Analysis
-
max time kernel
112s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19-11-2024 19:00
Behavioral task
behavioral1
Sample
dda150a32ba87e98364c9cc2b4aea0787686b74abb858a7f1215936705062fa4N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
dda150a32ba87e98364c9cc2b4aea0787686b74abb858a7f1215936705062fa4N.exe
Resource
win10v2004-20241007-en
General
-
Target
dda150a32ba87e98364c9cc2b4aea0787686b74abb858a7f1215936705062fa4N.exe
-
Size
6.5MB
-
MD5
869de13d6a202e5074bcabc7947b91e0
-
SHA1
a2698642df4719a33a7cd3be4d4cb18e16867779
-
SHA256
dda150a32ba87e98364c9cc2b4aea0787686b74abb858a7f1215936705062fa4
-
SHA512
8968b5067bbb0ef5e48ed6a49cdad49946e9bfce1019d56dbf478333d229e73d89869bd96b6cae555b40b52cf578e43bb27940faf39d452c8e1c6312751f10ce
-
SSDEEP
98304:ansmtk2afBa/eaDz7w3zdnYwPccKfHPqtRzIL6VaL7LahgUtb9khmC9618IB4tka:UL2Ba3z03+O1KfuNVa/Gycb2D94J4Oa
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Xred family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation dda150a32ba87e98364c9cc2b4aea0787686b74abb858a7f1215936705062fa4N.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation Synaptics.exe -
Executes dropped EXE 3 IoCs
pid Process 4788 ._cache_dda150a32ba87e98364c9cc2b4aea0787686b74abb858a7f1215936705062fa4N.exe 1724 Synaptics.exe 1624 ._cache_Synaptics.exe -
Loads dropped DLL 6 IoCs
pid Process 4788 ._cache_dda150a32ba87e98364c9cc2b4aea0787686b74abb858a7f1215936705062fa4N.exe 1624 ._cache_Synaptics.exe 1624 ._cache_Synaptics.exe 4788 ._cache_dda150a32ba87e98364c9cc2b4aea0787686b74abb858a7f1215936705062fa4N.exe 1624 ._cache_Synaptics.exe 1624 ._cache_Synaptics.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" dda150a32ba87e98364c9cc2b4aea0787686b74abb858a7f1215936705062fa4N.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dda150a32ba87e98364c9cc2b4aea0787686b74abb858a7f1215936705062fa4N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_dda150a32ba87e98364c9cc2b4aea0787686b74abb858a7f1215936705062fa4N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_Synaptics.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ dda150a32ba87e98364c9cc2b4aea0787686b74abb858a7f1215936705062fa4N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Synaptics.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1556 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 1556 EXCEL.EXE 1556 EXCEL.EXE 1556 EXCEL.EXE 1556 EXCEL.EXE -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1340 wrote to memory of 4788 1340 dda150a32ba87e98364c9cc2b4aea0787686b74abb858a7f1215936705062fa4N.exe 86 PID 1340 wrote to memory of 4788 1340 dda150a32ba87e98364c9cc2b4aea0787686b74abb858a7f1215936705062fa4N.exe 86 PID 1340 wrote to memory of 4788 1340 dda150a32ba87e98364c9cc2b4aea0787686b74abb858a7f1215936705062fa4N.exe 86 PID 1340 wrote to memory of 1724 1340 dda150a32ba87e98364c9cc2b4aea0787686b74abb858a7f1215936705062fa4N.exe 87 PID 1340 wrote to memory of 1724 1340 dda150a32ba87e98364c9cc2b4aea0787686b74abb858a7f1215936705062fa4N.exe 87 PID 1340 wrote to memory of 1724 1340 dda150a32ba87e98364c9cc2b4aea0787686b74abb858a7f1215936705062fa4N.exe 87 PID 1724 wrote to memory of 1624 1724 Synaptics.exe 88 PID 1724 wrote to memory of 1624 1724 Synaptics.exe 88 PID 1724 wrote to memory of 1624 1724 Synaptics.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\dda150a32ba87e98364c9cc2b4aea0787686b74abb858a7f1215936705062fa4N.exe"C:\Users\Admin\AppData\Local\Temp\dda150a32ba87e98364c9cc2b4aea0787686b74abb858a7f1215936705062fa4N.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1340 -
C:\Users\Admin\AppData\Local\Temp\._cache_dda150a32ba87e98364c9cc2b4aea0787686b74abb858a7f1215936705062fa4N.exe"C:\Users\Admin\AppData\Local\Temp\._cache_dda150a32ba87e98364c9cc2b4aea0787686b74abb858a7f1215936705062fa4N.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4788
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1624
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1556
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.5MB
MD5869de13d6a202e5074bcabc7947b91e0
SHA1a2698642df4719a33a7cd3be4d4cb18e16867779
SHA256dda150a32ba87e98364c9cc2b4aea0787686b74abb858a7f1215936705062fa4
SHA5128968b5067bbb0ef5e48ed6a49cdad49946e9bfce1019d56dbf478333d229e73d89869bd96b6cae555b40b52cf578e43bb27940faf39d452c8e1c6312751f10ce
-
C:\Users\Admin\AppData\Local\Temp\._cache_dda150a32ba87e98364c9cc2b4aea0787686b74abb858a7f1215936705062fa4N.exe
Filesize5.8MB
MD58cc39739b5418a1bbde9684807376325
SHA1232794de7993036c4cad65a1936c1fb341da7b37
SHA25645529eeaac3e24fcd31cb392dc66058dab4f13cce1462c129606aa01c7c66755
SHA512010ee6e2cd656d5b191d1aa5360551facb230605153d879c62de2eff009fd01dd43d525cc81c5fc796892a5507799e5cf70fbc8297e4c21ea4693bece459de5e
-
Filesize
11KB
MD5cd0664e18c7c4587f9a61be1dd534e22
SHA1ceb2cc7dd87e0221ce8a0bff87c010174c3113e8
SHA25663ddd3d99e919f0d27e0c438c9798ba8307f00ad439b3620e03b7badc6f728ff
SHA512dec32d8f95f15a92f33fb12a65c1e45a3799d1ce6957fa6aa71f5f454fca572d1cb97fff011774bc7b2f4bac9d7da557abe95d4a994dabde9541aa1178766e44
-
Filesize
9KB
MD57bdc263925cc66ffbfe5818bdf75db92
SHA1ce4fd90b133a984b00066b16ea7a990be55f5e2d
SHA256717f0c111a9eba8bc06ce7b5e8ca50f55e2bf9a136d5867b7e46ca5709ff83f3
SHA512a4989529dc8f76bf4d5b12542e4d3ab754050ad7d97fe69e4c24504ee0b444a729bdb32c25722800ce2a1a0263c2f35ab3e32e6d7aac12e4244a8dec0dc1c9fb
-
Filesize
5KB
MD58f1c566e12153e91d4a7319892a122a5
SHA1cf2e091b6b7117bf2c4642cfd549c5a8463eb397
SHA256012662cfbb6bfbabca4d5cc3a5904a230d199c29a98b63b5b240aebba3dab9c9
SHA51296a3d36aaf9961c7af1c107df08af2231025f9852c1ad15556c00f2361b1e4772e1a9929890bbdd82d23014dffa3364bc7ee278cc80d3d692c3c47d8d406dd33
-
Filesize
17KB
MD5af4d37aad8b34471da588360a43e768a
SHA183ed64667d4e68ea531b8bcf58aab3ed4a5ca998
SHA256e7550c3453156531308fda255a198c3710aa4bc7412819c180b103c11e85cef1
SHA51274f5000038c47b7c909c4ee5740e0e87cac12c9c96fff8b1c7ec749541ee3d4b7efd80f9ac02cd39809dca3f2707d0063fa852a3a541342d93a9d03de08823da