Analysis
max time kernel: 38s
max time network: 41s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system
submitted: 22/01/2025, 13:43
Behavioral task: behavioral1
Sample: 4363463463464363463463463.zip
Resource: win11-20241007-en
Behavioral task: behavioral2
Sample: 4363463463464363463463463.zip
Resource: win11-20241007-en
General
Target: 4363463463464363463463463.zip
Size: 393KB
MD5: c223234ed4e0bc5325c0b09744f06b6d
SHA1: ecfdd884ee353ceb205be8729eb683aeca5cce2e
SHA256: fda46baacb7dcd211250fe29aaa2b1b17657961675b4d8c6415a0c3d004d00a6
SHA512: b36c66d8c4c3c2d46a24bb85bd165e71b862f1de8cdc600f343f12a0238e3a5b3d48cb91a06acd6e0024e30798ddc715c211b4d59a65197d8058e3c937df4d1f
SSDEEP: 6144:mw6UunfgHXYz9cZLa2MM1ZDQblzXhVqWvSI6Xr6i5OywSiTbBeqscDoAUll4QwjS:mJUKz9cB3MMnmd+W6vXmi5ONvMc05yQ
Malware Config
Extracted: xred
xred.mooo.com
payload_url:
Extracted: lumma
Signatures
Lumma family
Xred family
Downloads MZ/PE file
Executes dropped EXE (7 IoCs)
  pid   Process
  4656  4363463463464363463463463.exe
  852   ._cache_4363463463464363463463463.exe
  2728  Synaptics.exe
  1180  ._cache_Synaptics.exe
  3496  Loader.exe
  3080  Loader.exe
  4544  Loader.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                          Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"  4363463463464363463463463.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow  ioc
  4     raw.githubusercontent.com
  20    raw.githubusercontent.com
Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   Process     procid_target
  PID 3496 set thread context of 4544  3496  Loader.exe  90
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Loader.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Loader.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  4363463463464363463463463.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ._cache_4363463463464363463463463.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Synaptics.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ._cache_Synaptics.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                 Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                              Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE
Modifies registry class (2 IoCs)
  description  ioc                                                                                                          Process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  4363463463464363463463463.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  Synaptics.exe
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid   Process
  3068  EXCEL.EXE
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  3464  7zFM.exe
  3464  7zFM.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  3464  7zFM.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description                 pid   Process
  Token: SeRestorePrivilege   3464  7zFM.exe
  Token: 35                   3464  7zFM.exe
  Token: SeSecurityPrivilege  3464  7zFM.exe
  Token: SeDebugPrivilege     852   ._cache_4363463463464363463463463.exe
  Token: SeDebugPrivilege     1180  ._cache_Synaptics.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  3464  7zFM.exe
  3464  7zFM.exe
Suspicious use of SetWindowsHookEx (8 IoCs)
  pid   Process
  3068  EXCEL.EXE
  3068  EXCEL.EXE
  3068  EXCEL.EXE
  3068  EXCEL.EXE
  3068  EXCEL.EXE
  3068  EXCEL.EXE
  3068  EXCEL.EXE
  3068  EXCEL.EXE
Suspicious use of WriteProcessMemory (28 IoCs)
  description                        pid   Process                                 procid_target
  PID 3464 wrote to memory of 4656   3464  7zFM.exe                                77
  PID 3464 wrote to memory of 4656   3464  7zFM.exe                                77
  PID 3464 wrote to memory of 4656   3464  7zFM.exe                                77
  PID 4656 wrote to memory of 852    4656  4363463463464363463463463.exe           80
  PID 4656 wrote to memory of 852    4656  4363463463464363463463463.exe           80
  PID 4656 wrote to memory of 852    4656  4363463463464363463463463.exe           80
  PID 4656 wrote to memory of 2728   4656  4363463463464363463463463.exe           82
  PID 4656 wrote to memory of 2728   4656  4363463463464363463463463.exe           82
  PID 4656 wrote to memory of 2728   4656  4363463463464363463463463.exe           82
  PID 2728 wrote to memory of 1180   2728  Synaptics.exe                           83
  PID 2728 wrote to memory of 1180   2728  Synaptics.exe                           83
  PID 2728 wrote to memory of 1180   2728  Synaptics.exe                           83
  PID 852 wrote to memory of 3496    852   ._cache_4363463463464363463463463.exe   87
  PID 852 wrote to memory of 3496    852   ._cache_4363463463464363463463463.exe   87
  PID 852 wrote to memory of 3496    852   ._cache_4363463463464363463463463.exe   87
  PID 3496 wrote to memory of 3080   3496  Loader.exe                              89
  PID 3496 wrote to memory of 3080   3496  Loader.exe                              89
  PID 3496 wrote to memory of 3080   3496  Loader.exe                              89
  PID 3496 wrote to memory of 4544   3496  Loader.exe                              90
  PID 3496 wrote to memory of 4544   3496  Loader.exe                              90
  PID 3496 wrote to memory of 4544   3496  Loader.exe                              90
  PID 3496 wrote to memory of 4544   3496  Loader.exe                              90
  PID 3496 wrote to memory of 4544   3496  Loader.exe                              90
  PID 3496 wrote to memory of 4544   3496  Loader.exe                              90
  PID 3496 wrote to memory of 4544   3496  Loader.exe                              90
  PID 3496 wrote to memory of 4544   3496  Loader.exe                              90
  PID 3496 wrote to memory of 4544   3496  Loader.exe                              90
  PID 3496 wrote to memory of 4544   3496  Loader.exe                              90
Processes
C:\Program Files\7-Zip\7zFM.exe (level 1)
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.zip"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 3464
  C:\Users\Admin\AppData\Local\Temp\7zO88D2D0F7\4363463463464363463463463.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zO88D2D0F7\4363463463464363463463463.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 4656
    C:\Users\Admin\AppData\Local\Temp\7zO88D2D0F7\._cache_4363463463464363463463463.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\7zO88D2D0F7\._cache_4363463463464363463463463.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 852
      C:\Users\Admin\AppData\Local\Temp\7zO88D2D0F7\Files\Loader.exe (level 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\7zO88D2D0F7\Files\Loader.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 3496
        C:\Users\Admin\AppData\Local\Temp\7zO88D2D0F7\Files\Loader.exe (level 5)
          Command line: "C:\Users\Admin\AppData\Local\Temp\7zO88D2D0F7\Files\Loader.exe"
          - Executes dropped EXE
          PID: 3080
        C:\Users\Admin\AppData\Local\Temp\7zO88D2D0F7\Files\Loader.exe (level 5)
          Command line: "C:\Users\Admin\AppData\Local\Temp\7zO88D2D0F7\Files\Loader.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 4544
    C:\ProgramData\Synaptics\Synaptics.exe (level 3)
      Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      PID: 2728
      C:\Users\Admin\AppData\Local\Temp\7zO88D2D0F7\._cache_Synaptics.exe (level 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\7zO88D2D0F7\._cache_Synaptics.exe" InjUpdate
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID: 1180
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (level 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 3068
Network
MITRE ATT&CK Enterprise v15
Downloads