Analysis
max time kernel: 119s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 21:51
Behavioral task
behavioral1
Sample
371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe
Resource
win10v2004-20241007-en
General
Target: 371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe
Size: 998KB
MD5: f6285298e09929244eb9721e78f1369a
SHA1: 0bd100e7a55810b3d9dbd2c302c246c867d20852
SHA256: 371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5
SHA512: 8139a473deda14e651566f03868c2bd5c760994e749982ae9ad16576040d4098f3985d7979cbc306e91d8c628434ab96337c3f4d11658b58cef6d73a77a5e7fa
SSDEEP: 12288:fMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9VXKFUoanL:fnsJ39LyjbJkQFMhmC+6GD96yL
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Njrat family
-
Xred family
-
Modifies Windows Firewall  2 TTPs, 1 IoC
Processes:
  PID 2036  netsh.exe
Checks computer location settings  2 TTPs, 3 IoCs
Looks up the country code configured in the registry, likely a geofence. Geo\Nation holds the user's configured country (a Windows GEOID), and every stage of the XRed chain queries it: the original sample, the Synaptics.exe copy, and the ._cache_Synaptics.exe stage that copy drops and runs.
Processes:
  Key value queried  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation  371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation  Synaptics.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation  ._cache_Synaptics.exe
Drops startup file  2 IoCs
Processes:
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4eb37852a0eff3d12ee195891381805c.exe  server.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4eb37852a0eff3d12ee195891381805c.exe  server.exe
The 32-hex-character file name is the same string server.exe uses as the name of its Run values, so a single identifier ties the Startup-folder copy and the registry persistence together.
Executes dropped EXE  4 IoCs
Processes:
  PID 1748  ._cache_371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe
  PID 1332  Synaptics.exe
  PID 2308  ._cache_Synaptics.exe
  PID 4468  server.exe
Adds Run key to start application  2 TTPs, 3 IoCs
Processes:
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"  371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4eb37852a0eff3d12ee195891381805c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."  server.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4eb37852a0eff3d12ee195891381805c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."  server.exe
The sample registers its ProgramData copy under a value name that imitates the Synaptics touchpad driver; the dropped server.exe stage registers itself in both the per-user and the machine-wide Run key, with ".." as its argument. The machine-wide values land under WOW6432Node, the 32-bit registry view, consistent with 32-bit binaries running on x64 (netsh.exe is likewise launched from SysWOW64). Writing the HKLM values needs an elevated token; on a standard-user host only the HKCU entry would succeed.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL  1 TTPs, 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. Helper DLLs are registered under HKLM\SOFTWARE\Microsoft\NetSh and loaded whenever netsh starts. The events below show netsh.exe only opening, querying and enumerating that key, which every netsh invocation does to locate its helpers; the report records no value being written there, so this hit is a side effect of the firewall command rather than evidence of a planted helper DLL.
Processes:
  Key opened  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  netsh.exe
  Key queried  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  netsh.exe
  Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  netsh.exe
System Location Discovery: System Language Discovery  1 TTPs, 6 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Processes:
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ._cache_371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Synaptics.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ._cache_Synaptics.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  server.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  netsh.exe
Every process in the chain opens this key, including netsh.exe, a Windows tool, so the access on its own is weak evidence; it carries weight only together with the Geo\Nation lookups recorded above.
Checks processor information in registry  2 TTPs, 3 IoCs
Processor information is often read in order to detect sandboxing environments. Here the reader is EXCEL.EXE, started as a COM automation server (/automation -Embedding) with no parent in the sample's process chain; the report does not tie it to the sample, so treat this hit as low confidence.
Processes:
  Key opened  \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
Enumerates system info in registry  2 TTPs, 3 IoCs
Only EXCEL.EXE reads these BIOS values, and the report does not place it in the sample's process chain, so this is not attributable to the sample.
Processes:
  Key opened  \REGISTRY\MACHINE\Hardware\Description\System\BIOS  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  EXCEL.EXE
Modifies registry class  2 IoCs
Processes:
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  Synaptics.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe
Suspicious behavior: AddClipboardFormatListener  1 IoC
Processes:
  PID 3936  EXCEL.EXE
Suspicious behavior: EnumeratesProcesses  3 IoCs
Processes:
  PID 1748  ._cache_371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe
  PID 2308  ._cache_Synaptics.exe
  PID 4468  server.exe
Suspicious use of AdjustPrivilegeToken  25 IoCs
Processes:
  Token: SeDebugPrivilege  PID 1748  ._cache_371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe
  Token: SeDebugPrivilege  PID 2308  ._cache_Synaptics.exe
  Token: SeDebugPrivilege  PID 4468  server.exe
  Token: 33  PID 4468  server.exe  (11 events, alternating with the next)
  Token: SeIncBasePriorityPrivilege  PID 4468  server.exe  (11 events)
"33" is the raw privilege number as the sandbox reports it. Each of ._cache_371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe, ._cache_Synaptics.exe and server.exe enables SeDebugPrivilege; server.exe alone repeatedly adjusts SeIncBasePriorityPrivilege.
Suspicious use of SetWindowsHookEx  6 IoCs
Processes:
  PID 3936  EXCEL.EXE  (6 events)
Suspicious use of WriteProcessMemory  15 IoCs
Processes (each pair is recorded three times):
  PID 3800  371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe  wrote to memory of  PID 1748  ._cache_371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe
  PID 3800  371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe  wrote to memory of  PID 1332  Synaptics.exe
  PID 1332  Synaptics.exe  wrote to memory of  PID 2308  ._cache_Synaptics.exe
  PID 2308  ._cache_Synaptics.exe  wrote to memory of  PID 4468  server.exe
  PID 4468  server.exe  wrote to memory of  PID 2036  netsh.exe
Every write goes from a parent into a child it started (compare the Processes tree below); no write into a foreign, pre-existing process is recorded.
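The signatures above translate directly into detection logic. The following is an added example, not code from the sandbox or from any vendor rule set: it evaluates rules modelled on four of the signatures (Run key, Startup-folder drop, Geo\Nation lookup, netsh firewall exclusion) over sandbox-style registry, file and process events, and scores Run-key hits by whether the autostart target sits in a user-writable directory. The event layout, the severities and the two benign events are assumptions of the example; the malicious events are constructed from the IoCs listed on this page.

```python
"""Behaviour rules over sandbox-style events.

Added example, not the sandbox's own code: a small rule set that reproduces
four of this report's signatures from raw registry, file and process events
and scores Run-key hits by whether the autostart target sits in a
user-writable directory. Event layout, severities and the two benign events
are assumptions of this example; the malicious events are constructed from
the IoCs listed on this page.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str       # "reg_set" | "reg_query" | "file_create" | "proc_create"
    process: str    # image name of the acting process
    target: str     # registry value path, file path, or command line
    data: str = ""  # registry data for reg_set, else empty


# Paths are matched case-insensitively; "\\" in a raw regex is one backslash.
RUN_KEY_RE = re.compile(
    r"\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
STARTUP_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:exe|lnk|vbs|bat)$", re.I)
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
NETSH_ALLOW_RE = re.compile(
    r"\bnetsh\b.*\bfirewall\b.*\badd\b.*\ballowedprogram\b", re.I)
# Autostart data pointing into a user-writable tree is what makes a Run-key hit high.
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|ProgramData|Temp|Users\\Public)\\", re.I)


def evaluate(event):
    """Return (signature, severity) for one event, or None when no rule fires."""
    if event.kind == "reg_set" and RUN_KEY_RE.search(event.target):
        sev = "high" if USER_WRITABLE_RE.search(event.data) else "medium"
        return ("Adds Run key to start application", sev)
    if event.kind == "file_create" and STARTUP_RE.search(event.target):
        return ("Drops startup file", "high")
    if event.kind == "reg_query" and GEO_NATION_RE.search(event.target):
        # Weak on its own (legitimate software localises too); it matters in context.
        return ("Checks computer location settings", "low")
    if event.kind == "proc_create" and NETSH_ALLOW_RE.search(event.target):
        return ("Modifies Windows Firewall", "high")
    return None


def summarize(events):
    """Map signature name -> sorted (process, severity) pairs, one per hit."""
    hits = defaultdict(list)
    for ev in events:
        result = evaluate(ev)
        if result:
            hits[result[0]].append((ev.process, result[1]))
    return {name: sorted(pairs) for name, pairs in hits.items()}


# Constructed sample events, taken from the IoCs on this page.
SAMPLE = "371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe"
HKCU = "\\REGISTRY\\USER\\S-1-5-21-4089630652-1596403869-279772308-1000"
HKLM_RUN32 = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
HKCU_RUN = HKCU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
GEO = HKCU + r"\Control Panel\International\Geo\Nation"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
NJ_ID = "4eb37852a0eff3d12ee195891381805c"

SAMPLE_EVENTS = [
    Event("reg_set", SAMPLE, HKLM_RUN32 + r"\Synaptics Pointing Device Driver",
          r"C:\ProgramData\Synaptics\Synaptics.exe"),
    Event("reg_set", "server.exe", HKCU_RUN + "\\" + NJ_ID,
          r'"C:\Users\Admin\AppData\Local\Temp\server.exe" ..'),
    Event("reg_set", "server.exe", HKLM_RUN32 + "\\" + NJ_ID,
          r'"C:\Users\Admin\AppData\Local\Temp\server.exe" ..'),
    Event("file_create", "server.exe", STARTUP + "\\" + NJ_ID + ".exe"),
    Event("reg_query", SAMPLE, GEO),
    Event("reg_query", "Synaptics.exe", GEO),
    Event("reg_query", "._cache_Synaptics.exe", GEO),
    Event("proc_create", "netsh.exe",
          r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE'),
    # Two constructed benign events: a Run value under Program Files scores only
    # medium, and a language lookup by a system process fires no rule here.
    Event("reg_set", "explorer.exe", HKCU_RUN + r"\OneDrive",
          r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    Event("reg_query", "svchost.exe",
          r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
]

if __name__ == "__main__":
    for name, pairs in summarize(SAMPLE_EVENTS).items():
        print(f"{name}: {pairs}")
```

The Run-key rule deliberately fires on the benign OneDrive value too, at a lower severity: the discriminating feature in this report is not the write itself but that the autostart target lives in ProgramData and Temp. In real telemetry the same rules would run over Sysmon registry (event 13), file-create (11) and process-create (1) events instead of the constructed list.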
Processes
level 1: C:\Users\Admin\AppData\Local\Temp\371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe"
  PID:3800
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  level 2: C:\Users\Admin\AppData\Local\Temp\._cache_371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\._cache_371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe"
    PID:1748
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  level 2: C:\ProgramData\Synaptics\Synaptics.exe
    command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    PID:1332
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    level 3: C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      PID:2308
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      level 4: C:\Users\Admin\AppData\Local\Temp\server.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
        PID:4468
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        level 5: C:\Windows\SysWOW64\netsh.exe
          command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
          PID:2036
          - Modifies Windows Firewall
          - Event Triggered Execution: Netsh Helper DLL
          - System Location Discovery: System Language Discovery
level 1: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  PID:3936
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
The chain is the sample, its Synaptics.exe copy, the ._cache_ stage each of them drops, then server.exe, which whitelists itself in the Windows Firewall with the legacy "netsh firewall" syntax (deprecated in favour of "netsh advfirewall firewall" but still understood). That exact command line, an executable in a user's Temp directory passed to "netsh firewall add allowedprogram", is worth a dedicated detection rule. EXCEL.EXE is a separate root with no recorded parent in this chain.
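The process tree above and the WriteProcessMemory events under Signatures carry the same parent/child edges. As an added example, not part of the report, the following rebuilds the tree from those write events, collapses the three-fold repeats into edge counts, renders it with the report's level numbering, and flags any write into a PID the writer did not itself start, which in real telemetry is what separates injection into a pre-existing process from process start-up. The event tuples, the CREATED_BY_WRITER set and the standalone EXCEL.EXE entry are constructed from this page.

```python
"""Rebuild the process tree from 'wrote to memory of' events.

Added example, not part of the sandbox report: the WriteProcessMemory events
listed under 'Suspicious use of WriteProcessMemory' name a writer PID and a
target PID, one event per write, and for a freshly created child these edges
coincide with the parent/child tree shown under Processes. This collapses the
repeated events into counted edges, rebuilds the tree, renders it with the
report's level numbering, and flags any write into a PID the writer did not
create, since a write into a pre-existing process is an injection candidate
rather than process start-up. The tuple layout, the constructed event list and
CREATED_BY_WRITER are assumptions of this example.
"""
from collections import defaultdict

SAMPLE = "371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe"

# (writer_pid, writer_image, target_pid, target_image), one tuple per write;
# the report lists each pair three times.
WRITE_EVENTS = (
    [(3800, SAMPLE, 1748, "._cache_" + SAMPLE)] * 3
    + [(3800, SAMPLE, 1332, "Synaptics.exe")] * 3
    + [(1332, "Synaptics.exe", 2308, "._cache_Synaptics.exe")] * 3
    + [(2308, "._cache_Synaptics.exe", 4468, "server.exe")] * 3
    + [(4468, "server.exe", 2036, "netsh.exe")] * 3
)
# Targets that process-creation records show were started by their writer
# (taken from the Processes section of this page).
CREATED_BY_WRITER = {1748, 1332, 2308, 4468, 2036}
# A process with no incoming edge, as EXCEL.EXE appears on the page.
STANDALONE = {3936: "EXCEL.EXE"}


def build_tree(events, created, standalone=None):
    """Return (names, children, edge_counts, flagged_targets)."""
    names = dict(standalone or {})
    children = defaultdict(list)
    counts = defaultdict(int)
    for wpid, wimg, tpid, timg in events:
        names[wpid], names[tpid] = wimg, timg
        if counts[(wpid, tpid)] == 0:
            children[wpid].append(tpid)   # first sight of this edge
        counts[(wpid, tpid)] += 1
    flagged = sorted({t for (_, t) in counts if t not in created})
    return names, dict(children), dict(counts), flagged


def roots(names, children):
    """PIDs that nobody wrote into: the top-level processes."""
    targets = {t for kids in children.values() for t in kids}
    return sorted(p for p in names if p not in targets)


def render(names, children, counts, pid, depth=1, writes=None, seen=None):
    """Indented lines, numbered by depth like the report's levels 1..5."""
    seen = set() if seen is None else seen
    line = f"{'  ' * (depth - 1)}{depth}: {names[pid]} (PID {pid})"
    if writes is not None:
        line += f" [{writes} writes from parent]"
    if pid in seen:                       # guard against malformed cyclic input
        return [line + " <cycle>"]
    seen.add(pid)
    lines = [line]
    for kid in children.get(pid, []):
        lines += render(names, children, counts, kid, depth + 1, counts[(pid, kid)], seen)
    return lines


def path_to(children, root, pid, path=()):
    """Chain of PIDs from root down to pid, or None if pid is not below root."""
    path = path + (root,)
    if root == pid:
        return list(path)
    for kid in children.get(root, ()):
        found = path_to(children, kid, pid, path)
        if found:
            return found
    return None


if __name__ == "__main__":
    names, children, counts, flagged = build_tree(WRITE_EVENTS, CREATED_BY_WRITER, STANDALONE)
    for r in roots(names, children):
        print("\n".join(render(names, children, counts, r)))
    print("injection candidates:", flagged or "none")
```

The flagged list is empty for this report because every target PID is one the writer launched; feeding the same function an edge into a PID outside CREATED_BY_WRITER (say, a write from server.exe into an already-running explorer.exe) returns that PID as an injection candidate. Process-create events remain the ground truth for parentage; the write events are a proxy that happens to coincide here.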
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Create or Modify System Process: Windows Service (1)
  Event Triggered Execution: Netsh Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Create or Modify System Process: Windows Service (1)
  Event Triggered Execution: Netsh Helper DLL (1)
Defense Evasion
  Impair Defenses: Disable or Modify System Firewall (1)
  Modify Registry (1)
Downloads
Filesize 998KB
MD5 f6285298e09929244eb9721e78f1369a
SHA1 0bd100e7a55810b3d9dbd2c302c246c867d20852
SHA256 371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5
SHA512 8139a473deda14e651566f03868c2bd5c760994e749982ae9ad16576040d4098f3985d7979cbc306e91d8c628434ab96337c3f4d11658b58cef6d73a77a5e7fa
(identical hashes to the submitted sample)

C:\Users\Admin\AppData\Local\Temp\._cache_371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe
Filesize 244KB
MD5 0ae9347f02737113842f37809172da96
SHA1 242a20e1ffdf9fef0b5682cd2bb6738fe8097600
SHA256 7de73d47d9a917d4ebf25264af7144794f69c2046fa2412f4af1f93eb71be032
SHA512 78cc2b7372c5a5c21d9759311772e1b4e82627da278ee9d2d759d2ecceaf9db09ec20bff3f998b3966b6533d860d0c3828581d169ec163fa6bf941955afa9690

Filesize 23KB
MD5 4285fcba861f9bd887b989b0ee688038
SHA1 6785b1cb775b571455b0fb8ca52ea310b27dbfd2
SHA256 dff78339ec76d1ffdb78291852a77eec2d2be4b489c0c59435b2508838bc0c19
SHA512 a1d8474dca425b2c1d115d6a6280bde0a378bc0bd6f2a70f7a25c3441657cfeefafe0191be24149cf1c502e0c301e2041795e0cf208b3ce2f2e5f3e03118c88b

Filesize 17KB
MD5 e566fc53051035e1e6fd0ed1823de0f9
SHA1 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512 a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04