Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240708-en
submitted: 05/08/2024, 21:23 (5 August 2024)
Static task: static1
Behavioral task: behavioral1
  Sample: 0aeb1cb71bfe51c1e50d92d6471af370N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 0aeb1cb71bfe51c1e50d92d6471af370N.exe
  Resource: win10v2004-20240802-en
General
Target: 0aeb1cb71bfe51c1e50d92d6471af370N.exe
Size: 917KB
MD5: 0aeb1cb71bfe51c1e50d92d6471af370
SHA1: 6c50f5017e1f09c0bc6ffb05840ddb2529230f77
SHA256: 62edc73eb9d18f60b28e98b66eb7e3e1adb0d414d58bc9c6f96fd4fda0b47300
SHA512: f5c83000d6628a41965572f3cfe0a81f14e97f7956a19f847ec6674ea8d7bd14cb3d53f678b2e09150e9086c55d680ef4d9568e3de59b4bb2c4846531d7f1ed3
SSDEEP: 12288:UMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9QvFUNDaVs2:UnsJ39LyjbJkQFMhmC+6GD9IFOaVh
Malware Config
Extracted
Family: xred
C2: xred.mooo.com
payload_url:
  http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
  https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
  https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
  http://xred.site50.net/syn/SUpdate.ini
  https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
  https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
  http://xred.site50.net/syn/Synaptics.rar
  https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
  https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
  http://xred.site50.net/syn/SSLLibrary.dll
Signatures

Xred family

Executes dropped EXE (5 IoCs)
PID   Process
2836  ._cache_0aeb1cb71bfe51c1e50d92d6471af370N.exe
2904  Synaptics.exe
2772  ._cache_0aeb1cb71bfe51c1e50d92d6471af370n.exe
3008  ._cache_Synaptics.exe
536   ._cache_synaptics.exe

Loads dropped DLL (7 IoCs)
PID   Process                                         Events
2160  0aeb1cb71bfe51c1e50d92d6471af370N.exe           3
2836  ._cache_0aeb1cb71bfe51c1e50d92d6471af370N.exe   1
2904  Synaptics.exe                                   2
3008  ._cache_Synaptics.exe                           1

Adds Run key to start application (2 TTPs, 1 IoC)
Description: Set value (str)
IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\ProgramData\Synaptics\Synaptics.exe"
Process: 0aeb1cb71bfe51c1e50d92d6471af370N.exe
Note that the 32-bit sample lands under the Wow6432Node view of the Run key on this x64 guest; a check that reads only the native HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key will miss it.

Drops file in Windows directory (2 IoCs)
Description                   IoC                                        Process
File opened for modification  C:\Windows\Resources\Themes\icsys.icn.exe  ._cache_Synaptics.exe
File opened for modification  C:\Windows\Resources\Themes\icsys.icn.exe  ._cache_0aeb1cb71bfe51c1e50d92d6471af370N.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
Description  IoC                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ._cache_Synaptics.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  EXCEL.EXE
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  0aeb1cb71bfe51c1e50d92d6471af370N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ._cache_0aeb1cb71bfe51c1e50d92d6471af370N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Synaptics.exe

Enumerates system info in registry (2 TTPs, 1 IoC)
Description  IoC                                                                   Process
Key opened   \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
PID   Process
3024  EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (32 IoCs)
PID   Process                                         Events
2836  ._cache_0aeb1cb71bfe51c1e50d92d6471af370N.exe   16
3008  ._cache_Synaptics.exe                           16

Suspicious use of SetWindowsHookEx (5 IoCs)
PID   Process                                         Events
2836  ._cache_0aeb1cb71bfe51c1e50d92d6471af370N.exe   2
3008  ._cache_Synaptics.exe                           2
3024  EXCEL.EXE                                       1

Suspicious use of WriteProcessMemory (20 IoCs)
Each parent/child pair below is recorded four times in the report (20 events in total); procid_target is the sandbox's internal process index.
Source PID  Source process                                  Target PID  procid_target
2160        0aeb1cb71bfe51c1e50d92d6471af370N.exe           2836        30
2160        0aeb1cb71bfe51c1e50d92d6471af370N.exe           2904        31
2836        ._cache_0aeb1cb71bfe51c1e50d92d6471af370N.exe   2772        32
2904        Synaptics.exe                                   3008        33
3008        ._cache_Synaptics.exe                           536         35
Processes

1  C:\Users\Admin\AppData\Local\Temp\0aeb1cb71bfe51c1e50d92d6471af370N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0aeb1cb71bfe51c1e50d92d6471af370N.exe"
   PID: 2160
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2  C:\Users\Admin\AppData\Local\Temp\._cache_0aeb1cb71bfe51c1e50d92d6471af370N.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_0aeb1cb71bfe51c1e50d92d6471af370N.exe"
      PID: 2836
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3  \??\c:\users\admin\appdata\local\temp\._cache_0aeb1cb71bfe51c1e50d92d6471af370n.exe
         Command line: c:\users\admin\appdata\local\temp\._cache_0aeb1cb71bfe51c1e50d92d6471af370n.exe
         PID: 2772
         - Executes dropped EXE

   2  C:\ProgramData\Synaptics\Synaptics.exe
      Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      PID: 2904
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3  C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
         PID: 3008
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops file in Windows directory
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4  \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
            Command line: c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
            PID: 536
            - Executes dropped EXE

1  C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
   Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
   PID: 3024
   - System Location Discovery: System Language Discovery
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 917KB (identical to the submitted sample)
MD5: 0aeb1cb71bfe51c1e50d92d6471af370
SHA1: 6c50f5017e1f09c0bc6ffb05840ddb2529230f77
SHA256: 62edc73eb9d18f60b28e98b66eb7e3e1adb0d414d58bc9c6f96fd4fda0b47300
SHA512: f5c83000d6628a41965572f3cfe0a81f14e97f7956a19f847ec6674ea8d7bd14cb3d53f678b2e09150e9086c55d680ef4d9568e3de59b4bb2c4846531d7f1ed3

Filesize: 29KB
MD5: dbd2194b7a5b38636edf7112ebc6fe91
SHA1: 6fea8daee367fbdee5a299a214c0419ef04ea7bb
SHA256: 927004a7ed771954853acfd331baf0a2d74c84037d4adff5a4a65fb1b287e586
SHA512: 238cf410957b64bc0f8997fb3669b6f362e6b170c942fecca43ddc72a73ebffe75d829f0bade82cc712ca6786d6083921df9648d8c7a19ddc1e0de55cc526d42

Filesize: 17KB
MD5: e566fc53051035e1e6fd0ed1823de0f9
SHA1: 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256: 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512: a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Filesize: 135KB
MD5: ae8d0e6d33bf6fd32d89b984937ece4c
SHA1: a180790d7dcdbaad7e631c95b1d5cbb6d53a6954
SHA256: fe17ad94604121f51e09fde81e3fcf92184ae4647f059203bbd9df1ab395b0e5
SHA512: 9371e2405e2bf598161b77487691ba3b4672ba90238e114d4a901653e0b71dfdc0dd3d9d5f24510ae4f170b9dfdcfdfb560bd22cee32cc144b27ccb3cfe0c578

Filesize: 164KB
MD5: 51e9530b1ec13b565affb0a896b8dac7
SHA1: ab6b5bb75958e5a0676028b2d108a259c45d04b2
SHA256: c7c5ca459d3f5618631f1296f3d5d986d50a038fbb5ea00e7bf5a8f80bd4255f
SHA512: b97947dc27af04d42f51b4ffc8f977828543bdcb2b9f59b34cf63c19b71ef5eed72d4c72d532e2f558fe69d3f4179db64a8d22042929a2eb67bc664ba2d0dee0