Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 11-12-2024 05:23
Behavioral task: behavioral1
Sample: ccb3c30a428e81e25890d02691794b8e453ba521230532a01bd8c207241fa0faN.exe
Resource: win7-20240729-en

Behavioral task: behavioral2
Sample: ccb3c30a428e81e25890d02691794b8e453ba521230532a01bd8c207241fa0faN.exe
Resource: win10v2004-20241007-en
General
Target: ccb3c30a428e81e25890d02691794b8e453ba521230532a01bd8c207241fa0faN.exe
Size: 4.9MB
MD5: 219868f2fbe15bcd64bd6b7a83c53f80
SHA1: 53ddd7120e26ddffcb51a8cd29f5499308324396
SHA256: ccb3c30a428e81e25890d02691794b8e453ba521230532a01bd8c207241fa0fa
SHA512: fd924748f1a241945ed2a26dad540449211feba6e770a3f225f72449bc239c7837fbfe3b90186ffd33227a19421f9f4523ac1dd47ba54071635fb8f25cb55d95
SSDEEP: 98304:8nsmtk2a3qn8jyKfnh00zrt2miokfKA9/iLIkZKIbqY1wu46:SLx8j790miokb/iLIkAIR
Malware Config
Extracted
Family: xred
C2: xred.mooo.com
payload_url:
  http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
  https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
  https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
  http://xred.site50.net/syn/SUpdate.ini
  https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
  https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
  http://xred.site50.net/syn/Synaptics.rar
  https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
  https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
  http://xred.site50.net/syn/SSLLibrary.dll
Signatures

Xred family
  Resource: behavioral1/files/0x000800000001960a-117.dat

Executes dropped EXE (3 IoCs)
  PID 2732  ._cache_ccb3c30a428e81e25890d02691794b8e453ba521230532a01bd8c207241fa0faN.exe
  PID 2740  Synaptics.exe
  PID 1796  ._cache_Synaptics.exe

Loads dropped DLL (5 IoCs)
  PID 2668  ccb3c30a428e81e25890d02691794b8e453ba521230532a01bd8c207241fa0faN.exe  (3 loads)
  PID 2740  Synaptics.exe  (2 loads)

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"
  Process: ccb3c30a428e81e25890d02691794b8e453ba521230532a01bd8c207241fa0faN.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  PID 2668  ccb3c30a428e81e25890d02691794b8e453ba521230532a01bd8c207241fa0faN.exe
  PID 2740  Synaptics.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by ._cache_Synaptics.exe
    by EXCEL.EXE
    by ccb3c30a428e81e25890d02691794b8e453ba521230532a01bd8c207241fa0faN.exe
    by ._cache_ccb3c30a428e81e25890d02691794b8e453ba521230532a01bd8c207241fa0faN.exe
    by Synaptics.exe
Enumerates system info in registry (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor
    by EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 612  EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2668  ccb3c30a428e81e25890d02691794b8e453ba521230532a01bd8c207241fa0faN.exe
  PID 2740  Synaptics.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 612  EXCEL.EXE

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2668 (ccb3c30a428e81e25890d02691794b8e453ba521230532a01bd8c207241fa0faN.exe) wrote to memory of PID 2732, procid_target 30  (4 writes)
  PID 2668 (ccb3c30a428e81e25890d02691794b8e453ba521230532a01bd8c207241fa0faN.exe) wrote to memory of PID 2740, procid_target 31  (4 writes)
  PID 2740 (Synaptics.exe) wrote to memory of PID 1796, procid_target 32  (4 writes)
Processes

C:\Users\Admin\AppData\Local\Temp\ccb3c30a428e81e25890d02691794b8e453ba521230532a01bd8c207241fa0faN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ccb3c30a428e81e25890d02691794b8e453ba521230532a01bd8c207241fa0faN.exe"
  PID: 2668
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\._cache_ccb3c30a428e81e25890d02691794b8e453ba521230532a01bd8c207241fa0faN.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_ccb3c30a428e81e25890d02691794b8e453ba521230532a01bd8c207241fa0faN.exe"
    PID: 2732
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

  C:\ProgramData\Synaptics\Synaptics.exe
    Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    PID: 2740
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      PID: 1796
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
  PID: 612
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads