Analysis
max time kernel: 113s
max time network: 104s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 21/01/2025, 10:36
Behavioral task: behavioral1
Sample: ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe
Resource: win10v2004-20241007-en
General
Target: ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe
Size: 1.1MB
MD5: 2f11696096547bb90be1d77e2a6fbd87
SHA1: af51fd9d955700b9b7528a9600f4b73082462f6c
SHA256: ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e
SHA512: 492eefa13df44a3aeae1c1f184c566bc27bdd36965dc3ff1280c8dce0615b4a7a51074ca5bf82cb54e9076c44e591f9134c9449ec0eeddaf47e60361f857ff90
SSDEEP: 12288:4MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9gB+FT+ucrZ:4nsJ39LyjbJkQFMhmC+6GD96y0V
Malware Config
Extracted
xred
xred.mooo.com
payload_url:
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures

Xred family

Executes dropped EXE (3 IoCs)
pid   Process
2188  ._cache_ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe
2948  Synaptics.exe
2780  ._cache_Synaptics.exe

Loads dropped DLL (11 IoCs)
pid   Process
1268  ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe
1268  ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe
1268  ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe
2980  dw20.exe
2980  dw20.exe
2948  Synaptics.exe
2948  Synaptics.exe
2684  dw20.exe
2684  dw20.exe
2684  dw20.exe
2980  dw20.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description      ioc                                                                                                                                                 Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"  ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ._cache_ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Synaptics.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dw20.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ._cache_Synaptics.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dw20.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  EXCEL.EXE

Enumerates system info in registry (2 TTPs, 1 IoC)
description  ioc                                                                   Process
Key opened   \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid   Process
2900  EXCEL.EXE

Suspicious use of SetWindowsHookEx (1 IoC)
pid   Process
2900  EXCEL.EXE

Suspicious use of WriteProcessMemory (20 IoCs)
description                       pid   Process                                                                          procid_target
PID 1268 wrote to memory of 2188  1268  ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe          29
PID 1268 wrote to memory of 2188  1268  ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe          29
PID 1268 wrote to memory of 2188  1268  ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe          29
PID 1268 wrote to memory of 2188  1268  ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe          29
PID 1268 wrote to memory of 2948  1268  ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe          30
PID 1268 wrote to memory of 2948  1268  ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe          30
PID 1268 wrote to memory of 2948  1268  ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe          30
PID 1268 wrote to memory of 2948  1268  ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe          30
PID 2188 wrote to memory of 2980  2188  ._cache_ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe  31
PID 2188 wrote to memory of 2980  2188  ._cache_ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe  31
PID 2188 wrote to memory of 2980  2188  ._cache_ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe  31
PID 2188 wrote to memory of 2980  2188  ._cache_ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe  31
PID 2948 wrote to memory of 2780  2948  Synaptics.exe                                                                    32
PID 2948 wrote to memory of 2780  2948  Synaptics.exe                                                                    32
PID 2948 wrote to memory of 2780  2948  Synaptics.exe                                                                    32
PID 2948 wrote to memory of 2780  2948  Synaptics.exe                                                                    32
PID 2780 wrote to memory of 2684  2780  ._cache_Synaptics.exe                                                            34
PID 2780 wrote to memory of 2684  2780  ._cache_Synaptics.exe                                                            34
PID 2780 wrote to memory of 2684  2780  ._cache_Synaptics.exe                                                            34
PID 2780 wrote to memory of 2684  2780  ._cache_Synaptics.exe                                                            34
Processes

C:\Users\Admin\AppData\Local\Temp\ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe"
  PID: 1268
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\._cache_ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe"
    PID: 2188
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 412
      PID: 2980
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

  C:\ProgramData\Synaptics\Synaptics.exe
    Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    PID: 2948
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      PID: 2780
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        Command line: dw20.exe -x -s 408
        PID: 2684
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
  PID: 2900
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.1MB
MD5: 2f11696096547bb90be1d77e2a6fbd87
SHA1: af51fd9d955700b9b7528a9600f4b73082462f6c
SHA256: ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e
SHA512: 492eefa13df44a3aeae1c1f184c566bc27bdd36965dc3ff1280c8dce0615b4a7a51074ca5bf82cb54e9076c44e591f9134c9449ec0eeddaf47e60361f857ff90

Filesize: 17KB
MD5: e566fc53051035e1e6fd0ed1823de0f9
SHA1: 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256: 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512: a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Filesize: 21KB
MD5: 1cca84a7f853599242a6a087857e6595
SHA1: 86e13819388515a45f73b8ae1d516ee6b02cfd3f
SHA256: a8e248262128063f61d38b957ab3866a325650caf5dda0c3b22f1909d5dd4f28
SHA512: 7bdce8e68d8226ceef671b2ce1f5cc2b7bf64e26cf36d8c18c703433abcf4c3997ba362054195543284cbb6bf086b1fb14426a0090f52e777cc9179dd1fc9813

\Users\Admin\AppData\Local\Temp\._cache_ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe
Filesize: 390KB
MD5: fb01ddbb2526e00dd1eb1e8a9a1bcd42
SHA1: fc6205ba3c2cdf594fa96892028e409a4283c792
SHA256: 960d09544cdc2e1f655afed211900c5beed12b23a0853f79a504fe5fc0653912
SHA512: 7e31d6c032cbf75d68b30a4b73226f20f4ba48bf4184d90f17558e079641a77ed69a2c3d646ec0a211ae067691dd80787601e0f4a5d3a8abc49a2da8eabe3279