Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
10-11-2024 19:21
Behavioral task
behavioral1
Sample
360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe
Resource
win7-20240903-en
General
-
Target
360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe
-
Size
3.2MB
-
MD5
d6e3bd48e7bf7d18525e20dc4b51d7f0
-
SHA1
34a9faceb26594db8d9e157c4bb1d8968a734b05
-
SHA256
360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079
-
SHA512
444b5d1cc039a27b7b63339d68a4cd7018793317c9125513d0eeccfbaa4865dab2038b4613c48881b0c3cc890861a75c61f8af48730ffc8dfd7fdebdfd1a3b22
-
SSDEEP
49152:N4yjtk2MYC5GDzxwpiJmTgXkuvib1TogsPuqU4b6KzxzYeY:ttk2akJggXkuvv3U4u6xzY7
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
Signatures
-
Xred family
-
Executes dropped EXE 2 IoCs
pid Process
2400 JollySaga.exe
2772 JollySaga.exe
-
Loads dropped DLL 4 IoCs
pid Process
1316 360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe
1316 360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe
1316 360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe
1316 360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe
-
Checks whether UAC is enabled
description ioc Process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe
-
Drops desktop.ini file(s) 2 IoCs
description ioc Process
File opened for modification \??\f:\$recycle.bin\s-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini JollySaga.exe
File opened for modification \??\f:\$recycle.bin\s-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini JollySaga.exe
-
Installs/modifies Browser Helper Object 2 TTPs 1 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D4B669E1-CDD4-2208-7A42-A045F4609710} regsvr32.exe
-
Drops file in Program Files directory 4 IoCs
description ioc Process
File created C:\Program Files\SatanicScore\SatanicForfeiture.exe JollySaga.exe
File opened for modification C:\Program Files\SatanicScore\SatanicForfeiture.exe JollySaga.exe
File created C:\Program Files\SpeleologyTuber\TuberLivable.exe JollySaga.exe
File opened for modification C:\Program Files\SpeleologyTuber\TuberLivable.exe JollySaga.exe
-
Drops file in Windows directory 1 IoCs
description ioc Process
File created C:\Windows\RVWVLYCAVB.dll 360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JollySaga.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JollySaga.exe
-
Modifies registry class 46 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\InprocServer32\ = "C:\\Windows\\RVWVLYCAVB.dll" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID\ = "{D4B669E1-CDD4-2208-7A42-A045F4609710}" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\ProgID\ = "Thunder.xunlei.1" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\InprocServer32 regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID\ = "{D4B669E1-CDD4-2208-7A42-A045F4609710}" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710} regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\FLAGS\ = "0" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32 regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{2654C523-FB79-3EA1-CA99-745FAF63915A}" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer\ = "Thunder.xunlei.1" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\0\win32\ = "C:\\Windows\\RVWVLYCAVB.dll" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\HELPDIR regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\ = "xunlei Class" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\0 regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0 regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE} regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{2654C523-FB79-3EA1-CA99-745FAF63915A}" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A} regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\ = "Thunder 1.0 Type Library" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE} regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32 regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1 regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\VersionIndependentProgID regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\Programmable regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\0\win32 regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\ProgID regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\TypeLib\ = "{2654C523-FB79-3EA1-CA99-745FAF63915A}" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\TypeLib regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\FLAGS regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\HELPDIR\ = "C:\\Windows" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\ = "xunlei Class" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\ = "xunlei Class" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\VersionIndependentProgID\ = "Thunder.xunlei" regsvr32.exe
-
Suspicious use of SetWindowsHookEx 9 IoCs
pid Process
1316 360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe
1316 360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe
1316 360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe
1316 360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe
1316 360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe
2400 JollySaga.exe
2400 JollySaga.exe
2772 JollySaga.exe
2772 JollySaga.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target
PID 1316 wrote to memory of 2136 1316 360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe 30
PID 1316 wrote to memory of 2136 1316 360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe 30
PID 1316 wrote to memory of 2136 1316 360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe 30
PID 1316 wrote to memory of 2136 1316 360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe 30
PID 1316 wrote to memory of 2136 1316 360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe 30
PID 1316 wrote to memory of 2136 1316 360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe 30
PID 1316 wrote to memory of 2136 1316 360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe 30
PID 1316 wrote to memory of 2400 1316 360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe 31
PID 1316 wrote to memory of 2400 1316 360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe 31
PID 1316 wrote to memory of 2400 1316 360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe 31
PID 1316 wrote to memory of 2400 1316 360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe 31
PID 1316 wrote to memory of 2772 1316 360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe 32
PID 1316 wrote to memory of 2772 1316 360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe 32
PID 1316 wrote to memory of 2772 1316 360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe 32
PID 1316 wrote to memory of 2772 1316 360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe (depth 1)
"C:\Users\Admin\AppData\Local\Temp\360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe"
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1316
-
C:\Windows\SysWOW64\regsvr32.exe (depth 2)
regsvr32.exe /s "C:\Windows\RVWVLYCAVB.dll"
- Installs/modifies Browser Helper Object
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2136
-
C:\Users\Admin\AppData\Local\Temp\JollySaga.exe (depth 2)
"C:\Users\Admin\AppData\Local\Temp\JollySaga.exe"
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2400
-
C:\Users\Admin\AppData\Local\Temp\JollySaga.exe (depth 2)
C:\Users\Admin\AppData\Local\Temp\JollySaga.exe
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2772
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3.2MB
MD5 d6e3bd48e7bf7d18525e20dc4b51d7f0
SHA1 34a9faceb26594db8d9e157c4bb1d8968a734b05
SHA256 360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079
SHA512 444b5d1cc039a27b7b63339d68a4cd7018793317c9125513d0eeccfbaa4865dab2038b4613c48881b0c3cc890861a75c61f8af48730ffc8dfd7fdebdfd1a3b22
-
Filesize
3.2MB
MD5 a7c8cdb5fea4d1aa91205ba68e3b8e1d
SHA1 8d549353cc948adf4438557e81e180070bf5d8d9
SHA256 68e8e42ce8dc01cec3eb19ce1a4508d383035756b62e1cf573d5c5700d09b790
SHA512 f03d1161dd3e1dd5c931216c48c968b31441e6f8aba95bc677e06761f0ee991bed5083623bddd59a7941d261fc164565d5cd6e0efcf3f213b9c0670922e68b0f
-
Filesize
28KB
MD5 927476200feeb6160af47839940f10cc
SHA1 77dbd1d864d608a59fe5be14c10df1682de40486
SHA256 7f3bcfae359fce0e86d1f0b8881d204b3f4bea37b993c06d8a42d3771d92c2da
SHA512 42e9c462242865567d1b5429d45b561535c1fd732ba62ef1c773e8f446663adb5cf81bf27c3dee16458f1e56397911ba0d1b54db372f619f536e2161c1121c9f