Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-12-2024 09:45

General

  • Target

    397366a8a4ba92c38c1453ea4f3f200587ef6c718b6d48fdb8245095aa267afe.exe

  • Size

    2.9MB

  • MD5

    9c431dec548b3c2305b0901c9cedcfab

  • SHA1

    58280d15682dc346450b0bcdeb4688f80430938d

  • SHA256

    397366a8a4ba92c38c1453ea4f3f200587ef6c718b6d48fdb8245095aa267afe

  • SHA512

    ffec38663923e5ad2f71566ca176c19b38648eebea09719790b6583cc987334dd9886534564e59f28b934139202b7c45c37c4a5aa6930b433913f0240c28dbb8

  • SSDEEP

    49152:M09XJt4HIN2H2tFvduySdpEWoxvKnsHyjtk2MYC5GDZz5T1y9GMN4r8w:xZJt4HINy2LkdKZxinsmtk2am5TwU+43

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll
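The extracted config above mixes two kinds of indicator: hosts the operator controls (the C2 xred.mooo.com and xred.site50.net) and staging URLs on shared services (Google Docs, Dropbox, the FreeDNS API) where the hostname is useless as a block-list entry and only the full URL with its document or share id identifies the payload. The script below, added here as an example and not part of the sandbox report, turns the config into those two indicator sets and matches them against constructed DNS and proxy log lines; the log formats, the client IPs and the non-matching Google Docs id are assumptions for illustration.

```python
"""Build network indicators from the extracted xred config and match logs.
Added example; not part of the sandbox report. Log formats are assumed."""
from urllib.parse import urlparse, parse_qsl
from typing import Iterable, List, Set, Tuple

C2_HOST = "xred.mooo.com"
PAYLOAD_URLS = [
    "http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download",
    "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1",
    "http://xred.site50.net/syn/SUpdate.ini",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download",
    "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1",
    "http://xred.site50.net/syn/Synaptics.rar",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download",
    "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1",
    "http://xred.site50.net/syn/SSLLibrary.dll",
]

# Hosts shared with legitimate traffic: a domain-level block here would cut
# off Google Docs, Dropbox and the FreeDNS API for everyone, so these are
# matched on the full URL only.
SHARED_HOSTS = {"docs.google.com", "www.dropbox.com", "freedns.afraid.org"}

UrlKey = Tuple[str, str, frozenset]

def url_key(url: str) -> UrlKey:
    """Normalise a URL to (host, path, query items) so that host case and
    query-parameter order do not matter when comparing against logs."""
    p = urlparse(url)
    return (p.hostname or "").lower(), p.path, frozenset(parse_qsl(p.query))

def build_indicators(c2: str, urls: Iterable[str]) -> Tuple[Set[str], Set[UrlKey]]:
    """Split the config into blockable domains and exact-URL indicators."""
    domains, exact = {c2.lower()}, set()
    for u in urls:
        host = (urlparse(u).hostname or "").lower()
        if host in SHARED_HOSTS:
            exact.add(url_key(u))
        else:
            domains.add(host)
    return domains, exact

def host_matches(query: str, domains: Set[str]) -> bool:
    """Exact label or subdomain match. The C2 sits under a shared dynamic-DNS
    parent (mooo.com), so the parent itself must not match."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)

def scan_dns_log(lines: Iterable[str], domains: Set[str]) -> List[str]:
    """key=value DNS log lines (assumed format); returns matching query names."""
    hits = []
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if "query" in fields and host_matches(fields["query"], domains):
            hits.append(fields["query"])
    return hits

def scan_proxy_log(lines: Iterable[str], exact: Set[UrlKey]) -> List[str]:
    """'<client> <method> <url> <status>' proxy lines (assumed format)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and url_key(parts[2]) in exact:
            hits.append(parts[2])
    return hits

# Constructed sample log lines, not taken from the report.
DNS_LOG = [
    "2024-12-31T09:46:01Z client=10.0.0.5 query=xred.mooo.com type=A",
    "2024-12-31T09:46:02Z client=10.0.0.5 query=XRED.SITE50.NET. type=A",
    "2024-12-31T09:46:03Z client=10.0.0.7 query=mooo.com type=A",
    "2024-12-31T09:46:04Z client=10.0.0.7 query=docs.google.com type=A",
]
PROXY_LOG = [
    "10.0.0.5 GET https://docs.google.com/uc?export=download&id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk 200",
    "10.0.0.7 GET https://docs.google.com/uc?id=1AbCdEfGhIjK&export=download 200",
    "10.0.0.5 GET https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1 200",
]

if __name__ == "__main__":
    domains, exact = build_indicators(C2_HOST, PAYLOAD_URLS)
    print("DNS hits:", scan_dns_log(DNS_LOG, domains))
    print("URL hits:", scan_proxy_log(PROXY_LOG, exact))
```

The first proxy line has its query parameters in the opposite order from the config entry and still matches, which is why the comparison key is built from parsed parts rather than the raw string; the second line, a different Google Docs id, does not match, and the bare mooo.com lookup does not match the C2 indicator.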

Signatures

  • Detect PurpleFox Rootkit 12 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 12 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Gh0strat family
  • PurpleFox

    PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

  • Purplefox family
  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 15 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX.

  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • NSIS installer 3 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\397366a8a4ba92c38c1453ea4f3f200587ef6c718b6d48fdb8245095aa267afe.exe
    "C:\Users\Admin\AppData\Local\Temp\397366a8a4ba92c38c1453ea4f3f200587ef6c718b6d48fdb8245095aa267afe.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4724
    • C:\Users\Admin\AppData\Local\Temp\RVN.exe
      C:\Users\Admin\AppData\Local\Temp\\RVN.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5088
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:4204
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1996
    • C:\Users\Admin\AppData\Local\Temp\HD_397366a8a4ba92c38c1453ea4f3f200587ef6c718b6d48fdb8245095aa267afe.exe
      C:\Users\Admin\AppData\Local\Temp\HD_397366a8a4ba92c38c1453ea4f3f200587ef6c718b6d48fdb8245095aa267afe.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2416
      • C:\Users\Admin\AppData\Local\Temp\._cache_HD_397366a8a4ba92c38c1453ea4f3f200587ef6c718b6d48fdb8245095aa267afe.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_HD_397366a8a4ba92c38c1453ea4f3f200587ef6c718b6d48fdb8245095aa267afe.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2664
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1728
        • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:5056
  • C:\Windows\SysWOW64\TXPlatforn.exe
    C:\Windows\SysWOW64\TXPlatforn.exe -auto
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2660
    • C:\Windows\SysWOW64\TXPlatforn.exe
      C:\Windows\SysWOW64\TXPlatforn.exe -acsi
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Executes dropped EXE
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:1012
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4508
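Three things in the tree above are worth turning into process-creation detections: RVN.exe spawning cmd.exe to sleep with a loopback ping and then delete its own image (the "Internet Connection Discovery" tag on PING.EXE is a false lead here, since a ping to 127.0.0.1 tests nothing about connectivity and serves only as a delay), Synaptics.exe running from C:\ProgramData with the InjUpdate argument alongside the ._cache_ prefixed executables in the user's Temp directory, and TXPlatforn.exe (note the misspelling) running from SysWOW64 with -auto and then -acsi, the latter being the process that drops into the Drivers directory and loads a driver. The script below is an added example, not part of the sandbox report; it runs those rules over constructed Sysmon-style events whose field names (pid, image, command_line, parent_image) and the one benign control event are assumptions.

```python
"""Process-creation detections for the behaviour in this report's process tree.
Added example; not part of the sandbox report. Event fields are assumed."""
import re
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the created process
    command_line: str
    parent_image: str   # full path of the creating process

# Rule 1: delayed self-deletion. cmd.exe sleeps with a loopback ping and
# then deletes the file that spawned it (RVN.exe in this report).
PING_DEL = re.compile(
    r"ping\s+-n\s+\d+\s+127\.0\.0\.1\b.*?&&\s*del\s+(?P<target>[^\s>]+)",
    re.IGNORECASE,
)

def rule_ping_self_delete(ev: ProcEvent) -> bool:
    if not ev.image.lower().endswith("\\cmd.exe"):
        return False
    m = PING_DEL.search(ev.command_line)
    return bool(m) and m.group("target").lower() == ev.parent_image.lower()

# Rule 2: the dropper layout in the tree: Synaptics.exe under ProgramData
# with the InjUpdate argument, or a ._cache_ prefixed executable in Temp.
def rule_synaptics_dropper(ev: ProcEvent) -> bool:
    img = ev.image.lower()
    if img == "c:\\programdata\\synaptics\\synaptics.exe" and "injupdate" in ev.command_line.lower():
        return True
    name = img.rsplit("\\", 1)[-1]
    return name.startswith("._cache_") and "\\appdata\\local\\temp\\" in img

# Rule 3: TXPlatforn.exe in SysWOW64 with the -auto / -acsi switches;
# the -acsi child is the one that loads the driver.
def rule_txplatforn(ev: ProcEvent) -> bool:
    if ev.image.lower() != "c:\\windows\\syswow64\\txplatforn.exe":
        return False
    return any(f" {sw}" in ev.command_line.lower() for sw in ("-auto", "-acsi"))

RULES = [
    ("ping_self_delete", rule_ping_self_delete),
    ("synaptics_dropper", rule_synaptics_dropper),
    ("txplatforn_loader", rule_txplatforn),
]

def evaluate(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule_name) for every event that trips a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((ev.pid, name))
    return hits

# Constructed events reproducing command lines from the process tree
# (the HD_ parent name is shortened), plus one benign control that is
# not from the report: a script that pings and deletes nothing.
SAMPLE_EVENTS = [
    ProcEvent(4204, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul",
              r"C:\Users\Admin\AppData\Local\Temp\RVN.exe"),
    ProcEvent(1728, r"C:\ProgramData\Synaptics\Synaptics.exe",
              r'"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate',
              r"C:\Users\Admin\AppData\Local\Temp\HD_sample.exe"),
    ProcEvent(5056, r"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate',
              r"C:\ProgramData\Synaptics\Synaptics.exe"),
    ProcEvent(1012, r"C:\Windows\SysWOW64\TXPlatforn.exe",
              r"C:\Windows\SysWOW64\TXPlatforn.exe -acsi",
              r"C:\Windows\SysWOW64\TXPlatforn.exe"),
    ProcEvent(9001, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c ping -n 2 127.0.0.1 > nul && echo done",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, rule in evaluate(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Rule 1 keys on the relationship between the deleted path and the parent image rather than on ping alone, which is what keeps the benign control (pid 9001) quiet; a rule that fired on every `ping -n` in a cmd.exe command line would be noisy on ordinary batch scripts.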

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\._cache_HD_397366a8a4ba92c38c1453ea4f3f200587ef6c718b6d48fdb8245095aa267afe.exe

    Filesize

    735KB

    MD5

    d4625a4f3259696db5c152500a90cbbf

    SHA1

    b95359b707dbed1e46d6ee36cb91954773edc766

    SHA256

    cbae6eb7fc95cbafcc0fe7889c320228606c843a272605efeea17652bf8dd928

    SHA512

    d95084cff062a3dbd362561c8ff222a9f3c59e880299416505ffd37f5f158bf870de00ee15361a67bbd6e845cc90d3c2fc322b21cc945f874d4eb9bbd10e4f89

  • C:\Users\Admin\AppData\Local\Temp\HD_397366a8a4ba92c38c1453ea4f3f200587ef6c718b6d48fdb8245095aa267afe.exe

    Filesize

    1.5MB

    MD5

    20cb6e2186e922d8a93b6a34edef8b02

    SHA1

    d26ead027a78ace963ad83838534f16b0b28811b

    SHA256

    76a3fea54556cecbf78ca6af2b184f1dd0c788582e5c4be54efe733db6e40396

    SHA512

    c08e2e1f0554565ccd5f3409a5146c993bce6f507519335af62af6e9a15881d5008f8bc0d4425c599a773efb64837f30004bf96abd6f9e5f1e145482b7ca0574

  • C:\Users\Admin\AppData\Local\Temp\HD_X.dat

    Filesize

    1.5MB

    MD5

    fe6f3116d488099d29fe5f36d3a217b4

    SHA1

    5c260f3b36c8a925ff31848c4aa2afa7df82a389

    SHA256

    dd100b0969d88b05337237e2d87050c311ef3dca75c07885809d38c4ec57bc30

    SHA512

    9fda336ddcc397a3463bbdcdcdbf043b01b85409baaf47aaf75248f68069db50bd73fed0cc3400c2f885a2e4dfd3cd91512e64bf4f4abc8f56f7d48f7145a60a

  • C:\Users\Admin\AppData\Local\Temp\RVN.exe

    Filesize

    377KB

    MD5

    80ade1893dec9cab7f2e63538a464fcc

    SHA1

    c06614da33a65eddb506db00a124a3fc3f5be02e

    SHA256

    57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

    SHA512

    fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

  • C:\Users\Admin\AppData\Local\Temp\TuuNOQBV.xlsm

    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  • C:\Users\Admin\AppData\Local\Temp\nsv6E7B.tmp\System.dll

    Filesize

    11KB

    MD5

    00a0194c20ee912257df53bfe258ee4a

    SHA1

    d7b4e319bc5119024690dc8230b9cc919b1b86b2

    SHA256

    dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

    SHA512

    3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

  • memory/1012-75-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/1012-26-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/1012-80-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/1012-79-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/1012-31-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/1012-32-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/1728-303-0x0000000000400000-0x000000000057A000-memory.dmp

    Filesize

    1.5MB

  • memory/1728-352-0x0000000000400000-0x000000000057A000-memory.dmp

    Filesize

    1.5MB

  • memory/2416-25-0x00000000021D0000-0x00000000021D1000-memory.dmp

    Filesize

    4KB

  • memory/2416-210-0x0000000000400000-0x000000000057A000-memory.dmp

    Filesize

    1.5MB

  • memory/2660-14-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/2660-15-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/2660-24-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/2660-16-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/2660-17-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/4508-272-0x00007FFB5F330000-0x00007FFB5F340000-memory.dmp

    Filesize

    64KB

  • memory/4508-274-0x00007FFB5F330000-0x00007FFB5F340000-memory.dmp

    Filesize

    64KB

  • memory/4508-275-0x00007FFB5F330000-0x00007FFB5F340000-memory.dmp

    Filesize

    64KB

  • memory/4508-273-0x00007FFB5F330000-0x00007FFB5F340000-memory.dmp

    Filesize

    64KB

  • memory/4508-278-0x00007FFB5F330000-0x00007FFB5F340000-memory.dmp

    Filesize

    64KB

  • memory/4508-285-0x00007FFB5CB80000-0x00007FFB5CB90000-memory.dmp

    Filesize

    64KB

  • memory/4508-286-0x00007FFB5CB80000-0x00007FFB5CB90000-memory.dmp

    Filesize

    64KB

  • memory/5088-7-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/5088-4-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/5088-10-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/5088-6-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB