Analysis
- max time kernel: 112s
- max time network: 125s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-12-2024 07:55
Behavioral task behavioral1
- Sample: ae481a6ed16403ba9b3aad23b1573618951e3990ffcd5fcaba9a64dcea47ef1bN.exe
- Resource: win7-20240708-en
Behavioral task behavioral2
- Sample: ae481a6ed16403ba9b3aad23b1573618951e3990ffcd5fcaba9a64dcea47ef1bN.exe
- Resource: win10v2004-20241007-en
General
- Target: ae481a6ed16403ba9b3aad23b1573618951e3990ffcd5fcaba9a64dcea47ef1bN.exe
- Size: 1.8MB
- MD5: f329e7b0d1e658df070483281b3b8240
- SHA1: 1e5dd33facb0b1b816940ded8b79c279b89fb31f
- SHA256: ae481a6ed16403ba9b3aad23b1573618951e3990ffcd5fcaba9a64dcea47ef1b
- SHA512: 55e98fd6c8c127b69698bdd3f25cefc47326e6d9ae8af2cc4fca4b470ed0ee61e8429534a124b58e12ab7989966143103628ecbde1c6ceb1fe927bd2e46dd9f9
- SSDEEP: 49152:5nsHyjtk2MYC5GD+RLs/w+fnXEtKFJKaf:5nsmtk2aXRLSw+fUCt
Malware Config
Extracted
- xred
- xred.mooo.com
- payload_url:
Signatures
- Xred family
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation (process: ae481a6ed16403ba9b3aad23b1573618951e3990ffcd5fcaba9a64dcea47ef1bN.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation (process: Synaptics.exe)
- Executes dropped EXE (3 IoCs)
  - PID 2460: ._cache_ae481a6ed16403ba9b3aad23b1573618951e3990ffcd5fcaba9a64dcea47ef1bN.exe
  - PID 3964: Synaptics.exe
  - PID 844: ._cache_Synaptics.exe
- Loads dropped DLL (2 IoCs)
  - PID 2460: ._cache_ae481a6ed16403ba9b3aad23b1573618951e3990ffcd5fcaba9a64dcea47ef1bN.exe
  - PID 844: ._cache_Synaptics.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" (process: ae481a6ed16403ba9b3aad23b1573618951e3990ffcd5fcaba9a64dcea47ef1bN.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ae481a6ed16403ba9b3aad23b1573618951e3990ffcd5fcaba9a64dcea47ef1bN.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ._cache_ae481a6ed16403ba9b3aad23b1573618951e3990ffcd5fcaba9a64dcea47ef1bN.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: Synaptics.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ._cache_Synaptics.exe)
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: EXCEL.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: EXCEL.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: EXCEL.EXE)
- Enumerates system info in registry (2 TTPs, 9 IoCs)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: ._cache_Synaptics.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion (process: ._cache_Synaptics.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process: EXCEL.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion (process: ._cache_ae481a6ed16403ba9b3aad23b1573618951e3990ffcd5fcaba9a64dcea47ef1bN.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: ._cache_ae481a6ed16403ba9b3aad23b1573618951e3990ffcd5fcaba9a64dcea47ef1bN.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: ._cache_Synaptics.exe)
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process: EXCEL.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (process: EXCEL.EXE)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: ._cache_ae481a6ed16403ba9b3aad23b1573618951e3990ffcd5fcaba9a64dcea47ef1bN.exe)
- Modifies registry class (2 IoCs)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: Synaptics.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: ae481a6ed16403ba9b3aad23b1573618951e3990ffcd5fcaba9a64dcea47ef1bN.exe)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  - PID 5060: EXCEL.EXE
- Suspicious use of SetWindowsHookEx (6 IoCs)
  - PID 5060: EXCEL.EXE (6 identical entries)
- Suspicious use of WriteProcessMemory (9 IoCs)
  - PID 2380 wrote to memory of 2460 (process: ae481a6ed16403ba9b3aad23b1573618951e3990ffcd5fcaba9a64dcea47ef1bN.exe, procid_target: 83), 3 identical entries
  - PID 2380 wrote to memory of 3964 (process: ae481a6ed16403ba9b3aad23b1573618951e3990ffcd5fcaba9a64dcea47ef1bN.exe, procid_target: 84), 3 identical entries
  - PID 3964 wrote to memory of 844 (process: Synaptics.exe, procid_target: 85), 3 identical entries
Processes
- C:\Users\Admin\AppData\Local\Temp\ae481a6ed16403ba9b3aad23b1573618951e3990ffcd5fcaba9a64dcea47ef1bN.exe (PID 2380)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ae481a6ed16403ba9b3aad23b1573618951e3990ffcd5fcaba9a64dcea47ef1bN.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\._cache_ae481a6ed16403ba9b3aad23b1573618951e3990ffcd5fcaba9a64dcea47ef1bN.exe (PID 2460)
    Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_ae481a6ed16403ba9b3aad23b1573618951e3990ffcd5fcaba9a64dcea47ef1bN.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
  - Child: C:\ProgramData\Synaptics\Synaptics.exe (PID 3964)
    Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - Child: C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe (PID 844)
      Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Enumerates system info in registry
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 5060)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
MITRE ATT&CK Enterprise v15