Overview

overview

10

Static

static

10

456c524f08...00.exe

windows7-x64

10

456c524f08...00.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/12/2024, 19:41

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    456c524f089c0148e37dd1df2bc52bb9de249fa0c7bf7f708b7c2138b006f700.exe

  • Size

    2.3MB

  • MD5

    ad899b402ed0b7312a06655e39cad09d

  • SHA1

    0dceb8f1743f3d4d927bda6ac389379dd589561c

  • SHA256

    456c524f089c0148e37dd1df2bc52bb9de249fa0c7bf7f708b7c2138b006f700

  • SHA512

    026f77794c95c8f6b1fb74035f98848aab6e07c9157462c260b711ca6ebd67c0a3b1e99a917f534ad35a21d130bbe45d36f21d14ab46225ce310d408696e2861

  • SSDEEP

    49152:M09XJt4HIN2H2tFvduySepEWoxvPnsHyjtk2MYC5GDW4:xZJt4HINy2LkeKZx3nsmtk2aF4

Score
10/10
gh0stratpurplefoxxredbackdoordiscoverypersistenceratrootkittrojanupx

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Detect PurpleFox Rootkit 11 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 11 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Purplefox family
    purplefox
  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\456c524f089c0148e37dd1df2bc52bb9de249fa0c7bf7f708b7c2138b006f700.exe
    "C:\Users\Admin\AppData\Local\Temp\456c524f089c0148e37dd1df2bc52bb9de249fa0c7bf7f708b7c2138b006f700.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1344
    • C:\Users\Admin\AppData\Local\Temp\RVN.exe
      C:\Users\Admin\AppData\Local\Temp\\RVN.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1908
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:2084
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4960
    • C:\Users\Admin\AppData\Local\Temp\HD_456c524f089c0148e37dd1df2bc52bb9de249fa0c7bf7f708b7c2138b006f700.exe
      C:\Users\Admin\AppData\Local\Temp\HD_456c524f089c0148e37dd1df2bc52bb9de249fa0c7bf7f708b7c2138b006f700.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3704
      • C:\Users\Admin\AppData\Local\Temp\._cache_HD_456c524f089c0148e37dd1df2bc52bb9de249fa0c7bf7f708b7c2138b006f700.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_HD_456c524f089c0148e37dd1df2bc52bb9de249fa0c7bf7f708b7c2138b006f700.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4468
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:4232
        • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2176
  • C:\Windows\SysWOW64\TXPlatforn.exe
    C:\Windows\SysWOW64\TXPlatforn.exe -auto
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Windows\SysWOW64\TXPlatforn.exe
      C:\Windows\SysWOW64\TXPlatforn.exe -acsi
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Executes dropped EXE
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:1500
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1288

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\._cache_HD_456c524f089c0148e37dd1df2bc52bb9de249fa0c7bf7f708b7c2138b006f700.exe
          Filesize

          35KB

          MD5

          0e20bfff0e17b23201c1ee8859a4e12a

          SHA1

          5969b0363421280138c65320061048b6b7036dfe

          SHA256

          075e7ac339e22a77101d227b139a2010b2e97126bb90a6c96cbdec887443da0c

          SHA512

          51c1dd7f970e3a91f73680e4ba8e0036e793def2f4d54476858d17e81bd105d5fc44b620f02ac0a4c66874adf8ff54fa60035eac82ff8c70b7cb902acb88b58e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\85C75E00
          Filesize

          22KB

          MD5

          d16db95ffd18e51c0ed578d0ac7c10ac

          SHA1

          376a556c3dcbd9493b922a50b49c28d40589fb4d

          SHA256

          c2fdbc80b1dcc28afeb6da1d6d9910ba634b2d26a71e30058fbe00c2b8ccaf9c

          SHA512

          0ccf0c106d9948d97523babc2b39c23ab720f7970ebb9e8f0a2830abfcf89c7ddc4ecd50cc113f994f6881ce0b5a132342887b7b2e26b60a5238f9f08ae9f0c6

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\HD_456c524f089c0148e37dd1df2bc52bb9de249fa0c7bf7f708b7c2138b006f700.exe
          Filesize

          789KB

          MD5

          515dd523ebda43dc027987f5cb27cc3a

          SHA1

          c93ab31c28c79f71ec13c58c20571461dec9b813

          SHA256

          7a27c6f5da069c41cd3643ed98359b976f7f548ac0f70745906f15b84cffd0b5

          SHA512

          4763f2df8de16931d7c15e28bcc76337e5f1a4686d4613bae9c9abf13617f5803574cd065b00012d9b5e6d0642d4b828b5adcc2604c117ef2102ef52d8ffb829

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\HD_X.dat
          Filesize

          1.5MB

          MD5

          d9d481674ffdea74865a6031479962b3

          SHA1

          07dbfbd87c719537e616f2347bd66efb3a9a5ae6

          SHA256

          44e5331ce62c8de6480bf05b1c22f4c2ae0ebd7f546cb8f50d078756162f11e3

          SHA512

          26ffff903de9f9f2e43d76648dbec786463759ff2fa5dd80a8ef47b58000682cc54e6b8c0abfce4ac22617a7a94b7fca958b0b770e1b7b5c14b53f936eac4e9a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RVN.exe
          Filesize

          377KB

          MD5

          80ade1893dec9cab7f2e63538a464fcc

          SHA1

          c06614da33a65eddb506db00a124a3fc3f5be02e

          SHA256

          57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

          SHA512

          fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\xBTSJNJs.xlsm
          Filesize

          17KB

          MD5

          e566fc53051035e1e6fd0ed1823de0f9

          SHA1

          00bc96c48b98676ecd67e81a6f1d7754e4156044

          SHA256

          8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

          SHA512

          a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

          Download Submit

        • memory/1288-218-0x00007FF7DCAD0000-0x00007FF7DCAE0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1288-217-0x00007FF7DCAD0000-0x00007FF7DCAE0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1288-219-0x00007FF7DA9E0000-0x00007FF7DA9F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1288-216-0x00007FF7DCAD0000-0x00007FF7DCAE0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1288-215-0x00007FF7DCAD0000-0x00007FF7DCAE0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1288-214-0x00007FF7DCAD0000-0x00007FF7DCAE0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1288-220-0x00007FF7DA9E0000-0x00007FF7DA9F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1500-25-0x0000000010000000-0x00000000101B6000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/1500-38-0x0000000010000000-0x00000000101B6000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/1500-43-0x0000000010000000-0x00000000101B6000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/1500-31-0x0000000010000000-0x00000000101B6000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/1908-6-0x0000000010000000-0x00000000101B6000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/1908-5-0x0000000010000000-0x00000000101B6000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/1908-10-0x0000000010000000-0x00000000101B6000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/1908-7-0x0000000010000000-0x00000000101B6000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/2208-16-0x0000000010000000-0x00000000101B6000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/2208-15-0x0000000010000000-0x00000000101B6000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/2208-13-0x0000000010000000-0x00000000101B6000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/2208-22-0x0000000010000000-0x00000000101B6000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/2208-30-0x0000000010000000-0x00000000101B6000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/3704-29-0x0000000002120000-0x0000000002121000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3704-179-0x0000000000400000-0x00000000004CB000-memory.dmp

          Filesize

          812KB

          Download

        • memory/4232-267-0x0000000000400000-0x00000000004CB000-memory.dmp

          Filesize

          812KB

          Download

        • memory/4232-316-0x0000000000400000-0x00000000004CB000-memory.dmp

          Filesize

          812KB

          Download