4d509679a8b0f59ad62ae01ed05aa72c05f0a057c.exe	33
PID 2176 wrote to memory of 2800	2176	._cache_208b4906cf3f4c3efac88ed4d509679a8b0f59ad62ae01ed05aa72c05f0a057c.exe	33
PID 2176 wrote to memory of 2800	2176	._cache_208b4906cf3f4c3efac88ed4d509679a8b0f59ad62ae01ed05aa72c05f0a057c.exe	33
PID 3016 wrote to memory of 2704	3016	Synaptics.exe	34
PID 3016 wrote to memory of 2704	3016	Synaptics.exe	34
PID 3016 wrote to memory of 2704	3016	Synaptics.exe	34
PID 3016 wrote to memory of 2704	3016	Synaptics.exe	34
PID 2704 wrote to memory of 2780	2704	._cache_Synaptics.exe	36
PID 2704 wrote to memory of 2780	2704	._cache_Synaptics.exe	36
PID 2704 wrote to memory of 2780	2704	._cache_Synaptics.exe	36
PID 2704 wrote to memory of 2780	2704	._cache_Synaptics.exe	36

C:\Users\Admin\AppData\Local\Temp\208b4906cf3f4c3efac88ed4d509679a8b0f59ad62ae01ed05aa72c05f0a057c.exe
"C:\Users\Admin\AppData\Local\Temp\208b4906cf3f4c3efac88ed4d509679a8b0f59ad62ae01ed05aa72c05f0a057c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Local\Temp\._cache_208b4906cf3f4c3efac88ed4d509679a8b0f59ad62ae01ed05aa72c05f0a057c.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_208b4906cf3f4c3efac88ed4d509679a8b0f59ad62ae01ed05aa72c05f0a057c.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 532
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2800
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 516
      4⤵
      Loads dropped DLL
      Program crash
      PID:2780

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
764KB

MD5
265352ea1fda4cbeac79ce8ee2b45486

SHA1
2e7c7e40bb705649c44522acbef13112a1501985

SHA256
208b4906cf3f4c3efac88ed4d509679a8b0f59ad62ae01ed05aa72c05f0a057c

SHA512
6245fea31c66dc8adedd06536509f9fc8c347f231c8f27d8ef34ff18e6947450b323364f7f1a168c7494e71274093430c4d439619419b4dd855e832e68fe569a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMabj57j.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMabj57j.xlsm

Filesize
24KB

MD5
ec01811b5bd592ab2107c5be7e260312

SHA1
c2840c91d200d2b7244913b29c12c48a05f1d045

SHA256
eaa5a5b81152a6fe019513126eafe6333f395a49251da9f971a6ddc1eecc12e3

SHA512
33d761f6bc74478b38c9d704ad752c14b807f492de2f014dfa3a78b513e2733c22bb7147eb43f20ac6a060447fff1a24e5b5f6e5d52773a19ccd9a78d81ecfb1

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_208b4906cf3f4c3efac88ed4d509679a8b0f59ad62ae01ed05aa72c05f0a057c.exe

Filesize
10KB

MD5
599f677bba5509ec69ddbdfa49fb5ca2

SHA1
4cab3991325b6bbd7af49d2b1d39efa66d5a796c

SHA256
6b926253e602c271cecfd8400b1d0b492da62cd80a9c6cf58316ac19a91e2c0b

SHA512
0bd65a0eea8f8afa832339a24a548a32edca84808ef3cb98b26669eac9a1524fc8f40920c0ecc8326df7e4547a3fd0b1881b4ece99ec3abf2517bbaff8cb01e5

Download Submit
memory/1848-52-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2176-18-0x0000000073D2E000-0x0000000073D2F000-memory.dmp

Filesize
4KB

Download
memory/2176-19-0x0000000000BA0000-0x0000000000BA8000-memory.dmp

Filesize
32KB

Download
memory/2176-51-0x0000000073D2E000-0x0000000073D2F000-memory.dmp

Filesize
4KB

Download
memory/2244-28-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2244-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2704-43-0x0000000000970000-0x0000000000978000-memory.dmp

Filesize
32KB

Download
memory/3016-50-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3016-95-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3016-97-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3016-102-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3016-130-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads