Analysis
- max time kernel: 141s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/11/2024, 20:53
Behavioral task behavioral1
- Sample: 3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: 3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe
- Resource: win10v2004-20241007-en
General
- Target: 3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe
- Size: 790KB
- MD5: a6ce8540967df09c1a03a9a3ca0e4d7c
- SHA1: 6d74f41b9b2ae6ec75a4d84566161032e3547d9b
- SHA256: 3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d
- SHA512: 782143c9be6ada1e64ee45e05b8ccf874fc8589e6b10227ae9f86d4864d6bca0e81c59057e70da574ab8a8d02f06a0f70b8620605d736bf0e220ec5ccd255794
- SSDEEP: 12288:qMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V951KE+VI+l8/:qnsJ39LyjbJkQFMhmC+6GD9jKE+VI+lg
Malware Config
Extracted
- Family: xred
- C2: xred.mooo.com
- payload_url:
Signatures
- Xred family
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (Synaptics.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe)
- Executes dropped EXE (3 IoCs)
  PID 3660: ._cache_3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe
  PID 4920: Synaptics.exe
  PID 3976: ._cache_Synaptics.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" (3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Synaptics.exe)
- Modifies registry class (2 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (Synaptics.exe)
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 3020 wrote to memory of 3660 (3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe, procid_target 86)
  PID 3020 wrote to memory of 3660 (3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe, procid_target 86)
  PID 3020 wrote to memory of 3660 (3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe, procid_target 86)
  PID 3020 wrote to memory of 4920 (3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe, procid_target 88)
  PID 3020 wrote to memory of 4920 (3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe, procid_target 88)
  PID 3020 wrote to memory of 4920 (3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe, procid_target 88)
  PID 4920 wrote to memory of 3976 (Synaptics.exe, procid_target 89)
  PID 4920 wrote to memory of 3976 (Synaptics.exe, procid_target 89)
  PID 4920 wrote to memory of 3976 (Synaptics.exe, procid_target 89)
Processes
C:\Users\Admin\AppData\Local\Temp\3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe (PID 3020)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\._cache_3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe (PID 3660, child of 3020)
    Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe"
    - Executes dropped EXE
  C:\ProgramData\Synaptics\Synaptics.exe (PID 4920, child of 3020)
    Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe (PID 3976, child of 4920)
      Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- (sample itself)
  Filesize: 790KB
  MD5: a6ce8540967df09c1a03a9a3ca0e4d7c
  SHA1: 6d74f41b9b2ae6ec75a4d84566161032e3547d9b
  SHA256: 3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d
  SHA512: 782143c9be6ada1e64ee45e05b8ccf874fc8589e6b10227ae9f86d4864d6bca0e81c59057e70da574ab8a8d02f06a0f70b8620605d736bf0e220ec5ccd255794
- C:\Users\Admin\AppData\Local\Temp\._cache_3079e3aef9f301939ce7609cc5730c52a9478c711ef003b033b0240ec724c57d.exe
  Filesize: 36KB
  MD5: 2bf435cef155b4afdc12f184ed3ebafe
  SHA1: 40f9cc633b195a23939cb1b272b3dc5b3518026c
  SHA256: 5429ce81180ab00242ec9c3d06624493d2560f745f025b078816920c30bb8bc9
  SHA512: 6216310b057f90fd3ee914b6ff3d67a2a3db1c64f5b07fcb8f4abb8f6b70e0c1949e4b3bdff339e158153d8ea0ba7c804f964e6f3210394685b4d413ead40320