Analysis

  • max time kernel
    158s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • submitted
    23/04/2024, 20:18

General

  • Target

    RUN ME FIRST.exe

  • Size

    30.2MB

  • MD5

    1a1d3ccdb446065c89c44b67105a48c1

  • SHA1

    6a045b2be0a524d2e46e1a158fa9f5768d539470

  • SHA256

    76be196c4deabfcb66820dbc30df22421bd2940a68993272eea691cad86092fc

  • SHA512

    83b47897b5a958ba3d915caf631c1971445fcdb38b1fc344867126ffb2b94068ed447a280a7d330b3b2cd7a7d82171f5abce29bb36a11f7f9f371e20eb02ddb2

  • SSDEEP

    786432:TZ/Z/rp+Ty2SfUfnbu+zMFy/7zYgWXRLTArzttOaaFH:1Rzp+Ty2SfWnPzMFO7zYgWBLbFH

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll
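The extracted config above is the part of this report that is directly useful for a hunt: xred.mooo.com and xred.site50.net are the operator's own hosts, but the Dropbox, Google Drive and FreeDNS entries live on shared services that cannot be blocked by hostname and have to be matched on the exact share. The Python below is an added example, not tria.ge output or Xred code. It indexes the payload URLs by host, path and the significant query parameters, so a Dropbox preview link (dl=0 instead of dl=1) or a Google Drive link with reordered parameters still matches while unrelated shares on the same hosts do not. The proxy-log line format and the sample lines are constructed for the demo.

```python
"""Match proxy-log URLs against the Xred configuration extracted above.

Added example; not tria.ge output or Xred code. The log format
('<timestamp> <client> <method> <url>') is an assumption made for the sample.
"""
from urllib.parse import urlsplit, parse_qsl

# Indicators copied verbatim from the "Malware Config" section of this report.
C2_DOMAINS = {"xred.mooo.com"}
PAYLOAD_URLS = [
    "http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download",
    "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1",
    "http://xred.site50.net/syn/SUpdate.ini",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download",
    "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1",
    "http://xred.site50.net/syn/Synaptics.rar",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download",
    "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1",
    "http://xred.site50.net/syn/SSLLibrary.dll",
]

# Hosts the operator controls outright; any contact with them is an indicator.
# docs.google.com, dropbox.com and freedns.afraid.org are shared services and
# are matched on the exact share/path instead of the host.
ATTACKER_HOSTS = C2_DOMAINS | {"xred.site50.net"}

# Query parameters that select how a share is served, not which file it is
# (Dropbox dl=0/1, Google Drive export=download); dropped before comparison.
IGNORED_PARAMS = {"dl", "export"}


def indicator_key(url):
    """Normalise a URL to (host, path, significant query pairs)."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/") or "/"
    params = frozenset(
        (k, v) for k, v in parse_qsl(parts.query) if k not in IGNORED_PARAMS
    )
    return host, path, params


PAYLOAD_INDEX = [(indicator_key(u), u) for u in PAYLOAD_URLS]


def classify_url(url):
    """Return 'attacker-host', 'payload-url' or None for one observed URL."""
    host, path, params = indicator_key(url)
    if host in ATTACKER_HOSTS or any(host.endswith("." + h) for h in ATTACKER_HOSTS):
        return "attacker-host"
    for (ihost, ipath, iparams), _original in PAYLOAD_INDEX:
        # The observed request may carry extra parameters; every parameter of
        # the indicator must be present, regardless of order.
        if host == ihost and path == ipath and iparams <= params:
            return "payload-url"
    return None


def hunt(log_lines):
    """Return (timestamp, client, verdict, url) for every matching log line."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip it rather than abort the hunt
        verdict = classify_url(fields[3])
        if verdict:
            hits.append((fields[0], fields[1], verdict, fields[3]))
    return hits


# Constructed sample log: the Dropbox preview URL (dl=0) and the reordered
# Google Drive query still match; the last two lines are benign.
SAMPLE_LOG = [
    "2024-04-23T20:19:01Z 10.0.0.5 GET http://xred.mooo.com/",
    "2024-04-23T20:19:02Z 10.0.0.5 GET https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=0",
    "2024-04-23T20:19:03Z 10.0.0.5 GET https://docs.google.com/uc?export=download&id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk",
    "2024-04-23T20:19:04Z 10.0.0.7 GET https://docs.google.com/uc?id=unrelatedshare&export=download",
    "2024-04-23T20:19:05Z 10.0.0.7 GET https://www.dropbox.com/home",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit)
```

Feeding the constructed log through hunt() flags the first three lines and leaves the unrelated Google Drive share and the Dropbox home page alone. The FreeDNS entry is worth keeping on the list even though the host is a legitimate dynamic-DNS provider: the sha parameter identifies the operator's account, so that exact request is as specific as the xred.* hosts.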

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
  • Checks BIOS information in registry 2 TTPs 18 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 1 IoCs
  • Themida packer 31 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 9 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RUN ME FIRST.exe
    "C:\Users\Admin\AppData\Local\Temp\RUN ME FIRST.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3292
    • \??\c:\users\admin\appdata\local\temp\run me first.exe 
      "c:\users\admin\appdata\local\temp\run me first.exe "
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3032
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:4400
        • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3132
          • \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe 
            c:\users\admin\appdata\local\temp\._cache_synaptics.exe  InjUpdate
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1892
            • C:\Windows\Temp\{E9336254-3570-472F-AC66-DA96A765D6CB}\.cr\._cache_synaptics.exe 
              "C:\Windows\Temp\{E9336254-3570-472F-AC66-DA96A765D6CB}\.cr\._cache_synaptics.exe " -burn.clean.room="c:\users\admin\appdata\local\temp\._cache_synaptics.exe " -burn.filehandle.attached=648 -burn.filehandle.self=656 InjUpdate
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:4888
          • C:\Windows\Resources\Themes\icsys.icn.exe
            C:\Windows\Resources\Themes\icsys.icn.exe
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3232
            • \??\c:\windows\resources\themes\explorer.exe
              c:\windows\resources\themes\explorer.exe
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:3484
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5012
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in System32 directory
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5056
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3980
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visibility of hidden/system files in Explorer
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops file in System32 directory
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4432
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1696
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4056 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:208
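The process tree above shows the pattern a detection rule should key on: copies named explorer.exe, spoolsv.exe and svchost.exe run from C:\Windows\Resources, a dropper at C:\ProgramData\Synaptics\Synaptics.exe, and image paths that end in a space (the \??\ prefixes in the tree are there because Win32 path normalisation strips trailing spaces, so a file named "run me first.exe " can only be opened through an NT path). The Python below is an added example, not tria.ge or Xred code; it applies those three checks to constructed process-creation events built from the PIDs and paths in the tree plus two benign entries. The event shape, the "expected directory" table and the benign PIDs are assumptions for the demo.

```python
"""Flag process-creation events that match the drop-and-masquerade pattern
in the process tree above.

Added example, not tria.ge or Xred code. The event shape
({'pid', 'image'}) and the expected directories are assumptions.
"""
import ntpath

# Where Windows itself runs these binaries from (assumption: default 64-bit
# install; SysWOW64 is included for 32-bit service hosts).
EXPECTED_DIRS = {
    "explorer.exe": {"c:\\windows"},
    "svchost.exe": {"c:\\windows\\system32", "c:\\windows\\syswow64"},
    "spoolsv.exe": {"c:\\windows\\system32"},
}

# Directories the report shows being used as drop locations. Neither should
# normally contain executables at all.
DROP_DIRS = ("c:\\windows\\resources\\", "c:\\programdata\\synaptics\\")

NT_PREFIX = "\\??\\"


def normalise_image(image):
    """Strip the NT prefix and trailing whitespace; report whether either was present.

    Win32 normalisation removes trailing spaces from a path, so a file literally
    named 'run me first.exe ' can only be opened through a \\??\\ or \\\\?\\ path.
    Both the prefix and the trailing space are therefore worth flagging on their own.
    """
    nt_prefix = image.startswith(NT_PREFIX)
    if nt_prefix:
        image = image[len(NT_PREFIX):]
    trailing_ws = image != image.rstrip()
    return image.rstrip().lower(), nt_prefix, trailing_ws


def evaluate(event):
    """Return the list of reasons this event is suspicious (empty if none)."""
    path, nt_prefix, trailing_ws = normalise_image(event["image"])
    directory, name = ntpath.split(path)
    reasons = []
    if name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]:
        reasons.append(f"{name} running from {directory!r} instead of its system directory")
    if path.startswith(DROP_DIRS):
        reasons.append("executable launched from a known Xred drop directory")
    if nt_prefix or trailing_ws:
        reasons.append("image path relies on NT prefix / trailing whitespace (normalisation evasion)")
    return reasons


def hunt(events):
    """Return (pid, image, reasons) for every flagged event, in input order."""
    hits = []
    for event in events:
        reasons = evaluate(event)
        if reasons:
            hits.append((event["pid"], event["image"], reasons))
    return hits


# Constructed events: PIDs and paths taken from the process tree above, plus
# two benign entries (PIDs 1234 and 1240 are made up) that must not fire.
SAMPLE_EVENTS = [
    {"pid": 3292, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\RUN ME FIRST.exe"},
    {"pid": 3032, "image": "\\??\\c:\\users\\admin\\appdata\\local\\temp\\run me first.exe "},
    {"pid": 4400, "image": "C:\\ProgramData\\Synaptics\\Synaptics.exe"},
    {"pid": 5012, "image": "C:\\Windows\\Resources\\Themes\\icsys.icn.exe"},
    {"pid": 5056, "image": "\\??\\c:\\windows\\resources\\themes\\explorer.exe"},
    {"pid": 3980, "image": "\\??\\c:\\windows\\resources\\spoolsv.exe"},
    {"pid": 4432, "image": "\\??\\c:\\windows\\resources\\svchost.exe"},
    {"pid": 1234, "image": "C:\\Windows\\explorer.exe"},
    {"pid": 1240, "image": "C:\\Windows\\System32\\svchost.exe"},
]

if __name__ == "__main__":
    for pid, image, reasons in hunt(SAMPLE_EVENTS):
        print(pid, repr(image))
        for reason in reasons:
            print("   -", reason)
```

Note that the initial launch (PID 3292) is deliberately not flagged: an executable in the user's Temp directory is not suspicious on its own, and the detection value is in what it spawns. The three masquerading copies under C:\Windows\Resources each trip all three checks, which is what makes this chain easy to alert on with low false-positive risk.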

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

      Filesize

      26.8MB

      MD5

      295a5c23bd7d75fb93c29d301461999e

      SHA1

      fe574720ca812f4cf0523efc7bd65c2b9e1cd006

      SHA256

      f12b9927989c46a741e1b6dba0cdca4d6da86852cefd9cdb08204e26caac53e7

      SHA512

      e08857e8fd4f3a2e501add77e7a2326693b97283a03106f4e60fcdfa1dd148009681134895b6285f328549ab24172effd9c5ee09aa5283f170a6c62bfa6efc3e

    • C:\Users\Admin\AppData\Local\Temp\run me first.exe 

      Filesize

      27.6MB

      MD5

      d91e55db411d487e8311d12596327ac4

      SHA1

      e0104af553bf10a7bd178b41d1026fee4393d90c

      SHA256

      f5c8914376373c7c48658ee56adf44ba3157c4ca5fbba82f7794c3b820687128

      SHA512

      fe016a2c18f69f36c0c9ce9d1dda3a1a3b6e701c32f3fbb57ca4ba74ffe53edddb09ad2849da206509faa0e7a1af8d606c0c55ab803fe8987e5fb7d8e7a6887d

    • C:\Windows\Resources\Themes\explorer.exe

      Filesize

      2.6MB

      MD5

      89c4c85a9c88ef50389b022428aa867a

      SHA1

      4c82f4c1b48ad34d22c796584e90e29f97731b07

      SHA256

      4725240fb096b184817c7ded0e2dd679c89c18a783839aea4357c2e83b64c125

      SHA512

      1d725e2a0b1b0ca4f28364f13443f20f487f60c31876a5c214d655e7d050b28e86b5a7f788cef72382ecaeddcc63f34be3abd626c8ddc75ad228a75048114e78

    • C:\Windows\Resources\Themes\icsys.icn.exe

      Filesize

      2.6MB

      MD5

      a7d44128dcb01d3d19a1ef4213f70062

      SHA1

      958e7e8688e020f97ed58d271510c3fa31f581fa

      SHA256

      20f97327231090b3d3231195923ff1e2e1955824bc7b73bee506a2f7fe152cd9

      SHA512

      75659f857d97fd372185dd806c2fdff94500c670d5774c803a79a0a6d9d6be10c5aab58a8afec6e9e4d750a5de7eeeb4ef664101a379f3dfb97b3a7c34979ebb

    • C:\Windows\Resources\Themes\icsys.icn.exe

      Filesize

      2.6MB

      MD5

      8f56db780a95e5ce300362e20acbc444

      SHA1

      44ae525decdb38b1d75336a0ed4b00650b207da3

      SHA256

      747b5aacd446eb0a76ed4ff9323a5eb97e4ae3260ea17924e9e39d7da90f8400

      SHA512

      7186f3a8a9ba81703eafc0f673952ce424c0c3b774eb0b09f073246d35549aad21486d5b782e64330dbaf3c06e368f0c48b602c8ca6acd2427e10a88d77f0cbe

    • C:\Windows\Resources\spoolsv.exe

      Filesize

      2.6MB

      MD5

      9f4a273cd4ed4fb9959bfde11f1c3121

      SHA1

      0379b3bda7effa0e8fcbdbd5b7004ddf7ea354c6

      SHA256

      19c3d5e713337763f4ea5212bd1d5bda150977269391686fe8c799574ba43de3

      SHA512

      2f93cb5a2dfef4d59606aa703bce4b68b63f38e2aff05130f3c867a9520dd18ca70f485f063c2fe27e959c08c3c423c04b5cee0dbf15e62b28f4afdeafd29ce4

    • C:\Windows\Resources\svchost.exe

      Filesize

      2.6MB

      MD5

      013be5c9c3e5be91b0fbc119a5442815

      SHA1

      03b1b9aa054820450c2b42cf8344a9efacefd6d9

      SHA256

      a2421d85783024823feeca0a72dfa0f97f47c580b4eec84ed356bdb7665c06e5

      SHA512

      25f24fc56a73d636ef39a82503c43ee3c0529cc5158282188f54f7dc7e6476e923568a5bb32734903a3614062708bc5ada32c8f63b7a3315012ceb39ec96e8fb

    • C:\Windows\Temp\{41B18707-632A-480E-B6BC-10DD4CC71CD7}\.ba\logo.png

      Filesize

      1KB

      MD5

      d6bd210f227442b3362493d046cea233

      SHA1

      ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

      SHA256

      335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

      SHA512

      464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

    • C:\Windows\Temp\{41B18707-632A-480E-B6BC-10DD4CC71CD7}\.ba\wixstdba.dll

      Filesize

      191KB

      MD5

      eab9caf4277829abdf6223ec1efa0edd

      SHA1

      74862ecf349a9bedd32699f2a7a4e00b4727543d

      SHA256

      a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

      SHA512

      45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

    • C:\Windows\Temp\{E9336254-3570-472F-AC66-DA96A765D6CB}\.cr\._cache_synaptics.exe 

      Filesize

      635KB

      MD5

      53e9222bc438cbd8b7320f800bef2e78

      SHA1

      c4f295d8855b4b16c7450a4a9150eb95046f6390

      SHA256

      0e49026767420229afd23b1352cf9f97f24e0768c3d527000d449ffdb4ca6888

      SHA512

      7533f9791e1807072a4dbb6ca03c696b12dfa5337678fab53aceea0e4b7e5ffefb90c9b450ac80878e1e9a4bce549f619da4cd2d06eb2554c9add5b4ec838b4a

    • \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe 

      Filesize

      24.2MB

      MD5

      101b0b9f74cdc6cdbd2570bfe92e302c

      SHA1

      2e6bae42c2842b4f558bd68099479b929bb7d910

      SHA256

      4dfe83c91124cd542f4222fe2c396cabeac617bb6f59bdcbdf89fd6f0df0a32f

      SHA512

      ccf4fd7da2c3440f1bc7fcac67c8a12599eab8d5c015affdc2e439fa30f5c7868ef5f52ede058361faae37ccc4af2c17c0adf30b8e1f852bb7106d0ec7162506

    • memory/1696-132-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/1696-130-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/3032-11-0x0000000003E40000-0x0000000003E41000-memory.dmp

      Filesize

      4KB

    • memory/3032-114-0x0000000000400000-0x0000000001F97000-memory.dmp

      Filesize

      27.6MB

    • memory/3032-116-0x0000000000400000-0x0000000001F97000-memory.dmp

      Filesize

      27.6MB

    • memory/3132-266-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/3132-251-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/3132-193-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/3132-272-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/3232-258-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/3232-271-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/3292-23-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/3292-0-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/3292-1-0x0000000077914000-0x0000000077916000-memory.dmp

      Filesize

      8KB

    • memory/3292-7-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/3484-265-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/3484-270-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/3980-133-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/3980-46-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/4400-131-0x0000000003C00000-0x0000000003C01000-memory.dmp

      Filesize

      4KB

    • memory/4400-204-0x0000000000400000-0x0000000001F97000-memory.dmp

      Filesize

      27.6MB

    • memory/4400-259-0x0000000003C00000-0x0000000003C01000-memory.dmp

      Filesize

      4KB

    • memory/4400-306-0x0000000000400000-0x0000000001F97000-memory.dmp

      Filesize

      27.6MB

    • memory/4432-102-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/4432-203-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/4432-280-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/5012-17-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/5012-134-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/5056-27-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/5056-279-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/5056-304-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/5056-199-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

    • memory/5056-322-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB