xred | 183ac70aa719ee42293766685f5777a4e8bbf5e3c29dd584064779849e1c874b

General

Target

0x0008000000016c56-20.exe
Size

939KB
MD5

758b53a6eef2a3a811f3271e92c72e2f
SHA1

a813953f2b23cb5fae59b2248bafa6e16c80e9ef
SHA256

183ac70aa719ee42293766685f5777a4e8bbf5e3c29dd584064779849e1c874b
SHA512

479c789815e185d9985d42d528e2bb8f677d3dfcbef5dd7b80fa74a3b981928cdf2e9f6ee049acdaa67832ccc82f7c9d9835bb370cac2163e56d4cd45d1d7eb0
SSDEEP

12288:vMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9N9or++FxY:vnsJ39LyjbJkQFMhmC+6GD97Kg

Score

10^/10

xred xworm backdoor discovery macro persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

209.50.250.24:4562

Attributes

install_file
USB.exe

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Detect Xworm Payload 8 IoCs

resource	yara_rule
behavioral1/files/0x0007000000012117-4.dat	family_xworm
behavioral1/files/0x0007000000016c4a-12.dat	family_xworm
behavioral1/memory/2588-25-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral1/memory/2396-28-0x0000000000060000-0x0000000000098000-memory.dmp	family_xworm
behavioral1/memory/2728-37-0x0000000000030000-0x0000000000068000-memory.dmp	family_xworm
behavioral1/memory/2756-103-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral1/memory/2756-104-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral1/memory/2756-136-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious Office macro 2 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x0008000000016d18-72.dat
behavioral1/files/0x00080000000173a9-85.dat

Executes dropped EXE 3 IoCs

pid	Process
2396	._cache_0x0008000000016c56-20.exe
2756	Synaptics.exe
2728	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
2588	0x0008000000016c56-20.exe
2588	0x0008000000016c56-20.exe
2588	0x0008000000016c56-20.exe
2756	Synaptics.exe
2756	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	0x0008000000016c56-20.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0x0008000000016c56-20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2648	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	._cache_Synaptics.exe
Token: SeDebugPrivilege	2396	._cache_0x0008000000016c56-20.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2648	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 2396	2588	0x0008000000016c56-20.exe	30
PID 2588 wrote to memory of 2396	2588	0x0008000000016c56-20.exe	30
PID 2588 wrote to memory of 2396	2588	0x0008000000016c56-20.exe	30
PID 2588 wrote to memory of 2396	2588	0x0008000000016c56-20.exe	30
PID 2588 wrote to memory of 2756	2588	0x0008000000016c56-20.exe	31
PID 2588 wrote to memory of 2756	2588	0x0008000000016c56-20.exe	31
PID 2588 wrote to memory of 2756	2588	0x0008000000016c56-20.exe	31
PID 2588 wrote to memory of 2756	2588	0x0008000000016c56-20.exe	31
PID 2756 wrote to memory of 2728	2756	Synaptics.exe	32
PID 2756 wrote to memory of 2728	2756	Synaptics.exe	32
PID 2756 wrote to memory of 2728	2756	Synaptics.exe	32
PID 2756 wrote to memory of 2728	2756	Synaptics.exe	32

C:\Users\Admin\AppData\Local\Temp\0x0008000000016c56-20.exe
"C:\Users\Admin\AppData\Local\Temp\0x0008000000016c56-20.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Users\Admin\AppData\Local\Temp\._cache_0x0008000000016c56-20.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_0x0008000000016c56-20.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2728

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
939KB

MD5
758b53a6eef2a3a811f3271e92c72e2f

SHA1
a813953f2b23cb5fae59b2248bafa6e16c80e9ef

SHA256
183ac70aa719ee42293766685f5777a4e8bbf5e3c29dd584064779849e1c874b

SHA512
479c789815e185d9985d42d528e2bb8f677d3dfcbef5dd7b80fa74a3b981928cdf2e9f6ee049acdaa67832ccc82f7c9d9835bb370cac2163e56d4cd45d1d7eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\79jAujAl.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\79jAujAl.xlsm

Filesize
22KB

MD5
f69e0a168137805b8c027644ff748145

SHA1
d75ac1acd99794c438ed62dfe07a38cfbc1e7595

SHA256
2788e3f65acbd2903ca98e44506a69c80390f1eb53c496d1da6287c10e590c4e

SHA512
71a578c4baf09468cee7d493c9cd1806d77dc58e598e58c919bbd22f6c577ba1c355e02b816b2c24a1a65d207a3a95e82df8f853bffd428dc22b50d73772ad9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\79jAujAl.xlsm

Filesize
24KB

MD5
95447db3bbf5647088cb370b9b9e438d

SHA1
a7e6cf95ba7b10f998f7d5195435faf30ae4df9a

SHA256
afd2b029bfe97904511eb70e58566875b77fd23daff3ecd8cdfc3357ae6c2645

SHA512
3bac27bb21e65745021e31f829f39085a81034006168fd8173c418eb5660cf8703069e2b0687606c757726587cfdcc6d5e33431c8d81733b7da6c07f31ae7dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\79jAujAl.xlsm

Filesize
24KB

MD5
3d6261484470980cad33a14085e2c268

SHA1
29fd6dfe146a818d166d87c4914610edb4c7ec73

SHA256
dd8bf11014f6c246fc879338f6da1ceb7bae49205e2d0d6081ffadfef79807d5

SHA512
78d38b4ea19b81bf057cd0d132ddd552b23b5abbff3727f81530741418a0faba18169bd36493d9cd341c98d4d1c97fd7e09b03e3c4d93aa814c02e73b6d81d0f

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_0x0008000000016c56-20.exe

Filesize
194KB

MD5
d3e22b66b78acdd2d894bba7f51e54bc

SHA1
059aeaea70858f4202f71d82d5742b7e923411fa

SHA256
8533ddb25eef736be61b3e3ec0cea6ea7eefd121120ffb971b7ea1b1f1f863de

SHA512
b9ca1fd07f2fbc92a66ddac1f767bd05a94062cbad61de49f02b5688bb94fa0e7a0de0d4cd6539146a3e83c0558441fbd82a5c195a564b90d299228273fd79fd

Download Submit
memory/2396-28-0x0000000000060000-0x0000000000098000-memory.dmp

Filesize
224KB

Download
memory/2588-25-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2588-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2648-36-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2648-102-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2728-37-0x0000000000030000-0x0000000000068000-memory.dmp

Filesize
224KB

Download
memory/2756-103-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2756-104-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2756-136-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads