Analysis
max time kernel: 119s
max time network: 125s
platform: windows7_x64
resource: win7-20240903-en
submitted: 13-09-2024 21:23
Static task: static1
Behavioral task: behavioral1
Sample: cb9dc4606ac85050ceec95e649100000N.exe
Resource: win7-20240903-en
General
Target: cb9dc4606ac85050ceec95e649100000N.exe
Size: 829KB
MD5: cb9dc4606ac85050ceec95e649100000
SHA1: 9398495b08379335b9166ed0a941b0cff6ca429f
SHA256: b1492690bba76715a0b60aacfe75bfb7876f3b7d8f03a5a32172b084be81ba7d
SHA512: 4f2d7905205a0fafc09f5f9b8f072baa07d2f3c91d4e176dd785db2089e80d225fe58fb548c58bf01d144cf410b392fa14b50bc4890fab287a3d07e8b65709b2
SSDEEP: 12288:DMSApJVYG5lhULyjsb0eOzkv4R7QnvUUilQ35+6G75V9IWhBjvrEH7uc:DnsJ30LyjbJkQFMhmC+6Gb9BrEH79
Malware Config
Extracted
xred
  xred.mooo.com
payload_url
  http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
  https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
  https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
  http://xred.site50.net/syn/SUpdate.ini
  https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
  https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
  http://xred.site50.net/syn/Synaptics.rar
  https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
  https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
  http://xred.site50.net/syn/SSLLibrary.dll
Signatures

Floxif family

Xred family

Detects Floxif payload (1 IoC)
Processes:
  resource | yara_rule
  behavioral1/files/0x000a000000012280-1.dat | floxif

ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
Processes:
  resource | yara_rule
  behavioral1/files/0x000a000000012280-1.dat | acprotect

Executes dropped EXE (1 IoC)
Processes:
  pid | Process
  2560 | Synaptics.exe

Loads dropped DLL (6 IoCs)
Processes:
  pid | Process
  2380 | cb9dc4606ac85050ceec95e649100000N.exe
  2380 | cb9dc4606ac85050ceec95e649100000N.exe
  2380 | cb9dc4606ac85050ceec95e649100000N.exe
  2380 | cb9dc4606ac85050ceec95e649100000N.exe
  2560 | Synaptics.exe
  2560 | Synaptics.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | cb9dc4606ac85050ceec95e649100000N.exe

Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description | ioc | Process
  File opened (read-only) | \??\e: | Synaptics.exe

Processes:
  resource | yara_rule
  behavioral1/memory/2380-3-0x0000000010000000-0x0000000010030000-memory.dmp | upx
  behavioral1/files/0x000a000000012280-1.dat | upx
  behavioral1/memory/2560-31-0x0000000010000000-0x0000000010030000-memory.dmp | upx
  behavioral1/memory/2380-29-0x0000000010000000-0x0000000010030000-memory.dmp | upx
  behavioral1/memory/2560-113-0x0000000010000000-0x0000000010030000-memory.dmp | upx
  behavioral1/memory/2560-117-0x0000000010000000-0x0000000010030000-memory.dmp | upx
  behavioral1/memory/2560-121-0x0000000010000000-0x0000000010030000-memory.dmp | upx
  behavioral1/memory/2560-125-0x0000000010000000-0x0000000010030000-memory.dmp | upx
  behavioral1/memory/2560-129-0x0000000010000000-0x0000000010030000-memory.dmp | upx
  behavioral1/memory/2560-133-0x0000000010000000-0x0000000010030000-memory.dmp | upx

Drops file in Program Files directory (5 IoCs)
Processes:
  description | ioc | Process
  File created | C:\Program Files\Common Files\System\symsrv.dll | cb9dc4606ac85050ceec95e649100000N.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\gfx.dll | Synaptics.exe
  File created | C:\Program Files (x86)\Microsoft Office\Office14\gfx.dll.tmp | Synaptics.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\gfx.dll.dat | Synaptics.exe
  File created | \??\c:\program files\common files\system\symsrv.dll.000 | Synaptics.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cb9dc4606ac85050ceec95e649100000N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Synaptics.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 1 IoC)
Processes:
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid | Process
  2668 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid | Process
  2380 | cb9dc4606ac85050ceec95e649100000N.exe
  2560 | Synaptics.exe
  2560 | Synaptics.exe
  2560 | Synaptics.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description | pid | Process
  Token: SeDebugPrivilege | 2380 | cb9dc4606ac85050ceec95e649100000N.exe
  Token: SeDebugPrivilege | 2560 | Synaptics.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid | Process
  2668 | EXCEL.EXE

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description | pid | Process | procid_target
  PID 2380 wrote to memory of 2560 | 2380 | cb9dc4606ac85050ceec95e649100000N.exe | 30
  PID 2380 wrote to memory of 2560 | 2380 | cb9dc4606ac85050ceec95e649100000N.exe | 30
  PID 2380 wrote to memory of 2560 | 2380 | cb9dc4606ac85050ceec95e649100000N.exe | 30
  PID 2380 wrote to memory of 2560 | 2380 | cb9dc4606ac85050ceec95e649100000N.exe | 30
Processes

C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe"
  PID: 2380
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\Synaptics\Synaptics.exe (child of PID 2380)
    Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    PID: 2560
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
  PID: 2668
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Downloads