Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
2s -
max time network
14s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
15/12/2024, 22:59
Behavioral task
behavioral1
Sample
000.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
000.exe
Resource
win10v2004-20241007-en
General
-
Target
000.exe
-
Size
7.4MB
-
MD5
06c9504a38c6996916dbd515559c9564
-
SHA1
33e92f8c6dd8b3eab4b06ca0bb428e48b4504dac
-
SHA256
2fbd716ca1f19737591463a9f5776de57105fd800118375012d08fb000d2e39e
-
SHA512
e9259b0ebcf970db693af90a8811e706ef10187c33d662409c678034abdf5282a1bd63e1a6445c25f35a0c7714863109a17289e1919d9ad268ba72fc4f6f792f
-
SSDEEP
12288:cMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Jt1I2rVvWHuuuvj:cnsJ39LyjbJkQFMhmC+6GD9j1dUuuu7
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Xred family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation 000.exe -
Executes dropped EXE 1 IoCs
pid Process 692 ._cache_000.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" 000.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_000.exe -
Kills process with taskkill 4 IoCs
pid Process 4320 taskkill.exe 3796 taskkill.exe 4968 taskkill.exe 4788 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 000.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4768 wrote to memory of 692 4768 000.exe 81 PID 4768 wrote to memory of 692 4768 000.exe 81 PID 4768 wrote to memory of 692 4768 000.exe 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\000.exe"C:\Users\Admin\AppData\Local\Temp\000.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Users\Admin\AppData\Local\Temp\._cache_000.exe"C:\Users\Admin\AppData\Local\Temp\._cache_000.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:692 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""3⤵PID:2340
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe4⤵
- Kills process with taskkill
PID:4968
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe4⤵
- Kills process with taskkill
PID:4788
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic useraccount where name='Admin' set FullName='UR NEXT'4⤵PID:2076
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic useraccount where name='Admin' rename 'UR NEXT'4⤵PID:4816
-
-
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵PID:3900
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate3⤵PID:212
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""4⤵PID:1944
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe5⤵
- Kills process with taskkill
PID:4320
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskmgr.exe5⤵
- Kills process with taskkill
PID:3796
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic useraccount where name='Admin' set FullName='UR NEXT'5⤵PID:4516
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic useraccount where name='Admin' rename 'UR NEXT'5⤵PID:384
-
-
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵PID:1156
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7.4MB
MD506c9504a38c6996916dbd515559c9564
SHA133e92f8c6dd8b3eab4b06ca0bb428e48b4504dac
SHA2562fbd716ca1f19737591463a9f5776de57105fd800118375012d08fb000d2e39e
SHA512e9259b0ebcf970db693af90a8811e706ef10187c33d662409c678034abdf5282a1bd63e1a6445c25f35a0c7714863109a17289e1919d9ad268ba72fc4f6f792f
-
Filesize
896KB
MD5c71693d0b13636b503b0154ad80f15aa
SHA113aa49806556b3fe11c1df97e73e9b2b40d4209b
SHA256ffe7d7bacd249bc553c2dcbcfb6c4be8307035ac6c0ca9aab8139c6a1b83f964
SHA5123be22d6daf8e0cdc32638694962c0ef3aff74a0bffcdc64728c4639429601e475fda57cb46ae1756017d500ebc60e31e2b5f64806c7b33bf7edab8923a003e35
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
6.7MB
MD5d5671758956b39e048680b6a8275e96a
SHA133c341130bf9c93311001a6284692c86fec200ef
SHA2564a900b344ef765a66f98cf39ac06273d565ca0f5d19f7ea4ca183786155d4a47
SHA512972e89ed8b7b4d75df0a05c53e71fb5c29edaa173d7289656676b9d2a1ed439be1687beddc6fb1fbf068868c3da9c3d2deb03b55e5ab5e7968858b5efc49fbe7
-
Filesize
361KB
MD5a4b9662cf3b6ea6626f6081c0d8c13f3
SHA1946501d358e5e3b10223431e474607e0eb248796
SHA25684a1c2713642090523f05d9fb015c537fd210d3200cadaf442bb67cf1834b356
SHA5124e94dcf9200bfd6d685f93acaa0bd93d49bb0fe2229f3105e22b8893e0d530ad15e8dce5be6db1c1db393fcc169defc43f12e35308be30b054631487d16cbf33
-
Filesize
403B
MD56fbd6ce25307749d6e0a66ebbc0264e7
SHA1faee71e2eac4c03b96aabecde91336a6510fff60
SHA256e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690
SHA51235a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064
-
Filesize
76KB
MD59232120b6ff11d48a90069b25aa30abc
SHA197bb45f4076083fca037eee15d001fd284e53e47
SHA25670faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be
SHA512b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877
-
Filesize
771B
MD5a9401e260d9856d1134692759d636e92
SHA14141d3c60173741e14f36dfe41588bb2716d2867
SHA256b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7
SHA5125cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6
-
Filesize
396B
MD59037ebf0a18a1c17537832bc73739109
SHA11d951dedfa4c172a1aa1aae096cfb576c1fb1d60
SHA25638c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48
SHA5124fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f