xred | bf7700d0b025ef158f166015ec391ff8cb93a12c3b8644b49948caed69389057

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2024, 02:55 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf7700d0b025ef158f166015ec391ff8cb93a12c3b8644b49948caed69389057.exe
Size

4.2MB
MD5

6e9cae124971221351f356b3bdad7edb
SHA1

5c58ecaba6422ced12338191481db46148f2d2b3
SHA256

bf7700d0b025ef158f166015ec391ff8cb93a12c3b8644b49948caed69389057
SHA512

9d47d04869ccbd4ea60cbdbb9b6ae4c88442820a12c8184166a23861a346f10804c82d52bf972f6a0936f3b3a1a6d167a7be6d86723692ab14e3fa407f9906dc
SSDEEP

98304:jnsmtk2aCu2rd6vFGq/ZkPcdGlGW49VZBXukIWf9RZB:7L/uwd6v8q/2PCGl4DL5IwRZB

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
xredline1@gmail.com
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	bf7700d0b025ef158f166015ec391ff8cb93a12c3b8644b49948caed69389057.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 3 IoCs

pid	Process
4528	._cache_bf7700d0b025ef158f166015ec391ff8cb93a12c3b8644b49948caed69389057.exe
5100	Synaptics.exe
3812	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	bf7700d0b025ef158f166015ec391ff8cb93a12c3b8644b49948caed69389057.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf7700d0b025ef158f166015ec391ff8cb93a12c3b8644b49948caed69389057.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_bf7700d0b025ef158f166015ec391ff8cb93a12c3b8644b49948caed69389057.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	bf7700d0b025ef158f166015ec391ff8cb93a12c3b8644b49948caed69389057.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3616	EXCEL.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4528	._cache_bf7700d0b025ef158f166015ec391ff8cb93a12c3b8644b49948caed69389057.exe
4528	._cache_bf7700d0b025ef158f166015ec391ff8cb93a12c3b8644b49948caed69389057.exe
3812	._cache_Synaptics.exe
3812	._cache_Synaptics.exe
3616	EXCEL.EXE
3616	EXCEL.EXE
3616	EXCEL.EXE
3616	EXCEL.EXE
3616	EXCEL.EXE
3616	EXCEL.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 4528	1700	bf7700d0b025ef158f166015ec391ff8cb93a12c3b8644b49948caed69389057.exe	83
PID 1700 wrote to memory of 4528	1700	bf7700d0b025ef158f166015ec391ff8cb93a12c3b8644b49948caed69389057.exe	83
PID 1700 wrote to memory of 4528	1700	bf7700d0b025ef158f166015ec391ff8cb93a12c3b8644b49948caed69389057.exe	83
PID 1700 wrote to memory of 5100	1700	bf7700d0b025ef158f166015ec391ff8cb93a12c3b8644b49948caed69389057.exe	84
PID 1700 wrote to memory of 5100	1700	bf7700d0b025ef158f166015ec391ff8cb93a12c3b8644b49948caed69389057.exe	84
PID 1700 wrote to memory of 5100	1700	bf7700d0b025ef158f166015ec391ff8cb93a12c3b8644b49948caed69389057.exe	84
PID 5100 wrote to memory of 3812	5100	Synaptics.exe	85
PID 5100 wrote to memory of 3812	5100	Synaptics.exe	85
PID 5100 wrote to memory of 3812	5100	Synaptics.exe	85

C:\Users\Admin\AppData\Local\Temp\bf7700d0b025ef158f166015ec391ff8cb93a12c3b8644b49948caed69389057.exe
"C:\Users\Admin\AppData\Local\Temp\bf7700d0b025ef158f166015ec391ff8cb93a12c3b8644b49948caed69389057.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Local\Temp\._cache_bf7700d0b025ef158f166015ec391ff8cb93a12c3b8644b49948caed69389057.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_bf7700d0b025ef158f166015ec391ff8cb93a12c3b8644b49948caed69389057.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4528
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3812

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3616

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

71.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

71.159.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

xred.mooo.com

Synaptics.exe

Remote address:

8.8.8.8:53

Request

xred.mooo.com

IN A

Response
DNS

freedns.afraid.org

Synaptics.exe

Remote address:

8.8.8.8:53

Request

freedns.afraid.org

IN A

Response

freedns.afraid.org

IN A

69.42.215.252
GET

http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

Synaptics.exe

Remote address:

69.42.215.252:80

Request

GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1
User-Agent: MyApp
Host: freedns.afraid.org
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 24 Nov 2024 02:55:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Cache: MISS
DNS

252.215.42.69.in-addr.arpa

Remote address:

8.8.8.8:53

Request

252.215.42.69.in-addr.arpa

IN PTR

Response
DNS

252.215.42.69.in-addr.arpa

Remote address:

8.8.8.8:53

Request

252.215.42.69.in-addr.arpa

IN PTR

Response
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

137.71.105.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

137.71.105.51.in-addr.arpa

IN PTR

Response
DNS

53.210.109.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

53.210.109.20.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

81.14.97.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.14.97.104.in-addr.arpa

IN PTR

Response

81.14.97.104.in-addr.arpa

IN PTR

a104-97-14-81deploystaticakamaitechnologiescom
DNS

docs.google.com

Synaptics.exe

Remote address:

8.8.8.8:53

Request

docs.google.com

IN A

Response

docs.google.com

IN A

142.250.187.206
GET

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

142.250.187.206:443

Request

GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache

Response

HTTP/1.1 303 See Other

Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sun, 24 Nov 2024 02:56:49 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-qLUGDaIVu8jCr_xS2s08nw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
GET

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

142.250.187.206:443

Request

GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache
Cookie: NID=519=tXTYA6W-Q1MiZt_TtzQ52cCvYV3D6DslJ2HtZ6F37awGYSIb6p-KMrMarBrRUcIzLzAJE4h1kvdmNoZTSO6X63RaNe89l7-nm5NWbdNMpe_cnZAZiNrV6v-2jyqBcd_cfCObAsjsBk11W4uHzIAj4YNuD7ubmbt0GmN5aAad7dWNd7CS

Response

HTTP/1.1 303 See Other

Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sun, 24 Nov 2024 02:56:50 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Security-Policy: script-src 'report-sample' 'nonce-paopCfd5OmrfV0q4TW7Jhw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Cross-Origin-Opener-Policy: same-origin
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
GET

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

142.250.187.206:443

Request

GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache
Cookie: NID=519=tXTYA6W-Q1MiZt_TtzQ52cCvYV3D6DslJ2HtZ6F37awGYSIb6p-KMrMarBrRUcIzLzAJE4h1kvdmNoZTSO6X63RaNe89l7-nm5NWbdNMpe_cnZAZiNrV6v-2jyqBcd_cfCObAsjsBk11W4uHzIAj4YNuD7ubmbt0GmN5aAad7dWNd7CS

Response

HTTP/1.1 303 See Other

Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sun, 24 Nov 2024 02:56:50 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: script-src 'report-sample' 'nonce-upVnsSUWtcDBKPokcpW5zg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Cross-Origin-Opener-Policy: same-origin
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

c.pki.goog

Synaptics.exe

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.200.3
GET

http://c.pki.goog/r/r1.crl

Synaptics.exe

Remote address:

142.250.200.3:80

Request

GET /r/r1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 854
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Sun, 24 Nov 2024 02:14:32 GMT
Expires: Sun, 24 Nov 2024 03:04:32 GMT
Cache-Control: public, max-age=3000
Age: 2537
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
DNS

o.pki.goog

Synaptics.exe

Remote address:

8.8.8.8:53

Request

o.pki.goog

IN A

Response

o.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.200.3
GET

http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEGoFYJ0C3qQCbRh5xcgwPQ%3D

Synaptics.exe

Remote address:

142.250.200.3:80

Request

GET /wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEGoFYJ0C3qQCbRh5xcgwPQ%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: o.pki.goog

Response

HTTP/1.1 200 OK

Server: ocsp_responder
Content-Length: 471
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Sun, 24 Nov 2024 02:11:49 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 2700
GET

http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDHA1yyGqTiRQmAB36tPEBH

Synaptics.exe

Remote address:

142.250.200.3:80

Request

GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDHA1yyGqTiRQmAB36tPEBH HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: o.pki.goog

Response

HTTP/1.1 200 OK

Server: ocsp_responder
Content-Length: 472
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Sun, 24 Nov 2024 02:19:13 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 2256
DNS

drive.usercontent.google.com

Synaptics.exe

Remote address:

8.8.8.8:53

Request

drive.usercontent.google.com

IN A

Response

drive.usercontent.google.com

IN A

142.250.179.225
GET

https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

142.250.179.225:443

Request

GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sun, 24 Nov 2024 02:56:49 GMT
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Content-Security-Policy: script-src 'report-sample' 'nonce-uOa9K28Bz8PzA7jmmqFyKQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Content-Length: 1652
X-GUploader-UploadID: AFiumC5uZN7FYOP4IqBJAsdJjsZrQCU-UDYBEB22CcO5uRMXxmSB66Gw3WxyUcwDCkp-uju24hZYldO_eg
Server: UploadServer
Set-Cookie: NID=519=tXTYA6W-Q1MiZt_TtzQ52cCvYV3D6DslJ2HtZ6F37awGYSIb6p-KMrMarBrRUcIzLzAJE4h1kvdmNoZTSO6X63RaNe89l7-nm5NWbdNMpe_cnZAZiNrV6v-2jyqBcd_cfCObAsjsBk11W4uHzIAj4YNuD7ubmbt0GmN5aAad7dWNd7CS; expires=Mon, 26-May-2025 02:56:49 GMT; path=/; domain=.google.com; HttpOnly
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
GET

https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

142.250.179.225:443

Request

GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive
Cookie: NID=519=tXTYA6W-Q1MiZt_TtzQ52cCvYV3D6DslJ2HtZ6F37awGYSIb6p-KMrMarBrRUcIzLzAJE4h1kvdmNoZTSO6X63RaNe89l7-nm5NWbdNMpe_cnZAZiNrV6v-2jyqBcd_cfCObAsjsBk11W4uHzIAj4YNuD7ubmbt0GmN5aAad7dWNd7CS

Response

HTTP/1.1 404 Not Found

Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sun, 24 Nov 2024 02:56:50 GMT
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-qwA-Kd-0rt74o5xMlvulLQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Content-Length: 1652
X-GUploader-UploadID: AFiumC7ZiaQmoAn2UjxFvM7IMvVdPT0nscsxTeZQutreAcQAT8iC0r2El2M1IXVatiJrZEW9s7gXfzqmww
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
GET

https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

142.250.179.225:443

Request

GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive
Cookie: NID=519=tXTYA6W-Q1MiZt_TtzQ52cCvYV3D6DslJ2HtZ6F37awGYSIb6p-KMrMarBrRUcIzLzAJE4h1kvdmNoZTSO6X63RaNe89l7-nm5NWbdNMpe_cnZAZiNrV6v-2jyqBcd_cfCObAsjsBk11W4uHzIAj4YNuD7ubmbt0GmN5aAad7dWNd7CS

Response

HTTP/1.1 404 Not Found

Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sun, 24 Nov 2024 02:56:50 GMT
Content-Security-Policy: script-src 'report-sample' 'nonce-yCJ--JNfVbmOpbYRxxtY5Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Cross-Origin-Opener-Policy: same-origin
Content-Length: 1652
X-GUploader-UploadID: AFiumC6iRnPgEm-7vOUkxMgeqtGcNP4ptHoPJGk0jo3FfsC6MnfaXZS0Wov-IbFmv4Rooq131cAZJsmaIQ
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
DNS

225.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

225.179.250.142.in-addr.arpa

IN PTR

Response

225.179.250.142.in-addr.arpa

IN PTR

lhr25s31-in-f11e100net
DNS

206.187.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.187.250.142.in-addr.arpa

IN PTR

Response

206.187.250.142.in-addr.arpa

IN PTR

lhr25s33-in-f141e100net
DNS

3.200.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

3.200.250.142.in-addr.arpa

IN PTR

Response

3.200.250.142.in-addr.arpa

IN PTR

lhr48s29-in-f31e100net
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response

69.42.215.252:80

http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

http

Synaptics.exe

752 B
415 B
13
4

HTTP Request

GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

HTTP Response

200
142.250.187.206:443

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

tls, http

Synaptics.exe

1.9kB
11.3kB
16
14

HTTP Request

GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

303

HTTP Request

GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

303

HTTP Request

GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

303
142.250.200.3:80

http://c.pki.goog/r/r1.crl

http

Synaptics.exe

303 B
1.7kB
4
4

HTTP Request

GET http://c.pki.goog/r/r1.crl

HTTP Response

200
142.250.200.3:80

http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDHA1yyGqTiRQmAB36tPEBH

http

Synaptics.exe

738 B
1.6kB
6
4

HTTP Request

GET http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEGoFYJ0C3qQCbRh5xcgwPQ%3D

HTTP Response

200

HTTP Request

GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDHA1yyGqTiRQmAB36tPEBH

HTTP Response

200
142.250.179.225:443

https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

tls, http

Synaptics.exe

2.4kB
14.7kB
23
21

HTTP Request

GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

404

HTTP Request

GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

404

HTTP Request

GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

404

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

71.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

71.159.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

xred.mooo.com

dns

Synaptics.exe

59 B
118 B
1
1

DNS Request

xred.mooo.com
8.8.8.8:53

freedns.afraid.org

dns

Synaptics.exe

64 B
80 B
1
1

DNS Request

freedns.afraid.org

DNS Response

69.42.215.252
224.0.0.251:5353

57 B
1
8.8.8.8:53

252.215.42.69.in-addr.arpa

dns

144 B
144 B
2
2

DNS Request

252.215.42.69.in-addr.arpa

DNS Request

252.215.42.69.in-addr.arpa
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

137.71.105.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

137.71.105.51.in-addr.arpa
8.8.8.8:53

53.210.109.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

53.210.109.20.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

81.14.97.104.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

81.14.97.104.in-addr.arpa
8.8.8.8:53

docs.google.com

dns

Synaptics.exe

61 B
77 B
1
1

DNS Request

docs.google.com

DNS Response

142.250.187.206
8.8.8.8:53

c.pki.goog

dns

Synaptics.exe

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.200.3
8.8.8.8:53

o.pki.goog

dns

Synaptics.exe

56 B
107 B
1
1

DNS Request

o.pki.goog

DNS Response

142.250.200.3
8.8.8.8:53

drive.usercontent.google.com

dns

Synaptics.exe

74 B
90 B
1
1

DNS Request

drive.usercontent.google.com

DNS Response

142.250.179.225
8.8.8.8:53

225.179.250.142.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

225.179.250.142.in-addr.arpa
8.8.8.8:53

206.187.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

206.187.250.142.in-addr.arpa
8.8.8.8:53

3.200.250.142.in-addr.arpa

dns

72 B
110 B
1
1

DNS Request

3.200.250.142.in-addr.arpa
8.8.8.8:53

43.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

43.229.111.52.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
4.2MB

MD5
6e9cae124971221351f356b3bdad7edb

SHA1
5c58ecaba6422ced12338191481db46148f2d2b3

SHA256
bf7700d0b025ef158f166015ec391ff8cb93a12c3b8644b49948caed69389057

SHA512
9d47d04869ccbd4ea60cbdbb9b6ae4c88442820a12c8184166a23861a346f10804c82d52bf972f6a0936f3b3a1a6d167a7be6d86723692ab14e3fa407f9906dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_bf7700d0b025ef158f166015ec391ff8cb93a12c3b8644b49948caed69389057.exe

Filesize
3.5MB

MD5
25c22bf44d111c1660b51c892f5bdfbf

SHA1
cc76535ade822b0bfeb9c778d18ebe0119a3f21c

SHA256
b49c28ededd4e6b741b0ade11fd4dadb1a2852197e6364624c56501860039649

SHA512
83038eb0a90b94ec150a3ef07d38528699084dd17daa9865d6e49ac8c6efca091a08fbaad67bc21b0ef7bc83a0ea1c3f72b1f1b008a7162592679c9b402d2062

Download Submit
C:\Users\Admin\AppData\Local\Temp\6DgvtI5Q.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\8CA75E00

Filesize
21KB

MD5
4168d3052af7f7e15151885d3bcab024

SHA1
d46dd01f3269bb46623e9d37b17c7dc8a9078c17

SHA256
5122d3e8e53983da55004a9fa8c970ea023187d231117870252abc3ef08171b6

SHA512
0b0117a8ea9a2a38d714d52bcd1dfdfb46557dc4720f9cbaa1fa531e7d3eb02c6a7ac2e47d876ed26ff1b72de9e445ba8d249f5fa3f5a3a1436eb4d54c6cf2ba

Download Submit
memory/1700-0-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/1700-101-0x0000000000400000-0x000000000083A000-memory.dmp

Filesize
4.2MB

Download
memory/3616-139-0x00007FF95A230000-0x00007FF95A240000-memory.dmp

Filesize
64KB

Download
memory/3616-140-0x00007FF95A230000-0x00007FF95A240000-memory.dmp

Filesize
64KB

Download
memory/3616-137-0x00007FF95A230000-0x00007FF95A240000-memory.dmp

Filesize
64KB

Download
memory/3616-136-0x00007FF95A230000-0x00007FF95A240000-memory.dmp

Filesize
64KB

Download
memory/3616-141-0x00007FF957CB0000-0x00007FF957CC0000-memory.dmp

Filesize
64KB

Download
memory/3616-142-0x00007FF957CB0000-0x00007FF957CC0000-memory.dmp

Filesize
64KB

Download
memory/3616-138-0x00007FF95A230000-0x00007FF95A240000-memory.dmp

Filesize
64KB

Download
memory/5100-102-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/5100-190-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/5100-189-0x0000000000400000-0x000000000083A000-memory.dmp

Filesize
4.2MB

Download
memory/5100-221-0x0000000000400000-0x000000000083A000-memory.dmp

Filesize
4.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.