Overview

overview

10

Static

static

10

2024-12-30...id.exe

windows7-x64

10

2024-12-30...id.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30-12-2024 12:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-12-30_26d0b51d199c4fa8fe11a3df6070a513_icedid.exe

  • Size

    3.5MB

  • MD5

    26d0b51d199c4fa8fe11a3df6070a513

  • SHA1

    6a675c9a102b478cce0acd17af1744c4b31e1d50

  • SHA256

    8b39f3df619fa11eeffc6e19c7b73f5057e42827c307050743bf33fd2fc5c651

  • SHA512

    129da39094733df8294a4a04a705a3a16986e38b03a9325d9dc7fdc2585cac09c82eb05da69032ebdc91437c57e8cc126ccf8fbcf68548c137130880dd6b9732

  • SSDEEP

    98304:TmIlfqCwgm/NulxZJt4HINy2LkCKZxknsmtk2aK:TR5wTNEiINy2LkBvKLV

Score
10/10
gh0stratpurplefoxxredbackdoordiscoverymacropersistenceratrootkittrojanupx

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Detect PurpleFox Rootkit 7 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 7 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Purplefox family
    purplefox
  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Suspicious Office macro 1 IoCs

    Office document equipped with macros.

    macro
  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 16 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-30_26d0b51d199c4fa8fe11a3df6070a513_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-30_26d0b51d199c4fa8fe11a3df6070a513_icedid.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1152
    • C:\Users\Admin\AppData\Local\Temp\ser.exe
      C:\Users\Admin\AppData\Local\Temp\\ser.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1232
      • C:\Users\Admin\Documents\kjtkoqbj\serevc.exe
        C:\Users\Admin\Documents\\kjtkoqbj\serevc.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2720
    • C:\Users\Admin\AppData\Local\Temp\_cacheaw2024-12-30_26d0b51d199c4fa8fe11a3df6070a513_icedid.exe
      C:\Users\Admin\AppData\Local\Temp\_cacheaw2024-12-30_26d0b51d199c4fa8fe11a3df6070a513_icedid.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2480
      • C:\Users\Admin\AppData\Local\Temp\RVN.exe
        C:\Users\Admin\AppData\Local\Temp\\RVN.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2712
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:1656
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 2 127.0.0.1
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1832
      • C:\Users\Admin\AppData\Local\Temp\HD__cacheaw2024-12-30_26d0b51d199c4fa8fe11a3df6070a513_icedid.exe
        C:\Users\Admin\AppData\Local\Temp\HD__cacheaw2024-12-30_26d0b51d199c4fa8fe11a3df6070a513_icedid.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1696
        • C:\Users\Admin\AppData\Local\Temp\._cache_HD__cacheaw2024-12-30_26d0b51d199c4fa8fe11a3df6070a513_icedid.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_HD__cacheaw2024-12-30_26d0b51d199c4fa8fe11a3df6070a513_icedid.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1312
        • C:\ProgramData\Synaptics\Synaptics.exe
          "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:476
          • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
            "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2136
  • C:\Windows\SysWOW64\TXPlatforn.exe
    C:\Windows\SysWOW64\TXPlatforn.exe -auto
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2600
    • C:\Windows\SysWOW64\TXPlatforn.exe
      C:\Windows\SysWOW64\TXPlatforn.exe -acsi
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Executes dropped EXE
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:980
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2164

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\A3Yvwm5Y.xlsm
    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\A3Yvwm5Y.xlsm
    Filesize

    28KB

    MD5

    81af6da9825c46d34680bebabc198ca7

    SHA1

    464e34a8b7cf98c01971455f5998fa776b38124a

    SHA256

    670f21fe97394e24af886b905fda695545a4651a9f21cacfa52d1f46699b176e

    SHA512

    f791a98e4f724daf350fdb77a627bfacfdd0140724a538cb08e7cde4d43f6854db33d9b67bfa456e3be380a66f3e968dc3db0a2674a803843b7db1d02d65aead

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\A3Yvwm5Y.xlsm
    Filesize

    33KB

    MD5

    1122832b25f2ad44b8806f34ab080f90

    SHA1

    db941cfecdda714fb654b3b217ca1f42e4c43002

    SHA256

    e8589d9a90b56f2e42b54532741e00f908d9faa34b98435320f15a2c493531c9

    SHA512

    0875d58a74d14cbd96633fae37a2f71c4df8a3a1085b0bbf81a575a4420f10ac5e65ed785cd0bd660ff29b1a8de1bafd03676dd807616b6bae7f72915be6e50f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\A3Yvwm5Y.xlsm
    Filesize

    31KB

    MD5

    711474f5330ce6c89e78a32b60a71cc3

    SHA1

    54e2f2e24dd8a4e58eb0caa374c28a48839dafac

    SHA256

    d21ac25e8cfee5ac831c71b0bc0d0c7a54ba62df4c330589dcaee7a5558cc8b0

    SHA512

    dfeebd8b1c39445db42a57a2ed5259e70ce6db283add86f998f89700e1482bc30967745efc72bd2e8576efa1d3eddd82ed372e413b0b798fd6889d554a5ea670

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\A3Yvwm5Y.xlsm
    Filesize

    31KB

    MD5

    56d9b5ddabee13dc3a77226cd856297e

    SHA1

    6358291cc6d5b79661e70ec688d701705a86e220

    SHA256

    0b1a57e9378a2759a05389437ac1221bb9cbd7f662a3155c5eb600d5f5051e36

    SHA512

    892e72458db1551c78e2e8f3addb013537e052700cf8aa2b96d1fcd5ffd510b8e9ebeafd0b14100527099b196c717bd165d15f6ada86f2376fe84a4416b3ff9a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\HD_X.dat
    Filesize

    1.5MB

    MD5

    43a309d76c3bb4a91e3d464b2adb1a70

    SHA1

    d12fc070e16edf51a1dbe8621fd3e1b2c4be60d3

    SHA256

    10801369a0b307d0b9abf07dab6a92263b7c66fa6fc66bb6d0c86260d2fba649

    SHA512

    6925d0cc83c2d8ca52fa58d49d98e94b667ec68d6e2de68d6bf3f3a406bc027a2db7f1aa3e5f4b13c84503d488b9d7392fcaf61e548dc27ddb102e45d327b9c4

    Download Submit

  • C:\Users\Admin\Downloads\~$InvokeRepair.xlsx
    Filesize

    165B

    MD5

    ff09371174f7c701e75f357a187c06e8

    SHA1

    57f9a638fd652922d7eb23236c80055a91724503

    SHA256

    e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

    SHA512

    e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

    Download Submit

  • \Users\Admin\AppData\Local\Temp\._cache_HD__cacheaw2024-12-30_26d0b51d199c4fa8fe11a3df6070a513_icedid.exe
    Filesize

    89KB

    MD5

    fd5137d1998bf8fcbab832123dd72256

    SHA1

    155e5dd08ecbe6483167f596c927208f4cca8a39

    SHA256

    86ee28923d4e7255762442fe93f220237197a756182ce320f5f6887b5c7147c5

    SHA512

    fd9270902cec43a84048a0e90ded14e56c9bae46ef067081d10784c82ec1a0ef7dc605b11d8819c9c5d75dea342df8a419bdd61f8ef7411c25fee932038ea465

    Download Submit

  • \Users\Admin\AppData\Local\Temp\HD__cacheaw2024-12-30_26d0b51d199c4fa8fe11a3df6070a513_icedid.exe
    Filesize

    843KB

    MD5

    db06bd4b57933fb4dd26188ab9a013c7

    SHA1

    24fb49c4fbe2993e96595d1085dbae18d8a73db4

    SHA256

    5d3ccb3cf874eed6dabe680217d17a22096711ddfe184ecb825cf66b46837600

    SHA512

    cd20b5a3abc4b649ae490553e8ef4973a25b77cc6fc669f096928737eec359fdb53e00985314f14f94d3598bebf119ac17c760ece3cb45a0a56bc36c3521a784

    Download Submit

  • \Users\Admin\AppData\Local\Temp\RVN.exe
    Filesize

    377KB

    MD5

    80ade1893dec9cab7f2e63538a464fcc

    SHA1

    c06614da33a65eddb506db00a124a3fc3f5be02e

    SHA256

    57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

    SHA512

    fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

    Download Submit

  • \Users\Admin\AppData\Local\Temp\_cacheaw2024-12-30_26d0b51d199c4fa8fe11a3df6070a513_icedid.exe
    Filesize

    2.3MB

    MD5

    273744044bbc6e49baffda91a9dd6b38

    SHA1

    1088749a1051fc3c909959cdcb8c8d6a1d8af316

    SHA256

    8bce0ecd1f7422ffac9920986b14355edda1822c4cb8e7141e5681faf6e2ee50

    SHA512

    e077864cebcc5305f1f5c7c4d6380a84b6cd304a8fda198609da77d1d19d2bb2298ee3a1861cd8854e10c48f9cf9d44612aa6ea6f98bd82a2bb5645e96683daf

    Download Submit

  • \Users\Admin\AppData\Local\Temp\ser.exe
    Filesize

    403KB

    MD5

    cf686da098fea0536081545bc9276c35

    SHA1

    3ac479814a342211e3337c183d62c24441ac172a

    SHA256

    73c9a3ac159d8b5c797961d5502e2595c67d38d401957f749d811f0657777051

    SHA512

    7667040de8df22b37a88c95e37b04c5ca986487098d396414cec8e233304030e75e21d120d7d88810e1bf8079de80f0cefdcd67a1e54ff5b628a70da72cd944d

    Download Submit

  • \Users\Admin\Documents\kjtkoqbj\serevc.exe
    Filesize

    828KB

    MD5

    306c2108078b5250a1b8f3f86b820c81

    SHA1

    ab593ec5deec94eb622b5ed791aa4970b6d23903

    SHA256

    70d5b90cdd1686c42cd57bf514374628b1fe3803aa79b2033a4b9a73736027aa

    SHA512

    0fe75494676a291477a51181e65fa23458473e7112dc8dc012dc98e281aea1523a2f2bbeda43531009d249cf55639b08e984c2ceab8a10fb433f04e18bff611c

    Download Submit

  • memory/476-274-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/476-224-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/980-119-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/980-61-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/980-60-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/980-58-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/980-65-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/980-72-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1152-9-0x0000000002150000-0x0000000002312000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1152-8-0x0000000002150000-0x0000000002312000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1232-39-0x0000000000400000-0x00000000005C2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1232-11-0x0000000000400000-0x00000000005C2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1696-127-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/2164-144-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2712-32-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2712-35-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2712-34-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download