xred | 26b267e0cb8636fe564969255b9b40e8aa3636c5084406d47bd538085e32651e

Analysis

max time kernel
145s
max time network
144s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sena.exe
Size

1.7MB
MD5

c87016453266c49b5c7b0d7abaf6801f
SHA1

0230da2215ae2f918d52bf5c6a80fb3e09356395
SHA256

26b267e0cb8636fe564969255b9b40e8aa3636c5084406d47bd538085e32651e
SHA512

cbae59449af7e35c5b5bd068f75a6bd58c88500af6971057f72c83565f11052a9d3a517d98cb59c6f4e2f7576e73e58d981cb6f7e3a1f6b5f33bd842a699265f
SSDEEP

24576:2nsJ39LyjbJkQFMhmC+6GD9qEoScovLgGCJv+gy4xwpdvGzk+kKufpFr:2nsHyjtk2MYC5GD8UcoDTCBtxCdeQ+y

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
2312	._cache_Sena.exe
2956	Synaptics.exe
2812	._cache_Synaptics.exe

Loads dropped DLL 10 IoCs

pid	Process
1700	Sena.exe
1700	Sena.exe
1700	Sena.exe
2956	Synaptics.exe
2956	Synaptics.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Sena.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1772	2312	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sena.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Sena.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2764	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2812	._cache_Synaptics.exe
2312	._cache_Sena.exe
2812	._cache_Synaptics.exe
2312	._cache_Sena.exe
2312	._cache_Sena.exe
2312	._cache_Sena.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe
2812	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2764	EXCEL.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2312	1700	Sena.exe	30
PID 1700 wrote to memory of 2312	1700	Sena.exe	30
PID 1700 wrote to memory of 2312	1700	Sena.exe	30
PID 1700 wrote to memory of 2312	1700	Sena.exe	30
PID 1700 wrote to memory of 2956	1700	Sena.exe	31
PID 1700 wrote to memory of 2956	1700	Sena.exe	31
PID 1700 wrote to memory of 2956	1700	Sena.exe	31
PID 1700 wrote to memory of 2956	1700	Sena.exe	31
PID 2956 wrote to memory of 2812	2956	Synaptics.exe	32
PID 2956 wrote to memory of 2812	2956	Synaptics.exe	32
PID 2956 wrote to memory of 2812	2956	Synaptics.exe	32
PID 2956 wrote to memory of 2812	2956	Synaptics.exe	32
PID 2312 wrote to memory of 1772	2312	._cache_Sena.exe	34
PID 2312 wrote to memory of 1772	2312	._cache_Sena.exe	34
PID 2312 wrote to memory of 1772	2312	._cache_Sena.exe	34
PID 2312 wrote to memory of 1772	2312	._cache_Sena.exe	34

C:\Users\Admin\AppData\Local\Temp\Sena.exe
"C:\Users\Admin\AppData\Local\Temp\Sena.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Local\Temp\._cache_Sena.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_Sena.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1264
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1772
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2812

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.7MB

MD5
c87016453266c49b5c7b0d7abaf6801f

SHA1
0230da2215ae2f918d52bf5c6a80fb3e09356395

SHA256
26b267e0cb8636fe564969255b9b40e8aa3636c5084406d47bd538085e32651e

SHA512
cbae59449af7e35c5b5bd068f75a6bd58c88500af6971057f72c83565f11052a9d3a517d98cb59c6f4e2f7576e73e58d981cb6f7e3a1f6b5f33bd842a699265f

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Sena.exe

Filesize
1.0MB

MD5
9872c633ef83d043cfca1609c7668719

SHA1
116579be25c526f3fb21620263467717e52db237

SHA256
553cfbf1aec44f3baf003f3a095e9638d4c3ec4aa387e07cf64ff69601353306

SHA512
93bc495d230f8198e573275c037db8b3487ef8cf1ae7029a01998018f4694e2a793bc9bc73e776e171870f0ac1ebbaf3a917ec8da5be235586569989dd0be0e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\U7rgSaum.xlsm

Filesize
21KB

MD5
6be7d42c276d9ffcdad6194f8d47d889

SHA1
277a51c22b7d29f9137c98e5da91ae45e0ce7423

SHA256
70dc01de8d2874abbb6df474aa010425834fdbc7358f41a90ab2c8d1b91f94ee

SHA512
f333e95a927a1f02092e973cf3c8f18fde0fbe5dd19b24546e7f42a39a5ed7682dae4fde4f0b4e56d186155b304bbc2b3383e3189b13bc3afa2efa5b93214550

Download Submit
C:\Users\Admin\AppData\Local\Temp\U7rgSaum.xlsm

Filesize
25KB

MD5
735086385f16fa1daa48fbb756a88728

SHA1
0a799b9cfa9bc7413e4b6bcb0e30832a00010c13

SHA256
49394e4811dba1a6db00279674b6da8b473ad5620fa33ad37235766fe6922ed6

SHA512
33982cb5326afa432909441989e42197141c476ba337352f0a53daa8bba97a497fa32bc75602ccbfaf4ac59283b1cff9529f118c6368de59a04e6a1548c29d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\U7rgSaum.xlsm

Filesize
23KB

MD5
5394ae155d585c1d7230d3a42326c020

SHA1
1b65c8f9a48598325df86723abf3040a490d814a

SHA256
72e5c43d11b84e72e77320b27757e14428260ebe56b0698b218c44876a201ada

SHA512
00d1c617be1a4f02cfb5be813905e82c0fd4856395de27a5bc882f1f10249d6344ad1bd2864fae980bd4e23f9ce590f97aac52065b5f8747b700850216ae54e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\U7rgSaum.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\U7rgSaum.xlsm

Filesize
21KB

MD5
e36052364fdd2f949e2da34013d996d9

SHA1
310fab232c7ed00589c85ccae4466e6f60c4e7dc

SHA256
a8e228ba01d8be2481da899ea594ae24ffa8fc1259f069244abd04d097c0049c

SHA512
643f0cae17a23f64ca54545292d0486a496e43ddeb67210cf3723792c25816c0244bd6370d60c47e7c5949629eb287490a5a792a429ab298d91a566080fe9c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\U7rgSaum.xlsm

Filesize
26KB

MD5
1fd9f31e5cfdf1ad20686a14d233ae2e

SHA1
a867922b67fb6dbfd0de0ea085a8d686069477b3

SHA256
f97953027d2e09f346b94b0d811130fbf4ddda37cdff79d612b6512ae6bc87f9

SHA512
41c11d8619659328845dda77e51d6c29317de9f8250c285181c1389ba4684ec117a7e439081855c244d0155a411170328750116bc78fdd109afc16a4719aabb7

Download Submit
C:\Users\Admin\Desktop\~$OpenBackup.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
memory/1700-26-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/1700-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2312-39-0x0000000006F20000-0x000000000711A000-memory.dmp

Filesize
2.0MB

Download
memory/2312-41-0x0000000000330000-0x000000000033A000-memory.dmp

Filesize
40KB

Download
memory/2312-29-0x00000000000E0000-0x00000000001EA000-memory.dmp

Filesize
1.0MB

Download
memory/2312-40-0x0000000000330000-0x000000000033A000-memory.dmp

Filesize
40KB

Download
memory/2764-140-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2764-53-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2812-52-0x0000000000360000-0x000000000036A000-memory.dmp

Filesize
40KB

Download
memory/2812-42-0x0000000000360000-0x000000000036A000-memory.dmp

Filesize
40KB

Download
memory/2812-43-0x0000000000360000-0x000000000036A000-memory.dmp

Filesize
40KB

Download
memory/2812-38-0x0000000000D80000-0x0000000000E8A000-memory.dmp

Filesize
1.0MB

Download
memory/2956-51-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/2956-141-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/2956-142-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/2956-174-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download