xred | a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77

Analysis

max time kernel
117s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2024 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
Size

4.9MB
MD5

6742e83960e0d52f80c5b3a568d46d00
SHA1

3bc31e5e4e877228ee51cf7a39a0c9172ff0bf41
SHA256

a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77
SHA512

8316fd3ef98d95b59118f6dbdb9d5cdc8d31fdd405a7f4ce377ee2e182174c69564d295582b086bfdb61f9282cfd149cf9cd61b89e2de62a6ca549bab10397f5
SSDEEP

98304:fP5ZVnOwOdoqUiChfM1cwvCYP5ZVnOwOdoqUiChfM1cwvCr:5ZVn0RUF72LZVn0RUF72S

Score

10^/10

xred backdoor discovery execution persistence upx

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

3200 powershell.exe
4416 powershell.exe

pid	process
3200	powershell.exe
4416	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exea0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exeSynaptics.exeSynaptics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 5 IoCs

Processes:

._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exeSynaptics.exeSynaptics.exeSynaptics.exe._cache_Synaptics.exe

pid	process
392	._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
1568	Synaptics.exe
1620	Synaptics.exe
3116	Synaptics.exe
4376	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe

AutoIT Executable 10 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/392-197-0x0000000000E60000-0x0000000001024000-memory.dmp	autoit_exe
behavioral2/memory/392-198-0x0000000000E60000-0x0000000001024000-memory.dmp	autoit_exe
behavioral2/memory/4376-290-0x0000000000770000-0x0000000000934000-memory.dmp	autoit_exe
behavioral2/memory/4376-305-0x0000000000770000-0x0000000000934000-memory.dmp	autoit_exe
behavioral2/memory/392-318-0x0000000000E60000-0x0000000001024000-memory.dmp	autoit_exe
behavioral2/memory/392-324-0x0000000000E60000-0x0000000001024000-memory.dmp	autoit_exe
behavioral2/memory/392-325-0x0000000000E60000-0x0000000001024000-memory.dmp	autoit_exe
behavioral2/memory/392-327-0x0000000000E60000-0x0000000001024000-memory.dmp	autoit_exe
behavioral2/memory/392-349-0x0000000000E60000-0x0000000001024000-memory.dmp	autoit_exe
behavioral2/memory/392-353-0x0000000000E60000-0x0000000001024000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exeSynaptics.exe

description	pid	process	target process
PID 936 set thread context of 4916	936	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
PID 1568 set thread context of 3116	1568	Synaptics.exe	Synaptics.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	upx
behavioral2/memory/392-102-0x0000000000E60000-0x0000000001024000-memory.dmp	upx
behavioral2/memory/392-197-0x0000000000E60000-0x0000000001024000-memory.dmp	upx
behavioral2/memory/392-198-0x0000000000E60000-0x0000000001024000-memory.dmp	upx
behavioral2/memory/4376-290-0x0000000000770000-0x0000000000934000-memory.dmp	upx
behavioral2/memory/4376-305-0x0000000000770000-0x0000000000934000-memory.dmp	upx
behavioral2/memory/392-318-0x0000000000E60000-0x0000000001024000-memory.dmp	upx
behavioral2/memory/392-324-0x0000000000E60000-0x0000000001024000-memory.dmp	upx
behavioral2/memory/392-325-0x0000000000E60000-0x0000000001024000-memory.dmp	upx
behavioral2/memory/392-327-0x0000000000E60000-0x0000000001024000-memory.dmp	upx
behavioral2/memory/392-349-0x0000000000E60000-0x0000000001024000-memory.dmp	upx
behavioral2/memory/392-353-0x0000000000E60000-0x0000000001024000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Synaptics.exeSynaptics.exe._cache_Synaptics.exea0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exepowershell.exeschtasks.exe._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exepowershell.exeschtasks.exea0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

Processes:

a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exeSynaptics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

NTFS ADS 1 IoCs

Processes:

._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\root\SecurityCenter2	._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

1116 schtasks.exe
1860 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

316 EXCEL.EXE

pid	process
1116	schtasks.exe
1860	schtasks.exe

pid	process
316	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exe._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exepowershell.exeSynaptics.exe

pid	process
4416	powershell.exe
4416	powershell.exe
392	._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
392	._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
3200	powershell.exe
1568	Synaptics.exe
1568	Synaptics.exe
3200	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe

pid process

392 ._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exeSynaptics.exe

description pid process

Token: SeDebugPrivilege 4416 powershell.exe
Token: SeDebugPrivilege 3200 powershell.exe
Token: SeDebugPrivilege 1568 Synaptics.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

EXCEL.EXE

pid process

316 EXCEL.EXE
316 EXCEL.EXE
316 EXCEL.EXE
316 EXCEL.EXE

description	pid	process
Token: SeDebugPrivilege	4416	powershell.exe
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeDebugPrivilege	1568	Synaptics.exe

pid	process
316	EXCEL.EXE
316	EXCEL.EXE
316	EXCEL.EXE
316	EXCEL.EXE

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exea0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exeSynaptics.exeSynaptics.exe

description	pid	process	target process
PID 936 wrote to memory of 4416	936	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	powershell.exe
PID 936 wrote to memory of 4416	936	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	powershell.exe
PID 936 wrote to memory of 4416	936	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	powershell.exe
PID 936 wrote to memory of 1116	936	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	schtasks.exe
PID 936 wrote to memory of 1116	936	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	schtasks.exe
PID 936 wrote to memory of 1116	936	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	schtasks.exe
PID 936 wrote to memory of 4916	936	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
PID 936 wrote to memory of 4916	936	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
PID 936 wrote to memory of 4916	936	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
PID 936 wrote to memory of 4916	936	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
PID 936 wrote to memory of 4916	936	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
PID 936 wrote to memory of 4916	936	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
PID 936 wrote to memory of 4916	936	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
PID 936 wrote to memory of 4916	936	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
PID 936 wrote to memory of 4916	936	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
PID 936 wrote to memory of 4916	936	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
PID 936 wrote to memory of 4916	936	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
PID 4916 wrote to memory of 392	4916	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
PID 4916 wrote to memory of 392	4916	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
PID 4916 wrote to memory of 392	4916	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
PID 4916 wrote to memory of 1568	4916	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	Synaptics.exe
PID 4916 wrote to memory of 1568	4916	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	Synaptics.exe
PID 4916 wrote to memory of 1568	4916	a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe	Synaptics.exe
PID 1568 wrote to memory of 3200	1568	Synaptics.exe	powershell.exe
PID 1568 wrote to memory of 3200	1568	Synaptics.exe	powershell.exe
PID 1568 wrote to memory of 3200	1568	Synaptics.exe	powershell.exe
PID 1568 wrote to memory of 1860	1568	Synaptics.exe	schtasks.exe
PID 1568 wrote to memory of 1860	1568	Synaptics.exe	schtasks.exe
PID 1568 wrote to memory of 1860	1568	Synaptics.exe	schtasks.exe
PID 1568 wrote to memory of 1620	1568	Synaptics.exe	Synaptics.exe
PID 1568 wrote to memory of 1620	1568	Synaptics.exe	Synaptics.exe
PID 1568 wrote to memory of 1620	1568	Synaptics.exe	Synaptics.exe
PID 1568 wrote to memory of 3116	1568	Synaptics.exe	Synaptics.exe
PID 1568 wrote to memory of 3116	1568	Synaptics.exe	Synaptics.exe
PID 1568 wrote to memory of 3116	1568	Synaptics.exe	Synaptics.exe
PID 1568 wrote to memory of 3116	1568	Synaptics.exe	Synaptics.exe
PID 1568 wrote to memory of 3116	1568	Synaptics.exe	Synaptics.exe
PID 1568 wrote to memory of 3116	1568	Synaptics.exe	Synaptics.exe
PID 1568 wrote to memory of 3116	1568	Synaptics.exe	Synaptics.exe
PID 1568 wrote to memory of 3116	1568	Synaptics.exe	Synaptics.exe
PID 1568 wrote to memory of 3116	1568	Synaptics.exe	Synaptics.exe
PID 1568 wrote to memory of 3116	1568	Synaptics.exe	Synaptics.exe
PID 1568 wrote to memory of 3116	1568	Synaptics.exe	Synaptics.exe
PID 3116 wrote to memory of 4376	3116	Synaptics.exe	._cache_Synaptics.exe
PID 3116 wrote to memory of 4376	3116	Synaptics.exe	._cache_Synaptics.exe
PID 3116 wrote to memory of 4376	3116	Synaptics.exe	._cache_Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
"C:\Users\Admin\AppData\Local\Temp\a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:936
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YlHxWzZtqvwE.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4416
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YlHxWzZtqvwE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC6BB.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1116
- C:\Users\Admin\AppData\Local\Temp\a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
  "C:\Users\Admin\AppData\Local\Temp\a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Users\Admin\AppData\Local\Temp\._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    PID:392
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1568
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YlHxWzZtqvwE.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3200
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YlHxWzZtqvwE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6C1.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1860
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Executes dropped EXE
      PID:1620
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3116
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4376

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
4.9MB

MD5
6742e83960e0d52f80c5b3a568d46d00

SHA1
3bc31e5e4e877228ee51cf7a39a0c9172ff0bf41

SHA256
a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77

SHA512
8316fd3ef98d95b59118f6dbdb9d5cdc8d31fdd405a7f4ce377ee2e182174c69564d295582b086bfdb61f9282cfd149cf9cd61b89e2de62a6ca549bab10397f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
18e21772f2dfd2fa51f13f35dfc062e0

SHA1
b1126bbe9fd398eab3c5fd192085c8dbe6d2244f

SHA256
f3bdbdf4b9b5b0bf8657149915d56200e7e370658dd32ac43ae1b5df605cbc8a

SHA512
0b9fe97b367803daffa32529ee0e78835f0a4d47c3247fcee3605ab3edd338e65533fcb1dad89b71defecffdb12f5f75fc87e5afe9a4ac9def29bedf834ccc86

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_a0d2f7f30bde664be9d9d7143c5b22540bc0866c3e3b53d663361c6877650d77N.exe

Filesize
808KB

MD5
c034089f99b9eaf0da25e21400b6b8a5

SHA1
0b4b67813258f9ce7d194501607a5c5614edba2d

SHA256
f99fd3de760f23f1c7aa83129e351b3666ee28d53876ed76f940d7b46dd695aa

SHA512
1a3f904bde26153a9d50e3d93461d215ffcafa014bc74aade389981a15e48fe98c9841b932c2b920b07146d7d654b1ceb53b9ba9f0273977be484904c90f4fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h0kmwniz.hek.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kjHEDegM.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC6BB.tmp

Filesize
1KB

MD5
77e9e987b6abf396f018e9c215a45208

SHA1
b2f76af24b6783eced749ac743d06e47d8aa19bd

SHA256
286da5856550b2fa2084ed11172b94cea6d04669927535bb54fb1841e09c74ff

SHA512
53d040bbab16d465112c17b21dba416e077f26f87d62c1e8ef9a737df7009ca9c8ff679eecd96157f8f2c3c52ffba35a3814a2b380a1136c98b1f21b20038987

Download Submit
memory/316-292-0x00007FFBD0C50000-0x00007FFBD0C60000-memory.dmp

Filesize
64KB

Download
memory/316-293-0x00007FFBD0C50000-0x00007FFBD0C60000-memory.dmp

Filesize
64KB

Download
memory/316-291-0x00007FFBD0C50000-0x00007FFBD0C60000-memory.dmp

Filesize
64KB

Download
memory/316-296-0x00007FFBCEA70000-0x00007FFBCEA80000-memory.dmp

Filesize
64KB

Download
memory/316-294-0x00007FFBD0C50000-0x00007FFBD0C60000-memory.dmp

Filesize
64KB

Download
memory/316-295-0x00007FFBD0C50000-0x00007FFBD0C60000-memory.dmp

Filesize
64KB

Download
memory/316-298-0x00007FFBCEA70000-0x00007FFBCEA80000-memory.dmp

Filesize
64KB

Download
memory/392-198-0x0000000000E60000-0x0000000001024000-memory.dmp

Filesize
1.8MB

Download
memory/392-327-0x0000000000E60000-0x0000000001024000-memory.dmp

Filesize
1.8MB

Download
memory/392-325-0x0000000000E60000-0x0000000001024000-memory.dmp

Filesize
1.8MB

Download
memory/392-324-0x0000000000E60000-0x0000000001024000-memory.dmp

Filesize
1.8MB

Download
memory/392-102-0x0000000000E60000-0x0000000001024000-memory.dmp

Filesize
1.8MB

Download
memory/392-197-0x0000000000E60000-0x0000000001024000-memory.dmp

Filesize
1.8MB

Download
memory/392-349-0x0000000000E60000-0x0000000001024000-memory.dmp

Filesize
1.8MB

Download
memory/392-318-0x0000000000E60000-0x0000000001024000-memory.dmp

Filesize
1.8MB

Download
memory/392-353-0x0000000000E60000-0x0000000001024000-memory.dmp

Filesize
1.8MB

Download
memory/936-32-0x0000000074670000-0x0000000074E20000-memory.dmp

Filesize
7.7MB

Download
memory/936-6-0x0000000006BA0000-0x0000000006BB8000-memory.dmp

Filesize
96KB

Download
memory/936-2-0x0000000005B60000-0x0000000006104000-memory.dmp

Filesize
5.6MB

Download
memory/936-5-0x0000000074670000-0x0000000074E20000-memory.dmp

Filesize
7.7MB

Download
memory/936-4-0x0000000005530000-0x000000000553A000-memory.dmp

Filesize
40KB

Download
memory/936-1-0x0000000000640000-0x0000000000B2A000-memory.dmp

Filesize
4.9MB

Download
memory/936-0-0x000000007467E000-0x000000007467F000-memory.dmp

Filesize
4KB

Download
memory/936-3-0x00000000055B0000-0x0000000005642000-memory.dmp

Filesize
584KB

Download
memory/936-8-0x0000000074670000-0x0000000074E20000-memory.dmp

Filesize
7.7MB

Download
memory/936-7-0x000000007467E000-0x000000007467F000-memory.dmp

Filesize
4KB

Download
memory/936-10-0x0000000006910000-0x00000000069AC000-memory.dmp

Filesize
624KB

Download
memory/936-9-0x0000000007F20000-0x00000000080EC000-memory.dmp

Filesize
1.8MB

Download
memory/3116-319-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/3116-311-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/3116-206-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/3116-312-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/3116-348-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/3200-297-0x0000000007520000-0x0000000007531000-memory.dmp

Filesize
68KB

Download
memory/3200-299-0x0000000007560000-0x0000000007574000-memory.dmp

Filesize
80KB

Download
memory/3200-286-0x0000000007270000-0x0000000007313000-memory.dmp

Filesize
652KB

Download
memory/3200-276-0x0000000070100000-0x000000007014C000-memory.dmp

Filesize
304KB

Download
memory/3200-268-0x0000000006060000-0x00000000060AC000-memory.dmp

Filesize
304KB

Download
memory/3200-213-0x00000000059D0000-0x0000000005D24000-memory.dmp

Filesize
3.3MB

Download
memory/4376-305-0x0000000000770000-0x0000000000934000-memory.dmp

Filesize
1.8MB

Download
memory/4376-290-0x0000000000770000-0x0000000000934000-memory.dmp

Filesize
1.8MB

Download
memory/4416-31-0x0000000004F90000-0x0000000004FB2000-memory.dmp

Filesize
136KB

Download
memory/4416-183-0x0000000006400000-0x000000000641E000-memory.dmp

Filesize
120KB

Download
memory/4416-193-0x00000000074A0000-0x00000000074A8000-memory.dmp

Filesize
32KB

Download
memory/4416-192-0x00000000074C0000-0x00000000074DA000-memory.dmp

Filesize
104KB

Download
memory/4416-191-0x00000000073C0000-0x00000000073D4000-memory.dmp

Filesize
80KB

Download
memory/4416-190-0x00000000073B0000-0x00000000073BE000-memory.dmp

Filesize
56KB

Download
memory/4416-189-0x0000000007380000-0x0000000007391000-memory.dmp

Filesize
68KB

Download
memory/4416-188-0x0000000007400000-0x0000000007496000-memory.dmp

Filesize
600KB

Download
memory/4416-187-0x00000000071F0000-0x00000000071FA000-memory.dmp

Filesize
40KB

Download
memory/4416-186-0x0000000007180000-0x000000000719A000-memory.dmp

Filesize
104KB

Download
memory/4416-185-0x00000000077C0000-0x0000000007E3A000-memory.dmp

Filesize
6.5MB

Download
memory/4416-184-0x0000000006E90000-0x0000000006F33000-memory.dmp

Filesize
652KB

Download
memory/4416-173-0x000000006FD00000-0x000000006FD4C000-memory.dmp

Filesize
304KB

Download
memory/4416-20-0x0000000074670000-0x0000000074E20000-memory.dmp

Filesize
7.7MB

Download
memory/4416-172-0x0000000006E50000-0x0000000006E82000-memory.dmp

Filesize
200KB

Download
memory/4416-196-0x0000000074670000-0x0000000074E20000-memory.dmp

Filesize
7.7MB

Download
memory/4416-91-0x00000000063B0000-0x00000000063FC000-memory.dmp

Filesize
304KB

Download
memory/4416-90-0x0000000005E30000-0x0000000005E4E000-memory.dmp

Filesize
120KB

Download
memory/4416-41-0x00000000059D0000-0x0000000005D24000-memory.dmp

Filesize
3.3MB

Download
memory/4416-15-0x0000000004880000-0x00000000048B6000-memory.dmp

Filesize
216KB

Download
memory/4416-39-0x00000000058D0000-0x0000000005936000-memory.dmp

Filesize
408KB

Download
memory/4416-40-0x0000000005960000-0x00000000059C6000-memory.dmp

Filesize
408KB

Download
memory/4416-16-0x0000000074670000-0x0000000074E20000-memory.dmp

Filesize
7.7MB

Download
memory/4416-17-0x0000000005030000-0x0000000005658000-memory.dmp

Filesize
6.2MB

Download
memory/4416-19-0x0000000074670000-0x0000000074E20000-memory.dmp

Filesize
7.7MB

Download
memory/4916-170-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/4916-22-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/4916-24-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/4916-30-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/4916-21-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download