Analysis
-
max time kernel
141s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
19/11/2024, 20:53
Behavioral task
behavioral1
Sample
3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe
Resource
win10v2004-20241007-en
General
-
Target
3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe
-
Size
790KB
-
MD5
a6ce8540967df09c1a03a9a3ca0e4d7c
-
SHA1
6d74f41b9b2ae6ec75a4d84566161032e3547d9b
-
SHA256
3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d
-
SHA512
782143c9be6ada1e64ee45e05b8ccf874fc8589e6b10227ae9f86d4864d6bca0e81c59057e70da574ab8a8d02f06a0f70b8620605d736bf0e220ec5ccd255794
-
SSDEEP
12288:qMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V951KE+VI+l8/:qnsJ39LyjbJkQFMhmC+6GD9jKE+VI+lg
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Xred family
-
Executes dropped EXE 3 IoCs
pid | Process
1544 | ._cache_3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe
2268 | Synaptics.exe
2544 | ._cache_Synaptics.exe
-
Loads dropped DLL 5 IoCs
pid | Process
2512 | 3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe
2512 | 3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe
2512 | 3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe
2268 | Synaptics.exe
2268 | Synaptics.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | 3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Synaptics.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe
-
Enumerates system info in registry 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2572 | EXCEL.EXE
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2572 | EXCEL.EXE
-
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 2512 wrote to memory of 1544 | 2512 | 3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe | 31
PID 2512 wrote to memory of 1544 | 2512 | 3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe | 31
PID 2512 wrote to memory of 1544 | 2512 | 3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe | 31
PID 2512 wrote to memory of 1544 | 2512 | 3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe | 31
PID 2512 wrote to memory of 2268 | 2512 | 3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe | 33
PID 2512 wrote to memory of 2268 | 2512 | 3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe | 33
PID 2512 wrote to memory of 2268 | 2512 | 3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe | 33
PID 2512 wrote to memory of 2268 | 2512 | 3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe | 33
PID 2268 wrote to memory of 2544 | 2268 | Synaptics.exe | 34
PID 2268 wrote to memory of 2544 | 2268 | Synaptics.exe | 34
PID 2268 wrote to memory of 2544 | 2268 | Synaptics.exe | 34
PID 2268 wrote to memory of 2544 | 2268 | Synaptics.exe | 34
Processes
C:\Users\Admin\AppData\Local\Temp\3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2512
    C:\Users\Admin\AppData\Local\Temp\._cache_3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe"
      - Executes dropped EXE
      PID: 1544
    C:\ProgramData\Synaptics\Synaptics.exe
      Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2268
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
          - Executes dropped EXE
          PID: 2544
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 2572
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
790KB
MD5 a6ce8540967df09c1a03a9a3ca0e4d7c
SHA1 6d74f41b9b2ae6ec75a4d84566161032e3547d9b
SHA256 3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d
SHA512 782143c9be6ada1e64ee45e05b8ccf874fc8589e6b10227ae9f86d4864d6bca0e81c59057e70da574ab8a8d02f06a0f70b8620605d736bf0e220ec5ccd255794
-
Filesize
17KB
MD5 e566fc53051035e1e6fd0ed1823de0f9
SHA1 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512 a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
Filesize
27KB
MD5 75b3279f6b425726b36f21efdba1b3a1
SHA1 6543c2b6af0879bbf83ecc4b0bd35d4c1ab0929d
SHA256 831a7e390ea00f51fc5faccaade37028745d5024986186e0f3e03691ed42c08c
SHA512 f66cb0b9a30dc47a95d05c20979e9493849b7a84791897da3c4758468202a3319babf5931f68caf8deac40c63b4adc05b6b305fabe03bef1c1d8627c95c9659f
-
\Users\Admin\AppData\Local\Temp\._cache_3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe
Filesize
36KB
MD5 2bf435cef155b4afdc12f184ed3ebafe
SHA1 40f9cc633b195a23939cb1b272b3dc5b3518026c
SHA256 5429ce81180ab00242ec9c3d06624493d2560f745f025b078816920c30bb8bc9
SHA512 6216310b057f90fd3ee914b6ff3d67a2a3db1c64f5b07fcb8f4abb8f6b70e0c1949e4b3bdff339e158153d8ea0ba7c804f964e6f3210394685b4d413ead40320