Analysis
max time kernel: 110s
max time network: 119s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 10/11/2024, 12:16
Behavioral task: behavioral1
Sample: 4b2e71c3d737452a52a8bb5c2c728320060586a55278ce7c166633cd6c478646N.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: 4b2e71c3d737452a52a8bb5c2c728320060586a55278ce7c166633cd6c478646N.exe
Resource: win10v2004-20241007-en
General
Target: 4b2e71c3d737452a52a8bb5c2c728320060586a55278ce7c166633cd6c478646N.exe
Size: 841KB
MD5: 4681b862ac362b8d270772d1ab658d30
SHA1: 7a4bebd64e0320815ad3028c91ebfd2732289a6a
SHA256: 4b2e71c3d737452a52a8bb5c2c728320060586a55278ce7c166633cd6c478646
SHA512: ee762d73051416edb9c96e2ad6916aee4e864e6dc5184200eb823db9303101a51efe01483ea9c836061ff416ad00952831b3eae6af6b689cd46a2750b3b4a187
SSDEEP: 12288:hMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9MGEg5cS6lSxCvcD:hnsJ39LyjbJkQFMhmC+6GD93VRoZI
Malware Config
Extracted
Family: xred
C2: xred.mooo.com
payload_url:
Signatures

Xred family
  resource | behavioral1/files/0x0006000000019dbf-89.dat

Executes dropped EXE (3 IoCs)
  pid  | Process
  2688 | ._cache_4b2e71c3d737452a52a8bb5c2c728320060586a55278ce7c166633cd6c478646N.exe
  2896 | Synaptics.exe
  2868 | ._cache_Synaptics.exe

Loads dropped DLL (7 IoCs)
  pid  | Process
  2188 | 4b2e71c3d737452a52a8bb5c2c728320060586a55278ce7c166633cd6c478646N.exe (4 entries)
  2896 | Synaptics.exe (3 entries)

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | 4b2e71c3d737452a52a8bb5c2c728320060586a55278ce7c166633cd6c478646N.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Synaptics.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_Synaptics.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4b2e71c3d737452a52a8bb5c2c728320060586a55278ce7c166633cd6c478646N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_4b2e71c3d737452a52a8bb5c2c728320060586a55278ce7c166633cd6c478646N.exe

Enumerates system info in registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid  | Process
  2580 | EXCEL.EXE

Suspicious use of SetWindowsHookEx (1 IoC)
  pid  | Process
  2580 | EXCEL.EXE

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 2188 wrote to memory of 2688 | 2188 | 4b2e71c3d737452a52a8bb5c2c728320060586a55278ce7c166633cd6c478646N.exe | 30 (4 entries)
  PID 2188 wrote to memory of 2896 | 2188 | 4b2e71c3d737452a52a8bb5c2c728320060586a55278ce7c166633cd6c478646N.exe | 31 (4 entries)
  PID 2896 wrote to memory of 2868 | 2896 | Synaptics.exe | 32 (4 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\4b2e71c3d737452a52a8bb5c2c728320060586a55278ce7c166633cd6c478646N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4b2e71c3d737452a52a8bb5c2c728320060586a55278ce7c166633cd6c478646N.exe"
  PID: 2188
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\._cache_4b2e71c3d737452a52a8bb5c2c728320060586a55278ce7c166633cd6c478646N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_4b2e71c3d737452a52a8bb5c2c728320060586a55278ce7c166633cd6c478646N.exe"
    PID: 2688
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

  C:\ProgramData\Synaptics\Synaptics.exe
    Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    PID: 2896
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      PID: 2868
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
  PID: 2580
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Downloads