Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 111s
max time network: 101s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 23/11/2024, 19:45
Behavioral task
behavioral1
Sample
665020c553dd9d09ef75a1086b3006239b15387cefb8c357c1e3777c9f03296eN.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
665020c553dd9d09ef75a1086b3006239b15387cefb8c357c1e3777c9f03296eN.exe
Resource
win10v2004-20241007-en
General
Target: 665020c553dd9d09ef75a1086b3006239b15387cefb8c357c1e3777c9f03296eN.exe
Size: 1.6MB
MD5: 2eee752f1225c012e625dc63ea1ab4c0
SHA1: 5e4110ca9af6531f553a4785091af01b9ebbad40
SHA256: 665020c553dd9d09ef75a1086b3006239b15387cefb8c357c1e3777c9f03296e
SHA512: 19c8e4ba48fa7b1302732e54536eab8109436a33435f0e576ac431dcc9a4927e2fdedf635e0cdd5cf83569d3aa542925f0a783e32242cbd0c582305ba40dac7e
SSDEEP: 24576:UnsJ39LyjbJkQFMhmC+6GD93Lxo6av1HX6+tdtO27:UnsHyjtk2MYC5GD4v1HXdHH7
Malware Config
Extracted
Family: xred
C2: xred.mooo.com
payload_url:
  http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
  https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
  https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
  http://xred.site50.net/syn/SUpdate.ini
  https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
  https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
  http://xred.site50.net/syn/Synaptics.rar
  https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
  https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
  http://xred.site50.net/syn/SSLLibrary.dll
Signatures
Xred family
Executes dropped EXE (3 IoCs)
  pid   Process
  1516  ._cache_665020c553dd9d09ef75a1086b3006239b15387cefb8c357c1e3777c9f03296eN.exe
  308   Synaptics.exe
  2884  ._cache_Synaptics.exe
Loads dropped DLL (5 IoCs)
  pid   Process
  2036  665020c553dd9d09ef75a1086b3006239b15387cefb8c357c1e3777c9f03296eN.exe
  2036  665020c553dd9d09ef75a1086b3006239b15387cefb8c357c1e3777c9f03296eN.exe
  2036  665020c553dd9d09ef75a1086b3006239b15387cefb8c357c1e3777c9f03296eN.exe
  308   Synaptics.exe
  308   Synaptics.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"
  Process: 665020c553dd9d09ef75a1086b3006239b15387cefb8c357c1e3777c9f03296eN.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  description  ioc                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  665020c553dd9d09ef75a1086b3006239b15387cefb8c357c1e3777c9f03296eN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ._cache_665020c553dd9d09ef75a1086b3006239b15387cefb8c357c1e3777c9f03296eN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Synaptics.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ._cache_Synaptics.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  EXCEL.EXE
Enumerates system info in registry (2 TTPs, 1 IoC)
  description  ioc                                                                  Process
  Key opened   \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid   Process
  2916  EXCEL.EXE
Suspicious use of SetWindowsHookEx (6 IoCs)
  pid   Process
  1516  ._cache_665020c553dd9d09ef75a1086b3006239b15387cefb8c357c1e3777c9f03296eN.exe
  1516  ._cache_665020c553dd9d09ef75a1086b3006239b15387cefb8c357c1e3777c9f03296eN.exe
  1516  ._cache_665020c553dd9d09ef75a1086b3006239b15387cefb8c357c1e3777c9f03296eN.exe
  2884  ._cache_Synaptics.exe
  2884  ._cache_Synaptics.exe
  2916  EXCEL.EXE
Suspicious use of WriteProcessMemory (12 IoCs)
  description                            pid   Process                                                                   procid_target
  PID 2036 wrote to memory of 1516       2036  665020c553dd9d09ef75a1086b3006239b15387cefb8c357c1e3777c9f03296eN.exe  30   (logged 4 times)
  PID 2036 wrote to memory of 308        2036  665020c553dd9d09ef75a1086b3006239b15387cefb8c357c1e3777c9f03296eN.exe  31   (logged 4 times)
  PID 308 wrote to memory of 2884        308   Synaptics.exe                                                             32   (logged 4 times)
Processes
C:\Users\Admin\AppData\Local\Temp\665020c553dd9d09ef75a1086b3006239b15387cefb8c357c1e3777c9f03296eN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\665020c553dd9d09ef75a1086b3006239b15387cefb8c357c1e3777c9f03296eN.exe"
  PID: 2036
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  +-- C:\Users\Admin\AppData\Local\Temp\._cache_665020c553dd9d09ef75a1086b3006239b15387cefb8c357c1e3777c9f03296eN.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_665020c553dd9d09ef75a1086b3006239b15387cefb8c357c1e3777c9f03296eN.exe"
      PID: 1516
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
  +-- C:\ProgramData\Synaptics\Synaptics.exe
      Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      PID: 308
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      +-- C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
          PID: 2884
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
  PID: 2916
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
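The process tree and the "Adds Run key" signature above give three host-side hunting points for this chain: a `._cache_` copy of the host program launched from the same directory, `Synaptics.exe` started out of `C:\ProgramData\Synaptics\` with the `InjUpdate` argument, and a Run value under `Wow6432Node\...\CurrentVersion\Run` pointing at that ProgramData path. The following is an added example, not part of the Triage report, that runs those checks over process-create and registry-set events. The event records are constructed here to mirror the report's tree (loosely Sysmon EID 1 / EID 13 field names, an assumption), the benign `SynTPEnh.exe` control entry is invented for contrast, and the generalisation that a Run entry resolving into `C:\ProgramData` deserves a look is the editor's, not the report's.

```python
"""Hunt for the Xred infection chain from this report in process/registry events.

Added example; the events below are constructed, not sandbox output."""
import ntpath
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "665020c553dd9d09ef75a1086b3006239b15387cefb8c357c1e3777c9f03296eN.exe"
CACHE_PREFIX = "._cache_"                      # dropped copy of the host program
XRED_PERSIST_TARGET = r"c:\programdata\synaptics\synaptics.exe"  # Run value from the report
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)


def _proc(pid, ppid, image, extra=""):
    """Constructed process-create record (Sysmon-like field names are an assumption)."""
    return {"type": "process", "pid": pid, "ppid": ppid, "image": image,
            "cmdline": f'"{image}"' + (f" {extra}" if extra else "")}


# Constructed events mirroring the report's process tree and Run-key signature.
EVENTS = [
    _proc(2036, 1000, f"{TEMP}\\{SAMPLE}"),
    _proc(1516, 2036, f"{TEMP}\\{CACHE_PREFIX}{SAMPLE}"),
    _proc(308, 2036, r"C:\ProgramData\Synaptics\Synaptics.exe", "InjUpdate"),
    _proc(2884, 308, f"{TEMP}\\{CACHE_PREFIX}Synaptics.exe", "InjUpdate"),
    {"type": "registry", "pid": 2036,
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver",
     "value": r"C:\ProgramData\Synaptics\Synaptics.exe"},
    # Constructed benign control: a vendor touchpad helper autorun from Program Files.
    _proc(4100, 900, r"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"),
    {"type": "registry", "pid": 900,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SynTPEnh",
     "value": r"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"},
]


def _basename(path):
    return ntpath.basename(path.strip('"')).lower()


def _args(cmdline):
    """Return the argument tokens after the (possibly quoted) image path."""
    m = re.match(r'^"[^"]*"\s*(.*)$', cmdline)
    if m:
        return m.group(1).split()
    parts = cmdline.split(None, 1)
    return parts[1].split() if len(parts) > 1 else []


def scan(events):
    """Return (rule, pid) findings; 'xred_chain' is the parent that spawned both stages."""
    findings = []
    children = defaultdict(list)
    for ev in events:
        if ev["type"] == "process":
            children[ev["ppid"]].append(ev["pid"])
            name = _basename(ev["image"])
            if name.startswith(CACHE_PREFIX):
                findings.append(("xred_cache_copy", ev["pid"]))
            if name == "synaptics.exe" and "injupdate" in (a.lower() for a in _args(ev["cmdline"])):
                findings.append(("xred_injupdate", ev["pid"]))
        elif ev["type"] == "registry" and RUN_KEY_RE.search(ev["key"]):
            target = ev["value"].strip('"').lower()
            if target == XRED_PERSIST_TARGET:            # exact IoC from the report
                findings.append(("xred_run_key", ev["pid"]))
            elif target.startswith("c:\\programdata\\"):  # editor's generalisation
                findings.append(("run_key_programdata", ev["pid"]))
    # Correlate on the tree rather than on WriteProcessMemory: the report's
    # WriteProcessMemory entries are each parent writing into its own child.
    by_rule = defaultdict(set)
    for rule, pid in findings:
        by_rule[rule].add(pid)
    for ppid, kids in children.items():
        kids = set(kids)
        if kids & by_rule["xred_cache_copy"] and kids & by_rule["xred_injupdate"]:
            findings.append(("xred_chain", ppid))
    return findings


if __name__ == "__main__":
    for rule, pid in scan(EVENTS):
        print(f"{rule:20s} pid={pid}")
```

The `._cache_` rule fires on both stages (1516 and 2884), `InjUpdate` only on the ProgramData copy (308), and the chain rule names the original sample process (2036) because it spawned both; the Program Files control produces nothing.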
Network
MITRE ATT&CK Enterprise v15
Downloads
(no path recorded; hashes match the submitted sample)
  Filesize: 1.6MB
  MD5: 2eee752f1225c012e625dc63ea1ab4c0
  SHA1: 5e4110ca9af6531f553a4785091af01b9ebbad40
  SHA256: 665020c553dd9d09ef75a1086b3006239b15387cefb8c357c1e3777c9f03296e
  SHA512: 19c8e4ba48fa7b1302732e54536eab8109436a33435f0e576ac431dcc9a4927e2fdedf635e0cdd5cf83569d3aa542925f0a783e32242cbd0c582305ba40dac7e
(no path recorded)
  Filesize: 24KB
  MD5: 3db0b75ba59ec2d1d31f134a32b67690
  SHA1: 00f081fec86e72f5366175ca3e3458903329b651
  SHA256: 93b5fcf91133ef921ebc2613b40c389894daeebd9238a4dedb886cb9be491c7a
  SHA512: b02eb726ff12b459001cdcb2bb3ff74fa625f055858e4592e592190a707a3b33df5daec4fc7153ba3a1207d343570928f73ee8336152a24d6ec2b1c02139f0fe
(no path recorded)
  Filesize: 17KB
  MD5: e566fc53051035e1e6fd0ed1823de0f9
  SHA1: 00bc96c48b98676ecd67e81a6f1d7754e4156044
  SHA256: 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
  SHA512: a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
\Users\Admin\AppData\Local\Temp\._cache_665020c553dd9d09ef75a1086b3006239b15387cefb8c357c1e3777c9f03296eN.exe
  Filesize: 923KB
  MD5: eb19f5628ad2aaf46cc99ea99a170217
  SHA1: 618947a2cada7faabbf6913ffd1982f0c1fe6271
  SHA256: 8d234088a31cb0ae3d322da455b247502131c0636e21c712022de08ba351b476
  SHA512: cf538baeb9afe1882a265d7417c352a6f0668207cc49b7f785b9cf82b76291029fb8a2d982d7366941c1488510b59fa4154472a0f1154b9e3f35a1de1ded5b59