Analysis
max time kernel: 142s
max time network: 143s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 02/01/2025, 19:14
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20241023-en

Behavioral task: behavioral2
Sample: file.exe
Resource: win10v2004-20241007-en
General
Target: file.exe
Size: 14.5MB
MD5: 7274b0b15c4e6d5bbe8db5aa93c65a12
SHA1: 643418b70ee7242fb4cf797e54ec78c910d32824
SHA256: 70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435
SHA512: 241ca5eaa520a22a1c264f2fd3307c95d78fb56c2433602e42dcf9f2eb419ed2d43d40f6524a61a1d6e696375f7ea722fd502fa939d4453d88ca63ac068be224
SSDEEP: 393216:o0d/FlptVYmfr7yBG/4JU4TRjtjUMy4i6kgsY7A:H1PpttD7yBG/QHTJtYMyke3
Malware Config
Extracted family: xred
xred.mooo.com
payload_url
Signatures

Xred family
  resource: behavioral1/files/0x000500000001a4fc-170.dat
Executes dropped EXE (5 IoCs)
  pid   Process
  2116  ._cache_file.exe
  2968  ._cache_file.exe
  2860  Synaptics.exe
  2496  ._cache_Synaptics.exe
  2136  ._cache_Synaptics.exe

Loads dropped DLL (9 IoCs)
  pid   Process
  2364  file.exe
  2116  ._cache_file.exe
  2968  ._cache_file.exe
  2364  file.exe
  2364  file.exe
  2860  Synaptics.exe
  2860  Synaptics.exe
  2496  ._cache_Synaptics.exe
  2136  ._cache_Synaptics.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"
  Process: file.exe
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ._cache_file.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Synaptics.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ._cache_Synaptics.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ._cache_Synaptics.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  EXCEL.EXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  file.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ._cache_file.exe
Enumerates system info in registry (2 TTPs, 1 IoC)
  description  ioc                                                                   Process
  Key opened   \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid   Process
  1452  EXCEL.EXE

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid   Process
  2968  ._cache_file.exe
  2136  ._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  1452  EXCEL.EXE

Suspicious use of WriteProcessMemory (32 IoCs; identical rows collapsed, count in last column)
  description                        pid   Process                 procid_target  rows
  PID 2364 wrote to memory of 2116   2364  file.exe                30             7
  PID 2116 wrote to memory of 2968   2116  ._cache_file.exe        31             7
  PID 2364 wrote to memory of 2860   2364  file.exe                32             4
  PID 2860 wrote to memory of 2496   2860  Synaptics.exe           33             7
  PID 2496 wrote to memory of 2136   2496  ._cache_Synaptics.exe   34             7
Processes

C:\Users\Admin\AppData\Local\Temp\file.exe (PID 2364)
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\._cache_file.exe (PID 2116)
    command line: "C:\Users\Admin\AppData\Local\Temp\._cache_file.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\Temp\{9D405F72-6458-41E9-9B27-AA92D7162D9F}\.cr\._cache_file.exe (PID 2968)
      command line: "C:\Windows\Temp\{9D405F72-6458-41E9-9B27-AA92D7162D9F}\.cr\._cache_file.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\._cache_file.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam

  C:\ProgramData\Synaptics\Synaptics.exe (PID 2860)
    command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe (PID 2496)
      command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\Temp\{96A6C52E-5832-4732-BF94-1195CA45B4F1}\.cr\._cache_Synaptics.exe (PID 2136)
        command line: "C:\Windows\Temp\{96A6C52E-5832-4732-BF94-1195CA45B4F1}\.cr\._cache_Synaptics.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 InjUpdate
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: GetForegroundWindowSpam

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 1452)
  command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads