Analysis
max time kernel: 141s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/02/2025, 18:37
Behavioral task behavioral1: Sample Microsoft.exe, Resource win7-20240903-en
Behavioral task behavioral2: Sample Microsoft.exe, Resource win10v2004-20250129-en
General
Target: Microsoft.exe
Size: 759KB
MD5: a0faa0a41f33e6a28ffe564c5b256bd2
SHA1: 9fa6b3d29ddd4034b1ec05a44b97941f0ae2ec34
SHA256: 22d71939ba6e7ed1949625c1ba4e8a40b1bf96c222445a94fd2a94bcb26cffb8
SHA512: 488ae540fa69204dd51ffea778619dbee42079d4768521c26e9d56aa089dbf4fbcbadc5682f41557efb21f536085aae64c0a265df3cce46aacebb55a26bf5165
SSDEEP: 12288:WMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9e5j:WnsJ39LyjbJkQFMhmC+6GD90
Malware Config
Extracted
xred
xred.mooo.com
payload_url
Signatures
Xred family
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation | Microsoft.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation | Synaptics.exe
Executes dropped EXE (3 IoCs)
  pid | Process
  740 | ._cache_Microsoft.exe
  2064 | Synaptics.exe
  412 | ._cache_Synaptics.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | Microsoft.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Microsoft.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Synaptics.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Modifies registry class (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Microsoft.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Synaptics.exe
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | Process
  4284 | EXCEL.EXE
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  740 | ._cache_Microsoft.exe
  412 | ._cache_Synaptics.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 740 | ._cache_Microsoft.exe
  Token: SeDebugPrivilege | 412 | ._cache_Synaptics.exe
Suspicious use of SetWindowsHookEx (8 IoCs)
  pid | Process
  4284 | EXCEL.EXE (8 identical entries)
Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 3176 wrote to memory of 740 | 3176 | Microsoft.exe | 86
  PID 3176 wrote to memory of 740 | 3176 | Microsoft.exe | 86
  PID 3176 wrote to memory of 2064 | 3176 | Microsoft.exe | 87
  PID 3176 wrote to memory of 2064 | 3176 | Microsoft.exe | 87
  PID 3176 wrote to memory of 2064 | 3176 | Microsoft.exe | 87
  PID 2064 wrote to memory of 412 | 2064 | Synaptics.exe | 91
  PID 2064 wrote to memory of 412 | 2064 | Synaptics.exe | 91
Processes
C:\Users\Admin\AppData\Local\Temp\Microsoft.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"
  PID: 3176
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\._cache_Microsoft.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Microsoft.exe"
    PID: 740
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\ProgramData\Synaptics\Synaptics.exe
    Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    PID: 2064
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      PID: 412
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  PID: 4284
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads