Analysis
Max time kernel: 110s
Max time network: 119s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 06-11-2024 12:04
Behavioral task behavioral1: sample c4eb0fde141d85f36309251d0a006723d71503a5f5c0b5ec1d577c78256d94d3N.exe, resource win7-20240903-en
Behavioral task behavioral2: sample c4eb0fde141d85f36309251d0a006723d71503a5f5c0b5ec1d577c78256d94d3N.exe, resource win10v2004-20241007-en
General
Target: c4eb0fde141d85f36309251d0a006723d71503a5f5c0b5ec1d577c78256d94d3N.exe
Size: 848KB
MD5: b587fb78d3363dfcd5fc656d51b73a40
SHA1: 2ed25a221704a7014571c22b9a9cb85d2786a7bd
SHA256: c4eb0fde141d85f36309251d0a006723d71503a5f5c0b5ec1d577c78256d94d3
SHA512: 5ebd2e0568a9e5f194960e3bd08b84a0fe096986f8a3c5b7b3206e9408cd9a7b856889da1906b78f7ded2857079b4c4b4c41d9316f00a39b53b96c81f76bdd6b
SSDEEP: 12288:5MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9YCG5ucAVXL7KoanqughtB:5nsJ39LyjbJkQFMhmC+6GD9X
Malware Config
Extracted family: xred (xred.mooo.com)
payload_url:
Signatures

Xred family

Executes dropped EXE (3 IoCs)
- PID 1796: ._cache_c4eb0fde141d85f36309251d0a006723d71503a5f5c0b5ec1d577c78256d94d3N.exe
- PID 2480: Synaptics.exe
- PID 2948: ._cache_Synaptics.exe

Loads dropped DLL (5 IoCs)
- PID 2600: c4eb0fde141d85f36309251d0a006723d71503a5f5c0b5ec1d577c78256d94d3N.exe (3 entries)
- PID 2480: Synaptics.exe (2 entries)

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" (process: c4eb0fde141d85f36309251d0a006723d71503a5f5c0b5ec1d577c78256d94d3N.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: Synaptics.exe, EXCEL.EXE, ._cache_Synaptics.exe, c4eb0fde141d85f36309251d0a006723d71503a5f5c0b5ec1d577c78256d94d3N.exe, ._cache_c4eb0fde141d85f36309251d0a006723d71503a5f5c0b5ec1d577c78256d94d3N.exe

Enumerates system info in registry (2 TTPs, 1 IoC)
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor by: EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
- PID 2156: EXCEL.EXE

Suspicious use of SetWindowsHookEx (3 IoCs)
- PID 1796: ._cache_c4eb0fde141d85f36309251d0a006723d71503a5f5c0b5ec1d577c78256d94d3N.exe
- PID 2948: ._cache_Synaptics.exe
- PID 2156: EXCEL.EXE

Suspicious use of WriteProcessMemory (12 IoCs)
- PID 2600 (c4eb0fde141d85f36309251d0a006723d71503a5f5c0b5ec1d577c78256d94d3N.exe) wrote to memory of PID 1796, procid_target 30 (4 entries)
- PID 2600 (c4eb0fde141d85f36309251d0a006723d71503a5f5c0b5ec1d577c78256d94d3N.exe) wrote to memory of PID 2480, procid_target 31 (4 entries)
- PID 2480 (Synaptics.exe) wrote to memory of PID 2948, procid_target 32 (4 entries)
Processes

1. "C:\Users\Admin\AppData\Local\Temp\c4eb0fde141d85f36309251d0a006723d71503a5f5c0b5ec1d577c78256d94d3N.exe" (PID 2600)
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. "C:\Users\Admin\AppData\Local\Temp\._cache_c4eb0fde141d85f36309251d0a006723d71503a5f5c0b5ec1d577c78256d94d3N.exe" (PID 1796)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
   2. "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate (PID 2480)
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate (PID 2948)
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx
1. "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding (PID 2156)
   - System Location Discovery: System Language Discovery
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads