Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    112s
  • max time network
    102s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • submitted
    15/10/2024, 00:06

General

  • Target

    2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe

  • Size

    1.5MB

  • MD5

    9f7a3c3256e066947edd71c6abf7b700

  • SHA1

    a297cfefa3b4d541d2a6e3ed8f8424e3bb2642f4

  • SHA256

    2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0e

  • SHA512

    4c799f788a811b8b16b8cebb5de740d5853e58f05b0b7115cd5ae5547797de805df8d335ea3c18442a4a5509a20048c91f43ff15a78d7747a30f848f95d80c40

  • SSDEEP

    24576:UnsJ39LyjbJkQFMhmC+6GD94vd6CY55xx1rhaWXET2Tr+uf3EKmnx:UnsHyjtk2MYC5GD7xO72TF3EKmnx

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

  • Xred family
  • Suspicious Office macro 1 IoCs

    Office document equipped with macros.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe
    "C:\Users\Admin\AppData\Local\Temp\2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2104
    • C:\Users\Admin\AppData\Local\Temp\._cache_2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2532
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2224
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2712

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe

    Filesize

    1.5MB

    MD5

    9f7a3c3256e066947edd71c6abf7b700

    SHA1

    a297cfefa3b4d541d2a6e3ed8f8424e3bb2642f4

    SHA256

    2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0e

    SHA512

    4c799f788a811b8b16b8cebb5de740d5853e58f05b0b7115cd5ae5547797de805df8d335ea3c18442a4a5509a20048c91f43ff15a78d7747a30f848f95d80c40

  • C:\Users\Admin\AppData\Local\Temp\5HGZGzfr.xlsm

    Filesize

    25KB

    MD5

    b3c9162c2f96b23a18d3affd701fcdff

    SHA1

    462bdb0cba00867b30b42443c2a28b206178e611

    SHA256

    48319e699d7c258812263f0a967f843fcaa73c706e6493a816b4c180bd6e8b1b

    SHA512

    52284f679ca1e2f9e36ffc9e75f335841cde704e229c8989d1cf5659883b27f2c93d282b59472b0a77dbad016985bb432f453ff03bfe0d631d4aaba448a650d6

  • C:\Users\Admin\AppData\Local\Temp\5HGZGzfr.xlsm

    Filesize

    28KB

    MD5

    03d35873d1eea73777654453031c23c5

    SHA1

    6801964b2db5de9d8f392c77d4e6aa2956f3ea10

    SHA256

    3e5e9eb84d4f97eddc777bb221566feaa1ee9cc8136a8d9c3d0939b6c3d6ca50

    SHA512

    46b71fe48875d328bd380f6558f47e9da1b689f469e548675c27bc36ab86c2a194525b7ccb29827ff35aca32a63cc35bdf9562547f2954e688c438d6cbc81e94

  • C:\Users\Admin\AppData\Local\Temp\5HGZGzfr.xlsm

    Filesize

    28KB

    MD5

    f1725c0d786133248310a47c6d0a79c7

    SHA1

    b6c8dfcafa8efc80c5b5bad59ccce99e2293c14a

    SHA256

    43e9d4ea01a9efd8a1f33c969c0d9dc5a8cd6ec46b59346f0542fb8c73c740be

    SHA512

    de99a436e775732acb21eb907f2be8733e530037b210ed01a857901baa2609d758f24edf6a8459976b1d4bd09eea9a24a6741b88bccb7144b67c79518ee922b2

  • C:\Users\Admin\AppData\Local\Temp\5HGZGzfr.xlsm

    Filesize

    30KB

    MD5

    7dd5d9edc5f9e5eee315d272e8941208

    SHA1

    1c247b3d4cc11cd989b5ffe658ce01ea68e9bafe

    SHA256

    34f10f419ddb7b4891cba60e3dcaee8c645cfd3b7a4452ab3f9d32eb45f053ac

    SHA512

    4e296c1fb1e3609435b0c40ced7dfd928ab8f2cdcc18f09849c1602a20f62f234a6f1401b615f6f442f2ce4be1c070a02951fe7503d7ff400f0ea9343360bdb0

  • C:\Users\Admin\AppData\Local\Temp\5HGZGzfr.xlsm

    Filesize

    27KB

    MD5

    50b7bfbd247f19a47a166d97ae12b16a

    SHA1

    76cc7ebc80f7b8634990bb56c0f491057ce6618c

    SHA256

    b0216b70ab5ae233df843d3da7f8e88639c4d571a6ffca558d843ac8885eab18

    SHA512

    ab2bc2ae57e0f6e208f78bcd7ded3f150b7d10451f0f4e3dc3a1e28a4867fa9e913d2251aa014f25b5e6b7fb8bd48c6b6fc58591d419ebfef23f6fc90adbbc3d

  • C:\Users\Admin\AppData\Local\Temp\5HGZGzfr.xlsm

    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  • C:\Users\Admin\Desktop\~$GrantSync.xlsx

    Filesize

    165B

    MD5

    ff09371174f7c701e75f357a187c06e8

    SHA1

    57f9a638fd652922d7eb23236c80055a91724503

    SHA256

    e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

    SHA512

    e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

  • \Users\Admin\AppData\Local\Temp\._cache_2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe

    Filesize

    819KB

    MD5

    34b9d1b339abb10378640ed848577b08

    SHA1

    42614668fe79692789338895df82721fbbeac376

    SHA256

    3f08a7361b2d7964392f23a7d40fdda17aa525ad3d0f1bf68a4906a0fcb451c7

    SHA512

    9e5a6a2be9c31984a08c83bbe0ba71bc70a2321a7c1e69432cdb695c46a62d7180dcf4aa92622d74cb1a7684259ffb5c77f2b5212a0187a03531c86fadfa0446

  • memory/2104-25-0x0000000000400000-0x000000000058F000-memory.dmp

    Filesize

    1.6MB

  • memory/2104-0-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2712-35-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2952-124-0x0000000000400000-0x000000000058F000-memory.dmp

    Filesize

    1.6MB

  • memory/2952-125-0x0000000000400000-0x000000000058F000-memory.dmp

    Filesize

    1.6MB

  • memory/2952-147-0x0000000000400000-0x000000000058F000-memory.dmp

    Filesize

    1.6MB

  • memory/2952-155-0x0000000000400000-0x000000000058F000-memory.dmp

    Filesize

    1.6MB