Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
111s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
02/01/2025, 00:13
General
-
Target
1d8004dae7fe7320a1eca8e0bf11e4501bcea0fb10f619bcfc83489230c2b2d5N.exe
-
Size
925KB
-
MD5
c76bafc4c7c2f9586f39af3f15a2f000
-
SHA1
dc39d9e0d8b8ebc7e5ae56d3d0ea4909b0c4988a
-
SHA256
1d8004dae7fe7320a1eca8e0bf11e4501bcea0fb10f619bcfc83489230c2b2d5
-
SHA512
5523fcbc201dd0c7ae6267cead2bc73babe49e94dea57b230467c9850f11d4e171ee95e68432480f61c602321bb4fb6aac2387d87f7db98e68d3e80736d85ae8
-
SSDEEP
12288:kMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9RZvwnXj:knsJ39LyjbJkQFMhmC+6GD9noT
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Xred
Xred is backdoor written in Delphi.
-
Xred family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1d8004dae7fe7320a1eca8e0bf11e4501bcea0fb10f619bcfc83489230c2b2d5N.exe"C:\Users\Admin\AppData\Local\Temp\1d8004dae7fe7320a1eca8e0bf11e4501bcea0fb10f619bcfc83489230c2b2d5N.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_1d8004dae7fe7320a1eca8e0bf11e4501bcea0fb10f619bcfc83489230c2b2d5N.exe"C:\Users\Admin\AppData\Local\Temp\._cache_1d8004dae7fe7320a1eca8e0bf11e4501bcea0fb10f619bcfc83489230c2b2d5N.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
925KB
MD5c76bafc4c7c2f9586f39af3f15a2f000
SHA1dc39d9e0d8b8ebc7e5ae56d3d0ea4909b0c4988a
SHA2561d8004dae7fe7320a1eca8e0bf11e4501bcea0fb10f619bcfc83489230c2b2d5
SHA5125523fcbc201dd0c7ae6267cead2bc73babe49e94dea57b230467c9850f11d4e171ee95e68432480f61c602321bb4fb6aac2387d87f7db98e68d3e80736d85ae8
-
Filesize
172KB
MD55a6b680e2caf4335da59f9271903a0fc
SHA1d361b91d8abb9a4ac45c759378671fce95ee6a71
SHA2564de460a6f7658f9c6233c9be3f9be70cf893d2010276c1b5c7521cfc42e15ce7
SHA51205e41eb4c9a5672561b74bf61582b6ed3f48b99df4890c8404dff827e864c3de29ec070d15c22245aa9cacccb927fd9d985646f771a1ede2185331e73bb279c3
-
Filesize
27KB
MD596226e554a2ad7374bc00f1642025bcd
SHA155bfde58ee319b6feb28727bd1ccb36c8c324645
SHA256beef5a011b93670e110cba25e14d1c0893d73d66728fd1fa0c061722ca6752dd
SHA512a10aacceddc7019631fb8c6b274c6a5dbe25e81b79635e0f8631c509c63505e4b674fa6e9acc407e8e58fabb20cc1e34c606ee5c6effe31da7304d2bfafa797a
-
Filesize
17KB
MD5e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
Filesize
948KB
-
Filesize
4KB
-
Filesize
948KB
-
Filesize
4KB
-
Filesize
948KB
-
Filesize
4KB
-
Filesize
948KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB