Analysis
-
max time kernel
151s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20240221-en -
submitted
23-04-2024 20:18
Behavioral task
behavioral1
Sample
RUN ME FIRST.exe
Resource
win7-20240221-en
windows7-x64
22 signatures
150 seconds
General
-
Target
RUN ME FIRST.exe
-
Size
30.2MB
-
MD5
1a1d3ccdb446065c89c44b67105a48c1
-
SHA1
6a045b2be0a524d2e46e1a158fa9f5768d539470
-
SHA256
76be196c4deabfcb66820dbc30df22421bd2940a68993272eea691cad86092fc
-
SHA512
83b47897b5a958ba3d915caf631c1971445fcdb38b1fc344867126ffb2b94068ed447a280a7d330b3b2cd7a7d82171f5abce29bb36a11f7f9f371e20eb02ddb2
-
SSDEEP
786432:TZ/Z/rp+Ty2SfUfnbu+zMFy/7zYgWXRLTArzttOaaFH:1Rzp+Ty2SfWnPzMFO7zYgWBLbFH
Malware Config
Extracted
Family
xred
C2
xred.mooo.com
Attributes
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Xred family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ RUN ME FIRST.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ icsys.icn.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ._cache_Synaptics.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorer.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorer.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ icsys.icn.exe -
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion RUN ME FIRST.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion icsys.icn.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion icsys.icn.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ._cache_Synaptics.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion icsys.icn.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion RUN ME FIRST.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion icsys.icn.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ._cache_Synaptics.exe -
Executes dropped EXE 12 IoCs
pid Process 1776 run me first.exe 2460 icsys.icn.exe 2440 explorer.exe 2500 spoolsv.exe 2800 svchost.exe 112 Synaptics.exe 1328 spoolsv.exe 2840 ._cache_Synaptics.exe 2592 ._cache_synaptics.exe 2280 ._cache_synaptics.exe 2216 icsys.icn.exe 940 explorer.exe -
Loads dropped DLL 15 IoCs
pid Process 1692 RUN ME FIRST.exe 1692 RUN ME FIRST.exe 1692 RUN ME FIRST.exe 2460 icsys.icn.exe 2440 explorer.exe 2500 spoolsv.exe 1776 run me first.exe 1776 run me first.exe 1776 run me first.exe 2800 svchost.exe 112 Synaptics.exe 112 Synaptics.exe 2840 ._cache_Synaptics.exe 2592 ._cache_synaptics.exe 2280 ._cache_synaptics.exe -
resource yara_rule behavioral1/memory/1692-0-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral1/files/0x000b00000001560a-17.dat themida behavioral1/memory/1692-20-0x00000000032D0000-0x00000000038E6000-memory.dmp themida behavioral1/memory/2460-22-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral1/files/0x00090000000165ae-32.dat themida behavioral1/memory/2440-34-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral1/files/0x00060000000186a0-42.dat themida behavioral1/memory/2440-45-0x0000000003490000-0x0000000003AA6000-memory.dmp themida behavioral1/memory/1692-51-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral1/memory/2500-59-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral1/files/0x0007000000018b33-64.dat themida behavioral1/memory/2460-69-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral1/memory/2800-71-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral1/memory/1328-92-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral1/files/0x0006000000018b37-97.dat themida behavioral1/memory/2840-106-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral1/memory/2440-111-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral1/memory/1328-112-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral1/memory/2500-113-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral1/memory/1692-114-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral1/memory/2460-115-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral1/memory/2440-127-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral1/memory/2440-170-0x0000000003490000-0x0000000003AA6000-memory.dmp themida behavioral1/memory/2800-172-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral1/memory/2840-178-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral1/memory/2216-198-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral1/memory/940-204-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral1/memory/2216-210-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral1/memory/940-209-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral1/memory/2840-211-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral1/memory/2440-218-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral1/memory/2440-228-0x0000000000400000-0x0000000000A16000-memory.dmp themida behavioral1/memory/2800-260-0x0000000000400000-0x0000000000A16000-memory.dmp themida -
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" run me first.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RUN ME FIRST.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ._cache_Synaptics.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA icsys.icn.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA icsys.icn.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
pid Process 1692 RUN ME FIRST.exe 2460 icsys.icn.exe 2440 explorer.exe 2500 spoolsv.exe 2800 svchost.exe 1328 spoolsv.exe 2840 ._cache_Synaptics.exe 2216 icsys.icn.exe 940 explorer.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File opened for modification C:\Windows\Resources\tjud.exe explorer.exe File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe RUN ME FIRST.exe File opened for modification \??\c:\windows\resources\themes\explorer.exe icsys.icn.exe File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe ._cache_Synaptics.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 17 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RUN ME FIRST.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icsys.icn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language run me first.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXCEL.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icsys.icn.exe -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE -
Modifies registry class 64 IoCs
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command EXCEL.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2392 schtasks.exe 2904 schtasks.exe 2188 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2288 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1692 RUN ME FIRST.exe 1692 RUN ME FIRST.exe 1692 RUN ME FIRST.exe 1692 RUN ME FIRST.exe 1692 RUN ME FIRST.exe 1692 RUN ME FIRST.exe 1692 RUN ME FIRST.exe 1692 RUN ME FIRST.exe 1692 RUN ME FIRST.exe 1692 RUN ME FIRST.exe 1692 RUN ME FIRST.exe 1692 RUN ME FIRST.exe 1692 RUN ME FIRST.exe 1692 RUN ME FIRST.exe 1692 RUN ME FIRST.exe 1692 RUN ME FIRST.exe 2460 icsys.icn.exe 2460 icsys.icn.exe 2460 icsys.icn.exe 2460 icsys.icn.exe 2460 icsys.icn.exe 2460 icsys.icn.exe 2460 icsys.icn.exe 2460 icsys.icn.exe 2460 icsys.icn.exe 2460 icsys.icn.exe 2460 icsys.icn.exe 2460 icsys.icn.exe 2460 icsys.icn.exe 2460 icsys.icn.exe 2460 icsys.icn.exe 2460 icsys.icn.exe 2460 icsys.icn.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2440 explorer.exe 2800 svchost.exe 2800 svchost.exe 2800 svchost.exe 2800 svchost.exe 2800 svchost.exe 2800 svchost.exe 2800 svchost.exe 2800 svchost.exe 2800 svchost.exe 2800 svchost.exe 2800 svchost.exe 2800 svchost.exe 2800 svchost.exe 2800 svchost.exe 2800 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 2440 explorer.exe 2800 svchost.exe -
Suspicious use of SetWindowsHookEx 19 IoCs
pid Process 1692 RUN ME FIRST.exe 1692 RUN ME FIRST.exe 2460 icsys.icn.exe 2460 icsys.icn.exe 2440 explorer.exe 2440 explorer.exe 2500 spoolsv.exe 2500 spoolsv.exe 2800 svchost.exe 2800 svchost.exe 1328 spoolsv.exe 2840 ._cache_Synaptics.exe 2840 ._cache_Synaptics.exe 1328 spoolsv.exe 2288 EXCEL.EXE 2216 icsys.icn.exe 2216 icsys.icn.exe 940 explorer.exe 940 explorer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1692 wrote to memory of 1776 1692 RUN ME FIRST.exe 28 PID 1692 wrote to memory of 1776 1692 RUN ME FIRST.exe 28 PID 1692 wrote to memory of 1776 1692 RUN ME FIRST.exe 28 PID 1692 wrote to memory of 1776 1692 RUN ME FIRST.exe 28 PID 1692 wrote to memory of 2460 1692 RUN ME FIRST.exe 29 PID 1692 wrote to memory of 2460 1692 RUN ME FIRST.exe 29 PID 1692 wrote to memory of 2460 1692 RUN ME FIRST.exe 29 PID 1692 wrote to memory of 2460 1692 RUN ME FIRST.exe 29 PID 2460 wrote to memory of 2440 2460 icsys.icn.exe 30 PID 2460 wrote to memory of 2440 2460 icsys.icn.exe 30 PID 2460 wrote to memory of 2440 2460 icsys.icn.exe 30 PID 2460 wrote to memory of 2440 2460 icsys.icn.exe 30 PID 2440 wrote to memory of 2500 2440 explorer.exe 31 PID 2440 wrote to memory of 2500 2440 explorer.exe 31 PID 2440 wrote to memory of 2500 2440 explorer.exe 31 PID 2440 wrote to memory of 2500 2440 explorer.exe 31 PID 2500 wrote to memory of 2800 2500 spoolsv.exe 32 PID 2500 wrote to memory of 2800 2500 spoolsv.exe 32 PID 2500 wrote to memory of 2800 2500 spoolsv.exe 32 PID 2500 wrote to memory of 2800 2500 spoolsv.exe 32 PID 1776 wrote to memory of 112 1776 run me first.exe 33 PID 1776 wrote to memory of 112 1776 run me first.exe 33 PID 1776 wrote to memory of 112 1776 run me first.exe 33 PID 1776 wrote to memory of 112 1776 run me first.exe 33 PID 2800 wrote to memory of 1328 2800 svchost.exe 34 PID 2800 wrote to memory of 1328 2800 svchost.exe 34 PID 2800 wrote to memory of 1328 2800 svchost.exe 34 PID 2800 wrote to memory of 1328 2800 svchost.exe 34 PID 112 wrote to memory of 2840 112 Synaptics.exe 35 PID 112 wrote to memory of 2840 112 Synaptics.exe 35 PID 112 wrote to memory of 2840 112 Synaptics.exe 35 PID 112 wrote to memory of 2840 112 Synaptics.exe 35 PID 2440 wrote to memory of 2148 2440 explorer.exe 36 PID 2440 wrote to memory of 2148 2440 explorer.exe 36 PID 2440 wrote to memory of 2148 2440 explorer.exe 36 PID 2440 wrote to memory of 2148 2440 explorer.exe 36 PID 2800 wrote to memory of 2392 2800 svchost.exe 37 PID 2800 wrote to memory of 2392 2800 svchost.exe 37 PID 2800 wrote to memory of 2392 2800 svchost.exe 37 PID 2800 wrote to memory of 2392 2800 svchost.exe 37 PID 2840 wrote to memory of 2592 2840 ._cache_Synaptics.exe 40 PID 2840 wrote to memory of 2592 2840 ._cache_Synaptics.exe 40 PID 2840 wrote to memory of 2592 2840 ._cache_Synaptics.exe 40 PID 2840 wrote to memory of 2592 2840 ._cache_Synaptics.exe 40 PID 2840 wrote to memory of 2592 2840 ._cache_Synaptics.exe 40 PID 2840 wrote to memory of 2592 2840 ._cache_Synaptics.exe 40 PID 2840 wrote to memory of 2592 2840 ._cache_Synaptics.exe 40 PID 2592 wrote to memory of 2280 2592 ._cache_synaptics.exe 41 PID 2592 wrote to memory of 2280 2592 ._cache_synaptics.exe 41 PID 2592 wrote to memory of 2280 2592 ._cache_synaptics.exe 41 PID 2592 wrote to memory of 2280 2592 ._cache_synaptics.exe 41 PID 2592 wrote to memory of 2280 2592 ._cache_synaptics.exe 41 PID 2592 wrote to memory of 2280 2592 ._cache_synaptics.exe 41 PID 2592 wrote to memory of 2280 2592 ._cache_synaptics.exe 41 PID 2840 wrote to memory of 2216 2840 ._cache_Synaptics.exe 45 PID 2840 wrote to memory of 2216 2840 ._cache_Synaptics.exe 45 PID 2840 wrote to memory of 2216 2840 ._cache_Synaptics.exe 45 PID 2840 wrote to memory of 2216 2840 ._cache_Synaptics.exe 45 PID 2216 wrote to memory of 940 2216 icsys.icn.exe 46 PID 2216 wrote to memory of 940 2216 icsys.icn.exe 46 PID 2216 wrote to memory of 940 2216 icsys.icn.exe 46 PID 2216 wrote to memory of 940 2216 icsys.icn.exe 46 PID 2800 wrote to memory of 2904 2800 svchost.exe 49 PID 2800 wrote to memory of 2904 2800 svchost.exe 49
Processes
-
C:\Users\Admin\AppData\Local\Temp\RUN ME FIRST.exe"C:\Users\Admin\AppData\Local\Temp\RUN ME FIRST.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1692 -
\??\c:\users\admin\appdata\local\temp\run me first.exe"c:\users\admin\appdata\local\temp\run me first.exe "2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:112 -
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exec:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\Temp\{BBB5AEB2-2F95-4E9E-B5AC-7F87F5EFA83A}\.cr\._cache_synaptics.exe"C:\Windows\Temp\{BBB5AEB2-2F95-4E9E-B5AC-7F87F5EFA83A}\.cr\._cache_synaptics.exe " -burn.clean.room="c:\users\admin\appdata\local\temp\._cache_synaptics.exe " -burn.filehandle.attached=180 -burn.filehandle.self=188 InjUpdate6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2280
-
-
-
C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:940
-
-
-
-
-
-
C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2460 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe5⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1328
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:21 /f6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2392
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:22 /f6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2904
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:23 /f6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2188
-
-
-
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe4⤵PID:2148
-
-
-
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2288
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
3Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
17KB
MD5e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
Filesize
2.6MB
MD5598d546ef73a926bf66564b0cdd24724
SHA1d0195bb2c4653c1b1964187e9824998063fe8111
SHA2563360e23cae09d4f1819bdac72c394a1d2cdd95703997cf9dbbdad969837b51d7
SHA512751f872848ccdd1a196ffe452d8f427e92d662dcd4df4241df13cc756875aff31f41e86e83cc072ee84bd5bfc234825fa2489cb4ebd74887c7c82491b4799e2d
-
Filesize
1KB
MD5d6bd210f227442b3362493d046cea233
SHA1ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b
-
Filesize
635KB
MD553e9222bc438cbd8b7320f800bef2e78
SHA1c4f295d8855b4b16c7450a4a9150eb95046f6390
SHA2560e49026767420229afd23b1352cf9f97f24e0768c3d527000d449ffdb4ca6888
SHA5127533f9791e1807072a4dbb6ca03c696b12dfa5337678fab53aceea0e4b7e5ffefb90c9b450ac80878e1e9a4bce549f619da4cd2d06eb2554c9add5b4ec838b4a
-
Filesize
24.2MB
MD5101b0b9f74cdc6cdbd2570bfe92e302c
SHA12e6bae42c2842b4f558bd68099479b929bb7d910
SHA2564dfe83c91124cd542f4222fe2c396cabeac617bb6f59bdcbdf89fd6f0df0a32f
SHA512ccf4fd7da2c3440f1bc7fcac67c8a12599eab8d5c015affdc2e439fa30f5c7868ef5f52ede058361faae37ccc4af2c17c0adf30b8e1f852bb7106d0ec7162506
-
Filesize
26.8MB
MD5295a5c23bd7d75fb93c29d301461999e
SHA1fe574720ca812f4cf0523efc7bd65c2b9e1cd006
SHA256f12b9927989c46a741e1b6dba0cdca4d6da86852cefd9cdb08204e26caac53e7
SHA512e08857e8fd4f3a2e501add77e7a2326693b97283a03106f4e60fcdfa1dd148009681134895b6285f328549ab24172effd9c5ee09aa5283f170a6c62bfa6efc3e
-
Filesize
27.6MB
MD5d91e55db411d487e8311d12596327ac4
SHA1e0104af553bf10a7bd178b41d1026fee4393d90c
SHA256f5c8914376373c7c48658ee56adf44ba3157c4ca5fbba82f7794c3b820687128
SHA512fe016a2c18f69f36c0c9ce9d1dda3a1a3b6e701c32f3fbb57ca4ba74ffe53edddb09ad2849da206509faa0e7a1af8d606c0c55ab803fe8987e5fb7d8e7a6887d
-
Filesize
2.6MB
MD5a7d44128dcb01d3d19a1ef4213f70062
SHA1958e7e8688e020f97ed58d271510c3fa31f581fa
SHA25620f97327231090b3d3231195923ff1e2e1955824bc7b73bee506a2f7fe152cd9
SHA51275659f857d97fd372185dd806c2fdff94500c670d5774c803a79a0a6d9d6be10c5aab58a8afec6e9e4d750a5de7eeeb4ef664101a379f3dfb97b3a7c34979ebb
-
Filesize
2.6MB
MD59a3fbe26eeb9f984d83d8ccedaabf87a
SHA15593600aaf7ddff092467654acfd38baad5556aa
SHA2569696c6aa0e2179df2f614a815068933e8abf176028e8979c8fc9a8cc5c64157f
SHA512fdcea58301c04b38c07fc036240bcbf3932d160adafa21b27da32c0559482667f4da7751d5fd54a57e2b4daf04b571ebf1262c103328c8612cff132bc64e405f
-
Filesize
2.6MB
MD549a5b5e574ca40d464e06059b360c333
SHA105a1b2df1e3cce2287e5ec11e3b25540ac37268d
SHA256d7f49fb79e8bbc3fb19bca4d5f18013816de884035b857a0f051470ac8eefb5f
SHA5120d14983c084e311800aaadef6d50b9d0be9bbae004c4dcac83be5baff686f7b07046138a49d8b88562e5b5af4275575f21e027f4f7ceda79a8bd7b877770f17f
-
Filesize
191KB
MD5eab9caf4277829abdf6223ec1efa0edd
SHA174862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA51245b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2
