Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-12-2024 19:53
Behavioral task behavioral1
Sample: 10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe
Resource: win7-20240903-en

Behavioral task behavioral2
Sample: 10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe
Resource: win10v2004-20241007-en
General

Target: 10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe
Size: 1.2MB
MD5: 9865af46180d9eec214713622cb82d7b
SHA1: 8f18fe6bf7b58bdcb6ad71d0d7f2ffd5a909a07f
SHA256: 10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c
SHA512: 3e0ca8bc92b58ed3c159bf9f78e86c4cf43a99d429e06d5d0b38cfd0db6571c021896a6c14cbe7783e1878973d27e9b725ee66b0f1c67736f81cc1e00d304d3c
SSDEEP: 24576:znsJ39LyjbJkQFMhmC+6GD9GyIZ8E19pme8Ndd/bW83G:znsHyjtk2MYC5GDIyg849WVNW
Malware Config

Extracted
Family: xred
Domain: xred.mooo.com
payload_url:
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll

The first URL is a freedns.afraid.org dynamic-DNS API call; the remaining nine are three hosting locations (Google Docs, Dropbox, xred.site50.net) for each of three artifacts, SUpdate.ini, Synaptics.rar and SSLLibrary.dll, so blocking a single host does not cut the sample off from its payloads.
Signatures

Xred family

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Key value queried  \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation  10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe
Key value queried  \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation  Synaptics.exe

Executes dropped EXE (5 IoCs)
PID 4348  ._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe
PID 2680  ._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.tmp
PID 2184  Synaptics.exe
PID 4636  ._cache_Synaptics.exe
PID 4580  ._cache_Synaptics.tmp
The ._cache_<name>.exe files are consistent with Xred's file-infector behaviour: the original host program is written out under that name and executed so the infected binary still appears to work. The /SL5= switch and is-*.tmp names in the process tree below indicate the host here is an Inno Setup installer.

Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"  10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe

Drops file in Program Files directory (4 IoCs)
File created  C:\Program Files\CyberLink\AudioDirector15\is-4R2T0.tmp  ._cache_Synaptics.tmp
File created  C:\Program Files\CyberLink\AudioDirector15\is-2N0FL.tmp  ._cache_Synaptics.tmp
File created  C:\Program Files\CyberLink\AudioDirector15\is-TRU2M.tmp  ._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.tmp
File created  C:\Program Files\CyberLink\AudioDirector15\is-JUCQ5.tmp  ._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.tmp

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.tmp
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Synaptics.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ._cache_Synaptics.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ._cache_Synaptics.tmp

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. Note that the process here is EXCEL.EXE rather than the sample or its dropped binaries; Office reads these keys during normal start-up, so this is weak evidence of evasion.
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\BIOS  EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  EXCEL.EXE

Modifies registry class (2 IoCs)
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  Synaptics.exe

Suspicious behavior: AddClipboardFormatListener (1 IoC)
PID 3932  EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (4 IoCs)
PID 4580  ._cache_Synaptics.tmp  (2 calls)
PID 2680  ._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.tmp  (2 calls)

Suspicious use of FindShellTrayWindow (2 IoCs)
PID 4580  ._cache_Synaptics.tmp
PID 2680  ._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.tmp

Suspicious use of SetWindowsHookEx (4 IoCs)
PID 3932  EXCEL.EXE  (4 calls)

Suspicious use of WriteProcessMemory (15 IoCs)
PID 4572 (10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe) wrote to memory of PID 4348 (._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe), procid_target 82  (3 calls)
PID 4348 (._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe) wrote to memory of PID 2680 (._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.tmp), procid_target 83  (3 calls)
PID 4572 (10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe) wrote to memory of PID 2184 (Synaptics.exe), procid_target 84  (3 calls)
PID 2184 (Synaptics.exe) wrote to memory of PID 4636 (._cache_Synaptics.exe), procid_target 85  (3 calls)
PID 4636 (._cache_Synaptics.exe) wrote to memory of PID 4580 (._cache_Synaptics.tmp), procid_target 87  (3 calls)
Each parent/child pair shows three writes immediately after the child is created, which is what ordinary CreateProcess start-up looks like in this sandbox; treat the list as a process-tree record, not as injection evidence on its own.
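As an added example, not part of the sandbox report, the host artifacts in the signatures above (Run value, CLSID Instance key, ._cache_ host executables, the InjUpdate argument, C:\ProgramData\Synaptics) and the network indicators from the Malware Config section can be turned into a small matcher run over endpoint telemetry. The event field names, the check functions and the sample events are assumptions of this example; the sample events are constructed from rows of this report plus one benign control.

```python
"""Match host and network telemetry against the Xred indicators in this report."""
import re
from urllib.parse import urlparse

# Indicators copied from the report; the constant names are this example's own.
RUN_VALUE = "Synaptics Pointing Device Driver"
PERSIST_PATH = r"C:\ProgramData\Synaptics\Synaptics.exe"
CLSID = "{1f3427c8-5c10-4210-aa03-2ee45287d668}"
DOMAINS = {"xred.mooo.com", "xred.site50.net"}
DYNDNS_KEY = "sha=a30fa98efc092684e8d1c5cff797bcc613562978"
PAYLOAD_NAMES = {"SUpdate.ini", "Synaptics.rar", "SSLLibrary.dll"}
KNOWN_SHA256 = {
    "10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c",  # submitted sample
    "a9c902b4bc20046c921dfc99744a791ca694ea0e9ecf7a757279ea50ab364bf1",  # dropped ._cache_ host
}
# ._cache_<name>.exe / .tmp: the extracted host program that the infected binary runs.
CACHE_RE = re.compile(r"(^|\\)\._cache_[^\\]+\.(exe|tmp)$", re.IGNORECASE)


def check_process(ev):
    hits = []
    image, cmd = ev.get("image", ""), ev.get("command_line", "")
    if image.lower() == PERSIST_PATH.lower():
        hits.append("persistence binary executed")
    if CACHE_RE.search(image):
        hits.append("._cache_ host executable launched")
    if "InjUpdate" in cmd.split():          # argument seen on every Synaptics.exe launch
        hits.append("InjUpdate argument")
    if ev.get("sha256", "").lower() in KNOWN_SHA256:
        hits.append("known Xred SHA256")
    return hits


def check_registry(ev):
    target = ev.get("target", "").lower()
    hits = []
    if target.endswith(("\\currentversion\\run\\" + RUN_VALUE).lower()):
        hits.append("Run value " + RUN_VALUE)
    if CLSID in target and "\\instance" in target:
        hits.append("CLSID Instance key " + CLSID)
    return hits


def check_file(ev):
    if ev.get("path", "").lower().startswith("c:\\programdata\\synaptics\\"):
        return ["file written under C:\\ProgramData\\Synaptics"]
    return []


def check_network(ev):
    url = ev.get("url", "")
    parsed = urlparse(url)
    host = (ev.get("host") or parsed.hostname or "").lower()
    hits = []
    if host in DOMAINS:
        hits.append("Xred domain " + host)
    if host == "freedns.afraid.org" and DYNDNS_KEY in url:
        hits.append("freedns.afraid.org dyndns lookup with Xred key")
    name = parsed.path.rsplit("/", 1)[-1]   # last path segment, e.g. SUpdate.ini
    if name in PAYLOAD_NAMES:
        hits.append("payload name " + name)
    return hits


CHECKS = {"process": check_process, "registry": check_registry,
          "file": check_file, "network": check_network}


def scan(events):
    """Return one record per event that matched at least one indicator."""
    flagged = []
    for i, ev in enumerate(events):
        hits = CHECKS.get(ev.get("type"), lambda _ev: [])(ev)
        if hits:
            flagged.append({"index": i, "type": ev["type"], "hits": hits})
    return flagged


# Constructed events mirroring rows of this report, plus one benign control (index 8).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\ProgramData\Synaptics\Synaptics.exe",
     "command_line": r'"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate'},
    {"type": "process", "image": r"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe",
     "command_line": r'"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate',
     "sha256": "a9c902b4bc20046c921dfc99744a791ca694ea0e9ecf7a757279ea50ab364bf1"},
    {"type": "registry", "target": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows"
                                   r"\CurrentVersion\Run\Synaptics Pointing Device Driver"},
    {"type": "registry", "target": r"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID"
                                   r"\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance" + "\\"},
    {"type": "file", "path": r"C:\ProgramData\Synaptics\Synaptics.exe"},
    {"type": "network", "url": "http://xred.site50.net/syn/SUpdate.ini"},
    {"type": "network", "url": "http://freedns.afraid.org/api/?action=getdyndns&"
                               "sha=a30fa98efc092684e8d1c5cff797bcc613562978"},
    {"type": "network", "url": "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for rec in scan(SAMPLE_EVENTS):
        print(rec["index"], rec["type"], "; ".join(rec["hits"]))
```

The per-event checks are deliberately narrow (exact persistence path, exact Run value name, the dyndns key string) so that a hit is actionable; the broader ._cache_ and InjUpdate checks are kept separate so an analyst can weight them lower if a host legitimately runs a Synaptics driver installer.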
Processes

C:\Users\Admin\AppData\Local\Temp\10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe  (PID 4572)
  command line: "C:\Users\Admin\AppData\Local\Temp\10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe  (PID 4348)
    command line: "C:\Users\Admin\AppData\Local\Temp\._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\is-6QEQM.tmp\._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.tmp  (PID 2680)
      command line: "C:\Users\Admin\AppData\Local\Temp\is-6QEQM.tmp\._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.tmp" /SL5="$8020A,119392,114176,C:\Users\Admin\AppData\Local\Temp\._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe"
      - Executes dropped EXE
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow

  C:\ProgramData\Synaptics\Synaptics.exe  (PID 2184)
    command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe  (PID 4636)
      command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\is-19SPG.tmp\._cache_Synaptics.tmp  (PID 4580)
        command line: "C:\Users\Admin\AppData\Local\Temp\is-19SPG.tmp\._cache_Synaptics.tmp" /SL5="$70060,119392,114176,C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        - Executes dropped EXE
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE  (PID 3932)
  command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize 381B
MD5 61a7279afdb88c3843a57c0edf94ae5e
SHA1 e1abfaad737d58a65e1448d89428647aace81891
SHA256 d817f1e8d48d7b3c5c442b64f6aab6338985255f7592b77115e24dd58fb5300a
SHA512 240b8fb90e6e352df69aaab602a8b5e8d37ec340691a7c29c263dc3d76ed9e27afd1f5cf1937b3c0b74f56a9af538a744b7718e52f3a0d7b1591d9c2a0cde4db

Filesize 4KB
MD5 95796261a6323f19c7d96945f0777f62
SHA1 411205c177b5a9d3648ad0c9be1fff02735f708f
SHA256 211414e89b0c8d1df11361c6ae1adafb86dd971af6ca3b92f4b25e96702b532d
SHA512 bf49b4306da8c87f5974fcbfb83e83a0e70bb27382137e0fdb11818e4f255d77fd4c779e7a4fe2954499f1ecd22cfe98e926332a2cfc6f703d688c9bbcd7d580

Filesize 1.2MB  (hashes identical to the submitted sample)
MD5 9865af46180d9eec214713622cb82d7b
SHA1 8f18fe6bf7b58bdcb6ad71d0d7f2ffd5a909a07f
SHA256 10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c
SHA512 3e0ca8bc92b58ed3c159bf9f78e86c4cf43a99d429e06d5d0b38cfd0db6571c021896a6c14cbe7783e1878973d27e9b725ee66b0f1c67736f81cc1e00d304d3c

C:\Users\Admin\AppData\Local\Temp\._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe
Filesize 480KB
MD5 478931185c762e3820cc89da1e932dbe
SHA1 64feec6ff7981eed8d8e7c8c9f96a060b901df94
SHA256 a9c902b4bc20046c921dfc99744a791ca694ea0e9ecf7a757279ea50ab364bf1
SHA512 8b797b8ca5a8377e39db3cce101f0a76248dada2e592be3bd04a11fe486d36c3417054a6352b4c55e55903ade41321fc7a54ff5e07853e253dbf6b01a3be840d

C:\Users\Admin\AppData\Local\Temp\is-6QEQM.tmp\._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.tmp
Filesize 757KB
MD5 bf1ce8b5097aadbe98c5c87f8d59be2f
SHA1 5c30464b85d8a12f0abee6519eb8f3448042f9f8
SHA256 0b6baaeb14ed1b68a45213b8a63cd9d69c3070a72dd75ba0fb45c5d60f308bc3
SHA512 072a85610d7f9f6894d9822e5493cec98876bdb0157a826de59f80219a1924d6e698c94b2959516395443a930b20879af44fa4ef48142983436f66977386dc45

Filesize 17KB
MD5 e566fc53051035e1e6fd0ed1823de0f9
SHA1 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512 a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04