Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/12/2024, 06:41

General

  • Target

    492260b1dcdd3b08e8837893efee73216c77e7af428a6d0877885502acef8fba.exe

  • Size

    2.5MB

  • MD5

    2288dccccc744c0e17ae8b4a200336fc

  • SHA1

    2935f59c88801387ed400b0860362890aa07b42c

  • SHA256

    492260b1dcdd3b08e8837893efee73216c77e7af428a6d0877885502acef8fba

  • SHA512

    2903ee54996743a60beb77209091d35410e3abdaec1548ba581f6a3ef64954a26cf1fb3686bc7ff86049c4d19fb6f3fc973408aded034169965156ea177a729a

  • SSDEEP

    49152:M09XJt4HIN2H2tFvduySepEWoxvonsHyjtk2MYC5GDTrOO53RTqtiR:xZJt4HINy2LkeKZxgnsmtk2aIrOO53x

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Detect PurpleFox Rootkit 11 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 11 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Gh0strat family
  • PurpleFox

    PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

  • Purplefox family
  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Suspicious Office macro 1 IoCs

    Office document equipped with macros.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX or a modified version of the UPX open-source packer.

  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\492260b1dcdd3b08e8837893efee73216c77e7af428a6d0877885502acef8fba.exe
    "C:\Users\Admin\AppData\Local\Temp\492260b1dcdd3b08e8837893efee73216c77e7af428a6d0877885502acef8fba.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4532
    • C:\Users\Admin\AppData\Local\Temp\RVN.exe
      C:\Users\Admin\AppData\Local\Temp\\RVN.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4200
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:904
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3120
    • C:\Users\Admin\AppData\Local\Temp\HD_492260b1dcdd3b08e8837893efee73216c77e7af428a6d0877885502acef8fba.exe
      C:\Users\Admin\AppData\Local\Temp\HD_492260b1dcdd3b08e8837893efee73216c77e7af428a6d0877885502acef8fba.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4024
      • C:\Users\Admin\AppData\Local\Temp\._cache_HD_492260b1dcdd3b08e8837893efee73216c77e7af428a6d0877885502acef8fba.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_HD_492260b1dcdd3b08e8837893efee73216c77e7af428a6d0877885502acef8fba.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2812
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3420
        • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2180
  • C:\Windows\SysWOW64\TXPlatforn.exe
    C:\Windows\SysWOW64\TXPlatforn.exe -auto
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:708
    • C:\Windows\SysWOW64\TXPlatforn.exe
      C:\Windows\SysWOW64\TXPlatforn.exe -acsi
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Executes dropped EXE
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:5080
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4216

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\59D76868C250B3240414CE3EFBB12518_DED20A0F952AFF3092F4A1CA14DFAF28

    Filesize

    471B

    MD5

    ec29b6d68b432f9eff3ef8d4709a2055

    SHA1

    8d21afa630107dbe41427e770560f1658c1d61ab

    SHA256

    ab0b859a15ba4e90f219b1a563cb25ca309170c2d93cba77c20acee2402ce327

    SHA512

    206859f40bf46e19fe9d4331c8d7de8d72f617b3955e3bf7f3788ad37951e15f8b44c7377e29bfc44e35b3be8d3fa4a5c13df8e6d0d81ff651a054c7b74091f3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

    Filesize

    471B

    MD5

    c02ceb4c1f14793e6f2baaf4bf1ab5f8

    SHA1

    becfa28109fa73a2555ea04aabcaee316975e030

    SHA256

    90c35ce9eefa79c9c8cc0a465dcfab7c6bb7b05dd2596d7e114419db97e71ad8

    SHA512

    08a1938e734ad150d165dbb32cbfd3c3c0277a68ff72a38af7ac6e1689bf85864853311c35983b7a7a3056f8b0901ab465253ab9a8373158f7dc67e997e9937a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\59D76868C250B3240414CE3EFBB12518_DED20A0F952AFF3092F4A1CA14DFAF28

    Filesize

    408B

    MD5

    4cd51e4f0f2adfdf0105890efbfd152e

    SHA1

    ddc1b1f4fe37478e34e8d2920f737ff6cdcd07ad

    SHA256

    5d2773b2ada982d36608d5c34441669cf2e2d8c98b8a404b4fec281232596b11

    SHA512

    7a07843280f48e539c6b1eaecddbaf224d0a7639ce866ff29a4608e7dd978d08a5be80ddeab1e2e7e8633fb39bf98c7435ccd253283bde6b791ddab9a1712997

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

    Filesize

    412B

    MD5

    43bbfb3d2d605bd7199f6ad5801f7885

    SHA1

    49684148caa2215ee7c16c3b3a6ca182b7ef853b

    SHA256

    b33b869546ccd9fc85bb0abb73656d181a1bf4274be935aecde78162f35a3166

    SHA512

    1d577e2d4e56c5534e2aa620ced41205ff7447b54f79801946037eb25da7b1521782eb93ba580d29d53fefe3bdf0183fd6958a7a20e464d499704c3c0956c3ed

  • C:\Users\Admin\AppData\Local\Temp\._cache_HD_492260b1dcdd3b08e8837893efee73216c77e7af428a6d0877885502acef8fba.exe

    Filesize

    324KB

    MD5

    401d2bb1174f24689d0279ee0d4c4c85

    SHA1

    6182304eb212b5458f0c6b18c5d8bcd8da18c96a

    SHA256

    6fc6a0156e6f38b1d61ee39df837fa3f49e9f87807599dc9694582d7d646c23e

    SHA512

    ee0bedd2029b9aa724af8c2991303402359193132d92e1bea755c12b4c6828fe320a12d05642cf0bb69257fc873ffe12e7a6db53b14d532e18c32374179d229f

  • C:\Users\Admin\AppData\Local\Temp\F9riD9if.xlsm

    Filesize

    23KB

    MD5

    e635f0e34630a83ede9a03cf334d1957

    SHA1

    8ceea2536e155916e76818742d7f50094a81fe53

    SHA256

    f35213bcb00880ce52fed7280d8b941b39169831727f5cf192832826b9d69779

    SHA512

    ef7b88860fe0a023999b8b69b9cabbc790d69980ec16403c77203a9e9cf799d10975e349e728fbbb2e793db7a9cec01de2bdad027b4d0331ec17a83a063acbbf

  • C:\Users\Admin\AppData\Local\Temp\F9riD9if.xlsm

    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  • C:\Users\Admin\AppData\Local\Temp\HD_492260b1dcdd3b08e8837893efee73216c77e7af428a6d0877885502acef8fba.exe

    Filesize

    1.1MB

    MD5

    2275706f1b3ba48421c4b0cc31124f1e

    SHA1

    6dc5fe1f49a794955371f60d4ecc776760bfb64f

    SHA256

    6f7f88da4242252364ef8cc882e001aece409b8543378a8de18765e9f266b430

    SHA512

    a367f278ece57785d534388c16336cfb2c98041cd91f370aa8ff180025014e53f28720a3a11bb51ddb3b417161f42dad33b6a546106fa706f7ec958eee2d0154

  • C:\Users\Admin\AppData\Local\Temp\HD_X.dat

    Filesize

    1.5MB

    MD5

    d9d481674ffdea74865a6031479962b3

    SHA1

    07dbfbd87c719537e616f2347bd66efb3a9a5ae6

    SHA256

    44e5331ce62c8de6480bf05b1c22f4c2ae0ebd7f546cb8f50d078756162f11e3

    SHA512

    26ffff903de9f9f2e43d76648dbec786463759ff2fa5dd80a8ef47b58000682cc54e6b8c0abfce4ac22617a7a94b7fca958b0b770e1b7b5c14b53f936eac4e9a

  • C:\Users\Admin\AppData\Local\Temp\RVN.exe

    Filesize

    377KB

    MD5

    80ade1893dec9cab7f2e63538a464fcc

    SHA1

    c06614da33a65eddb506db00a124a3fc3f5be02e

    SHA256

    57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

    SHA512

    fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

  • C:\Users\Admin\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg

    Filesize

    142B

    MD5

    708e70bb8457512bd59b0b1d1ae5cf95

    SHA1

    338aac5c514b8bcd82b56e4df2b32b92888b3117

    SHA256

    8f46a5749117a9f6447458d20dc2e8a8fcb45db56c2be8bc8cf8b2851abae93d

    SHA512

    fde423f19062d2b33d218fa8de6e00295eb45a8d8e6685e460987c0f33ed0c5a306a5f4fb50aa920fbf3f80462ef24d9b5287b050baa868a0896bc0daeb7925c

  • memory/708-17-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/708-15-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/708-13-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/708-27-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/708-16-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/3420-337-0x0000000000400000-0x0000000000513000-memory.dmp

    Filesize

    1.1MB

  • memory/3420-386-0x0000000000400000-0x0000000000513000-memory.dmp

    Filesize

    1.1MB

  • memory/4024-206-0x0000000000400000-0x0000000000513000-memory.dmp

    Filesize

    1.1MB

  • memory/4200-7-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/4200-6-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/4200-10-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/4200-4-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/4216-276-0x00007FF962230000-0x00007FF962240000-memory.dmp

    Filesize

    64KB

  • memory/4216-270-0x00007FF964350000-0x00007FF964360000-memory.dmp

    Filesize

    64KB

  • memory/4216-271-0x00007FF964350000-0x00007FF964360000-memory.dmp

    Filesize

    64KB

  • memory/4216-272-0x00007FF964350000-0x00007FF964360000-memory.dmp

    Filesize

    64KB

  • memory/4216-275-0x00007FF962230000-0x00007FF962240000-memory.dmp

    Filesize

    64KB

  • memory/4216-273-0x00007FF964350000-0x00007FF964360000-memory.dmp

    Filesize

    64KB

  • memory/4216-274-0x00007FF964350000-0x00007FF964360000-memory.dmp

    Filesize

    64KB

  • memory/5080-53-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/5080-41-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/5080-33-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/5080-26-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB