Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    146s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/01/2025, 06:31

General

  • Target

    ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe

  • Size

    814KB

  • MD5

    66a61fa07f6a99e8eb497b4ab2a4b8d4

  • SHA1

    b275c01835d1a3c50ff351c8505c409b072807a6

  • SHA256

    ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea

  • SHA512

    d8b873937545a990b83b8916d5859bbe76217dbda4830d6fdf28cece3147b2aa7719d4584a28f8fa1d84864e303f414f4fb348579c9b2bea3a38e632f1e0703d

  • SSDEEP

    12288:tMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9BZhA0S47c:tnsJ39LyjbJkQFMhmC+6GD9l7g

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

  • Xred family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe
    "C:\Users\Admin\AppData\Local\Temp\ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1772
    • C:\Users\Admin\AppData\Local\Temp\._cache_ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4820
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3260
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3384

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe

    Filesize

    814KB

    MD5

    66a61fa07f6a99e8eb497b4ab2a4b8d4

    SHA1

    b275c01835d1a3c50ff351c8505c409b072807a6

    SHA256

    ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea

    SHA512

    d8b873937545a990b83b8916d5859bbe76217dbda4830d6fdf28cece3147b2aa7719d4584a28f8fa1d84864e303f414f4fb348579c9b2bea3a38e632f1e0703d

  • C:\Users\Admin\AppData\Local\Temp\._cache_ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe

    Filesize

    60KB

    MD5

    cf5ae9b73422687b7979d82f66d9a2ee

    SHA1

    16ae4c62c231c716082a03db0ba3da5d38583e5e

    SHA256

    cae98e535dba104fd872f22ff16ff94cdadc7fe0a6791f29359ca4f5b17f43a2

    SHA512

    15dad8f4fb76af8297cb53421488cf3815fb883e221f32b15bfeb8dab2327f6bf8eeeae1e9014fc7a10292f9b56dccfe3736b1e04e3a6b670614c0c11b259045

  • C:\Users\Admin\AppData\Local\Temp\33E75E00

    Filesize

    24KB

    MD5

    e6dc5108ea7c41db11c6dd4d5d702e22

    SHA1

    ea480d015d6c7f410f8bcbfd682f3b8f0ecb58ea

    SHA256

    1905db6e61f879f2f528fc752b276d315d159776756184647bb03e2cb3e71e30

    SHA512

    e9f20f9d85824ad5433877ead5ebe0ac8221ff631a93f994dfa5c052aa9725feda431d1c4ee2b5874762cea2a2b90232b182a28d685b60a1e425950142123319

  • C:\Users\Admin\AppData\Local\Temp\YTB7zvsg.xlsm

    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  • memory/1772-101-0x0000000000400000-0x00000000004D1000-memory.dmp

    Filesize

    836KB

  • memory/1772-0-0x0000000002280000-0x0000000002281000-memory.dmp

    Filesize

    4KB

  • memory/2156-102-0x0000000002240000-0x0000000002241000-memory.dmp

    Filesize

    4KB

  • memory/2156-136-0x0000000000400000-0x00000000004D1000-memory.dmp

    Filesize

    836KB

  • memory/2156-137-0x0000000002240000-0x0000000002241000-memory.dmp

    Filesize

    4KB

  • memory/2156-222-0x0000000000400000-0x00000000004D1000-memory.dmp

    Filesize

    836KB

  • memory/2156-191-0x0000000000400000-0x00000000004D1000-memory.dmp

    Filesize

    836KB

  • memory/3384-138-0x00007FFC3BE30000-0x00007FFC3BE40000-memory.dmp

    Filesize

    64KB

  • memory/3384-143-0x00007FFC39C70000-0x00007FFC39C80000-memory.dmp

    Filesize

    64KB

  • memory/3384-144-0x00007FFC39C70000-0x00007FFC39C80000-memory.dmp

    Filesize

    64KB

  • memory/3384-139-0x00007FFC3BE30000-0x00007FFC3BE40000-memory.dmp

    Filesize

    64KB

  • memory/3384-142-0x00007FFC3BE30000-0x00007FFC3BE40000-memory.dmp

    Filesize

    64KB

  • memory/3384-141-0x00007FFC3BE30000-0x00007FFC3BE40000-memory.dmp

    Filesize

    64KB

  • memory/3384-140-0x00007FFC3BE30000-0x00007FFC3BE40000-memory.dmp

    Filesize

    64KB