xred | ee471566f4eedc108b201198cb8d0da4ada5b6c4e039ff591c3ca0adb9f63189

General

Target

ee471566f4eedc108b201198cb8d0da4ada5b6c4e039ff591c3ca0adb9f63189N.exe
Size

764KB
MD5

571d08ccfddffcec2843c61101b91ce0
SHA1

bab4c2187e02aae0e5471c320c1c7ba437b0677a
SHA256

ee471566f4eedc108b201198cb8d0da4ada5b6c4e039ff591c3ca0adb9f63189
SHA512

e5cdcde4775fd7dfc9203964ac7661c03d4e3c5f8f9dabecf342a846d86fad4d4e3ba7b762cb60dc9ff784b4656634028b5c520b22928a1ee6c572d0f7b4ff8c
SSDEEP

12288:6MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9U8uj:6nsJ39LyjbJkQFMhmC+6GD9c

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
2792	._cache_ee471566f4eedc108b201198cb8d0da4ada5b6c4e039ff591c3ca0adb9f63189N.exe
2868	Synaptics.exe
3040	._cache_Synaptics.exe

Loads dropped DLL 15 IoCs

pid	Process
2316	ee471566f4eedc108b201198cb8d0da4ada5b6c4e039ff591c3ca0adb9f63189N.exe
2316	ee471566f4eedc108b201198cb8d0da4ada5b6c4e039ff591c3ca0adb9f63189N.exe
2316	ee471566f4eedc108b201198cb8d0da4ada5b6c4e039ff591c3ca0adb9f63189N.exe
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe
2868	Synaptics.exe
2868	Synaptics.exe
2860	WerFault.exe
404	WerFault.exe
404	WerFault.exe
404	WerFault.exe
404	WerFault.exe
404	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	ee471566f4eedc108b201198cb8d0da4ada5b6c4e039ff591c3ca0adb9f63189N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2860	2792	WerFault.exe	30
404	3040	WerFault.exe	34

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee471566f4eedc108b201198cb8d0da4ada5b6c4e039ff591c3ca0adb9f63189N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_ee471566f4eedc108b201198cb8d0da4ada5b6c4e039ff591c3ca0adb9f63189N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
752	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
752	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2792	2316	ee471566f4eedc108b201198cb8d0da4ada5b6c4e039ff591c3ca0adb9f63189N.exe	30
PID 2316 wrote to memory of 2792	2316	ee471566f4eedc108b201198cb8d0da4ada5b6c4e039ff591c3ca0adb9f63189N.exe	30
PID 2316 wrote to memory of 2792	2316	ee471566f4eedc108b201198cb8d0da4ada5b6c4e039ff591c3ca0adb9f63189N.exe	30
PID 2316 wrote to memory of 2792	2316	ee471566f4eedc108b201198cb8d0da4ada5b6c4e039ff591c3ca0adb9f63189N.exe	30
PID 2316 wrote to memory of 2868	2316	ee471566f4eedc108b201198cb8d0da4ada5b6c4e039ff591c3ca0adb9f63189N.exe	32
PID 2316 wrote to memory of 2868	2316	ee471566f4eedc108b201198cb8d0da4ada5b6c4e039ff591c3ca0adb9f63189N.exe	32
PID 2316 wrote to memory of 2868	2316	ee471566f4eedc108b201198cb8d0da4ada5b6c4e039ff591c3ca0adb9f63189N.exe	32
PID 2316 wrote to memory of 2868	2316	ee471566f4eedc108b201198cb8d0da4ada5b6c4e039ff591c3ca0adb9f63189N.exe	32
PID 2792 wrote to memory of 2860	2792	._cache_ee471566f4eedc108b201198cb8d0da4ada5b6c4e039ff591c3ca0adb9f63189N.exe	33
PID 2792 wrote to memory of 2860	2792	._cache_ee471566f4eedc108b201198cb8d0da4ada5b6c4e039ff591c3ca0adb9f63189N.exe	33
PID 2792 wrote to memory of 2860	2792	._cache_ee471566f4eedc108b201198cb8d0da4ada5b6c4e039ff591c3ca0adb9f63189N.exe	33
PID 2792 wrote to memory of 2860	2792	._cache_ee471566f4eedc108b201198cb8d0da4ada5b6c4e039ff591c3ca0adb9f63189N.exe	33
PID 2868 wrote to memory of 3040	2868	Synaptics.exe	34
PID 2868 wrote to memory of 3040	2868	Synaptics.exe	34
PID 2868 wrote to memory of 3040	2868	Synaptics.exe	34
PID 2868 wrote to memory of 3040	2868	Synaptics.exe	34
PID 3040 wrote to memory of 404	3040	._cache_Synaptics.exe	37
PID 3040 wrote to memory of 404	3040	._cache_Synaptics.exe	37
PID 3040 wrote to memory of 404	3040	._cache_Synaptics.exe	37
PID 3040 wrote to memory of 404	3040	._cache_Synaptics.exe	37

C:\Users\Admin\AppData\Local\Temp\ee471566f4eedc108b201198cb8d0da4ada5b6c4e039ff591c3ca0adb9f63189N.exe
"C:\Users\Admin\AppData\Local\Temp\ee471566f4eedc108b201198cb8d0da4ada5b6c4e039ff591c3ca0adb9f63189N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\._cache_ee471566f4eedc108b201198cb8d0da4ada5b6c4e039ff591c3ca0adb9f63189N.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_ee471566f4eedc108b201198cb8d0da4ada5b6c4e039ff591c3ca0adb9f63189N.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 532
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2860
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 528
      4⤵
      Loads dropped DLL
      Program crash
      PID:404

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
764KB

MD5
571d08ccfddffcec2843c61101b91ce0

SHA1
bab4c2187e02aae0e5471c320c1c7ba437b0677a

SHA256
ee471566f4eedc108b201198cb8d0da4ada5b6c4e039ff591c3ca0adb9f63189

SHA512
e5cdcde4775fd7dfc9203964ac7661c03d4e3c5f8f9dabecf342a846d86fad4d4e3ba7b762cb60dc9ff784b4656634028b5c520b22928a1ee6c572d0f7b4ff8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_ee471566f4eedc108b201198cb8d0da4ada5b6c4e039ff591c3ca0adb9f63189N.exe

Filesize
10KB

MD5
d6cc515af460a8eaaa15716772301659

SHA1
6168861e0633298e0be0d2fce572fdf1e244db69

SHA256
e71de20f637366d37723164a62bbfeafcfb08e0411b3f78ebcf13c8e8aae0e5c

SHA512
fbf2cea4716ef56c38ea31353b84b785b757942cc14a9c1bb3b1d83556b4e28c1f647cdd97d0db09d3c5e2d90c722b6f2c094e4e2070605f2f93dedb0a912943

Download Submit
C:\Users\Admin\AppData\Local\Temp\N9azaigA.xlsm

Filesize
28KB

MD5
a70f0f1485f65b347cdfe4d1144254dc

SHA1
bba331d78c21dbebe80994e5c4286ef9caf97d6f

SHA256
ada6cb223fe0ef7a831bd4b093bca9b341180c22edf935f30043dd94cdcc66ba

SHA512
0615a1ad7ee3e2bdcbb757ffcf9c0ff2024ec923e374474f8ffa981f235188d6ae846af00cd0a81889b12b014882171b5fc6a0957245d5c91f4c05dfb3d5f65a

Download Submit
C:\Users\Admin\AppData\Local\Temp\N9azaigA.xlsm

Filesize
22KB

MD5
b3b0d8d2f525fd2dad6e6b239293ad9d

SHA1
d4e9735398b2c200c4f9d7d5ae1ce8e44d4e8833

SHA256
b393823b2f6993e932535a337ae160b00defccef90470812ef536054513160db

SHA512
8be05f51df12d62f814bb354e91e5a91888f57596f8014f3cd19ecb850cc9ca0cd8783c60129f553e5777016f2e6ec8643e872ab86ab3ad318e864b8162161f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\N9azaigA.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
memory/752-48-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2316-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2316-26-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2792-29-0x0000000000F60000-0x0000000000F68000-memory.dmp

Filesize
32KB

Download
memory/2868-103-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2868-104-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2868-138-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3040-43-0x0000000000990000-0x0000000000998000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads