Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    142s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    02/01/2025, 19:14

General

  • Target

    file.exe

  • Size

    14.5MB

  • MD5

    7274b0b15c4e6d5bbe8db5aa93c65a12

  • SHA1

    643418b70ee7242fb4cf797e54ec78c910d32824

  • SHA256

    70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435

  • SHA512

    241ca5eaa520a22a1c264f2fd3307c95d78fb56c2433602e42dcf9f2eb419ed2d43d40f6524a61a1d6e696375f7ea722fd502fa939d4453d88ca63ac068be224

  • SSDEEP

    393216:o0d/FlptVYmfr7yBG/4JU4TRjtjUMy4i6kgsY7A:H1PpttD7yBG/QHTJtYMyke3

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

  • Xred family
  • Suspicious Office macro 1 IoCs

    Office document equipped with macros.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Users\Admin\AppData\Local\Temp\._cache_file.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_file.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2116
      • C:\Windows\Temp\{9D405F72-6458-41E9-9B27-AA92D7162D9F}\.cr\._cache_file.exe
        "C:\Windows\Temp\{9D405F72-6458-41E9-9B27-AA92D7162D9F}\.cr\._cache_file.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\._cache_file.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        PID:2968
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2860
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2496
        • C:\Windows\Temp\{96A6C52E-5832-4732-BF94-1195CA45B4F1}\.cr\._cache_Synaptics.exe
          "C:\Windows\Temp\{96A6C52E-5832-4732-BF94-1195CA45B4F1}\.cr\._cache_Synaptics.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 InjUpdate
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          PID:2136
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1452

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe

    Filesize

    14.5MB

    MD5

    7274b0b15c4e6d5bbe8db5aa93c65a12

    SHA1

    643418b70ee7242fb4cf797e54ec78c910d32824

    SHA256

    70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435

    SHA512

    241ca5eaa520a22a1c264f2fd3307c95d78fb56c2433602e42dcf9f2eb419ed2d43d40f6524a61a1d6e696375f7ea722fd502fa939d4453d88ca63ac068be224

  • C:\Users\Admin\AppData\Local\Temp\iHmRRYOK.xlsm

    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  • C:\Users\Admin\AppData\Local\Temp\iHmRRYOK.xlsm

    Filesize

    24KB

    MD5

    e64d42ded7003dd8051d2c988b227476

    SHA1

    ef693102f2789dd4cd94b80153070a8e1c477bb1

    SHA256

    1c5925a5c2b7544b894e96f9d5bf8f499e33e68912dd5e9c6d8b4b861e17efc5

    SHA512

    86608a81c21bd2410bd1a272a709cab867753c4522f001881d68750c07a72a623e53e2d27fe5fe5efb14e96d5e7f58ea09746b759613ae68652ecaffa1473852

  • C:\Windows\Temp\{96D0D4DF-26BA-4940-B7F5-6E3FCFCCDD57}\.ba\logo.png

    Filesize

    1KB

    MD5

    d6bd210f227442b3362493d046cea233

    SHA1

    ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

    SHA256

    335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

    SHA512

    464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

  • C:\Windows\Temp\{9D405F72-6458-41E9-9B27-AA92D7162D9F}\.cr\._cache_file.exe

    Filesize

    632KB

    MD5

    2f9d2b6ce54f9095695b53d1aa217c7b

    SHA1

    3f54934c240f1955301811d2c399728a3e6d1272

    SHA256

    0009d3f27837c3af3f6fff7973faf07afaa4b53119846f55b6f2a79f1759c757

    SHA512

    692857f960f26039c7b0af6329e65a71e8588ff71eaac6b956bd6e437994a8d5a470c7e75dd776e0772e473967b64d5ea0e1d8396546691316daf4d6b8ccc237

  • \Users\Admin\AppData\Local\Temp\._cache_file.exe

    Filesize

    13.7MB

    MD5

    de34b1c517e0463602624bbc8294c08d

    SHA1

    5ce7923ffea712468c05e7ac376dd9c29ea9f6be

    SHA256

    ac96016f1511ae3eb5ec9de04551146fe351b7f97858dcd67163912e2302f5d6

    SHA512

    114bca1ecd17e419ad617a1a4341e607250bcb02626cdc0670eb60be734bbad1f3c84e38f077af9a32a6b1607b8ce6e4b3641c0faefaa779c0fec0d3ac022dac

  • \Windows\Temp\{96D0D4DF-26BA-4940-B7F5-6E3FCFCCDD57}\.ba\wixstdba.dll

    Filesize

    191KB

    MD5

    eab9caf4277829abdf6223ec1efa0edd

    SHA1

    74862ecf349a9bedd32699f2a7a4e00b4727543d

    SHA256

    a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

    SHA512

    45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

  • memory/1452-135-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2364-75-0x0000000000400000-0x0000000001281000-memory.dmp

    Filesize

    14.5MB

  • memory/2364-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

    Filesize

    4KB

  • memory/2860-178-0x0000000000400000-0x0000000001281000-memory.dmp

    Filesize

    14.5MB

  • memory/2860-179-0x0000000000400000-0x0000000001281000-memory.dmp

    Filesize

    14.5MB

  • memory/2860-211-0x0000000000400000-0x0000000001281000-memory.dmp

    Filesize

    14.5MB