Analysis
- max time kernel: 118s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/11/2024, 19:08
Behavioral task: behavioral1
- Sample: 8aadfdd433f8ede5fd88bc465b4cf19d8b6083caadc5b0f41502bb6e2105883cN.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 8aadfdd433f8ede5fd88bc465b4cf19d8b6083caadc5b0f41502bb6e2105883cN.exe
- Resource: win10v2004-20241007-en
General
- Target: 8aadfdd433f8ede5fd88bc465b4cf19d8b6083caadc5b0f41502bb6e2105883cN.exe
- Size: 4.8MB
- MD5: 9384a0735fc13a99b539f6dd056c6440
- SHA1: 497390cac868697a67135216d4da8dfac0e54856
- SHA256: 8aadfdd433f8ede5fd88bc465b4cf19d8b6083caadc5b0f41502bb6e2105883c
- SHA512: 4bc4bd244fb090f84482f93dc356c22f95fb8c419d0ca8ebdcf5d725ebf6a5df645fa7fc4eb903554528d5c498d409b1573b9336b9deb0f614f24452bea5c66b
- SSDEEP: 98304:2nsmtk2aJ3xL6eQhbL3l+Ug7n8fRnWC9t1cCGP7KrNlMVEK7Az+7HHy:oLImeQ7+lbUt5RxSVnaOy
Malware Config
Extracted:
- xred
- xred.mooo.com
- payload_url:
  - http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
  - https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
  - https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
  - http://xred.site50.net/syn/SUpdate.ini
  - https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
  - https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
  - http://xred.site50.net/syn/Synaptics.rar
  - https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
  - https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
  - http://xred.site50.net/syn/SSLLibrary.dll
Signatures
- Xred family
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (8aadfdd433f8ede5fd88bc465b4cf19d8b6083caadc5b0f41502bb6e2105883cN.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (Synaptics.exe)
Executes dropped EXE (5 IoCs)
- PID 1032: ._cache_8aadfdd433f8ede5fd88bc465b4cf19d8b6083caadc5b0f41502bb6e2105883cN.exe
- PID 376: ._cache_8aadfdd433f8ede5fd88bc465b4cf19d8b6083caadc5b0f41502bb6e2105883cN.tmp
- PID 2344: Synaptics.exe
- PID 972: ._cache_Synaptics.exe
- PID 4788: ._cache_Synaptics.tmp
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" (8aadfdd433f8ede5fd88bc465b4cf19d8b6083caadc5b0f41502bb6e2105883cN.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (._cache_Synaptics.tmp)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (8aadfdd433f8ede5fd88bc465b4cf19d8b6083caadc5b0f41502bb6e2105883cN.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (._cache_8aadfdd433f8ede5fd88bc465b4cf19d8b6083caadc5b0f41502bb6e2105883cN.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (._cache_8aadfdd433f8ede5fd88bc465b4cf19d8b6083caadc5b0f41502bb6e2105883cN.tmp)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Synaptics.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (._cache_Synaptics.exe)
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
Modifies registry class (2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (Synaptics.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (8aadfdd433f8ede5fd88bc465b4cf19d8b6083caadc5b0f41502bb6e2105883cN.exe)
Suspicious behavior: AddClipboardFormatListener (1 IoC)
- PID 816: EXCEL.EXE
Suspicious use of SetWindowsHookEx (6 IoCs)
- PID 816: EXCEL.EXE (all six entries are this process)
Suspicious use of WriteProcessMemory (15 IoCs; each parent/child pair is recorded three times)
- PID 3800 wrote to memory of PID 1032: 8aadfdd433f8ede5fd88bc465b4cf19d8b6083caadc5b0f41502bb6e2105883cN.exe, procid_target 84 (3 entries)
- PID 1032 wrote to memory of PID 376: ._cache_8aadfdd433f8ede5fd88bc465b4cf19d8b6083caadc5b0f41502bb6e2105883cN.exe, procid_target 85 (3 entries)
- PID 3800 wrote to memory of PID 2344: 8aadfdd433f8ede5fd88bc465b4cf19d8b6083caadc5b0f41502bb6e2105883cN.exe, procid_target 86 (3 entries)
- PID 2344 wrote to memory of PID 972: Synaptics.exe, procid_target 87 (3 entries)
- PID 972 wrote to memory of PID 4788: ._cache_Synaptics.exe, procid_target 89 (3 entries)
Processes (indentation shows the parent/child tree)
- "C:\Users\Admin\AppData\Local\Temp\8aadfdd433f8ede5fd88bc465b4cf19d8b6083caadc5b0f41502bb6e2105883cN.exe" (PID 3800)
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - "C:\Users\Admin\AppData\Local\Temp\._cache_8aadfdd433f8ede5fd88bc465b4cf19d8b6083caadc5b0f41502bb6e2105883cN.exe" (PID 1032)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - "C:\Users\Admin\AppData\Local\Temp\is-RC0Q9.tmp\._cache_8aadfdd433f8ede5fd88bc465b4cf19d8b6083caadc5b0f41502bb6e2105883cN.tmp" /SL5="$601C6,3788295,227328,C:\Users\Admin\AppData\Local\Temp\._cache_8aadfdd433f8ede5fd88bc465b4cf19d8b6083caadc5b0f41502bb6e2105883cN.exe" (PID 376)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
  - "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate (PID 2344)
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate (PID 972)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - "C:\Users\Admin\AppData\Local\Temp\is-P0882.tmp\._cache_Synaptics.tmp" /SL5="$F0064,3788295,227328,C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate (PID 4788)
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
- "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding (PID 816)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- (submitted sample; hashes match the General section above) Filesize: 4.8MB
- C:\Users\Admin\AppData\Local\Temp\._cache_8aadfdd433f8ede5fd88bc465b4cf19d8b6083caadc5b0f41502bb6e2105883cN.exe, Filesize: 4.0MB
- (unnamed dropped file) Filesize: 17KB
- (unnamed dropped file) Filesize: 23KB
- C:\Users\Admin\AppData\Local\Temp\is-RC0Q9.tmp\._cache_8aadfdd433f8ede5fd88bc465b4cf19d8b6083caadc5b0f41502bb6e2105883cN.tmp, Filesize: 1.2MB