xred | cbdbf7b8d3a975561d669c99d48f00f4b72aa96220663be3e1001633d175058a

Analysis

max time kernel
17s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-11-2024 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1999X UPDATED 20 SEPTEMBER.exe
Size

8.8MB
MD5

8b712c53db526f81706a3f314911eefa
SHA1

5c1e92d76a546a71836bae1455b7f56561274654
SHA256

cbdbf7b8d3a975561d669c99d48f00f4b72aa96220663be3e1001633d175058a
SHA512

10020e4ae6330ccd8242f5a997ece7edbd39e0e42d8f9e89bff1c75c49d2c8bcff66975950762156f6f473d20bff2ed94bafcd1ed7f14641d100f1ce8dcd0d69
SSDEEP

196608:iLhT7iP/BPp7F5Egmo4f7GVdF2VOm5DXRMLor9DR4OL7ectBS9/pU/b:ixmvR5ELx0JeDXRMMrZeOL7eIBS9/pIb

Score

10^/10

xred backdoor discovery evasion macro persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 3 IoCs

Office document equipped with macros.

macro

Processes:

resource
C:\Users\Admin\AppData\Local\Temp\pLMjJESD.xlsm
C:\Users\Admin\AppData\Local\Temp\pLMjJESD.xlsm
C:\Users\Admin\AppData\Local\Temp\pLMjJESD.xlsm

Executes dropped EXE 11 IoCs

Processes:

1999x updated 20 september.exe icsys.icn.exeexplorer.exespoolsv.exeSynaptics.exesvchost.exespoolsv.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exe

pid	process
1992	1999x updated 20 september.exe
3048	icsys.icn.exe
2916	explorer.exe
2828	spoolsv.exe
2672	Synaptics.exe
2608	svchost.exe
2540	spoolsv.exe
1988	._cache_Synaptics.exe
2872	._cache_synaptics.exe
2892	icsys.icn.exe
444	explorer.exe

Loads dropped DLL 23 IoCs

Processes:

1999X UPDATED 20 SEPTEMBER.exeicsys.icn.exeexplorer.exe1999x updated 20 september.exe Synaptics.exespoolsv.exesvchost.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exe

pid	process
1868	1999X UPDATED 20 SEPTEMBER.exe
1868	1999X UPDATED 20 SEPTEMBER.exe
3048	icsys.icn.exe
2916	explorer.exe
1992	1999x updated 20 september.exe
1992	1999x updated 20 september.exe
1992	1999x updated 20 september.exe
2672	Synaptics.exe
2672	Synaptics.exe
2672	Synaptics.exe
2828	spoolsv.exe
2608	svchost.exe
2672	Synaptics.exe
2672	Synaptics.exe
1988	._cache_Synaptics.exe
1988	._cache_Synaptics.exe
1988	._cache_Synaptics.exe
1988	._cache_Synaptics.exe
2892	icsys.icn.exe
2892	icsys.icn.exe
2892	icsys.icn.exe
444	explorer.exe
444	explorer.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe1999x updated 20 september.exe explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	1999x updated 20 september.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

Processes:

spoolsv.exe._cache_Synaptics.exe1999X UPDATED 20 SEPTEMBER.exeicsys.icn.exeexplorer.exe

description	ioc	process
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	1999X UPDATED 20 SEPTEMBER.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

1999x updated 20 september.exe spoolsv.exe._cache_Synaptics.exeEXCEL.EXEicsys.icn.exesvchost.exeschtasks.exeexplorer.exe1999X UPDATED 20 SEPTEMBER.exeicsys.icn.exeexplorer.exespoolsv.exeSynaptics.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1999x updated 20 september.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1999X UPDATED 20 SEPTEMBER.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1968 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1696 EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1968	schtasks.exe

pid	process
1696	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1999X UPDATED 20 SEPTEMBER.exeicsys.icn.exeexplorer.exesvchost.exe

pid	process
1868	1999X UPDATED 20 SEPTEMBER.exe
1868	1999X UPDATED 20 SEPTEMBER.exe
1868	1999X UPDATED 20 SEPTEMBER.exe
1868	1999X UPDATED 20 SEPTEMBER.exe
1868	1999X UPDATED 20 SEPTEMBER.exe
1868	1999X UPDATED 20 SEPTEMBER.exe
1868	1999X UPDATED 20 SEPTEMBER.exe
1868	1999X UPDATED 20 SEPTEMBER.exe
1868	1999X UPDATED 20 SEPTEMBER.exe
1868	1999X UPDATED 20 SEPTEMBER.exe
1868	1999X UPDATED 20 SEPTEMBER.exe
1868	1999X UPDATED 20 SEPTEMBER.exe
1868	1999X UPDATED 20 SEPTEMBER.exe
1868	1999X UPDATED 20 SEPTEMBER.exe
1868	1999X UPDATED 20 SEPTEMBER.exe
1868	1999X UPDATED 20 SEPTEMBER.exe
3048	icsys.icn.exe
3048	icsys.icn.exe
3048	icsys.icn.exe
3048	icsys.icn.exe
3048	icsys.icn.exe
3048	icsys.icn.exe
3048	icsys.icn.exe
3048	icsys.icn.exe
3048	icsys.icn.exe
3048	icsys.icn.exe
3048	icsys.icn.exe
3048	icsys.icn.exe
3048	icsys.icn.exe
3048	icsys.icn.exe
3048	icsys.icn.exe
3048	icsys.icn.exe
3048	icsys.icn.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2608	svchost.exe
2608	svchost.exe
2608	svchost.exe
2608	svchost.exe
2608	svchost.exe
2608	svchost.exe
2608	svchost.exe
2608	svchost.exe
2608	svchost.exe
2608	svchost.exe
2608	svchost.exe
2608	svchost.exe
2608	svchost.exe
2608	svchost.exe
2608	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2916 explorer.exe
2608 svchost.exe

pid	process
2916	explorer.exe
2608	svchost.exe

Suspicious use of SetWindowsHookEx 19 IoCs

Processes:

1999X UPDATED 20 SEPTEMBER.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe._cache_Synaptics.exeEXCEL.EXEicsys.icn.exeexplorer.exe

pid	process
1868	1999X UPDATED 20 SEPTEMBER.exe
1868	1999X UPDATED 20 SEPTEMBER.exe
3048	icsys.icn.exe
3048	icsys.icn.exe
2916	explorer.exe
2916	explorer.exe
2828	spoolsv.exe
2828	spoolsv.exe
2608	svchost.exe
2608	svchost.exe
2540	spoolsv.exe
2540	spoolsv.exe
1988	._cache_Synaptics.exe
1988	._cache_Synaptics.exe
1696	EXCEL.EXE
2892	icsys.icn.exe
2892	icsys.icn.exe
444	explorer.exe
444	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1999X UPDATED 20 SEPTEMBER.exeicsys.icn.exeexplorer.exe1999x updated 20 september.exe spoolsv.exesvchost.exeSynaptics.exe._cache_Synaptics.exeicsys.icn.exe

description	pid	process	target process
PID 1868 wrote to memory of 1992	1868	1999X UPDATED 20 SEPTEMBER.exe	1999x updated 20 september.exe
PID 1868 wrote to memory of 1992	1868	1999X UPDATED 20 SEPTEMBER.exe	1999x updated 20 september.exe
PID 1868 wrote to memory of 1992	1868	1999X UPDATED 20 SEPTEMBER.exe	1999x updated 20 september.exe
PID 1868 wrote to memory of 1992	1868	1999X UPDATED 20 SEPTEMBER.exe	1999x updated 20 september.exe
PID 1868 wrote to memory of 1992	1868	1999X UPDATED 20 SEPTEMBER.exe	1999x updated 20 september.exe
PID 1868 wrote to memory of 1992	1868	1999X UPDATED 20 SEPTEMBER.exe	1999x updated 20 september.exe
PID 1868 wrote to memory of 1992	1868	1999X UPDATED 20 SEPTEMBER.exe	1999x updated 20 september.exe
PID 1868 wrote to memory of 3048	1868	1999X UPDATED 20 SEPTEMBER.exe	icsys.icn.exe
PID 1868 wrote to memory of 3048	1868	1999X UPDATED 20 SEPTEMBER.exe	icsys.icn.exe
PID 1868 wrote to memory of 3048	1868	1999X UPDATED 20 SEPTEMBER.exe	icsys.icn.exe
PID 1868 wrote to memory of 3048	1868	1999X UPDATED 20 SEPTEMBER.exe	icsys.icn.exe
PID 3048 wrote to memory of 2916	3048	icsys.icn.exe	explorer.exe
PID 3048 wrote to memory of 2916	3048	icsys.icn.exe	explorer.exe
PID 3048 wrote to memory of 2916	3048	icsys.icn.exe	explorer.exe
PID 3048 wrote to memory of 2916	3048	icsys.icn.exe	explorer.exe
PID 2916 wrote to memory of 2828	2916	explorer.exe	spoolsv.exe
PID 2916 wrote to memory of 2828	2916	explorer.exe	spoolsv.exe
PID 2916 wrote to memory of 2828	2916	explorer.exe	spoolsv.exe
PID 2916 wrote to memory of 2828	2916	explorer.exe	spoolsv.exe
PID 1992 wrote to memory of 2672	1992	1999x updated 20 september.exe	Synaptics.exe
PID 1992 wrote to memory of 2672	1992	1999x updated 20 september.exe	Synaptics.exe
PID 1992 wrote to memory of 2672	1992	1999x updated 20 september.exe	Synaptics.exe
PID 1992 wrote to memory of 2672	1992	1999x updated 20 september.exe	Synaptics.exe
PID 1992 wrote to memory of 2672	1992	1999x updated 20 september.exe	Synaptics.exe
PID 1992 wrote to memory of 2672	1992	1999x updated 20 september.exe	Synaptics.exe
PID 1992 wrote to memory of 2672	1992	1999x updated 20 september.exe	Synaptics.exe
PID 2828 wrote to memory of 2608	2828	spoolsv.exe	svchost.exe
PID 2828 wrote to memory of 2608	2828	spoolsv.exe	svchost.exe
PID 2828 wrote to memory of 2608	2828	spoolsv.exe	svchost.exe
PID 2828 wrote to memory of 2608	2828	spoolsv.exe	svchost.exe
PID 2608 wrote to memory of 2540	2608	svchost.exe	spoolsv.exe
PID 2608 wrote to memory of 2540	2608	svchost.exe	spoolsv.exe
PID 2608 wrote to memory of 2540	2608	svchost.exe	spoolsv.exe
PID 2608 wrote to memory of 2540	2608	svchost.exe	spoolsv.exe
PID 2916 wrote to memory of 1400	2916	explorer.exe	Explorer.exe
PID 2916 wrote to memory of 1400	2916	explorer.exe	Explorer.exe
PID 2916 wrote to memory of 1400	2916	explorer.exe	Explorer.exe
PID 2916 wrote to memory of 1400	2916	explorer.exe	Explorer.exe
PID 2608 wrote to memory of 1968	2608	svchost.exe	schtasks.exe
PID 2608 wrote to memory of 1968	2608	svchost.exe	schtasks.exe
PID 2608 wrote to memory of 1968	2608	svchost.exe	schtasks.exe
PID 2608 wrote to memory of 1968	2608	svchost.exe	schtasks.exe
PID 2672 wrote to memory of 1988	2672	Synaptics.exe	._cache_Synaptics.exe
PID 2672 wrote to memory of 1988	2672	Synaptics.exe	._cache_Synaptics.exe
PID 2672 wrote to memory of 1988	2672	Synaptics.exe	._cache_Synaptics.exe
PID 2672 wrote to memory of 1988	2672	Synaptics.exe	._cache_Synaptics.exe
PID 2672 wrote to memory of 1988	2672	Synaptics.exe	._cache_Synaptics.exe
PID 2672 wrote to memory of 1988	2672	Synaptics.exe	._cache_Synaptics.exe
PID 2672 wrote to memory of 1988	2672	Synaptics.exe	._cache_Synaptics.exe
PID 1988 wrote to memory of 2872	1988	._cache_Synaptics.exe	._cache_synaptics.exe
PID 1988 wrote to memory of 2872	1988	._cache_Synaptics.exe	._cache_synaptics.exe
PID 1988 wrote to memory of 2872	1988	._cache_Synaptics.exe	._cache_synaptics.exe
PID 1988 wrote to memory of 2872	1988	._cache_Synaptics.exe	._cache_synaptics.exe
PID 1988 wrote to memory of 2892	1988	._cache_Synaptics.exe	icsys.icn.exe
PID 1988 wrote to memory of 2892	1988	._cache_Synaptics.exe	icsys.icn.exe
PID 1988 wrote to memory of 2892	1988	._cache_Synaptics.exe	icsys.icn.exe
PID 1988 wrote to memory of 2892	1988	._cache_Synaptics.exe	icsys.icn.exe
PID 1988 wrote to memory of 2892	1988	._cache_Synaptics.exe	icsys.icn.exe
PID 1988 wrote to memory of 2892	1988	._cache_Synaptics.exe	icsys.icn.exe
PID 1988 wrote to memory of 2892	1988	._cache_Synaptics.exe	icsys.icn.exe
PID 2892 wrote to memory of 444	2892	icsys.icn.exe	explorer.exe
PID 2892 wrote to memory of 444	2892	icsys.icn.exe	explorer.exe
PID 2892 wrote to memory of 444	2892	icsys.icn.exe	explorer.exe
PID 2892 wrote to memory of 444	2892	icsys.icn.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\1999X UPDATED 20 SEPTEMBER.exe
"C:\Users\Admin\AppData\Local\Temp\1999X UPDATED 20 SEPTEMBER.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1868
- \??\c:\users\admin\appdata\local\temp\1999x updated 20 september.exe
  "c:\users\admin\appdata\local\temp\1999x updated 20 september.exe "
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1988
    - - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        5⤵
        Executes dropped EXE
        
        PID:2872
    - - C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2892
      - \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:444
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3048
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2828
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2608
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2540
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:18 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1968
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:1400

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
8.0MB

MD5
d5eeed5294dfeb93be92dd144d7f2933

SHA1
35a7cac1b47d63fb6f1b33edd54ebba26df1952f

SHA256
002f2527578321676701c1c6a869fae4ecdb238cf05138979bae79efbfdce6f7

SHA512
31b06c451c959c299bc81b50247b64c8201b6d8e28fe80403199c7d7d17a6ce7a2ad25a89618871f67cc509fc9962acd2e05cb009bfcf9b0fa73d28557ac9c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_synaptics.exe

Filesize
7.8MB

MD5
2e5d7f2c2ad4570bccb74014aadc4fbb

SHA1
e574ae9e92a77205fc3bf54ccf49888b393e640c

SHA256
634318fc02c5f4190c51f3557af1a27215ae4f29fd15debf109570ed9978994c

SHA512
1f5fda7d4bff56709d5fdba799b7bc8983b0bd28678b74c1a85b7ca18b5407d6218894e7c037df7ec588a2bfcd0615d4dc9551a4d275006e15949d6b7b0c22fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\pLMjJESD.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\pLMjJESD.xlsm

Filesize
29KB

MD5
ebe8f0e0464ecb52dcd75a152700e935

SHA1
0e3efccddc0620cf9b42ad2d9ae3d0f7f15b677c

SHA256
b0c91bc6bd755bf07003e404938e4ed161f4606d95513d372a2f27a6498361a6

SHA512
48070a2b1a6c151fbe07a40856f73fac70ed3827f984ce951b8c9bb879b69de3cc16eb82e30abe62542b381440c1c32bc9ee8a4cc493f7b73a2f0e0373fcd935

Download Submit
C:\Users\Admin\AppData\Local\Temp\pLMjJESD.xlsm

Filesize
30KB

MD5
50b8d6ce0f8411f91680431bc93530e2

SHA1
0ea898f76f34c17bb53190fd7bf6b1788e460b78

SHA256
ad36ffb99764a8f4a34587fa3e283952e13b2dd2b92fc1583913bbbea1af7f04

SHA512
7f39f99ae7af12006c428233b6a9b14e9ce5cc18f661fb5c9ad515a4829fc830d99d4092651caa8c588fe072e62f6c15e5ac11bdd965a59d45cd676077deb353

Download Submit
C:\Users\Admin\AppData\Local\Temp\pLMjJESD.xlsm

Filesize
26KB

MD5
5ef40a25c452fe2945a9eefeb9abff17

SHA1
1bed03b1f75994b9529d53d87ef647e43ce58dab

SHA256
28bdb9749a4948a6668968c4ae3344398cfdf1033a1393c1af85e575ec228fb7

SHA512
6d98c311689b065f21bd56685ab9ddac505fb125b702523c2a257f9458608c35befa0809e00d3e1b9e32fb0ab3cc51c23650fc5495b3c979c9b59b6f7a5bbe03

Download Submit
C:\Users\Admin\AppData\Local\Temp\pLMjJESD.xlsm

Filesize
29KB

MD5
aa243625802829bd473f27496b086d0f

SHA1
5424337d95d70d44c0984dacb67b54690d6bff14

SHA256
7f87bd7882b6251d116b8861c687b8fd936232467a12011ebb0e508c6dfa382b

SHA512
b8c9d09e140db4d87a2476016ae5bc9e8b97024bb8f457292aa1ef42d4d76c6ece0dad870f3fea078953eb9bb8dfae0d3e693cfeeac14b84a6e9cd8450ae9423

Download Submit
C:\Users\Admin\AppData\Local\Temp\~$pLMjJESD.xlsm

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
fb48b82239d91a3962551a19fb6d3864

SHA1
c927206df59c002da404858ec13498307ab5b27e

SHA256
c2b252077a7cda01ed6ecba0b1234224791f4a7ac03a489daf769550a9bf3e7d

SHA512
00232230ef5a654d6429b67bbee5d4f28f8457295ae74f24224af0b805b264355abbaba147861d8a07a94c25f5cbd50605d079c6ea9deadd6599263f1e929b95

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
fa6f3ba803a9dab353969e364f3fd0a5

SHA1
5e954e10a052121ec659347343be11e62255afdd

SHA256
e255c905da2d46bfbfdd5ca2da543cc4eccdd55b674c6a7d1f8070a10f27b4e3

SHA512
b2410fe021e0713aec3dc16d6b756943c8feac7cb3ae85fa289365a374f17f8e8c2985b215353dd160401c7ba20d1fbb0791443836ca94a2657ef32f0a2c9aa7

Download Submit
\Users\Admin\AppData\Local\Temp\1999x updated 20 september.exe

Filesize
8.7MB

MD5
c340d6073313ffcbbc065b665582e740

SHA1
602dbad5d1f19d8b849cd93c644d91501a72264d

SHA256
65eb21fcc39901e51073fbfde1d88cb65833747b8fd191410007e2bb1627620b

SHA512
fc97f335dd5d2f325db68d5f2ab9378b5e4f60fd934b2676cdad677eff5b056785eba1223a98e5bd048cb6f9798ff39fecb021fb21e34588b024616a8877d12b

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
eec85d6cff0acaf67024c96ea66e7322

SHA1
37f345937623ed0f5ab5e52349cec315fa1b6c0c

SHA256
f2cdb5c3952d199b92b400a2dccab47e8e2947d1416d45c99f25c510e23107dd

SHA512
4f0a8fa8fb20f758513befbc44b557bf06bd2a294d67dae16ff0c9c45215647065a2840db9b14367f522198409d3ed90b81595cbc3966c76f58f2d7476fb7994

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
6ce9a35f26ebe6ab2459bd15d1539a11

SHA1
a4087ff45b1112668cb5d3622ae664ad3e2a1894

SHA256
e9c22145f23d4af670605a63340f2fcb7aad17a3208ad8ccd89da40b990499a0

SHA512
8ed877b443100f65d186d1b0c699f73a6416fb3a17563250b737a79ea09193c60942bfa03f0015b63f0cb1d00a996c7c155787e5ae86f4a52d43da1edf0fc008

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
508ef46b86e952d81c2e97d7b218279d

SHA1
aded1a7021de3d3c0e83822ebfced0fd125e898c

SHA256
142d53d4d22aeb22840f4079b7c4a15385e7e069b60f285a256a21e2bd3bb1b1

SHA512
e4a96b24dd005c96411d1a5482b27543d79b9d5df6b6e6cc525631df28f71d90b789b387e1eb5ff5b04dbe694460ec0dffccdfb1865d17069f9fb3018e45b922

Download Submit
memory/444-141-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1696-104-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1696-205-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1868-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1868-17-0x0000000001E00000-0x0000000001E1F000-memory.dmp

Filesize
124KB

Download
memory/1868-89-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1988-95-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1988-143-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1988-114-0x00000000002E0000-0x00000000002FF000-memory.dmp

Filesize
124KB

Download
memory/1992-61-0x0000000000400000-0x0000000000CB8000-memory.dmp

Filesize
8.7MB

Download
memory/2540-86-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2672-94-0x00000000047B0000-0x00000000047CF000-memory.dmp

Filesize
124KB

Download
memory/2672-206-0x0000000000400000-0x0000000000CB8000-memory.dmp

Filesize
8.7MB

Download
memory/2828-87-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2828-70-0x00000000002A0000-0x00000000002BF000-memory.dmp

Filesize
124KB

Download
memory/2892-134-0x0000000000330000-0x000000000034F000-memory.dmp

Filesize
124KB

Download
memory/2892-142-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3048-35-0x00000000003E0000-0x00000000003FF000-memory.dmp

Filesize
124KB

Download
memory/3048-88-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download