Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    112s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/11/2024, 06:02

General

  • Target

    5a42040f74b27ca9546fedea26a987788a38395c8dc5703ee8ea906b72020588N.exe

  • Size

    767KB

  • MD5

    5155ce92308f62e4034ebb0a6a44eba0

  • SHA1

    17e29545c931dd0ff2eedb84f16dc5c3aee8fb4a

  • SHA256

    5a42040f74b27ca9546fedea26a987788a38395c8dc5703ee8ea906b72020588

  • SHA512

    f93fd3d2c15163a4d3bf15f23a1eb0e0297d5f67df18c943015d0ac729676bb0df1e180a964ee170aae2f7d3649d309281e3af03aed33e95d94ff8b54e7960d6

  • SSDEEP

    12288:yMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9g1KE+VIemF:ynsJ39LyjbJkQFMhmC+6GD9UKE+VIe4

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

  • Xred family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5a42040f74b27ca9546fedea26a987788a38395c8dc5703ee8ea906b72020588N.exe
    "C:\Users\Admin\AppData\Local\Temp\5a42040f74b27ca9546fedea26a987788a38395c8dc5703ee8ea906b72020588N.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1176
    • C:\Users\Admin\AppData\Local\Temp\._cache_5a42040f74b27ca9546fedea26a987788a38395c8dc5703ee8ea906b72020588N.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_5a42040f74b27ca9546fedea26a987788a38395c8dc5703ee8ea906b72020588N.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5064
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4500
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1816
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4696

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe

    Filesize

    767KB

    MD5

    5155ce92308f62e4034ebb0a6a44eba0

    SHA1

    17e29545c931dd0ff2eedb84f16dc5c3aee8fb4a

    SHA256

    5a42040f74b27ca9546fedea26a987788a38395c8dc5703ee8ea906b72020588

    SHA512

    f93fd3d2c15163a4d3bf15f23a1eb0e0297d5f67df18c943015d0ac729676bb0df1e180a964ee170aae2f7d3649d309281e3af03aed33e95d94ff8b54e7960d6

  • C:\Users\Admin\AppData\Local\Temp\._cache_5a42040f74b27ca9546fedea26a987788a38395c8dc5703ee8ea906b72020588N.exe

    Filesize

    13KB

    MD5

    84fd44b4b30da69be28538b2a4eb3849

    SHA1

    2aca5149336162091e9bce82a122e31f92e9a13c

    SHA256

    3d4fa2424acb9803c893b68da9691a85200305f0683abd8c4c702781ec6f5161

    SHA512

    c819b612161edb71824fc1bbe87c48a71816166d6ab5021cf9d664e2f0820c83088cf5d37d3ee59d39b8ea43d30500ad1a3b2775c896505a3078413d585bb55c

  • C:\Users\Admin\AppData\Local\Temp\01C75E00

    Filesize

    22KB

    MD5

    afd188e33f3e9311ca34b719ffaf47b3

    SHA1

    2bd59c0432de31911cce86623d3de29340299f1d

    SHA256

    891eefd050985f35f458582d742dbd9e7a796929eb5c14cc096075b4d433768d

    SHA512

    3d3ebb333c74f546dcd54ee6e7af402ba1c37d53423181a99c8fc83bdf57fb5e3ff786efb5417cd84ceccedb2793cdaaf62587fa93a6f18a8c499e42a0830941

  • C:\Users\Admin\AppData\Local\Temp\K7JXeScX.xlsm

    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  • memory/1176-100-0x0000000000400000-0x00000000004C6000-memory.dmp

    Filesize

    792KB

  • memory/1176-0-0x0000000002270000-0x0000000002271000-memory.dmp

    Filesize

    4KB

  • memory/4500-102-0x0000000000660000-0x0000000000661000-memory.dmp

    Filesize

    4KB

  • memory/4500-189-0x0000000000400000-0x00000000004C6000-memory.dmp

    Filesize

    792KB

  • memory/4500-190-0x0000000000660000-0x0000000000661000-memory.dmp

    Filesize

    4KB

  • memory/4500-221-0x0000000000400000-0x00000000004C6000-memory.dmp

    Filesize

    792KB

  • memory/4696-138-0x00007FFE333B0000-0x00007FFE333C0000-memory.dmp

    Filesize

    64KB

  • memory/4696-139-0x00007FFE333B0000-0x00007FFE333C0000-memory.dmp

    Filesize

    64KB

  • memory/4696-140-0x00007FFE333B0000-0x00007FFE333C0000-memory.dmp

    Filesize

    64KB

  • memory/4696-141-0x00007FFE30A50000-0x00007FFE30A60000-memory.dmp

    Filesize

    64KB

  • memory/4696-142-0x00007FFE30A50000-0x00007FFE30A60000-memory.dmp

    Filesize

    64KB

  • memory/4696-137-0x00007FFE333B0000-0x00007FFE333C0000-memory.dmp

    Filesize

    64KB

  • memory/4696-136-0x00007FFE333B0000-0x00007FFE333C0000-memory.dmp

    Filesize

    64KB