redosdru | 6fd9108779a2169de167db6fd0c463a7e7982b10b24af07a5e5223f7bf247ea2

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
02/11/2024, 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ReadPCIRegisters.exe
Size

1.3MB
MD5

ea24df042e732db0122de161be0dd8fc
SHA1

4a697d9a960f02c21d3e10e1a032867abe040db3
SHA256

0b5479411aa07c990ac5d4a5e5c1b2a5d2ea1e8347b49aba2aab225667270e9a
SHA512

5e0faa83fe6c9fb2fcacca96a3b4486e2ccb1894b20ff5e11d76fcf975dc6f3a232913668f3e89603e1088c41e6834989bcf6f715a0d1d678eebf463a423096e
SSDEEP

24576:xnsJ39LyjbJkQFMhmC+6GD95vhkEp3W8AD/Dhd+y4lqJ8QdCYDoDNb:xnsHyjtk2MYC5GDfvhsvD/DX+y4onCYm

Score

10^/10

redosdru discovery downloader loader persistence

Malware Config

Extracted

Family

redosdru

http://120.46.52.231/NetSyst96.dll

Signatures

Redosdru
Redosdru is a loader/downloader written in C++.
loader downloader redosdru
Redosdru family
redosdru

Executes dropped EXE 7 IoCs

pid	Process
1660	._cache_ReadPCIRegisters.exe
2872	temp1.tem
2820	temp2.tem
2696	Synaptics.exe
2740	._cache_Synaptics.exe
1836	temp1.tem
1736	temp2.tem

Loads dropped DLL 17 IoCs

pid	Process
2376	ReadPCIRegisters.exe
2376	ReadPCIRegisters.exe
1660	._cache_ReadPCIRegisters.exe
1660	._cache_ReadPCIRegisters.exe
2908	Process not Found
1660	._cache_ReadPCIRegisters.exe
1660	._cache_ReadPCIRegisters.exe
2376	ReadPCIRegisters.exe
2376	ReadPCIRegisters.exe
2696	Synaptics.exe
2696	Synaptics.exe
2696	Synaptics.exe
2740	._cache_Synaptics.exe
2740	._cache_Synaptics.exe
2740	._cache_Synaptics.exe
2740	._cache_Synaptics.exe
912	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	ReadPCIRegisters.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\AppPatch\NetSyst96.dll	temp2.tem

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ReadPCIRegisters.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_ReadPCIRegisters.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	temp2.tem
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	temp2.tem

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1080	EXCEL.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1660	._cache_ReadPCIRegisters.exe
1660	._cache_ReadPCIRegisters.exe
2740	._cache_Synaptics.exe
2740	._cache_Synaptics.exe
1080	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 1660	2376	ReadPCIRegisters.exe	29
PID 2376 wrote to memory of 1660	2376	ReadPCIRegisters.exe	29
PID 2376 wrote to memory of 1660	2376	ReadPCIRegisters.exe	29
PID 2376 wrote to memory of 1660	2376	ReadPCIRegisters.exe	29
PID 1660 wrote to memory of 2872	1660	._cache_ReadPCIRegisters.exe	30
PID 1660 wrote to memory of 2872	1660	._cache_ReadPCIRegisters.exe	30
PID 1660 wrote to memory of 2872	1660	._cache_ReadPCIRegisters.exe	30
PID 1660 wrote to memory of 2872	1660	._cache_ReadPCIRegisters.exe	30
PID 1660 wrote to memory of 2820	1660	._cache_ReadPCIRegisters.exe	32
PID 1660 wrote to memory of 2820	1660	._cache_ReadPCIRegisters.exe	32
PID 1660 wrote to memory of 2820	1660	._cache_ReadPCIRegisters.exe	32
PID 1660 wrote to memory of 2820	1660	._cache_ReadPCIRegisters.exe	32
PID 2376 wrote to memory of 2696	2376	ReadPCIRegisters.exe	33
PID 2376 wrote to memory of 2696	2376	ReadPCIRegisters.exe	33
PID 2376 wrote to memory of 2696	2376	ReadPCIRegisters.exe	33
PID 2376 wrote to memory of 2696	2376	ReadPCIRegisters.exe	33
PID 2696 wrote to memory of 2740	2696	Synaptics.exe	34
PID 2696 wrote to memory of 2740	2696	Synaptics.exe	34
PID 2696 wrote to memory of 2740	2696	Synaptics.exe	34
PID 2696 wrote to memory of 2740	2696	Synaptics.exe	34
PID 2740 wrote to memory of 1836	2740	._cache_Synaptics.exe	36
PID 2740 wrote to memory of 1836	2740	._cache_Synaptics.exe	36
PID 2740 wrote to memory of 1836	2740	._cache_Synaptics.exe	36
PID 2740 wrote to memory of 1836	2740	._cache_Synaptics.exe	36
PID 2740 wrote to memory of 1736	2740	._cache_Synaptics.exe	37
PID 2740 wrote to memory of 1736	2740	._cache_Synaptics.exe	37
PID 2740 wrote to memory of 1736	2740	._cache_Synaptics.exe	37
PID 2740 wrote to memory of 1736	2740	._cache_Synaptics.exe	37

C:\Users\Admin\AppData\Local\Temp\ReadPCIRegisters.exe
"C:\Users\Admin\AppData\Local\Temp\ReadPCIRegisters.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\._cache_ReadPCIRegisters.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_ReadPCIRegisters.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Users\Admin\AppData\Local\Temp\temp1.tem
    C:\Users\Admin\AppData\Local\Temp\temp1.tem
    3⤵
    - Executes dropped EXE
    PID:2872
- - C:\Users\Admin\AppData\Local\Temp\temp2.tem
    C:\Users\Admin\AppData\Local\Temp\temp2.tem
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2820
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Users\Admin\AppData\Local\Temp\temp1.tem
      C:\Users\Admin\AppData\Local\Temp\temp1.tem
      4⤵
      Executes dropped EXE
      PID:1836
  - - C:\Users\Admin\AppData\Local\Temp\temp2.tem
      C:\Users\Admin\AppData\Local\Temp\temp2.tem
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1736

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.3MB

MD5
ea24df042e732db0122de161be0dd8fc

SHA1
4a697d9a960f02c21d3e10e1a032867abe040db3

SHA256
0b5479411aa07c990ac5d4a5e5c1b2a5d2ea1e8347b49aba2aab225667270e9a

SHA512
5e0faa83fe6c9fb2fcacca96a3b4486e2ccb1894b20ff5e11d76fcf975dc6f3a232913668f3e89603e1088c41e6834989bcf6f715a0d1d678eebf463a423096e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9HG6v7Xo.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\9HG6v7Xo.xlsm

Filesize
24KB

MD5
f3dba5b3c01877f1531e6852b3ea18e9

SHA1
cd36ee70cf458657960a305a247d87dcfd4afe71

SHA256
996b9e7a764be1c9cf94d9d32c2ce2c22802cbf108d7e1f2d2b25742828f4a76

SHA512
be6b1560094b1f637deb76db9da21dc91c8850ad146c5b3007f85757e6a42b1c48a6d973a5c984d71204f4cb167a5f7501bc1101f622b3d5456e05bdcc078aea

Download Submit
C:\Users\Admin\AppData\Local\Temp\9HG6v7Xo.xlsm

Filesize
29KB

MD5
2cd1cdb9009e695c64efb575848707f3

SHA1
7e1cda67ec3a4ff855c76b325e93d4b2e161626d

SHA256
d82bbeab63e53c6e25228842124f41c159910007a2c10e97b3c2303c598e857c

SHA512
76a2fafeab76582371137a7cb999fc47e085717cbbab5e0a1fedd0d52113467e9163a3fc8327634b5ffd08a25c45186cf5fa00237db2594cc11839bc63b9b3a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\9HG6v7Xo.xlsm

Filesize
31KB

MD5
b1026d7824b8628a80a6be6ccb3e6fb1

SHA1
bd39078ca0988a0ff918aa0d57a36ef65a1ef7f4

SHA256
a08c90293247d34589e92c3591c5e1c7894a1da77f50ab01078150b2e9ca5cd2

SHA512
6b962b3f8694ead1efde38a30ec44ceed14946be50dc0d11ac1a8bba62c702b4b9b802acd3bdc0bba4b72caef27d5aa1c9e235252797c915c862604f83a0193c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9HG6v7Xo.xlsm

Filesize
28KB

MD5
c93cc5790e18ad3e298f1125c49586af

SHA1
21a50743c7cf7c0c6f5af00a8f2b738710d6d146

SHA256
4c91f03bf53f759c60d429e5c146e7d0779c08352c7611cbc643f315a80f32fe

SHA512
8d8cc10869e646a8cfb3194792ead830a0bf1bca30a97fa55e728c7fcfcb0af5163d6892a508c96cfa6c4b87d3c84da3029a31b6ed4e8198ee2f67b5cb4795dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\9HG6v7Xo.xlsm

Filesize
26KB

MD5
86eb3db15fabd8522a8f2eba2e372f21

SHA1
1624b71005c61b893aab18c6b71432dc0c01247f

SHA256
023b2ca27fcc8850e8e244d4112fbb90747e5bb0ae6fb00860033748219f30c2

SHA512
5ae161c2c326c542309ec4db5915236cc090ac370327ef4e70e27af3357fa893230e3386d1c29e3320cb750778ba3c29349bee41ca8925c615f5e448aadf763d

Download Submit
C:\Users\Admin\Desktop\~$WatchGrant.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_ReadPCIRegisters.exe

Filesize
577KB

MD5
f8df45e23537c65a1cb3bcbd4f9cc47b

SHA1
de228508423fbf675a4798119d54ab0fa012e281

SHA256
b88c1c6242f784b0c40d9125dc0beba5c1534ad0fbcf9c09fb8ee96962b6f4d4

SHA512
e2f5bdadd1180ecd26d0a880db701337c8d9102fe409d3d1019f4c9bc22b3d4d43b58c4e1a133d20db185224cdae1e08969ea910b97f7e951297223f310e7e76

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
1.1MB

MD5
97c8fe752e354b2945e4c593a87e4a8b

SHA1
03ab4c91535ecf14b13e0258f3a7be459a7957f9

SHA256
820d8dd49baed0da44d42555ad361d78e068115661dce72ae6578dcdab6baead

SHA512
af4492c08d6659d21ebfefe752b0d71210d2542c1788f1d2d9f86a85f01c3dd05eebf61c925e18b5e870aec7e9794e4a7050a04f4c58d90dca93324485690bcc

Download Submit
\Users\Admin\AppData\Local\Temp\temp1.tem

Filesize
14KB

MD5
c722de0f8e24711e2a27626dc1d3f5e3

SHA1
83171ba210c38db9f32dd59e41c2de9ecb6fdc55

SHA256
3b66f9c07d850e45ac68dc34d8d60b3b977ede7164557dd0ec5bf6fa22ebb49a

SHA512
3b214fe47889dc1e3bd11bf126f74a71d394b2589c1e13e8e384c3d89a41877ebb778de90044f2efa01101957434f8c320ec89aef36f1f6164cc5296139765dc

Download Submit
\Users\Admin\AppData\Local\Temp\temp2.tem

Filesize
28KB

MD5
d5a6815cadb238cccc79293b5375ca3b

SHA1
c7294e3ad20439376bfff217df17ff3cefcd6e91

SHA256
926b1b0e943bef7835ef8e45eeb75996cb45e179166948b0d2ce3ecabf656b62

SHA512
fd587e7915c4f8d2f56796e0262caf3f29674377bd68d1973e9a1eec4b17d3843f02fe37dbdf39656de57a0eab79ea85da816a9647d113531407445ad612f1e3

Download Submit
memory/1080-85-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1660-55-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1660-22-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2376-11-0x0000000003B20000-0x0000000003B2B000-memory.dmp

Filesize
44KB

Download
memory/2376-51-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2376-52-0x0000000003B20000-0x0000000003B2B000-memory.dmp

Filesize
44KB

Download
memory/2376-10-0x0000000003B20000-0x0000000003B2B000-memory.dmp

Filesize
44KB

Download
memory/2376-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2696-69-0x0000000003C10000-0x0000000003C1B000-memory.dmp

Filesize
44KB

Download
memory/2696-70-0x0000000003C10000-0x0000000003C1B000-memory.dmp

Filesize
44KB

Download
memory/2696-178-0x0000000003C10000-0x0000000003C1B000-memory.dmp

Filesize
44KB

Download
memory/2696-177-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2696-179-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2696-213-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2740-100-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2740-71-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2820-40-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads