Overview

overview

10

Static

static

3

1adcf2e4d8...27.exe

windows7-x64

10

1adcf2e4d8...27.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • submitted
    13-10-2024 02:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1adcf2e4d8d4d2c6444f74992f8e181b42139854e62774fae39b711b27a47327.exe

  • Size

    3.2MB

  • MD5

    e4d2768a201f9bf4d7f29d4b5d035616

  • SHA1

    4bdca388ee6e104c40b3b554e4220ccd14f25cf7

  • SHA256

    1adcf2e4d8d4d2c6444f74992f8e181b42139854e62774fae39b711b27a47327

  • SHA512

    0f174972e64975ff3e8db25cafec8ba6c6bc6378424350e177751783afd528610ebf31cff032bd92259c582d659ff874a31b33398421906b590e84bac5b69486

  • SSDEEP

    98304:BZJt4HINy2Lkknynsmtk2aMIH2+WQMDOemzYSZ:ziINy2Lkkn8LTw2nQ2cfZ

Score
10/10
gh0stratpurplefoxxredbackdoordiscoverymacropersistenceratrootkittrojanupx

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Detect PurpleFox Rootkit 9 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 9 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Purplefox family
    purplefox
  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Suspicious Office macro 4 IoCs

    Office document equipped with macros.

    macro
  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 20 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1adcf2e4d8d4d2c6444f74992f8e181b42139854e62774fae39b711b27a47327.exe
    "C:\Users\Admin\AppData\Local\Temp\1adcf2e4d8d4d2c6444f74992f8e181b42139854e62774fae39b711b27a47327.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1800
    • C:\Users\Admin\AppData\Local\Temp\RVN.exe
      C:\Users\Admin\AppData\Local\Temp\\RVN.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1308
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:2384
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2432
    • C:\Users\Admin\AppData\Local\Temp\HD_1adcf2e4d8d4d2c6444f74992f8e181b42139854e62774fae39b711b27a47327.exe
      C:\Users\Admin\AppData\Local\Temp\HD_1adcf2e4d8d4d2c6444f74992f8e181b42139854e62774fae39b711b27a47327.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2484
      • C:\Users\Admin\AppData\Local\Temp\._cache_HD_1adcf2e4d8d4d2c6444f74992f8e181b42139854e62774fae39b711b27a47327.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_HD_1adcf2e4d8d4d2c6444f74992f8e181b42139854e62774fae39b711b27a47327.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2784
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\LOL查号器.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX0\LOL查号器.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3056
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:580
        • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2116
          • C:\Users\Admin\AppData\Local\Temp\RarSFX1\LOL查号器.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX1\LOL查号器.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            PID:888
  • C:\Windows\SysWOW64\TXPlatforn.exe
    C:\Windows\SysWOW64\TXPlatforn.exe -auto
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Windows\SysWOW64\TXPlatforn.exe
      C:\Windows\SysWOW64\TXPlatforn.exe -acsi
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Executes dropped EXE
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:2540
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1356

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\._cache_HD_1adcf2e4d8d4d2c6444f74992f8e181b42139854e62774fae39b711b27a47327.exe
    Filesize

    1.3MB

    MD5

    cdffc31376f124a39d41390cfe458b0d

    SHA1

    f049f377a4730520c97cf05e98f39cce261c9eeb

    SHA256

    01aaedd32aa085bf75f7fcff89b1b9fc581c3382b2225fe57fa725adf1b94c40

    SHA512

    672d2094967191162a31dd19e754a9ed4cd8435d903bf4edfd40d382b52b15b47a05e38eec075ee62ca09b49c4e367573985742c0030f46674e02da58011deab

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\HD_1adcf2e4d8d4d2c6444f74992f8e181b42139854e62774fae39b711b27a47327.exe
    Filesize

    2.0MB

    MD5

    48ba244660eab76672b9fa2aa354528f

    SHA1

    d1a4a7fef67c2902f26f39dd5bcc53771d1210a9

    SHA256

    c62f85d0a38cf1bbc6742efc58af647d9766e5691b9053101601ba1403d09a57

    SHA512

    ac0fdec307a22b1e550e4fd162d804bfd80b21720522fc9f96a45896afc489bc5e362cfed356b21bbcaca46060e180a96e03a904b7da590179a1da673e5615fd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\HD_X.dat
    Filesize

    1.2MB

    MD5

    13835e21b77e957c9f933e9ed0644155

    SHA1

    e35107cf2aaa3c877d97a42cf010744f8a7289a7

    SHA256

    9cabb295158ed06668f19465ec9ffc01b5649eb64518b4dffc2d7a086e561b32

    SHA512

    75e6bca863c9478ad1cc4c58130d78f4b96a05fef44f95a4eaa8279db144ef3c532fa5803d6126705879354d7d690c4ad6078c7d8763c5835a4dfef0a517b204

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\LOL查号器.exe
    Filesize

    940KB

    MD5

    a770e92df03ce95b430eed3397965d0b

    SHA1

    3c05da58cf79e1bba554480ecea7e91dfbdf4593

    SHA256

    f0a4b8c5f6b07d3e1089a667502c58f7d76c3fbcfe22019e99d8efd1bab86072

    SHA512

    27b302d2139f52924acb5d1aaba406c7cb2c1182c1072809942b26f419fdaa26b0e901593c5bc96524d7936e09a4c6e4ebe5d0dd3fc3379df07d6b57746206da

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\neL9O9gs.xlsm
    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\neL9O9gs.xlsm
    Filesize

    23KB

    MD5

    f1ce1c0cff71263d5ed1a7d23e3b019c

    SHA1

    0f6f38e6337e25aba140dbc1990b6ab840652665

    SHA256

    fa74ad96af5b64c7c46857ea7ea991586bf77970bc480923b5e76400aa2c106a

    SHA512

    075ead5f4aa3d5c3cdcbeefe1d032baee31d849fa744219eceb0dd65f9de50b5b4130405231b0bd04472667e9a9ea529d1ce1b458deffd946dac4ab18480849e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\neL9O9gs.xlsm
    Filesize

    22KB

    MD5

    ac7cb9acaee3d96237362c45bf97214b

    SHA1

    8a252f18a8d702d5eaf5d79d4d84c41f87989593

    SHA256

    f8ecd6c53e034e57077ee6e240c598bb454d88c6a39018b730446ed30f84c48e

    SHA512

    1c5ff3339ebb84d9d9406745dd6ec2176de9bf3f429dc868bfcf7b0db15aa08facfe1e83644fb3865e09b3156f65d291a1916593be664ec6c710a781bc957d9f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\neL9O9gs.xlsm
    Filesize

    23KB

    MD5

    7f787a1b5c7979c4c4bd7b7c15213129

    SHA1

    c53d5bade225f98c3fa0539f6f38f702ef538fc8

    SHA256

    78b985eaf0c7663373efd97b7521f929c0b3254e601f22cbec8652b57cae54c6

    SHA512

    e23834705397a100f5245cba1a8c9754040d3ab4a7b0fddbd3ba959e847c62e76ed42c99e6cf24e192f87d8d8254e0213f568ade8ebf7ef2bfe1e7de1d9b8b6b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\neL9O9gs.xlsm
    Filesize

    21KB

    MD5

    81decc9571088bbece416603a0aba30b

    SHA1

    4e00e79514d237c22aa2c03b24c3c6de94ab776a

    SHA256

    64f0f691ac89e4d92c05204f05cc397615ae077f970e3c3a82f75d4f8948a98a

    SHA512

    bb0c353b5dd784aa9348b54e2a3d6dd4550dbc0e8a84bbcc3b28a0219b9992d85422e96e47b93013e446ccfdbab7d40b59efd6e87e0e7a71a4fbd468de13bc59

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\~$neL9O9gs.xlsm
    Filesize

    165B

    MD5

    ff09371174f7c701e75f357a187c06e8

    SHA1

    57f9a638fd652922d7eb23236c80055a91724503

    SHA256

    e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

    SHA512

    e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

    Download Submit

  • \??\PIPE\srvsvc
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\RVN.exe
    Filesize

    377KB

    MD5

    80ade1893dec9cab7f2e63538a464fcc

    SHA1

    c06614da33a65eddb506db00a124a3fc3f5be02e

    SHA256

    57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

    SHA512

    fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

    Download Submit

  • memory/580-241-0x0000000000400000-0x000000000060E000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/580-247-0x0000000000400000-0x000000000060E000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/580-291-0x0000000000400000-0x000000000060E000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/888-302-0x0000000000400000-0x0000000000530000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/888-166-0x0000000000400000-0x0000000000530000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1308-7-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1308-9-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1308-8-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1308-5-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1356-240-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1356-142-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2116-164-0x00000000036C0000-0x00000000037F0000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2116-163-0x00000000036C0000-0x00000000037F0000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2116-162-0x00000000036C0000-0x00000000037F0000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2116-161-0x00000000036C0000-0x00000000037F0000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2116-165-0x00000000036C0000-0x00000000037F0000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2484-100-0x0000000000400000-0x000000000060E000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2540-75-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2540-60-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2540-74-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2784-294-0x0000000003700000-0x0000000003830000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2784-124-0x0000000003700000-0x0000000003830000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2784-123-0x0000000003700000-0x0000000003830000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2784-126-0x0000000003700000-0x0000000003830000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2784-292-0x0000000003700000-0x0000000003830000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2784-125-0x0000000003700000-0x0000000003830000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2784-293-0x0000000003700000-0x0000000003830000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3056-128-0x0000000000400000-0x0000000000530000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3056-300-0x0000000000400000-0x0000000000530000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3068-32-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download