Analysis
- max time kernel: 111s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-12-2024 17:55
Behavioral task behavioral1
- Sample: 21d23ee41a142f6399afba67164c12ff6147fbad45bdeadc1ac394c039296543N.exe
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: 21d23ee41a142f6399afba67164c12ff6147fbad45bdeadc1ac394c039296543N.exe
- Resource: win10v2004-20241007-en
General
- Target: 21d23ee41a142f6399afba67164c12ff6147fbad45bdeadc1ac394c039296543N.exe
- Size: 1.1MB
- MD5: 65fe41a424c04ecb1dd22b43e7ec5dc0
- SHA1: 7cb9fe2280a297649c69d4d5ce82ce2b63bfa4b3
- SHA256: 21d23ee41a142f6399afba67164c12ff6147fbad45bdeadc1ac394c039296543
- SHA512: 22093e4ae7ac7559560e96aa2bc63d267433c512f1a87ad6668c81985dc35d35201dcac8ef5839aee0c090870211283ea7847ff2f48a7fe5ac7756f40c629c33
- SSDEEP: 24576:onsJ39LyjbJkQFMhmC+6GD9dTbBv5rUDyLyL5nKU:onsHyjtk2MYC5GDlB/LyVH
Malware Config
- Extracted: xred (xred.mooo.com)
Signatures
- Xred family

Checks computer location settings (2 TTPs, 4 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | ._cache_21d23ee41a142f6399afba67164c12ff6147fbad45bdeadc1ac394c039296543N.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | ._cache_Synaptics.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | 21d23ee41a142f6399afba67164c12ff6147fbad45bdeadc1ac394c039296543N.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | Synaptics.exe

Executes dropped EXE (3 IoCs)
pid | Process
4012 | ._cache_21d23ee41a142f6399afba67164c12ff6147fbad45bdeadc1ac394c039296543N.exe
4884 | Synaptics.exe
3400 | ._cache_Synaptics.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | 21d23ee41a142f6399afba67164c12ff6147fbad45bdeadc1ac394c039296543N.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_21d23ee41a142f6399afba67164c12ff6147fbad45bdeadc1ac394c039296543N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_Synaptics.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 21d23ee41a142f6399afba67164c12ff6147fbad45bdeadc1ac394c039296543N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Synaptics.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 21d23ee41a142f6399afba67164c12ff6147fbad45bdeadc1ac394c039296543N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Synaptics.exe

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
3492 | EXCEL.EXE

Suspicious use of SetWindowsHookEx (4 IoCs)
pid | Process
3492 | EXCEL.EXE
3492 | EXCEL.EXE
3492 | EXCEL.EXE
3492 | EXCEL.EXE

Suspicious use of WriteProcessMemory (24 IoCs)
description | pid | Process | procid_target
PID 5100 wrote to memory of 4012 | 5100 | 21d23ee41a142f6399afba67164c12ff6147fbad45bdeadc1ac394c039296543N.exe | 84
PID 5100 wrote to memory of 4012 | 5100 | 21d23ee41a142f6399afba67164c12ff6147fbad45bdeadc1ac394c039296543N.exe | 84
PID 5100 wrote to memory of 4012 | 5100 | 21d23ee41a142f6399afba67164c12ff6147fbad45bdeadc1ac394c039296543N.exe | 84
PID 5100 wrote to memory of 4884 | 5100 | 21d23ee41a142f6399afba67164c12ff6147fbad45bdeadc1ac394c039296543N.exe | 85
PID 5100 wrote to memory of 4884 | 5100 | 21d23ee41a142f6399afba67164c12ff6147fbad45bdeadc1ac394c039296543N.exe | 85
PID 5100 wrote to memory of 4884 | 5100 | 21d23ee41a142f6399afba67164c12ff6147fbad45bdeadc1ac394c039296543N.exe | 85
PID 4012 wrote to memory of 3540 | 4012 | ._cache_21d23ee41a142f6399afba67164c12ff6147fbad45bdeadc1ac394c039296543N.exe | 86
PID 4012 wrote to memory of 3540 | 4012 | ._cache_21d23ee41a142f6399afba67164c12ff6147fbad45bdeadc1ac394c039296543N.exe | 86
PID 4012 wrote to memory of 3540 | 4012 | ._cache_21d23ee41a142f6399afba67164c12ff6147fbad45bdeadc1ac394c039296543N.exe | 86
PID 3540 wrote to memory of 3616 | 3540 | cmd.exe | 89
PID 3540 wrote to memory of 3616 | 3540 | cmd.exe | 89
PID 3540 wrote to memory of 3616 | 3540 | cmd.exe | 89
PID 4884 wrote to memory of 3400 | 4884 | Synaptics.exe | 90
PID 4884 wrote to memory of 3400 | 4884 | Synaptics.exe | 90
PID 4884 wrote to memory of 3400 | 4884 | Synaptics.exe | 90
PID 3400 wrote to memory of 1844 | 3400 | ._cache_Synaptics.exe | 91
PID 3400 wrote to memory of 1844 | 3400 | ._cache_Synaptics.exe | 91
PID 3400 wrote to memory of 1844 | 3400 | ._cache_Synaptics.exe | 91
PID 3540 wrote to memory of 772 | 3540 | cmd.exe | 93
PID 3540 wrote to memory of 772 | 3540 | cmd.exe | 93
PID 3540 wrote to memory of 772 | 3540 | cmd.exe | 93
PID 1844 wrote to memory of 1980 | 1844 | cmd.exe | 94
PID 1844 wrote to memory of 1980 | 1844 | cmd.exe | 94
PID 1844 wrote to memory of 1980 | 1844 | cmd.exe | 94
Processes
- C:\Users\Admin\AppData\Local\Temp\21d23ee41a142f6399afba67164c12ff6147fbad45bdeadc1ac394c039296543N.exe (PID 5100)
  Command line: "C:\Users\Admin\AppData\Local\Temp\21d23ee41a142f6399afba67164c12ff6147fbad45bdeadc1ac394c039296543N.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\._cache_21d23ee41a142f6399afba67164c12ff6147fbad45bdeadc1ac394c039296543N.exe (PID 4012)
    Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_21d23ee41a142f6399afba67164c12ff6147fbad45bdeadc1ac394c039296543N.exe"
    Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 3540)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Create_Shortcut.cmd" "
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cscript.exe (PID 3616)
        Command line: cscript /nologo "C:\Users\Admin\AppData\Local\Temp\8970-10971-2923-18531.vbs"
        Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\cscript.exe (PID 772)
        Command line: cscript /nologo "C:\Users\Admin\AppData\Local\Temp\24941-8876-1355-18441.vbs"
        Signatures: System Location Discovery: System Language Discovery
  - C:\ProgramData\Synaptics\Synaptics.exe (PID 4884)
    Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe (PID 3400)
      Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 1844)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Create_Shortcut.cmd" "
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cscript.exe (PID 1980)
          Command line: cscript /nologo "C:\Users\Admin\AppData\Local\Temp\8974-21719-20788-9827.vbs"
          Signatures: System Location Discovery: System Language Discovery
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 3492)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  Signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads