Analysis
max time kernel: 111s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19-11-2024 17:00
Behavioral task: behavioral1
Sample: c2ebf9821b6abbceb29dcc4fe0ca4285a1bbcbc51525b8d1efb2fca948a9bdacN.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: c2ebf9821b6abbceb29dcc4fe0ca4285a1bbcbc51525b8d1efb2fca948a9bdacN.exe
Resource: win10v2004-20241007-en
General
Target: c2ebf9821b6abbceb29dcc4fe0ca4285a1bbcbc51525b8d1efb2fca948a9bdacN.exe
Size: 976KB
MD5: 547c938c518721d96827df79f799a100
SHA1: 5e818cb4f636f967bb103e6fb9fc0709ba799630
SHA256: c2ebf9821b6abbceb29dcc4fe0ca4285a1bbcbc51525b8d1efb2fca948a9bdac
SHA512: 5327bcf390c8065fe83c76c678a2946c00bea23a02b4b2814abe5f07ce9f3cad070885284d969d6a62f55f57081942aa6c4ff05b1e0af25dcb7844f295a4d817
SSDEEP: 24576:PnsJ39LyjbJkQFMhmC+6GD9hDZwatUnhUN:PnsHyjtk2MYC5GDux0
Malware Config
Extracted
Family: xred
xred.mooo.com
payload_url:
- http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
- https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
- https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
- http://xred.site50.net/syn/SUpdate.ini
- https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
- https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
- http://xred.site50.net/syn/Synaptics.rar
- https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
- https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
- http://xred.site50.net/syn/SSLLibrary.dll
Signatures
Xred family
Executes dropped EXE (3 IoCs)
  pid   Process
  2068  ._cache_c2ebf9821b6abbceb29dcc4fe0ca4285a1bbcbc51525b8d1efb2fca948a9bdacN.exe
  2836  Synaptics.exe
  2856  ._cache_Synaptics.exe
Loads dropped DLL (11 IoCs)
  pid   Process
  2280  c2ebf9821b6abbceb29dcc4fe0ca4285a1bbcbc51525b8d1efb2fca948a9bdacN.exe
  2068  ._cache_c2ebf9821b6abbceb29dcc4fe0ca4285a1bbcbc51525b8d1efb2fca948a9bdacN.exe
  2068  ._cache_c2ebf9821b6abbceb29dcc4fe0ca4285a1bbcbc51525b8d1efb2fca948a9bdacN.exe
  2068  ._cache_c2ebf9821b6abbceb29dcc4fe0ca4285a1bbcbc51525b8d1efb2fca948a9bdacN.exe
  2280  c2ebf9821b6abbceb29dcc4fe0ca4285a1bbcbc51525b8d1efb2fca948a9bdacN.exe
  2280  c2ebf9821b6abbceb29dcc4fe0ca4285a1bbcbc51525b8d1efb2fca948a9bdacN.exe
  2836  Synaptics.exe
  2836  Synaptics.exe
  2856  ._cache_Synaptics.exe
  2856  ._cache_Synaptics.exe
  2856  ._cache_Synaptics.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"
  Process: c2ebf9821b6abbceb29dcc4fe0ca4285a1bbcbc51525b8d1efb2fca948a9bdacN.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                        Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  EXCEL.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c2ebf9821b6abbceb29dcc4fe0ca4285a1bbcbc51525b8d1efb2fca948a9bdacN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ._cache_c2ebf9821b6abbceb29dcc4fe0ca4285a1bbcbc51525b8d1efb2fca948a9bdacN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Synaptics.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ._cache_Synaptics.exe
Enumerates system info in registry (2 TTPs, 1 IoCs)
  description  ioc                                                                 Process
  Key opened   \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid   Process
  2604  EXCEL.EXE
Suspicious use of SetWindowsHookEx (5 IoCs)
  pid   Process
  2068  ._cache_c2ebf9821b6abbceb29dcc4fe0ca4285a1bbcbc51525b8d1efb2fca948a9bdacN.exe
  2068  ._cache_c2ebf9821b6abbceb29dcc4fe0ca4285a1bbcbc51525b8d1efb2fca948a9bdacN.exe
  2856  ._cache_Synaptics.exe
  2856  ._cache_Synaptics.exe
  2604  EXCEL.EXE
Suspicious use of WriteProcessMemory (18 IoCs)
  description                       pid   Process                                                                    procid_target
  PID 2280 wrote to memory of 2068  2280  c2ebf9821b6abbceb29dcc4fe0ca4285a1bbcbc51525b8d1efb2fca948a9bdacN.exe  31
  PID 2280 wrote to memory of 2068  2280  c2ebf9821b6abbceb29dcc4fe0ca4285a1bbcbc51525b8d1efb2fca948a9bdacN.exe  31
  PID 2280 wrote to memory of 2068  2280  c2ebf9821b6abbceb29dcc4fe0ca4285a1bbcbc51525b8d1efb2fca948a9bdacN.exe  31
  PID 2280 wrote to memory of 2068  2280  c2ebf9821b6abbceb29dcc4fe0ca4285a1bbcbc51525b8d1efb2fca948a9bdacN.exe  31
  PID 2280 wrote to memory of 2068  2280  c2ebf9821b6abbceb29dcc4fe0ca4285a1bbcbc51525b8d1efb2fca948a9bdacN.exe  31
  PID 2280 wrote to memory of 2068  2280  c2ebf9821b6abbceb29dcc4fe0ca4285a1bbcbc51525b8d1efb2fca948a9bdacN.exe  31
  PID 2280 wrote to memory of 2068  2280  c2ebf9821b6abbceb29dcc4fe0ca4285a1bbcbc51525b8d1efb2fca948a9bdacN.exe  31
  PID 2280 wrote to memory of 2836  2280  c2ebf9821b6abbceb29dcc4fe0ca4285a1bbcbc51525b8d1efb2fca948a9bdacN.exe  32
  PID 2280 wrote to memory of 2836  2280  c2ebf9821b6abbceb29dcc4fe0ca4285a1bbcbc51525b8d1efb2fca948a9bdacN.exe  32
  PID 2280 wrote to memory of 2836  2280  c2ebf9821b6abbceb29dcc4fe0ca4285a1bbcbc51525b8d1efb2fca948a9bdacN.exe  32
  PID 2280 wrote to memory of 2836  2280  c2ebf9821b6abbceb29dcc4fe0ca4285a1bbcbc51525b8d1efb2fca948a9bdacN.exe  32
  PID 2836 wrote to memory of 2856  2836  Synaptics.exe                                                              33
  PID 2836 wrote to memory of 2856  2836  Synaptics.exe                                                              33
  PID 2836 wrote to memory of 2856  2836  Synaptics.exe                                                              33
  PID 2836 wrote to memory of 2856  2836  Synaptics.exe                                                              33
  PID 2836 wrote to memory of 2856  2836  Synaptics.exe                                                              33
  PID 2836 wrote to memory of 2856  2836  Synaptics.exe                                                              33
  PID 2836 wrote to memory of 2856  2836  Synaptics.exe                                                              33
Processes
C:\Users\Admin\AppData\Local\Temp\c2ebf9821b6abbceb29dcc4fe0ca4285a1bbcbc51525b8d1efb2fca948a9bdacN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c2ebf9821b6abbceb29dcc4fe0ca4285a1bbcbc51525b8d1efb2fca948a9bdacN.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2280
    C:\Users\Admin\AppData\Local\Temp\._cache_c2ebf9821b6abbceb29dcc4fe0ca4285a1bbcbc51525b8d1efb2fca948a9bdacN.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_c2ebf9821b6abbceb29dcc4fe0ca4285a1bbcbc51525b8d1efb2fca948a9bdacN.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 2068
    C:\ProgramData\Synaptics\Synaptics.exe
      Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2836
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          PID: 2856
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 2604
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 976KB
MD5: 547c938c518721d96827df79f799a100
SHA1: 5e818cb4f636f967bb103e6fb9fc0709ba799630
SHA256: c2ebf9821b6abbceb29dcc4fe0ca4285a1bbcbc51525b8d1efb2fca948a9bdac
SHA512: 5327bcf390c8065fe83c76c678a2946c00bea23a02b4b2814abe5f07ce9f3cad070885284d969d6a62f55f57081942aa6c4ff05b1e0af25dcb7844f295a4d817

Filesize: 17KB
MD5: af4d37aad8b34471da588360a43e768a
SHA1: 83ed64667d4e68ea531b8bcf58aab3ed4a5ca998
SHA256: e7550c3453156531308fda255a198c3710aa4bc7412819c180b103c11e85cef1
SHA512: 74f5000038c47b7c909c4ee5740e0e87cac12c9c96fff8b1c7ec749541ee3d4b7efd80f9ac02cd39809dca3f2707d0063fa852a3a541342d93a9d03de08823da

\Users\Admin\AppData\Local\Temp\._cache_c2ebf9821b6abbceb29dcc4fe0ca4285a1bbcbc51525b8d1efb2fca948a9bdacN.exe
Filesize: 220KB
MD5: e2d64328061ce1a829d5025f7418b212
SHA1: 11fae83904271c47c84f0ed646e87fec6dfdfbc4
SHA256: d7550bb2af35dd19edd8f7d15a2e42bd8ddb403f3b789ef60da0bef092b2aa5f
SHA512: 4b177ae04f1a1f12f4fe6fa33a93d4ca257cbe8af9f4a64d96448ab9d09e2c3d87e7b6caa60919c3e001e7e95c891ff8febf33ae09cd9bf27ec86fc8be942b13