afaf9770608b7ba29f183586c580fc8093a2efdd68febff71122ac41cedae49d

Analysis

max time kernel
141s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NETFLIX Checker Account By X-KILLER/NETFLIX Checker Account By X-KILLER.exe
Size

1.3MB
MD5

89f4a57b13570e7493112ef54ad3196e
SHA1

22f39b91fc4172194877927dfbfa31a10057ce8f
SHA256

d8bfdcac9ac53a9d4fdcb9b04fa5a33e06db1df062888317302afaf21f17eaa2
SHA512

73e5931cd03bff77a9b4b77b943a4ac4fcc26dc49707c349e1a4bd03e317ea99ef0171e8f9906275cc25e803449cd14549363c7a6b74c76c6f3a1166caf3ed77
SSDEEP

24576:CnsJ39LyjbJkQFMhmC+6GD9Lyq4CeZTdp4ZJSK2i+n9B5t0Agv:CnsHyjtk2MYC5GDpF4ldezSPFn1OAG

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2540	._cache_NETFLIX Checker Account By X-KILLER.exe
1492	Synaptics.exe
2976	._cache_Synaptics.exe

Loads dropped DLL 7 IoCs

pid	Process
2068	NETFLIX Checker Account By X-KILLER.exe
2068	NETFLIX Checker Account By X-KILLER.exe
2068	NETFLIX Checker Account By X-KILLER.exe
1492	Synaptics.exe
1492	Synaptics.exe
2540	._cache_NETFLIX Checker Account By X-KILLER.exe
2976	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	NETFLIX Checker Account By X-KILLER.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NETFLIX Checker Account By X-KILLER.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1428	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2540	._cache_NETFLIX Checker Account By X-KILLER.exe
2540	._cache_NETFLIX Checker Account By X-KILLER.exe
2540	._cache_NETFLIX Checker Account By X-KILLER.exe
2976	._cache_Synaptics.exe
2540	._cache_NETFLIX Checker Account By X-KILLER.exe
2540	._cache_NETFLIX Checker Account By X-KILLER.exe
2976	._cache_Synaptics.exe
2976	._cache_Synaptics.exe
2540	._cache_NETFLIX Checker Account By X-KILLER.exe
2540	._cache_NETFLIX Checker Account By X-KILLER.exe
2540	._cache_NETFLIX Checker Account By X-KILLER.exe
2540	._cache_NETFLIX Checker Account By X-KILLER.exe
2540	._cache_NETFLIX Checker Account By X-KILLER.exe
2976	._cache_Synaptics.exe
2540	._cache_NETFLIX Checker Account By X-KILLER.exe
2976	._cache_Synaptics.exe
2540	._cache_NETFLIX Checker Account By X-KILLER.exe
2976	._cache_Synaptics.exe
2540	._cache_NETFLIX Checker Account By X-KILLER.exe
2976	._cache_Synaptics.exe
2540	._cache_NETFLIX Checker Account By X-KILLER.exe
2976	._cache_Synaptics.exe
2540	._cache_NETFLIX Checker Account By X-KILLER.exe
2976	._cache_Synaptics.exe
2540	._cache_NETFLIX Checker Account By X-KILLER.exe
2976	._cache_Synaptics.exe
2976	._cache_Synaptics.exe
2976	._cache_Synaptics.exe
2976	._cache_Synaptics.exe
2976	._cache_Synaptics.exe
2976	._cache_Synaptics.exe
2976	._cache_Synaptics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2540	._cache_NETFLIX Checker Account By X-KILLER.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2540	._cache_NETFLIX Checker Account By X-KILLER.exe
2976	._cache_Synaptics.exe
1428	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2540	2068	NETFLIX Checker Account By X-KILLER.exe	31
PID 2068 wrote to memory of 2540	2068	NETFLIX Checker Account By X-KILLER.exe	31
PID 2068 wrote to memory of 2540	2068	NETFLIX Checker Account By X-KILLER.exe	31
PID 2068 wrote to memory of 2540	2068	NETFLIX Checker Account By X-KILLER.exe	31
PID 2068 wrote to memory of 1492	2068	NETFLIX Checker Account By X-KILLER.exe	32
PID 2068 wrote to memory of 1492	2068	NETFLIX Checker Account By X-KILLER.exe	32
PID 2068 wrote to memory of 1492	2068	NETFLIX Checker Account By X-KILLER.exe	32
PID 2068 wrote to memory of 1492	2068	NETFLIX Checker Account By X-KILLER.exe	32
PID 1492 wrote to memory of 2976	1492	Synaptics.exe	33
PID 1492 wrote to memory of 2976	1492	Synaptics.exe	33
PID 1492 wrote to memory of 2976	1492	Synaptics.exe	33
PID 1492 wrote to memory of 2976	1492	Synaptics.exe	33

C:\Users\Admin\AppData\Local\Temp\NETFLIX Checker Account By X-KILLER\NETFLIX Checker Account By X-KILLER.exe
"C:\Users\Admin\AppData\Local\Temp\NETFLIX Checker Account By X-KILLER\NETFLIX Checker Account By X-KILLER.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\NETFLIX Checker Account By X-KILLER\._cache_NETFLIX Checker Account By X-KILLER.exe
  "C:\Users\Admin\AppData\Local\Temp\NETFLIX Checker Account By X-KILLER\._cache_NETFLIX Checker Account By X-KILLER.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2540
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Users\Admin\AppData\Local\Temp\NETFLIX Checker Account By X-KILLER\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\NETFLIX Checker Account By X-KILLER\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2976

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.3MB

MD5
89f4a57b13570e7493112ef54ad3196e

SHA1
22f39b91fc4172194877927dfbfa31a10057ce8f

SHA256
d8bfdcac9ac53a9d4fdcb9b04fa5a33e06db1df062888317302afaf21f17eaa2

SHA512
73e5931cd03bff77a9b4b77b943a4ac4fcc26dc49707c349e1a4bd03e317ea99ef0171e8f9906275cc25e803449cd14549363c7a6b74c76c6f3a1166caf3ed77

Download Submit
C:\Users\Admin\AppData\Local\Temp\GaTKZPPe.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\GaTKZPPe.xlsm

Filesize
24KB

MD5
7fb8706f1e6ece60fe1e83fa99360de7

SHA1
c6f70413a8da42e90b9794876e34abf9b0ef42da

SHA256
e8e8199f98366e6ce0754cb2e25205604b4b1f8952721778e1c2a9dc0ec7c365

SHA512
03656140048fc3277d31e1fc57c1e040aa71f826317f217366d1f885038561d50b10291a8efa0adf56a3bbcf44d3b1291a285ec9e05b375a42c12635787683bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\GaTKZPPe.xlsm

Filesize
31KB

MD5
d3054ae1569d809eac61d2b42c011f46

SHA1
fcc8e5f1bc409ca33e5279e24055c97df7026d4a

SHA256
c1a37289061d68b9cc002d5a430e52b945173cf29dafccb6d33e0fc1522b2f9a

SHA512
2de113665d8272685ab40ec41914a193a96659080aa6c30b71446ef60f9aa320edaa3cb07b409fcfa16c4434e7fc22ef97b1ced2dad75eb1b7b8addcafead811

Download Submit
C:\Users\Admin\AppData\Local\Temp\GaTKZPPe.xlsm

Filesize
26KB

MD5
372f3d0db76a331f5f213d10f2286afb

SHA1
86500972b5e641c4268adbe6fd5e7969fb636f1d

SHA256
1da6976d4aa6204c2c2ca45343f588666cea98573d4705c03df6207612047b8b

SHA512
4ac44d067d53a7177ac007296469fb033f87a1d667abec7ed8fd94f506f1a93fef0a8849c460c56384270ef04f8949eeba6315ebd9195bd31cec2ea6edfa1df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GaTKZPPe.xlsm

Filesize
26KB

MD5
ab2a16c4e427f4350abf937348593f65

SHA1
1f7a88017549efeef1c34bcd4b1567f8d1efe880

SHA256
6fa01a2d60ec3b073c32e4bb1e2b692a8812ec2096d99b68360eeb737e66ea90

SHA512
91b795f4debf5150aa72d454871423f9e2cb49f25e61165b71551e90938d51d98df554202389a96007b223acdb61d3af1e6c71a962898d645525d51ee64a6cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~$GaTKZPPe.xlsm

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\SkinSoft\VisualStyler\2.3.5.0\x64\ssapihook.dll

Filesize
66KB

MD5
c74d260d388f5ac3d95d8c1c3a27c989

SHA1
5da009086036004a7c670d608d5e1e923aead568

SHA256
dc1bebb8ce88d59e4b3130c1ff2c4b7f5df2701c7a71b476b8a6f2ed541db628

SHA512
6460db8f73806017d267c0e4e112902956a3bc53853c6a893cff66fe44772305b2c158ef8b58e993806d713aceaddcf2efa7ccf625063678444d3fd20b10546a

Download Submit
\Users\Admin\AppData\Local\Temp\NETFLIX Checker Account By X-KILLER\._cache_NETFLIX Checker Account By X-KILLER.exe

Filesize
538KB

MD5
867f1fbc0a5d89a100d4fe867fa4b34f

SHA1
a41eb575ac101f0954d074932eebcd916ce0023b

SHA256
e22c7f85f00cc4a5219d23ead9ae28897ebea30d09b39387456c1f4fd4541ce5

SHA512
6e71eae56d521d0f62abf605f7181bee429e878aa96853e8e95e0512bb2f5a1c93191ab9afbaf3409d61f78ee4decb6581c7764daaa53bc35ad4c1c77b9ecbfa

Download Submit
memory/1428-101-0x0000000000330000-0x0000000000430000-memory.dmp

Filesize
1024KB

Download
memory/1428-92-0x0000000000330000-0x0000000000430000-memory.dmp

Filesize
1024KB

Download
memory/1428-75-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1428-83-0x0000000000330000-0x0000000000430000-memory.dmp

Filesize
1024KB

Download
memory/1428-94-0x0000000000330000-0x0000000000430000-memory.dmp

Filesize
1024KB

Download
memory/1428-95-0x0000000000330000-0x0000000000430000-memory.dmp

Filesize
1024KB

Download
memory/1428-96-0x0000000000330000-0x0000000000430000-memory.dmp

Filesize
1024KB

Download
memory/1428-97-0x0000000000330000-0x0000000000430000-memory.dmp

Filesize
1024KB

Download
memory/1428-98-0x0000000000330000-0x0000000000430000-memory.dmp

Filesize
1024KB

Download
memory/1428-78-0x0000000000330000-0x0000000000430000-memory.dmp

Filesize
1024KB

Download
memory/1428-99-0x0000000000330000-0x0000000000430000-memory.dmp

Filesize
1024KB

Download
memory/1428-79-0x0000000000330000-0x0000000000430000-memory.dmp

Filesize
1024KB

Download
memory/1428-93-0x0000000000330000-0x0000000000430000-memory.dmp

Filesize
1024KB

Download
memory/1428-90-0x0000000000330000-0x0000000000430000-memory.dmp

Filesize
1024KB

Download
memory/1428-100-0x0000000000330000-0x0000000000430000-memory.dmp

Filesize
1024KB

Download
memory/1428-151-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1428-91-0x0000000000330000-0x0000000000430000-memory.dmp

Filesize
1024KB

Download
memory/1428-80-0x0000000000330000-0x0000000000430000-memory.dmp

Filesize
1024KB

Download
memory/1428-81-0x0000000000330000-0x0000000000430000-memory.dmp

Filesize
1024KB

Download
memory/1428-82-0x0000000000330000-0x0000000000430000-memory.dmp

Filesize
1024KB

Download
memory/1428-84-0x0000000000330000-0x0000000000430000-memory.dmp

Filesize
1024KB

Download
memory/1428-85-0x0000000000330000-0x0000000000430000-memory.dmp

Filesize
1024KB

Download
memory/1428-86-0x0000000000330000-0x0000000000430000-memory.dmp

Filesize
1024KB

Download
memory/1428-87-0x0000000000330000-0x0000000000430000-memory.dmp

Filesize
1024KB

Download
memory/1428-88-0x0000000000330000-0x0000000000430000-memory.dmp

Filesize
1024KB

Download
memory/1428-89-0x0000000000330000-0x0000000000430000-memory.dmp

Filesize
1024KB

Download
memory/1492-74-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1492-155-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/1492-152-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2068-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2068-20-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2540-49-0x0000000002160000-0x0000000002161000-memory.dmp

Filesize
4KB

Download
memory/2540-54-0x000000001A8D0000-0x000000001A8D1000-memory.dmp

Filesize
4KB

Download
memory/2540-21-0x00000000002D0000-0x000000000035C000-memory.dmp

Filesize
560KB

Download
memory/2540-29-0x0000000002300000-0x00000000023AE000-memory.dmp

Filesize
696KB

Download
memory/2540-33-0x0000000000250000-0x0000000000274000-memory.dmp

Filesize
144KB

Download
memory/2540-66-0x000007FE7BCB0000-0x000007FE7BCB1000-memory.dmp

Filesize
4KB

Download
memory/2540-34-0x0000000000140000-0x0000000000146000-memory.dmp

Filesize
24KB

Download
memory/2540-64-0x000007FE7BCA0000-0x000007FE7BCA1000-memory.dmp

Filesize
4KB

Download
memory/2540-40-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2540-62-0x000007FE7BC70000-0x000007FE7BC71000-memory.dmp

Filesize
4KB

Download
memory/2540-41-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/2540-60-0x000000001B160000-0x000000001B161000-memory.dmp

Filesize
4KB

Download
memory/2540-44-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/2540-58-0x000000001AEE0000-0x000000001AEE1000-memory.dmp

Filesize
4KB

Download
memory/2540-45-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/2540-56-0x000000001AED0000-0x000000001AED1000-memory.dmp

Filesize
4KB

Download
memory/2540-48-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/2540-50-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/2540-51-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/2540-52-0x000000001A8C0000-0x000000001A8C1000-memory.dmp

Filesize
4KB

Download
memory/2976-53-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/2976-70-0x000000001AAD0000-0x000000001AAD1000-memory.dmp

Filesize
4KB

Download
memory/2976-55-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/2976-47-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/2976-46-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2976-57-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/2976-59-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/2976-61-0x000000001A890000-0x000000001A891000-memory.dmp

Filesize
4KB

Download
memory/2976-63-0x000000001A8A0000-0x000000001A8A1000-memory.dmp

Filesize
4KB

Download
memory/2976-35-0x000000001B3B0000-0x000000001B4A8000-memory.dmp

Filesize
992KB

Download
memory/2976-65-0x000000001A8B0000-0x000000001A8B1000-memory.dmp

Filesize
4KB

Download
memory/2976-67-0x000000001A8C0000-0x000000001A8C1000-memory.dmp

Filesize
4KB

Download
memory/2976-32-0x0000000000830000-0x00000000008BC000-memory.dmp

Filesize
560KB

Download
memory/2976-68-0x000000001AAB0000-0x000000001AAB1000-memory.dmp

Filesize
4KB

Download
memory/2976-69-0x000000001AAC0000-0x000000001AAC1000-memory.dmp

Filesize
4KB

Download