Analysis

  • max time kernel
    141s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/12/2024, 06:44

General

  • Target

    492260b1dcdd3b08e8837893efee73216c77e7af428a6d0877885502acef8fba.exe

  • Size

    2.5MB

  • MD5

    2288dccccc744c0e17ae8b4a200336fc

  • SHA1

    2935f59c88801387ed400b0860362890aa07b42c

  • SHA256

    492260b1dcdd3b08e8837893efee73216c77e7af428a6d0877885502acef8fba

  • SHA512

    2903ee54996743a60beb77209091d35410e3abdaec1548ba581f6a3ef64954a26cf1fb3686bc7ff86049c4d19fb6f3fc973408aded034169965156ea177a729a

  • SSDEEP

    49152:M09XJt4HIN2H2tFvduySepEWoxvonsHyjtk2MYC5GDTrOO53RTqtiR:xZJt4HINy2LkeKZxgnsmtk2aIrOO53x

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Detect PurpleFox Rootkit 11 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 11 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Gh0strat family
  • PurpleFox

    PurpleFox is an exploit kit, first seen in 2018, used to distribute other malware families.

  • Purplefox family
  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with the UPX open-source packer or a modified variant of it.

  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\492260b1dcdd3b08e8837893efee73216c77e7af428a6d0877885502acef8fba.exe
    "C:\Users\Admin\AppData\Local\Temp\492260b1dcdd3b08e8837893efee73216c77e7af428a6d0877885502acef8fba.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\Users\Admin\AppData\Local\Temp\RVN.exe
      C:\Users\Admin\AppData\Local\Temp\\RVN.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4116
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:2440
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3896
    • C:\Users\Admin\AppData\Local\Temp\HD_492260b1dcdd3b08e8837893efee73216c77e7af428a6d0877885502acef8fba.exe
      C:\Users\Admin\AppData\Local\Temp\HD_492260b1dcdd3b08e8837893efee73216c77e7af428a6d0877885502acef8fba.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2424
      • C:\Users\Admin\AppData\Local\Temp\._cache_HD_492260b1dcdd3b08e8837893efee73216c77e7af428a6d0877885502acef8fba.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_HD_492260b1dcdd3b08e8837893efee73216c77e7af428a6d0877885502acef8fba.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:5012
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2840
        • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4104
  • C:\Windows\SysWOW64\TXPlatforn.exe
    C:\Windows\SysWOW64\TXPlatforn.exe -auto
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5116
    • C:\Windows\SysWOW64\TXPlatforn.exe
      C:\Windows\SysWOW64\TXPlatforn.exe -acsi
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Executes dropped EXE
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:920
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1808

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\59D76868C250B3240414CE3EFBB12518_DED20A0F952AFF3092F4A1CA14DFAF28

    Filesize

    471B

    MD5

    ec29b6d68b432f9eff3ef8d4709a2055

    SHA1

    8d21afa630107dbe41427e770560f1658c1d61ab

    SHA256

    ab0b859a15ba4e90f219b1a563cb25ca309170c2d93cba77c20acee2402ce327

    SHA512

    206859f40bf46e19fe9d4331c8d7de8d72f617b3955e3bf7f3788ad37951e15f8b44c7377e29bfc44e35b3be8d3fa4a5c13df8e6d0d81ff651a054c7b74091f3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

    Filesize

    471B

    MD5

    c02ceb4c1f14793e6f2baaf4bf1ab5f8

    SHA1

    becfa28109fa73a2555ea04aabcaee316975e030

    SHA256

    90c35ce9eefa79c9c8cc0a465dcfab7c6bb7b05dd2596d7e114419db97e71ad8

    SHA512

    08a1938e734ad150d165dbb32cbfd3c3c0277a68ff72a38af7ac6e1689bf85864853311c35983b7a7a3056f8b0901ab465253ab9a8373158f7dc67e997e9937a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\59D76868C250B3240414CE3EFBB12518_DED20A0F952AFF3092F4A1CA14DFAF28

    Filesize

    408B

    MD5

    11aea6c4aeadd448ba9a8f8af90d37e7

    SHA1

    2f895d08561a6aab5cc435e6dd84d2cdf7d9b755

    SHA256

    6d0f4e9642ef1a08602108469a1563091cff94053f526c733daca8ca67f89564

    SHA512

    d8aee0c55b6dff529bb66fac6cf6ac8ad8f68bc69686b05b67d7ca1e41468d897de34fdc2f4bf784fa8c786b07549c5d33db6355a12fcf9453610c7834c5d336

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

    Filesize

    412B

    MD5

    e5a954f739a813edfa8436dd3604cd83

    SHA1

    03493f8e2ca5ac427d2f10344ecf847054b242f6

    SHA256

    cf88e6f37d674d4c2b5665564feef6cc496842a527aaf0c92b53e4205caa6ac7

    SHA512

    c56877e40f159d5d6eadfe445f6b748daae3c764e1347ac189490f0cad6380ba2da7c6262ef9a48878c43eb1069381d5b4b05a05ac9c201cdbf3bf84fd7ac4e4

  • C:\Users\Admin\AppData\Local\Temp\._cache_HD_492260b1dcdd3b08e8837893efee73216c77e7af428a6d0877885502acef8fba.exe

    Filesize

    324KB

    MD5

    401d2bb1174f24689d0279ee0d4c4c85

    SHA1

    6182304eb212b5458f0c6b18c5d8bcd8da18c96a

    SHA256

    6fc6a0156e6f38b1d61ee39df837fa3f49e9f87807599dc9694582d7d646c23e

    SHA512

    ee0bedd2029b9aa724af8c2991303402359193132d92e1bea755c12b4c6828fe320a12d05642cf0bb69257fc873ffe12e7a6db53b14d532e18c32374179d229f

  • C:\Users\Admin\AppData\Local\Temp\9EB75E00

    Filesize

    25KB

    MD5

    39e60576aa3ce985062066c683e390c6

    SHA1

    20a4a4ee110c71b9b3e03b762fed913c8e619fa0

    SHA256

    e0b0cc6a7b27634af752cc1e01da25c5342441c54159e134148fcf97518a2b73

    SHA512

    6767040541ee4bc77997003128c865a583240afcb31eecc493e7d25592c3cf946ed0e8adeca98c4d407dd4d5b1e1891cca6e8e035eaca84620adf28d0f531b09

  • C:\Users\Admin\AppData\Local\Temp\Gfxtr2Vm.xlsm

    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  • C:\Users\Admin\AppData\Local\Temp\HD_492260b1dcdd3b08e8837893efee73216c77e7af428a6d0877885502acef8fba.exe

    Filesize

    1.1MB

    MD5

    2275706f1b3ba48421c4b0cc31124f1e

    SHA1

    6dc5fe1f49a794955371f60d4ecc776760bfb64f

    SHA256

    6f7f88da4242252364ef8cc882e001aece409b8543378a8de18765e9f266b430

    SHA512

    a367f278ece57785d534388c16336cfb2c98041cd91f370aa8ff180025014e53f28720a3a11bb51ddb3b417161f42dad33b6a546106fa706f7ec958eee2d0154

  • C:\Users\Admin\AppData\Local\Temp\HD_X.dat

    Filesize

    1.5MB

    MD5

    d9d481674ffdea74865a6031479962b3

    SHA1

    07dbfbd87c719537e616f2347bd66efb3a9a5ae6

    SHA256

    44e5331ce62c8de6480bf05b1c22f4c2ae0ebd7f546cb8f50d078756162f11e3

    SHA512

    26ffff903de9f9f2e43d76648dbec786463759ff2fa5dd80a8ef47b58000682cc54e6b8c0abfce4ac22617a7a94b7fca958b0b770e1b7b5c14b53f936eac4e9a

  • C:\Users\Admin\AppData\Local\Temp\RVN.exe

    Filesize

    377KB

    MD5

    80ade1893dec9cab7f2e63538a464fcc

    SHA1

    c06614da33a65eddb506db00a124a3fc3f5be02e

    SHA256

    57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

    SHA512

    fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

  • C:\Users\Admin\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg

    Filesize

    142B

    MD5

    708e70bb8457512bd59b0b1d1ae5cf95

    SHA1

    338aac5c514b8bcd82b56e4df2b32b92888b3117

    SHA256

    8f46a5749117a9f6447458d20dc2e8a8fcb45db56c2be8bc8cf8b2851abae93d

    SHA512

    fde423f19062d2b33d218fa8de6e00295eb45a8d8e6685e460987c0f33ed0c5a306a5f4fb50aa920fbf3f80462ef24d9b5287b050baa868a0896bc0daeb7925c

  • memory/920-78-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/920-27-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/920-33-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/920-41-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/1808-285-0x00007FF8B9F10000-0x00007FF8B9F20000-memory.dmp

    Filesize

    64KB

  • memory/1808-287-0x00007FF8B9F10000-0x00007FF8B9F20000-memory.dmp

    Filesize

    64KB

  • memory/1808-290-0x00007FF8B7790000-0x00007FF8B77A0000-memory.dmp

    Filesize

    64KB

  • memory/1808-289-0x00007FF8B7790000-0x00007FF8B77A0000-memory.dmp

    Filesize

    64KB

  • memory/1808-284-0x00007FF8B9F10000-0x00007FF8B9F20000-memory.dmp

    Filesize

    64KB

  • memory/1808-288-0x00007FF8B9F10000-0x00007FF8B9F20000-memory.dmp

    Filesize

    64KB

  • memory/1808-286-0x00007FF8B9F10000-0x00007FF8B9F20000-memory.dmp

    Filesize

    64KB

  • memory/2424-205-0x0000000000400000-0x0000000000513000-memory.dmp

    Filesize

    1.1MB

  • memory/2840-386-0x0000000000400000-0x0000000000513000-memory.dmp

    Filesize

    1.1MB

  • memory/2840-349-0x0000000000400000-0x0000000000513000-memory.dmp

    Filesize

    1.1MB

  • memory/2840-339-0x0000000000400000-0x0000000000513000-memory.dmp

    Filesize

    1.1MB

  • memory/4116-10-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/4116-7-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/4116-6-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/4116-4-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/5116-23-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/5116-13-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/5116-16-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/5116-17-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/5116-15-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB