Analysis
max time kernel: 142s
max time network: 147s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 18-11-2024 08:17
Behavioral task
behavioral1
Sample
dllArena.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
dllArena.exe
Resource
win10v2004-20241007-en
General
Target: dllArena.exe
Size: 8.4MB
MD5: b8849b60e1823b0cb7368b56a61c7743
SHA1: caa74767470173e44edc33dea3e604fe2620a720
SHA256: fd59a4887d5b72ae931bc2c8d3e95a0bd856fbf1c3922331ef00a98ff77dfb9e
SHA512: 121a100f36184d885517153d94da3bf95a7fc96ea95d12f58addfd7847c9697ea80641316efcfda102ef49170aecb4075cc3dad24b213f3d326eabd13d09e6dd
SSDEEP: 196608:2LvgQdj4O9LgRRHG94UEbrURbsvnEJlQ9BWg:2LdX2RRmqUEbwRbsvnIG9BWg
Malware Config
Extracted
xred
xred.mooo.com
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
Xred family
resource: behavioral1/files/0x00070000000187a2-72.dat
Executes dropped EXE 7 IoCs
pid   Process
2564  ._cache_dllArena.exe
2640  Synaptics.exe
2444  ._cache_Synaptics.exe
2312  Built.exe
2384  dllArena.exe
2820  Built.exe
1236  Process not Found
Loads dropped DLL 10 IoCs
pid   Process
2984  dllArena.exe
2984  dllArena.exe
2984  dllArena.exe
2640  Synaptics.exe
2640  Synaptics.exe
2564  ._cache_dllArena.exe
2564  ._cache_dllArena.exe
2312  Built.exe
2820  Built.exe
1236  Process not Found
Adds Run key to start application 2 TTPs 1 IoCs
description      ioc                                                                                                                                                          Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"  dllArena.exe
resource                                                                       yara_rule
behavioral1/files/0x00050000000194df-114.dat                                   upx
behavioral1/memory/2820-116-0x000007FEF23B0000-0x000007FEF2998000-memory.dmp   upx
behavioral1/memory/2820-120-0x000007FEF23B0000-0x000007FEF2998000-memory.dmp   upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dllArena.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Synaptics.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  EXCEL.EXE
Enumerates system info in registry 2 TTPs 1 IoCs
description  ioc                                                                    Process
Key opened   \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor   EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid   Process
2540  EXCEL.EXE
Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
2540  EXCEL.EXE
Suspicious use of WriteProcessMemory 21 IoCs
description                        pid   Process                procid_target
PID 2984 wrote to memory of 2564   2984  dllArena.exe           29
PID 2984 wrote to memory of 2564   2984  dllArena.exe           29
PID 2984 wrote to memory of 2564   2984  dllArena.exe           29
PID 2984 wrote to memory of 2564   2984  dllArena.exe           29
PID 2984 wrote to memory of 2640   2984  dllArena.exe           30
PID 2984 wrote to memory of 2640   2984  dllArena.exe           30
PID 2984 wrote to memory of 2640   2984  dllArena.exe           30
PID 2984 wrote to memory of 2640   2984  dllArena.exe           30
PID 2640 wrote to memory of 2444   2640  Synaptics.exe          31
PID 2640 wrote to memory of 2444   2640  Synaptics.exe          31
PID 2640 wrote to memory of 2444   2640  Synaptics.exe          31
PID 2640 wrote to memory of 2444   2640  Synaptics.exe          31
PID 2564 wrote to memory of 2312   2564  ._cache_dllArena.exe   33
PID 2564 wrote to memory of 2312   2564  ._cache_dllArena.exe   33
PID 2564 wrote to memory of 2312   2564  ._cache_dllArena.exe   33
PID 2564 wrote to memory of 2384   2564  ._cache_dllArena.exe   34
PID 2564 wrote to memory of 2384   2564  ._cache_dllArena.exe   34
PID 2564 wrote to memory of 2384   2564  ._cache_dllArena.exe   34
PID 2312 wrote to memory of 2820   2312  Built.exe              35
PID 2312 wrote to memory of 2820   2312  Built.exe              35
PID 2312 wrote to memory of 2820   2312  Built.exe              35
Processes
-
1. "C:\Users\Admin\AppData\Local\Temp\dllArena.exe"  PID:2984
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. "C:\Users\Admin\AppData\Local\Temp\._cache_dllArena.exe"  PID:2564
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. "C:\Users\Admin\AppData\Local\Temp\Built.exe"  PID:2312
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. "C:\Users\Admin\AppData\Local\Temp\Built.exe"  PID:2820
            - Executes dropped EXE
            - Loads dropped DLL
      3. "C:\Users\Admin\AppData\Local\Temp\dllArena.exe"  PID:2384
         - Executes dropped EXE
   2. "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate  PID:2640
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate  PID:2444
         - Executes dropped EXE
1. "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding  PID:2540
   - System Location Discovery: System Language Discovery
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads