Analysis
max time kernel: 142s
max time network: 136s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted: 03/01/2025, 01:02
Behavioral task: behavioral1
  Sample: dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe
  Resource: win10v2004-20241007-en
General
Target: dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe
Size: 2.5MB
MD5: 955b5c84e9db2eba7f71d15229611e54
SHA1: 803fb7d591b378efb2f33f3f4596b41d488edb34
SHA256: dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa
SHA512: 318626a5488ddeecc6af91ad37aa30c9811057c41bc39a7de76a4de2bbf5de3dadfafdfbf367b2ec7ecbeb9886e8ca28429179cf754b5bd0b4b2bca6b72dc516
SSDEEP: 49152:fnsHyjtk2MYC5GD8oIInpcITYbNbNWo4kSH3OqtwIfKI4GD2z5pvnQ:fnsmtk2akhiIT4bNJFY3Oqtr4lpvQ
Malware Config
Extracted
xred
xred.mooo.com
payload_url:
  http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
  https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
  https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
  http://xred.site50.net/syn/SUpdate.ini
  https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
  https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
  http://xred.site50.net/syn/Synaptics.rar
  https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
  https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
  http://xred.site50.net/syn/SSLLibrary.dll
Signatures

Xred family
  resource: behavioral1/files/0x0006000000018bdd-95.dat

Executes dropped EXE (5 IoCs)
  pid | Process
  3008 | ._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe
  2932 | ._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe
  1944 | Synaptics.exe
  828 | ._cache_Synaptics.exe
  1768 | ._cache_synaptics.exe

Loads dropped DLL (7 IoCs)
  pid | Process
  2828 | dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe
  3008 | ._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe
  2828 | dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe
  2828 | dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe
  1944 | Synaptics.exe
  1944 | Synaptics.exe
  828 | ._cache_Synaptics.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe

Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | ._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe
  File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | ._cache_Synaptics.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Synaptics.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_Synaptics.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid | Process
  2624 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (32 IoCs)
  pid | Process
  3008 | ._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe (16 identical entries)
  828 | ._cache_Synaptics.exe (16 identical entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1768 | ._cache_synaptics.exe
  Token: SeDebugPrivilege | 2932 | ._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe

Suspicious use of SetWindowsHookEx (5 IoCs)
  pid | Process
  3008 | ._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe
  3008 | ._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe
  828 | ._cache_Synaptics.exe
  828 | ._cache_Synaptics.exe
  2624 | EXCEL.EXE

Suspicious use of WriteProcessMemory (20 IoCs; each row below appears 4 times in the report)
  description | pid | Process | procid_target
  PID 2828 wrote to memory of 3008 | 2828 | dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe | 30
  PID 3008 wrote to memory of 2932 | 3008 | ._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe | 31
  PID 2828 wrote to memory of 1944 | 2828 | dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe | 32
  PID 1944 wrote to memory of 828 | 1944 | Synaptics.exe | 33
  PID 828 wrote to memory of 1768 | 828 | ._cache_Synaptics.exe | 35
Processes

[1] C:\Users\Admin\AppData\Local\Temp\dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe"
    PID: 2828
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe"
      PID: 3008
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    [3] \??\c:\users\admin\appdata\local\temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe
        Command line: c:\users\admin\appdata\local\temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe
        PID: 2932
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\ProgramData\Synaptics\Synaptics.exe
      Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      PID: 1944
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        PID: 828
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

      [4] \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
          Command line: c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
          PID: 1768
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken

[1] C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    PID: 2624
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.5MB
MD5: 955b5c84e9db2eba7f71d15229611e54
SHA1: 803fb7d591b378efb2f33f3f4596b41d488edb34
SHA256: dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa
SHA512: 318626a5488ddeecc6af91ad37aa30c9811057c41bc39a7de76a4de2bbf5de3dadfafdfbf367b2ec7ecbeb9886e8ca28429179cf754b5bd0b4b2bca6b72dc516

Filesize: 23KB
MD5: 1659047ccd57bc438c71a0974475c299
SHA1: 36e09a2d4bd671b4775a1cab6707f2571a8caa71
SHA256: 86cfb13a1e329955b5f37c7b9e2d529b0ec6715ea2b29cd0c83adfb33a1aaa02
SHA512: c1be34510dbdd648d0c93b2f46164fd20cd8777ebf834780cb8ecf2b2f8e9298c4c60e57320fb60d70f191a11d05b0b2a29f773b689d29e2dc3366ba080ae61c

Filesize: 17KB
MD5: e566fc53051035e1e6fd0ed1823de0f9
SHA1: 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256: 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512: a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Filesize: 135KB
MD5: b2b0f7ed52405ce562cdf3fc98642fc4
SHA1: ea849492e1f78495de05274e86166d949f3c5d52
SHA256: 99540984de3d492d34879a243e04d9ed1c64babe9f41fbaab6ab60bab54083a7
SHA512: e63923a1db48345a393f2ae786e54ddc6cd1657d33b6f72df13a5034a17d127671d88ddf6f71e5b97ee3ec597fd966ce450d872db6b7bdf3d181b8c9010caa01

\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe
Filesize: 1.8MB
MD5: 391ae2a331ac042af3375a8bec61c542
SHA1: 2b4ac01d34886e81d492e9b5ce8e0c3867378241
SHA256: ab3c3cfc26b066a0118eb29d96751d60f078dbd432b6f2faa6ecdf5b14b8d96e
SHA512: c4bd6e66c0a220b2a5e0f4684c85d0a201d9b6ba54fd7a64d47bf3d1851b3d361b3c18f1917c34f68239c47ee31cb414dc4bc3607f8167116ca0b7bfa251ccb5

\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe
Filesize: 1.7MB
MD5: d440e40758c321682e212e61e6bf297e
SHA1: ad0e6fd020d5619a76789e7dc4c51503aa51c854
SHA256: 03afa67e7c0bebf918c799b844b7ef8f9eb7f982caf6de5f62710e92484cc104
SHA512: 7456186ef64e682cd6e90bb3598e1c90bd17cc0f0616dbb113c596496a8603973930eca7c5e9b4b5dc12f69456b234b90e500ae60e8cc5a9abb3ff7f4ee5b0bc