xred | 6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb

Analysis

max time kernel
114s
max time network
76s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26-12-2024 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb.exe
Size

3.1MB
MD5

87fb4257cb0773489cd1ef55238c8045
SHA1

36a40324575abb231d4f6f7db0bd8c7f8682a1cb
SHA256

6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb
SHA512

5fa362502c546c84204e7a525256adbcfff999fdf3a1bd0cd9c1d289c6f169d63b81ce17dd19117b78dc9282cb31f1fc729edb87e0fc5e6947bb8d8131c85603
SSDEEP

49152:RnsHyjtk2MYC5GDfL0UVAhJtZjwhf+3KlVahOfe3ax+UlSa4MUkPEwBs2b0Rr00:Rnsmtk2aAL2hTZchf+arfeqUTMRPBGhh

Score

10^/10

xred backdoor bootkit discovery persistence upx

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 6 IoCs

pid	Process
2720	._cache_6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb.exe
2940	Synaptics.exe
2148	._cache_Synaptics.exe
2108	DiskInfo64.exe
320	DiskInfo64.exe
1256	Process not Found

Loads dropped DLL 7 IoCs

pid	Process
844	6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb.exe
844	6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb.exe
844	6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb.exe
2940	Synaptics.exe
2940	Synaptics.exe
2720	._cache_6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb.exe
2148	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	DiskInfo64.exe
File opened (read-only)	\??\O:	DiskInfo64.exe
File opened (read-only)	\??\T:	DiskInfo64.exe
File opened (read-only)	\??\U:	DiskInfo64.exe
File opened (read-only)	\??\Y:	DiskInfo64.exe
File opened (read-only)	\??\A:	DiskInfo64.exe
File opened (read-only)	\??\B:	DiskInfo64.exe
File opened (read-only)	\??\K:	DiskInfo64.exe
File opened (read-only)	\??\Z:	DiskInfo64.exe
File opened (read-only)	\??\W:	DiskInfo64.exe
File opened (read-only)	\??\X:	DiskInfo64.exe
File opened (read-only)	\??\G:	DiskInfo64.exe
File opened (read-only)	\??\J:	DiskInfo64.exe
File opened (read-only)	\??\S:	DiskInfo64.exe
File opened (read-only)	\??\L:	DiskInfo64.exe
File opened (read-only)	\??\M:	DiskInfo64.exe
File opened (read-only)	\??\P:	DiskInfo64.exe
File opened (read-only)	\??\Q:	DiskInfo64.exe
File opened (read-only)	\??\R:	DiskInfo64.exe
File opened (read-only)	\??\E:	DiskInfo64.exe
File opened (read-only)	\??\H:	DiskInfo64.exe
File opened (read-only)	\??\I:	DiskInfo64.exe
File opened (read-only)	\??\V:	DiskInfo64.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	DiskInfo64.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0003000000018334-4.dat	upx
behavioral1/memory/844-6-0x0000000003D40000-0x0000000003D69000-memory.dmp	upx
behavioral1/memory/2720-9-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2148-538-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2148-1165-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2720-1183-0x0000000000400000-0x0000000000429000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2140	EXCEL.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2108	DiskInfo64.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2108	DiskInfo64.exe
2108	DiskInfo64.exe
2140	EXCEL.EXE
320	DiskInfo64.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 2720	844	6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb.exe	30
PID 844 wrote to memory of 2720	844	6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb.exe	30
PID 844 wrote to memory of 2720	844	6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb.exe	30
PID 844 wrote to memory of 2720	844	6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb.exe	30
PID 844 wrote to memory of 2940	844	6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb.exe	31
PID 844 wrote to memory of 2940	844	6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb.exe	31
PID 844 wrote to memory of 2940	844	6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb.exe	31
PID 844 wrote to memory of 2940	844	6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb.exe	31
PID 2940 wrote to memory of 2148	2940	Synaptics.exe	32
PID 2940 wrote to memory of 2148	2940	Synaptics.exe	32
PID 2940 wrote to memory of 2148	2940	Synaptics.exe	32
PID 2940 wrote to memory of 2148	2940	Synaptics.exe	32
PID 2720 wrote to memory of 2108	2720	._cache_6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb.exe	34
PID 2720 wrote to memory of 2108	2720	._cache_6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb.exe	34
PID 2720 wrote to memory of 2108	2720	._cache_6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb.exe	34
PID 2720 wrote to memory of 2108	2720	._cache_6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb.exe	34
PID 2148 wrote to memory of 320	2148	._cache_Synaptics.exe	36
PID 2148 wrote to memory of 320	2148	._cache_Synaptics.exe	36
PID 2148 wrote to memory of 320	2148	._cache_Synaptics.exe	36
PID 2148 wrote to memory of 320	2148	._cache_Synaptics.exe	36

C:\Users\Admin\AppData\Local\Temp\6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb.exe
"C:\Users\Admin\AppData\Local\Temp\6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:844
- C:\Users\Admin\AppData\Local\Temp\._cache_6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\DiskInfo64.exe
    "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\DiskInfo64.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2108
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\CrystalDiskInfo\DiskInfo64.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\CrystalDiskInfo\DiskInfo64.exe" InjUpdateInjUpdate
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:320

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
3.1MB

MD5
87fb4257cb0773489cd1ef55238c8045

SHA1
36a40324575abb231d4f6f7db0bd8c7f8682a1cb

SHA256
6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb

SHA512
5fa362502c546c84204e7a525256adbcfff999fdf3a1bd0cd9c1d289c6f169d63b81ce17dd19117b78dc9282cb31f1fc729edb87e0fc5e6947bb8d8131c85603

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\CdiResource\dialog\Graph.html

Filesize
8KB

MD5
1f2f281f50cdefb6794c9c87133b89fb

SHA1
6aaf495b5eba156f3b6d69395a022251f54e8460

SHA256
00ceba3cca57b7ae140f077d6aebb88e172f69b4cc0c8879c5be7f2734a989f8

SHA512
c1d8d99104f0dfc0f3417c6c0a2519ab9508aadecc573b6c338614237d6d91ce03825b4b978a3a9a03272759d7d566d1bc7c60b7742b4f83a8ad1b9d943e906b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\CdiResource\language\English.lang

Filesize
81KB

MD5
dde617c1e6268fb95455e2ac2317a875

SHA1
2ba5bbc614464a700b459fb377cb75398a0446ad

SHA256
c3bb9d79852fe709633d06d9290f5820cb67b6efea2c348130240c98c3b75eb4

SHA512
e8c535d84d7bb89e2e42b3b6bd36f8a221a4c72de1f47be15078049cba0fd230ba2f6dd3645afc375ac155ddb2434a6ccf1238096856188f6e3b40ecfa168659

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\CdiResource\language\Simplified Chinese.lang

Filesize
47KB

MD5
43cbd9abc0ce3773b1f5c64418125544

SHA1
5965a22e2c74ca1ebfc89cfc1fe73dcfbaf8bdc8

SHA256
a206a47afb6bf7ea6cbd76db61b63df1a4bb5cc7d612de69798a2386a75b7e77

SHA512
11487f18dde17cce50797d073181050d877cac358573c190382533f1ad4ca3e5e0dc8eac98e9d96fca930b4731a34c8e5eb663778a94975683c3822ab1d77cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\CdiResource\themes\Default\Background-300.png

Filesize
859B

MD5
6e1b248aadf999ed859629a33e396050

SHA1
a5aad24c174b5b427f8813ede9791ceaa4644f90

SHA256
2711e84f951b486c5dfc718e716f4f0bf80c1dd08260b4b49d77f800770e1171

SHA512
1b38a67ff13c7d03bddca5640143314ffadb65955d51e30ad251718d7d8ad32f99a6a9d49b1eedb6298c6d22a66f18cb324b7fcfd3f7437f2580b441420915cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\CdiResource\themes\Default\diskGood-100.png

Filesize
1KB

MD5
3cc7c30b4d9d0535606243ca9eb0df71

SHA1
ffe6b634b273ae6bd7cf9176577d5d3ae1e3f5c6

SHA256
02d7410905e93eba492498cc80d70603c5353ab9c5c0f0dd6ab459e9a4abc8a8

SHA512
bf5e1fe7cd97de16791d2824ac883f0f5d2d9762bd2170967ac9a448c5cef23ac60ec2e42160c1a0b5e30658bb2d251d2a494bb13e373926a0c439a4b6bf9d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\CdiResource\themes\Default\diskStatusGood-100.png

Filesize
918B

MD5
ad2e97a4c59814858876abad24002ffd

SHA1
7636bf632981a0d6ccbf3adcdc78d2715f9f359e

SHA256
e290f8d7031f82007b91cf3082825540f0a6585065dd0ae8f467fefe4d81e4fc

SHA512
09a1485cb7c4580e5094c4d6f08c5b10c567b6ffa6a6b7f7b80d8fcc5ee0ba88091432530f1b01ee09b0cd15a6e387e5557d843d91b0273bd0a6bb1a550f2efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\CdiResource\themes\Default\diskStatusUnknown-100.png

Filesize
721B

MD5
c1ce67fb776dac5793910f863c5ea96f

SHA1
cd007917fc199a30001a8d0caf1ac1b0d3461df7

SHA256
5ec1b8f09bc590ee7b93c88eba131579b5acd921db4efd44a1003e160f9c055b

SHA512
1556ebe02ef6f63ce2b0377547eb3e919298fda10375da4d2dfd3b5c772b79c1f7c71d322373c366e534680c07de9affc22844f8ad7bfccc6e0b3c3a09694478

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\CdiResource\themes\Default\noDisk-100.png

Filesize
137B

MD5
aca9c4d69b8c4779167452f77f415a9a

SHA1
d40806f8ef1a7cb989dfbe9cfb4b3be717a47292

SHA256
0229291a30857f8ce7499e7f9a6ac30be452419bd5327b98468deba097ae76ee

SHA512
91652e2bdb710a11c25e78a8192c0da52538690e2743ba2f228e29279e0175d02e30ee01e4213b866552c4cf4e8c18ce687da13bd64d4ee554054f2efbc2df8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\CdiResource\themes\Default\preDisk-100.png

Filesize
1KB

MD5
b49a97118724c54530d4c4eaefd729c8

SHA1
102187b9534a2c6359d37b68f9509e0fd227b473

SHA256
4358ec9b50bf01820f6037299941916c196616fa08d8150b57607957cecda485

SHA512
5a5ab0d9cec7aa61b99cb1b3742df2acdadff43cb12dcdc48cfea95eb9479ae4c5673870f2b85560ed3285961837fe0c4eed3e31f1ada33fdcdcd23336dc236c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\CdiResource\themes\Default\temperatureGood-100.png

Filesize
2KB

MD5
73254517a6033adcaf4b35f2beb364df

SHA1
00f8e72d371bf377e910804a7e1348c6351db1d5

SHA256
18a675e519cf07fcc3447b8dc318576b0181d81cb668b60ddb99cfad19a73604

SHA512
71a8c08ce0ad19de4699e926479a457e0c7ea89bba8da5d33c87becac3c90634553cdea33dcf7c2d6d86b56c02618221f06cd6e9bdd775b2000450f3fd9fd176

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\CdiResource\themes\Default\temperatureUnknown-100.png

Filesize
1KB

MD5
88b4976e1a7618d1bad04673d382fb62

SHA1
37717ab939bda51d66b14eaa46f0cde97226f6c1

SHA256
3b5c53c752b6155cfc66917b2cd8dabdb43cce1f98d623dd39342655e60d076c

SHA512
f159ec4b2518b5022a66ba896c38d92c69f7a23fb847dbbdca3026e1f22dc5ddee04432c20a30f684b7de5ea4f4bc8233c8bb1d5e47b5ae7cad107dafa471a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\CdiResource\themes\Default\theme.ini

Filesize
267B

MD5
ec7be8d591e7fc9b16b7700fe78f2d1a

SHA1
a167edd91f9f0bce9b9d93785e683942bd7dbde2

SHA256
2b95db1daf862a5c38c8628fdf941512004bcea7b56b22e44fa52709e57c6ddb

SHA512
d884e807e773bfb48bfe6c26a99ad7e9316bf4aea08bda148e84fd2922064a46696d830b327dee24eb0d8db3ad9e6d93d62f3965e6cd1c64330f5abc5015b8ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\DiskInfo.ini

Filesize
427B

MD5
bc5e5fab19792168d68cb761f4a26b8a

SHA1
7a828d2af0e225848ed1a2eee480429a90bb9bac

SHA256
71017bf2084b5fe57eeea62793aa17b05e5929a4e44258eeede86e45dc336f77

SHA512
77047139184074e5862287221413cd41867154a749c670bbec5ebbd664a58f0c11db0ab2423b088ca310ef6d00b6233b153455ce87f8e39de5875bebf6bb7412

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\DiskInfo.ini

Filesize
508B

MD5
b984fe2604a378707875ece68d50852d

SHA1
18524f71ff485d55888484d77daa8914a707fca8

SHA256
7f9cd11e657b4cd750f98838706f7fb22e8f5759253ee7d75442a05de3d63237

SHA512
885a48106657949210c34cda4c89da846ee8640e74ceb05f2597272903ddf78ab22cdce3003005e66c1e910ca09d89030dbc1f1e8ffd738370ef8408add482ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\DiskInfo.ini

Filesize
510B

MD5
6286f51fda4828ab829322721c11cdad

SHA1
44ad9ddf57b2c89c465bc4539ae16282ae3e099c

SHA256
54363c2e08ced088df9500e53d2c8d330b89d88cb8cd68e48f91661ce7335cf5

SHA512
d8b32e55825cb8f6d5227062f2cc382bcfe50cb411494c6bf7bee4a65ff87f73e0c2dc3466e82c439d4942c8167459560673d2721c8dc7ab95e1a5476e7cbff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\DiskInfo.ini

Filesize
349B

MD5
21aec8298e081c15c0cc92f60ce6548f

SHA1
2a37140b11ed7dab3935a75631a151ed3e6c80f9

SHA256
5615d5e7e096f095417dda7d5dbfc0bb9724ec2f16e5d9f4538628aaf032ac31

SHA512
7c920408a807d5739aa071d036702dc4d1479d08d3d2853cf07277e111e2046bdeaedd6c6424e7cbbeebd3b179f6202de451947b19df73fdb01e5ef197ffd0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\DiskInfo64.exe

Filesize
2.7MB

MD5
96200b88971d97359043512cfbcb9b65

SHA1
07b97037ae3ee3cd9f53807f6ef10d8c1e73ba61

SHA256
8e239e599b6f49e7094cf7d8989413a7504a4cf43ac248c7f46e6a2948561f6a

SHA512
7d9738372375ec5f0143019bcfe488d9651d4de8d93cd09f5ae758780a5adf65fe2212ea01546b4ec3807d9169b741798f61404b41e1a45bac1ca4d1ea2313ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\Smart\WDC PC SN730 SDBPNTY-512G-11012047D4454411\03.csv

Filesize
23B

MD5
8306e4492ce23287a799b2e0c73dc768

SHA1
a359368340a83fcc415436c59871edd6aa3a6a5c

SHA256
cbbe0c5196478fab22d4536b7661b48579bc330bfc62587103a07e3c4f392e1c

SHA512
7dca559ca0263d3991d59a66977f29c75c7720068e3fae76c5d70e04194bab5ee1117da5f0cb16c03c1eca85f56c2387bc4d11cbfc3d9ba0158303114579b695

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\Smart\WDC WDS100T2B0A232138804165\09.csv

Filesize
25B

MD5
49deedb715b0d957050930a4e81425c9

SHA1
e2b2611c9461d94e75c3ca7c5e480c21552f1d92

SHA256
342036464f78e0f25b7bba261e181d1e69650cb75b196517653e1d95b1c83c33

SHA512
3e7685a7931b56cac4735a8451a4bba2cb375de82492000c2442ad0bb634ee1abd6d2beba65ccd82ceb2ca1744ef9902bb855a8fa3847c945d6eeacac1b467f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\Smart\WDC WDS100T2B0A232138804165\Smart.ini

Filesize
262B

MD5
528bae60a92900ba9403029473cae074

SHA1
1914ec6141b9e2dcdffc45e2464f446feef60008

SHA256
b35e73de33a3d8bab00e4d17bc1b0c3206045b79754ec20f9874c5c43a5af0d4

SHA512
4ddcf8bff8d2248277bae7b634f852b2854d41c6bcf163d811d4057b4468d076df4582c08f1ef25941075b4a461343c0f568159c7bbddc01ba110d8c21011b75

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\CrystalDiskInfo\Smart\WDC WDS100T2B0A232138804165\Smart.ini

Filesize
502B

MD5
96ebfaf4dd9f56b2402fc9b954a483c8

SHA1
c2b02fdaeab90b553a242514917d474545a997a6

SHA256
ccdfb24efbc2358f1dae509dd9f122eda5c4017e8d9908e839ad9cfc045c0549

SHA512
d9f1728b93f17c1c1b42275bc630938228e3948ddd5c0307da645ed7dc94abc7f3de7709f869cc494b1a5b95888b2ece173b3a51837776ee0d3410477f151b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\CrystalDiskInfo\CdiResource\AlertMail.exe

Filesize
81KB

MD5
b8369f93200cddfd93e46437a1b099e3

SHA1
3f7c589dcd36f733712a1e94611bd39ba7e11971

SHA256
abbb2bd38f8e5cfd1fca428e27de421b77beb09f7bb8fdb7d91018a6bce7b098

SHA512
7cde6064e5095fcde14128aada6c54168173b0b33b2f11783c6e2eab6b1735d5f834f38a9f034c584d9e781fd7bc8155a3fc1552b950131b3f011478c706457d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\CrystalDiskInfo\CdiResource\AlertMail4.exe

Filesize
81KB

MD5
4ca37bcaa4e6d83e7d25be1dae022f41

SHA1
14625ad67ee56c166e329ca6e6fc992fef1a7fe5

SHA256
aaae342e4c84a3540a1220b9ed6d8ed215ab71c05df862349c1980bc044f7f77

SHA512
019762e0720158ae4b66fdb27541b4d5b6b00e6b1a6f6c0364677c37bd8f2e378dac6026239c66a5a7654612acd985e5a666f29739d28de9059fca6a2cfac757

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\CrystalDiskInfo\CdiResource\AlertMail48.exe

Filesize
76KB

MD5
dd8ff21bfa0454fc8a0eae1567ffff5c

SHA1
266a24c1a78cd06504ba88055313de2ff13d8673

SHA256
0e4ee8b55078581ebf642e51690049de857200f48d35073cd5f852868ac8cfd9

SHA512
fce812ca9aa9fc5e5169e5ccf3e6d74fbc315792facff628b6a0af4c97813b01a9daaf2a80e5bf5685ddfe7589dbe11f018ee48e89040d9d4ac250785d17caaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\CrystalDiskInfo\CdiResource\dialog\flot\excanvas.min.js

Filesize
10KB

MD5
08182065d2093c978a9bfa16b0829173

SHA1
b72f4f5b78513de55e61ae0f8804757b7be97d9f

SHA256
5f94b032a110504b7b261eaf71392fa3e8d82cdc6455c0cba5c9f03cd34ed122

SHA512
73edb75f889493c40765f8c34ae02746afab14f98585639279ead7f87232c98122adf9eaeb8d4e585ca45fda9a9b272f126c239a9acf50cf02a77c3e889e6112

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\CrystalDiskInfo\CdiResource\dialog\flot\jquery.flot.min.js

Filesize
43KB

MD5
f1843acdb53f2c88903f89e4e175cd32

SHA1
6fe88ea552177f7117dc4cffecc5cdd53a250234

SHA256
8a0f1dd79995a9308cffdcae12445d9f727d66a450ef5158280e0724de55c32f

SHA512
1a0c7e84d6edd2678624c1b9bf4b4cf3bf2c897ae3c5d75a08199f96dd2c9d03b77a43851f033f2ae9cca197f6cba1d996730ceffbdbf5a78aa31ab7d2c5bf48

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\CrystalDiskInfo\CdiResource\dialog\flot\jquery.min.js

Filesize
54KB

MD5
a9331828c517ac5d97f93b3cfdbcc9bc

SHA1
1be9c3684054001f53fa7ff6d85ec3cb573a9cd2

SHA256
d548530775a6286f49ba66e0715876b4ec5985966b0291c21568fecfc4178e8d

SHA512
403b7c0dc179ee12b85b76885ecb9a16e1e538572ad866a943f404f674dd3ca8c626b1cb2729fb720a6db3eba4e6ac1ac1de875a4d598f1b76337366d33bdba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\CrystalDiskInfo\CdiResource\themes\Default\nextDisk-100.png

Filesize
1KB

MD5
dc3be62f884c9b96af9a3d5b2a937cb6

SHA1
7a06d204ea1bb9130845305face66d7f74efa2e5

SHA256
cb9099db8ccb5d69db902858ebdd0657667fdc4c2ac1b8211b0d2503be18639a

SHA512
2b8163d191793ddda76ce36c08d87b343dd528ca042cfb795a816b96c8d7be90d584a34e4734d217a24ed54db1ce11332108540bd34baa64778f785c0bcd4a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\CrystalDiskInfo\CdiResource\themes\Default\nextDisk-125.png

Filesize
1KB

MD5
f4fc4c73e6029a2aaefee1845e6a4816

SHA1
7c74e2ef733c3b1895d3a16cd307ccc567523803

SHA256
86057c11b3e056f46e45ec63a802622ae5ce688634761af1f40c94f60d226797

SHA512
93d555a41f53544579fd9254c0a6717e2359b501c9a240d486488d1f2ff1f91452e392bbfaeba469cef60178e6b3738470f2ebc97759f8dafcdb592b5d0009c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\CrystalDiskInfo\CdiResource\themes\Default\nextDisk-150.png

Filesize
1KB

MD5
51f91ab993fae36ef3f9f0a46b90842e

SHA1
d8a09405f80a5e4040a5e14a70827e192e3155d4

SHA256
51b01e57d1b6a8d29ebcd3d23bf8142dcd51e8851604e0f15d2a65cb43e9a7ba

SHA512
f74b4cc69b3ab0d13fc3935a9cbfcb41da0a77dfdd3b98597bd02f79daa2dd2aeda3745a2fde58047f2738f1c360595f2eeb726f21579dcf74f9f7c255801c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\CrystalDiskInfo\CdiResource\themes\Default\nextDisk-200.png

Filesize
1KB

MD5
ebc5b548b45b30f10ad68bbc3d4504e7

SHA1
de691abd523a14f55618b532d5ace2f4dfb24c4e

SHA256
2f9f607262966e9d2f9542b1075982e40342e2bc12206f19fff22e570ff37214

SHA512
a5a40618fdac6850b274aaf32c32763ae2e614996e5abc5b2b125162f3895451b694d6fa89eb3ab4c9048b2fb9027a82ba29e3494f8bc142f133113bc3b1f453

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\CrystalDiskInfo\CdiResource\themes\Default\nextDisk-250.png

Filesize
2KB

MD5
665680dbd59e0df574330ea25c6319d8

SHA1
86236c8d6186ee92e0e8aac2cfb81aefac83500c

SHA256
d463f40cdabf71e4365358223898c3bda1a21df452be2e62d2b52a8642f2bce2

SHA512
e38456c8e34c28671e62d320469ca21ca366dead788668244c6cadb06085adf8f5467f5b1d3c7d3e5b731efacf5925b6e93024a70e81e77c686ec3838ba724cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\CrystalDiskInfo\CdiResource\themes\Default\nextDisk-300.png

Filesize
2KB

MD5
41644a7d381ad8dc33ce155c70493be0

SHA1
2e4bfa2660d07bde2f77198b4d82d1befdf993b9

SHA256
f8d4c3f0998261075801e5f1068507f7f28ee4d5ed29123150fd22e89fb88feb

SHA512
380aaa43164fbf56c555db9c94acaa015a15bf7e206092010399becdd0705fb1d3f986d246c07e456a00496fe68411b0831c8053e8b7f6108a779e4e6721041b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\CrystalDiskInfo\DiskInfo.ini

Filesize
329B

MD5
d983249099bce500262fa632baebf218

SHA1
d3bcda5de44b406ec26b6bfd9b3c42d22ec8c39a

SHA256
eb9e821df2dbd7fd1db2088a65bbdec739139850ad00ec50778c0937b3b2f7f6

SHA512
993e6ce6801130fa7f0dd675767a9681aec7cccdf6045c04a23de6b2c0f815bda2ce3376753310dbf8554b0e64b6371ce21a56e2e1d0313399b5c010184794b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\m27LrWhB.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_6df4d2f3708e6c56adb14bf17255abbdac61830549424fb443084775ad68afbb.exe

Filesize
2.3MB

MD5
cb17bc93675499d5725c279d6f8654d5

SHA1
5f6c04ee0839da3a5a0dec0cbf0dfa51fa91166a

SHA256
bbc9a3bdbdeecf6ad089c4af19a9876f3bab86cef3929fa154375f68770d004f

SHA512
e909db53616de4e2c4a6335a0dbe4caf37d220399410b972230baed6fb2b1fc81eb72e3a343e93f5c26b18c72f7a7c290be542bdb7ecf878b9c672c463234503

Download Submit
memory/844-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/844-6-0x0000000003D40000-0x0000000003D69000-memory.dmp

Filesize
164KB

Download
memory/844-212-0x0000000000400000-0x0000000000718000-memory.dmp

Filesize
3.1MB

Download
memory/2140-915-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2148-538-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2148-1165-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2720-1183-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2720-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2940-1186-0x0000000005040000-0x0000000005069000-memory.dmp

Filesize
164KB

Download
memory/2940-1185-0x0000000000400000-0x0000000000718000-memory.dmp

Filesize
3.1MB

Download
memory/2940-535-0x0000000005040000-0x0000000005069000-memory.dmp

Filesize
164KB

Download
memory/2940-1270-0x0000000000400000-0x0000000000718000-memory.dmp

Filesize
3.1MB

Download
memory/2940-1311-0x0000000000400000-0x0000000000718000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads