Analysis
-
max time kernel
8s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
24/02/2025, 11:32
General
-
Target
344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe
-
Size
1.4MB
-
MD5
6b00f6d824861317ec66502dce58904d
-
SHA1
74580a12cbfb253e126545139757a30ee4e079da
-
SHA256
344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e
-
SHA512
452fb86e9917945261929b83bcff47ebf39f006fc22629d4ce88dfaaeef4f9bc61668ffbdd3f2e7c5fc613d7fc831091233d470ad1715fb7818cc31988e2e70d
-
SSDEEP
24576:vnsJ39LyjbJkQFMhmC+6GR94dChNRASWgDxPWnP0LamWYC8Eud13:vnsHyjtk2MYC5GRadWHyzGd13
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Xred
Xred is backdoor written in Delphi.
-
Xred family
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 5 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
UPX packed file 20 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe"C:\Users\Admin\AppData\Local\Temp\344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\._cache_344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe"C:\Users\Admin\AppData\Local\Temp\._cache_344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e.exe"3⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate4⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD56b00f6d824861317ec66502dce58904d
SHA174580a12cbfb253e126545139757a30ee4e079da
SHA256344e450edda18bac682601bd49bd327e447fad7cbd119a4bdfa58fe79664e01e
SHA512452fb86e9917945261929b83bcff47ebf39f006fc22629d4ce88dfaaeef4f9bc61668ffbdd3f2e7c5fc613d7fc831091233d470ad1715fb7818cc31988e2e70d
-
Filesize
636KB
MD514b1a90f6fe653e288cbe188a38ea760
SHA14507f58630bbf3869330715c81a5a1ede2be4686
SHA256abf8d7bce6d461f240c7f25d3d50bfd36d2a397e1842e289653792d56543da4a
SHA512670ae90404b95246d18e008ee2587ae4877be3ce0c376d6c42dde7841d7ed68115b945d1a1bd3384e59fd1c8a89c52a76fab6dd9bd1f77a5150b6ae7d7134cbf
-
Filesize
257B
MD5496b9a045b9c34b2d8e4d57e82a461bf
SHA16ccc28060f2a1e0b30e836b8093036cbab94e83c
SHA2564475511cbde3f6d0dc8e6c8b1506141aa199a819672b20a22569baa1b8ea4f95
SHA5121a37813e45526a0c43e34364a9dbc79f35dee83a85dac3def1a8bf6106e27c1c09f64d2a6ada2c0b88f4bbc1813506186bddee494df4b27bbeeff373461261b9
-
Filesize
97KB
MD55e94b966d2cdb93aead0193ae28230e7
SHA1cfb38fd622dc562e915378f470a33f4227565cfa
SHA2566d2b87b8924d15e9bf068aa199a65a3f54ec8588f54322b0a527ae974a9a52dc
SHA512a7bd446f27c2aea01a292c9989c3c611dbed195d46984093bf066b3a1d74bad6349f645b498b66e15c0d09233b195714b90981c08ce005ced0fdb418b1dc2193
-
Filesize
16.7MB
-
Filesize
1.4MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
1.4MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
64KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
1.4MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
1.4MB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
64KB
-
Filesize
16.7MB
-
Filesize
1.4MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB