Analysis

max time kernel: 112s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/11/2024, 06:02
Behavioral task behavioral1
Sample: 5a42040f74b27ca9546fedea26a987788a38395c8dc5703ee8ea906b72020588N.exe
Resource: win7-20240903-en

Behavioral task behavioral2
Sample: 5a42040f74b27ca9546fedea26a987788a38395c8dc5703ee8ea906b72020588N.exe
Resource: win10v2004-20241007-en

The signatures, process tree and downloads below are from the windows10-2004_x64 run (behavioral2, resource win10v2004-20241007-en).
General

Target: 5a42040f74b27ca9546fedea26a987788a38395c8dc5703ee8ea906b72020588N.exe
Size: 767KB
MD5: 5155ce92308f62e4034ebb0a6a44eba0
SHA1: 17e29545c931dd0ff2eedb84f16dc5c3aee8fb4a
SHA256: 5a42040f74b27ca9546fedea26a987788a38395c8dc5703ee8ea906b72020588
SHA512: f93fd3d2c15163a4d3bf15f23a1eb0e0297d5f67df18c943015d0ac729676bb0df1e180a964ee170aae2f7d3649d309281e3af03aed33e95d94ff8b54e7960d6
SSDEEP: 12288:yMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9g1KE+VIemF:ynsJ39LyjbJkQFMhmC+6GD9UKE+VIe4
Malware Config

Extracted
Family: xred
C2: xred.mooo.com
payload_url:
  http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
  https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
  https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
  http://xred.site50.net/syn/SUpdate.ini
  https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
  https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
  http://xred.site50.net/syn/Synaptics.rar
  https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
  https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
  http://xred.site50.net/syn/SSLLibrary.dll

The payload list is a fallback chain: each of the three staged files (SUpdate.ini, Synaptics.rar, SSLLibrary.dll) is mirrored on Google Docs, Dropbox and the attacker's xred.site50.net host, and the remaining entry is a freedns.afraid.org dynamic-DNS API call. Only xred.mooo.com and xred.site50.net are attacker-controlled hosts that can be blocked by name; the rest are shared services and need URL-level matching.
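The following script is an added example (not part of the tria.ge report and not the malware's own code) that turns the extracted config into indicators a defender can act on: it separates hosts that can be blocked outright from shared services that need URL-level matching, groups the fallback chain by the file each URL delivers, and pulls out the fixed `sha` token of the freedns.afraid.org call. The C2 host and URLs are copied from the report; the `SHARED_HOSTS` split and all function names are this example's own assumptions.

```python
"""Derive actionable network indicators from the Xred config above.

Added example, not from the tria.ge report or from the malware. The C2 and
URL list are copied from the report; the hosting-tier split and helper
names are assumptions made here.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Extracted config, copied from the report.
C2 = "xred.mooo.com"
PAYLOAD_URLS = [
    "http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download",
    "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1",
    "http://xred.site50.net/syn/SUpdate.ini",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download",
    "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1",
    "http://xred.site50.net/syn/Synaptics.rar",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download",
    "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1",
    "http://xred.site50.net/syn/SSLLibrary.dll",
]

# Assumption: these shared services cannot be blocked wholesale in most
# environments, so their entries become URL-level matches, not domain blocks.
SHARED_HOSTS = {"docs.google.com", "www.dropbox.com", "freedns.afraid.org"}


def classify(urls, c2):
    """Split indicators into (sorted domain blocklist, URL-level match list)."""
    domain_block = {c2}
    url_match = []
    for url in urls:
        host = urlsplit(url).hostname
        if host in SHARED_HOSTS:
            url_match.append(url)
        else:
            domain_block.add(host)
    return sorted(domain_block), url_match


def staged_files(urls):
    """Group the fallback chain by the file each URL delivers.

    Dropbox and site50 carry the filename in the path. Google Docs links
    do not, so they are keyed by their 'id' parameter; the afraid.org
    API call is not a file download and gets its own key.
    """
    groups = defaultdict(list)
    for url in urls:
        parts = urlsplit(url)
        if parts.hostname == "docs.google.com":
            key = "gdoc:" + parse_qs(parts.query)["id"][0]
        elif parts.hostname == "freedns.afraid.org":
            key = "dyndns-lookup"
        else:
            key = parts.path.rsplit("/", 1)[-1]
        groups[key].append(parts.hostname)
    return dict(groups)


def dyndns_token(urls):
    """Return the fixed 'sha' parameter of the getdyndns call, or None."""
    for url in urls:
        parts = urlsplit(url)
        if parts.hostname == "freedns.afraid.org":
            return parse_qs(parts.query).get("sha", [None])[0]
    return None


if __name__ == "__main__":
    blocks, matches = classify(PAYLOAD_URLS, C2)
    print("block by name:", blocks)
    print("match by URL:", len(matches), "entries")
    for name, hosts in staged_files(PAYLOAD_URLS).items():
        print(f"{name}: {', '.join(hosts)}")
    print("afraid.org token:", dyndns_token(PAYLOAD_URLS))
```

The `sha` parameter is worth keeping as an indicator on its own: in the afraid.org API it is derived from the account's credentials, so the same value will reappear in any later sample that uses the same account even if the hostname it resolves to changes.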
Signatures

Xred family

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation (5a42040f74b27ca9546fedea26a987788a38395c8dc5703ee8ea906b72020588N.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation (Synaptics.exe)

Executes dropped EXE (3 IoCs)
  PID 5064: ._cache_5a42040f74b27ca9546fedea26a987788a38395c8dc5703ee8ea906b72020588N.exe
  PID 4500: Synaptics.exe
  PID 1816: ._cache_Synaptics.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" (5a42040f74b27ca9546fedea26a987788a38395c8dc5703ee8ea906b72020588N.exe)
The key lands under WOW6432Node because the sample runs as a 32-bit process on the x64 image (registry redirection); Windows still processes that Run key at logon, so hunt under both HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and its WOW6432Node counterpart.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (._cache_5a42040f74b27ca9546fedea26a987788a38395c8dc5703ee8ea906b72020588N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Synaptics.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (._cache_Synaptics.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (5a42040f74b27ca9546fedea26a987788a38395c8dc5703ee8ea906b72020588N.exe)

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
All three hits are attributed to EXCEL.EXE, not to any of the sample's own processes, so they are not evidence of sandbox detection by the malware.

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
As above, these come from EXCEL.EXE only.

Modifies registry class (2 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (5a42040f74b27ca9546fedea26a987788a38395c8dc5703ee8ea906b72020588N.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (Synaptics.exe)

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 4696: EXCEL.EXE

Suspicious use of SetWindowsHookEx (6 IoCs)
  PID 4696: EXCEL.EXE (6 calls)

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 1176 (5a42040f74b27ca9546fedea26a987788a38395c8dc5703ee8ea906b72020588N.exe) wrote to memory of PID 5064, procid_target 83 (recorded 3 times)
  PID 1176 (5a42040f74b27ca9546fedea26a987788a38395c8dc5703ee8ea906b72020588N.exe) wrote to memory of PID 4500, procid_target 85 (recorded 3 times)
  PID 4500 (Synaptics.exe) wrote to memory of PID 1816, procid_target 86 (recorded 3 times)
Every write goes from a parent to a child it has just started (compare the process tree below), which is consistent with ordinary process creation rather than injection into an unrelated process; the persistence and drop-and-execute behaviour above is the stronger signal.
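The following detection logic is an added example (not part of the tria.ge report) for the two host-side behaviours worth alerting on above: the Run-key value that launches Synaptics.exe from ProgramData, and the pattern of a `._cache_<name>.exe` being written to the user's Temp folder and executed, optionally with the `InjUpdate` argument. The events are constructed here in a Sysmon-like shape (EventID 1 for process creation, EventID 13 for a registry value set) using the PIDs and paths from this report plus two benign controls; the field names, the controls and the rule names are this example's assumptions, not tria.ge output.

```python
"""Detection logic for the persistence and drop-and-execute behaviour above.

Added example, not part of the tria.ge report. Events are constructed in a
Sysmon-like shape (EventID 1 = process create, EventID 13 = registry value
set) from the report's process tree and Run-key IoC; the field names, the
benign control events and the rule names are assumptions made here.
"""
import ntpath
import re

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "5a42040f74b27ca9546fedea26a987788a38395c8dc5703ee8ea906b72020588N.exe"

# Constructed events modelled on the report (PIDs and paths from the page).
EVENTS = [
    {"EventID": 1, "ProcessId": 5064, "ParentProcessId": 1176,
     "Image": TEMP + "\\._cache_" + SAMPLE,
     "CommandLine": '"' + TEMP + "\\._cache_" + SAMPLE + '"'},
    {"EventID": 13, "ProcessId": 1176,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver",
     "Details": r"C:\ProgramData\Synaptics\Synaptics.exe"},
    {"EventID": 1, "ProcessId": 4500, "ParentProcessId": 1176,
     "Image": r"C:\ProgramData\Synaptics\Synaptics.exe",
     "CommandLine": r'"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate'},
    {"EventID": 1, "ProcessId": 1816, "ParentProcessId": 4500,
     "Image": TEMP + r"\._cache_Synaptics.exe",
     "CommandLine": '"' + TEMP + r'\._cache_Synaptics.exe" InjUpdate'},
    # Benign controls (constructed): an ordinary Run-key entry and the Excel
    # automation server from the process tree; neither should match.
    {"EventID": 13, "ProcessId": 900,
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 1, "ProcessId": 4696, "ParentProcessId": 800,
     "Image": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding'},
]

# Matches both the native and the WOW6432Node Run key.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)


def rule_run_key_synaptics(ev):
    """Run-key value whose data launches Synaptics.exe from ProgramData."""
    if ev["EventID"] != 13 or not RUN_KEY.search(ev["TargetObject"]):
        return False
    return "\\programdata\\synaptics\\synaptics.exe" in ev["Details"].lower()


def rule_cache_prefixed_exe(ev):
    """A '._cache_<name>.exe' executed from the user's Temp folder; in the
    report the 13KB ._cache_ copy is run by the 767KB sample that dropped it."""
    if ev["EventID"] != 1:
        return False
    image = ev["Image"].lower()
    return (ntpath.basename(image).startswith("._cache_")
            and "\\appdata\\local\\temp\\" in image)


def rule_synaptics_injupdate(ev):
    """Synaptics.exe, or a ._cache_ copy of it, started with the InjUpdate argument."""
    if ev["EventID"] != 1:
        return False
    name = ntpath.basename(ev["Image"]).lower()
    tokens = ev["CommandLine"].lower().split()
    return name.endswith("synaptics.exe") and "injupdate" in tokens


RULES = {
    "run_key_synaptics": rule_run_key_synaptics,
    "cache_prefixed_exe": rule_cache_prefixed_exe,
    "synaptics_injupdate": rule_synaptics_injupdate,
}


def run_rules(events):
    """Return (rule, pid) hits in event order."""
    return [(name, ev["ProcessId"])
            for ev in events for name, fn in RULES.items() if fn(ev)]


def chain(events, root_pid):
    """All descendants of root_pid from process-create events, sorted, so a
    responder can scope containment to the whole tree rather than one hit."""
    children = {}
    for ev in events:
        if ev["EventID"] == 1:
            children.setdefault(ev["ParentProcessId"], []).append(ev["ProcessId"])
    found, todo = [], [root_pid]
    while todo:
        pid = todo.pop()
        for child in children.get(pid, []):
            found.append(child)
            todo.append(child)
    return sorted(found)


if __name__ == "__main__":
    for hit in run_rules(EVENTS):
        print(hit)
    print("tree under PID 1176:", chain(EVENTS, 1176))
```

Running it against the constructed events yields five hits (the Run-key write by PID 1176, the two `._cache_` executions, and the two InjUpdate launches) and an empty result for the OneDrive and EXCEL.EXE controls; `chain(EVENTS, 1176)` returns the three child PIDs from the process tree, which is the set to terminate and collect together with the ProgramData copy.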
Processes

C:\Users\Admin\AppData\Local\Temp\5a42040f74b27ca9546fedea26a987788a38395c8dc5703ee8ea906b72020588N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5a42040f74b27ca9546fedea26a987788a38395c8dc5703ee8ea906b72020588N.exe"
  PID 1176
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\._cache_5a42040f74b27ca9546fedea26a987788a38395c8dc5703ee8ea906b72020588N.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\._cache_5a42040f74b27ca9546fedea26a987788a38395c8dc5703ee8ea906b72020588N.exe"
    PID 5064 (child of 1176)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

  C:\ProgramData\Synaptics\Synaptics.exe
    command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    PID 4500 (child of 1176)
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      PID 1816 (child of 4500)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  PID 4696
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

EXCEL.EXE has no parent in the tree and was started with /automation -Embedding, i.e. as a COM automation server rather than by a user opening a workbook.
Network
MITRE ATT&CK Enterprise v15
Downloads

(no path in report; hashes identical to the submitted sample, i.e. a byte-for-byte self-copy)
Filesize: 767KB
MD5: 5155ce92308f62e4034ebb0a6a44eba0
SHA1: 17e29545c931dd0ff2eedb84f16dc5c3aee8fb4a
SHA256: 5a42040f74b27ca9546fedea26a987788a38395c8dc5703ee8ea906b72020588
SHA512: f93fd3d2c15163a4d3bf15f23a1eb0e0297d5f67df18c943015d0ac729676bb0df1e180a964ee170aae2f7d3649d309281e3af03aed33e95d94ff8b54e7960d6

C:\Users\Admin\AppData\Local\Temp\._cache_5a42040f74b27ca9546fedea26a987788a38395c8dc5703ee8ea906b72020588N.exe
Filesize: 13KB
MD5: 84fd44b4b30da69be28538b2a4eb3849
SHA1: 2aca5149336162091e9bce82a122e31f92e9a13c
SHA256: 3d4fa2424acb9803c893b68da9691a85200305f0683abd8c4c702781ec6f5161
SHA512: c819b612161edb71824fc1bbe87c48a71816166d6ab5021cf9d664e2f0820c83088cf5d37d3ee59d39b8ea43d30500ad1a3b2775c896505a3078413d585bb55c

(no path in report)
Filesize: 22KB
MD5: afd188e33f3e9311ca34b719ffaf47b3
SHA1: 2bd59c0432de31911cce86623d3de29340299f1d
SHA256: 891eefd050985f35f458582d742dbd9e7a796929eb5c14cc096075b4d433768d
SHA512: 3d3ebb333c74f546dcd54ee6e7af402ba1c37d53423181a99c8fc83bdf57fb5e3ff786efb5417cd84ceccedb2793cdaaf62587fa93a6f18a8c499e42a0830941

(no path in report)
Filesize: 17KB
MD5: e566fc53051035e1e6fd0ed1823de0f9
SHA1: 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256: 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512: a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Note the size gap: the 13KB ._cache_ file is far smaller than the 767KB sample that drops and runs it, so the two should be triaged separately rather than treated as copies of the same binary.