aa29fce08204b1ca7030cb0605c4973ea588738aff90b722765dfa5bab436d13

Resubmissions

08/09/2024, 11:51

240908-n1j43axalb 1

08/09/2024, 11:48

240908-nyy57svajl 8

Analysis

max time kernel
55s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

syncthing-windows-amd64-v1.27.10.zip
Size

10.5MB
MD5

b35205b863104b3d7953ab497aa26566
SHA1

b08706ba27b5e8436fa14be076540484955f9521
SHA256

aa29fce08204b1ca7030cb0605c4973ea588738aff90b722765dfa5bab436d13
SHA512

e6987a75ef8074def067894120e4e5971baf4e27ac34c53347ed96d88ef6c7ccbb4280109133a71b3e1eae98390b52af9ad0abb43145284ad9b67ac117ae2690
SSDEEP

196608:8Vpmyk/GkvP74h0iSSNotMqa6srks+TGdUApmRuIhh4vM10+3YWax:8HkOOz4CbSGOqa6srkJaaj0IhWkZIWC

Score

8^/10

spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Windows\System32\drivers\it-IT\RNDISMP.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\it-IT\ULIAGPKX.SYS.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\ja-JP\kbdhid.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\kbdclass.sys	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\fr-FR\BTHUSB.SYS.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\fr-FR\tunnel.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\irenum.sys	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\it-IT\vhdmp.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\ja-JP\BrParwdm.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\ja-JP\intelppm.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\de-DE\qwavedrv.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\hwpolicy.sys	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\it-IT\mouclass.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\it-IT\ipnat.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\acpi.sys	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\bridge.sys	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\dxgmms1.sys	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\es-ES\http.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\es-ES\ohci1394.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\gm.dls	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\it-IT\kbdhid.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\null.sys	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\en-US\battc.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\en-US\kbdhid.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\es-ES\bthenum.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\UMDF\en-US\WUDFUsbccidDriver.dll.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\de-DE\volmgrx.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\ja-JP\sermouse.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\de-DE\tsusbhub.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\es-ES\usbport.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\it-IT\volmgrx.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\ja-JP\modem.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\ja-JP\nwifi.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\ja-JP\tsusbflt.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\es-ES\ws2ifsl.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\ja-JP\amdppm.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\ja-JP\ataport.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\de-DE\scsiport.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\fr-FR\hidbth.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\mouclass.sys	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\pci.sys	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\crashdmp.sys	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\it-IT\nwifi.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\ja-JP\hdaudbus.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\es-ES\bthport.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\it-IT\pacer.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\it-IT\rdvgkmd.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\ja-JP\ndis.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\raspppoe.sys	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\de-DE\battc.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\de-DE\kbdhid.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\de-DE\parport.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\mpsdrv.sys	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\de-DE\srv.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\en-US\mountmgr.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\es-ES\pnpmem.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\WUDFPf.sys	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\cdfs.sys	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\de-DE\amdppm.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\de-DE\isapnp.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\fr-FR\RNDISMP.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\fr-FR\UAGP35.SYS.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\fr-FR\vdrvroot.sys.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\ja-JP\disk.sys.mui	cmd.exe

Deletes itself 1 IoCs

pid	Process
2484	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\Windows\assembly\Desktop.ini	cmd.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	\??\c:\Windows\BITLOC~1\autorun.inf	cmd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Windows\System32\de-DE\SystemPropertiesDataExecutionPrevention.exe.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\devrtl.dll	cmd.exe
File opened for modification	\??\c:\Windows\System32\dllhst3g.exe	cmd.exe
File opened for modification	\??\c:\Windows\System32\DRIVER~1\en-US\faxca003.inf_loc	cmd.exe
File opened for modification	\??\c:\Windows\System32\cmncliM.dll	cmd.exe
File opened for modification	\??\c:\Windows\System32\de-DE\ndadmin.exe.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\DRIVER~1\en-US\keyboard.inf_loc	cmd.exe
File opened for modification	\??\c:\Windows\System32\de-DE\irftp.exe.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\DRIVER~1\de-DE\mdmbr006.inf_loc	cmd.exe
File opened for modification	\??\c:\Windows\System32\de-DE\termsrv.dll.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\de-DE\napinsp.dll.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\de-DE\puiapi.dll.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\de-DE\printui.exe.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\de-DE\rdpinit.exe.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\DRIVER~1\en-US\netvwifibus.inf_loc	cmd.exe
File opened for modification	\??\c:\Windows\System32\de-DE\bcdboot.exe.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\de-DE\packager.dll.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\DRIVER~1\de-DE\prnkm002.inf_loc	cmd.exe
File opened for modification	\??\c:\Windows\System32\Boot\en-US\winload.exe.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\de-DE\newdev.dll.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\Dism\es-ES\DmiProvider.dll.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\dpnhpast.dll	cmd.exe
File opened for modification	\??\c:\Windows\System32\DRIVER~1\de-DE\prnsv004.inf_loc	cmd.exe
File opened for modification	\??\c:\Windows\System32\de-DE\ctfmon.exe.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\de-DE\imaadp32.acm.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\DRIVER~1\en-US\battery.inf_loc	cmd.exe
File opened for modification	\??\c:\Windows\System32\DRIVER~1\en-US\netloop.inf_loc	cmd.exe
File opened for modification	\??\c:\Windows\System32\de-DE\quser.exe.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\DRIVER~1\de-DE\sffdisk.inf_loc	cmd.exe
File opened for modification	\??\c:\Windows\System32\Dism\de-DE\UnattendProvider.dll.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\dmocx.dll	cmd.exe
File opened for modification	\??\c:\Windows\System32\DRIVER~1\en-US\prnkm004.inf_loc	cmd.exe
File opened for modification	\??\c:\Windows\System32\ar-SA\msprivs.dll.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\de-DE\bridgeres.dll.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\de-DE\mrinfo.exe.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\de-DE\msobjs.dll.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\de-DE\pegi.rs.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\de-DE\Wwanpref.dll.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\deskmon.dll	cmd.exe
File opened for modification	\??\c:\Windows\System32\Dism\es-ES\SmiProvider.dll.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\de-DE\AdapterTroubleshooter.exe.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\de-DE\connect.dll.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\DRIVER~1\en-US\brmfport.inf_loc	cmd.exe
File opened for modification	\??\c:\Windows\System32\DRIVER~1\en-US\faxcn001.inf_loc	cmd.exe
File opened for modification	\??\c:\Windows\System32\de-DE\hhctrl.ocx.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\de-DE\hpowiav1.dll.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\de-DE\msdtcVSp1res.dll.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\DRIVER~1\de-DE\netg664.inf_loc	cmd.exe
File opened for modification	\??\c:\Windows\System32\DRIVER~1\de-DE\wiabr00a.inf_loc	cmd.exe
File opened for modification	\??\c:\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll	cmd.exe
File opened for modification	\??\c:\Windows\System32\C_857.NLS	cmd.exe
File opened for modification	\??\c:\Windows\System32\de-DE\Licenses\eval\Starter\license.rtf	cmd.exe
File opened for modification	\??\c:\Windows\System32\de-DE\LocationNotifications.exe.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\de-DE\winhttp.dll.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\de-DE\AuxiliaryDisplayClassInstaller.dll.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\de-DE\fsmgmt.msc	cmd.exe
File opened for modification	\??\c:\Windows\System32\cic.dll	cmd.exe
File opened for modification	\??\c:\Windows\System32\de-DE\dxdiagn.dll.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\DRIVER~1\de-DE\prnky005.inf_loc	cmd.exe
File opened for modification	\??\c:\Windows\System32\DRIVER~1\en-US\wiaca00a.inf_loc	cmd.exe
File opened for modification	\??\c:\Windows\System32\apilogen.dll	cmd.exe
File opened for modification	\??\c:\Windows\System32\avrt.dll	cmd.exe
File opened for modification	\??\c:\Windows\System32\de-DE\dialer.exe.mui	cmd.exe
File opened for modification	\??\c:\Windows\System32\DRIVER~1\de-DE\netl1c64.inf_loc	cmd.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\PROGRA~2\WI4223~1\Gadgets\PICTUR~1.GAD\fr-FR\picturePuzzle.html	cmd.exe
File opened for modification	\??\c:\PROGRA~2\WI4223~1\Gadgets\RSSFEE~1.GAD\fr-FR\js\RSSFeeds.js	cmd.exe
File opened for modification	\??\c:\PROGRA~2\WI4223~1\Gadgets\WEATHE~1.GAD\images\44.png	cmd.exe
File opened for modification	\??\c:\PROGRA~3\MICROS~1\USERAC~1\DEFAUL~1\usertile25.bmp	cmd.exe
File opened for modification	\??\c:\PROGRA~2\REFERE~1\MICROS~1\FRAMEW~1\v3.5\Microsoft.Build.Utilities.v3.5.dll	cmd.exe
File opened for modification	\??\c:\PROGRA~2\WI4223~1\Gadgets\CURREN~1.GAD\ja-JP\js\localizedStrings.js	cmd.exe
File opened for modification	\??\c:\PROGRA~2\WI4223~1\Gadgets\WEATHE~1.GAD\images\undocked_black_moon-new.png	cmd.exe
File opened for modification	\??\c:\PROGRA~2\WI4223~1\Gadgets\CALEND~1.GAD\images\calendar_single.png	cmd.exe
File opened for modification	\??\c:\PROGRA~2\WI4223~1\Gadgets\PICTUR~1.GAD\Images\settings_box_divider_left.png	cmd.exe
File opened for modification	\??\c:\PROGRA~2\WI4223~1\de-DE\sbdrop.dll.mui	cmd.exe
File opened for modification	\??\c:\PROGRA~1\INTERN~1\en-US\jsprofilerui.dll.mui	cmd.exe
File opened for modification	\??\c:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.0\System.Runtime.Serialization.dll	cmd.exe
File opened for modification	\??\c:\PROGRA~2\REFERE~1\MICROS~1\FRAMEW~1\v3.0\fr\ReachFramework.resources.dll	cmd.exe
File opened for modification	\??\c:\PROGRA~2\WINDOW~4\ImagingDevices.exe	cmd.exe
File opened for modification	\??\c:\PROGRA~2\WI4223~1\Gadgets\WEATHE~1.GAD\images\47.png	cmd.exe
File opened for modification	\??\c:\PROGRA~2\WI4223~1\Gadgets\WEATHE~1.GAD\images\docked_black_moon-waxing-crescent.png	cmd.exe
File opened for modification	\??\c:\PROGRA~1\COMMON~1\MICROS~1\ink\da-DK\tipresx.dll.mui	cmd.exe
File opened for modification	\??\c:\PROGRA~1\WI4223~1\Gadgets\WEATHE~1.GAD\images\docked_black_moon-waxing-crescent.png	cmd.exe
File opened for modification	\??\c:\PROGRA~2\REFERE~1\MICROS~1\FRAMEW~1\v3.0\ja\PresentationBuildTasks.resources.dll	cmd.exe
File opened for modification	\??\c:\PROGRA~1\COMMON~1\MICROS~1\ink\de-DE\mshwLatin.dll.mui	cmd.exe
File opened for modification	\??\c:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\Travel\TravelIntroToMain.wmv	cmd.exe
File opened for modification	\??\c:\PROGRA~2\Adobe\READER~1.0\Reader\Tracker\END_RE~1.GIF	cmd.exe
File opened for modification	\??\c:\PROGRA~2\WINDOW~1\WinMail.exe	cmd.exe
File opened for modification	\??\c:\PROGRA~2\WI4223~1\Gadgets\CPU~1.GAD\drag.png	cmd.exe
File opened for modification	\??\c:\PROGRA~1\COMMON~1\MICROS~1\STATIO~1\OrangeCircles.jpg	cmd.exe
File opened for modification	\??\c:\PROGRA~1\WI4223~1\Gadgets\CPU~1.GAD\es-ES\css\cpu.css	cmd.exe
File opened for modification	\??\c:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.5\it\System.Data.Entity.Resources.dll	cmd.exe
File opened for modification	\??\c:\PROGRA~1\WI54FB~1\WMPMediaSharing.dll	cmd.exe
File opened for modification	\??\c:\PROGRA~1\WI4223~1\Gadgets\CALEND~1.GAD\images\calendar_single_bkg_orange.png	cmd.exe
File opened for modification	\??\c:\PROGRA~2\REFERE~1\MICROS~1\FRAMEW~1\v3.0\fr\System.IO.Log.Resources.dll	cmd.exe
File opened for modification	\??\c:\PROGRA~2\REFERE~1\MICROS~1\FRAMEW~1\v3.0\PresentationCore.dll	cmd.exe
File opened for modification	\??\c:\PROGRA~2\REFERE~1\MICROS~1\FRAMEW~1\v3.5\es\System.Management.Instrumentation.Resources.dll	cmd.exe
File opened for modification	\??\c:\PROGRA~1\COMMON~1\MICROS~1\ink\en-US\IpsMigrationPlugin.dll.mui	cmd.exe
File opened for modification	\??\c:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\HueCycle\NavigationLeft_SelectionSubpicture.png	cmd.exe
File opened for modification	\??\c:\PROGRA~2\WI4223~1\Gadgets\CALEND~1.GAD\images\bPrev-hot.png	cmd.exe
File opened for modification	\??\c:\PROGRA~2\WI4223~1\Gadgets\WEATHE~1.GAD\it-IT\css\weather.css	cmd.exe
File opened for modification	\??\c:\PROGRA~2\COMMON~1\System\msadc\msadcfr.dll	cmd.exe
File opened for modification	\??\c:\PROGRA~2\REFERE~1\MICROS~1\FRAMEW~1\v3.5\ja\System.Web.Entity.Resources.dll	cmd.exe
File opened for modification	\??\c:\PROGRA~2\WI4223~1\Gadgets\CPU~1.GAD\images\glass_lrg.png	cmd.exe
File opened for modification	\??\c:\PROGRA~2\WI4223~1\Gadgets\PICTUR~1.GAD\Images\6.png	cmd.exe
File opened for modification	\??\c:\PROGRA~1\WI4223~1\Gadgets\CLOCK~1.GAD\ja-JP\css\settings.css	cmd.exe
File opened for modification	\??\c:\PROGRA~1\WI4223~1\Gadgets\RSSFEE~1.GAD\it-IT\css\flyout.css	cmd.exe
File opened for modification	\??\c:\PROGRA~2\COMMON~1\MICROS~1\ink\penchs.dll	cmd.exe
File opened for modification	\??\c:\PROGRA~2\COMMON~1\System\OLEDB~1\fr-FR\msdaorar.dll.mui	cmd.exe
File opened for modification	\??\c:\PROGRA~2\REFERE~1\MICROS~1\FRAMEW~1\v3.0\fr\WindowsFormsIntegration.resources.dll	cmd.exe
File opened for modification	\??\c:\PROGRA~2\WI4223~1\Gadgets\CALEND~1.GAD\es-ES\js\calendar.js	cmd.exe
File opened for modification	\??\c:\PROGRA~3\MICROS~1\WINDOW~2\MSFax\COMMON~1\en-US\confident.cov	cmd.exe
File opened for modification	\??\c:\PROGRA~1\COMMON~1\MICROS~1\ink\ipsrom.xml	cmd.exe
File opened for modification	\??\c:\PROGRA~1\WI4223~1\Gadgets\SLIDES~1.GAD\it-IT\gadget.xml	cmd.exe
File opened for modification	\??\c:\PROGRA~2\WI4223~1\Gadgets\CALEND~1.GAD\en-US\css\calendar.css	cmd.exe
File opened for modification	\??\c:\PROGRA~2\WI4223~1\Gadgets\SLIDES~1.GAD\it-IT\gadget.xml	cmd.exe
File opened for modification	\??\c:\PROGRA~2\COMMON~1\MICROS~1\ink\ja-JP\TipRes.dll.mui	cmd.exe
File opened for modification	\??\c:\PROGRA~2\WI4223~1\Gadgets\CURREN~1.GAD\es-ES\css\currency.css	cmd.exe
File opened for modification	\??\c:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.5\it\System.Management.Instrumentation.Resources.dll	cmd.exe
File opened for modification	\??\c:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.5\Microsoft.Build.Utilities.v3.5.dll	cmd.exe
File opened for modification	\??\c:\PROGRA~2\REFERE~1\MICROS~1\FRAMEW~1\v3.5\fr\System.Data.Linq.Resources.dll	cmd.exe
File opened for modification	\??\c:\PROGRA~2\WI4223~1\Gadgets\PICTUR~1.GAD\ja-JP\css\picturePuzzle.css	cmd.exe
File opened for modification	\??\c:\PROGRA~1\COMMON~1\MICROS~1\ink\it-IT\ShapeCollector.exe.mui	cmd.exe
File opened for modification	\??\c:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\Full\full.png	cmd.exe
File opened for modification	\??\c:\PROGRA~1\WI4223~1\Gadgets\PICTUR~1.GAD\it-IT\gadget.xml	cmd.exe
File opened for modification	\??\c:\PROGRA~1\WI4223~1\Gadgets\WEATHE~1.GAD\images\144DPI\(144DPI)grayStateIcon.png	cmd.exe
File opened for modification	\??\c:\PROGRA~1\COMMON~1\MICROS~1\STATIO~1\GreenBubbles.jpg	cmd.exe
File opened for modification	\??\c:\PROGRA~1\WI4223~1\Gadgets\CLOCK~1.GAD\fr-FR\js\timeZones.js	cmd.exe
File opened for modification	\??\c:\PROGRA~1\WI4223~1\Gadgets\WEATHE~1.GAD\images\info.png	cmd.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Windows\PLA\Rules\de-DE\Rules.System.Configuration.xml	cmd.exe
File opened for modification	\??\c:\Windows\POLICY~1\ShapeCollector.admx	cmd.exe
File opened for modification	\??\c:\Windows\SERVIC~1\Packages\MI3541~1.CAT	cmd.exe
File opened for modification	\??\c:\Windows\Help\mui\0410\msmq.CHM	cmd.exe
File opened for modification	\??\c:\Windows\MICROS~1.NET\FRAMEW~2\V20~1.507\DE\aspnet_rc.dll	cmd.exe
File opened for modification	\??\c:\Windows\Help\mui\0410\eventviewer.CHM	cmd.exe
File opened for modification	\??\c:\Windows\MICROS~1.NET\FRAMEW~1\V20~1.507\DE\System.Web.Resources.dll	cmd.exe
File opened for modification	\??\c:\Windows\MICROS~1.NET\FRAMEW~2\V20~1.507\sysglobl.dll	cmd.exe
File opened for modification	\??\c:\Windows\PLA\Rules\ja-JP\Rules.System.Memory.xml	cmd.exe
File opened for modification	\??\c:\Windows\SERVIC~1\Packages\MI73AC~1.MUM	cmd.exe
File opened for modification	\??\c:\Windows\SERVIC~1\Packages\MI7DDC~1.MUM	cmd.exe
File opened for modification	\??\c:\Windows\SERVIC~1\Packages\MIB830~1.MUM	cmd.exe
File opened for modification	\??\c:\Windows\SERVIC~1\Packages\MIE09C~1.CAT	cmd.exe
File opened for modification	\??\c:\Windows\Help\Windows\de-DE\Windows.h1c	cmd.exe
File opened for modification	\??\c:\Windows\SERVIC~1\Packages\WI85F3~1.MUM	cmd.exe
File opened for modification	\??\c:\Windows\MICROS~1.NET\FRAMEW~2\v3.0\WINDOW~1\es\Microsoft.Transactions.Bridge.Resources.dll	cmd.exe
File opened for modification	\??\c:\Windows\MICROS~1.NET\FRAMEW~1\V20~1.507\JA\System.Drawing.Design.Resources.dll	cmd.exe
File opened for modification	\??\c:\Windows\Media\CHARAC~1\Windows Critical Stop.wav	cmd.exe
File opened for modification	\??\c:\Windows\SERVIC~1\Packages\MID759~1.MUM	cmd.exe
File opened for modification	\??\c:\Windows\inf\MSDTC\0000\msdtcprf.ini	cmd.exe
File opened for modification	\??\c:\Windows\SERVIC~1\Packages\WI6EDF~1.CAT	cmd.exe
File opened for modification	\??\c:\Windows\inf\netbrdgs.inf	cmd.exe
File opened for modification	\??\c:\Windows\POLICY~1\TaskScheduler.admx	cmd.exe
File opened for modification	\??\c:\Windows\MICROS~1.NET\FRAMEW~1\V20~1.507\fr\ShFusRes.dll	cmd.exe
File opened for modification	\??\c:\Windows\MICROS~1.NET\FRAMEW~1\v3.5\MSBuild.exe	cmd.exe
File opened for modification	\??\c:\Windows\POLICY~1\de-DE\CEIPEnable.adml	cmd.exe
File opened for modification	\??\c:\Windows\SERVIC~1\Packages\MIDB60~1.MUM	cmd.exe
File opened for modification	\??\c:\Windows\Fonts\sseriffg.fon	cmd.exe
File opened for modification	\??\c:\Windows\GLOBAL~1\MCT\MCT-US\WALLPA~1\US-wp2.jpg	cmd.exe
File opened for modification	\??\c:\Windows\INSTAL~1\{90140~3\accicons.exe	cmd.exe
File opened for modification	\??\c:\Windows\MICROS~1.NET\FRAMEW~2\v3.0\WINDOW~1\ServiceModelReg.exe	cmd.exe
File opened for modification	\??\c:\Windows\POLICY~1\es-ES\HelpAndSupport.adml	cmd.exe
File opened for modification	\??\c:\Windows\SERVIC~1\Packages\MIADF3~1.MUM	cmd.exe
File opened for modification	\??\c:\Windows\SERVIC~1\Packages\MIFD07~1.MUM	cmd.exe
File opened for modification	\??\c:\Windows\fr-FR\bfsvc.exe.mui	cmd.exe
File opened for modification	\??\c:\Windows\inf\NETFRA~1\040C\corperfmonsymbols_D.ini	cmd.exe
File opened for modification	\??\c:\Windows\Help\mui\040C\certmgr.CHM	cmd.exe
File opened for modification	\??\c:\Windows\POLICY~1\es-ES\ActiveXInstallService.adml	cmd.exe
File opened for modification	\??\c:\Windows\MICROS~1.NET\FRAMEW~2\V20~1.507\fr\Microsoft.Build.Tasks.resources.dll	cmd.exe
File opened for modification	\??\c:\Windows\POLICY~1\fr-FR\MediaCenter.adml	cmd.exe
File opened for modification	\??\c:\Windows\Cursors\size1_im.cur	cmd.exe
File opened for modification	\??\c:\Windows\Help\Windows\ja-JP\artcon2.h1s	cmd.exe
File opened for modification	\??\c:\Windows\POLICY~1\de-DE\MediaCenter.adml	cmd.exe
File opened for modification	\??\c:\Windows\SERVIC~1\Packages\MI628D~1.CAT	cmd.exe
File opened for modification	\??\c:\Windows\ehome\ehrecvr.exe	cmd.exe
File opened for modification	\??\c:\Windows\Help\Windows\fr-FR\shgloss.h1s	cmd.exe
File opened for modification	\??\c:\Windows\POLICY~1\fr-FR\DnsClient.adml	cmd.exe
File opened for modification	\??\c:\Windows\Fonts\sserifee.fon	cmd.exe
File opened for modification	\??\c:\Windows\POLICY~1\it-IT\Conf.adml	cmd.exe
File opened for modification	\??\c:\Windows\SERVIC~1\Packages\WI235E~1.MUM	cmd.exe
File opened for modification	\??\c:\Windows\DIAGNO~1\system\AERO\es-ES\CL_LocalizationData.psd1	cmd.exe
File opened for modification	\??\c:\Windows\MICROS~1.NET\FRAMEW~1\v3.0\WINDOW~1\es\Microsoft.Transactions.Bridge.Dtc.Resources.dll	cmd.exe
File opened for modification	\??\c:\Windows\ehome\Mcx2Prov.exe	cmd.exe
File opened for modification	\??\c:\Windows\Media\Windows Startup.wav	cmd.exe
File opened for modification	\??\c:\Windows\MICROS~1.NET\FRAMEW~1\V20~1.507\1041\vbc7ui.dll	cmd.exe
File opened for modification	\??\c:\Windows\MICROS~1.NET\FRAMEW~1\V20~1.507\es\System.DirectoryServices.Resources.dll	cmd.exe
File opened for modification	\??\c:\Windows\SERVIC~1\Packages\MI69D8~1.CAT	cmd.exe
File opened for modification	\??\c:\Windows\Media\Savanna\Windows Exclamation.wav	cmd.exe
File opened for modification	\??\c:\Windows\Media\CALLIG~1\Windows Default.wav	cmd.exe
File opened for modification	\??\c:\Windows\MICROS~1.NET\FRAMEW~2\V20~1.507\it\Microsoft.VisualBasic.Resources.dll	cmd.exe
File opened for modification	\??\c:\Windows\SERVIC~1\Packages\MI986C~1.MUM	cmd.exe
File opened for modification	\??\c:\Windows\Cursors\move_l.cur	cmd.exe
File opened for modification	\??\c:\Windows\Speech\Engines\SR\ja-JP\am031041.am	cmd.exe
File opened for modification	\??\c:\Windows\en-US\winhlp32.exe.mui	cmd.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\syncthing-windows-amd64-v1.27.10.zip
1⤵
PID:2336

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Drops file in Drivers directory
- Deletes itself
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads