xred | 26b267e0cb8636fe564969255b9b40e8aa3636c5084406d47bd538085e32651e

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sena.exe
Size

1.7MB
MD5

c87016453266c49b5c7b0d7abaf6801f
SHA1

0230da2215ae2f918d52bf5c6a80fb3e09356395
SHA256

26b267e0cb8636fe564969255b9b40e8aa3636c5084406d47bd538085e32651e
SHA512

cbae59449af7e35c5b5bd068f75a6bd58c88500af6971057f72c83565f11052a9d3a517d98cb59c6f4e2f7576e73e58d981cb6f7e3a1f6b5f33bd842a699265f
SSDEEP

24576:2nsJ39LyjbJkQFMhmC+6GD9qEoScovLgGCJv+gy4xwpdvGzk+kKufpFr:2nsHyjtk2MYC5GD8UcoDTCBtxCdeQ+y

Score

10^/10

xred backdoor discovery macro persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x000800000001950e-120.dat

Executes dropped EXE 3 IoCs

pid	Process
2796	._cache_Sena.exe
2828	Synaptics.exe
2592	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
2668	Sena.exe
2668	Sena.exe
2668	Sena.exe
2828	Synaptics.exe
2828	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Sena.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sena.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Sena.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2368	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2796	._cache_Sena.exe
2592	._cache_Synaptics.exe
2592	._cache_Synaptics.exe
2796	._cache_Sena.exe
2592	._cache_Synaptics.exe
2592	._cache_Synaptics.exe
2592	._cache_Synaptics.exe
2592	._cache_Synaptics.exe
2592	._cache_Synaptics.exe
2592	._cache_Synaptics.exe
2592	._cache_Synaptics.exe
2592	._cache_Synaptics.exe
2592	._cache_Synaptics.exe
2592	._cache_Synaptics.exe
2592	._cache_Synaptics.exe
2592	._cache_Synaptics.exe
2592	._cache_Synaptics.exe
2592	._cache_Synaptics.exe
2592	._cache_Synaptics.exe
2592	._cache_Synaptics.exe
2592	._cache_Synaptics.exe
2592	._cache_Synaptics.exe
2796	._cache_Sena.exe
2796	._cache_Sena.exe
2796	._cache_Sena.exe
2796	._cache_Sena.exe
2796	._cache_Sena.exe
2796	._cache_Sena.exe
2796	._cache_Sena.exe
2796	._cache_Sena.exe
2592	._cache_Synaptics.exe
2592	._cache_Synaptics.exe
2796	._cache_Sena.exe
2796	._cache_Sena.exe
2796	._cache_Sena.exe
2796	._cache_Sena.exe
2796	._cache_Sena.exe
2796	._cache_Sena.exe
2796	._cache_Sena.exe
2796	._cache_Sena.exe
2796	._cache_Sena.exe
2796	._cache_Sena.exe
2592	._cache_Synaptics.exe
2592	._cache_Synaptics.exe
2796	._cache_Sena.exe
2796	._cache_Sena.exe
2796	._cache_Sena.exe
2796	._cache_Sena.exe
2796	._cache_Sena.exe
2796	._cache_Sena.exe
2796	._cache_Sena.exe
2796	._cache_Sena.exe
2592	._cache_Synaptics.exe
2592	._cache_Synaptics.exe
2796	._cache_Sena.exe
2796	._cache_Sena.exe
2796	._cache_Sena.exe
2796	._cache_Sena.exe
2796	._cache_Sena.exe
2796	._cache_Sena.exe
2796	._cache_Sena.exe
2796	._cache_Sena.exe
2592	._cache_Synaptics.exe
2592	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2368	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2796	2668	Sena.exe	30
PID 2668 wrote to memory of 2796	2668	Sena.exe	30
PID 2668 wrote to memory of 2796	2668	Sena.exe	30
PID 2668 wrote to memory of 2796	2668	Sena.exe	30
PID 2668 wrote to memory of 2828	2668	Sena.exe	31
PID 2668 wrote to memory of 2828	2668	Sena.exe	31
PID 2668 wrote to memory of 2828	2668	Sena.exe	31
PID 2668 wrote to memory of 2828	2668	Sena.exe	31
PID 2828 wrote to memory of 2592	2828	Synaptics.exe	32
PID 2828 wrote to memory of 2592	2828	Synaptics.exe	32
PID 2828 wrote to memory of 2592	2828	Synaptics.exe	32
PID 2828 wrote to memory of 2592	2828	Synaptics.exe	32

C:\Users\Admin\AppData\Local\Temp\Sena.exe
"C:\Users\Admin\AppData\Local\Temp\Sena.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Local\Temp\._cache_Sena.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_Sena.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2796
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2592

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.7MB

MD5
c87016453266c49b5c7b0d7abaf6801f

SHA1
0230da2215ae2f918d52bf5c6a80fb3e09356395

SHA256
26b267e0cb8636fe564969255b9b40e8aa3636c5084406d47bd538085e32651e

SHA512
cbae59449af7e35c5b5bd068f75a6bd58c88500af6971057f72c83565f11052a9d3a517d98cb59c6f4e2f7576e73e58d981cb6f7e3a1f6b5f33bd842a699265f

Download Submit
C:\Users\Admin\AppData\Local\Sena\system_info.txt

Filesize
59B

MD5
be8dcd68f8c769443dd8a5613ec75360

SHA1
6dbc2b9c82f333c762b2d7c069675cb7ba2c09f6

SHA256
f025248aaaca6934a58315a41bde2b09dc94a08317bee1c3dd166361b41625cd

SHA512
a36530d37b77e1b84385dc4e36f183f6e9d63df0ffb0753a04b07fe86712f70623f2cee0e2841a4fe1f3aab307a2a4e85e92e91e31441cddfeeb42bd87e2eb97

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Sena.exe

Filesize
1.0MB

MD5
9872c633ef83d043cfca1609c7668719

SHA1
116579be25c526f3fb21620263467717e52db237

SHA256
553cfbf1aec44f3baf003f3a095e9638d4c3ec4aa387e07cf64ff69601353306

SHA512
93bc495d230f8198e573275c037db8b3487ef8cf1ae7029a01998018f4694e2a793bc9bc73e776e171870f0ac1ebbaf3a917ec8da5be235586569989dd0be0e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\EqtJIEpX.xlsm

Filesize
28KB

MD5
8bdba173bafd4784bdca22045f87ac9e

SHA1
5a521cc6430ff48e7eed0935abbc3f0684c12281

SHA256
b45132b803ff6b00abe0c66fd9f81d8d4c4f9474be7320b3cff94cf93b39f7c5

SHA512
1ff39135af859e835e9d8276d98e2ced8d0a9d9ee044ec8c9c3e132553384f8a3809747173ab7ee42808dd0904e50a13aea2c345dce05e74f717f384d95a96ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\EqtJIEpX.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\EqtJIEpX.xlsm

Filesize
32KB

MD5
94296ae5e51dbd97832ed185c0c6aa25

SHA1
6d6a691076c29167c7c8dffd770856ca8352fa94

SHA256
f6d8d3bfd4ed2c6ec79dd69250b69d74752d15f324a89756814c1a5686d5a2a3

SHA512
131f927940852ad0ed23966cad5b0db3c80db2b7564f41571b0dc9871a694347eeadf405f7585f1728dd9307ba446ad556787cdc5762e497d8c7dab668d21f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EqtJIEpX.xlsm

Filesize
31KB

MD5
d2dd57696ae2a365721a6106fef96808

SHA1
f9f75a17c7df6557fa77ecf1f19ee3b6d77c5f73

SHA256
f1155fd46e6e59bc0a95eb700bfa7386e0eb3fd91f0b8553aaeb3e4a9e6bf74f

SHA512
b7ba17cfd16a960c13d22e88381d44a93fecb4a5498ef9f99521cb723af7c2c2c5d8c4c448192c7f24ef5f2fa6f4767cdca3c7322cf2411c63464a8d91a5857f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EqtJIEpX.xlsm

Filesize
31KB

MD5
ba710b6a740bb2211466c400adbe9db9

SHA1
2595435607fe803c8c862cba3e3455a3a0e63b86

SHA256
ffb2f02c07e2619643d7a0a604cb8cb4574de6175ec9e856318a63ba80c294d8

SHA512
3aec96db63d5266c8d8f19b5a99f012422509a126e226ad825d6178c334be4a166555fcca16a15efe97e8925cdb55ce905cd6779d102e22f7d7cf0a94e7cdc8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EqtJIEpX.xlsm

Filesize
33KB

MD5
8b6afab37629cf2e3e8d54f9026da75e

SHA1
02eb658858d05ff8adeef40253131e8816a2c1ec

SHA256
79615de7839046b0e9c095e89a834270ec2ac007cd1142959dd4b4e02d239f6c

SHA512
00f8e21400f0c72ad9ccda3392b32261629246fc774529ec17ba4e60591ee9fdd749fc84b83f3b908be29e002d76317340c684eff4b14c7a657b552e85a0d7ed

Download Submit
C:\Users\Admin\Desktop\~$UseStart.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
memory/2368-48-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2592-38-0x0000000000210000-0x000000000031A000-memory.dmp

Filesize
1.0MB

Download
memory/2592-142-0x0000000000460000-0x000000000046A000-memory.dmp

Filesize
40KB

Download
memory/2592-143-0x0000000000460000-0x000000000046A000-memory.dmp

Filesize
40KB

Download
memory/2592-42-0x0000000000460000-0x000000000046A000-memory.dmp

Filesize
40KB

Download
memory/2592-43-0x0000000000460000-0x000000000046A000-memory.dmp

Filesize
40KB

Download
memory/2592-39-0x0000000006EA0000-0x000000000709A000-memory.dmp

Filesize
2.0MB

Download
memory/2668-26-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/2668-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2796-29-0x0000000000C60000-0x0000000000D6A000-memory.dmp

Filesize
1.0MB

Download
memory/2796-40-0x0000000000390000-0x000000000039A000-memory.dmp

Filesize
40KB

Download
memory/2796-41-0x0000000000390000-0x000000000039A000-memory.dmp

Filesize
40KB

Download
memory/2796-141-0x0000000000390000-0x000000000039A000-memory.dmp

Filesize
40KB

Download
memory/2796-140-0x0000000000390000-0x000000000039A000-memory.dmp

Filesize
40KB

Download
memory/2828-139-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/2828-144-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/2828-178-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download