xred | 26b267e0cb8636fe564969255b9b40e8aa3636c5084406d47bd538085e32651e

Analysis

max time kernel
134s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sena.exe
Size

1.7MB
MD5

c87016453266c49b5c7b0d7abaf6801f
SHA1

0230da2215ae2f918d52bf5c6a80fb3e09356395
SHA256

26b267e0cb8636fe564969255b9b40e8aa3636c5084406d47bd538085e32651e
SHA512

cbae59449af7e35c5b5bd068f75a6bd58c88500af6971057f72c83565f11052a9d3a517d98cb59c6f4e2f7576e73e58d981cb6f7e3a1f6b5f33bd842a699265f
SSDEEP

24576:2nsJ39LyjbJkQFMhmC+6GD9qEoScovLgGCJv+gy4xwpdvGzk+kKufpFr:2nsHyjtk2MYC5GD8UcoDTCBtxCdeQ+y

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
1320	._cache_Sena.exe
2708	Synaptics.exe
1644	._cache_Synaptics.exe

Loads dropped DLL 10 IoCs

pid	Process
2008	Sena.exe
2008	Sena.exe
2008	Sena.exe
2708	Synaptics.exe
2708	Synaptics.exe
1296	WerFault.exe
1296	WerFault.exe
1296	WerFault.exe
1296	WerFault.exe
1296	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Sena.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1296	1644	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sena.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Sena.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1936	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1320	._cache_Sena.exe
1644	._cache_Synaptics.exe
1644	._cache_Synaptics.exe
1320	._cache_Sena.exe
1644	._cache_Synaptics.exe
1644	._cache_Synaptics.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe
1320	._cache_Sena.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1320	._cache_Sena.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1936	EXCEL.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1320	2008	Sena.exe	30
PID 2008 wrote to memory of 1320	2008	Sena.exe	30
PID 2008 wrote to memory of 1320	2008	Sena.exe	30
PID 2008 wrote to memory of 1320	2008	Sena.exe	30
PID 2008 wrote to memory of 2708	2008	Sena.exe	31
PID 2008 wrote to memory of 2708	2008	Sena.exe	31
PID 2008 wrote to memory of 2708	2008	Sena.exe	31
PID 2008 wrote to memory of 2708	2008	Sena.exe	31
PID 2708 wrote to memory of 1644	2708	Synaptics.exe	33
PID 2708 wrote to memory of 1644	2708	Synaptics.exe	33
PID 2708 wrote to memory of 1644	2708	Synaptics.exe	33
PID 2708 wrote to memory of 1644	2708	Synaptics.exe	33
PID 1644 wrote to memory of 1296	1644	._cache_Synaptics.exe	35
PID 1644 wrote to memory of 1296	1644	._cache_Synaptics.exe	35
PID 1644 wrote to memory of 1296	1644	._cache_Synaptics.exe	35
PID 1644 wrote to memory of 1296	1644	._cache_Synaptics.exe	35

C:\Users\Admin\AppData\Local\Temp\Sena.exe
"C:\Users\Admin\AppData\Local\Temp\Sena.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\._cache_Sena.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_Sena.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1320
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 1300
      4⤵
      Loads dropped DLL
      Program crash
      PID:1296

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.7MB

MD5
c87016453266c49b5c7b0d7abaf6801f

SHA1
0230da2215ae2f918d52bf5c6a80fb3e09356395

SHA256
26b267e0cb8636fe564969255b9b40e8aa3636c5084406d47bd538085e32651e

SHA512
cbae59449af7e35c5b5bd068f75a6bd58c88500af6971057f72c83565f11052a9d3a517d98cb59c6f4e2f7576e73e58d981cb6f7e3a1f6b5f33bd842a699265f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAUf71LD.xlsm

Filesize
24KB

MD5
dc79fe1b3d305a6ab26ac66fe21feb33

SHA1
629ad4aac6919082f47fc1c1ab028173f9f82075

SHA256
ed314d9c4f4b44eede80ad224efdc59b572e4aed786c97aff75ba05effe2d51b

SHA512
afe000b5a2f15ece99c06f1f6e9aa2caef4606fccebf366a1c8464f4476e8c8b008b66c071a92d1015601f887ab2d6f1357e0a04fc7963d30d1918656c207caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAUf71LD.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Sena.exe

Filesize
1.0MB

MD5
9872c633ef83d043cfca1609c7668719

SHA1
116579be25c526f3fb21620263467717e52db237

SHA256
553cfbf1aec44f3baf003f3a095e9638d4c3ec4aa387e07cf64ff69601353306

SHA512
93bc495d230f8198e573275c037db8b3487ef8cf1ae7029a01998018f4694e2a793bc9bc73e776e171870f0ac1ebbaf3a917ec8da5be235586569989dd0be0e1

Download Submit
memory/1320-29-0x0000000000E10000-0x0000000000F1A000-memory.dmp

Filesize
1.0MB

Download
memory/1320-41-0x00000000004A0000-0x00000000004AA000-memory.dmp

Filesize
40KB

Download
memory/1320-94-0x00000000004A0000-0x00000000004AA000-memory.dmp

Filesize
40KB

Download
memory/1644-42-0x00000000004E0000-0x00000000004EA000-memory.dmp

Filesize
40KB

Download
memory/1644-38-0x0000000001240000-0x000000000134A000-memory.dmp

Filesize
1.0MB

Download
memory/1644-40-0x00000000004E0000-0x00000000004EA000-memory.dmp

Filesize
40KB

Download
memory/1644-39-0x0000000006F10000-0x000000000710A000-memory.dmp

Filesize
2.0MB

Download
memory/1936-50-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2008-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2008-26-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/2708-93-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/2708-95-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/2708-104-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/2708-128-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download