xred | 70ffbbb4f81899a81663ef55cbc40a5ea35560f16c5bc2a03f5fbaebc233e579

General

Target

70ffbbb4f81899a81663ef55cbc40a5ea35560f16c5bc2a03f5fbaebc233e579.exe
Size

867KB
MD5

cb6e4d914c367f41340787f23a364fdb
SHA1

faaab8129e6fe3edb95c6409448ec8b9ff4ebb83
SHA256

70ffbbb4f81899a81663ef55cbc40a5ea35560f16c5bc2a03f5fbaebc233e579
SHA512

55d1f8972148518d1893af14e7ddbadf2c9bf259cf133e2960a48122d4236dcf139675ed94b2a5e6062d104ca414c4e662efdad52c35e7298f0c4a764bc48107
SSDEEP

12288:ZMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9tBU72:ZnsJ39LyjbJkQFMhmC+6GD9UK

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Downloads MZ/PE file 1 IoCs

flow	pid	Process
5	2212	._cache_70ffbbb4f81899a81663ef55cbc40a5ea35560f16c5bc2a03f5fbaebc233e579.exe

Executes dropped EXE 3 IoCs

pid	Process
2212	._cache_70ffbbb4f81899a81663ef55cbc40a5ea35560f16c5bc2a03f5fbaebc233e579.exe
2920	Synaptics.exe
2752	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
2376	70ffbbb4f81899a81663ef55cbc40a5ea35560f16c5bc2a03f5fbaebc233e579.exe
2376	70ffbbb4f81899a81663ef55cbc40a5ea35560f16c5bc2a03f5fbaebc233e579.exe
2376	70ffbbb4f81899a81663ef55cbc40a5ea35560f16c5bc2a03f5fbaebc233e579.exe
2920	Synaptics.exe
2920	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	70ffbbb4f81899a81663ef55cbc40a5ea35560f16c5bc2a03f5fbaebc233e579.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70ffbbb4f81899a81663ef55cbc40a5ea35560f16c5bc2a03f5fbaebc233e579.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_70ffbbb4f81899a81663ef55cbc40a5ea35560f16c5bc2a03f5fbaebc233e579.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	._cache_70ffbbb4f81899a81663ef55cbc40a5ea35560f16c5bc2a03f5fbaebc233e579.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	._cache_70ffbbb4f81899a81663ef55cbc40a5ea35560f16c5bc2a03f5fbaebc233e579.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2712	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2712	EXCEL.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2212	2376	70ffbbb4f81899a81663ef55cbc40a5ea35560f16c5bc2a03f5fbaebc233e579.exe	30
PID 2376 wrote to memory of 2212	2376	70ffbbb4f81899a81663ef55cbc40a5ea35560f16c5bc2a03f5fbaebc233e579.exe	30
PID 2376 wrote to memory of 2212	2376	70ffbbb4f81899a81663ef55cbc40a5ea35560f16c5bc2a03f5fbaebc233e579.exe	30
PID 2376 wrote to memory of 2212	2376	70ffbbb4f81899a81663ef55cbc40a5ea35560f16c5bc2a03f5fbaebc233e579.exe	30
PID 2376 wrote to memory of 2212	2376	70ffbbb4f81899a81663ef55cbc40a5ea35560f16c5bc2a03f5fbaebc233e579.exe	30
PID 2376 wrote to memory of 2212	2376	70ffbbb4f81899a81663ef55cbc40a5ea35560f16c5bc2a03f5fbaebc233e579.exe	30
PID 2376 wrote to memory of 2212	2376	70ffbbb4f81899a81663ef55cbc40a5ea35560f16c5bc2a03f5fbaebc233e579.exe	30
PID 2376 wrote to memory of 2920	2376	70ffbbb4f81899a81663ef55cbc40a5ea35560f16c5bc2a03f5fbaebc233e579.exe	31
PID 2376 wrote to memory of 2920	2376	70ffbbb4f81899a81663ef55cbc40a5ea35560f16c5bc2a03f5fbaebc233e579.exe	31
PID 2376 wrote to memory of 2920	2376	70ffbbb4f81899a81663ef55cbc40a5ea35560f16c5bc2a03f5fbaebc233e579.exe	31
PID 2376 wrote to memory of 2920	2376	70ffbbb4f81899a81663ef55cbc40a5ea35560f16c5bc2a03f5fbaebc233e579.exe	31
PID 2920 wrote to memory of 2752	2920	Synaptics.exe	32
PID 2920 wrote to memory of 2752	2920	Synaptics.exe	32
PID 2920 wrote to memory of 2752	2920	Synaptics.exe	32
PID 2920 wrote to memory of 2752	2920	Synaptics.exe	32
PID 2920 wrote to memory of 2752	2920	Synaptics.exe	32
PID 2920 wrote to memory of 2752	2920	Synaptics.exe	32
PID 2920 wrote to memory of 2752	2920	Synaptics.exe	32

C:\Users\Admin\AppData\Local\Temp\70ffbbb4f81899a81663ef55cbc40a5ea35560f16c5bc2a03f5fbaebc233e579.exe
"C:\Users\Admin\AppData\Local\Temp\70ffbbb4f81899a81663ef55cbc40a5ea35560f16c5bc2a03f5fbaebc233e579.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\._cache_70ffbbb4f81899a81663ef55cbc40a5ea35560f16c5bc2a03f5fbaebc233e579.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_70ffbbb4f81899a81663ef55cbc40a5ea35560f16c5bc2a03f5fbaebc233e579.exe"
  2⤵
  - Downloads MZ/PE file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  PID:2212
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2752

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
867KB

MD5
cb6e4d914c367f41340787f23a364fdb

SHA1
faaab8129e6fe3edb95c6409448ec8b9ff4ebb83

SHA256
70ffbbb4f81899a81663ef55cbc40a5ea35560f16c5bc2a03f5fbaebc233e579

SHA512
55d1f8972148518d1893af14e7ddbadf2c9bf259cf133e2960a48122d4236dcf139675ed94b2a5e6062d104ca414c4e662efdad52c35e7298f0c4a764bc48107

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17b4281e7d2145abc55f53d7645e57cb

SHA1
67b0fb122223d830efe509c29d24120bb0e900ab

SHA256
53bddbde7e18a2e94fbc28da7434b21e33f224628b04a0f3db1554478d3d811d

SHA512
781cfee79c06081d88edd1c9a0736252f2f74055a350beb481f1e8d69bcf352645f850c194f190c4db7a0c2f8eaf22b59c888244bdda88c4507fe49f98ad2c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA5A2.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\inqukKXH.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\inqukKXH.xlsm

Filesize
27KB

MD5
a9ae0c6f59f21e55badf5ed10bf61815

SHA1
be32c3e705315673c88cc33f9e78a9cfcc4ea2cd

SHA256
7fb02eafe23c047016d6421bf53f999fd5239310a36fad97ee45384d9413b229

SHA512
c50a9fde1bc88c1868c6a3be2a187e03e6ab0263549b932dfc81e0868e0108d0fad13afbc69617d40cc9d9fd472e0f517bd083bb7fd212be94baad4399659b8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\inqukKXH.xlsm

Filesize
35KB

MD5
68e0193a900520a1b8901fb838b284fd

SHA1
bc3ce77a19f2ca35e21bd1e0cd27d1a0b1e929cc

SHA256
4f50308824ee4e1dc83e07219d043455caeeb970e529c9117c86b0cd5a98979d

SHA512
26e2c1ec8265be0ae3b56428486fa638bb432ed3e498748b20457cf6faf75ed8787992157d50a1f4acd9d3be7a30af33fbfafe65f4a347e1ab1697c33f23cf9b

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_70ffbbb4f81899a81663ef55cbc40a5ea35560f16c5bc2a03f5fbaebc233e579.exe

Filesize
113KB

MD5
9ce7a259d55fa6604fd08eb4a933abc4

SHA1
ce3baf55a6d2daca3abee0d2cfc785b5704f5ffe

SHA256
76f696c241eb55fc4a1de6df3d12877fa25d94ca378ea76aef128559ff4023fb

SHA512
707321bc69ad578a79435e44ccbd38ae58ae806be6604f491dcb0986e9f1a9fc9a230e6584d28f6be81e06323cbb947535bc004b91c56262a4b96545f10846ca

Download Submit
memory/2212-103-0x0000000000AD0000-0x0000000000AF0000-memory.dmp

Filesize
128KB

Download
memory/2376-25-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2376-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2712-98-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2712-35-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2752-105-0x00000000003E0000-0x0000000000400000-memory.dmp

Filesize
128KB

Download
memory/2920-104-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2920-107-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2920-152-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads