Analysis
- max time kernel: 40s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20240729-en
- submitted: 17/08/2024, 17:08

Static task: static1
Behavioral task: behavioral1
- Sample: brr.exe
- Resource: win7-20240729-en
General
- Target: brr.exe
- Size: 827KB
- MD5: 92867f5de7d9de203c1f9f4781961863
- SHA1: 103fa7ef6a97862f568d410e7607e34f1c41da18
- SHA256: 4b90d4fb520d1deda7f182e1a19e7750979086bfbae6e2b44b276c8130e7c0c8
- SHA512: 818208e48ebc2797645dce2d79545215e5c4d32bed0ac65ae14f72d388a6179ebf2268690ec6c8f6923ef1a57d71bebc9e26e1906df16843b729f30b06746f34
- SSDEEP: 12288:xMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9nKas/fHmwj:xnsJ39LyjbJkQFMhmC+6GD9KTuA
Malware Config

Extracted: asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Crown
127.0.0.1:9090
127.0.0.1:5013
147.185.221.22:9090
147.185.221.22:5013
vopltdrmzkidmoli
- delay: 1
- install: true
- install_file: Windows.exe
- install_folder: %Temp%

Extracted: xred
xred.mooo.com
- payload_url:
  http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
  https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
  https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
  http://xred.site50.net/syn/SUpdate.ini
  https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
  https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
  http://xred.site50.net/syn/Synaptics.rar
  https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
  https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
  http://xred.site50.net/syn/SSLLibrary.dll
Signatures
- Asyncrat family
- Xred family
- Async RAT payload (1 IoC)
  resource: behavioral1/files/0x000c00000001226d-15.dat, yara_rule: family_asyncrat
- Executes dropped EXE (3 IoCs)
  PID 1916 ._cache_brr.exe
  PID 2148 Synaptics.exe
  PID 2740 ._cache_Synaptics.exe
- Loads dropped DLL (5 IoCs)
  PID 2112 brr.exe (recorded 3 times)
  PID 2148 Synaptics.exe (recorded 2 times)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by brr.exe: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by brr.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by Synaptics.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor by EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 800 EXCEL.EXE
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 2740 ._cache_Synaptics.exe: Token SeDebugPrivilege
  PID 1916 ._cache_brr.exe: Token SeDebugPrivilege
  PID 1916 ._cache_brr.exe, the following 20 tokens recorded twice in this order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  PID 2740 ._cache_Synaptics.exe, the following 22 tokens in this order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, SeIncreaseQuotaPrivilege, SeSecurityPrivilege
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 800 EXCEL.EXE
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2112 brr.exe wrote to memory of 1916 (procid_target 30), recorded 4 times
  PID 2112 brr.exe wrote to memory of 2148 (procid_target 31), recorded 4 times
  PID 2148 Synaptics.exe wrote to memory of 2740 (procid_target 32), recorded 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\brr.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\brr.exe"
  PID: 2112
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\._cache_brr.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_brr.exe"
    PID: 1916
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - Child: C:\ProgramData\Synaptics\Synaptics.exe
    Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    PID: 2148
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - Child: C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      PID: 2740
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
  PID: 800
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads