Analysis
- max time kernel: 141s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 19-11-2024 06:36
Behavioral task: behavioral1
- Sample: dllArena.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: dllArena.exe
- Resource: win10v2004-20241007-en
General
- Target: dllArena.exe
- Size: 8.4MB
- MD5: b8849b60e1823b0cb7368b56a61c7743
- SHA1: caa74767470173e44edc33dea3e604fe2620a720
- SHA256: fd59a4887d5b72ae931bc2c8d3e95a0bd856fbf1c3922331ef00a98ff77dfb9e
- SHA512: 121a100f36184d885517153d94da3bf95a7fc96ea95d12f58addfd7847c9697ea80641316efcfda102ef49170aecb4075cc3dad24b213f3d326eabd13d09e6dd
- SSDEEP: 196608:2LvgQdj4O9LgRRHG94UEbrURbsvnEJlQ9BWg:2LdX2RRmqUEbwRbsvnIG9BWg
Malware Config
Extracted
- xred
- xred.mooo.com
- payload_url:
Signatures
Xred family
- resource: behavioral1/files/0x000600000001879b-85.dat
Executes dropped EXE (7 IoCs)
- pid 2808, Process ._cache_dllArena.exe
- pid 2536, Process Synaptics.exe
- pid 2472, Process ._cache_Synaptics.exe
- pid 1556, Process Built.exe
- pid 1420, Process Built.exe
- pid 2336, Process dllArena.exe
- pid 1160, Process not Found
Loads dropped DLL (10 IoCs)
- pid 2856, Process dllArena.exe
- pid 2856, Process dllArena.exe
- pid 2856, Process dllArena.exe
- pid 2536, Process Synaptics.exe
- pid 2536, Process Synaptics.exe
- pid 2808, Process ._cache_dllArena.exe
- pid 1556, Process Built.exe
- pid 1420, Process Built.exe
- pid 2808, Process ._cache_dllArena.exe
- pid 1160, Process not Found
Adds Run key to start application (2 TTPs, 1 IoCs)
- description: Set value (str)
- ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"
- Process: dllArena.exe
yara_rule
- resource: behavioral1/files/0x00050000000193d9-120.dat (upx)
- resource: behavioral1/memory/1420-122-0x000007FEF2EB0000-0x000007FEF3498000-memory.dmp (upx)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: EXCEL.EXE
- description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: dllArena.exe
- description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: Synaptics.exe
Enumerates system info in registry (2 TTPs, 1 IoCs)
- description: Key opened; ioc: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor; Process: EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
- pid 1404, Process EXCEL.EXE
Suspicious use of SetWindowsHookEx (1 IoCs)
- pid 1404, Process EXCEL.EXE
Suspicious use of WriteProcessMemory (21 IoCs)
- PID 2856 wrote to memory of 2808; pid 2856; Process dllArena.exe; procid_target 30
- PID 2856 wrote to memory of 2808; pid 2856; Process dllArena.exe; procid_target 30
- PID 2856 wrote to memory of 2808; pid 2856; Process dllArena.exe; procid_target 30
- PID 2856 wrote to memory of 2808; pid 2856; Process dllArena.exe; procid_target 30
- PID 2856 wrote to memory of 2536; pid 2856; Process dllArena.exe; procid_target 31
- PID 2856 wrote to memory of 2536; pid 2856; Process dllArena.exe; procid_target 31
- PID 2856 wrote to memory of 2536; pid 2856; Process dllArena.exe; procid_target 31
- PID 2856 wrote to memory of 2536; pid 2856; Process dllArena.exe; procid_target 31
- PID 2536 wrote to memory of 2472; pid 2536; Process Synaptics.exe; procid_target 32
- PID 2536 wrote to memory of 2472; pid 2536; Process Synaptics.exe; procid_target 32
- PID 2536 wrote to memory of 2472; pid 2536; Process Synaptics.exe; procid_target 32
- PID 2536 wrote to memory of 2472; pid 2536; Process Synaptics.exe; procid_target 32
- PID 2808 wrote to memory of 1556; pid 2808; Process ._cache_dllArena.exe; procid_target 34
- PID 2808 wrote to memory of 1556; pid 2808; Process ._cache_dllArena.exe; procid_target 34
- PID 2808 wrote to memory of 1556; pid 2808; Process ._cache_dllArena.exe; procid_target 34
- PID 1556 wrote to memory of 1420; pid 1556; Process Built.exe; procid_target 35
- PID 1556 wrote to memory of 1420; pid 1556; Process Built.exe; procid_target 35
- PID 1556 wrote to memory of 1420; pid 1556; Process Built.exe; procid_target 35
- PID 2808 wrote to memory of 2336; pid 2808; Process ._cache_dllArena.exe; procid_target 36
- PID 2808 wrote to memory of 2336; pid 2808; Process ._cache_dllArena.exe; procid_target 36
- PID 2808 wrote to memory of 2336; pid 2808; Process ._cache_dllArena.exe; procid_target 36
Processes (process tree; indentation shows parent/child relationship)
- "C:\Users\Admin\AppData\Local\Temp\dllArena.exe" (PID 2856)
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - "C:\Users\Admin\AppData\Local\Temp\._cache_dllArena.exe" (PID 2808)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - "C:\Users\Admin\AppData\Local\Temp\Built.exe" (PID 1556)
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - "C:\Users\Admin\AppData\Local\Temp\Built.exe" (PID 1420)
        - Executes dropped EXE
        - Loads dropped DLL
    - "C:\Users\Admin\AppData\Local\Temp\dllArena.exe" (PID 2336)
      - Executes dropped EXE
  - "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate (PID 2536)
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate (PID 2472)
      - Executes dropped EXE
- "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding (PID 1404)
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads