Analysis
max time kernel: 112s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 21/01/2025, 10:36
Behavioral task behavioral1
Sample: ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe
Resource: win7-20241010-en
Behavioral task behavioral2
Sample: ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe
Resource: win10v2004-20241007-en
General
Target: ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe
Size: 1.1MB
MD5: 2f11696096547bb90be1d77e2a6fbd87
SHA1: af51fd9d955700b9b7528a9600f4b73082462f6c
SHA256: ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e
SHA512: 492eefa13df44a3aeae1c1f184c566bc27bdd36965dc3ff1280c8dce0615b4a7a51074ca5bf82cb54e9076c44e591f9134c9449ec0eeddaf47e60361f857ff90
SSDEEP: 12288:4MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9gB+FT+ucrZ:4nsJ39LyjbJkQFMhmC+6GD96y0V
Malware Config
Extracted
xred
xred.mooo.com
payload_url:
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Xred family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | Synaptics.exe
Executes dropped EXE 3 IoCs
pid | Process
4504 | ._cache_ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe
5092 | Synaptics.exe
4612 | ._cache_Synaptics.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Synaptics.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dw20.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_Synaptics.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dw20.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe
Checks processor information in registry 2 TTPs 9 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
Enumerates system info in registry 2 TTPs 7 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Modifies registry class 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Synaptics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2424 | EXCEL.EXE
Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | Process
Token: SeRestorePrivilege | 1692 | dw20.exe
Token: SeBackupPrivilege | 1692 | dw20.exe
Token: SeBackupPrivilege | 1692 | dw20.exe
Token: SeBackupPrivilege | 1692 | dw20.exe
Token: SeBackupPrivilege | 2928 | dw20.exe
Token: SeBackupPrivilege | 2928 | dw20.exe
Suspicious use of SetWindowsHookEx 8 IoCs
pid | Process
2424 | EXCEL.EXE
2424 | EXCEL.EXE
2424 | EXCEL.EXE
2424 | EXCEL.EXE
2424 | EXCEL.EXE
2424 | EXCEL.EXE
2424 | EXCEL.EXE
2424 | EXCEL.EXE
Suspicious use of WriteProcessMemory 15 IoCs
description | pid | Process | procid_target
PID 2000 wrote to memory of 4504 | 2000 | ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe | 83
PID 2000 wrote to memory of 4504 | 2000 | ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe | 83
PID 2000 wrote to memory of 4504 | 2000 | ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe | 83
PID 2000 wrote to memory of 5092 | 2000 | ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe | 84
PID 2000 wrote to memory of 5092 | 2000 | ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe | 84
PID 2000 wrote to memory of 5092 | 2000 | ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe | 84
PID 4504 wrote to memory of 1692 | 4504 | ._cache_ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe | 85
PID 4504 wrote to memory of 1692 | 4504 | ._cache_ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe | 85
PID 4504 wrote to memory of 1692 | 4504 | ._cache_ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe | 85
PID 5092 wrote to memory of 4612 | 5092 | Synaptics.exe | 87
PID 5092 wrote to memory of 4612 | 5092 | Synaptics.exe | 87
PID 5092 wrote to memory of 4612 | 5092 | Synaptics.exe | 87
PID 4612 wrote to memory of 2928 | 4612 | ._cache_Synaptics.exe | 89
PID 4612 wrote to memory of 2928 | 4612 | ._cache_Synaptics.exe | 89
PID 4612 wrote to memory of 2928 | 4612 | ._cache_Synaptics.exe | 89
Processes
C:\Users\Admin\AppData\Local\Temp\ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe"
  PID: 2000
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\._cache_ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe"
      PID: 4504
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
          Command line: dw20.exe -x -s 824
          PID: 1692
          - System Location Discovery: System Language Discovery
          - Checks processor information in registry
          - Enumerates system info in registry
          - Suspicious use of AdjustPrivilegeToken
    C:\ProgramData\Synaptics\Synaptics.exe
      Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      PID: 5092
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
          PID: 4612
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
              Command line: dw20.exe -x -s 832
              PID: 2928
              - System Location Discovery: System Language Discovery
              - Checks processor information in registry
              - Enumerates system info in registry
              - Suspicious use of AdjustPrivilegeToken
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  PID: 2424
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1.1MB
MD5: 2f11696096547bb90be1d77e2a6fbd87
SHA1: af51fd9d955700b9b7528a9600f4b73082462f6c
SHA256: ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e
SHA512: 492eefa13df44a3aeae1c1f184c566bc27bdd36965dc3ff1280c8dce0615b4a7a51074ca5bf82cb54e9076c44e591f9134c9449ec0eeddaf47e60361f857ff90
-
C:\Users\Admin\AppData\Local\Temp\._cache_ed5b30e41302e1ea89583f4e611955c0ad7cb254e5402886bcc929b80560021e.exe
Filesize: 390KB
MD5: fb01ddbb2526e00dd1eb1e8a9a1bcd42
SHA1: fc6205ba3c2cdf594fa96892028e409a4283c792
SHA256: 960d09544cdc2e1f655afed211900c5beed12b23a0853f79a504fe5fc0653912
SHA512: 7e31d6c032cbf75d68b30a4b73226f20f4ba48bf4184d90f17558e079641a77ed69a2c3d646ec0a211ae067691dd80787601e0f4a5d3a8abc49a2da8eabe3279
-
Filesize: 21KB
MD5: 6648d473acf39ca86c0ba1b915537107
SHA1: 205ea5685bb8ffb28d33b6bc56a9a6c733d96ff4
SHA256: 18e4dcd7559f3e6aa8a04f54dac6241383b5fbc9cc547b5dec043253e2990488
SHA512: 842f9ea9cea56ef2ee3b874fc33e093d64dfbaa17ee535da396cf152924322e0fdf523d3458665fc05b4b69971a4f8351e2ee00253ab270fb0b0cc37f498749f
-
Filesize: 17KB
MD5: e566fc53051035e1e6fd0ed1823de0f9
SHA1: 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256: 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512: a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04