Analysis
max time kernel: 111s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2024 00:16
Behavioral task behavioral1
Sample: 9524a1cadb215fe07b2bd4ee53f1f5492dada313e84ce1cb01b56006b1b7b6b3N.exe
Resource: win7-20241010-en
Behavioral task behavioral2
Sample: 9524a1cadb215fe07b2bd4ee53f1f5492dada313e84ce1cb01b56006b1b7b6b3N.exe
Resource: win10v2004-20241007-en
The signatures, process tree and downloads below come from the behavioral2 run (the win10v2004-20241007-en image named under platform/resource above).
General
Target: 9524a1cadb215fe07b2bd4ee53f1f5492dada313e84ce1cb01b56006b1b7b6b3N.exe
Size: 769KB
MD5: 6db4320c191b06ddd85567b74efb6e70
SHA1: 747086d62c1b6b441a10a055334de4813addff78
SHA256: 9524a1cadb215fe07b2bd4ee53f1f5492dada313e84ce1cb01b56006b1b7b6b3
SHA512: 3256d70188c5ff90b35b7b4f0ab00df6117ccd4c84ce9dd223118732a1b28d1eeb02bc12b74fe607585c6e55e60e38a7797e4cd83cae69ce01f2773f0108fc75
SSDEEP: 12288:yMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V911KE+VIo1/:ynsJ39LyjbJkQFMhmC+6GD9fKE+VIop
Malware Config
Extracted
family: xred
c2: xred.mooo.com
payload_url:
- http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
- https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
- https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
- http://xred.site50.net/syn/SUpdate.ini
- https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
- https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
- http://xred.site50.net/syn/Synaptics.rar
- https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
- https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
- http://xred.site50.net/syn/SSLLibrary.dll
Note on the payload list: each of the three files (SUpdate.ini, Synaptics.rar, SSLLibrary.dll) has three fallback locations, a Google Docs file ID, a Dropbox share link and the xred.site50.net host. freedns.afraid.org, docs.google.com and dropbox.com are legitimate services, so block or alert on the full URLs (or the file/share IDs), not on those hostnames; xred.mooo.com and xred.site50.net can be blocked as hosts.
Signatures
Xred family

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | 9524a1cadb215fe07b2bd4ee53f1f5492dada313e84ce1cb01b56006b1b7b6b3N.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | Synaptics.exe
Executes dropped EXE (3 IoCs)
  pid | process
  4748 | ._cache_9524a1cadb215fe07b2bd4ee53f1f5492dada313e84ce1cb01b56006b1b7b6b3N.exe
  116 | Synaptics.exe
  2848 | ._cache_Synaptics.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | 9524a1cadb215fe07b2bd4ee53f1f5492dada313e84ce1cb01b56006b1b7b6b3N.exe
The WOW6432Node path is the registry-redirected view a 32-bit process gets on this x64 image (the resource tags list both arch:x64 and arch:x86), so the value lands under HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run rather than the native Run key. When hunting for this persistence, query both the native and the WOW6432Node Run keys.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9524a1cadb215fe07b2bd4ee53f1f5492dada313e84ce1cb01b56006b1b7b6b3N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Synaptics.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Both of these signatures fire on EXCEL.EXE (PID 5116), not on the sample or its dropped copies. Office reads these CPU and BIOS keys during normal startup, so they are low-signal here and should not be read as sandbox-evasion by the sample.
Modifies registry class (2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 9524a1cadb215fe07b2bd4ee53f1f5492dada313e84ce1cb01b56006b1b7b6b3N.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Synaptics.exe
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | process
  5116 | EXCEL.EXE
Suspicious use of SetWindowsHookEx (8 IoCs)
  pid | process
  5116 | EXCEL.EXE (8 identical entries)
Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | process | procid_target
  PID 3080 wrote to memory of 4748 | 3080 | 9524a1cadb215fe07b2bd4ee53f1f5492dada313e84ce1cb01b56006b1b7b6b3N.exe | 82 (3 identical entries)
  PID 3080 wrote to memory of 116 | 3080 | 9524a1cadb215fe07b2bd4ee53f1f5492dada313e84ce1cb01b56006b1b7b6b3N.exe | 84 (3 identical entries)
  PID 116 wrote to memory of 2848 | 116 | Synaptics.exe | 85 (3 identical entries)
The three writer/target pairs are exactly the parent/child edges of the process tree below (3080 -> 4748, 3080 -> 116, 116 -> 2848): each process writes only into a child it spawned itself, not into an unrelated, already-running process.
Processes
- C:\Users\Admin\AppData\Local\Temp\9524a1cadb215fe07b2bd4ee53f1f5492dada313e84ce1cb01b56006b1b7b6b3N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9524a1cadb215fe07b2bd4ee53f1f5492dada313e84ce1cb01b56006b1b7b6b3N.exe"
  PID: 3080
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\._cache_9524a1cadb215fe07b2bd4ee53f1f5492dada313e84ce1cb01b56006b1b7b6b3N.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\._cache_9524a1cadb215fe07b2bd4ee53f1f5492dada313e84ce1cb01b56006b1b7b6b3N.exe"
    PID: 4748
    - Executes dropped EXE
  - C:\ProgramData\Synaptics\Synaptics.exe
    command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    PID: 116
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      PID: 2848
      - Executes dropped EXE
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  PID: 5116
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Reading the tree: the submitted file drops and runs a ._cache_-prefixed file carrying its own name (15KB, see Downloads) and C:\ProgramData\Synaptics\Synaptics.exe, the copy it persists through the Run key; Synaptics.exe then repeats the same drop-and-run step with ._cache_Synaptics.exe, and both Synaptics stages are started with the InjUpdate argument. EXCEL.EXE has no parent in the tree; its -Embedding switch is the one the COM service control manager passes when it launches an out-of-process server, which is consistent with Excel being started through COM automation rather than spawned directly by the sample.
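The indicators in this report (the Run key and its WOW6432Node placement, the CLSID\...\Instance key, the xred.mooo.com and xred.site50.net hosts, the full payload URLs, the ._cache_ drop-and-run pattern and the InjUpdate argument in the process tree, the dropped-file hashes) translate directly into host and network detection. The block below is an added example written for this page, not code from the sandbox or from the Xred sample: it encodes those indicators as rules and runs them over a constructed event list. The event schema, the field names (type, key, value, image, parent_image, cmdline, host, url, sha256) and the events in SAMPLE_EVENTS are assumptions modelled loosely on Sysmon registry, process, DNS and file events; two benign events (an OneDrive Run key, an ordinary Google Docs URL) are included to show what must not fire. EXCEL.EXE's /automation -Embedding start is deliberately not a rule, since that is how any out-of-process COM server is launched.

```python
"""Detection rules built from the Xred indicators in this report.
Added example, not part of the sandbox report or of the sample. Event schema,
field names and SAMPLE_EVENTS are assumptions (loosely Sysmon-shaped)."""
from typing import Callable, Dict, List, Tuple

# --- indicators copied from the report ---------------------------------------
SAMPLE_SHA256 = "9524a1cadb215fe07b2bd4ee53f1f5492dada313e84ce1cb01b56006b1b7b6b3"
DROPPED_CACHE_SHA256 = "3898114b93d5102fda924637e06c952c1cf0477223b61f0138086a6a73120a89"
PERSISTED_IMAGE = r"C:\ProgramData\Synaptics\Synaptics.exe"
RUN_VALUE_NAME = "Synaptics Pointing Device Driver"
CLSID_INSTANCE = r"\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance"
XRED_HOSTS = {"xred.mooo.com", "xred.site50.net"}
# Full URLs only: freedns.afraid.org, docs.google.com and dropbox.com are
# legitimate services, so matching those hosts alone would be noise.
PAYLOAD_URLS = {
    "http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download",
    "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1",
    "http://xred.site50.net/syn/SUpdate.ini",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download",
    "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1",
    "http://xred.site50.net/syn/Synaptics.rar",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download",
    "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1",
    "http://xred.site50.net/syn/SSLLibrary.dll",
}
CACHE_PREFIX = "._cache_"  # dropped copy named after the parent, run by the parent
STAGE_ARG = "InjUpdate"    # argument seen on both Synaptics stages in the tree

Event = Dict[str, str]
Hit = Tuple[str, str]      # (rule name, matched detail)


def norm_key(key: str) -> str:
    """Fold the 32-bit redirected view (WOW6432Node) and the \\REGISTRY\\MACHINE
    spelling used in the report so both compare like a plain HKLM path."""
    k = key.upper().replace("\\WOW6432NODE", "")
    return k.replace("\\REGISTRY\\MACHINE", "HKLM").replace("\\REGISTRY\\USER", "HKU")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def check_registry(ev: Event) -> List[Hit]:
    hits: List[Hit] = []
    key = norm_key(ev.get("key", ""))
    value = ev.get("value", "").replace("\\\\", "\\").upper()  # report shows escaped backslashes
    run_tail = "\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\\" + RUN_VALUE_NAME.upper()
    if key.endswith(run_tail) or PERSISTED_IMAGE.upper() in value:
        hits.append(("xred_run_key", ev.get("key", "")))
    if CLSID_INSTANCE.upper() in key:
        hits.append(("xred_clsid_instance", ev.get("key", "")))
    return hits


def check_process(ev: Event) -> List[Hit]:
    hits: List[Hit] = []
    child, parent = basename(ev.get("image", "")), basename(ev.get("parent_image", ""))
    # Drop-and-run: the child is "._cache_" + the parent's own file name.
    if parent and child.lower() == (CACHE_PREFIX + parent).lower():
        hits.append(("xred_cache_drop", f"{parent} -> {child}"))
    if ev.get("image", "").lower() == PERSISTED_IMAGE.lower() and STAGE_ARG in ev.get("cmdline", ""):
        hits.append(("xred_injupdate", ev.get("cmdline", "")))
    return hits


def check_network(ev: Event) -> List[Hit]:
    hits: List[Hit] = []
    host = ev.get("host", "").lower().rstrip(".")
    if host in XRED_HOSTS:
        hits.append(("xred_host", host))
    if ev.get("url", "") in PAYLOAD_URLS:
        hits.append(("xred_payload_url", ev["url"]))
    return hits


def check_file(ev: Event) -> List[Hit]:
    if ev.get("sha256", "").lower() in {SAMPLE_SHA256, DROPPED_CACHE_SHA256}:
        return [("xred_known_hash", ev.get("path", ""))]
    return []


CHECKS: Dict[str, Callable[[Event], List[Hit]]] = {
    "registry": check_registry, "process": check_process,
    "network": check_network, "file": check_file,
}


def scan(events: List[Event]) -> List[Hit]:
    """Run every rule over every event; one Hit per rule match, in event order."""
    hits: List[Hit] = []
    for ev in events:
        hits.extend(CHECKS.get(ev.get("type", ""), lambda e: [])(ev))
    return hits


TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_NAME = "9524a1cadb215fe07b2bd4ee53f1f5492dada313e84ce1cb01b56006b1b7b6b3N.exe"

# Constructed telemetry mirroring the report, plus two benign events that must not fire.
SAMPLE_EVENTS: List[Event] = [
    {"type": "registry", "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver", "value": PERSISTED_IMAGE},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive", "value": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},  # benign
    {"type": "registry", "key": r"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance"},
    {"type": "process", "parent_image": f"{TMP}\\{SAMPLE_NAME}", "image": f"{TMP}\\{CACHE_PREFIX}{SAMPLE_NAME}", "cmdline": f'"{TMP}\\{CACHE_PREFIX}{SAMPLE_NAME}"'},
    {"type": "process", "parent_image": f"{TMP}\\{SAMPLE_NAME}", "image": PERSISTED_IMAGE, "cmdline": f'"{PERSISTED_IMAGE}" InjUpdate'},
    {"type": "process", "parent_image": PERSISTED_IMAGE, "image": f"{TMP}\\{CACHE_PREFIX}Synaptics.exe", "cmdline": f'"{TMP}\\{CACHE_PREFIX}Synaptics.exe" InjUpdate'},
    {"type": "network", "host": "xred.mooo.com"},
    {"type": "network", "host": "docs.google.com", "url": "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download"},
    {"type": "network", "host": "docs.google.com", "url": "https://docs.google.com/document/d/example"},  # benign
    {"type": "file", "path": f"{TMP}\\{CACHE_PREFIX}{SAMPLE_NAME}", "sha256": DROPPED_CACHE_SHA256},
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule:22} {detail}")
```

Run it as a script to print the eight matches. The ._cache_ rule is the most durable of the set: it keys on the self-replication pattern visible twice in the tree rather than on a file name, key name or hash that a rebuilt variant would change, so it is the one worth keeping even after the other strings rotate.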
MITRE ATT&CK Enterprise v15
Downloads
- (path not recorded; hashes identical to the submitted sample)
  Filesize: 769KB
  MD5: 6db4320c191b06ddd85567b74efb6e70
  SHA1: 747086d62c1b6b441a10a055334de4813addff78
  SHA256: 9524a1cadb215fe07b2bd4ee53f1f5492dada313e84ce1cb01b56006b1b7b6b3
  SHA512: 3256d70188c5ff90b35b7b4f0ab00df6117ccd4c84ce9dd223118732a1b28d1eeb02bc12b74fe607585c6e55e60e38a7797e4cd83cae69ce01f2773f0108fc75
- C:\Users\Admin\AppData\Local\Temp\._cache_9524a1cadb215fe07b2bd4ee53f1f5492dada313e84ce1cb01b56006b1b7b6b3N.exe
  Filesize: 15KB
  MD5: a66641f10443a02ffb730bcc6c2f630c
  SHA1: fc8c9ac0b0fda230c8cb47b1c98fc6daf5c6b0ed
  SHA256: 3898114b93d5102fda924637e06c952c1cf0477223b61f0138086a6a73120a89
  SHA512: ead3c4825d9cdc0877f267b9853014cc408555fcf4eafdb1ae0778c6a194ca4d6352d24512429efa109b92a33f07f2cc97994f71e346e43c188256f8a9ec6c7a
- (path not recorded)
  Filesize: 17KB
  MD5: e566fc53051035e1e6fd0ed1823de0f9
  SHA1: 00bc96c48b98676ecd67e81a6f1d7754e4156044
  SHA256: 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
  SHA512: a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
- (path not recorded)
  Filesize: 23KB
  MD5: 97e3906de1496c60bb296997c8af77b7
  SHA1: 97dba89b3957196c8971bbbff8d9fed2b38818a3
  SHA256: f0f9592de9dce7581be82827c55e89fc0bd503aec0875de77d93f32418d31671
  SHA512: d15471f69ab9e56a92034f78c3a31d5def63a99d00f9fa8e9531b27ad478edc480636b8f819f01cc07d4e261b27cb104075de8ba0a5b55810e39ce5bfe276b13