Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09-12-2024 22:27
Behavioral task
behavioral1
Sample
FileGrab.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
FileGrab.exe
Resource
win10v2004-20241007-en
General
-
Target
FileGrab.exe
-
Size
802KB
-
MD5
f4d902e70524666a52182720fe208ab1
-
SHA1
33774655d0fc10bccd652e95b18fb428dcd80a38
-
SHA256
6eb643eb56e8fbff11276d23354b6b473bc252464d3ef7b98ec8cbbd57792f8e
-
SHA512
5bf37506097654f384f12f2d90fc9888f0bb5eaa548033a616ed16cbc90fd7a6483aa1b74f7423925e11f7f826e42d5373ac1c88ab7b049e63e23288ac656d65
-
SSDEEP
12288:2MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V935lC6FOj:2nsJ39LyjbJkQFMhmC+6GD9q6Fq
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Xred family
-
Executes dropped EXE 3 IoCs
pid Process 1048 ._cache_FileGrab.exe 1572 Synaptics.exe 2820 ._cache_Synaptics.exe -
Loads dropped DLL 5 IoCs
pid Process 2380 FileGrab.exe 2380 FileGrab.exe 2380 FileGrab.exe 1572 Synaptics.exe 1572 Synaptics.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" FileGrab.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FileGrab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_FileGrab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXCEL.EXE -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Runs regedit.exe 1 IoCs
pid Process 2416 regedit.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2576 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 2416 regedit.exe 2532 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1916 taskmgr.exe Token: SeDebugPrivilege 2532 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2820 ._cache_Synaptics.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1048 ._cache_FileGrab.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 1916 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe 2532 taskmgr.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2576 EXCEL.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2380 wrote to memory of 1048 2380 FileGrab.exe 31 PID 2380 wrote to memory of 1048 2380 FileGrab.exe 31 PID 2380 wrote to memory of 1048 2380 FileGrab.exe 31 PID 2380 wrote to memory of 1048 2380 FileGrab.exe 31 PID 2380 wrote to memory of 1572 2380 FileGrab.exe 32 PID 2380 wrote to memory of 1572 2380 FileGrab.exe 32 PID 2380 wrote to memory of 1572 2380 FileGrab.exe 32 PID 2380 wrote to memory of 1572 2380 FileGrab.exe 32 PID 1572 wrote to memory of 2820 1572 Synaptics.exe 33 PID 1572 wrote to memory of 2820 1572 Synaptics.exe 33 PID 1572 wrote to memory of 2820 1572 Synaptics.exe 33 PID 1572 wrote to memory of 2820 1572 Synaptics.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\FileGrab.exe"C:\Users\Admin\AppData\Local\Temp\FileGrab.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Users\Admin\AppData\Local\Temp\._cache_FileGrab.exe"C:\Users\Admin\AppData\Local\Temp\._cache_FileGrab.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:1048
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2820
-
-
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2576
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1916
-
C:\Windows\regedit.exe"C:\Windows\regedit.exe"1⤵
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
PID:2416
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2532
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
802KB
MD5f4d902e70524666a52182720fe208ab1
SHA133774655d0fc10bccd652e95b18fb428dcd80a38
SHA2566eb643eb56e8fbff11276d23354b6b473bc252464d3ef7b98ec8cbbd57792f8e
SHA5125bf37506097654f384f12f2d90fc9888f0bb5eaa548033a616ed16cbc90fd7a6483aa1b74f7423925e11f7f826e42d5373ac1c88ab7b049e63e23288ac656d65
-
Filesize
24KB
MD514138b6415a36cc2065b89d6bf3b4384
SHA150d3ffc6b4fc0bed615da8368e506d0d77c5e2fe
SHA25621a2a466314c0c63f0d97cbac4eba37e249c5e869b5cbbdbd058553a2f4c0cde
SHA512742c0ba94a89691b9d2c006124d0c9a11334ef71223547f69fe261d82388927db69a54c1f59a9deacb449727602c469090c8fafb033e7a98ed55db22162b117a
-
Filesize
17KB
MD5e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
Filesize
49KB
MD527f87ebebb071afec1891e00fd0700a4
SHA1fbfc0a10ecf83da88df02356568bcac2399b3b9d
SHA25611b8cdd387370de1d162516b82376ecf28d321dc8f46ebcce389dccc2a5a4cc9
SHA5125386cae4eef9b767082d1143962851727479295b75321e07927bf7ebd60c5e051aeb78d6fa306ed6ef1c1d0182a16f1132a23263aefe9ed5d9d446b70b43a25d