xred | 63de7eefa324c97a8f31c6d7adb6c795f3ae53517be4ef7e39218fd94d55e04d

Analysis

max time kernel
111s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/01/2025, 21:58 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63de7eefa324c97a8f31c6d7adb6c795f3ae53517be4ef7e39218fd94d55e04dN.exe
Size

1.8MB
MD5

b8fb75331078770f7fbdf9d5154482f0
SHA1

7034b7ff7484102a84451a5f62997b631dddd8db
SHA256

63de7eefa324c97a8f31c6d7adb6c795f3ae53517be4ef7e39218fd94d55e04d
SHA512

0d047ebd748e1a57387d520407100447f53dbdb414e1d4f794df4915a45c43cbb46149a364d88ba65b4df4c17fa3c83a88fc9704b38bb03525537fc6cecb174f
SSDEEP

49152:xnsHyjtk2MYC5GDccykORxLrRtTn6GuYd:xnsmtk2a9kcrRp6GuYd

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
xredline1@gmail.com
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	63de7eefa324c97a8f31c6d7adb6c795f3ae53517be4ef7e39218fd94d55e04dN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 3 IoCs

pid	Process
1468	._cache_63de7eefa324c97a8f31c6d7adb6c795f3ae53517be4ef7e39218fd94d55e04dN.exe
2332	Synaptics.exe
4776	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	63de7eefa324c97a8f31c6d7adb6c795f3ae53517be4ef7e39218fd94d55e04dN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_63de7eefa324c97a8f31c6d7adb6c795f3ae53517be4ef7e39218fd94d55e04dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	63de7eefa324c97a8f31c6d7adb6c795f3ae53517be4ef7e39218fd94d55e04dN.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	63de7eefa324c97a8f31c6d7adb6c795f3ae53517be4ef7e39218fd94d55e04dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1068	EXCEL.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1068	EXCEL.EXE
1068	EXCEL.EXE
1068	EXCEL.EXE
1068	EXCEL.EXE
1068	EXCEL.EXE
1068	EXCEL.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 1468	4648	63de7eefa324c97a8f31c6d7adb6c795f3ae53517be4ef7e39218fd94d55e04dN.exe	83
PID 4648 wrote to memory of 1468	4648	63de7eefa324c97a8f31c6d7adb6c795f3ae53517be4ef7e39218fd94d55e04dN.exe	83
PID 4648 wrote to memory of 1468	4648	63de7eefa324c97a8f31c6d7adb6c795f3ae53517be4ef7e39218fd94d55e04dN.exe	83
PID 4648 wrote to memory of 2332	4648	63de7eefa324c97a8f31c6d7adb6c795f3ae53517be4ef7e39218fd94d55e04dN.exe	84
PID 4648 wrote to memory of 2332	4648	63de7eefa324c97a8f31c6d7adb6c795f3ae53517be4ef7e39218fd94d55e04dN.exe	84
PID 4648 wrote to memory of 2332	4648	63de7eefa324c97a8f31c6d7adb6c795f3ae53517be4ef7e39218fd94d55e04dN.exe	84
PID 2332 wrote to memory of 4776	2332	Synaptics.exe	85
PID 2332 wrote to memory of 4776	2332	Synaptics.exe	85
PID 2332 wrote to memory of 4776	2332	Synaptics.exe	85

C:\Users\Admin\AppData\Local\Temp\63de7eefa324c97a8f31c6d7adb6c795f3ae53517be4ef7e39218fd94d55e04dN.exe
"C:\Users\Admin\AppData\Local\Temp\63de7eefa324c97a8f31c6d7adb6c795f3ae53517be4ef7e39218fd94d55e04dN.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Users\Admin\AppData\Local\Temp\._cache_63de7eefa324c97a8f31c6d7adb6c795f3ae53517be4ef7e39218fd94d55e04dN.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_63de7eefa324c97a8f31c6d7adb6c795f3ae53517be4ef7e39218fd94d55e04dN.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1468
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4776

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1068

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

232.168.11.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.168.11.51.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

167.173.78.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

167.173.78.104.in-addr.arpa

IN PTR

Response

167.173.78.104.in-addr.arpa

IN PTR

a104-78-173-167deploystaticakamaitechnologiescom
DNS

71.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

71.31.126.40.in-addr.arpa

IN PTR

Response
DNS

46.28.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

46.28.109.52.in-addr.arpa

IN PTR

Response
DNS

184.112.67.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

184.112.67.20.in-addr.arpa

IN PTR

Response
DNS

4.73.50.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

4.73.50.20.in-addr.arpa

IN PTR

Response
DNS

xred.mooo.com

Synaptics.exe

Remote address:

8.8.8.8:53

Request

xred.mooo.com

IN A

Response
DNS

freedns.afraid.org

Synaptics.exe

Remote address:

8.8.8.8:53

Request

freedns.afraid.org

IN A

Response

freedns.afraid.org

IN A

69.42.215.252
GET

http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

Synaptics.exe

Remote address:

69.42.215.252:80

Request

GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1
User-Agent: MyApp
Host: freedns.afraid.org
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 19 Jan 2025 21:58:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Cache: MISS
DNS

252.215.42.69.in-addr.arpa

Remote address:

8.8.8.8:53

Request

252.215.42.69.in-addr.arpa

IN PTR

Response
DNS

252.215.42.69.in-addr.arpa

Remote address:

8.8.8.8:53

Request

252.215.42.69.in-addr.arpa

IN PTR

Response
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

200.163.202.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.163.202.172.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

167.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

167.190.18.2.in-addr.arpa

IN PTR

Response

167.190.18.2.in-addr.arpa

IN PTR

a2-18-190-167deploystaticakamaitechnologiescom
DNS

133.130.81.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.130.81.91.in-addr.arpa

IN PTR

Response
DNS

docs.google.com

Synaptics.exe

Remote address:

8.8.8.8:53

Request

docs.google.com

IN A

Response

docs.google.com

IN A

142.250.179.238
GET

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

142.250.179.238:443

Request

GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache

Response

HTTP/1.1 303 See Other

Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sun, 19 Jan 2025 21:59:56 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-yIGlMw4sMKfTUEy-X-WsQw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Cross-Origin-Opener-Policy: same-origin
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
GET

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

142.250.179.238:443

Request

GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache
Cookie: NID=520=h3GsbgD_sieN0pfbW2EE2o8mUCS0bPcN3sbYrga5Jxf78xajJQtG4PNCmKZbhhd6-ST4_zokOIBUZ0PrG1R7XYAvE4HyYS0EeBIPaWfCc--oX4pLljHCZk6v3gVfoWimgKfqUqZASI8Eh0FTWif9PO4QDgiDLdi3XyHUV3fNDyeIDsdMtMkq4iJF

Response

HTTP/1.1 303 See Other

Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sun, 19 Jan 2025 21:59:56 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Security-Policy: script-src 'report-sample' 'nonce-jpDNCj_oilQkdMnszpjU7g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Cross-Origin-Opener-Policy: same-origin
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
GET

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

142.250.179.238:443

Request

GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache
Cookie: NID=520=h3GsbgD_sieN0pfbW2EE2o8mUCS0bPcN3sbYrga5Jxf78xajJQtG4PNCmKZbhhd6-ST4_zokOIBUZ0PrG1R7XYAvE4HyYS0EeBIPaWfCc--oX4pLljHCZk6v3gVfoWimgKfqUqZASI8Eh0FTWif9PO4QDgiDLdi3XyHUV3fNDyeIDsdMtMkq4iJF

Response

HTTP/1.1 303 See Other

Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sun, 19 Jan 2025 21:59:57 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-RthWpWQOsWMPhDpMFA2peQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

c.pki.goog

Synaptics.exe

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.178.3
GET

http://c.pki.goog/r/r1.crl

Synaptics.exe

Remote address:

142.250.178.3:80

Request

GET /r/r1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 854
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Sun, 19 Jan 2025 21:50:32 GMT
Expires: Sun, 19 Jan 2025 22:40:32 GMT
Cache-Control: public, max-age=3000
Age: 563
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
DNS

o.pki.goog

Synaptics.exe

Remote address:

8.8.8.8:53

Request

o.pki.goog

IN A

Response

o.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.178.3
GET

http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDREXAZkIcRFgn9FoWvtnQ0

Synaptics.exe

Remote address:

142.250.178.3:80

Request

GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDREXAZkIcRFgn9FoWvtnQ0 HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: o.pki.goog

Response

HTTP/1.1 200 OK

Server: ocsp_responder
Content-Length: 472
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Sun, 19 Jan 2025 21:15:57 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 2639
GET

http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQCtrC6LRgin8QlSmIIYAEvj

Synaptics.exe

Remote address:

142.250.178.3:80

Request

GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQCtrC6LRgin8QlSmIIYAEvj HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: o.pki.goog

Response

HTTP/1.1 200 OK

Server: ocsp_responder
Content-Length: 472
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Sun, 19 Jan 2025 21:02:08 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 3468
DNS

drive.usercontent.google.com

Synaptics.exe

Remote address:

8.8.8.8:53

Request

drive.usercontent.google.com

IN A

Response

drive.usercontent.google.com

IN A

216.58.212.193
GET

https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

216.58.212.193:443

Request

GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

X-GUploader-UploadID: AFIdbgSFNakSWpsStwEp4HReeGP0-qb4o3FBMyU2tHnrenDwWb1wUwJ4N9XsMRGXOlkYPlqF
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sun, 19 Jan 2025 21:59:56 GMT
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-AlT4BlWC8o0H8vgTra4s1Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Length: 1652
Server: UploadServer
Set-Cookie: NID=520=h3GsbgD_sieN0pfbW2EE2o8mUCS0bPcN3sbYrga5Jxf78xajJQtG4PNCmKZbhhd6-ST4_zokOIBUZ0PrG1R7XYAvE4HyYS0EeBIPaWfCc--oX4pLljHCZk6v3gVfoWimgKfqUqZASI8Eh0FTWif9PO4QDgiDLdi3XyHUV3fNDyeIDsdMtMkq4iJF; expires=Mon, 21-Jul-2025 21:59:56 GMT; path=/; domain=.google.com; HttpOnly
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
GET

https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

216.58.212.193:443

Request

GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive
Cookie: NID=520=h3GsbgD_sieN0pfbW2EE2o8mUCS0bPcN3sbYrga5Jxf78xajJQtG4PNCmKZbhhd6-ST4_zokOIBUZ0PrG1R7XYAvE4HyYS0EeBIPaWfCc--oX4pLljHCZk6v3gVfoWimgKfqUqZASI8Eh0FTWif9PO4QDgiDLdi3XyHUV3fNDyeIDsdMtMkq4iJF

Response

HTTP/1.1 404 Not Found

X-GUploader-UploadID: AFIdbgQFMMXWBdxRHoRwxidTMkDOx3fZdZb31l93WiKrOwKilH6JSt3AaXtPW2VevpjiGJeL
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sun, 19 Jan 2025 21:59:56 GMT
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: script-src 'report-sample' 'nonce-6Asa1xptSemFthcWwAGoHA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Length: 1652
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
GET

https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

216.58.212.193:443

Request

GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive
Cookie: NID=520=h3GsbgD_sieN0pfbW2EE2o8mUCS0bPcN3sbYrga5Jxf78xajJQtG4PNCmKZbhhd6-ST4_zokOIBUZ0PrG1R7XYAvE4HyYS0EeBIPaWfCc--oX4pLljHCZk6v3gVfoWimgKfqUqZASI8Eh0FTWif9PO4QDgiDLdi3XyHUV3fNDyeIDsdMtMkq4iJF

Response

HTTP/1.1 404 Not Found

X-GUploader-UploadID: AFIdbgSpWkuRQ_V1MK6YrkAekm-Wr0xvKfLsXEWg29bwsBbhonmvQ3ZedMa9jl4exuGa-BXOAvMT9s0
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Sun, 19 Jan 2025 21:59:57 GMT
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: script-src 'report-sample' 'nonce-SWQhgntk6p-IqM2he8Y9qw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Cross-Origin-Opener-Policy: same-origin
Content-Length: 1652
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
DNS

3.178.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

3.178.250.142.in-addr.arpa

IN PTR

Response

3.178.250.142.in-addr.arpa

IN PTR

lhr48s27-in-f31e100net
DNS

193.212.58.216.in-addr.arpa

Remote address:

8.8.8.8:53

Request

193.212.58.216.in-addr.arpa

IN PTR

Response

193.212.58.216.in-addr.arpa

IN PTR

lhr25s27-in-f11e100net

193.212.58.216.in-addr.arpa

IN PTR

ams16s21-in-f1�H

193.212.58.216.in-addr.arpa

IN PTR

ams16s21-in-f193�H
DNS

13.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.227.111.52.in-addr.arpa

IN PTR

Response

69.42.215.252:80

http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

http

Synaptics.exe

614 B
415 B
10
4

HTTP Request

GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

HTTP Response

200
142.250.179.238:443

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

tls, http

Synaptics.exe

1.9kB
11.3kB
16
14

HTTP Request

GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

303

HTTP Request

GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

303

HTTP Request

GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

303
142.250.178.3:80

http://c.pki.goog/r/r1.crl

http

Synaptics.exe

303 B
1.7kB
4
4

HTTP Request

GET http://c.pki.goog/r/r1.crl

HTTP Response

200
142.250.178.3:80

http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQCtrC6LRgin8QlSmIIYAEvj

http

Synaptics.exe

736 B
1.6kB
6
4

HTTP Request

GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDREXAZkIcRFgn9FoWvtnQ0

HTTP Response

200

HTTP Request

GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQCtrC6LRgin8QlSmIIYAEvj

HTTP Response

200
216.58.212.193:443

https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

tls, http

Synaptics.exe

2.4kB
14.7kB
23
21

HTTP Request

GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

404

HTTP Request

GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

404

HTTP Request

GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

404

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

232.168.11.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

232.168.11.51.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

167.173.78.104.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

167.173.78.104.in-addr.arpa
8.8.8.8:53

71.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

71.31.126.40.in-addr.arpa
8.8.8.8:53

46.28.109.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

46.28.109.52.in-addr.arpa
8.8.8.8:53

184.112.67.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

184.112.67.20.in-addr.arpa
8.8.8.8:53

4.73.50.20.in-addr.arpa

dns

69 B
155 B
1
1

DNS Request

4.73.50.20.in-addr.arpa
8.8.8.8:53

xred.mooo.com

dns

Synaptics.exe

59 B
118 B
1
1

DNS Request

xred.mooo.com
8.8.8.8:53

freedns.afraid.org

dns

Synaptics.exe

64 B
80 B
1
1

DNS Request

freedns.afraid.org

DNS Response

69.42.215.252
224.0.0.251:5353

114 B
2
8.8.8.8:53

252.215.42.69.in-addr.arpa

dns

144 B
144 B
2
2

DNS Request

252.215.42.69.in-addr.arpa

DNS Request

252.215.42.69.in-addr.arpa
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

200.163.202.172.in-addr.arpa

dns

74 B
160 B
1
1

DNS Request

200.163.202.172.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

167.190.18.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

167.190.18.2.in-addr.arpa
8.8.8.8:53

133.130.81.91.in-addr.arpa

dns

72 B
147 B
1
1

DNS Request

133.130.81.91.in-addr.arpa
8.8.8.8:53

docs.google.com

dns

Synaptics.exe

61 B
77 B
1
1

DNS Request

docs.google.com

DNS Response

142.250.179.238
8.8.8.8:53

c.pki.goog

dns

Synaptics.exe

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.178.3
8.8.8.8:53

o.pki.goog

dns

Synaptics.exe

56 B
107 B
1
1

DNS Request

o.pki.goog

DNS Response

142.250.178.3
8.8.8.8:53

drive.usercontent.google.com

dns

Synaptics.exe

74 B
90 B
1
1

DNS Request

drive.usercontent.google.com

DNS Response

216.58.212.193
8.8.8.8:53

3.178.250.142.in-addr.arpa

dns

72 B
110 B
1
1

DNS Request

3.178.250.142.in-addr.arpa
8.8.8.8:53

193.212.58.216.in-addr.arpa

dns

73 B
171 B
1
1

DNS Request

193.212.58.216.in-addr.arpa
8.8.8.8:53

13.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

13.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.8MB

MD5
b8fb75331078770f7fbdf9d5154482f0

SHA1
7034b7ff7484102a84451a5f62997b631dddd8db

SHA256
63de7eefa324c97a8f31c6d7adb6c795f3ae53517be4ef7e39218fd94d55e04d

SHA512
0d047ebd748e1a57387d520407100447f53dbdb414e1d4f794df4915a45c43cbb46149a364d88ba65b4df4c17fa3c83a88fc9704b38bb03525537fc6cecb174f

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_63de7eefa324c97a8f31c6d7adb6c795f3ae53517be4ef7e39218fd94d55e04dN.exe

Filesize
1.1MB

MD5
92b6f926e8c048fbd69ac84ab7683e94

SHA1
bab4040dca7222537d26a007b246634486f03892

SHA256
e4115906f2e6d880ea12e498310494403275018d87788ca7cc4bd48c8376ce6f

SHA512
29adf1f7764c40e320fcf02636de1a546b850b16c451a87adacc3ab364fa2f8007c6f56a77674d36298a3113ccf45ecb4f337311c7c20601182193fbc152253b

Download Submit
C:\Users\Admin\AppData\Local\Temp\36A75E00

Filesize
21KB

MD5
71f49d22f75fe557407c6acb569488fd

SHA1
128496c28b3f9112fec00b24cfa7fe617db92023

SHA256
32840e4fce2d84daf3e7cc3cfcaa5af7d0a98d21676e25c30a558691ad0eb3b9

SHA512
4f5c7892f46b614ba775b779e6335ad79597b5c6884c016b6ca432cbebb68db6151e5fab527d97298cdce6224bcbd689bef07f53805fdb8d18eab69f7d4fa054

Download Submit
C:\Users\Admin\AppData\Local\Temp\jXUhuMnJ.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
memory/1068-195-0x00007FF8E54C0000-0x00007FF8E54D0000-memory.dmp

Filesize
64KB

Download
memory/1068-253-0x00007FF8E7890000-0x00007FF8E78A0000-memory.dmp

Filesize
64KB

Download
memory/1068-191-0x00007FF8E7890000-0x00007FF8E78A0000-memory.dmp

Filesize
64KB

Download
memory/1068-192-0x00007FF8E7890000-0x00007FF8E78A0000-memory.dmp

Filesize
64KB

Download
memory/1068-193-0x00007FF8E7890000-0x00007FF8E78A0000-memory.dmp

Filesize
64KB

Download
memory/1068-194-0x00007FF8E7890000-0x00007FF8E78A0000-memory.dmp

Filesize
64KB

Download
memory/1068-190-0x00007FF8E7890000-0x00007FF8E78A0000-memory.dmp

Filesize
64KB

Download
memory/1068-196-0x00007FF8E54C0000-0x00007FF8E54D0000-memory.dmp

Filesize
64KB

Download
memory/1068-251-0x00007FF8E7890000-0x00007FF8E78A0000-memory.dmp

Filesize
64KB

Download
memory/1068-252-0x00007FF8E7890000-0x00007FF8E78A0000-memory.dmp

Filesize
64KB

Download
memory/1068-254-0x00007FF8E7890000-0x00007FF8E78A0000-memory.dmp

Filesize
64KB

Download
memory/2332-129-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/2332-256-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/2332-255-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2332-281-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4648-127-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4648-0-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.