gh0strat | ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-11-2024 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
Size

6.4MB
MD5

8e332e917f3d6c75acc6a7bccc89bf7b
SHA1

b8d85ffc16bcf890e7dd04f0001b2c086d97d24e
SHA256

ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d
SHA512

5f1ebad01ab356be07aed2abc1873e54f09e1a03623f06dd50f67c5d87a2624a641b8b18eacaa2991bf389004c7f363f5e8219f43870663ca047e944063e44bd
SSDEEP

196608:Q4yL7Ql90yZsnUHha87/2uARAucSAucUhDKu:oQ5Zxl7/2XAXaDb

Score

10^/10

gh0strat xred backdoor discovery macro persistence rat upx

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
\Windows\SysWOW64\259422502.bat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

look2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\svchcst\Parameters\ServiceDll = "C:\\Windows\\system32\\259422502.bat"	look2.exe

Suspicious Office macro 3 IoCs

Office document equipped with macros.

macro

Processes:

resource
C:\Users\Admin\AppData\Local\Temp\eIOzeaIb.xlsm
C:\Users\Admin\AppData\Local\Temp\eIOzeaIb.xlsm
C:\Users\Admin\AppData\Local\Temp\eIOzeaIb.xlsm

Executes dropped EXE 6 IoCs

Processes:

look2.exeHD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exeSynaptics.exe._cache_Synaptics.exesvchcst.exe

pid	process
1812	look2.exe
2784	HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
2788	Synaptics.exe
2256	._cache_Synaptics.exe
560	svchcst.exe

Loads dropped DLL 15 IoCs

Processes:

ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exelook2.exesvchost.exeHD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exeSynaptics.exesvchcst.exe

pid	process
2320	ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
1812	look2.exe
2292	svchost.exe
2320	ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
2320	ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
2784	HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
2784	HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
2784	HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
2784	HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
2784	HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
2788	Synaptics.exe
2788	Synaptics.exe
2788	Synaptics.exe
2292	svchost.exe
560	svchcst.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe

Drops file in System32 directory 4 IoCs

Processes:

svchost.exelook2.exe

description	ioc	process
File created	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchcst.exe	svchost.exe
File created	C:\Windows\SysWOW64\259422502.bat	look2.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	look2.exe

UPX packed file 39 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe	upx
behavioral1/memory/2336-100-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2336-98-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2336-96-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2336-94-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2336-92-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2336-90-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2336-88-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2336-86-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2336-84-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2336-82-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2336-80-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2336-78-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2336-76-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2336-74-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2336-72-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2336-101-0x0000000000400000-0x00000000008CB000-memory.dmp	upx
behavioral1/memory/2336-70-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2336-68-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2336-66-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2336-64-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2336-62-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2336-60-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2336-59-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2336-56-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2256-168-0x0000000000400000-0x00000000008CB000-memory.dmp	upx
behavioral1/memory/2256-143-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2256-141-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2256-139-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2256-137-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2256-135-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2256-133-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2256-131-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2256-129-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2256-127-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2256-126-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2788-125-0x0000000005B60000-0x000000000602B000-memory.dmp	upx
behavioral1/memory/2336-256-0x0000000000400000-0x00000000008CB000-memory.dmp	upx
behavioral1/memory/2256-259-0x0000000000400000-0x00000000008CB000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

Processes:

ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

svchost.exeSynaptics.exeEXCEL.EXElook2.exeHD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe._cache_Synaptics.exesvchcst.execa4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	look2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2332 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe

pid process

2320 ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
2332	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe._cache_Synaptics.exe

description	pid	process
Token: 33	2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
Token: SeIncBasePriorityPrivilege	2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
Token: 33	2256	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2256	._cache_Synaptics.exe
Token: 33	2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
Token: SeIncBasePriorityPrivilege	2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
Token: 33	2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
Token: SeIncBasePriorityPrivilege	2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
Token: 33	2256	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2256	._cache_Synaptics.exe
Token: 33	2256	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2256	._cache_Synaptics.exe
Token: 33	2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
Token: SeIncBasePriorityPrivilege	2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
Token: 33	2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
Token: SeIncBasePriorityPrivilege	2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
Token: 33	2256	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2256	._cache_Synaptics.exe
Token: 33	2256	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2256	._cache_Synaptics.exe
Token: 33	2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
Token: SeIncBasePriorityPrivilege	2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
Token: 33	2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
Token: SeIncBasePriorityPrivilege	2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
Token: 33	2256	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2256	._cache_Synaptics.exe
Token: 33	2256	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2256	._cache_Synaptics.exe
Token: 33	2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
Token: 33	2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
Token: SeIncBasePriorityPrivilege	2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
Token: SeIncBasePriorityPrivilege	2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
Token: 33	2256	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2256	._cache_Synaptics.exe
Token: 33	2256	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2256	._cache_Synaptics.exe
Token: 33	2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
Token: SeIncBasePriorityPrivilege	2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
Token: 33	2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
Token: SeIncBasePriorityPrivilege	2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
Token: 33	2256	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2256	._cache_Synaptics.exe
Token: 33	2256	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2256	._cache_Synaptics.exe
Token: 33	2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
Token: SeIncBasePriorityPrivilege	2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
Token: 33	2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
Token: SeIncBasePriorityPrivilege	2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
Token: 33	2256	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2256	._cache_Synaptics.exe
Token: 33	2256	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2256	._cache_Synaptics.exe
Token: 33	2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
Token: SeIncBasePriorityPrivilege	2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
Token: 33	2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
Token: SeIncBasePriorityPrivilege	2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
Token: 33	2256	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2256	._cache_Synaptics.exe
Token: 33	2256	._cache_Synaptics.exe
Token: SeIncBasePriorityPrivilege	2256	._cache_Synaptics.exe
Token: 33	2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
Token: SeIncBasePriorityPrivilege	2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
Token: 33	2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
Token: SeIncBasePriorityPrivilege	2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe._cache_Synaptics.exeEXCEL.EXE

pid	process
2320	ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
2320	ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
2336	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
2256	._cache_Synaptics.exe
2256	._cache_Synaptics.exe
2256	._cache_Synaptics.exe
2332	EXCEL.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exeHD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exeSynaptics.exesvchost.exe

description	pid	process	target process
PID 2320 wrote to memory of 1812	2320	ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe	look2.exe
PID 2320 wrote to memory of 1812	2320	ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe	look2.exe
PID 2320 wrote to memory of 1812	2320	ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe	look2.exe
PID 2320 wrote to memory of 1812	2320	ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe	look2.exe
PID 2320 wrote to memory of 2784	2320	ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe	HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
PID 2320 wrote to memory of 2784	2320	ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe	HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
PID 2320 wrote to memory of 2784	2320	ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe	HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
PID 2320 wrote to memory of 2784	2320	ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe	HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
PID 2784 wrote to memory of 2336	2784	HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
PID 2784 wrote to memory of 2336	2784	HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
PID 2784 wrote to memory of 2336	2784	HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
PID 2784 wrote to memory of 2336	2784	HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe	._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
PID 2784 wrote to memory of 2788	2784	HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe	Synaptics.exe
PID 2784 wrote to memory of 2788	2784	HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe	Synaptics.exe
PID 2784 wrote to memory of 2788	2784	HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe	Synaptics.exe
PID 2784 wrote to memory of 2788	2784	HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe	Synaptics.exe
PID 2788 wrote to memory of 2256	2788	Synaptics.exe	._cache_Synaptics.exe
PID 2788 wrote to memory of 2256	2788	Synaptics.exe	._cache_Synaptics.exe
PID 2788 wrote to memory of 2256	2788	Synaptics.exe	._cache_Synaptics.exe
PID 2788 wrote to memory of 2256	2788	Synaptics.exe	._cache_Synaptics.exe
PID 2292 wrote to memory of 560	2292	svchost.exe	svchcst.exe
PID 2292 wrote to memory of 560	2292	svchost.exe	svchcst.exe
PID 2292 wrote to memory of 560	2292	svchost.exe	svchcst.exe
PID 2292 wrote to memory of 560	2292	svchost.exe	svchcst.exe

C:\Users\Admin\AppData\Local\Temp\ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
"C:\Users\Admin\AppData\Local\Temp\ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\look2.exe
  C:\Users\Admin\AppData\Local\Temp\\look2.exe
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:1812
- C:\Users\Admin\AppData\Local\Temp\HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
  C:\Users\Admin\AppData\Local\Temp\HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Users\Admin\AppData\Local\Temp\._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2336
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2256

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
PID:2280

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchcst"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\SysWOW64\svchcst.exe
  C:\Windows\system32\svchcst.exe "c:\windows\system32\259422502.bat",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:560

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.2MB

MD5
c571f838e2d8712dc164e10202d2e804

SHA1
f9178df311c54de126c1b9d8a82db5e19a9dbd81

SHA256
d894014ff299db4dc489733c784fa71b6c6bcf6b4e19ca44409da97627e0aea5

SHA512
43255dd2be91e0c6b95c9fb304d123b3bd437eb766d37580b42cbc8f408db477bce7f420752a4a19077355debfe8095982c5d32b858f646f7fc0e8876a9e5fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIOzeaIb.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIOzeaIb.xlsm

Filesize
22KB

MD5
7a2ca9ac908358df1416f851886d17a0

SHA1
d0ad14a32b9b306edc27a1505b1882bdfde40a87

SHA256
a15b68aa267c21db2b13ae13de6106f3258197f03228d5c2162c850b96d5d874

SHA512
b93f0a034c87aeb038eae0c86a5e4e79cf5fca7028ea4f2c167b43fca97b4f51174995a91262a01f49ee879def4f6349d63a39da71b7b26eb3506c03c303100d

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIOzeaIb.xlsm

Filesize
23KB

MD5
5ee9e19e79e9e3861718dd6ea3d58313

SHA1
06346fe0b520facbd8496c120c4a2bb09faf88ef

SHA256
9042175e7bb6960af6ee1323b3fb19f08dcdc09a11fc77908cb5869d55026d43

SHA512
9fc321ffe488ec8872729b4ef06c9c4541bcf71a944c0c89bb15a4427f0e966b493f26119deb18108c3abc53c1c862cd35912ee590c031b13e97ccbccf89acde

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIOzeaIb.xlsm

Filesize
26KB

MD5
ae4e394d148a95c3dfebbec80421ac89

SHA1
4b2b06b2394ffc74df3bcb5e75704a6fd10f0b16

SHA256
8af3bceca02751df04ba60cf2913ee13bd137790f26e09ed0952a24ff40699b2

SHA512
9bd810902ead1bc58575ef727e74edac026fdfa89809553bf00dd7fe4bee078b85c485ef797436b73d2df7c56c850e4cd6cf4317e317ab9eb90c34e09ec4b8d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIOzeaIb.xlsm

Filesize
24KB

MD5
e6fdf984a07a5eb62b6526c235bb8f62

SHA1
21a552eccfacbe7fd740e5461de4158e8f61dca3

SHA256
df54390e3818dc07c0a3ea8433a976a58c0e096d0c7f32c429d9fe1f6c32e944

SHA512
8e80ac7f09d95ed0ff00425f42129faf0589b68535e5f292b4958e5e2804f364c885dce5b35fe683aa0fb22b8c33c16b1e2e7fc7f84c6114c19da5e6c1b76ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\look2.exe

Filesize
337KB

MD5
fb66e1e31fa1e6dfb21a50ccd11e0409

SHA1
6c45a0a115ec896eb14a531a44809b2a22cf8934

SHA256
5ea8c5455f0ebe884ed98834e78ead8b6c68814bbb1723370299fa44b88c0faa

SHA512
58ee149f70438296a67d5ae5cbd6cb9f5b2510a0381466b8f09eec3835be1ce7cad6903ca8fbc9273105132e85952208e78c59f776416c5449b86cc62111154b

Download Submit
C:\Users\Admin\Downloads\~$CompareClear.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
C:\Windows\SysWOW64\svchcst.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe

Filesize
4.4MB

MD5
a8b58b62400156169c08e476d49f93d5

SHA1
4e0fda6f2a04400834d9e627f2a1fba83a060bfe

SHA256
83010a66416ee369595a5cc25579ed4872821609c33a9899cd36ad7abc372af0

SHA512
310dca2b11792871f2788ed55ba0cc7e56fd01ff06d987d1ce92ea7a1b447b70be37408d18e1c83330c7634f690c3cffc5c095fac47bd40ddf7475d6dde5c2d9

Download Submit
\Users\Admin\AppData\Local\Temp\HD_ca4d39469bbf4c84ccee380d2cb03d15b7fbcb76e640b3714ffc15baf6a0145d.exe

Filesize
5.2MB

MD5
ead6353ec80c02989ad2e1bb1eee149c

SHA1
e9ae278b098f3bc7f42ef17043e34b83db5dcc2b

SHA256
19f47345fb52b753612911750f87dfc67b69887cf3e1154b6e2829390976e597

SHA512
06a0b27ce95cc21e5e92fba87590c62d38226fbe5fdfe43df2a3ad134ce8181ecc200a12fe1e575c2cd31a9192aace17183628cd0b92209f838915a3115e4dcd

Download Submit
\Windows\SysWOW64\259422502.bat

Filesize
51KB

MD5
2726b5ee09ddc8f443445a347b14186d

SHA1
7b8fb44a470b3c66393defe23a367120999c4046

SHA256
b767b73261c664e8a8e439593db291d31009d931033414b9ec75d3825a6ec520

SHA512
25349176b344830f2fb921bf5bceee938978b653119525fa423c2883392d07fa53cc7c890be09d597a06483a9d954e8b86642e1374fbbfbe4af1adccbb1885b6

Download Submit
memory/2256-127-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2256-259-0x0000000000400000-0x00000000008CB000-memory.dmp

Filesize
4.8MB

Download
memory/2256-126-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2256-168-0x0000000000400000-0x00000000008CB000-memory.dmp

Filesize
4.8MB

Download
memory/2256-129-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2256-131-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2256-133-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2256-135-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2256-137-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2256-139-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2256-141-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2256-143-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2336-86-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2336-76-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2336-256-0x0000000000400000-0x00000000008CB000-memory.dmp

Filesize
4.8MB

Download
memory/2336-62-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2336-60-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2336-59-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2336-100-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2336-56-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2336-66-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2336-98-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2336-68-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2336-70-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2336-101-0x0000000000400000-0x00000000008CB000-memory.dmp

Filesize
4.8MB

Download
memory/2336-72-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2336-74-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2336-64-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2336-78-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2336-80-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2336-82-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2336-84-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2336-96-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2336-88-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2336-90-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2336-92-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2336-94-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2784-58-0x0000000005C10000-0x00000000060DB000-memory.dmp

Filesize
4.8MB

Download
memory/2784-110-0x0000000000400000-0x0000000000933000-memory.dmp

Filesize
5.2MB

Download
memory/2784-54-0x0000000005C10000-0x00000000060DB000-memory.dmp

Filesize
4.8MB

Download
memory/2788-125-0x0000000005B60000-0x000000000602B000-memory.dmp

Filesize
4.8MB

Download
memory/2788-169-0x0000000005B60000-0x000000000602B000-memory.dmp

Filesize
4.8MB

Download
memory/2788-257-0x0000000005B60000-0x000000000602B000-memory.dmp

Filesize
4.8MB

Download