Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
31s -
max time network
32s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
01/02/2025, 09:19
General
-
Target
Synaptics.exe
-
Size
764KB
-
MD5
85e3d4ac5a6ef32fb93764c090ef32b7
-
SHA1
adedb0aab26d15cf96f66fda8b4cfbbdcc15ef52
-
SHA256
4e5cc8cb98584335400d00f0a0803c3e0202761f3fbe50bcab3858a80df255e1
-
SHA512
a7a037bde41bcd425be18a712e27a793185f7fde638e139bbd9d253c371cd9622385eda39cf91ab715ead2591cff5b8c9f5b31d903f138d8af7bab6a9001ccab
-
SSDEEP
12288:6MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Ufbj:6nsJ39LyjbJkQFMhmC+6GD9mH
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Extracted
quasar
1.4.1
CleanerV2
192.168.4.185:4782
1607a026-352e-4041-bc1f-757dd6cd2e95
-
encryption_key
73BCD6A075C4505333DE1EDC77C7242196AF9552
-
install_name
Client.exe
-
log_directory
Clean
-
reconnect_delay
3000
-
startup_key
CleanerV2
-
subdirectory
SubDir
Signatures
-
Quasar family
-
Quasar payload 2 IoCs
resource yara_rule behavioral1/files/0x0002000000025cda-197.dat family_quasar behavioral1/memory/4844-204-0x00000000003E0000-0x0000000000704000-memory.dmp family_quasar -
Xred family
-
Downloads MZ/PE file 1 IoCs
flow pid Process 29 5096 ._cache_Synaptics.exe -
Executes dropped EXE 5 IoCs
pid Process 2172 ._cache_Synaptics.exe 3700 Synaptics.exe 5096 ._cache_Synaptics.exe 4844 CleanerV2.exe 400 Client.exe -
Loads dropped DLL 2 IoCs
pid Process 3700 Synaptics.exe 3700 Synaptics.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" Synaptics.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 1 raw.githubusercontent.com 29 raw.githubusercontent.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Synaptics.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE -
Modifies registry class 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix BackgroundTransferHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" BackgroundTransferHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" BackgroundTransferHost.exe Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\MuiCache BackgroundTransferHost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Synaptics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Synaptics.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4220 schtasks.exe 2004 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1172 EXCEL.EXE -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2172 ._cache_Synaptics.exe Token: SeDebugPrivilege 5096 ._cache_Synaptics.exe Token: SeDebugPrivilege 4844 CleanerV2.exe Token: SeDebugPrivilege 400 Client.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 400 Client.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 400 Client.exe -
Suspicious use of SetWindowsHookEx 9 IoCs
pid Process 1172 EXCEL.EXE 1172 EXCEL.EXE 1172 EXCEL.EXE 1172 EXCEL.EXE 1172 EXCEL.EXE 1172 EXCEL.EXE 1172 EXCEL.EXE 1172 EXCEL.EXE 400 Client.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 4776 wrote to memory of 2172 4776 Synaptics.exe 77 PID 4776 wrote to memory of 2172 4776 Synaptics.exe 77 PID 4776 wrote to memory of 2172 4776 Synaptics.exe 77 PID 4776 wrote to memory of 3700 4776 Synaptics.exe 79 PID 4776 wrote to memory of 3700 4776 Synaptics.exe 79 PID 4776 wrote to memory of 3700 4776 Synaptics.exe 79 PID 3700 wrote to memory of 5096 3700 Synaptics.exe 80 PID 3700 wrote to memory of 5096 3700 Synaptics.exe 80 PID 3700 wrote to memory of 5096 3700 Synaptics.exe 80 PID 5096 wrote to memory of 4844 5096 ._cache_Synaptics.exe 90 PID 5096 wrote to memory of 4844 5096 ._cache_Synaptics.exe 90 PID 4844 wrote to memory of 4220 4844 CleanerV2.exe 91 PID 4844 wrote to memory of 4220 4844 CleanerV2.exe 91 PID 4844 wrote to memory of 400 4844 CleanerV2.exe 93 PID 4844 wrote to memory of 400 4844 CleanerV2.exe 93 PID 400 wrote to memory of 2004 400 Client.exe 94 PID 400 wrote to memory of 2004 400 Client.exe 94 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\Synaptics.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2172
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3700 -
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate3⤵
- Downloads MZ/PE file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Users\Admin\AppData\Local\Temp\Files\CleanerV2.exe"C:\Users\Admin\AppData\Local\Temp\Files\CleanerV2.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "CleanerV2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
PID:4220
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "CleanerV2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f6⤵
- Scheduled Task/Job: Scheduled Task
PID:2004
-
-
-
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1172
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵PID:3504
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.131⤵
- Modifies registry class
PID:4956
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
764KB
MD585e3d4ac5a6ef32fb93764c090ef32b7
SHA1adedb0aab26d15cf96f66fda8b4cfbbdcc15ef52
SHA2564e5cc8cb98584335400d00f0a0803c3e0202761f3fbe50bcab3858a80df255e1
SHA512a7a037bde41bcd425be18a712e27a793185f7fde638e139bbd9d253c371cd9622385eda39cf91ab715ead2591cff5b8c9f5b31d903f138d8af7bab6a9001ccab
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\86a8dc27-86d9-426c-b1ef-408d8bec040d.down_data
Filesize555KB
MD55683c0028832cae4ef93ca39c8ac5029
SHA1248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3
-
Filesize
10KB
MD52a94f3960c58c6e70826495f76d00b85
SHA1e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA2562fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
Filesize
22KB
MD5daf6e82c0c13921cd7c2aff60a7bed9a
SHA1a548d0f5ff7bedb0bddd64da266c1894d058a311
SHA256c813009be2c90202c5b84121bef5131c07354f7fd2a92f3c7c7b047fd9bc702f
SHA512a0239737279d4abc19384a288d2b0f43ba1b32bcd98e7796c6b5f634437ab1e5a44bd9f5316007cd44dbe430b2e33e618c19363f780700390193d9b6a68b3126
-
Filesize
3.1MB
MD5e6aeb08ae65e312d03f1092df3ba422c
SHA1f0a4cbe24646ad6bd75869ecc8991fd3a7b55e62
SHA25674fc53844845b75a441d394b74932caa7c7ad583e091ec0521c78ebad718100e
SHA5125cce681c2bfea2924516abab84028ebbd78194a4a9a83f9cfdcebdf88aba9e799b1e9ca859a0c68a2438c1c6b605120fc5f192db205173b36237512623514284
-
Filesize
17KB
MD5e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04