Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
146s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
07/01/2025, 06:31
General
-
Target
ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe
-
Size
814KB
-
MD5
66a61fa07f6a99e8eb497b4ab2a4b8d4
-
SHA1
b275c01835d1a3c50ff351c8505c409b072807a6
-
SHA256
ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea
-
SHA512
d8b873937545a990b83b8916d5859bbe76217dbda4830d6fdf28cece3147b2aa7719d4584a28f8fa1d84864e303f414f4fb348579c9b2bea3a38e632f1e0703d
-
SSDEEP
12288:tMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9BZhA0S47c:tnsJ39LyjbJkQFMhmC+6GD9l7g
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Xred
Xred is backdoor written in Delphi.
-
Xred family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe"C:\Users\Admin\AppData\Local\Temp\ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe"C:\Users\Admin\AppData\Local\Temp\._cache_ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
814KB
MD566a61fa07f6a99e8eb497b4ab2a4b8d4
SHA1b275c01835d1a3c50ff351c8505c409b072807a6
SHA256ab3efd0a20770a9a6cf0d118ef56c92b00f6496baaa8aaadab4be61b9bda54ea
SHA512d8b873937545a990b83b8916d5859bbe76217dbda4830d6fdf28cece3147b2aa7719d4584a28f8fa1d84864e303f414f4fb348579c9b2bea3a38e632f1e0703d
-
Filesize
60KB
MD5cf5ae9b73422687b7979d82f66d9a2ee
SHA116ae4c62c231c716082a03db0ba3da5d38583e5e
SHA256cae98e535dba104fd872f22ff16ff94cdadc7fe0a6791f29359ca4f5b17f43a2
SHA51215dad8f4fb76af8297cb53421488cf3815fb883e221f32b15bfeb8dab2327f6bf8eeeae1e9014fc7a10292f9b56dccfe3736b1e04e3a6b670614c0c11b259045
-
Filesize
24KB
MD5e6dc5108ea7c41db11c6dd4d5d702e22
SHA1ea480d015d6c7f410f8bcbfd682f3b8f0ecb58ea
SHA2561905db6e61f879f2f528fc752b276d315d159776756184647bb03e2cb3e71e30
SHA512e9f20f9d85824ad5433877ead5ebe0ac8221ff631a93f994dfa5c052aa9725feda431d1c4ee2b5874762cea2a2b90232b182a28d685b60a1e425950142123319
-
Filesize
17KB
MD5e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
Filesize
836KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
836KB
-
Filesize
4KB
-
Filesize
836KB
-
Filesize
836KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB