Analysis

  • max time kernel
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • submitted
    03-01-2024 14:24

General

  • Target

    38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe

  • Size

    3.5MB

  • MD5

    9faace482045ab5df714a1e42ccca112

  • SHA1

    85156d4347decd70b060f7f90aea67fc7ca7bde8

  • SHA256

    38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33

  • SHA512

    874f04dfad6149d0635c84bf3e6c51caf74a7d5ae7ac62477d6760cfa19dfe8571c2da6e1b149e7f837407cc5e905b4767015e0608d3554ef2a9e05bb87ca083

  • SSDEEP

    49152:9YREXSVMDi34QnsHyjtk2MYC5GDsVN/wEwqq8u5zn:S2SVMD8dnsmtk2alWqTuxn

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Gh0strat family
  • Parallax family
  • ParallaxRat

    ParallaxRat is a multipurpose RAT written in MASM.

  • ParallaxRat payload 20 IoCs

    Detects the payload of Parallax RAT, a small portable RAT usually digitally signed with a Sectigo certificate.

  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely as a geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
    "C:\Users\Admin\AppData\Local\Temp\38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3640
    • C:\Users\Admin\AppData\Local\Temp\HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
      C:\Users\Admin\AppData\Local\Temp\HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2636
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1544
        • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:5008
      • C:\Users\Admin\AppData\Local\Temp\._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe"
        3⤵
        PID:4520
    • C:\Users\Admin\AppData\Local\Temp\look2.exe
      C:\Users\Admin\AppData\Local\Temp\\look2.exe
      2⤵
      • Server Software Component: Terminal Services DLL
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:4984
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "svchcst"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\SysWOW64\svchcst.exe
      C:\Windows\system32\svchcst.exe "c:\windows\system32\240601875.bat",MainThread
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:4820
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "svchcst"
    1⤵
    PID:2024
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2176
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
    1⤵
    • Drops startup file
    • System Location Discovery: System Language Discovery
    PID:3136
  • C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe"
    1⤵
    PID:3804
  • C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    1⤵
    PID:4848
  • C:\Windows\system32\BackgroundTaskHost.exe
    "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4520
  • C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\servicing\TrustedInstaller.exe
    1⤵
    PID:4848

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\._cache_HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe

    Filesize

    1.5MB

    MD5

    77f82a88068d77ba9ece00d21bf3a4db

    SHA1

    cedf93d2a9dae5a41c7797baaf535f008d0166e9

    SHA256

    33dd66da63f57e1d64d469172a5d5e7615924bcde919e962c4a5a00c51306051

    SHA512

    1c3e8eb58ea6139e738bcf1662037669f470d46cdc60c9b4297542bcc545a2673447686a99827a8d07ae06d0260d5b1778159cd41552bc2c571a06ef297a9e1d

  • C:\Users\Admin\AppData\Local\Temp\HD_38300f4225fbfe1a971e0118640fe123e1a03e529c65a0f93a94425a8ad56c33.exe

    Filesize

    2.3MB

    MD5

    a47b47c84d648763fc6582cce159da58

    SHA1

    34fa81e471a8b8afb42bf689a74106a24a3534fc

    SHA256

    b6a906d58b0320124cfc839d1bb167247a50d172bc964924b0f09ec564b25ea4

    SHA512

    78e7a2a75acba9e37155e01ce63f8527d1aa2fd142377c177ce2251088c29def0eac66ac0287704ef05c989f5f51762e1abbc0aa76790ccb5be38a18a43a262b

  • C:\Users\Admin\AppData\Local\Temp\HD_X.dat

    Filesize

    1.2MB

    MD5

    7492c664376949e0577a85eefa05a637

    SHA1

    31b147b5d115e0361c50dc44b56057bda4936a8f

    SHA256

    f565fd958bcf12cd38879de12ab9ec9932b86161917d789e5fe134cf0cd00fb7

    SHA512

    aba19e9bfc075573313f913db8caf38eafa109bfd9554e5f3ca6b59ce7e073271676ec28613b466c21b6a65ab742075a9a152756e754692256d0113926e41e32

  • C:\Users\Admin\AppData\Local\Temp\SdjHwus4.xlsm

    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  • C:\Users\Admin\AppData\Local\Temp\look2.exe

    Filesize

    337KB

    MD5

    2f3b6f16e33e28ad75f3fdaef2567807

    SHA1

    85e907340faf1edfc9210db85a04abd43d21b741

    SHA256

    86492ebf2d6f471a5ee92977318d099b3ea86175b5b7ae522237ae01d07a4857

    SHA512

    db17e99e2df918cfc9ccbe934adfe73f0777ce1ce9f28b57a4b24ecd821efe2e0b976a634853247b77b16627d2bb3af4ba20306059d1d25ef38ffada7da3e3a4

  • C:\Windows\SysWOW64\240601875.bat

    Filesize

    51KB

    MD5

    84f9ce07302135e8f841dcec0fc627e8

    SHA1

    cb89a9fa718f8a823f7cdf9135e0c133d202123f

    SHA256

    b2fb9196ad7be020ce2e6eb226b3fda653adb585205ac5891d083613a2b406f1

    SHA512

    bcc42ac803124bfa9ebf7d2ed391377632d496a005ad28df566f8294486cda514174b3b816388b6c47fbe5fa691baee169fcdef1800fb935419a43bd50ea0889

  • C:\Windows\SysWOW64\svchcst.exe

    Filesize

    60KB

    MD5

    889b99c52a60dd49227c5e485a016679

    SHA1

    8fa889e456aa646a4d0a4349977430ce5fa5e2d7

    SHA256

    6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

    SHA512

    08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

  • memory/1544-161-0x0000000000730000-0x0000000000731000-memory.dmp (Filesize 4KB)
  • memory/1544-313-0x0000000000400000-0x000000000064A000-memory.dmp (Filesize 2.3MB)
  • memory/1544-290-0x0000000000400000-0x000000000064A000-memory.dmp (Filesize 2.3MB)
  • memory/1544-278-0x0000000000730000-0x0000000000731000-memory.dmp (Filesize 4KB)
  • memory/1544-279-0x0000000000400000-0x000000000064A000-memory.dmp (Filesize 2.3MB)
  • memory/2176-230-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp (Filesize 2.0MB)
  • memory/2176-229-0x00007FFC8E1B0000-0x00007FFC8E1C0000-memory.dmp (Filesize 64KB)
  • memory/2176-227-0x00007FFC8E1B0000-0x00007FFC8E1C0000-memory.dmp (Filesize 64KB)
  • memory/2176-226-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp (Filesize 2.0MB)
  • memory/2176-231-0x00007FFC8E1B0000-0x00007FFC8E1C0000-memory.dmp (Filesize 64KB)
  • memory/2176-232-0x00007FFC8B8B0000-0x00007FFC8B8C0000-memory.dmp (Filesize 64KB)
  • memory/2176-225-0x00007FFC8E1B0000-0x00007FFC8E1C0000-memory.dmp (Filesize 64KB)
  • memory/2176-228-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp (Filesize 2.0MB)
  • memory/2176-224-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp (Filesize 2.0MB)
  • memory/2176-280-0x00007FFCCE130000-0x00007FFCCE325000-memory.dmp (Filesize 2.0MB)
  • memory/2176-235-0x00007FFC8B8B0000-0x00007FFC8B8C0000-memory.dmp (Filesize 64KB)
  • memory/2176-223-0x00007FFC8E1B0000-0x00007FFC8E1C0000-memory.dmp (Filesize 64KB)
  • memory/2636-159-0x0000000000400000-0x000000000064A000-memory.dmp (Filesize 2.3MB)
  • memory/2636-18-0x00000000023E0000-0x00000000023E1000-memory.dmp (Filesize 4KB)
  • memory/3804-259-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/3804-243-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/3804-291-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/3804-241-0x00000000007F0000-0x00000000007F1000-memory.dmp (Filesize 4KB)
  • memory/3804-260-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/3804-258-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/3804-257-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/3804-253-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/3804-252-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/3804-251-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/3804-250-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/3804-248-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/3804-247-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/3804-246-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/3804-245-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/3804-244-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/3804-242-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/3804-249-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/3804-237-0x0000000077272000-0x0000000077273000-memory.dmp (Filesize 4KB)
  • memory/3804-254-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/3804-236-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/4520-240-0x00000000030E0000-0x0000000003160000-memory.dmp (Filesize 512KB)
  • memory/4520-239-0x0000000003410000-0x0000000003500000-memory.dmp (Filesize 960KB)
  • memory/4520-101-0x00000000030E0000-0x0000000003160000-memory.dmp (Filesize 512KB)
  • memory/4520-156-0x0000000077272000-0x0000000077273000-memory.dmp (Filesize 4KB)
  • memory/4848-266-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/4848-262-0x0000000077272000-0x0000000077273000-memory.dmp (Filesize 4KB)
  • memory/5008-222-0x0000000002BA0000-0x0000000002C20000-memory.dmp (Filesize 512KB)
  • memory/5008-265-0x0000000002BA0000-0x0000000002C20000-memory.dmp (Filesize 512KB)