Overview

overview

10

Static

static

10

48262173c4...54.exe

windows7-x64

10

48262173c4...54.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-12-2024 06:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe

  • Size

    3.1MB

  • MD5

    5286bdb9041867beb47e916e4f69b1b5

  • SHA1

    4d4ecbb6f3f0fc305660caca7a57decd156a5fc9

  • SHA256

    48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54

  • SHA512

    61932b014263fcddd5e42061fc3ca7a4074b552d9775bd080bd1e3102738fef6d3db654d8c14c6b638d706fed8183b67a9cc47afb239afe028b536dfafadb514

  • SSDEEP

    49152:RCwsbCANnKXferL7Vwe/Gg0P+WhjtDsLnsHyjtk2MYC5GDe/Q:cws2ANnKXOaeOgmh6Lnsmtk2aRQ

Score
10/10
gh0stratpurplefoxxredbackdoordiscoverypersistenceratrootkittrojanupx

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Detect PurpleFox Rootkit 8 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 9 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Purplefox family
    purplefox
  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Drops file in Drivers directory 1 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
    persistence
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe
    "C:\Users\Admin\AppData\Local\Temp\48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4988
    • C:\Users\Admin\AppData\Local\Temp\R.exe
      C:\Users\Admin\AppData\Local\Temp\\R.exe
      2⤵
      • Server Software Component: Terminal Services DLL
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:4408
    • C:\Users\Admin\AppData\Local\Temp\N.exe
      C:\Users\Admin\AppData\Local\Temp\\N.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3112
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:3056
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1372
    • C:\Users\Admin\AppData\Local\Temp\HD_48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe
      C:\Users\Admin\AppData\Local\Temp\HD_48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4068
      • C:\Users\Admin\AppData\Local\Temp\._cache_HD_48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_HD_48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2952
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3588
        • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:3576
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
    1⤵
      PID:3908
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Windows\SysWOW64\Remote Data.exe
        "C:\Windows\system32\Remote Data.exe" "c:\windows\system32\240614937.txt",MainThread
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:4976
    • C:\Windows\SysWOW64\TXPlatfor.exe
      C:\Windows\SysWOW64\TXPlatfor.exe -auto
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Windows\SysWOW64\TXPlatfor.exe
        C:\Windows\SysWOW64\TXPlatfor.exe -acsi
        2⤵
        • Drops file in Drivers directory
        • Sets service image path in registry
        • Executes dropped EXE
        • Suspicious behavior: LoadsDriver
        • Suspicious use of AdjustPrivilegeToken
        PID:864
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x3ec 0x4e8
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:920
    • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
      1⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4560

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\._cache_HD_48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe
      Filesize

      27KB

      MD5

      953e9a0a96753d35e10fb466cf4387a5

      SHA1

      a85cbd2b507b19b6b546c92d505c3df46a464453

      SHA256

      75ace23350072600b50db92bd03fa26a3ee3d53aa50a7a93bee4f2346bf60fd3

      SHA512

      4bb518bc8d75dc8f402d3ae0093e0b39a82e0a1664d066739857eab1369fa93d44985f43baf75e303b915016a6550ebe226dc5c3545516bddaf4ac52dbffe633

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\EC875E00
      Filesize

      27KB

      MD5

      6d1d48a2f817397abf78a9ae6c34ebe5

      SHA1

      420860c98701a527ff504e587cebcfbf88816f4f

      SHA256

      e6b5654b97d9a5f256021d83c1adc778e47b9211e09b297ee55064a143831909

      SHA512

      8b30561c71df0757ab10ea7f923014eefbc8c89db1690a9c738953fdcd14cf29af57b7210d07658ac068ebc4d050674d802bb34e7eab5b860fa31409ba1c400b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\HD_48262173c477c0f240e198121b73381fdecf29968b1d33f8fea32dae9d09cd54.exe
      Filesize

      780KB

      MD5

      81ee1e4e5c7ba69b8aea91fe4f12173c

      SHA1

      bae1f4d7cf67666e9d3e52f6b107ec3e7873d0b2

      SHA256

      d65bc856c5d9ed02b20ad7a7671beef5414e69839dbcfa2f8e7230fcaca439f3

      SHA512

      1d7419205aa40306e2cdf0d0680be30e9d5244278f5a537df895cbafbf3b09a344fcf967460ae2b498c8e5bed15be6fb87b2da99238209482131b6602847d787

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\HD_X.dat
      Filesize

      2.3MB

      MD5

      0445d52b514f03eec8e7305e86ba08ec

      SHA1

      e2f8da8a0e68e9b409289dba3993ba9823d27ba6

      SHA256

      12fde7642f171352ea88427887f8ea5cbdc75a4e69a281715feb03e1cd978fab

      SHA512

      2e2e0e2e850abde574e7b35c5d7879847fa3d16d3e2c15d5233027172945b486863adfc61d1709d30b372f88709836b58589ca9338e1de56d39cee85a7c568dd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\N.exe
      Filesize

      377KB

      MD5

      4a36a48e58829c22381572b2040b6fe0

      SHA1

      f09d30e44ff7e3f20a5de307720f3ad148c6143b

      SHA256

      3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

      SHA512

      5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\R.exe
      Filesize

      941KB

      MD5

      8dc3adf1c490211971c1e2325f1424d2

      SHA1

      4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

      SHA256

      bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

      SHA512

      ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\TeBgI4gB.xlsm
      Filesize

      17KB

      MD5

      e566fc53051035e1e6fd0ed1823de0f9

      SHA1

      00bc96c48b98676ecd67e81a6f1d7754e4156044

      SHA256

      8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

      SHA512

      a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

      Download Submit

    • C:\Windows\SysWOW64\240614937.txt
      Filesize

      899KB

      MD5

      ee891a88e64f067b5acf5bdbf59c87d5

      SHA1

      c4e9a12d68518167740b56509c2dc784a41d90b9

      SHA256

      0a8132346967e0e819ec8565d4c5cd802bd3c3efc789071ac5cb7489138b74fb

      SHA512

      3d92a2edb516e5677f94763bd9a20dde665af00046f8731be788e5bb3cac4060aa7ce74036d330db52684fb844b738465166f5541c783c06f00817461ddeb09c

      Download Submit

    • C:\Windows\SysWOW64\Remote Data.exe
      Filesize

      60KB

      MD5

      889b99c52a60dd49227c5e485a016679

      SHA1

      8fa889e456aa646a4d0a4349977430ce5fa5e2d7

      SHA256

      6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

      SHA512

      08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

      Download Submit

    • memory/864-42-0x0000000010000000-0x00000000101B6000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/864-45-0x0000000010000000-0x00000000101B6000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/864-40-0x0000000010000000-0x00000000101B6000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2692-26-0x0000000010000000-0x00000000101B6000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2692-29-0x0000000010000000-0x00000000101B6000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2692-28-0x0000000010000000-0x00000000101B6000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/3112-19-0x0000000010000000-0x00000000101B6000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/3112-17-0x0000000010000000-0x00000000101B6000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/3112-20-0x0000000010000000-0x00000000101B6000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/3112-23-0x0000000010000000-0x00000000101B6000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/3588-292-0x0000000000400000-0x00000000004C9000-memory.dmp

      Filesize

      804KB

      Download

    • memory/3588-261-0x0000000000400000-0x00000000004C9000-memory.dmp

      Filesize

      804KB

      Download

    • memory/4068-158-0x0000000000400000-0x00000000004C9000-memory.dmp

      Filesize

      804KB

      Download

    • memory/4560-198-0x00007FFD314F0000-0x00007FFD31500000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4560-197-0x00007FFD314F0000-0x00007FFD31500000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4560-192-0x00007FFD33E50000-0x00007FFD33E60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4560-193-0x00007FFD33E50000-0x00007FFD33E60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4560-196-0x00007FFD33E50000-0x00007FFD33E60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4560-260-0x00007FFD33E50000-0x00007FFD33E60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4560-259-0x00007FFD33E50000-0x00007FFD33E60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4560-258-0x00007FFD33E50000-0x00007FFD33E60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4560-257-0x00007FFD33E50000-0x00007FFD33E60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4560-195-0x00007FFD33E50000-0x00007FFD33E60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4560-194-0x00007FFD33E50000-0x00007FFD33E60000-memory.dmp

      Filesize

      64KB

      Download