Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
22/12/2024, 12:23
General
-
Target
AntiPubs Dork Searcher EZ/Update.exe
-
Size
893KB
-
MD5
f0f73959988dd4d41de1445fb9075b6f
-
SHA1
a39d5fe0e269c062c1b7c64be09db16508f6cc4b
-
SHA256
f7c2e8367293c26805ea8f0efed61aba293a970eeab7883b7c40619499e4fc85
-
SHA512
bff75fa90f703faf4682061bdd609844d98d64b07b0109091f7c2983e4e1459a702e30a4ee06aa036c0e6bc7a508f39a0c6b95a2c27d25df343b4137deb0520c
-
SSDEEP
12288:UMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V94vFUNDasQ:UnsJ39LyjbJkQFMhmC+6GD9AFOaP
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Xred
Xred is backdoor written in Delphi.
-
Xred family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 12 IoCs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of SetWindowsHookEx 26 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\AntiPubs Dork Searcher EZ\Update.exe"C:\Users\Admin\AppData\Local\Temp\AntiPubs Dork Searcher EZ\Update.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AntiPubs Dork Searcher EZ\._cache_Update.exe"C:\Users\Admin\AppData\Local\Temp\AntiPubs Dork Searcher EZ\._cache_Update.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\temp\antipubs dork searcher ez\._cache_update.exe"c:\users\admin\appdata\local\temp\antipubs dork searcher ez\._cache_update.exe "3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe6⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AntiPubs Dork Searcher EZ\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\AntiPubs Dork Searcher EZ\._cache_Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\temp\antipubs dork searcher ez\._cache_synaptics.exe"c:\users\admin\appdata\local\temp\antipubs dork searcher ez\._cache_synaptics.exe " InjUpdate4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
893KB
MD5f0f73959988dd4d41de1445fb9075b6f
SHA1a39d5fe0e269c062c1b7c64be09db16508f6cc4b
SHA256f7c2e8367293c26805ea8f0efed61aba293a970eeab7883b7c40619499e4fc85
SHA512bff75fa90f703faf4682061bdd609844d98d64b07b0109091f7c2983e4e1459a702e30a4ee06aa036c0e6bc7a508f39a0c6b95a2c27d25df343b4137deb0520c
-
Filesize
21KB
MD55a1f79939664d0b8f08f274f294017ac
SHA11ad03087f1eb02d7f8a6a82168f3f381547ab989
SHA256cd71bb771b62592fd93f79e827bcbcbadf3b3ddf67eebac7af90c9a69965cac6
SHA512029aeec056de496fb26bd57d33709b58981fbacd0853031fbf58e4168e9f85040787c1ca101e19a85faa2aabd6edf80fde1566e6a73178c4d4e403926c5ba8d6
-
Filesize
140KB
MD5570ddad76b94dd6156587b6f98ce8f6d
SHA1c4b4b2655cc181add7a1e90d840a6735ca4bbace
SHA256324fd9c87d5311ad7ab72f6238afda44f7bd7532daaf2a3d639a4dea81d95c86
SHA512be0be9826d2e6dcb0f3bcbe16ef624154f6357892d4c57d8d1f87508cb3d1b37966d1ceb679487305ea3236acdcd5871a6cda315a89510264850b0629e36aa0f
-
Filesize
5KB
MD5e2032456744fd06c43c2097f8fcd1a1f
SHA1df474bbbd27166ef9a935457c44130fa20fbda5d
SHA256bf9ba9e515c43c1c7d394cbc528e2fa500d98c423df89958485f61d2bd7bb874
SHA512e3520f05508bcd44d989b7e92102586235a1187afbea8e9d903244e5487679190fc83aaf831ded2b9e0da0803b3298c93ff1be0396bbe54e57b5c3a428c6d7ae
-
Filesize
17KB
MD5e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
Filesize
135KB
MD5396d11a99266c10b4d6b984cfbfaff7e
SHA18f9c3aed2d92b3773d28f8b9f79f6a47197185aa
SHA2565322aafa38db442e2c8911ce69c1fec5ab8a7dfab31114de275fa9c46f9d4e5b
SHA512726bd4b84cb22a414821dd59fc553ba5c3208d26ccccba272767343d3a3c4473c27fc8e7e2a75f4c6298fcf49df64e60f81c437f6cfc4a085a4643b1ebf79659
-
Filesize
135KB
MD5fe07e43d610bef7a346eef8f8c5b9a95
SHA1f782e9115af0f9cd8f5d88179476614fd84e1a10
SHA25683caed8278b264c26235d659bf80924ba0969a6209d984cf6a38ac66635af4d3
SHA5122e1539602e62dc13a303f71760a4ed6a155daae438804d5bde7f6ff9aa67818e66ada7eea2fa1eff76144513695e91783f481f5fe7ef1c56dfe15251033c2f65
-
Filesize
135KB
MD5852e686eaa7253515d3a680c0214e44b
SHA15fde61b0cd977d1fdf4db42425d343536f0233d7
SHA256a686365c3d144b34f34f168b07de3f90f5a798fbc8cf644e087e81f7f88c9b65
SHA512ea9e68d93eee963d435d174cef2fc524c42038f9e264fc9f1ef2c34f35691797155f47c0e79b6a2ae9570c2a7abb830b46463a219ce9914dda68ac416bcf2528
-
Filesize
135KB
MD50be6864d625233f790876678facc74c7
SHA148e5039c02b4f416ca87c412125da993c6f548bc
SHA256defaadae9a67418c60629828b47b051ad77902a170ec6c26f1fd7297b1139649
SHA512bb88079187d3d35c675af5cd69d2fa0ccf79dc97b15848fc3cfd3f0d6e295b4143b9d02f4c2d770e30f2aed0e6451b6d125945b23e0e85adb1bda5597124739a
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
4KB
-
Filesize
916KB
-
Filesize
916KB
-
Filesize
4KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
124KB
-
Filesize
916KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB
-
Filesize
124KB