xred | 07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548

Analysis

max time kernel
148s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24/02/2025, 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
Size

955KB
MD5

16be03e62abaa80f7434e2740e18fe84
SHA1

a7e50cb5fa19e3dac8c1a76808a46352cdc9c46b
SHA256

07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548
SHA512

76dedba0a2b17d6b4ed229e7e3f0478c19a94e22dba0a079997159012852b05a3cd66c8a71e5d3fd5f65bb9aa8b78622d9b9024df5e4dc14aaadb673240f974c
SSDEEP

12288:OWppGHNu4B2UDI3MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V93JJc:5GI4r83nsJ39LyjbJkQFMhmC+6GD9Za

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 4 IoCs

pid	Process
2244	zgokr00.exe
2320	.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2824	vshost32.exe
2784	._cache_.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe

Loads dropped DLL 8 IoCs

pid	Process
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2244	zgokr00.exe
2320	.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2320	.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2824	vshost32.exe
2824	vshost32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ScdBcd = "C:\\Users\\Admin\\AppData\\Roaming\\Dibifu_9\\vshost32.exe"	vshost32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zgokr00.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vshost32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe

Modifies registry class 20 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	._cache_.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	._cache_.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	._cache_.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	._cache_.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	._cache_.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	._cache_.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	._cache_.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	._cache_.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	._cache_.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	._cache_.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	._cache_.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	._cache_.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	._cache_.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	._cache_.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	._cache_.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	._cache_.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	._cache_.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings	._cache_.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	._cache_.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	._cache_.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2784	._cache_.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2784	._cache_.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2244	2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe	30
PID 2380 wrote to memory of 2244	2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe	30
PID 2380 wrote to memory of 2244	2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe	30
PID 2380 wrote to memory of 2244	2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe	30
PID 2380 wrote to memory of 2320	2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe	31
PID 2380 wrote to memory of 2320	2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe	31
PID 2380 wrote to memory of 2320	2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe	31
PID 2380 wrote to memory of 2320	2380	07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe	31
PID 2244 wrote to memory of 2824	2244	zgokr00.exe	32
PID 2244 wrote to memory of 2824	2244	zgokr00.exe	32
PID 2244 wrote to memory of 2824	2244	zgokr00.exe	32
PID 2244 wrote to memory of 2824	2244	zgokr00.exe	32
PID 2244 wrote to memory of 2772	2244	zgokr00.exe	33
PID 2244 wrote to memory of 2772	2244	zgokr00.exe	33
PID 2244 wrote to memory of 2772	2244	zgokr00.exe	33
PID 2244 wrote to memory of 2772	2244	zgokr00.exe	33
PID 2772 wrote to memory of 2108	2772	cmd.exe	35
PID 2772 wrote to memory of 2108	2772	cmd.exe	35
PID 2772 wrote to memory of 2108	2772	cmd.exe	35
PID 2772 wrote to memory of 2108	2772	cmd.exe	35
PID 2320 wrote to memory of 2784	2320	.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe	36
PID 2320 wrote to memory of 2784	2320	.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe	36
PID 2320 wrote to memory of 2784	2320	.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe	36
PID 2320 wrote to memory of 2784	2320	.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe	36

C:\Users\Admin\AppData\Local\Temp\07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
"C:\Users\Admin\AppData\Local\Temp\07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\zgokr00.exe
  "C:\Users\Admin\AppData\Local\Temp\zgokr00.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Users\Admin\AppData\Roaming\Dibifu_9\vshost32.exe
    "C:\Users\Admin\AppData\Roaming\Dibifu_9\vshost32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del C:\Users\Admin\AppData\Local\Temp\zgokr00.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      System Location Discovery: System Language Discovery
      PID:2108
- C:\Users\Admin\AppData\Local\Temp\.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
  "C:\Users\Admin\AppData\Local\Temp\.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Users\Admin\AppData\Local\Temp\._cache_.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe

Filesize
773KB

MD5
57dfe93f95213e2cc6503da17131f2a2

SHA1
03ed343fc3da8c5b6105250e300c9874dd537405

SHA256
2eebca588edd0822176b86a8b43418441af7c4f0ed74372c8f777ad075c413d9

SHA512
26f37def4b48268d4dcdbcca90f784c3d4debe082678c910620e92c43b3641a57cf7564bc82e87e16cdfb3bc917b597cd620deba67953a0bc1283bbcc5134da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_.07754fa67752fa06a7ced516f9229d42adba92b9ae7c0522271ee45c403e9548.exe

Filesize
20KB

MD5
23a1543ce363983050a8ea5f2f2891fa

SHA1
99c1f7b493224bbe05a6f4f993d5a21e14523398

SHA256
491e350397b7181d3264598cd06fe7358743896ba7d0ee5a315815842b766fc7

SHA512
23ed9560796ea618d6e56a071bae75b4ce883f73a6fad5a2c9cbd1b298216e8e60f86d6cb0e2e0f5bf768d649da2973099c5f7b626971042801e3f120ce4255b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgokr00.exe

Filesize
182KB

MD5
50029ba9c4ab83a28a243918de1b9460

SHA1
9c218fd83bedc8ae1ce9f6b053f3c779c5104f64

SHA256
ba4545ebdd50388b019799f74580629d0d838bc73f8e4a8a16e14e8cc5c63e34

SHA512
6968ac2e4e7dbc6a7f9f806932d14d7907dd00e9fa148587e3eba1c26ab87f8ff1ddef6bed8b8e7d400e108b0d35441f95eb316a58311a04a6611a6d79527bce

Download Submit
\Users\Admin\AppData\Roaming\Dibifu_9\IconExtractor.dll

Filesize
10KB

MD5
a21a157e7f27cb80cdd82cdb02dc2da6

SHA1
90a8a42d7356f06b1c144e657071461ddb224752

SHA256
35ba8730dd874fca3c0348bb38f972c099dbc7ba0f1c9b748dcfebdde1b0004e

SHA512
c4c68a9fa6f130526a0a0ec010d92dae38b81aebcf0fa3256b561987aa7b26e98b69bbc2acad4bafdc29ee2e6f714d81583baac2e28a8a25f62045ad84dba2a5

Download Submit
memory/2244-19-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/2244-38-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/2244-18-0x0000000000FE0000-0x0000000001014000-memory.dmp

Filesize
208KB

Download
memory/2320-44-0x0000000004040000-0x0000000004049000-memory.dmp

Filesize
36KB

Download
memory/2320-78-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2320-88-0x0000000004040000-0x0000000004049000-memory.dmp

Filesize
36KB

Download
memory/2380-2-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/2380-0-0x00000000749DE000-0x00000000749DF000-memory.dmp

Filesize
4KB

Download
memory/2380-1-0x0000000000920000-0x0000000000954000-memory.dmp

Filesize
208KB

Download
memory/2380-76-0x00000000749DE000-0x00000000749DF000-memory.dmp

Filesize
4KB

Download
memory/2380-77-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/2784-56-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2784-89-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2824-37-0x0000000000CC0000-0x0000000000CF4000-memory.dmp

Filesize
208KB

Download
memory/2824-61-0x00000000004D0000-0x00000000004D8000-memory.dmp

Filesize
32KB

Download