xred | hxxps://github[.]com/Da2dalus/OneLastSong

Analysis

max time kernel
39s
max time network
45s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
10-11-2024 05:26

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Da2dalus/OneLastSong

Score

10^/10

xred backdoor bootkit discovery macro persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

Processes:

resource
C:\Users\Admin\AppData\Local\Temp\TFACUPi9.xlsm

Executes dropped EXE 2 IoCs

Processes:

._cache_Da2dalus.exeSynaptics.exe

pid process

4000 ._cache_Da2dalus.exe
772 Synaptics.exe

pid	process
4000	._cache_Da2dalus.exe
772	Synaptics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

._cache_Da2dalus.exeDa2dalus.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Users\\Admin\\Downloads\\OneLastSong-main\\OneLastSong-main\\._cache_Da2dalus.exe"	._cache_Da2dalus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Da2dalus.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

._cache_Da2dalus.exe

description ioc process

File opened for modification \??\PhysicalDrive0 ._cache_Da2dalus.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2724 4000 WerFault.exe ._cache_Da2dalus.exe
2988 3852 WerFault.exe ._cache_Synaptics.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	._cache_Da2dalus.exe

pid	pid_target	process	target process
2724	4000	WerFault.exe	._cache_Da2dalus.exe
2988	3852	WerFault.exe	._cache_Synaptics.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Da2dalus.exe._cache_Da2dalus.exeschtasks.exeSynaptics.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Da2dalus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Da2dalus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

Processes:

Synaptics.exemsedge.exeDa2dalus.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Da2dalus.exe

NTFS ADS 2 IoCs

Processes:

msedge.exeDa2dalus.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\OneLastSong-main.zip:Zone.Identifier	msedge.exe
File created	C:\ProgramData\Synaptics\Synaptics.exe\:Zone.Identifier:$DATA	Da2dalus.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2204 schtasks.exe
5416 schtasks.exe

pid	process
2204	schtasks.exe
5416	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exe._cache_Da2dalus.exe

pid	process
3324	msedge.exe
3324	msedge.exe
5728	msedge.exe
5728	msedge.exe
5128	msedge.exe
5128	msedge.exe
5068	msedge.exe
5068	msedge.exe
1488	identity_helper.exe
1488	identity_helper.exe
4000	._cache_Da2dalus.exe
4000	._cache_Da2dalus.exe
4000	._cache_Da2dalus.exe
4000	._cache_Da2dalus.exe
4000	._cache_Da2dalus.exe
4000	._cache_Da2dalus.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

5728 msedge.exe
5728 msedge.exe
5728 msedge.exe
5728 msedge.exe
5728 msedge.exe
5728 msedge.exe
5728 msedge.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

._cache_Da2dalus.exe

description pid process

Token: SeDebugPrivilege 4000 ._cache_Da2dalus.exe

description	pid	process
Token: SeDebugPrivilege	4000	._cache_Da2dalus.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exe

pid	process
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe
5728	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 5728 wrote to memory of 2972	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 2972	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3980	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3324	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 3324	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 1520	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 1520	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 1520	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 1520	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 1520	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 1520	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 1520	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 1520	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 1520	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 1520	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 1520	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 1520	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 1520	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 1520	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 1520	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 1520	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 1520	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 1520	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 1520	5728	msedge.exe	msedge.exe
PID 5728 wrote to memory of 1520	5728	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/OneLastSong
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffac1093cb8,0x7ffac1093cc8,0x7ffac1093cd8
  2⤵
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,4975402168520836276,1023260999313167809,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,4975402168520836276,1023260999313167809,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,4975402168520836276,1023260999313167809,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
  2⤵
  PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4975402168520836276,1023260999313167809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4975402168520836276,1023260999313167809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,4975402168520836276,1023260999313167809,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4032 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4975402168520836276,1023260999313167809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:5400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,4975402168520836276,1023260999313167809,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,4975402168520836276,1023260999313167809,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6200 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4975402168520836276,1023260999313167809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4975402168520836276,1023260999313167809,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:4132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4975402168520836276,1023260999313167809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4975402168520836276,1023260999313167809,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:2376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5984

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1784

C:\Users\Admin\Downloads\OneLastSong-main\OneLastSong-main\Da2dalus.exe
"C:\Users\Admin\Downloads\OneLastSong-main\OneLastSong-main\Da2dalus.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- NTFS ADS
PID:4276
- C:\Users\Admin\Downloads\OneLastSong-main\OneLastSong-main\._cache_Da2dalus.exe
  "C:\Users\Admin\Downloads\OneLastSong-main\OneLastSong-main\._cache_Da2dalus.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4000
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\Downloads\OneLastSong-main\OneLastSong-main\._cache_Da2dalus.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2204
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 536
    3⤵
    - Program crash
    PID:2724
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:772
- - C:\Users\Admin\Downloads\OneLastSong-main\OneLastSong-main\._cache_Synaptics.exe
    "C:\Users\Admin\Downloads\OneLastSong-main\OneLastSong-main\._cache_Synaptics.exe" InjUpdate
    3⤵
    PID:3852
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\Downloads\OneLastSong-main\OneLastSong-main\._cache_Synaptics.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5416
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 532
      4⤵
      Program crash
      PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4000 -ip 4000
1⤵
PID:492

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3852 -ip 3852
1⤵
PID:5956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
904KB

MD5
5a38adf9adbc76bc3372cb728fa0a1bd

SHA1
80019a609790bd67855590d719c283edd50c93a7

SHA256
72042a01e253fbaedeff3a532795574d496a99b787f35c0f1e30c5cc69a63d6b

SHA512
034ca1fe24b7cbdf8c5024fb2dc1e8a52392d1e278b7c54eb0db1ac6aa76b4577e60a0b9ce7573bfdfe452d3269f24ef5bed2df86e33eacb63ea2ea0f0996d22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d68c7edc2a288ee58e6629398bb9f7c

SHA1
6c1909dea9321c55cae38b8f16bd9d67822e2e51

SHA256
dfd733ed3cf4fb59f2041f82fdf676973783ffa75b9acca095609c7d4f73587b

SHA512
0eda66a07ec4cdb46b0f27d6c8cc157415d803af610b7430adac19547e121f380b9c6a2840f90fe49eaea9b48fa16079d93833c2bcf4b85e3c401d90d464ad2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c03d23a8155753f5a936bd7195e475bc

SHA1
cdf47f410a3ec000e84be83a3216b54331679d63

SHA256
6f5f7996d9b0e131dc2fec84859b7a8597c11a67dd41bdb5a5ef21a46e1ae0ca

SHA512
6ea9a631b454d7e795ec6161e08dbe388699012dbbc9c8cfdf73175a0ecd51204d45cf28a6f1706c8d5f1780666d95e46e4bc27752da9a9d289304f1d97c2f41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e727881239454b3b567a48ead135cb52

SHA1
e085b28c2d32d51bfd6b3ad18ce14b0189055501

SHA256
74f28b7f4de9d8794817d84b7ef2fd5da1c892bf6fe91a55b25815fffb78b849

SHA512
2d5c5102652d37f4ccf1bfc4e223f2343131e95c1755feec5270272438dce21fd7dac5d707fe363d8a262a51db8bce08d312fb06d3da99605ece97ecf878cfa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7e7fb9fdde75f3d11afd959087df1786

SHA1
f40a34b9a05d8f53da2d86dabacfb81d3899ef86

SHA256
747ef07308508c6afeedc09ace9fe76c729458bec12b16a0f3b536e627b25aa5

SHA512
68cb7467328b5db85a13993d9796ae5083712dc82b3c2ae5ae534696bc64214a14f8a157f2e58ba68fc253e8ca24e53f59c78cfdaf9ccbce98e49f8968f0accb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3dfaa50695cd491692334d13bb05fc06

SHA1
e6493dab337709b5818603b0f51a801860b490b4

SHA256
91bdb3b12fe6afb685c0b3975194165fc3a060808fdc5dbb695bce120ef80510

SHA512
595cd5e3dc7a018193af66670a6d4a8e7203e4eba0b9d8069d5173846785004d69a36fbbb162760b4827aaee6fd1a0d92135be8ab9a9f104daf516f7a2f07baa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
029a4d4bdf5ccc641de12b067336724a

SHA1
509977142887f5e5279f912bf3119e0adfa6a20b

SHA256
e40d7cc5514c99c847c02a5aa3adba5d01a928bc61d7e1b0f48080b78a5c6686

SHA512
0a047f33c68951c3ba44ca6f633fa9432fe9f79a030bdd798035a51e968625be365350665d8657c36f2b7a78e60fff0e40deeca503a46c478503a79641d83b99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7bb38c13dcf64c19e8e3b87a2525c23b

SHA1
b8c8183263d88f443a7cb76f782d335e7c1908ad

SHA256
e880b9d31dba469388a22aa3d9b00168cf1baf297b0b20b69e32948d4fc073bd

SHA512
8d6b2f323199987fd050678a3b2359f42907a6ba46468c5f6d3f5a18afb360ad94422739245f1b37c41aa61a553507e8881ac013f767c9b9aa6316aece953c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TFACUPi9.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\TFACUPi9.xlsm

Filesize
23KB

MD5
f0a1d163321f136760873159755fca0a

SHA1
95f2503aa21b9e761197157f41f4913c91fe973f

SHA256
0e3f349195530768c005d21f744df92abde85e413452906fc3b8ff0ab10c849e

SHA512
38f6eec261c78361c349669f185f6a640e08422b988fa60adea2bf8cdda4303e1d9333ff78942c130de317aae1b0c7074232c266e7fff56e9dcf333b34bb4dd8

Download Submit
C:\Users\Admin\Desktop\~$cache1:Zone.Identifier

Filesize
85B

MD5
db97f53f8ba4f59024983ff46a14bf30

SHA1
bcea3cc27885397cbe0dcf47727b1938ff9d5347

SHA256
dc59452c8932f0161919c21e0589cb0b4816cf9f71bf8687f098c4324c06021d

SHA512
9f2b65e47ae01c31e9b4b13c533310c7328f690189607159873f0bc27178968e42fc933d40b65c804c392a9e3d382c1dc058a0b96f6bcc5caa9e25c81f04438f

Download Submit
C:\Users\Admin\Downloads\OneLastSong-main.zip

Filesize
5.2MB

MD5
06b485c9caa3d881d8162e742a1ade8d

SHA1
fdd6f04f05f2d33a6d62c492e581676067fcc893

SHA256
fadb0c3fe023f044c9857462cd1198f2529f44778e718d892ac56b70f12260ea

SHA512
148ffedcd03c765412888280e65bce72b3a960c97f54df0f219373cb1ba3e994aa469d648fdd84b7d1ed568b388d059c05731fcc43cc60b15b0270ab59b8d092

Download Submit
C:\Users\Admin\Downloads\OneLastSong-main.zip:Zone.Identifier

Filesize
79B

MD5
cdb7dcc3ce7af6f41ca26c6cbcd8695e

SHA1
ca15ee3e421a3378ba2aa68a5c72c3414fe881b1

SHA256
ff2c8fdc24835f73d82d09a4d8bf99380da46c3102ebfdbfc4c9b7e10172e72d

SHA512
8423e07e7fd4d83ab228b3d88429fd7644842fb37b9f8723c1fea26e143fa46f9a66a6b3d4a3e2d6965d9808ef3897e78a16c695d10379209ed4f461b202e852

Download Submit
C:\Users\Admin\Downloads\OneLastSong-main\OneLastSong-main\._cache_Da2dalus.exe

Filesize
150KB

MD5
2b290f588594a23f5685f851edae21cf

SHA1
9f3703bc7c9be2a468cb9cea9c76b106871bbd0d

SHA256
01c572264dd4d49b68b480698ccf8694557e79356366656da4ce13cfb63e5d3a

SHA512
c21bec4d5f7d5473dafbda5ce0385e1584b456d331f49f18789c2899603a03164f0f41c93111eaa96bfce367970ed3b39516314917d90869f2cd26fea636b198

Download Submit
\??\pipe\LOCAL\crashpad_5728_MNYHXZIGNASKEXWD

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2756-349-0x00007FFA8CE90000-0x00007FFA8CEA0000-memory.dmp

Filesize
64KB

Download
memory/2756-351-0x00007FFA8CE90000-0x00007FFA8CEA0000-memory.dmp

Filesize
64KB

Download
memory/2756-352-0x00007FFA8CE90000-0x00007FFA8CEA0000-memory.dmp

Filesize
64KB

Download
memory/2756-353-0x00007FFA8A8F0000-0x00007FFA8A900000-memory.dmp

Filesize
64KB

Download
memory/2756-354-0x00007FFA8A8F0000-0x00007FFA8A900000-memory.dmp

Filesize
64KB

Download
memory/2756-350-0x00007FFA8CE90000-0x00007FFA8CEA0000-memory.dmp

Filesize
64KB

Download
memory/2756-348-0x00007FFA8CE90000-0x00007FFA8CEA0000-memory.dmp

Filesize
64KB

Download
memory/4276-313-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads