Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/01/2025, 07:17

General

  • Target

    db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe

  • Size

    980KB

  • MD5

    a98bb278468370c572610865052def56

  • SHA1

    b3f61627939e0899cf0208d8070e4a38e625bb06

  • SHA256

    db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4

  • SHA512

    87cf147589b1005891d78ea07f6596b3094d29b2fc812e63622f98f38ed068e02491ce143cc68b93a9015361f2e913f85b8edefb05b52bbd5c535ffe10e5aed1

  • SSDEEP

    24576:nnsJ39LyjbJkQFMhmC+6GD975xolYQY6+I:nnsHyjtk2MYC5GDQYNI

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 11 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 26 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe
    "C:\Users\Admin\AppData\Local\Temp\db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1500
    • C:\Users\Admin\AppData\Local\Temp\._cache_db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2592
      • \??\c:\users\admin\appdata\local\temp\._cache_db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe 
        c:\users\admin\appdata\local\temp\._cache_db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe 
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:408
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 800
          4⤵
          • Program crash
          PID:4744
      • C:\Users\Admin\AppData\Local\icsys.icn.exe
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:900
        • \??\c:\windows\system\explorer.exe
          c:\windows\system\explorer.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3880
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe SE
            5⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3172
            • \??\c:\windows\system\svchost.exe
              c:\windows\system\svchost.exe
              6⤵
              • Modifies WinLogon for persistence
              • Modifies visibility of hidden/system files in Explorer
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4504
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe PR
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1692
              • C:\Windows\SysWOW64\at.exe
                at 07:19 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                7⤵
                • System Location Discovery: System Language Discovery
                PID:5116
              • C:\Windows\SysWOW64\at.exe
                at 07:20 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2836
              • C:\Windows\SysWOW64\at.exe
                at 07:21 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2400
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3936
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4664
        • \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe 
          c:\users\admin\appdata\local\temp\._cache_synaptics.exe  InjUpdate
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4344
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 824
            5⤵
            • Program crash
            PID:2908
        • C:\Users\Admin\AppData\Local\icsys.icn.exe
          C:\Users\Admin\AppData\Local\icsys.icn.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4116
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 408 -ip 408
    1⤵
      PID:1624
    • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
      1⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2436
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4344 -ip 4344
      1⤵
        PID:3712

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\ProgramData\Synaptics\Synaptics.exe

        Filesize

        980KB

        MD5

        a98bb278468370c572610865052def56

        SHA1

        b3f61627939e0899cf0208d8070e4a38e625bb06

        SHA256

        db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4

        SHA512

        87cf147589b1005891d78ea07f6596b3094d29b2fc812e63622f98f38ed068e02491ce143cc68b93a9015361f2e913f85b8edefb05b52bbd5c535ffe10e5aed1

      • C:\Users\Admin\AppData\Local\Temp\._cache_db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe

        Filesize

        226KB

        MD5

        ebb8f5135ff7cb88580e27f9581ebc3f

        SHA1

        e7a1e28ae53005278924c3a50df2da9037a4df02

        SHA256

        831f7ca536139c61b78b3f02482994ea206d1c056dd12aabe3a3b8dcdc0a854c

        SHA512

        22ebbf0f086ab3a9852ec7b0d783b30dbc2bcbb76401d379ff13538d3b452da8ad0b6fcb2b980168df2ef5643eeb5ab5da828c92697f96863c818cf734ab5046

      • C:\Users\Admin\AppData\Local\Temp\._cache_db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe 

        Filesize

        20KB

        MD5

        f83e3d53d747b25e29df03c30eafcb1f

        SHA1

        bf705087922f4c9ccf8cf4194c1ce67a7bfbd319

        SHA256

        41b3a316dc3856ef958f3e9d7968f6fde0040e199fe61f85b00d188f24f50ba9

        SHA512

        30d1c759e183ca054e03229b72f21878d906c8100be5c63fe1ba62a4926e7dabc3b0e71396a427671865f406135fa2a8d771ae919d8110fe592c95e3a589728f

      • C:\Users\Admin\AppData\Local\Temp\BnBX4MkY.xlsm

        Filesize

        17KB

        MD5

        e566fc53051035e1e6fd0ed1823de0f9

        SHA1

        00bc96c48b98676ecd67e81a6f1d7754e4156044

        SHA256

        8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

        SHA512

        a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

      • C:\Users\Admin\AppData\Local\Temp\D1C75E00

        Filesize

        21KB

        MD5

        b03fd69189851f671bb2139f1dde213d

        SHA1

        6338a50c45501d15f143121c10c78591fad721cc

        SHA256

        c98a4034f03344600bc848e708d9a15b4a4917f97f231896ff45ead59b5c0276

        SHA512

        5d5d818159d60f179f4e60f3b38ee7b7db0b00f38d1c0187a5e25954e7650e15a976ce779126c3d94c7a9c7a1c4db29597b0ca0c34919bd0073a7e9db5c711c7

      • C:\Users\Admin\AppData\Local\icsys.icn.exe

        Filesize

        206KB

        MD5

        102899034e993b46a13a62d3ff2d9fdb

        SHA1

        d784fd07ecdfe133fbeae14fd9785b6f4e490f76

        SHA256

        4ea6b9830682272506a8ad0dd559379bbe8b5b7989609d14562353d34425d4f4

        SHA512

        38faae6f4f267a0554d772cb99584f634d94b30e8769ae00a648011a82de16ac7cd725b094a6bc982c994f268da72caae9b2b880d8e8cf7a27f7e0e1fd73cca0

      • C:\Users\Admin\AppData\Roaming\mrsys.exe

        Filesize

        206KB

        MD5

        d926db8287b9624c5ef3c9d4b5b143b1

        SHA1

        cdcef6638b5498c69ee0b3ec90ddd536c203cd65

        SHA256

        3b2ecfd9f9815b922532f4e299a0002189ed1c901692265ff25c52cec900fb0f

        SHA512

        f6649bc29f3c06610771f1bd04acc1681313242aca86d5aa8da0f7af97e5bc29af8eab1acfeaaaa0fe7c4ed827f8affc1f9cba1478dcb1f8341ca82625dd96fa

      • C:\Windows\System\explorer.exe

        Filesize

        207KB

        MD5

        a6952fec156c0f537ab055af1a55906e

        SHA1

        d1e2ac1cf55ef8ab76e49fe805aac1df25568e32

        SHA256

        2c3b7223d4d1a1cecf752ae257a85ac1cf5368faf3c6e077855c72c4867451f1

        SHA512

        6e4748c735b65b7d31c835e3ed65c5af9577a8658b517c1057d6d7c0869d8b4269bb34211a3fcfc44d25607aee4b575e0012403272c6c94430e7dcb9198f48a2

      • C:\Windows\System\spoolsv.exe

        Filesize

        206KB

        MD5

        7532601de1c6a8abe56e4d2f2353cc14

        SHA1

        cd77425a774449efb350276608234c72112f67ab

        SHA256

        dee15dfd991f2cd3047e50e38a21bbdf0f84286c6f9834f7f1958d3f427941a7

        SHA512

        240f187128ba50a9819f333191478f339c07dc6dd23b3c4cb30a31466d4eec1e27218ed3b2303678a6dbae4787d1ddfb035766049023ad3a9ecef844afd859a0

      • C:\Windows\System\svchost.exe

        Filesize

        206KB

        MD5

        3ef258f85aa1a26136417b89bfaa1881

        SHA1

        b6aac4d37dea2bd215f3d6d49756a1760ebd3d56

        SHA256

        e9e4f8a2ea15fb5cb210120b49f501561a0473d54ca9a5d4ee6c8cf5f3cf1402

        SHA512

        2739418fc843d8c32791e36446ecfb2719abefb21157b0b721c6e9ca5adcad5ad88643bd20f9816f901c1808d90ec20d8f3e9fb25de6d0e6ef10fb4988f96c48

      • memory/408-141-0x0000000000B60000-0x0000000000B6C000-memory.dmp

        Filesize

        48KB

      • memory/408-190-0x0000000005AD0000-0x0000000006074000-memory.dmp

        Filesize

        5.6MB

      • memory/900-265-0x0000000000400000-0x0000000000441000-memory.dmp

        Filesize

        260KB

      • memory/1500-0-0x00000000023B0000-0x00000000023B1000-memory.dmp

        Filesize

        4KB

      • memory/1500-136-0x0000000000400000-0x00000000004FB000-memory.dmp

        Filesize

        1004KB

      • memory/1692-263-0x0000000000400000-0x0000000000441000-memory.dmp

        Filesize

        260KB

      • memory/2436-215-0x00007FFEC7F90000-0x00007FFEC7FA0000-memory.dmp

        Filesize

        64KB

      • memory/2436-210-0x00007FFEC7F90000-0x00007FFEC7FA0000-memory.dmp

        Filesize

        64KB

      • memory/2436-208-0x00007FFEC7F90000-0x00007FFEC7FA0000-memory.dmp

        Filesize

        64KB

      • memory/2436-209-0x00007FFEC7F90000-0x00007FFEC7FA0000-memory.dmp

        Filesize

        64KB

      • memory/2436-216-0x00007FFEC5710000-0x00007FFEC5720000-memory.dmp

        Filesize

        64KB

      • memory/2436-214-0x00007FFEC7F90000-0x00007FFEC7FA0000-memory.dmp

        Filesize

        64KB

      • memory/2436-217-0x00007FFEC5710000-0x00007FFEC5720000-memory.dmp

        Filesize

        64KB

      • memory/2592-266-0x0000000000400000-0x0000000000441000-memory.dmp

        Filesize

        260KB

      • memory/2592-61-0x0000000000400000-0x0000000000441000-memory.dmp

        Filesize

        260KB

      • memory/3172-264-0x0000000000400000-0x0000000000441000-memory.dmp

        Filesize

        260KB

      • memory/3880-344-0x0000000000400000-0x0000000000441000-memory.dmp

        Filesize

        260KB

      • memory/3936-138-0x0000000002150000-0x0000000002151000-memory.dmp

        Filesize

        4KB

      • memory/3936-311-0x0000000002150000-0x0000000002151000-memory.dmp

        Filesize

        4KB

      • memory/3936-312-0x0000000000400000-0x00000000004FB000-memory.dmp

        Filesize

        1004KB

      • memory/3936-343-0x0000000000400000-0x00000000004FB000-memory.dmp

        Filesize

        1004KB

      • memory/4116-239-0x0000000000400000-0x0000000000441000-memory.dmp

        Filesize

        260KB

      • memory/4504-346-0x0000000000400000-0x0000000000441000-memory.dmp

        Filesize

        260KB

      • memory/4664-201-0x0000000000400000-0x0000000000441000-memory.dmp

        Filesize

        260KB

      • memory/4664-241-0x0000000000400000-0x0000000000441000-memory.dmp

        Filesize

        260KB