njrat | a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47

General

Target

a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
Size

5.2MB
MD5

cf4a7182c8b3dcdd1f2e8db2e011c700
SHA1

b518086df01053f00e73159ad4b4d6159e608a14
SHA256

a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47
SHA512

1cbc47bfe21a07246880893b8024813ad368b5f573a351c637d97759dc6dcfe2a495f3b595db6e9d31846ccc5d6b2b71a73be39730e54980fd507c9cbb63a8b7
SSDEEP

98304:bnsmtk2aW3KI5OVU8/GsW+exVVxHjkxuiCllBHr8wBo:DLQQ+Urt+eHVxHjqui+r8Ao

Score

10^/10

njrat xred hacked backdoor discovery persistence trojan

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

njrat

Version

v4.0

Botnet

HacKed

C2

ecutuning.ddns.net:11560

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

Njrat family
njrat
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 5 IoCs

Processes:

svchost.exepaylod.exepaylod.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	paylod.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	paylod.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	svchost.exe

Executes dropped EXE 8 IoCs

Processes:

._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exeSynaptics.exe._cache_Synaptics.exepaylod.exepaylod.exeKeygen (2).exeKeygen (2).exesvchost.exe

pid	process
1608	._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
3024	Synaptics.exe
1548	._cache_Synaptics.exe
1648	paylod.exe
1772	paylod.exe
380	Keygen (2).exe
1628	Keygen (2).exe
2844	svchost.exe

Loads dropped DLL 15 IoCs

Processes:

a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exeSynaptics.exe._cache_Synaptics.exe._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe

pid	process
2204	a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
2204	a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
2204	a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
2204	a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
3024	Synaptics.exe
3024	Synaptics.exe
3024	Synaptics.exe
1548	._cache_Synaptics.exe
1548	._cache_Synaptics.exe
1608	._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
1608	._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
1548	._cache_Synaptics.exe
1548	._cache_Synaptics.exe
1608	._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
1608	._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exepaylod.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Windows\\svchost.exe"	paylod.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe._cache_Synaptics.exe

pid	process
1608	._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
1548	._cache_Synaptics.exe
1608	._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
1548	._cache_Synaptics.exe

Drops file in Windows directory 2 IoCs

Processes:

paylod.exeattrib.exe

description ioc process

File created C:\Windows\svchost.exe paylod.exe
File opened for modification C:\Windows\svchost.exe attrib.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\svchost.exe	paylod.exe
File opened for modification	C:\Windows\svchost.exe	attrib.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

EXCEL.EXEKeygen (2).exeKeygen (2).exepaylod.exea8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exeSynaptics.exepaylod.exesvchost.exeattrib.exe._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe._cache_Synaptics.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keygen (2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keygen (2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	paylod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	paylod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2908 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe._cache_Synaptics.exe

pid process

1608 ._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
1548 ._cache_Synaptics.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
2908	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeDebugPrivilege	2844	svchost.exe
Token: 33	2844	svchost.exe
Token: SeIncBasePriorityPrivilege	2844	svchost.exe
Token: 33	2844	svchost.exe
Token: SeIncBasePriorityPrivilege	2844	svchost.exe
Token: 33	2844	svchost.exe
Token: SeIncBasePriorityPrivilege	2844	svchost.exe
Token: 33	2844	svchost.exe
Token: SeIncBasePriorityPrivilege	2844	svchost.exe
Token: 33	2844	svchost.exe
Token: SeIncBasePriorityPrivilege	2844	svchost.exe
Token: 33	2844	svchost.exe
Token: SeIncBasePriorityPrivilege	2844	svchost.exe
Token: 33	2844	svchost.exe
Token: SeIncBasePriorityPrivilege	2844	svchost.exe
Token: 33	2844	svchost.exe
Token: SeIncBasePriorityPrivilege	2844	svchost.exe
Token: 33	2844	svchost.exe
Token: SeIncBasePriorityPrivilege	2844	svchost.exe
Token: 33	2844	svchost.exe
Token: SeIncBasePriorityPrivilege	2844	svchost.exe
Token: 33	2844	svchost.exe
Token: SeIncBasePriorityPrivilege	2844	svchost.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe._cache_Synaptics.exeEXCEL.EXEKeygen (2).exeKeygen (2).exe

pid	process
1608	._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
1548	._cache_Synaptics.exe
2908	EXCEL.EXE
380	Keygen (2).exe
1628	Keygen (2).exe
380	Keygen (2).exe
1628	Keygen (2).exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exeSynaptics.exe._cache_Synaptics.exe._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exepaylod.exe

description	pid	process	target process
PID 2204 wrote to memory of 1608	2204	a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe	._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
PID 2204 wrote to memory of 1608	2204	a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe	._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
PID 2204 wrote to memory of 1608	2204	a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe	._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
PID 2204 wrote to memory of 1608	2204	a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe	._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
PID 2204 wrote to memory of 3024	2204	a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe	Synaptics.exe
PID 2204 wrote to memory of 3024	2204	a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe	Synaptics.exe
PID 2204 wrote to memory of 3024	2204	a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe	Synaptics.exe
PID 2204 wrote to memory of 3024	2204	a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe	Synaptics.exe
PID 3024 wrote to memory of 1548	3024	Synaptics.exe	._cache_Synaptics.exe
PID 3024 wrote to memory of 1548	3024	Synaptics.exe	._cache_Synaptics.exe
PID 3024 wrote to memory of 1548	3024	Synaptics.exe	._cache_Synaptics.exe
PID 3024 wrote to memory of 1548	3024	Synaptics.exe	._cache_Synaptics.exe
PID 1548 wrote to memory of 1648	1548	._cache_Synaptics.exe	paylod.exe
PID 1548 wrote to memory of 1648	1548	._cache_Synaptics.exe	paylod.exe
PID 1548 wrote to memory of 1648	1548	._cache_Synaptics.exe	paylod.exe
PID 1548 wrote to memory of 1648	1548	._cache_Synaptics.exe	paylod.exe
PID 1608 wrote to memory of 1772	1608	._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe	paylod.exe
PID 1608 wrote to memory of 1772	1608	._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe	paylod.exe
PID 1608 wrote to memory of 1772	1608	._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe	paylod.exe
PID 1608 wrote to memory of 1772	1608	._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe	paylod.exe
PID 1548 wrote to memory of 1628	1548	._cache_Synaptics.exe	Keygen (2).exe
PID 1548 wrote to memory of 1628	1548	._cache_Synaptics.exe	Keygen (2).exe
PID 1548 wrote to memory of 1628	1548	._cache_Synaptics.exe	Keygen (2).exe
PID 1548 wrote to memory of 1628	1548	._cache_Synaptics.exe	Keygen (2).exe
PID 1608 wrote to memory of 380	1608	._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe	Keygen (2).exe
PID 1608 wrote to memory of 380	1608	._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe	Keygen (2).exe
PID 1608 wrote to memory of 380	1608	._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe	Keygen (2).exe
PID 1608 wrote to memory of 380	1608	._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe	Keygen (2).exe
PID 1648 wrote to memory of 2844	1648	paylod.exe	svchost.exe
PID 1648 wrote to memory of 2844	1648	paylod.exe	svchost.exe
PID 1648 wrote to memory of 2844	1648	paylod.exe	svchost.exe
PID 1648 wrote to memory of 2844	1648	paylod.exe	svchost.exe
PID 1648 wrote to memory of 2088	1648	paylod.exe	attrib.exe
PID 1648 wrote to memory of 2088	1648	paylod.exe	attrib.exe
PID 1648 wrote to memory of 2088	1648	paylod.exe	attrib.exe
PID 1648 wrote to memory of 2088	1648	paylod.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

2088 attrib.exe

pid	process
2088	attrib.exe

C:\Users\Admin\AppData\Local\Temp\a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
"C:\Users\Admin\AppData\Local\Temp\a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Users\Admin\AppData\Local\Temp\paylod.exe
    "C:\Users\Admin\AppData\Local\Temp\paylod.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1772
- - C:\Users\Admin\AppData\Local\Temp\Keygen (2).exe
    "C:\Users\Admin\AppData\Local\Temp\Keygen (2).exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:380
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1548
  - - C:\Users\Admin\AppData\Local\Temp\paylod.exe
      "C:\Users\Admin\AppData\Local\Temp\paylod.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1648
    - - C:\Windows\svchost.exe
        
        "C:\Windows\svchost.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h +r +s "C:\Windows\svchost.exe"
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2088
  - - C:\Users\Admin\AppData\Local\Temp\Keygen (2).exe
      "C:\Users\Admin\AppData\Local\Temp\Keygen (2).exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1628

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
5.2MB

MD5
cf4a7182c8b3dcdd1f2e8db2e011c700

SHA1
b518086df01053f00e73159ad4b4d6159e608a14

SHA256
a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47

SHA512
1cbc47bfe21a07246880893b8024813ad368b5f573a351c637d97759dc6dcfe2a495f3b595db6e9d31846ccc5d6b2b71a73be39730e54980fd507c9cbb63a8b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_a8037ce48676e2bc83b9e00ae1db9871996282d873211dbcb021dd9f44b90c47N.exe

Filesize
4.5MB

MD5
a26afc4b230cde67dec5e341aef0e90f

SHA1
f5a7a08bbd039184c3e89f4ea4ef5eeb392b5fa1

SHA256
567c4101aa7ad812b7bd42d87a5ba7d9c4f82dd7096daa7b079cfa70649dec2e

SHA512
06e71d53d1e0e0436be193f05c05c8896e9184bfc7db1842195452d34a8c9a59f26b38129a4216eb301c96e367babb8db7b1e50b2a258acc5f0d6c981db4621a

Download Submit
C:\Users\Admin\AppData\Local\Temp\H1HoR48f.xlsm

Filesize
17KB

MD5
af4d37aad8b34471da588360a43e768a

SHA1
83ed64667d4e68ea531b8bcf58aab3ed4a5ca998

SHA256
e7550c3453156531308fda255a198c3710aa4bc7412819c180b103c11e85cef1

SHA512
74f5000038c47b7c909c4ee5740e0e87cac12c9c96fff8b1c7ec749541ee3d4b7efd80f9ac02cd39809dca3f2707d0063fa852a3a541342d93a9d03de08823da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Keygen (2).exe

Filesize
1.7MB

MD5
91b154d347d471b16c0662f071828792

SHA1
22ed21e428006595cf0b144492edab06203a7b67

SHA256
83f395011aadf443178dc7fdfb4857a61872ab46f7d2eac68905632965706042

SHA512
73d20d1b0fbb33136570b80c5a8a850bc278682129e8f59d27f4c166796aa8b82c84df7b7b74c8fb22c9fb2e362d766e88cba0b7e4b452eb269ae60e17d3a921

Download Submit
C:\Users\Admin\AppData\Local\Temp\paylod.exe

Filesize
26KB

MD5
e6149ed0cdf7e22aaa3c79dfc7150900

SHA1
d9e1b9e3feff75897030366ba28d2c460374afa2

SHA256
b107529ccc4a4ad32ab1bd60ef6ae6b1cebc5e5252c0a6cd53a0cf6028e346d2

SHA512
f086c90a52981143e79066482b73c5e673c0e72332f204fa8f33b2ff180dbe52f1ee93bb44a1852d513569c3091ce81ba1185e511e00abdbbe1f2182a853f67e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Filesize
1KB

MD5
483f86727c45f8708ef5c52cf2ffb202

SHA1
4a8f1f974de6dc5a4b0d061d31f99e066e274a6e

SHA256
38d64461d94b76bfc989857b1e7d90ec6b739aacd5ee97b5510a7851c4623fdd

SHA512
7cfe13eb4ba6ebf5a5bd871b9f0ae66c43a8fc31ca175442c76199b28cbf6f3e3ef726dbc01c358ce8a9512c3f0888b0574174b4883decfd5a054523b1519f21

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

Filesize
1022B

MD5
45a6f40ede1d1b1750641d01aebbbc36

SHA1
7b032f59ca7967d5bc7017c09cb7fe5199ea1f77

SHA256
86c6167b81bcb992c2e403308e53a7d801a3b7b2cbc1245d47704074c5004238

SHA512
686969179d56b400a781c5a0a29e60b9802503755df7613a350f19a128b5a6705c44448a8c18ec13bdaf1229b82217a9d11ecd541b48f301a609435f045270c1

Download Submit
memory/380-84-0x0000000000400000-0x00000000005B5000-memory.dmp

Filesize
1.7MB

Download
memory/1548-75-0x00000000012C0000-0x0000000001BFA000-memory.dmp

Filesize
9.2MB

Download
memory/1548-47-0x00000000012C0000-0x0000000001BFA000-memory.dmp

Filesize
9.2MB

Download
memory/1608-74-0x00000000011B0000-0x0000000001AEA000-memory.dmp

Filesize
9.2MB

Download
memory/1608-31-0x00000000011B0000-0x0000000001AEA000-memory.dmp

Filesize
9.2MB

Download
memory/1628-85-0x0000000000400000-0x00000000005B5000-memory.dmp

Filesize
1.7MB

Download
memory/1772-76-0x0000000000860000-0x000000000086C000-memory.dmp

Filesize
48KB

Download
memory/2204-30-0x0000000000400000-0x000000000093C000-memory.dmp

Filesize
5.2MB

Download
memory/2204-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2204-28-0x0000000005A90000-0x00000000063CA000-memory.dmp

Filesize
9.2MB

Download
memory/2844-96-0x0000000001180000-0x000000000118C000-memory.dmp

Filesize
48KB

Download
memory/2908-48-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3024-77-0x0000000005AA0000-0x00000000063DA000-memory.dmp

Filesize
9.2MB

Download
memory/3024-46-0x0000000005AA0000-0x00000000063DA000-memory.dmp

Filesize
9.2MB

Download
memory/3024-43-0x0000000005AA0000-0x00000000063DA000-memory.dmp

Filesize
9.2MB

Download
memory/3024-86-0x0000000000400000-0x000000000093C000-memory.dmp

Filesize
5.2MB

Download
memory/3024-87-0x0000000005AA0000-0x00000000063DA000-memory.dmp

Filesize
9.2MB

Download
memory/3024-101-0x0000000000400000-0x000000000093C000-memory.dmp

Filesize
5.2MB

Download
memory/3024-103-0x0000000000400000-0x000000000093C000-memory.dmp

Filesize
5.2MB

Download
memory/3024-134-0x0000000000400000-0x000000000093C000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads