Analysis
max time kernel: 112s
max time network: 102s
platform: windows7_x64
resource: win7-20241010-en
submitted: 15/10/2024, 00:06
Static task: static1
Behavioral task: behavioral1
  Sample: 2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe
  Resource: win10v2004-20241007-en
General
Target: 2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe
Size: 1.5MB
MD5: 9f7a3c3256e066947edd71c6abf7b700
SHA1: a297cfefa3b4d541d2a6e3ed8f8424e3bb2642f4
SHA256: 2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0e
SHA512: 4c799f788a811b8b16b8cebb5de740d5853e58f05b0b7115cd5ae5547797de805df8d335ea3c18442a4a5509a20048c91f43ff15a78d7747a30f848f95d80c40
SSDEEP: 24576:UnsJ39LyjbJkQFMhmC+6GD94vd6CY55xx1rhaWXET2Tr+uf3EKmnx:UnsHyjtk2MYC5GD7xO72TF3EKmnx
Malware Config
Extracted
Family: xred
C2: xred.mooo.com
payload_url:
  http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
  https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
  https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
  http://xred.site50.net/syn/SUpdate.ini
  https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
  https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
  http://xred.site50.net/syn/Synaptics.rar
  https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
  https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
  http://xred.site50.net/syn/SSLLibrary.dll
Signatures

Xred family
  resource | behavioral1/files/0x0006000000019515-83.dat

Executes dropped EXE (3 IoCs)
  PID | Process
  2532 | ._cache_2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe
  2952 | Synaptics.exe
  2224 | ._cache_Synaptics.exe

Loads dropped DLL (5 IoCs)
  PID | Process
  2104 | 2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe
  2104 | 2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe
  2104 | 2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe
  2952 | Synaptics.exe
  2952 | Synaptics.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Description | IoC | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | 2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description | IoC | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Synaptics.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_Synaptics.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 1 IoC)
  Description | IoC | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID | Process
  2712 | EXCEL.EXE

Suspicious use of SetWindowsHookEx (3 IoCs)
  PID | Process
  2532 | ._cache_2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe
  2224 | ._cache_Synaptics.exe
  2712 | EXCEL.EXE

Suspicious use of WriteProcessMemory (12 IoCs)
  Description | PID | Process | procid_target
  PID 2104 wrote to memory of 2532 | 2104 | 2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe | 29
  PID 2104 wrote to memory of 2532 | 2104 | 2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe | 29
  PID 2104 wrote to memory of 2532 | 2104 | 2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe | 29
  PID 2104 wrote to memory of 2532 | 2104 | 2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe | 29
  PID 2104 wrote to memory of 2952 | 2104 | 2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe | 30
  PID 2104 wrote to memory of 2952 | 2104 | 2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe | 30
  PID 2104 wrote to memory of 2952 | 2104 | 2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe | 30
  PID 2104 wrote to memory of 2952 | 2104 | 2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe | 30
  PID 2952 wrote to memory of 2224 | 2952 | Synaptics.exe | 31
  PID 2952 wrote to memory of 2224 | 2952 | Synaptics.exe | 31
  PID 2952 wrote to memory of 2224 | 2952 | Synaptics.exe | 31
  PID 2952 wrote to memory of 2224 | 2952 | Synaptics.exe | 31
Processes

C:\Users\Admin\AppData\Local\Temp\2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe (PID 2104, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\._cache_2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe (PID 2532, level 2, child of 2104)
    Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

  C:\ProgramData\Synaptics\Synaptics.exe (PID 2952, level 2, child of 2104)
    Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe (PID 2224, level 3, child of 2952)
      Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 2712, level 1)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
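The behaviours recorded above translate directly into host and log detections: the Run value "Synaptics Pointing Device Driver" under Wow6432Node pointing at C:\ProgramData\Synaptics\Synaptics.exe, the ._cache_-prefixed executables dropped in Temp, the InjUpdate argument, the sample hashes, and the xred domains and payload URLs from the extracted config. EXCEL.EXE appears with /automation -Embedding, which is the command line Excel receives when started as a COM automation server and is consistent with the family's documented use of Excel automation to infect spreadsheets; the report does not show which process launched it, so the example below does not key on it. The following is an added example, not part of the tria.ge report and not the malware's code: a Python matcher that applies the report's indicators to Sysmon-style event records. Field names follow Sysmon (EventID, Image, CommandLine, Hashes, TargetObject, Details, TargetFilename, QueryName); the Url field is an assumed proxy-log field, and SAMPLE_EVENTS is constructed for illustration.

```python
"""Match Sysmon-style event records against the Xred indicators listed above.

Added example for this report; it is neither tria.ge's code nor the malware's.
Indicator values are copied from the report. Event field names follow Sysmon
(EventID, Image, CommandLine, Hashes, TargetObject, Details, TargetFilename,
QueryName); "Url" is an assumed proxy-log field. SAMPLE_EVENTS is constructed.
"""
import re

SAMPLE_NAME = "2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe"

# File hashes from the report (sample and the dropped ._cache_ executable), lowercase.
KNOWN_HASHES = {
    "9f7a3c3256e066947edd71c6abf7b700",                                   # sample MD5
    "a297cfefa3b4d541d2a6e3ed8f8424e3bb2642f4",                           # sample SHA1
    "2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0e",   # sample SHA256
    "34b9d1b339abb10378640ed848577b08",                                   # ._cache_ exe MD5
    "3f08a7361b2d7964392f23a7d40fdda17aa525ad3d0f1bf68a4906a0fcb451c7",   # ._cache_ exe SHA256
}
RUN_VALUE_NAME = "Synaptics Pointing Device Driver"
RUN_VALUE_DATA = r"C:\ProgramData\Synaptics\Synaptics.exe"
PAYLOAD_URLS = {
    "http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download",
    "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1",
    "http://xred.site50.net/syn/SUpdate.ini",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download",
    "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1",
    "http://xred.site50.net/syn/Synaptics.rar",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download",
    "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1",
    "http://xred.site50.net/syn/SSLLibrary.dll",
}
# Only attacker-controlled names are safe to alert on by DNS alone; Google Docs,
# Dropbox and afraid.org are shared services and are matched on the full URL.
C2_DNS_HOSTS = {"xred.mooo.com", "xred.site50.net"}

# Matches both Sysmon's HKLM\... and the report's \REGISTRY\MACHINE\... spellings.
_RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run\\" + re.escape(RUN_VALUE_NAME) + r"$", re.I)
_CACHE_EXE_RE = re.compile(r"\\\._cache_[^\\]+\.exe$", re.I)


def parse_hashes(field):
    """Parse Sysmon's 'MD5=..,SHA256=..,IMPHASH=..' Hashes field into lowercase digests."""
    return {p.split("=", 1)[1].strip().lower() for p in field.split(",") if "=" in p}


def check_event(ev):
    """Return the Xred indicator names the event matches (empty list if none)."""
    hits = []
    eid = ev.get("EventID")
    image = ev.get("Image", "")
    name = image.rsplit("\\", 1)[-1].lower()
    if eid == 1:  # process creation
        if parse_hashes(ev.get("Hashes", "")) & KNOWN_HASHES:
            hits.append("known_sample_hash")
        # The value name mimics a real driver; the ProgramData path is the discriminator.
        if name == "synaptics.exe" and "\\programdata\\synaptics\\" in image.lower():
            hits.append("synaptics_dropper_path")
        if name.startswith("._cache_") and name.endswith(".exe"):
            hits.append("cache_payload_exec")
        if "injupdate" in ev.get("CommandLine", "").lower():
            hits.append("injupdate_argument")
    elif eid == 11:  # file created
        if _CACHE_EXE_RE.search(ev.get("TargetFilename", "")):
            hits.append("cache_payload_dropped")
    elif eid == 13:  # registry value set
        if _RUN_KEY_RE.search(ev.get("TargetObject", "")):
            hits.append("run_key_persistence")
            if ev.get("Details", "").strip('"').lower() == RUN_VALUE_DATA.lower():
                hits.append("run_key_points_to_synaptics")
    elif eid == 22:  # DNS query
        if ev.get("QueryName", "").lower().rstrip(".") in C2_DNS_HOSTS:
            hits.append("c2_dns")
    if ev.get("Url") in PAYLOAD_URLS:  # proxy log record
        hits.append("payload_url")
    return hits


def scan(events):
    """Map event index -> matched indicator names, for events that matched anything."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [  # constructed; mirrors the report's process tree, registry write and config
    {"EventID": 1, "Image": TEMP + "\\" + SAMPLE_NAME, "CommandLine": f'"{TEMP}\\{SAMPLE_NAME}"',
     "Hashes": "MD5=9F7A3C3256E066947EDD71C6ABF7B700,"
               "SHA256=2DDEA998A8849DB9D7B61F7B9BF65F154BD350F4C779A2710B3BD75F3976CF0E"},
    {"EventID": 13, "Image": TEMP + "\\" + SAMPLE_NAME, "Details": RUN_VALUE_DATA,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver"},
    {"EventID": 1, "Image": RUN_VALUE_DATA, "CommandLine": f'"{RUN_VALUE_DATA}" InjUpdate'},
    {"EventID": 11, "Image": RUN_VALUE_DATA, "TargetFilename": TEMP + r"\._cache_Synaptics.exe"},
    {"EventID": 22, "Image": RUN_VALUE_DATA, "QueryName": "xred.mooo.com"},
    {"Url": "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "Hashes": "MD5=00000000000000000000000000000000"},  # benign control
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {i}: {', '.join(hits)}")
```

The hash and URL sets are the brittle, sample-specific part; the path, value-name and InjUpdate checks are what survive a recompiled dropper. DNS alerting is deliberately restricted to the two xred hostnames because the remaining payload hosts are shared services, so those are matched only on the exact URL.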
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.5MB (the submitted sample)
MD5: 9f7a3c3256e066947edd71c6abf7b700
SHA1: a297cfefa3b4d541d2a6e3ed8f8424e3bb2642f4
SHA256: 2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0e
SHA512: 4c799f788a811b8b16b8cebb5de740d5853e58f05b0b7115cd5ae5547797de805df8d335ea3c18442a4a5509a20048c91f43ff15a78d7747a30f848f95d80c40

Filesize: 25KB
MD5: b3c9162c2f96b23a18d3affd701fcdff
SHA1: 462bdb0cba00867b30b42443c2a28b206178e611
SHA256: 48319e699d7c258812263f0a967f843fcaa73c706e6493a816b4c180bd6e8b1b
SHA512: 52284f679ca1e2f9e36ffc9e75f335841cde704e229c8989d1cf5659883b27f2c93d282b59472b0a77dbad016985bb432f453ff03bfe0d631d4aaba448a650d6

Filesize: 28KB
MD5: 03d35873d1eea73777654453031c23c5
SHA1: 6801964b2db5de9d8f392c77d4e6aa2956f3ea10
SHA256: 3e5e9eb84d4f97eddc777bb221566feaa1ee9cc8136a8d9c3d0939b6c3d6ca50
SHA512: 46b71fe48875d328bd380f6558f47e9da1b689f469e548675c27bc36ab86c2a194525b7ccb29827ff35aca32a63cc35bdf9562547f2954e688c438d6cbc81e94

Filesize: 28KB
MD5: f1725c0d786133248310a47c6d0a79c7
SHA1: b6c8dfcafa8efc80c5b5bad59ccce99e2293c14a
SHA256: 43e9d4ea01a9efd8a1f33c969c0d9dc5a8cd6ec46b59346f0542fb8c73c740be
SHA512: de99a436e775732acb21eb907f2be8733e530037b210ed01a857901baa2609d758f24edf6a8459976b1d4bd09eea9a24a6741b88bccb7144b67c79518ee922b2

Filesize: 30KB
MD5: 7dd5d9edc5f9e5eee315d272e8941208
SHA1: 1c247b3d4cc11cd989b5ffe658ce01ea68e9bafe
SHA256: 34f10f419ddb7b4891cba60e3dcaee8c645cfd3b7a4452ab3f9d32eb45f053ac
SHA512: 4e296c1fb1e3609435b0c40ced7dfd928ab8f2cdcc18f09849c1602a20f62f234a6f1401b615f6f442f2ce4be1c070a02951fe7503d7ff400f0ea9343360bdb0

Filesize: 27KB
MD5: 50b7bfbd247f19a47a166d97ae12b16a
SHA1: 76cc7ebc80f7b8634990bb56c0f491057ce6618c
SHA256: b0216b70ab5ae233df843d3da7f8e88639c4d571a6ffca558d843ac8885eab18
SHA512: ab2bc2ae57e0f6e208f78bcd7ded3f150b7d10451f0f4e3dc3a1e28a4867fa9e913d2251aa014f25b5e6b7fb8bd48c6b6fc58591d419ebfef23f6fc90adbbc3d

Filesize: 17KB
MD5: e566fc53051035e1e6fd0ed1823de0f9
SHA1: 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256: 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512: a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Filesize: 165B
MD5: ff09371174f7c701e75f357a187c06e8
SHA1: 57f9a638fd652922d7eb23236c80055a91724503
SHA256: e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8
SHA512: e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Path: \Users\Admin\AppData\Local\Temp\._cache_2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe
Filesize: 819KB
MD5: 34b9d1b339abb10378640ed848577b08
SHA1: 42614668fe79692789338895df82721fbbeac376
SHA256: 3f08a7361b2d7964392f23a7d40fdda17aa525ad3d0f1bf68a4906a0fcb451c7
SHA512: 9e5a6a2be9c31984a08c83bbe0ba71bc70a2321a7c1e69432cdb695c46a62d7180dcf4aa92622d74cb1a7684259ffb5c77f2b5212a0187a03531c86fadfa0446