xred | 26b267e0cb8636fe564969255b9b40e8aa3636c5084406d47bd538085e32651e

Analysis

max time kernel
40s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sena.exe
Size

1.7MB
MD5

c87016453266c49b5c7b0d7abaf6801f
SHA1

0230da2215ae2f918d52bf5c6a80fb3e09356395
SHA256

26b267e0cb8636fe564969255b9b40e8aa3636c5084406d47bd538085e32651e
SHA512

cbae59449af7e35c5b5bd068f75a6bd58c88500af6971057f72c83565f11052a9d3a517d98cb59c6f4e2f7576e73e58d981cb6f7e3a1f6b5f33bd842a699265f
SSDEEP

24576:2nsJ39LyjbJkQFMhmC+6GD9qEoScovLgGCJv+gy4xwpdvGzk+kKufpFr:2nsHyjtk2MYC5GD8UcoDTCBtxCdeQ+y

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Sena.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 18 IoCs

pid	Process
3900	._cache_Sena.exe
2540	Synaptics.exe
4032	._cache_Synaptics.exe
2196	amide.exe
3824	amide.exe
4712	amide.exe
4876	amide.exe
4928	amide.exe
4436	amide.exe
3900	._cache_Sena.exe
2540	Synaptics.exe
4032	._cache_Synaptics.exe
2196	amide.exe
3824	amide.exe
4712	amide.exe
4876	amide.exe
4928	amide.exe
4436	amide.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Sena.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sena.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Sena.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sena.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2852	EXCEL.EXE
2852	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4032	._cache_Synaptics.exe
4032	._cache_Synaptics.exe
3900	._cache_Sena.exe
3900	._cache_Sena.exe
3900	._cache_Sena.exe
3900	._cache_Sena.exe
3900	._cache_Sena.exe
3900	._cache_Sena.exe
3900	._cache_Sena.exe
3900	._cache_Sena.exe
3900	._cache_Sena.exe
3900	._cache_Sena.exe
3900	._cache_Sena.exe
3900	._cache_Sena.exe
3900	._cache_Sena.exe
3900	._cache_Sena.exe
3900	._cache_Sena.exe
3900	._cache_Sena.exe
3900	._cache_Sena.exe
3900	._cache_Sena.exe
3900	._cache_Sena.exe
3900	._cache_Sena.exe
3900	._cache_Sena.exe
3900	._cache_Sena.exe
3900	._cache_Sena.exe
3900	._cache_Sena.exe
4032	._cache_Synaptics.exe
4032	._cache_Synaptics.exe
3900	._cache_Sena.exe
3900	._cache_Sena.exe
3900	._cache_Sena.exe
3900	._cache_Sena.exe
4032	._cache_Synaptics.exe
4032	._cache_Synaptics.exe
4032	._cache_Synaptics.exe
4032	._cache_Synaptics.exe
3900	._cache_Sena.exe
3900	._cache_Sena.exe
3900	._cache_Sena.exe
3900	._cache_Sena.exe
4032	._cache_Synaptics.exe
4032	._cache_Synaptics.exe
3900	._cache_Sena.exe
3900	._cache_Sena.exe
4032	._cache_Synaptics.exe
3900	._cache_Sena.exe
3900	._cache_Sena.exe
4032	._cache_Synaptics.exe
3900	._cache_Sena.exe
3900	._cache_Sena.exe
4032	._cache_Synaptics.exe
4032	._cache_Synaptics.exe
3900	._cache_Sena.exe
3900	._cache_Sena.exe
4032	._cache_Synaptics.exe
4032	._cache_Synaptics.exe
3900	._cache_Sena.exe
3900	._cache_Sena.exe
4032	._cache_Synaptics.exe
4032	._cache_Synaptics.exe
4032	._cache_Synaptics.exe
4032	._cache_Synaptics.exe
3900	._cache_Sena.exe
3900	._cache_Sena.exe

Suspicious behavior: LoadsDriver 12 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3900	._cache_Sena.exe
Token: SeIncreaseQuotaPrivilege	4584	WMIC.exe
Token: SeSecurityPrivilege	4584	WMIC.exe
Token: SeTakeOwnershipPrivilege	4584	WMIC.exe
Token: SeLoadDriverPrivilege	4584	WMIC.exe
Token: SeSystemProfilePrivilege	4584	WMIC.exe
Token: SeSystemtimePrivilege	4584	WMIC.exe
Token: SeProfSingleProcessPrivilege	4584	WMIC.exe
Token: SeIncBasePriorityPrivilege	4584	WMIC.exe
Token: SeCreatePagefilePrivilege	4584	WMIC.exe
Token: SeBackupPrivilege	4584	WMIC.exe
Token: SeRestorePrivilege	4584	WMIC.exe
Token: SeShutdownPrivilege	4584	WMIC.exe
Token: SeDebugPrivilege	4584	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4584	WMIC.exe
Token: SeRemoteShutdownPrivilege	4584	WMIC.exe
Token: SeUndockPrivilege	4584	WMIC.exe
Token: SeManageVolumePrivilege	4584	WMIC.exe
Token: 33	4584	WMIC.exe
Token: 34	4584	WMIC.exe
Token: 35	4584	WMIC.exe
Token: 36	4584	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4584	WMIC.exe
Token: SeSecurityPrivilege	4584	WMIC.exe
Token: SeTakeOwnershipPrivilege	4584	WMIC.exe
Token: SeLoadDriverPrivilege	4584	WMIC.exe
Token: SeSystemProfilePrivilege	4584	WMIC.exe
Token: SeSystemtimePrivilege	4584	WMIC.exe
Token: SeProfSingleProcessPrivilege	4584	WMIC.exe
Token: SeIncBasePriorityPrivilege	4584	WMIC.exe
Token: SeCreatePagefilePrivilege	4584	WMIC.exe
Token: SeBackupPrivilege	4584	WMIC.exe
Token: SeRestorePrivilege	4584	WMIC.exe
Token: SeShutdownPrivilege	4584	WMIC.exe
Token: SeDebugPrivilege	4584	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4584	WMIC.exe
Token: SeRemoteShutdownPrivilege	4584	WMIC.exe
Token: SeUndockPrivilege	4584	WMIC.exe
Token: SeManageVolumePrivilege	4584	WMIC.exe
Token: 33	4584	WMIC.exe
Token: 34	4584	WMIC.exe
Token: 35	4584	WMIC.exe
Token: 36	4584	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2748	WMIC.exe
Token: SeSecurityPrivilege	2748	WMIC.exe
Token: SeTakeOwnershipPrivilege	2748	WMIC.exe
Token: SeLoadDriverPrivilege	2748	WMIC.exe
Token: SeSystemProfilePrivilege	2748	WMIC.exe
Token: SeSystemtimePrivilege	2748	WMIC.exe
Token: SeProfSingleProcessPrivilege	2748	WMIC.exe
Token: SeIncBasePriorityPrivilege	2748	WMIC.exe
Token: SeCreatePagefilePrivilege	2748	WMIC.exe
Token: SeBackupPrivilege	2748	WMIC.exe
Token: SeRestorePrivilege	2748	WMIC.exe
Token: SeShutdownPrivilege	2748	WMIC.exe
Token: SeDebugPrivilege	2748	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2748	WMIC.exe
Token: SeRemoteShutdownPrivilege	2748	WMIC.exe
Token: SeUndockPrivilege	2748	WMIC.exe
Token: SeManageVolumePrivilege	2748	WMIC.exe
Token: 33	2748	WMIC.exe
Token: 34	2748	WMIC.exe
Token: 35	2748	WMIC.exe
Token: 36	2748	WMIC.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2852	EXCEL.EXE
2852	EXCEL.EXE
2852	EXCEL.EXE
2852	EXCEL.EXE
2852	EXCEL.EXE
2852	EXCEL.EXE
2852	EXCEL.EXE
2852	EXCEL.EXE
2852	EXCEL.EXE
2852	EXCEL.EXE
2852	EXCEL.EXE
2852	EXCEL.EXE
2852	EXCEL.EXE
2852	EXCEL.EXE
2852	EXCEL.EXE
2852	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 3900	4100	Sena.exe	84
PID 4100 wrote to memory of 3900	4100	Sena.exe	84
PID 4100 wrote to memory of 3900	4100	Sena.exe	84
PID 4100 wrote to memory of 2540	4100	Sena.exe	85
PID 4100 wrote to memory of 2540	4100	Sena.exe	85
PID 4100 wrote to memory of 2540	4100	Sena.exe	85
PID 2540 wrote to memory of 4032	2540	Synaptics.exe	86
PID 2540 wrote to memory of 4032	2540	Synaptics.exe	86
PID 2540 wrote to memory of 4032	2540	Synaptics.exe	86
PID 3900 wrote to memory of 2196	3900	._cache_Sena.exe	105
PID 3900 wrote to memory of 2196	3900	._cache_Sena.exe	105
PID 3900 wrote to memory of 3824	3900	._cache_Sena.exe	107
PID 3900 wrote to memory of 3824	3900	._cache_Sena.exe	107
PID 3900 wrote to memory of 4712	3900	._cache_Sena.exe	109
PID 3900 wrote to memory of 4712	3900	._cache_Sena.exe	109
PID 3900 wrote to memory of 4876	3900	._cache_Sena.exe	111
PID 3900 wrote to memory of 4876	3900	._cache_Sena.exe	111
PID 3900 wrote to memory of 4928	3900	._cache_Sena.exe	113
PID 3900 wrote to memory of 4928	3900	._cache_Sena.exe	113
PID 3900 wrote to memory of 4436	3900	._cache_Sena.exe	115
PID 3900 wrote to memory of 4436	3900	._cache_Sena.exe	115
PID 3900 wrote to memory of 1056	3900	._cache_Sena.exe	120
PID 3900 wrote to memory of 1056	3900	._cache_Sena.exe	120
PID 3900 wrote to memory of 1056	3900	._cache_Sena.exe	120
PID 1056 wrote to memory of 2776	1056	cmd.exe	122
PID 1056 wrote to memory of 2776	1056	cmd.exe	122
PID 1056 wrote to memory of 2776	1056	cmd.exe	122
PID 2776 wrote to memory of 4584	2776	cmd.exe	123
PID 2776 wrote to memory of 4584	2776	cmd.exe	123
PID 2776 wrote to memory of 4584	2776	cmd.exe	123
PID 2776 wrote to memory of 1260	2776	cmd.exe	124
PID 2776 wrote to memory of 1260	2776	cmd.exe	124
PID 2776 wrote to memory of 1260	2776	cmd.exe	124
PID 1056 wrote to memory of 2424	1056	cmd.exe	125
PID 1056 wrote to memory of 2424	1056	cmd.exe	125
PID 1056 wrote to memory of 2424	1056	cmd.exe	125
PID 1056 wrote to memory of 1252	1056	cmd.exe	126
PID 1056 wrote to memory of 1252	1056	cmd.exe	126
PID 1056 wrote to memory of 1252	1056	cmd.exe	126
PID 1056 wrote to memory of 912	1056	cmd.exe	127
PID 1056 wrote to memory of 912	1056	cmd.exe	127
PID 1056 wrote to memory of 912	1056	cmd.exe	127
PID 1056 wrote to memory of 4376	1056	cmd.exe	128
PID 1056 wrote to memory of 4376	1056	cmd.exe	128
PID 1056 wrote to memory of 4376	1056	cmd.exe	128
PID 1056 wrote to memory of 4544	1056	cmd.exe	129
PID 1056 wrote to memory of 4544	1056	cmd.exe	129
PID 1056 wrote to memory of 4544	1056	cmd.exe	129
PID 4544 wrote to memory of 2748	4544	cmd.exe	130
PID 4544 wrote to memory of 2748	4544	cmd.exe	130
PID 4544 wrote to memory of 2748	4544	cmd.exe	130
PID 4544 wrote to memory of 4324	4544	cmd.exe	131
PID 4544 wrote to memory of 4324	4544	cmd.exe	131
PID 4544 wrote to memory of 4324	4544	cmd.exe	131
PID 1056 wrote to memory of 4332	1056	cmd.exe	132
PID 1056 wrote to memory of 4332	1056	cmd.exe	132
PID 1056 wrote to memory of 4332	1056	cmd.exe	132
PID 1056 wrote to memory of 2032	1056	cmd.exe	133
PID 1056 wrote to memory of 2032	1056	cmd.exe	133
PID 1056 wrote to memory of 2032	1056	cmd.exe	133
PID 1056 wrote to memory of 956	1056	cmd.exe	134
PID 1056 wrote to memory of 956	1056	cmd.exe	134
PID 1056 wrote to memory of 956	1056	cmd.exe	134
PID 4100 wrote to memory of 3900	4100	Sena.exe	84

C:\Users\Admin\AppData\Local\Temp\Sena.exe
"C:\Users\Admin\AppData\Local\Temp\Sena.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Users\Admin\AppData\Local\Temp\._cache_Sena.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_Sena.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Users\Admin\AppData\Local\Sena\bin\amide.exe
    "C:\Users\Admin\AppData\Local\Sena\bin\amide.exe" /BM "ASUSTeK Computer Inc"
    3⤵
    - Executes dropped EXE
    PID:2196
- - C:\Users\Admin\AppData\Local\Sena\bin\amide.exe
    "C:\Users\Admin\AppData\Local\Sena\bin\amide.exe" /BP "B450M-Plus II"
    3⤵
    - Executes dropped EXE
    PID:3824
- - C:\Users\Admin\AppData\Local\Sena\bin\amide.exe
    "C:\Users\Admin\AppData\Local\Sena\bin\amide.exe" /SM "ASUSTeK Computer Inc"
    3⤵
    - Executes dropped EXE
    PID:4712
- - C:\Users\Admin\AppData\Local\Sena\bin\amide.exe
    "C:\Users\Admin\AppData\Local\Sena\bin\amide.exe" /SP "B450M-Plus II"
    3⤵
    - Executes dropped EXE
    PID:4876
- - C:\Users\Admin\AppData\Local\Sena\bin\amide.exe
    "C:\Users\Admin\AppData\Local\Sena\bin\amide.exe" /SV "American Megatrends International, LLC."
    3⤵
    - Executes dropped EXE
    PID:4928
- - C:\Users\Admin\AppData\Local\Sena\bin\amide.exe
    "C:\Users\Admin\AppData\Local\Sena\bin\amide.exe" /BV "American Megatrends International, LLC."
    3⤵
    - Executes dropped EXE
    PID:4436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Sena\bin\mac_changer.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic nic where physicaladapter=true get deviceid
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4584
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr [0-9]
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1260
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
      4⤵
      System Location Discovery: System Language Discovery
      PID:2424
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
      4⤵
      System Location Discovery: System Language Discovery
      PID:1252
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
      4⤵
      System Location Discovery: System Language Discovery
      PID:912
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d 72A4C0A677A8 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4376
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4544
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic nic where physicaladapter=true get deviceid
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr [0-9]
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4324
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
      4⤵
      System Location Discovery: System Language Discovery
      PID:4332
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
      4⤵
      System Location Discovery: System Language Discovery
      PID:2032
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
      4⤵
      System Location Discovery: System Language Discovery
      PID:956
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f
      4⤵
      PID:1220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
      4⤵
      PID:320
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
        5⤵
        
        PID:4684
  - - C:\Windows\SysWOW64\netsh.exe
      netsh interface set interface name="Ethernet" disable
      4⤵
      PID:4464
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4032

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.7MB

MD5
c87016453266c49b5c7b0d7abaf6801f

SHA1
0230da2215ae2f918d52bf5c6a80fb3e09356395

SHA256
26b267e0cb8636fe564969255b9b40e8aa3636c5084406d47bd538085e32651e

SHA512
cbae59449af7e35c5b5bd068f75a6bd58c88500af6971057f72c83565f11052a9d3a517d98cb59c6f4e2f7576e73e58d981cb6f7e3a1f6b5f33bd842a699265f

Download Submit
C:\Users\Admin\AppData\Local\Sena\bin\amide.exe

Filesize
453KB

MD5
7f118633f542014d65ee13eb8d4f702a

SHA1
a59117813003390187a45eec4116337d5b695b09

SHA256
e27be45f00bce92b6f3c12e37723295e5a5959ecb8185f06028f3cfb88de3bb6

SHA512
cf004560d6e3ce5cbb142a91445427dce58199dd3d1a254d2ae6d2e41df709c90844edfe9eff711c0a042f05338d72588da25591149edfd90860a76e2b0c9ff8

Download Submit
C:\Users\Admin\AppData\Local\Sena\bin\mac_changer.bat

Filesize
2KB

MD5
86630f471a1c7f40e8494347f9ab8249

SHA1
10a2139adfb884f01799de89bf9b9ccb2a8bb460

SHA256
c15faade0e71acd4abcb60a7e9f3f002a46d3d47bd294f7b12d811c871d1292c

SHA512
666fe7866c2bedc78aad081bddf7e4dc8a9038b173527dc9464dd9c0776314a8c3e1ec7f4d0f34aff0d946b94ed1178a5c665d79173d1bfe0a0a611f6af65369

Download Submit
C:\Users\Admin\AppData\Local\Sena\system_info.txt

Filesize
59B

MD5
3644e728468af34d2a050ae86a13b4da

SHA1
4ad4da04795c32e12857d8ba1a63f3d114f59469

SHA256
57b8020525c631eb2fd27b87887d56755bb2b008d0b22861929e55f175081058

SHA512
d7550f9ebc2809f78e2b24c452eb0cee2c261e3da8c069697fc342c422e23e62823e51882ed8132a3db043a4e9ce775aed7a8e523803dfafe1ad46db63a35377

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Sena.exe

Filesize
1.0MB

MD5
9872c633ef83d043cfca1609c7668719

SHA1
116579be25c526f3fb21620263467717e52db237

SHA256
553cfbf1aec44f3baf003f3a095e9638d4c3ec4aa387e07cf64ff69601353306

SHA512
93bc495d230f8198e573275c037db8b3487ef8cf1ae7029a01998018f4694e2a793bc9bc73e776e171870f0ac1ebbaf3a917ec8da5be235586569989dd0be0e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\17B75E00

Filesize
23KB

MD5
a52febe4c6542e9ccc0045ca3e948dae

SHA1
346fcdd058a5439fcf321b64572d0f9e910bc831

SHA256
778d0fb48b1a2f7b8a48b93ffdc9c07a994f071d78dcff599ce849dfe849c904

SHA512
fe7ce7d7923ad720b1426d40a65e91a9009333ca30d614ec542ffee01a33e71b8fd1b4a6042f2aefb42672e14f0175d29bccb7bde2c56183381004699d9c302b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CVXNNacm.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
memory/2540-130-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/2540-130-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/2540-257-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/2540-258-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/2540-258-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/2540-257-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/2852-195-0x00007FFA26970000-0x00007FFA26980000-memory.dmp

Filesize
64KB

Download
memory/2852-193-0x00007FFA26970000-0x00007FFA26980000-memory.dmp

Filesize
64KB

Download
memory/2852-199-0x00007FFA24880000-0x00007FFA24890000-memory.dmp

Filesize
64KB

Download
memory/2852-198-0x00007FFA24880000-0x00007FFA24890000-memory.dmp

Filesize
64KB

Download
memory/2852-197-0x00007FFA26970000-0x00007FFA26980000-memory.dmp

Filesize
64KB

Download
memory/2852-196-0x00007FFA26970000-0x00007FFA26980000-memory.dmp

Filesize
64KB

Download
memory/2852-198-0x00007FFA24880000-0x00007FFA24890000-memory.dmp

Filesize
64KB

Download
memory/2852-197-0x00007FFA26970000-0x00007FFA26980000-memory.dmp

Filesize
64KB

Download
memory/2852-196-0x00007FFA26970000-0x00007FFA26980000-memory.dmp

Filesize
64KB

Download
memory/2852-199-0x00007FFA24880000-0x00007FFA24890000-memory.dmp

Filesize
64KB

Download
memory/2852-194-0x00007FFA26970000-0x00007FFA26980000-memory.dmp

Filesize
64KB

Download
memory/2852-193-0x00007FFA26970000-0x00007FFA26980000-memory.dmp

Filesize
64KB

Download
memory/2852-195-0x00007FFA26970000-0x00007FFA26980000-memory.dmp

Filesize
64KB

Download
memory/2852-194-0x00007FFA26970000-0x00007FFA26980000-memory.dmp

Filesize
64KB

Download
memory/3900-256-0x00000000728FE000-0x00000000728FF000-memory.dmp

Filesize
4KB

Download
memory/3900-201-0x0000000006B40000-0x0000000006B78000-memory.dmp

Filesize
224KB

Download
memory/3900-128-0x00000000728FE000-0x00000000728FF000-memory.dmp

Filesize
4KB

Download
memory/3900-134-0x0000000000DA0000-0x0000000000EAA000-memory.dmp

Filesize
1.0MB

Download
memory/3900-134-0x0000000000DA0000-0x0000000000EAA000-memory.dmp

Filesize
1.0MB

Download
memory/3900-182-0x0000000007BC0000-0x0000000007DBA000-memory.dmp

Filesize
2.0MB

Download
memory/3900-256-0x00000000728FE000-0x00000000728FF000-memory.dmp

Filesize
4KB

Download
memory/3900-201-0x0000000006B40000-0x0000000006B78000-memory.dmp

Filesize
224KB

Download
memory/3900-182-0x0000000007BC0000-0x0000000007DBA000-memory.dmp

Filesize
2.0MB

Download
memory/3900-128-0x00000000728FE000-0x00000000728FF000-memory.dmp

Filesize
4KB

Download
memory/3900-203-0x0000000007240000-0x00000000072A6000-memory.dmp

Filesize
408KB

Download
memory/3900-202-0x00000000067E0000-0x00000000067EE000-memory.dmp

Filesize
56KB

Download
memory/3900-200-0x0000000006790000-0x0000000006798000-memory.dmp

Filesize
32KB

Download
memory/3900-200-0x0000000006790000-0x0000000006798000-memory.dmp

Filesize
32KB

Download
memory/3900-202-0x00000000067E0000-0x00000000067EE000-memory.dmp

Filesize
56KB

Download
memory/3900-203-0x0000000007240000-0x00000000072A6000-memory.dmp

Filesize
408KB

Download
memory/4100-0-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/4100-0-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/4100-129-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/4100-129-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download