xred | 68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2

Analysis

max time kernel
142s
max time network
150s
platform
windows7_x64
resource
win7-20240220-en
submitted
26/03/2024, 20:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Size

3.3MB
MD5

114c176c85577fb44d98e6fe003ea0dd
SHA1

54a4a3e91c34a00e30555bd824d6e32b567ff388
SHA256

68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2
SHA512

67651902b0d275c18fb61f6dab3cf936bbb9d0ff9ff48530a1b827dd386561f1a616702dcb68b177120d86a13e47ed55f4ca3fab4739328cfa2dd3e5e9dd5b05
SSDEEP

98304:Rnsmtk2aYOI4cydaEAQARToxcAQARToxA:tL3Ocy4EAQARkKAQARki

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
3020	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
2652	Synaptics.exe
2548	._cache_Synaptics.exe

Loads dropped DLL 7 IoCs

pid	Process
2072	68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
2072	68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
2072	68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
2072	68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
2652	Synaptics.exe
2652	Synaptics.exe
2652	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe

Modifies registry class 53 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A5B76B6-8DE8-11D3-A85E-0080C86DC5CF}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe"	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A5B76B6-8DE8-11D3-A85E-0080C86DC5CF}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1A5B76B7-8DE8-11D3-A85E-0080C86DC5CF}\TypeLib\Version = "1.0"	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A5B76B7-8DE8-11D3-A85E-0080C86DC5CF}	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A5B76B9-8DE8-11D3-A85E-0080C86DC5CF}\ = "Class1 Object"	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A5B76B9-8DE8-11D3-A85E-0080C86DC5CF}\ProgID	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A5B76B9-8DE8-11D3-A85E-0080C86DC5CF}\Version	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A5B76B6-8DE8-11D3-A85E-0080C86DC5CF}\1.0\ = "DSC Leader - SystemControl Library"	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemControlS.Class1\Clsid	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A5B76B9-8DE8-11D3-A85E-0080C86DC5CF}\ProgID	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A5B76B6-8DE8-11D3-A85E-0080C86DC5CF}\1.0\FLAGS\ = "0"	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1A5B76B7-8DE8-11D3-A85E-0080C86DC5CF}\ = "IClass1"	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemControlS.Class1	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemControlS.Class1\Clsid\ = "{1A5B76B9-8DE8-11D3-A85E-0080C86DC5CF}"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A5B76B9-8DE8-11D3-A85E-0080C86DC5CF}\ProgID\ = "SystemControlS.Class1"	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A5B76B6-8DE8-11D3-A85E-0080C86DC5CF}\1.0	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A5B76B9-8DE8-11D3-A85E-0080C86DC5CF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe"	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemControlS.Class1\Clsid	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A5B76B9-8DE8-11D3-A85E-0080C86DC5CF}	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A5B76B9-8DE8-11D3-A85E-0080C86DC5CF}\ = "Class1 Object"	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A5B76B6-8DE8-11D3-A85E-0080C86DC5CF}	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A5B76B9-8DE8-11D3-A85E-0080C86DC5CF}	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A5B76B9-8DE8-11D3-A85E-0080C86DC5CF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\._cache_Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1A5B76B7-8DE8-11D3-A85E-0080C86DC5CF}\TypeLib\ = "{1A5B76B6-8DE8-11D3-A85E-0080C86DC5CF}"	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A5B76B7-8DE8-11D3-A85E-0080C86DC5CF}\TypeLib	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A5B76B7-8DE8-11D3-A85E-0080C86DC5CF}\TypeLib\Version = "1.0"	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemControlS.Class1\ = "Class1 Object"	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A5B76B6-8DE8-11D3-A85E-0080C86DC5CF}\1.0\HELPDIR	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1A5B76B7-8DE8-11D3-A85E-0080C86DC5CF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A5B76B9-8DE8-11D3-A85E-0080C86DC5CF}\Version	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1A5B76B7-8DE8-11D3-A85E-0080C86DC5CF}\ProxyStubClsid32	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A5B76B6-8DE8-11D3-A85E-0080C86DC5CF}\1.0\0	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A5B76B6-8DE8-11D3-A85E-0080C86DC5CF}\1.0\0\win32	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A5B76B9-8DE8-11D3-A85E-0080C86DC5CF}\TypeLib\ = "{1A5B76B6-8DE8-11D3-A85E-0080C86DC5CF}"	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A5B76B6-8DE8-11D3-A85E-0080C86DC5CF}\1.0\FLAGS	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A5B76B6-8DE8-11D3-A85E-0080C86DC5CF}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\._cache_Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A5B76B9-8DE8-11D3-A85E-0080C86DC5CF}\TypeLib\ = "{1A5B76B6-8DE8-11D3-A85E-0080C86DC5CF}"	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A5B76B7-8DE8-11D3-A85E-0080C86DC5CF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemControlS.Class1\ = "Class1 Object"	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1A5B76B7-8DE8-11D3-A85E-0080C86DC5CF}	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A5B76B7-8DE8-11D3-A85E-0080C86DC5CF}\ = "IClass1"	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A5B76B7-8DE8-11D3-A85E-0080C86DC5CF}\TypeLib\ = "{1A5B76B6-8DE8-11D3-A85E-0080C86DC5CF}"	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A5B76B9-8DE8-11D3-A85E-0080C86DC5CF}\ProgID\ = "SystemControlS.Class1"	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A5B76B9-8DE8-11D3-A85E-0080C86DC5CF}\TypeLib	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemControlS.Class1\Clsid\ = "{1A5B76B9-8DE8-11D3-A85E-0080C86DC5CF}"	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A5B76B9-8DE8-11D3-A85E-0080C86DC5CF}\TypeLib	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemControlS.Class1	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A5B76B9-8DE8-11D3-A85E-0080C86DC5CF}\LocalServer32	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A5B76B9-8DE8-11D3-A85E-0080C86DC5CF}\Version\ = "1.0"	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A5B76B9-8DE8-11D3-A85E-0080C86DC5CF}\LocalServer32	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A5B76B7-8DE8-11D3-A85E-0080C86DC5CF}\ProxyStubClsid32	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A5B76B9-8DE8-11D3-A85E-0080C86DC5CF}\Version\ = "1.0"	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1A5B76B7-8DE8-11D3-A85E-0080C86DC5CF}\TypeLib	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3020	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3020	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3020	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3020	._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
2548	._cache_Synaptics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 3020	2072	68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe	28
PID 2072 wrote to memory of 3020	2072	68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe	28
PID 2072 wrote to memory of 3020	2072	68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe	28
PID 2072 wrote to memory of 3020	2072	68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe	28
PID 2072 wrote to memory of 2652	2072	68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe	29
PID 2072 wrote to memory of 2652	2072	68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe	29
PID 2072 wrote to memory of 2652	2072	68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe	29
PID 2072 wrote to memory of 2652	2072	68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe	29
PID 2652 wrote to memory of 2548	2652	Synaptics.exe	30
PID 2652 wrote to memory of 2548	2652	Synaptics.exe	30
PID 2652 wrote to memory of 2548	2652	Synaptics.exe	30
PID 2652 wrote to memory of 2548	2652	Synaptics.exe	30

C:\Users\Admin\AppData\Local\Temp\68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
"C:\Users\Admin\AppData\Local\Temp\68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3020
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
3.3MB

MD5
114c176c85577fb44d98e6fe003ea0dd

SHA1
54a4a3e91c34a00e30555bd824d6e32b567ff388

SHA256
68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2

SHA512
67651902b0d275c18fb61f6dab3cf936bbb9d0ff9ff48530a1b827dd386561f1a616702dcb68b177120d86a13e47ed55f4ca3fab4739328cfa2dd3e5e9dd5b05

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log\Alert_SystemControl_checkin_20240326.log

Filesize
834B

MD5
9806549f391cd4c27a4db7cd408dd57c

SHA1
e04459147fe9341d4975f48ce8c4fa9f7956763b

SHA256
0cb06f00b4763c476e11d5a5f8ae56bed854a0e26914d0d8efad2e445f9c894f

SHA512
9e399d43419e295c813e401c0741f1105606c200bbcc9c3693b5fff93d0edf84c43564b97d139dd0d5fb568bc7621f07f3655e0fffbc6048e12bc1c75b6f7940

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log\Alert_SystemControl_checkin_20240326.log

Filesize
1KB

MD5
361b0d4209917fdf022eb4c4ef9c7fc0

SHA1
ce3953945c7cfe2777cbf572056b51c03f40d5a5

SHA256
ddb8454c1ec16d1bc3a3303c8d9d3500a40dcc0a58b3ad7a1cd5e812461eb920

SHA512
d82c1234350cb38d4dc7851af535ed613a133e1dc3df5b905b708d94e85136e0804405316350ef8dab1e018ce11c8e85d8836b2d37c2f6c5a1154cba88101efe

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemControlS.ini

Filesize
32B

MD5
7ddb7f6460d79786b106c9a5cd8ec31e

SHA1
c6f3263e1dbac97b572cbbb611c079ff93a4cd81

SHA256
057fbde078653585d7fa74d4db3b05349b4a691347a10ae2cf841ca042f6e308

SHA512
275baff023281119ca884bc41bd89bc4d2e2466e3e32fce74408815ba69c26939669c0b3eb664094e051a74119dd902b455a2ad6afc6deac08e502ec2893e2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemControl_ENG.ini

Filesize
8KB

MD5
17365d20f218e5f05565a2eb28aa9f4f

SHA1
946f44c8d473d2525fb27f892d7ccbe2f734440c

SHA256
4d73f05a2eadee45238952648b47593e7428eb29adb658569dad2e0cbc4147da

SHA512
89c8133d8456757a7a2c85cf410e135fae7c3936022960ae99306ce6f00f8af495118cac9c61ac9c1412ded58bb05e27da5dc947891225df2e7791d5c0dd84f8

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_68ff76b503852728d9cc06e55376c841c103168957214e6ded8d866ce1df78b2.exe

Filesize
2.6MB

MD5
467e6f5a5f84cc2774b6db01e639b2cb

SHA1
9c5a86d6b2139eedf2be918deebb43431c6e4464

SHA256
43d311818f2da3429b59879d1f8e698f569de98e8cd73bd0bb076369840fdb5d

SHA512
482526480b41ff2e112ae5b4e3fbd71e2da2061386aaedb5fd7fb82e06d73bcd7a6d553b2e3cb183e38ceae28a77d1f33e5bb966787c29f75ca3be2a08e74885

Download Submit
memory/2072-29-0x0000000000400000-0x000000000075E000-memory.dmp

Filesize
3.4MB

Download
memory/2072-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2548-46-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2548-230-0x0000000000400000-0x00000000006A3000-memory.dmp

Filesize
2.6MB

Download
memory/2652-31-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2652-249-0x0000000000400000-0x000000000075E000-memory.dmp

Filesize
3.4MB

Download
memory/2652-252-0x0000000000400000-0x000000000075E000-memory.dmp

Filesize
3.4MB

Download
memory/2652-253-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2652-262-0x0000000000400000-0x000000000075E000-memory.dmp

Filesize
3.4MB

Download
memory/2652-294-0x0000000000400000-0x000000000075E000-memory.dmp

Filesize
3.4MB

Download
memory/3020-20-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3020-248-0x0000000000400000-0x00000000006A3000-memory.dmp

Filesize
2.6MB

Download
memory/3020-251-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads