Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241023-en
  • resource tags

    arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    07/01/2025, 19:11

General

  • Target

    Server.exe

  • Size

    790KB

  • MD5

    f8d0d5a67123a19bbda3691836a8aabc

  • SHA1

    0170e410957f3208932abb3c42780b383f47f93f

  • SHA256

    f92b8e334fa7d646f9f34336d340075c8b607727be46290d5b5d04346de3c257

  • SHA512

    5b4aa252812e57390a23ea11117ad3a624969c6c0310c18e92cc099f752c2af184bd85bee29a8699366e0f6dae0825646e9392ee0cfe555fd0fcbb47f3fe12d9

  • SSDEEP

    12288:mMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9nSN/j:mnsJ39LyjbJkQFMhmC+6GD9e

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Njrat family
  • Xred

    Xred is backdoor written in Delphi.

  • Xred family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4952
    • C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3744
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe" "._cache_Server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2868
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3000
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3980
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4616

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe

    Filesize

    790KB

    MD5

    f8d0d5a67123a19bbda3691836a8aabc

    SHA1

    0170e410957f3208932abb3c42780b383f47f93f

    SHA256

    f92b8e334fa7d646f9f34336d340075c8b607727be46290d5b5d04346de3c257

    SHA512

    5b4aa252812e57390a23ea11117ad3a624969c6c0310c18e92cc099f752c2af184bd85bee29a8699366e0f6dae0825646e9392ee0cfe555fd0fcbb47f3fe12d9

  • C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe

    Filesize

    37KB

    MD5

    28c6f96db52b32c32f25ef6c0ac2717d

    SHA1

    4eaf024711d5dbaf641ae52eacb6e745f9f12bb2

    SHA256

    2cd48d626ada71c84e1db58049bf428794e8854011e0d2bf6d6b62f8bde4ac9e

    SHA512

    b506ef288d3e733c1b0b3cf631a4727c23923609aa07d910322dd65518aeca68e976f279726b0b31a774da2283ba3d561894a0c055abed274bd7d9f0767afc16

  • C:\Users\Admin\AppData\Local\Temp\BEC75E00

    Filesize

    23KB

    MD5

    bb830b30ff64bf5ddfa7da997a5d60ff

    SHA1

    94145d07148f11e8e84a214d1f46eb93d0b66c13

    SHA256

    f922786db4463a791b3b1253326334034f84880f470ee5d5af10bd0e953d9f01

    SHA512

    5556380d42aa5e7a05795c7e28f126d80261ad0d7bee2f8fd2d222eac50a61810fd2fcb4530d55e8010613893e5a35f45787ae0118486ebde59ab8e09fbee817

  • C:\Users\Admin\AppData\Local\Temp\nBqynwSE.xlsm

    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  • memory/3000-221-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

  • memory/3000-190-0x0000000002230000-0x0000000002231000-memory.dmp

    Filesize

    4KB

  • memory/3000-189-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

  • memory/3000-106-0x0000000002230000-0x0000000002231000-memory.dmp

    Filesize

    4KB

  • memory/3744-107-0x0000000072B52000-0x0000000072B54000-memory.dmp

    Filesize

    8KB

  • memory/3744-105-0x0000000072B50000-0x0000000073101000-memory.dmp

    Filesize

    5.7MB

  • memory/3744-188-0x0000000072B50000-0x0000000073101000-memory.dmp

    Filesize

    5.7MB

  • memory/3744-91-0x0000000072B51000-0x0000000072B52000-memory.dmp

    Filesize

    4KB

  • memory/4616-141-0x00007FFF05630000-0x00007FFF05640000-memory.dmp

    Filesize

    64KB

  • memory/4616-140-0x00007FFF05630000-0x00007FFF05640000-memory.dmp

    Filesize

    64KB

  • memory/4616-143-0x00007FFF05630000-0x00007FFF05640000-memory.dmp

    Filesize

    64KB

  • memory/4616-142-0x00007FFF05630000-0x00007FFF05640000-memory.dmp

    Filesize

    64KB

  • memory/4616-144-0x00007FFF02FF0000-0x00007FFF03000000-memory.dmp

    Filesize

    64KB

  • memory/4616-145-0x00007FFF02FF0000-0x00007FFF03000000-memory.dmp

    Filesize

    64KB

  • memory/4616-139-0x00007FFF05630000-0x00007FFF05640000-memory.dmp

    Filesize

    64KB

  • memory/4952-0-0x0000000002360000-0x0000000002361000-memory.dmp

    Filesize

    4KB

  • memory/4952-102-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB