Analysis

max time kernel: 292s
max time network: 289s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2024, 17:07

Behavioral task: behavioral1
Sample: Stix_Advanced_Tweak.exe
Resource: win10v2004-20241007-en
General

Target: Stix_Advanced_Tweak.exe
Size: 1.5MB
MD5: 43afea647840c9ed1d2888ce8c85ed32
SHA1: a9ca7722b5d49f42ae01dc20d3b7397f67647cd0
SHA256: 2cbf4a18cf8df6a631826a5006d13b3bf36d0971b8c96678b278fc99795a9386
SHA512: ffe6cb55700d3e27544315998300c6d2532fa7b9085d9dd83088eb4579124579595c06ef9abe2fcc532468c5477a6fa13c57af2ae24df28b064050691ab48bc9
SSDEEP: 24576:2nsJ39LyjbJkQFMhmC+6GD9k0TO7wx6RZrLSQeMeNyUc7nyWOqmpezMJQF:2nsHyjtk2MYC5GD60TO7JRZHSSr0py
Malware Config
Extracted
xred
xred.mooo.com
Signatures

Xred family

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | Stix_Advanced_Tweak.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | Synaptics.exe

Executes dropped EXE (3 IoCs)
pid | Process
4460 | ._cache_Stix_Advanced_Tweak.exe
4708 | Synaptics.exe
4056 | ._cache_Synaptics.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | Stix_Advanced_Tweak.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Stix_Advanced_Tweak.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Synaptics.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

Modifies registry class (3 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Stix_Advanced_Tweak.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Synaptics.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | OpenWith.exe

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
980 | EXCEL.EXE

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4460 | ._cache_Stix_Advanced_Tweak.exe
Token: SeDebugPrivilege | 4056 | ._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx (25 IoCs)
pid | Process
980 | EXCEL.EXE (8 entries)
3620 | OpenWith.exe (17 entries)

Suspicious use of WriteProcessMemory (13 IoCs)
description | pid | Process | procid_target
PID 3120 wrote to memory of 4460 | 3120 | Stix_Advanced_Tweak.exe | 86
PID 3120 wrote to memory of 4460 | 3120 | Stix_Advanced_Tweak.exe | 86
PID 3120 wrote to memory of 4708 | 3120 | Stix_Advanced_Tweak.exe | 87
PID 3120 wrote to memory of 4708 | 3120 | Stix_Advanced_Tweak.exe | 87
PID 3120 wrote to memory of 4708 | 3120 | Stix_Advanced_Tweak.exe | 87
PID 4708 wrote to memory of 4056 | 4708 | Synaptics.exe | 89
PID 4708 wrote to memory of 4056 | 4708 | Synaptics.exe | 89
PID 4056 wrote to memory of 2540 | 4056 | ._cache_Synaptics.exe | 115
PID 4056 wrote to memory of 2540 | 4056 | ._cache_Synaptics.exe | 115
PID 2540 wrote to memory of 4916 | 2540 | cmd.exe | 117
PID 2540 wrote to memory of 4916 | 2540 | cmd.exe | 117
PID 3620 wrote to memory of 2080 | 3620 | OpenWith.exe | 121
PID 3620 wrote to memory of 2080 | 3620 | OpenWith.exe | 121
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\Stix_Advanced_Tweak.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Stix_Advanced_Tweak.exe"
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3120

Level 2: C:\Users\Admin\AppData\Local\Temp\._cache_Stix_Advanced_Tweak.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Stix_Advanced_Tweak.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4460

Level 2: C:\ProgramData\Synaptics\Synaptics.exe
Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4708

Level 3: C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4056

Level 4: C:\Windows\SYSTEM32\cmd.exe
Command line: "cmd.exe" /c start cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Response: {"ack":"VaultCord.com FREE Discord backup bot for members & entire server. Avoid Discord term and nukes today!","success":false,"message":"Session not found. Use latest code. You can only have app opened 1 at a time."} && timeout /t 5"
- Suspicious use of WriteProcessMemory
PID: 2540

Level 5: C:\Windows\system32\cmd.exe
Command line: cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Response: {"ack":"VaultCord.com FREE Discord backup bot for members
PID: 4916

Level 1: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID: 980

Level 1: C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID: 8

Level 1: C:\Windows\system32\NOTEPAD.EXE
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\KeyAuth\debug\._cache_Synaptics\Nov_11_2024_logs.txt
PID: 208

Level 1: C:\Windows\system32\OpenWith.exe
Command line: C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3620

Level 2: C:\Windows\system32\NOTEPAD.EXE
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Gui_Test\._cache_Stix_Advanced_Twe_Url_mxys2gi3titc1q3svbxkrtwahaveukl3\1.0.0.0\user.config
PID: 2080
Downloads