Analysis

  • max time kernel
    217s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • submitted
    03-01-2024 14:24

General

  • Target

    38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe

  • Size

    3.5MB

  • MD5

    9faace482045ab5df714a1e42ccca112

  • SHA1

    85156d4347decd70b060f7f90aea67fc7ca7bde8

  • SHA256

    38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33

  • SHA512

    874f04dfad6149d0635c84bf3e6c51caf74a7d5ae7ac62477d6760cfa19dfe8571c2da6e1b149e7f837407cc5e905b4767015e0608d3554ef2a9e05bb87ca083

  • SSDEEP

    49152:9YREXSVMDi34QnsHyjtk2MYC5GDsVN/wEwqq8u5zn:S2SVMD8dnsmtk2alWqTuxn

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Gh0strat family
  • Parallax family
  • ParallaxRat

    ParallaxRat is a multipurpose RAT written in MASM.

  • ParallaxRat payload 22 IoCs

    Detects the payload of Parallax RAT, a small portable RAT that is usually digitally signed with a Sectigo certificate.

  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 17 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
    "C:\Users\Admin\AppData\Local\Temp\38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2640
    • C:\Users\Admin\AppData\Local\Temp\look2.exe
      C:\Users\Admin\AppData\Local\Temp\\look2.exe
      2⤵
      • Server Software Component: Terminal Services DLL
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2772
    • C:\Users\Admin\AppData\Local\Temp\HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
      C:\Users\Admin\AppData\Local\Temp\HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2968
      • C:\Users\Admin\AppData\Local\Temp\._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1696
        • C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe"
          4⤵
            PID:3000
        • C:\ProgramData\Synaptics\Synaptics.exe
          "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:848
          • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
            "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1300
            • C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
              "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1316
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 88
                6⤵
                • Program crash
                PID:2220
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k "svchcst"
      1⤵
        PID:1752
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe -k "svchcst"
        1⤵
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1832
        • C:\Windows\SysWOW64\svchcst.exe
          C:\Windows\system32\svchcst.exe "c:\windows\system32\259544744.bat",MainThread
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:1524
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
        1⤵
        • Drops startup file
        • System Location Discovery: System Language Discovery
        PID:1764
      • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
        1⤵
        • System Location Discovery: System Language Discovery
        • Enumerates system info in registry
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:2616

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe

        Filesize

        1.5MB

        MD5

        77f82a88068d77ba9ece00d21bf3a4db

        SHA1

        cedf93d2a9dae5a41c7797baaf535f008d0166e9

        SHA256

        33dd66da63f57e1d64d469172a5d5e7615924bcde919e962c4a5a00c51306051

        SHA512

        1c3e8eb58ea6139e738bcf1662037669f470d46cdc60c9b4297542bcc545a2673447686a99827a8d07ae06d0260d5b1778159cd41552bc2c571a06ef297a9e1d

      • C:\Users\Admin\AppData\Local\Temp\TMlTda13.xlsm

        Filesize

        17KB

        MD5

        e566fc53051035e1e6fd0ed1823de0f9

        SHA1

        00bc96c48b98676ecd67e81a6f1d7754e4156044

        SHA256

        8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

        SHA512

        a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

      • \Users\Admin\AppData\Local\Temp\HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe

        Filesize

        2.3MB

        MD5

        a47b47c84d648763fc6582cce159da58

        SHA1

        34fa81e471a8b8afb42bf689a74106a24a3534fc

        SHA256

        b6a906d58b0320124cfc839d1bb167247a50d172bc964924b0f09ec564b25ea4

        SHA512

        78e7a2a75acba9e37155e01ce63f8527d1aa2fd142377c177ce2251088c29def0eac66ac0287704ef05c989f5f51762e1abbc0aa76790ccb5be38a18a43a262b

      • \Users\Admin\AppData\Local\Temp\look2.exe

        Filesize

        337KB

        MD5

        2f3b6f16e33e28ad75f3fdaef2567807

        SHA1

        85e907340faf1edfc9210db85a04abd43d21b741

        SHA256

        86492ebf2d6f471a5ee92977318d099b3ea86175b5b7ae522237ae01d07a4857

        SHA512

        db17e99e2df918cfc9ccbe934adfe73f0777ce1ce9f28b57a4b24ecd821efe2e0b976a634853247b77b16627d2bb3af4ba20306059d1d25ef38ffada7da3e3a4

      • \Users\Admin\Desktop\AssertUndo.exe

        Filesize

        1.7MB

        MD5

        b8948d5f56cfe89d50bcaef19deb5c8f

        SHA1

        01f9f5f36eace35897365d8a70a3e6b14e24225c

        SHA256

        abb578f278cd3f02d2bccac579e737def8f16548f684cc5ebffb155404762c45

        SHA512

        f73b1e9acba6c7bcabe73b54886e5f300e41e77d65414fd621812a3df4cd99541053bf17a7cb0879ba903550e7c2d06ee6df77dc0993a9d167a3aa7782ab0ee1

      • \Windows\SysWOW64\259544744.bat

        Filesize

        51KB

        MD5

        e491b5c6e112140edfbd16872189b2a4

        SHA1

        a21053b07a5e2695c8291d128668314b587ba64f

        SHA256

        605f3ea3074e80fb059a0001fa768eb112cf49acd6009ebf14493bfe974f43fa

        SHA512

        7856847e0bb34ce14911e670fb24d456c5a3776367be8acdd2110513ee16a9f6091ddde535c7cc0d84bd18bdfc92ef4d274bb37ed40d1de1bcbda1c574b6d965

      • \Windows\SysWOW64\svchcst.exe

        Filesize

        43KB

        MD5

        51138beea3e2c21ec44d0932c71762a8

        SHA1

        8939cf35447b22dd2c6e6f443446acc1bf986d58

        SHA256

        5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

        SHA512

        794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

      • memory/848-172-0x0000000000220000-0x0000000000221000-memory.dmp

        Filesize

        4KB

      • memory/848-71-0x0000000000220000-0x0000000000221000-memory.dmp

        Filesize

        4KB

      • memory/848-129-0x0000000000400000-0x000000000064A000-memory.dmp

        Filesize

        2.3MB

      • memory/848-177-0x0000000000400000-0x000000000064A000-memory.dmp

        Filesize

        2.3MB

      • memory/848-197-0x0000000000400000-0x000000000064A000-memory.dmp

        Filesize

        2.3MB

      • memory/848-198-0x0000000000400000-0x000000000064A000-memory.dmp

        Filesize

        2.3MB

      • memory/1300-170-0x0000000000300000-0x0000000000380000-memory.dmp

        Filesize

        512KB

      • memory/1300-148-0x0000000000300000-0x0000000000380000-memory.dmp

        Filesize

        512KB

      • memory/1696-58-0x000000007724F000-0x0000000077250000-memory.dmp

        Filesize

        4KB

      • memory/1696-105-0x0000000000800000-0x0000000000880000-memory.dmp

        Filesize

        512KB

      • memory/1696-52-0x0000000000800000-0x0000000000880000-memory.dmp

        Filesize

        512KB

      • memory/2616-173-0x00000000720AD000-0x00000000720B8000-memory.dmp

        Filesize

        44KB

      • memory/2616-171-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

      • memory/2616-196-0x00000000720AD000-0x00000000720B8000-memory.dmp

        Filesize

        44KB

      • memory/2968-22-0x0000000000400000-0x000000000064A000-memory.dmp

        Filesize

        2.3MB

      • memory/2968-70-0x0000000000400000-0x000000000064A000-memory.dmp

        Filesize

        2.3MB

      • memory/2968-21-0x0000000000220000-0x0000000000221000-memory.dmp

        Filesize

        4KB

      • memory/2968-26-0x0000000000220000-0x0000000000221000-memory.dmp

        Filesize

        4KB

      • memory/2968-25-0x0000000000400000-0x000000000064A000-memory.dmp

        Filesize

        2.3MB

      • memory/2968-20-0x0000000000400000-0x000000000064A000-memory.dmp

        Filesize

        2.3MB

      • memory/2968-57-0x0000000000400000-0x000000000064A000-memory.dmp

        Filesize

        2.3MB

      • memory/3000-103-0x0000000000400000-0x000000000042C000-memory.dmp

        Filesize

        176KB

      • memory/3000-107-0x0000000000400000-0x000000000042C000-memory.dmp

        Filesize

        176KB

      • memory/3000-108-0x0000000000400000-0x000000000042C000-memory.dmp

        Filesize

        176KB

      • memory/3000-109-0x0000000000400000-0x000000000042C000-memory.dmp

        Filesize

        176KB

      • memory/3000-110-0x0000000000400000-0x000000000042C000-memory.dmp

        Filesize

        176KB

      • memory/3000-111-0x0000000000400000-0x000000000042C000-memory.dmp

        Filesize

        176KB

      • memory/3000-112-0x0000000000400000-0x000000000042C000-memory.dmp

        Filesize

        176KB

      • memory/3000-113-0x0000000000400000-0x000000000042C000-memory.dmp

        Filesize

        176KB

      • memory/3000-114-0x0000000000400000-0x000000000042C000-memory.dmp

        Filesize

        176KB

      • memory/3000-115-0x0000000000400000-0x000000000042C000-memory.dmp

        Filesize

        176KB

      • memory/3000-116-0x0000000000400000-0x000000000042C000-memory.dmp

        Filesize

        176KB

      • memory/3000-117-0x0000000000400000-0x000000000042C000-memory.dmp

        Filesize

        176KB

      • memory/3000-118-0x0000000000400000-0x000000000042C000-memory.dmp

        Filesize

        176KB

      • memory/3000-119-0x0000000000400000-0x000000000042C000-memory.dmp

        Filesize

        176KB

      • memory/3000-106-0x0000000000400000-0x000000000042C000-memory.dmp

        Filesize

        176KB

      • memory/3000-104-0x0000000000400000-0x000000000042C000-memory.dmp

        Filesize

        176KB

      • memory/3000-99-0x0000000000070000-0x0000000000071000-memory.dmp

        Filesize

        4KB

      • memory/3000-95-0x000000007724F000-0x0000000077250000-memory.dmp

        Filesize

        4KB

      • memory/3000-94-0x0000000000400000-0x000000000042C000-memory.dmp

        Filesize

        176KB

      • memory/3000-96-0x0000000000080000-0x0000000000081000-memory.dmp

        Filesize

        4KB

      • memory/3000-83-0x0000000000400000-0x000000000042C000-memory.dmp

        Filesize

        176KB

      • memory/3000-92-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

      • memory/3000-176-0x0000000000400000-0x000000000042C000-memory.dmp

        Filesize

        176KB

      • memory/3000-88-0x0000000000400000-0x000000000042C000-memory.dmp

        Filesize

        176KB

      • memory/3000-77-0x0000000000400000-0x000000000042C000-memory.dmp

        Filesize

        176KB

      • memory/3000-79-0x0000000000400000-0x000000000042C000-memory.dmp

        Filesize

        176KB

      • memory/3000-81-0x0000000000400000-0x000000000042C000-memory.dmp

        Filesize

        176KB