Analysis
- max time kernel: 141s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 23-12-2024 03:46
Behavioral task behavioral1
- Sample: db45046c3621a6977cf9b5597544048c258e55dadb9d01b9276328e695f7240c.exe
- Resource: win7-20241010-en
Behavioral task behavioral2
- Sample: db45046c3621a6977cf9b5597544048c258e55dadb9d01b9276328e695f7240c.exe
- Resource: win10v2004-20241007-en
General
- Target: db45046c3621a6977cf9b5597544048c258e55dadb9d01b9276328e695f7240c.exe
- Size: 1.8MB
- MD5: 61ef5a84476d103a712bd15f1e234b59
- SHA1: 283a10bfbeb188c581038f81de38f292c5f888d5
- SHA256: db45046c3621a6977cf9b5597544048c258e55dadb9d01b9276328e695f7240c
- SHA512: ac489b4b4db5f24b7150da552da52257b39437a9be1b357cf0fdcb691f53d4473bad830bae01f481fa1a5c55615d7ece2c42157e959c12b2b28646e8fe9f0279
- SSDEEP: 49152:JnsHyjtk2MYC5GDh8iYglRRbCbtiYglRHiYglR1/4mHkl:Jnsmtk2aZiYMXbCbtiYMBiYMH/4Gs
Malware Config
Extracted
- Family: xred
- Domain: xred.mooo.com
- payload_url:
  - http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
  - https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
  - https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
  - http://xred.site50.net/syn/SUpdate.ini
  - https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
  - https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
  - http://xred.site50.net/syn/Synaptics.rar
  - https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
  - https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
  - http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Xred family
- resource: behavioral1/files/0x000500000001875f-75.dat
-
Executes dropped EXE (3 IoCs)
- PID 1132: ._cache_db45046c3621a6977cf9b5597544048c258e55dadb9d01b9276328e695f7240c.exe
- PID 2788: Synaptics.exe
- PID 2848: ._cache_Synaptics.exe
-
Loads dropped DLL (5 IoCs)
- PID 2172: db45046c3621a6977cf9b5597544048c258e55dadb9d01b9276328e695f7240c.exe (3 loads)
- PID 2788: Synaptics.exe (2 loads)
-
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe", written by db45046c3621a6977cf9b5597544048c258e55dadb9d01b9276328e695f7240c.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of: Synaptics.exe, ._cache_Synaptics.exe, EXCEL.EXE, db45046c3621a6977cf9b5597544048c258e55dadb9d01b9276328e695f7240c.exe, ._cache_db45046c3621a6977cf9b5597544048c258e55dadb9d01b9276328e695f7240c.exe
-
Enumerates system info in registry (2 TTPs, 1 IoC)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor, by EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener (1 IoC)
- PID 700: EXCEL.EXE
-
Suspicious use of FindShellTrayWindow (2 IoCs)
- PID 1132: ._cache_db45046c3621a6977cf9b5597544048c258e55dadb9d01b9276328e695f7240c.exe (2 events)
-
Suspicious use of SendNotifyMessage (2 IoCs)
- PID 1132: ._cache_db45046c3621a6977cf9b5597544048c258e55dadb9d01b9276328e695f7240c.exe (2 events)
-
Suspicious use of SetWindowsHookEx (3 IoCs)
- PID 700: EXCEL.EXE
- PID 1132: ._cache_db45046c3621a6977cf9b5597544048c258e55dadb9d01b9276328e695f7240c.exe (2 events)
-
Suspicious use of WriteProcessMemory (18 IoCs)
- PID 2172 (db45046c3621a6977cf9b5597544048c258e55dadb9d01b9276328e695f7240c.exe) wrote to memory of PID 1132 (procid_target 30): 7 events
- PID 2172 (db45046c3621a6977cf9b5597544048c258e55dadb9d01b9276328e695f7240c.exe) wrote to memory of PID 2788 (procid_target 31): 4 events
- PID 2788 (Synaptics.exe) wrote to memory of PID 2848 (procid_target 32): 7 events
Processes
-
C:\Users\Admin\AppData\Local\Temp\db45046c3621a6977cf9b5597544048c258e55dadb9d01b9276328e695f7240c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\db45046c3621a6977cf9b5597544048c258e55dadb9d01b9276328e695f7240c.exe"
  PID: 2172
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\._cache_db45046c3621a6977cf9b5597544048c258e55dadb9d01b9276328e695f7240c.exe (child of PID 2172)
    Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_db45046c3621a6977cf9b5597544048c258e55dadb9d01b9276328e695f7240c.exe"
    PID: 1132
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
  -
  C:\ProgramData\Synaptics\Synaptics.exe (child of PID 2172)
    Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    PID: 2788
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    -
    C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe (child of PID 2788)
      Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      PID: 2848
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (separate root process; the /automation -Embedding switches indicate COM activation rather than a child of the sample)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
  PID: 700
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
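The indicators above (file hashes, the Run-key persistence value, the `._cache_` dropped-EXE naming, the `InjUpdate` argument and the payload URLs) can be turned directly into host checks. The Python below is an added example for this report, not code from the sandbox or from the malware; only the indicators are taken from the report, and the host snapshot in `sample_host()` is constructed for demonstration. The one design point worth noting: Dropbox, Google Docs and freedns.afraid.org are shared services, so those URLs are matched exactly, while only the operator-controlled hosts (xred.mooo.com, xred.site50.net) are matched on hostname alone.

```python
"""Host triage checks built from the indicators in the sandbox report above.
Added example, not part of the original report or of the malware. Only the
indicators come from the report; the snapshot in sample_host() is CONSTRUCTED."""
from __future__ import annotations

import ntpath
from urllib.parse import urlsplit

# SHA256 values listed under General and Downloads in the report.
KNOWN_SHA256 = {
    "db45046c3621a6977cf9b5597544048c258e55dadb9d01b9276328e695f7240c",  # submitted sample
    "83f59c81a61f4171347e55c8726a00fd1271ddeea9160d36b9f1425ef903b2fc",  # ._cache_ payload
    "fbcaf2690ac148e92f01756a625ec85a4db1c58467b472ceb7481f633e899744",
    "8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15",
}
# Persistence value written under HKLM\SOFTWARE\Wow6432Node\...\CurrentVersion\Run.
RUN_VALUE_NAME = "synaptics pointing device driver"
PERSIST_IMAGE = r"c:\programdata\synaptics\synaptics.exe"
# Hosts the operator controls: safe to match on hostname alone.
ACTOR_HOSTS = {"xred.mooo.com", "xred.site50.net"}
# Dropbox, Google Docs and freedns.afraid.org are shared services; matching them by
# hostname would flag legitimate traffic, so these are matched as exact URLs only.
EXACT_URLS = {
    "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1",
    "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1",
    "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download",
    "http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978",
}


def _norm(path: str) -> str:
    """Strip surrounding quotes and lower-case a registry or command-line path."""
    return path.strip().strip('"').lower()


def check_run_values(run_values: dict[str, str]) -> list[str]:
    """Flag Run entries matching the persistence value by name or by image path."""
    return [f"Run value {name!r} -> {data}" for name, data in run_values.items()
            if name.lower() == RUN_VALUE_NAME or _norm(data) == PERSIST_IMAGE]


def check_processes(procs: list[dict]) -> list[str]:
    """Flag processes reproducing the report's tree: the persistence image, a '._cache_'
    dropped EXE, the 'InjUpdate' argument, or ._cache_Synaptics.exe spawned by Synaptics.exe.
    Each entry carries pid, ppid, image and cmdline."""
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for p in procs:
        image = _norm(p["image"])
        base = ntpath.basename(image)
        reasons = []
        if image == PERSIST_IMAGE:
            reasons.append("persistence image")
        if base.startswith("._cache_"):
            reasons.append("._cache_ dropped EXE")
        if "injupdate" in p["cmdline"].lower().split():  # whole-token match only
            reasons.append("InjUpdate argument")
        parent = by_pid.get(p["ppid"])
        if (parent and base == "._cache_synaptics.exe"
                and ntpath.basename(_norm(parent["image"])) == "synaptics.exe"):
            reasons.append("spawned by Synaptics.exe")
        if reasons:
            hits.append(f"pid {p['pid']} {base}: " + ", ".join(reasons))
    return hits


def check_hashes(files: dict[str, str]) -> list[str]:
    """Flag files whose SHA256 (any case) appears in the report."""
    return [f"{path}: known hash" for path, digest in files.items() if digest.lower() in KNOWN_SHA256]


def check_urls(urls: list[str]) -> list[str]:
    """Flag URLs by actor-controlled hostname, or by exact match for shared services."""
    hits = []
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        if host in ACTOR_HOSTS:
            hits.append(f"{url}: actor-controlled host")
        elif url in EXACT_URLS:
            hits.append(f"{url}: known payload URL on shared service")
    return hits


def sample_host() -> dict:
    """CONSTRUCTED snapshot mirroring the report's process tree, plus benign noise."""
    temp = r"C:\Users\Admin\AppData\Local\Temp"
    sample = "db45046c3621a6977cf9b5597544048c258e55dadb9d01b9276328e695f7240c.exe"
    syn = r"C:\ProgramData\Synaptics\Synaptics.exe"
    excel = r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"
    return {
        "run_values": {"Synaptics Pointing Device Driver": syn,
                       "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe"},
        "processes": [
            {"pid": 2172, "ppid": 1000, "image": f"{temp}\\{sample}", "cmdline": f'"{temp}\\{sample}"'},
            {"pid": 1132, "ppid": 2172, "image": f"{temp}\\._cache_{sample}", "cmdline": f'"{temp}\\._cache_{sample}"'},
            {"pid": 2788, "ppid": 2172, "image": syn, "cmdline": f'"{syn}" InjUpdate'},
            {"pid": 2848, "ppid": 2788, "image": f"{temp}\\._cache_Synaptics.exe",
             "cmdline": f'"{temp}\\._cache_Synaptics.exe" InjUpdate'},
            {"pid": 700, "ppid": 600, "image": excel, "cmdline": f'"{excel}" /automation -Embedding'},
        ],
        "files": {f"{temp}\\{sample}": "DB45046C3621A6977CF9B5597544048C258E55DADB9D01B9276328E695F7240C",
                  r"C:\Windows\explorer.exe": "0" * 64},
        "urls": ["http://xred.site50.net/syn/SUpdate.ini",
                 "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1",
                 "https://www.dropbox.com/s/abc123/quarterly-report.pdf?dl=1"],  # benign share
    }
```

On a live host the inputs would come from the Run key (read through the Wow6432Node view on 64-bit systems, since that is where this 32-bit sample wrote its value), an EDR or Sysmon process listing with parent PIDs, file hashes and proxy logs. The initial dropper (PID 2172) is caught only by its hash; the behavioural checks pick up the dropped stage (`._cache_` image, `InjUpdate` argument, Synaptics.exe spawning ._cache_Synaptics.exe), which is what survives once the operator rebuilds the outer file.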
Network
MITRE ATT&CK Enterprise v15
Downloads
-
- Filesize: 1.8MB
- MD5: 61ef5a84476d103a712bd15f1e234b59
- SHA1: 283a10bfbeb188c581038f81de38f292c5f888d5
- SHA256: db45046c3621a6977cf9b5597544048c258e55dadb9d01b9276328e695f7240c
- SHA512: ac489b4b4db5f24b7150da552da52257b39437a9be1b357cf0fdcb691f53d4473bad830bae01f481fa1a5c55615d7ece2c42157e959c12b2b28646e8fe9f0279
(Hashes identical to the submitted sample under General.)
-
C:\Users\Admin\AppData\Local\Temp\._cache_db45046c3621a6977cf9b5597544048c258e55dadb9d01b9276328e695f7240c.exe
- Filesize: 1.1MB
- MD5: d476151065d4ce41bc90647f63b7ad9f
- SHA1: d3af36d23aca4aac11560e27b463977049f8bf4b
- SHA256: 83f59c81a61f4171347e55c8726a00fd1271ddeea9160d36b9f1425ef903b2fc
- SHA512: 74015e4a18de26319a05a4e1b74ce6f7a99aff209dce45e9768ca162aa65636a19dd49180a23dc94ca62990b854b8d81bc9256c6ca3f9cc4bfc6121285a6d608
-
- Filesize: 23KB
- MD5: 8f282ac5f5748257d40951b58760e0ce
- SHA1: 26a0fe7d4877577f7ae7f05f1b50df8b71e65307
- SHA256: fbcaf2690ac148e92f01756a625ec85a4db1c58467b472ceb7481f633e899744
- SHA512: 97d4aec3732e69a4e9ab8f3cebe4156afcdb63866455b7669ba2e020ab011256e7bced7b026a7c78f3767524fda82e55e971316e41d823b3e3c3ca6051fe2bd4
-
- Filesize: 17KB
- MD5: e566fc53051035e1e6fd0ed1823de0f9
- SHA1: 00bc96c48b98676ecd67e81a6f1d7754e4156044
- SHA256: 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
- SHA512: a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04