Analysis
- max time kernel: 147s
- max time network: 152s
- platform: windows11-21h2_x64
- resource: win11-20241023-en
- resource tags: arch:x64, arch:x86, image:win11-20241023-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 07/01/2025, 19:11
Behavioral task: behavioral1
- Sample: Server.exe
- Resource: win11-20241023-en
General
- Target: Server.exe
- Size: 790KB
- MD5: f8d0d5a67123a19bbda3691836a8aabc
- SHA1: 0170e410957f3208932abb3c42780b383f47f93f
- SHA256: f92b8e334fa7d646f9f34336d340075c8b607727be46290d5b5d04346de3c257
- SHA512: 5b4aa252812e57390a23ea11117ad3a624969c6c0310c18e92cc099f752c2af184bd85bee29a8699366e0f6dae0825646e9392ee0cfe555fd0fcbb47f3fe12d9
- SSDEEP: 12288:mMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9nSN/j:mnsJ39LyjbJkQFMhmC+6GD9e
Malware Config
Extracted
- Family: xred
- xred.mooo.com
- payload_url:
  http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
  https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
  https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
  http://xred.site50.net/syn/SUpdate.ini
  https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
  https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
  http://xred.site50.net/syn/Synaptics.rar
  https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
  https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
  http://xred.site50.net/syn/SSLLibrary.dll
Signatures
- Njrat family
- Xred family
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid 2868  netsh.exe
- Executes dropped EXE (3 IoCs)
  pid 3744  ._cache_Server.exe
  pid 3000  Synaptics.exe
  pid 3980  ._cache_Synaptics.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"  Server.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Key opened            \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  netsh.exe
  Key queried           \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  netsh.exe
  Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  netsh.exe
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ._cache_Synaptics.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  netsh.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Server.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ._cache_Server.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Synaptics.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  EXCEL.EXE
- Modifies registry class (2 IoCs)
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  Server.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  Synaptics.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid 4616  EXCEL.EXE
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Token: SeDebugPrivilege  pid 3744  ._cache_Server.exe
  Token: 33  pid 3744  ._cache_Server.exe, followed by Token: SeIncBasePriorityPrivilege  pid 3744  ._cache_Server.exe; this pair of entries is repeated 17 times (34 entries)
- Suspicious use of SetWindowsHookEx (6 IoCs)
  pid 4616  EXCEL.EXE (6 entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 4952 (Server.exe) wrote to memory of 3744, procid_target 77 (3 entries)
  PID 4952 (Server.exe) wrote to memory of 3000, procid_target 78 (3 entries)
  PID 3000 (Synaptics.exe) wrote to memory of 3980, procid_target 79 (3 entries)
  PID 3744 (._cache_Server.exe) wrote to memory of 2868, procid_target 82 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  PID: 4952
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe"
    PID: 3744
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe" "._cache_Server.exe" ENABLE
      PID: 2868
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
  - C:\ProgramData\Synaptics\Synaptics.exe
    Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    PID: 3000
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      PID: 3980
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  PID: 4616
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
  - Event Triggered Execution (1)
    - Netsh Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
  - Event Triggered Execution (1)
    - Netsh Helper DLL (1)
- Defense Evasion
  - Impair Defenses (1)
    - Disable or Modify System Firewall (1)
  - Modify Registry (1)
Downloads
- Filesize: 790KB
  MD5: f8d0d5a67123a19bbda3691836a8aabc
  SHA1: 0170e410957f3208932abb3c42780b383f47f93f
  SHA256: f92b8e334fa7d646f9f34336d340075c8b607727be46290d5b5d04346de3c257
  SHA512: 5b4aa252812e57390a23ea11117ad3a624969c6c0310c18e92cc099f752c2af184bd85bee29a8699366e0f6dae0825646e9392ee0cfe555fd0fcbb47f3fe12d9
- Filesize: 37KB
  MD5: 28c6f96db52b32c32f25ef6c0ac2717d
  SHA1: 4eaf024711d5dbaf641ae52eacb6e745f9f12bb2
  SHA256: 2cd48d626ada71c84e1db58049bf428794e8854011e0d2bf6d6b62f8bde4ac9e
  SHA512: b506ef288d3e733c1b0b3cf631a4727c23923609aa07d910322dd65518aeca68e976f279726b0b31a774da2283ba3d561894a0c055abed274bd7d9f0767afc16
- Filesize: 23KB
  MD5: bb830b30ff64bf5ddfa7da997a5d60ff
  SHA1: 94145d07148f11e8e84a214d1f46eb93d0b66c13
  SHA256: f922786db4463a791b3b1253326334034f84880f470ee5d5af10bd0e953d9f01
  SHA512: 5556380d42aa5e7a05795c7e28f126d80261ad0d7bee2f8fd2d222eac50a61810fd2fcb4530d55e8010613893e5a35f45787ae0118486ebde59ab8e09fbee817
- Filesize: 17KB
  MD5: e566fc53051035e1e6fd0ed1823de0f9
  SHA1: 00bc96c48b98676ecd67e81a6f1d7754e4156044
  SHA256: 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
  SHA512: a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04