Analysis
-
max time kernel
112s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
18-11-2024 16:18
Behavioral task
behavioral1
Sample
79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe
Resource
win10v2004-20241007-en
General
-
Target
79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe
-
Size
1.8MB
-
MD5
0ff280de0233ba547b6e5e689f83ac90
-
SHA1
4342b2f852e52892c8d8a00d6b902d2bd10e15ee
-
SHA256
79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55feb
-
SHA512
744c18f79e8efba34aca360d3a3931cfd9014db2bd9c5093659c564f5ca50aab0b6f259c168a0ea90faf905c7a7ef9cdfdf7ce924e7e448ba92d96655d1e501f
-
SSDEEP
49152:ansHyjtk2MYC5GD5KyUqTEBBKjVFVcSLTx:ansmtk2avyyw6Sh
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Xred family
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation Synaptics.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation ._cache_Synaptics.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation 79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation ._cache_79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe -
Executes dropped EXE 5 IoCs
pid Process 4880 ._cache_79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe 4480 Synaptics.exe 652 ._cache_79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe 4388 ._cache_Synaptics.exe 2596 ._cache_Synaptics.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" 79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Synaptics.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 904 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 904 EXCEL.EXE 904 EXCEL.EXE 904 EXCEL.EXE 904 EXCEL.EXE -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 3188 wrote to memory of 4880 3188 79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe 86 PID 3188 wrote to memory of 4880 3188 79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe 86 PID 3188 wrote to memory of 4880 3188 79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe 86 PID 3188 wrote to memory of 4480 3188 79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe 87 PID 3188 wrote to memory of 4480 3188 79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe 87 PID 3188 wrote to memory of 4480 3188 79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe 87 PID 4880 wrote to memory of 652 4880 ._cache_79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe 88 PID 4880 wrote to memory of 652 4880 ._cache_79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe 88 PID 4880 wrote to memory of 652 4880 ._cache_79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe 88 PID 652 wrote to memory of 4476 652 ._cache_79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe 90 PID 652 wrote to memory of 4476 652 ._cache_79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe 90 PID 652 wrote to memory of 4476 652 ._cache_79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe 90 PID 4480 wrote to memory of 4388 4480 Synaptics.exe 91 PID 4480 wrote to memory of 4388 4480 Synaptics.exe 91 PID 4480 wrote to memory of 4388 4480 Synaptics.exe 91 PID 4388 wrote to memory of 2596 4388 ._cache_Synaptics.exe 93 PID 4388 wrote to memory of 2596 4388 ._cache_Synaptics.exe 93 PID 4388 wrote to memory of 2596 4388 ._cache_Synaptics.exe 93 PID 2596 wrote to memory of 4104 2596 ._cache_Synaptics.exe 96 PID 2596 wrote to memory of 4104 2596 ._cache_Synaptics.exe 96 PID 2596 wrote to memory of 4104 2596 ._cache_Synaptics.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe"C:\Users\Admin\AppData\Local\Temp\79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Users\Admin\AppData\Local\Temp\._cache_79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe"C:\Users\Admin\AppData\Local\Temp\._cache_79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Users\Admin\AppData\Local\Temp\eset.temp\{02D83BBE-6DFA-5B88-C059-45C3892906EA}\._cache_79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe"C:\Users\Admin\AppData\Local\Temp\eset.temp\{02D83BBE-6DFA-5B88-C059-45C3892906EA}\._cache_79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:652 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c pause > nul4⤵
- System Location Discovery: System Language Discovery
PID:4476
-
-
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Users\Admin\AppData\Local\Temp\eset.temp\{02D83BBE-C9A8-51F0-8565-45C3553532E8}\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\eset.temp\{02D83BBE-C9A8-51F0-8565-45C3553532E8}\._cache_Synaptics.exe" "InjUpdate"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c pause > nul5⤵
- System Location Discovery: System Language Discovery
PID:4104
-
-
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:904
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD50ff280de0233ba547b6e5e689f83ac90
SHA14342b2f852e52892c8d8a00d6b902d2bd10e15ee
SHA25679bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55feb
SHA512744c18f79e8efba34aca360d3a3931cfd9014db2bd9c5093659c564f5ca50aab0b6f259c168a0ea90faf905c7a7ef9cdfdf7ce924e7e448ba92d96655d1e501f
-
C:\Users\Admin\AppData\Local\Temp\._cache_79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe
Filesize1.0MB
MD54478f8b0da41ed0a9ae85c2005c551e5
SHA1167bae207c3007b89c4e42161f8526ea893c1b70
SHA2563fbc3476af5674b389b1026ab43f48e672c2f0b28e075fae0ad34dcf2362c112
SHA5120d9b4403f5425e7ebfd2c6243a57d93130f21334da7ebc582d6e15765accf1a52632e404b5e453fdba76e95f5f8fd4b3882ca0980e451c15d83c672850c98664
-
Filesize
17KB
MD5af4d37aad8b34471da588360a43e768a
SHA183ed64667d4e68ea531b8bcf58aab3ed4a5ca998
SHA256e7550c3453156531308fda255a198c3710aa4bc7412819c180b103c11e85cef1
SHA51274f5000038c47b7c909c4ee5740e0e87cac12c9c96fff8b1c7ec749541ee3d4b7efd80f9ac02cd39809dca3f2707d0063fa852a3a541342d93a9d03de08823da
-
C:\Users\Admin\AppData\Local\Temp\eset.temp\{02D83BBE-6DFA-5B88-C059-45C3892906EA}\._cache_79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe
Filesize840KB
MD52e8237dc029d6f9458c9f6a892924379
SHA1a747c2df935141a850a5dc3bd2900fd40d448d68
SHA2562fb60fe210a3f0d1ae5b33f5363a7c42e1680d98b3caac6b06ba6c456280b86c
SHA512b0f329b0d6b06af086facd6f18265649eea5a7e312ccde8e8d488ea85d5b00bee1b1fd6dbb86812010e0dc316e2e72551d566b075686e7c279e5018c1c371590