Overview

overview

10

Static

static

10

364e79d63b...75.exe

windows7-x64

10

364e79d63b...75.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    17s
  • max time network
    40s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    24/02/2025, 21:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe

  • Size

    1.8MB

  • MD5

    1d1940b7775280d355fa25e70d7f17ec

  • SHA1

    cf79bbeaa4e37d9cbcb99b18ca04f52be2124793

  • SHA256

    364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775

  • SHA512

    fd4b749a3c8293612087cb9e9d8db559d0ab05125f8517886f214d304d086022472237c1db834548cefccd1a8c305eb78be967f21988d06c43a7c6164beb8496

  • SSDEEP

    49152:bnsHyjtk2MYC5GDkY80D4YSbxIWvbqmmdtL4i96Ua:bnsmtk2a9YRmbSIKSi9e

Score
10/10
salityxredbackdoordefense_evasiondiscoverymacropersistencetrojanupx

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

  • Modifies firewall policy service 3 TTPs 6 IoCs
    defense_evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • Sality family
    sality
  • UAC bypass 3 TTPs 2 IoCs
    defense_evasiontrojan
  • Windows security bypass 2 TTPs 12 IoCs
    defense_evasiontrojan
  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Suspicious Office macro 3 IoCs

    Office document equipped with macros.

    macro
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Windows security modification 2 TTPs 14 IoCs
    defense_evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    defense_evasiontrojan
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 22 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 2 IoCs
    defense_evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1112
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1188
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1248
          • C:\Users\Admin\AppData\Local\Temp\364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe
            "C:\Users\Admin\AppData\Local\Temp\364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe"
            2⤵
            • Modifies firewall policy service
            • UAC bypass
            • Windows security bypass
            • Loads dropped DLL
            • Windows security modification
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2092
            • C:\Users\Admin\AppData\Local\Temp\._cache_364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe
              "C:\Users\Admin\AppData\Local\Temp\._cache_364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe"
              3⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:3036
            • C:\ProgramData\Synaptics\Synaptics.exe
              "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
              3⤵
              • Modifies firewall policy service
              • UAC bypass
              • Windows security bypass
              • Executes dropped EXE
              • Loads dropped DLL
              • Windows security modification
              • Checks whether UAC is enabled
              • Enumerates connected drives
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2656
              • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
                "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
                4⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:1924
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:608
          • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
            "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
            1⤵
            • System Location Discovery: System Language Discovery
            • Enumerates system info in registry
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious use of SetWindowsHookEx
            PID:1380
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
            1⤵
              PID:3060

            Network

            MITRE ATT&CK Enterprise v15

            Reconnaissance

            Resource Development

            Initial Access

            Execution

            Persistence

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Create or Modify System Process

            1
            T1543

            Windows Service

            1
            T1543.003

            Privilege Escalation

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Create or Modify System Process

            1
            T1543

            Windows Service

            1
            T1543.003

            Defense Evasion

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Impair Defenses

            4
            T1562

            Disable or Modify System Firewall

            1
            T1562.004

            Disable or Modify Tools

            3
            T1562.001

            Modify Registry

            6
            T1112

            Credential Access

            Discovery

            Peripheral Device Discovery

            1
            T1120

            Query Registry

            2
            T1012

            System Information Discovery

            4
            T1082

            System Location Discovery

            1
            T1614

            System Language Discovery

            1
            T1614.001

            Lateral Movement

            Collection

            Command and Control

            Exfiltration

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\Synaptics\Synaptics.exe
              Filesize

              1.8MB

              MD5

              1d1940b7775280d355fa25e70d7f17ec

              SHA1

              cf79bbeaa4e37d9cbcb99b18ca04f52be2124793

              SHA256

              364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775

              SHA512

              fd4b749a3c8293612087cb9e9d8db559d0ab05125f8517886f214d304d086022472237c1db834548cefccd1a8c305eb78be967f21988d06c43a7c6164beb8496

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\._cache_364e79d63bdff425fe5fc7616aa8973af5c74406eb30845d76fb5ba64079b775.exe
              Filesize

              979KB

              MD5

              8ce50fc290bed7711d97b16d5ffb49f6

              SHA1

              59cdc83c4d5f32ca1d5bdc32fe6656fadb27a72f

              SHA256

              023b628b690f5185604fc7218dc4e9842604c7bd9f2e2c065f9360255cb39e49

              SHA512

              455905bf556e9629c4ad1eea48ab1c4aa471462f289a74fbe6a06071a58e8cad2a31b686bd39e62e2e15be9bab2e64ea6c52d829738519eb159ca59609fc1ef9

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\bVPwsLBU.xlsm
              Filesize

              29KB

              MD5

              899b8de0854cf8d6847d4d036944b531

              SHA1

              5f3697205836a538202c8475453b7c9518b2dad6

              SHA256

              d79dbfff2b154c97c8cbee1f09467684f41bb1b2424e53d5df706085238ac004

              SHA512

              d1cc231e8334e801c869b1de319d1c8d29d5d18f44bdd1840134fb6dd203e5436e446ef564f9dc73e4ef88f1dc63157de624814a99ef2de155abcf0449c2b5a9

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\bVPwsLBU.xlsm
              Filesize

              17KB

              MD5

              e566fc53051035e1e6fd0ed1823de0f9

              SHA1

              00bc96c48b98676ecd67e81a6f1d7754e4156044

              SHA256

              8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

              SHA512

              a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\bVPwsLBU.xlsm
              Filesize

              27KB

              MD5

              b619804bbe7bab9e3259d768a30c66e3

              SHA1

              36287e5fbfde528a9119d818e440079d1d24d2f3

              SHA256

              9ad88c0e32c61a435121b5dd86217b5e01f175960cd2aea4bef00033bba06bd3

              SHA512

              9470f3d8f33ece62bbe9dc0fd70cd26e1ca6121c0ed2308cf4ce133bdbe6dbb9c6ce7bae95536325d9b5673caede59b19df3c8041329f36c1d7b4947f9bb4619

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\bVPwsLBU.xlsm
              Filesize

              30KB

              MD5

              7161c417ba820c70f820ae39b610c03e

              SHA1

              dfb90fae0391466b65ff6d571b3ed9fa1a063007

              SHA256

              fd74c36e6bc9413d3b73a2c37c0d03e1bb8434b85c362cc36dabda992a98d677

              SHA512

              3271811b9557e30285a106848988749f1d9c458ae1698acb4408b059f9e0492809f49339112cec2f9aa7ae4fc128c280c80ee1da066cc282fbb47a33a37d3fe1

              Download Submit

            • C:\Windows\SYSTEM.INI
              Filesize

              257B

              MD5

              f30b9a16182404d401a592dc301a7df1

              SHA1

              35e0535bba50803fd096a171f0a256b7b2282e46

              SHA256

              d4502a5f18302f7bb68df61285407ca7abf062799b9b6c3fb79682ff3df390fe

              SHA512

              cbac82a020debb33e96773ad9578f257e70368518767aaa819b45a37ef37a3f1219783c76ca5c9233f2b1825ce563955afbf79f96118c1b6d0a0091d5f0dc607

              Download Submit

            • memory/1112-21-0x0000000001FF0000-0x0000000001FF2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1380-159-0x000000005FFF0000-0x0000000060000000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1380-95-0x000000005FFF0000-0x0000000060000000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1924-96-0x0000000000400000-0x0000000001A73000-memory.dmp

              Filesize

              22.4MB

              Download

            • memory/2092-30-0x00000000003D0000-0x00000000003D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2092-72-0x0000000000400000-0x00000000005CA000-memory.dmp

              Filesize

              1.8MB

              Download

            • memory/2092-29-0x00000000003B0000-0x00000000003B2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2092-32-0x00000000003D0000-0x00000000003D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2092-9-0x0000000002110000-0x00000000031CA000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2092-6-0x0000000002110000-0x00000000031CA000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2092-33-0x00000000003B0000-0x00000000003B2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2092-10-0x0000000002110000-0x00000000031CA000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2092-15-0x0000000002110000-0x00000000031CA000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2092-37-0x00000000063E0000-0x00000000063F0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2092-60-0x00000000003B0000-0x00000000003B2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2092-68-0x0000000002110000-0x00000000031CA000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2092-79-0x00000000077D0000-0x0000000008E43000-memory.dmp

              Filesize

              22.4MB

              Download

            • memory/2092-2-0x0000000002110000-0x00000000031CA000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2092-5-0x0000000002110000-0x00000000031CA000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2092-77-0x0000000007E20000-0x0000000007FEA000-memory.dmp

              Filesize

              1.8MB

              Download

            • memory/2092-76-0x0000000007E20000-0x0000000007FEA000-memory.dmp

              Filesize

              1.8MB

              Download

            • memory/2092-8-0x0000000002110000-0x00000000031CA000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2092-73-0x00000000077D0000-0x0000000008E43000-memory.dmp

              Filesize

              22.4MB

              Download

            • memory/2092-1-0x0000000000400000-0x00000000005CA000-memory.dmp

              Filesize

              1.8MB

              Download

            • memory/2092-12-0x00000000002E0000-0x00000000002E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2092-34-0x00000000003B0000-0x00000000003B2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2092-7-0x0000000002110000-0x00000000031CA000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2092-4-0x0000000002110000-0x00000000031CA000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2092-11-0x0000000002110000-0x00000000031CA000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2656-194-0x0000000000400000-0x00000000005CA000-memory.dmp

              Filesize

              1.8MB

              Download

            • memory/2656-160-0x0000000005E40000-0x0000000006EFA000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2656-185-0x0000000004020000-0x0000000004021000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2656-78-0x0000000000400000-0x00000000005CA000-memory.dmp

              Filesize

              1.8MB

              Download

            • memory/2656-162-0x0000000005E40000-0x0000000006EFA000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2656-191-0x0000000004000000-0x0000000004002000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2656-167-0x0000000005E40000-0x0000000006EFA000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2656-87-0x0000000004350000-0x0000000004360000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2656-169-0x0000000005E40000-0x0000000006EFA000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2656-165-0x0000000005E40000-0x0000000006EFA000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2656-164-0x0000000005E40000-0x0000000006EFA000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/2656-163-0x0000000005E40000-0x0000000006EFA000-memory.dmp

              Filesize

              16.7MB

              Download

            • memory/3036-75-0x0000000000400000-0x0000000001A73000-memory.dmp

              Filesize

              22.4MB

              Download

            • memory/3036-83-0x0000000000400000-0x0000000001A73000-memory.dmp

              Filesize

              22.4MB

              Download