Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    01/01/2025, 16:32

General

  • Target

    98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe

  • Size

    793KB

  • MD5

    1951df1cc3262a172ce0bd85cc390d00

  • SHA1

    e88411f0b9155eec15712630de1a45b654f52eb3

  • SHA256

    98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56

  • SHA512

    e06061133c6e987fc53fc1cfb3ddf5394a8d13d8635221bb98dc177f4c794ac3cb3adcbed810d47f6e212cd6082b44021ae9dbe0c113a1bff31a7cda9347aad1

  • SSDEEP

    12288:mMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9TuQj:mnsJ39LyjbJkQFMhmC+6GD9ig

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

  • Xred family
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe
    "C:\Users\Admin\AppData\Local\Temp\98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:296
    • C:\Users\Admin\AppData\Local\Temp\._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Windows\SysWOW64\cmd.exe
        cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2620
      • C:\Windows\SysWOW64\cmd.exe
        cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1820
      • C:\Windows\SysWOW64\cmd.exe
        cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:600
      • C:\Windows\SysWOW64\cmd.exe
        cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2504
      • C:\Windows\SysWOW64\cmd.exe
        cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2220
      • C:\Windows\SysWOW64\cmd.exe
        cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:968
      • C:\Windows\SysWOW64\cmd.exe
        cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1852
      • C:\Windows\SysWOW64\cmd.exe
        cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2416
      • C:\Windows\SysWOW64\cmd.exe
        cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1800
      • C:\Windows\SysWOW64\cmd.exe
        cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1844
      • C:\Windows\SysWOW64\cmd.exe
        cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2712
      • C:\Windows\SysWOW64\cmd.exe
        cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2780
      • C:\Windows\SysWOW64\cmd.exe
        cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2228
      • C:\Windows\SysWOW64\cmd.exe
        cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1724
      • C:\Windows\SysWOW64\cmd.exe
        cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:572
      • C:\Windows\SysWOW64\cmd.exe
        cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2160
      • C:\Windows\SysWOW64\cmd.exe
        cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1856
      • C:\Windows\SysWOW64\cmd.exe
        cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1696
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2596
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2572
        • C:\Windows\SysWOW64\cmd.exe
          cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
          4⤵
          • System Location Discovery: System Language Discovery
          PID:480
        • C:\Windows\SysWOW64\cmd.exe
          cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2144
        • C:\Windows\SysWOW64\cmd.exe
          cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1712
        • C:\Windows\SysWOW64\cmd.exe
          cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2384
        • C:\Windows\SysWOW64\cmd.exe
          cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1860
        • C:\Windows\SysWOW64\cmd.exe
          cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
          4⤵
          • System Location Discovery: System Language Discovery
          PID:916
        • C:\Windows\SysWOW64\cmd.exe
          cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2548
        • C:\Windows\SysWOW64\cmd.exe
          cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
          4⤵
          • System Location Discovery: System Language Discovery
          PID:344
        • C:\Windows\SysWOW64\cmd.exe
          cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3020
        • C:\Windows\SysWOW64\cmd.exe
          cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2716
        • C:\Windows\SysWOW64\cmd.exe
          cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2836
        • C:\Windows\SysWOW64\cmd.exe
          cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2592
        • C:\Windows\SysWOW64\cmd.exe
          cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2864
        • C:\Windows\SysWOW64\cmd.exe
          cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2120
        • C:\Windows\SysWOW64\cmd.exe
          cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2188
        • C:\Windows\SysWOW64\cmd.exe
          cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2444
        • C:\Windows\SysWOW64\cmd.exe
          cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2976
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:796

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe

    Filesize

    793KB

    MD5

    1951df1cc3262a172ce0bd85cc390d00

    SHA1

    e88411f0b9155eec15712630de1a45b654f52eb3

    SHA256

    98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56

    SHA512

    e06061133c6e987fc53fc1cfb3ddf5394a8d13d8635221bb98dc177f4c794ac3cb3adcbed810d47f6e212cd6082b44021ae9dbe0c113a1bff31a7cda9347aad1

  • C:\Users\Admin\AppData\Local\Temp\._cache_98d15d74b36ebb0709c4a2f476088a5889fa548029dc90e7e0a070b1f36c4e56N.exe

    Filesize

    40KB

    MD5

    83db3f55c5a97402b73de7fb23b77add

    SHA1

    7812537505190566cfc04c4708404e25c0750b4d

    SHA256

    af7120cdf209e98bfe63bbc98c176b57987976ab671ab25c5f71d3e72a13a168

    SHA512

    eee63a61b3e86ed029c2ab29bf477e3cc56c956321b29c7a36e947a9441c28bd46ebe629e3955b2339d494cc9cc905581e52af838d088c15b48fdcc557caa916

  • C:\Users\Admin\AppData\Local\Temp\roTxq5tf.xlsm

    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  • memory/296-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

    Filesize

    4KB

  • memory/296-30-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

  • memory/796-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2596-65-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

  • memory/2596-71-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

  • memory/2596-100-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB