xred | 360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079

Analysis

max time kernel
106s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/11/2024, 19:21 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe
Size

3.2MB
MD5

d6e3bd48e7bf7d18525e20dc4b51d7f0
SHA1

34a9faceb26594db8d9e157c4bb1d8968a734b05
SHA256

360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079
SHA512

444b5d1cc039a27b7b63339d68a4cd7018793317c9125513d0eeccfbaa4865dab2038b4613c48881b0c3cc890861a75c61f8af48730ffc8dfd7fdebdfd1a3b22
SSDEEP

49152:N4yjtk2MYC5GDzxwpiJmTgXkuvib1TogsPuqU4b6KzxzYeY:ttk2akJggXkuvv3U4u6xzY7

Score

10^/10

xred adware backdoor discovery evasion stealer trojan

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
xredline1@gmail.com
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe

Executes dropped EXE 2 IoCs

pid	Process
8	OctogenarianSynthetic.exe
4928	OctogenarianSynthetic.exe

Loads dropped DLL 1 IoCs

pid	Process
2732	regsvr32.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	\??\f:\$recycle.bin\s-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini	OctogenarianSynthetic.exe
File opened for modification	\??\f:\$recycle.bin\s-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini	OctogenarianSynthetic.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4B669E1-CDD4-2208-7A42-A045F4609710}	regsvr32.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\NattyInfringement\NattyGibe.exe	OctogenarianSynthetic.exe
File opened for modification	C:\Program Files\NattyInfringement\NattyGibe.exe	OctogenarianSynthetic.exe
File created	C:\Program Files\SatanicInfringement\SpeleologyGibe.exe	OctogenarianSynthetic.exe
File opened for modification	C:\Program Files\SatanicInfringement\SpeleologyGibe.exe	OctogenarianSynthetic.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\RVWVLYCAVB.dll	360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OctogenarianSynthetic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OctogenarianSynthetic.exe

Modifies registry class 46 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID\ = "{D4B669E1-CDD4-2208-7A42-A045F4609710}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\ = "xunlei Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\0\win32\ = "C:\\Windows\\RVWVLYCAVB.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{2654C523-FB79-3EA1-CA99-745FAF63915A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID\ = "{D4B669E1-CDD4-2208-7A42-A045F4609710}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\VersionIndependentProgID\ = "Thunder.xunlei"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\ = "Thunder 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\ = "xunlei Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\ = "xunlei Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\ProgID\ = "Thunder.xunlei.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\TypeLib\ = "{2654C523-FB79-3EA1-CA99-745FAF63915A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{2654C523-FB79-3EA1-CA99-745FAF63915A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer\ = "Thunder.xunlei.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0\HELPDIR\ = "C:\\Windows"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2654C523-FB79-3EA1-CA99-745FAF63915A}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4B669E1-CDD4-2208-7A42-A045F4609710}\InprocServer32\ = "C:\\Windows\\RVWVLYCAVB.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32	regsvr32.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2920	360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe
2920	360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe
2920	360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe
2920	360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe
2920	360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe
8	OctogenarianSynthetic.exe
8	OctogenarianSynthetic.exe
4928	OctogenarianSynthetic.exe
4928	OctogenarianSynthetic.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 2732	2920	360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe	90
PID 2920 wrote to memory of 2732	2920	360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe	90
PID 2920 wrote to memory of 2732	2920	360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe	90
PID 2920 wrote to memory of 8	2920	360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe	94
PID 2920 wrote to memory of 8	2920	360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe	94
PID 2920 wrote to memory of 8	2920	360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe	94
PID 2920 wrote to memory of 4928	2920	360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe	95
PID 2920 wrote to memory of 4928	2920	360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe	95
PID 2920 wrote to memory of 4928	2920	360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe	95

C:\Users\Admin\AppData\Local\Temp\360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe
"C:\Users\Admin\AppData\Local\Temp\360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe"
1⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Windows\RVWVLYCAVB.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2732
- C:\Users\Admin\AppData\Local\Temp\OctogenarianSynthetic.exe
  "C:\Users\Admin\AppData\Local\Temp\OctogenarianSynthetic.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:8
- C:\Users\Admin\AppData\Local\Temp\OctogenarianSynthetic.exe
  C:\Users\Admin\AppData\Local\Temp\OctogenarianSynthetic.exe
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4928

Network

DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

138.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

138.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

200.163.202.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.163.202.172.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

buytomer.oCry.com

360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe

Remote address:

8.8.8.8:53

Request

buytomer.oCry.com

IN A

Response
DNS

88.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.210.23.2.in-addr.arpa

IN PTR

Response

88.210.23.2.in-addr.arpa

IN PTR

a2-23-210-88deploystaticakamaitechnologiescom
DNS

smithewife.zyns.com

360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe

Remote address:

8.8.8.8:53

Request

smithewife.zyns.com

IN A

Response
DNS

19.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.229.111.52.in-addr.arpa

IN PTR

Response

205.209.168.5:443

360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe

260 B
5
205.209.168.5:443

360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe

208 B
4

8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

138.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

138.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

200.163.202.172.in-addr.arpa

dns

74 B
160 B
1
1

DNS Request

200.163.202.172.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

buytomer.oCry.com

dns

360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe

63 B
128 B
1
1

DNS Request

buytomer.oCry.com
8.8.8.8:53

88.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

88.210.23.2.in-addr.arpa
8.8.8.8:53

smithewife.zyns.com

dns

360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079N.exe

65 B
130 B
1
1

DNS Request

smithewife.zyns.com
8.8.8.8:53

19.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

19.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\NattyInfringement\NattyGibe.exe

Filesize
3.2MB

MD5
d6e3bd48e7bf7d18525e20dc4b51d7f0

SHA1
34a9faceb26594db8d9e157c4bb1d8968a734b05

SHA256
360e69efd596731ef4b4a69b4e1c76e50ef2c9b969f7af0bed3a9f21e88f6079

SHA512
444b5d1cc039a27b7b63339d68a4cd7018793317c9125513d0eeccfbaa4865dab2038b4613c48881b0c3cc890861a75c61f8af48730ffc8dfd7fdebdfd1a3b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\OctogenarianSynthetic.exe

Filesize
28KB

MD5
927476200feeb6160af47839940f10cc

SHA1
77dbd1d864d608a59fe5be14c10df1682de40486

SHA256
7f3bcfae359fce0e86d1f0b8881d204b3f4bea37b993c06d8a42d3771d92c2da

SHA512
42e9c462242865567d1b5429d45b561535c1fd732ba62ef1c773e8f446663adb5cf81bf27c3dee16458f1e56397911ba0d1b54db372f619f536e2161c1121c9f

Download Submit
C:\Windows\RVWVLYCAVB.dll

Filesize
3.2MB

MD5
a7c8cdb5fea4d1aa91205ba68e3b8e1d

SHA1
8d549353cc948adf4438557e81e180070bf5d8d9

SHA256
68e8e42ce8dc01cec3eb19ce1a4508d383035756b62e1cf573d5c5700d09b790

SHA512
f03d1161dd3e1dd5c931216c48c968b31441e6f8aba95bc677e06761f0ee991bed5083623bddd59a7941d261fc164565d5cd6e0efcf3f213b9c0670922e68b0f

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.