Analysis
- Max time kernel: 141s
- Max time network: 148s
- Platform: windows10-2004_x64
- Resource: win10v2004-20241007-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 17-12-2024 19:45
Behavioral task: behavioral1
- Sample: 0e72c060893ae412a1cba2f0095e8d07d47350bacb568a3e3383b807c38dd0b1.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 0e72c060893ae412a1cba2f0095e8d07d47350bacb568a3e3383b807c38dd0b1.exe
- Resource: win10v2004-20241007-en
General
- Target: 0e72c060893ae412a1cba2f0095e8d07d47350bacb568a3e3383b807c38dd0b1.exe
- Size: 938KB
- MD5: 6a2f1c3f0e069d648d30706d308336bc
- SHA1: 0d88c721c68b405abfa7bd6c0dbbcbf3cf70ce88
- SHA256: 0e72c060893ae412a1cba2f0095e8d07d47350bacb568a3e3383b807c38dd0b1
- SHA512: 31adecce3fc954ecfb69093e7b9a169b7c4d839a4ce8f59ee155c003bfa93733da68d7cd41b303d4cd42d892ecb56273a31f23faed498f3d9b1151a470c29df8
- SSDEEP: 12288:/MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9QlGXd4OvXkLGHj0qTDzZI:/nsJ39LyjbJkQFMhmC+6GD9CGmA0UTPS
Malware Config
Extracted
- Family: xred
- xred.mooo.com
- payload_url:
  - http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
  - https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
  - https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
  - http://xred.site50.net/syn/SUpdate.ini
  - https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
  - https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
  - http://xred.site50.net/syn/Synaptics.rar
  - https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
  - https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
  - http://xred.site50.net/syn/SSLLibrary.dll
Signatures
- Xred family

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation (process: 0e72c060893ae412a1cba2f0095e8d07d47350bacb568a3e3383b807c38dd0b1.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation (process: Synaptics.exe)

Executes dropped EXE (3 IoCs)
- PID 1212: ._cache_0e72c060893ae412a1cba2f0095e8d07d47350bacb568a3e3383b807c38dd0b1.exe
- PID 1512: Synaptics.exe
- PID 2384: ._cache_Synaptics.exe

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe" (process: 0e72c060893ae412a1cba2f0095e8d07d47350bacb568a3e3383b807c38dd0b1.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 0e72c060893ae412a1cba2f0095e8d07d47350bacb568a3e3383b807c38dd0b1.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ._cache_0e72c060893ae412a1cba2f0095e8d07d47350bacb568a3e3383b807c38dd0b1.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: Synaptics.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: ._cache_Synaptics.exe)
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: EXCEL.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: EXCEL.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process: EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (process: EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process: EXCEL.EXE)

Modifies registry class (2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: 0e72c060893ae412a1cba2f0095e8d07d47350bacb568a3e3383b807c38dd0b1.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: Synaptics.exe)

Suspicious behavior: AddClipboardFormatListener (1 IoC)
- PID 456: EXCEL.EXE

Suspicious use of SetWindowsHookEx (6 IoCs)
- PID 456: EXCEL.EXE (6 occurrences)

Suspicious use of WriteProcessMemory (9 IoCs)
- PID 3848 (0e72c060893ae412a1cba2f0095e8d07d47350bacb568a3e3383b807c38dd0b1.exe) wrote to memory of PID 1212, procid_target 83 (3 occurrences)
- PID 3848 (0e72c060893ae412a1cba2f0095e8d07d47350bacb568a3e3383b807c38dd0b1.exe) wrote to memory of PID 1512, procid_target 84 (3 occurrences)
- PID 1512 (Synaptics.exe) wrote to memory of PID 2384, procid_target 85 (3 occurrences)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\0e72c060893ae412a1cba2f0095e8d07d47350bacb568a3e3383b807c38dd0b1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e72c060893ae412a1cba2f0095e8d07d47350bacb568a3e3383b807c38dd0b1.exe"
  PID: 3848
  Signatures:
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  Child processes:
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\._cache_0e72c060893ae412a1cba2f0095e8d07d47350bacb568a3e3383b807c38dd0b1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_0e72c060893ae412a1cba2f0095e8d07d47350bacb568a3e3383b807c38dd0b1.exe"
    PID: 1212
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  - [depth 2] C:\ProgramData\Synaptics\Synaptics.exe
    Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    PID: 1512
    Signatures:
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    Child processes:
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      PID: 2384
      Signatures:
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
- [depth 1] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  PID: 456
  Signatures:
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 938KB
  MD5: 6a2f1c3f0e069d648d30706d308336bc
  SHA1: 0d88c721c68b405abfa7bd6c0dbbcbf3cf70ce88
  SHA256: 0e72c060893ae412a1cba2f0095e8d07d47350bacb568a3e3383b807c38dd0b1
  SHA512: 31adecce3fc954ecfb69093e7b9a169b7c4d839a4ce8f59ee155c003bfa93733da68d7cd41b303d4cd42d892ecb56273a31f23faed498f3d9b1151a470c29df8
- C:\Users\Admin\AppData\Local\Temp\._cache_0e72c060893ae412a1cba2f0095e8d07d47350bacb568a3e3383b807c38dd0b1.exe
  Filesize: 193KB
  MD5: e2a73f000402b054a9d3811812364082
  SHA1: 8ec59cf3542ef7ce523c4c803365297b5790032e
  SHA256: bcff800b187c59da9fbdf7dcf11c5e03862f676de6ef7275a84a7f8e21938a87
  SHA512: 2e7c835a86e3f3c6ce7cd3535f90591e892fc0f761f02fa3e7b18c9666d28e387eb488ab5386e91941849f412b329d8dba5f1659d6d4040bffc408d45cca1e64
- Filesize: 22KB
  MD5: ebf8aa7c9f27174924d59a403cd41b5d
  SHA1: 748cabf32e54dea55e89488e9f1247539839b75e
  SHA256: 3a84d29d2fca4396507def513c6bc164376ad3679659b4361dd753239bde1dac
  SHA512: b054d97e1e11e1c2627c1cf1117259d20e2c901b930d43da554c2e3e4d2fd874cc8effbf43d6d2cca64aae0d7d5d9554c54869907cef7a3f36685e7f494202a5
- Filesize: 17KB
  MD5: e566fc53051035e1e6fd0ed1823de0f9
  SHA1: 00bc96c48b98676ecd67e81a6f1d7754e4156044
  SHA256: 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
  SHA512: a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04