xred | a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
09-11-2024 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
Size

4.9MB
MD5

6742e83960e0d52f80c5b3a568d46d00
SHA1

3bc31e5e4e877228ee51cf7a39a0c9172ff0bf41
SHA256

a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77
SHA512

8316fd3ef98d95b59118f6dbdb9d5cdc8d31fdd405a7f4ce377ee2e182174c69564d295582b086bfdb61f9282cfd149cf9cd61b89e2de62a6ca549bab10397f5
SSDEEP

98304:fP5ZVnOwOdoqUiChfM1cwvCYP5ZVnOwOdoqUiChfM1cwvCr:5ZVn0RUF72LZVn0RUF72S

Score

10^/10

xred backdoor discovery execution persistence upx

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2820 powershell.exe
856 powershell.exe

pid	process
2820	powershell.exe
856	powershell.exe

Executes dropped EXE 4 IoCs

Processes:

._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exeSynaptics.exeSynaptics.exe._cache_Synaptics.exe

pid	process
2792	._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
572	Synaptics.exe
1632	Synaptics.exe
2308	._cache_Synaptics.exe

Loads dropped DLL 4 IoCs

Processes:

a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exeSynaptics.exe

pid	process
2720	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
2720	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
1632	Synaptics.exe
1632	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe

AutoIT Executable 10 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/2792-50-0x00000000001A0000-0x0000000000364000-memory.dmp	autoit_exe
behavioral1/memory/2792-59-0x00000000001A0000-0x0000000000364000-memory.dmp	autoit_exe
behavioral1/memory/2792-60-0x00000000001A0000-0x0000000000364000-memory.dmp	autoit_exe
behavioral1/memory/2308-97-0x0000000000F30000-0x00000000010F4000-memory.dmp	autoit_exe
behavioral1/memory/2308-144-0x0000000000F30000-0x00000000010F4000-memory.dmp	autoit_exe
behavioral1/memory/2792-145-0x00000000001A0000-0x0000000000364000-memory.dmp	autoit_exe
behavioral1/memory/2792-149-0x00000000001A0000-0x0000000000364000-memory.dmp	autoit_exe
behavioral1/memory/2792-152-0x00000000001A0000-0x0000000000364000-memory.dmp	autoit_exe
behavioral1/memory/2792-183-0x00000000001A0000-0x0000000000364000-memory.dmp	autoit_exe
behavioral1/memory/2792-185-0x00000000001A0000-0x0000000000364000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exeSynaptics.exe

description	pid	process	target process
PID 2932 set thread context of 2720	2932	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
PID 572 set thread context of 1632	572	Synaptics.exe	Synaptics.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	upx
behavioral1/memory/2792-50-0x00000000001A0000-0x0000000000364000-memory.dmp	upx
behavioral1/memory/2720-48-0x0000000004AC0000-0x0000000004C84000-memory.dmp	upx
behavioral1/memory/2792-59-0x00000000001A0000-0x0000000000364000-memory.dmp	upx
behavioral1/memory/2792-60-0x00000000001A0000-0x0000000000364000-memory.dmp	upx
behavioral1/memory/2308-97-0x0000000000F30000-0x00000000010F4000-memory.dmp	upx
behavioral1/memory/2308-144-0x0000000000F30000-0x00000000010F4000-memory.dmp	upx
behavioral1/memory/2792-145-0x00000000001A0000-0x0000000000364000-memory.dmp	upx
behavioral1/memory/2792-149-0x00000000001A0000-0x0000000000364000-memory.dmp	upx
behavioral1/memory/2792-152-0x00000000001A0000-0x0000000000364000-memory.dmp	upx
behavioral1/memory/2792-183-0x00000000001A0000-0x0000000000364000-memory.dmp	upx
behavioral1/memory/2792-185-0x00000000001A0000-0x0000000000364000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exeschtasks.exe._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exeSynaptics.exepowershell.exeSynaptics.exe._cache_Synaptics.exeEXCEL.EXEpowershell.exea0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

NTFS ADS 1 IoCs

Processes:

._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\root\SecurityCenter2	._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2904 schtasks.exe
2176 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1424 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exepowershell.exe

pid process

2820 powershell.exe
2792 ._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
856 powershell.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe

pid process

2792 ._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2820 powershell.exe
Token: SeDebugPrivilege 856 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid process

1424 EXCEL.EXE

pid	process
2904	schtasks.exe
2176	schtasks.exe

pid	process
1424	EXCEL.EXE

pid	process
2820	powershell.exe
2792	._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
856	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	856	powershell.exe

pid	process
1424	EXCEL.EXE

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exea0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exeSynaptics.exeSynaptics.exe

description	pid	process	target process
PID 2932 wrote to memory of 2820	2932	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	powershell.exe
PID 2932 wrote to memory of 2820	2932	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	powershell.exe
PID 2932 wrote to memory of 2820	2932	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	powershell.exe
PID 2932 wrote to memory of 2820	2932	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	powershell.exe
PID 2932 wrote to memory of 2904	2932	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	schtasks.exe
PID 2932 wrote to memory of 2904	2932	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	schtasks.exe
PID 2932 wrote to memory of 2904	2932	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	schtasks.exe
PID 2932 wrote to memory of 2904	2932	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	schtasks.exe
PID 2932 wrote to memory of 2720	2932	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
PID 2932 wrote to memory of 2720	2932	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
PID 2932 wrote to memory of 2720	2932	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
PID 2932 wrote to memory of 2720	2932	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
PID 2932 wrote to memory of 2720	2932	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
PID 2932 wrote to memory of 2720	2932	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
PID 2932 wrote to memory of 2720	2932	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
PID 2932 wrote to memory of 2720	2932	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
PID 2932 wrote to memory of 2720	2932	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
PID 2932 wrote to memory of 2720	2932	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
PID 2932 wrote to memory of 2720	2932	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
PID 2932 wrote to memory of 2720	2932	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
PID 2720 wrote to memory of 2792	2720	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
PID 2720 wrote to memory of 2792	2720	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
PID 2720 wrote to memory of 2792	2720	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
PID 2720 wrote to memory of 2792	2720	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
PID 2720 wrote to memory of 572	2720	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	Synaptics.exe
PID 2720 wrote to memory of 572	2720	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	Synaptics.exe
PID 2720 wrote to memory of 572	2720	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	Synaptics.exe
PID 2720 wrote to memory of 572	2720	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	Synaptics.exe
PID 572 wrote to memory of 856	572	Synaptics.exe	powershell.exe
PID 572 wrote to memory of 856	572	Synaptics.exe	powershell.exe
PID 572 wrote to memory of 856	572	Synaptics.exe	powershell.exe
PID 572 wrote to memory of 856	572	Synaptics.exe	powershell.exe
PID 572 wrote to memory of 2176	572	Synaptics.exe	schtasks.exe
PID 572 wrote to memory of 2176	572	Synaptics.exe	schtasks.exe
PID 572 wrote to memory of 2176	572	Synaptics.exe	schtasks.exe
PID 572 wrote to memory of 2176	572	Synaptics.exe	schtasks.exe
PID 572 wrote to memory of 1632	572	Synaptics.exe	Synaptics.exe
PID 572 wrote to memory of 1632	572	Synaptics.exe	Synaptics.exe
PID 572 wrote to memory of 1632	572	Synaptics.exe	Synaptics.exe
PID 572 wrote to memory of 1632	572	Synaptics.exe	Synaptics.exe
PID 572 wrote to memory of 1632	572	Synaptics.exe	Synaptics.exe
PID 572 wrote to memory of 1632	572	Synaptics.exe	Synaptics.exe
PID 572 wrote to memory of 1632	572	Synaptics.exe	Synaptics.exe
PID 572 wrote to memory of 1632	572	Synaptics.exe	Synaptics.exe
PID 572 wrote to memory of 1632	572	Synaptics.exe	Synaptics.exe
PID 572 wrote to memory of 1632	572	Synaptics.exe	Synaptics.exe
PID 572 wrote to memory of 1632	572	Synaptics.exe	Synaptics.exe
PID 572 wrote to memory of 1632	572	Synaptics.exe	Synaptics.exe
PID 1632 wrote to memory of 2308	1632	Synaptics.exe	._cache_Synaptics.exe
PID 1632 wrote to memory of 2308	1632	Synaptics.exe	._cache_Synaptics.exe
PID 1632 wrote to memory of 2308	1632	Synaptics.exe	._cache_Synaptics.exe
PID 1632 wrote to memory of 2308	1632	Synaptics.exe	._cache_Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
"C:\Users\Admin\AppData\Local\Temp\a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YlHxWzZtqvwE.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YlHxWzZtqvwE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB673.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2904
- C:\Users\Admin\AppData\Local\Temp\a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
  "C:\Users\Admin\AppData\Local\Temp\a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2792
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:572
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YlHxWzZtqvwE.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:856
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YlHxWzZtqvwE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF1FD.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2176
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1632
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2308

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
4.9MB

MD5
6742e83960e0d52f80c5b3a568d46d00

SHA1
3bc31e5e4e877228ee51cf7a39a0c9172ff0bf41

SHA256
a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77

SHA512
8316fd3ef98d95b59118f6dbdb9d5cdc8d31fdd405a7f4ce377ee2e182174c69564d295582b086bfdb61f9282cfd149cf9cd61b89e2de62a6ca549bab10397f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nRNL7s7X.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nRNL7s7X.xlsm

Filesize
22KB

MD5
b0fd460d8f2cee7fb6597b86c5ab7dfb

SHA1
a1a47d52c5badb118c624dbfa351923a73270cd6

SHA256
bced8ddb93c54144a378aa4285309e27746d418a506077fa77415ee743cc4c39

SHA512
3243222e91abbda47c4af7059a94ed1dd3d23b6fbe3282a5fd5740130722bf84b4bbda91c76280009ffc277c2be2bba92a201d47e606d347c4203021b37444c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB673.tmp

Filesize
1KB

MD5
ad5a2b7076593e3b452999c6e57aebf3

SHA1
e32f7db14cc3a585153d6bfb72e051d3fb41284c

SHA256
1b596ebfbcfac76248ab829ca27654e781e7d20f2ad9ae80ac46cd81685ceecb

SHA512
19e63ee0ccb9dbe6eef834c416b1ff95d806e683602068a2a5837f7d0670f519d488375504c2b205275b9ca611cac9b5b31544ba85fc53070c35fc70cc05bdc4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
d342aadf00b3ee91f814a9ef49a0952f

SHA1
ade55a1f51d3e571de5fed0ffb552994a527f38e

SHA256
2f7874d03c70b9d11c3b2aa06b2ff0a3aae0b1975ec22416bec7dcd546584793

SHA512
814df53b9884a3f543de93b19d9cfb27c314d1cba16fb99f63867d2a0836147d6cd848eda487fb82f1f90421dda97df8ddb8b1b0203123c92f2a7670b03d477f

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe

Filesize
808KB

MD5
c034089f99b9eaf0da25e21400b6b8a5

SHA1
0b4b67813258f9ce7d194501607a5c5614edba2d

SHA256
f99fd3de760f23f1c7aa83129e351b3666ee28d53876ed76f940d7b46dd695aa

SHA512
1a3f904bde26153a9d50e3d93461d215ffcafa014bc74aade389981a15e48fe98c9841b932c2b920b07146d7d654b1ceb53b9ba9f0273977be484904c90f4fbb

Download Submit
memory/572-57-0x00000000012E0000-0x00000000017CA000-memory.dmp

Filesize
4.9MB

Download
memory/1424-98-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1632-147-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/1632-141-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/1632-142-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/1632-146-0x0000000004D70000-0x0000000004F34000-memory.dmp

Filesize
1.8MB

Download
memory/1632-96-0x0000000004D70000-0x0000000004F34000-memory.dmp

Filesize
1.8MB

Download
memory/1632-85-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/1632-182-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/1632-82-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2308-144-0x0000000000F30000-0x00000000010F4000-memory.dmp

Filesize
1.8MB

Download
memory/2308-97-0x0000000000F30000-0x00000000010F4000-memory.dmp

Filesize
1.8MB

Download
memory/2720-26-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/2720-25-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/2720-48-0x0000000004AC0000-0x0000000004C84000-memory.dmp

Filesize
1.8MB

Download
memory/2720-12-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/2720-29-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/2720-30-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/2720-14-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/2720-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2720-17-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/2720-20-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/2720-22-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/2792-60-0x00000000001A0000-0x0000000000364000-memory.dmp

Filesize
1.8MB

Download
memory/2792-145-0x00000000001A0000-0x0000000000364000-memory.dmp

Filesize
1.8MB

Download
memory/2792-50-0x00000000001A0000-0x0000000000364000-memory.dmp

Filesize
1.8MB

Download
memory/2792-185-0x00000000001A0000-0x0000000000364000-memory.dmp

Filesize
1.8MB

Download
memory/2792-59-0x00000000001A0000-0x0000000000364000-memory.dmp

Filesize
1.8MB

Download
memory/2792-183-0x00000000001A0000-0x0000000000364000-memory.dmp

Filesize
1.8MB

Download
memory/2792-152-0x00000000001A0000-0x0000000000364000-memory.dmp

Filesize
1.8MB

Download
memory/2792-149-0x00000000001A0000-0x0000000000364000-memory.dmp

Filesize
1.8MB

Download
memory/2932-1-0x0000000001070000-0x000000000155A000-memory.dmp

Filesize
4.9MB

Download
memory/2932-6-0x0000000005FB0000-0x000000000617C000-memory.dmp

Filesize
1.8MB

Download
memory/2932-5-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download
memory/2932-2-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download
memory/2932-4-0x00000000748CE000-0x00000000748CF000-memory.dmp

Filesize
4KB

Download
memory/2932-3-0x0000000000B00000-0x0000000000B18000-memory.dmp

Filesize
96KB

Download
memory/2932-33-0x00000000748C0000-0x0000000074FAE000-memory.dmp

Filesize
6.9MB

Download
memory/2932-0-0x00000000748CE000-0x00000000748CF000-memory.dmp

Filesize
4KB

Download