Analysis
max time kernel: 146s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/01/2025, 06:31
Behavioral task: behavioral1
Sample: ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe
Resource: win10v2004-20241007-en
General
Target: ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe
Size: 814KB
MD5: 66a61fa07f6a99e8eb497b4ab2a4b8d4
SHA1: b275c01835d1a3c50ff351c8505c409b072807a6
SHA256: ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea
SHA512: d8b873937545a990b83b8916d5859bbe76217dbda4830d6fdf28cece3147b2aa7719d4584a28f8fa1d84864e303f414f4fb348579c9b2bea3a38e632f1e0703d
SSDEEP: 12288:tMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9BZhA0S47c:tnsJ39LyjbJkQFMhmC+6GD9l7g
Malware Config
Extracted
xred
xred.mooo.com
payload_url
Signatures

Xred family

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | Synaptics.exe

Executes dropped EXE (3 IoCs)
pid | Process
4820 | ._cache_ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe
2156 | Synaptics.exe
3260 | ._cache_Synaptics.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Synaptics.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_Synaptics.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Synaptics.exe

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
3384 | EXCEL.EXE

Suspicious use of SetWindowsHookEx (8 IoCs)
pid | Process
3384 | EXCEL.EXE (8 identical entries)

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 1772 wrote to memory of 4820 | 1772 | ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe | 83 (3 identical entries)
PID 1772 wrote to memory of 2156 | 1772 | ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe | 84 (3 identical entries)
PID 2156 wrote to memory of 3260 | 2156 | Synaptics.exe | 85 (3 identical entries)
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe"
PID: 1772
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

    [depth 2] C:\Users\Admin\AppData\Local\Temp\._cache_ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe"
    PID: 4820
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

    [depth 2] C:\ProgramData\Synaptics\Synaptics.exe
    Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    PID: 2156
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

        [depth 3] C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        PID: 3260
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

[depth 1] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
PID: 3384
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Downloads
Sample (814KB): hashes as listed under General above.
C:\Users\Admin\AppData\Local\Temp\._cache_ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe
Filesize: 60KB
MD5: cf5ae9b73422687b7979d82f66d9a2ee
SHA1: 16ae4c62c231c716082a03db0ba3da5d38583e5e
SHA256: cae98e535dba104fd872f22ff16ff94cdadc7fe0a6791f29359ca4f5b17f43a2
SHA512: 15dad8f4fb76af8297cb53421488cf3815fb883e221f32b15bfeb8dab2327f6bf8eeeae1e9014fc7a10292f9b56dccfe3736b1e04e3a6b670614c0c11b259045

(unnamed file)
Filesize: 24KB
MD5: e6dc5108ea7c41db11c6dd4d5d702e22
SHA1: ea480d015d6c7f410f8bcbfd682f3b8f0ecb58ea
SHA256: 1905db6e61f879f2f528fc752b276d315d159776756184647bb03e2cb3e71e30
SHA512: e9f20f9d85824ad5433877ead5ebe0ac8221ff631a93f994dfa5c052aa9725feda431d1c4ee2b5874762cea2a2b90232b182a28d685b60a1e425950142123319

(unnamed file)
Filesize: 17KB
MD5: e566fc53051035e1e6fd0ed1823de0f9
SHA1: 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256: 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512: a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04