xred | 26b267e0cb8636fe564969255b9b40e8aa3636c5084406d47bd538085e32651e

Analysis

max time kernel
16s
max time network
18s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
07-01-2025 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sena.exe
Size

1.7MB
MD5

c87016453266c49b5c7b0d7abaf6801f
SHA1

0230da2215ae2f918d52bf5c6a80fb3e09356395
SHA256

26b267e0cb8636fe564969255b9b40e8aa3636c5084406d47bd538085e32651e
SHA512

cbae59449af7e35c5b5bd068f75a6bd58c88500af6971057f72c83565f11052a9d3a517d98cb59c6f4e2f7576e73e58d981cb6f7e3a1f6b5f33bd842a699265f
SSDEEP

24576:2nsJ39LyjbJkQFMhmC+6GD9qEoScovLgGCJv+gy4xwpdvGzk+kKufpFr:2nsHyjtk2MYC5GD8UcoDTCBtxCdeQ+y

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	Sena.exe

Executes dropped EXE 2 IoCs

pid	Process
4868	._cache_Sena.exe
3328	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Sena.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1076	4868	WerFault.exe	80

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sena.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Sena.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Sena.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe
4868	._cache_Sena.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4868	._cache_Sena.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 4868	4592	Sena.exe	80
PID 4592 wrote to memory of 4868	4592	Sena.exe	80
PID 4592 wrote to memory of 4868	4592	Sena.exe	80
PID 4592 wrote to memory of 3328	4592	Sena.exe	81
PID 4592 wrote to memory of 3328	4592	Sena.exe	81
PID 4592 wrote to memory of 3328	4592	Sena.exe	81

C:\Users\Admin\AppData\Local\Temp\Sena.exe
"C:\Users\Admin\AppData\Local\Temp\Sena.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Users\Admin\AppData\Local\Temp\._cache_Sena.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_Sena.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 2976
    3⤵
    - Program crash
    PID:1076
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 256 -p 4868 -ip 4868
1⤵
PID:3144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
753KB

MD5
0ba8f2b61f6c68772b289750e15eaead

SHA1
d21cbf10499dceaed861faf65904ce9c4aa7b118

SHA256
8e368f4036a825184120334525e46fddd3e37d0a16ccc0d52d29bc4031a8ab18

SHA512
8872b0256630df08f62ee855d3e7efa4ccba5e9e5d2e1f9217500542d18bcaa0ce7586cd86b3e9fa15ddbd317a669dc7fe3ee7d30a831210863ee5873116b35d

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Sena.exe

Filesize
1.0MB

MD5
9872c633ef83d043cfca1609c7668719

SHA1
116579be25c526f3fb21620263467717e52db237

SHA256
553cfbf1aec44f3baf003f3a095e9638d4c3ec4aa387e07cf64ff69601353306

SHA512
93bc495d230f8198e573275c037db8b3487ef8cf1ae7029a01998018f4694e2a793bc9bc73e776e171870f0ac1ebbaf3a917ec8da5be235586569989dd0be0e1

Download Submit
memory/3328-147-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3328-146-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/3328-131-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/4592-0-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/4592-129-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/4868-133-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/4868-132-0x00000000078C0000-0x0000000007ABA000-memory.dmp

Filesize
2.0MB

Download
memory/4868-134-0x0000000006FF0000-0x0000000006FF8000-memory.dmp

Filesize
32KB

Download
memory/4868-135-0x00000000073C0000-0x00000000073F8000-memory.dmp

Filesize
224KB

Download
memory/4868-136-0x0000000007380000-0x000000000738E000-memory.dmp

Filesize
56KB

Download
memory/4868-137-0x0000000009320000-0x0000000009386000-memory.dmp

Filesize
408KB

Download
memory/4868-141-0x000000007298E000-0x000000007298F000-memory.dmp

Filesize
4KB

Download
memory/4868-126-0x00000000006E0000-0x00000000007EA000-memory.dmp

Filesize
1.0MB

Download
memory/4868-97-0x000000007298E000-0x000000007298F000-memory.dmp

Filesize
4KB

Download