Analysis
-
max time kernel
112s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
18-11-2024 22:56
Behavioral task
behavioral1
Sample
b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe
Resource
win10v2004-20241007-en
General
-
Target
b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe
-
Size
2.4MB
-
MD5
4a3d911453118d58a4bc16043c726142
-
SHA1
30755f517d05c784ef5857b3d5fa665cea91b438
-
SHA256
b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2
-
SHA512
ad39db2d93687bec5761514440ef1566049a1c567fcd1ef852c52c312a24f3c2497e9c8ce9fc9564537b5607748daf87bc6f71f4cdd7e1f486833c58708f41f3
-
SSDEEP
49152:snsHyjtk2MYC5GDvxdth7VaHBIW2Y4XxChF6Hq2BIetbWr:snsmtk2a8F6fT4XAhIH+eVWr
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Xred family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation Synaptics.exe -
Executes dropped EXE 10 IoCs
pid Process 2860 ._cache_b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe 3744 Synaptics.exe 2648 Setup.exe 4376 IKernel.exe 1920 ._cache_Synaptics.exe 3704 Setup.exe 2724 IKernel.exe 1480 IKernel.exe 912 IKernel.exe 532 iKernel.exe -
Loads dropped DLL 16 IoCs
pid Process 2724 IKernel.exe 2724 IKernel.exe 2724 IKernel.exe 2724 IKernel.exe 2724 IKernel.exe 2648 Setup.exe 2724 IKernel.exe 2724 IKernel.exe 2724 IKernel.exe 2724 IKernel.exe 2724 IKernel.exe 2724 IKernel.exe 2724 IKernel.exe 2724 IKernel.exe 2724 IKernel.exe 2724 IKernel.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 30 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\objectps.dll IKernel.exe File created C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuseb91e.rra IKernel.exe File opened for modification C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuser.dll IKernel.exe File opened for modification C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\data1.hdr IKernel.exe File created C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Setude6.rra IKernel.exe File opened for modification C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe Setup.exe File opened for modification C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\corecomp.ini IKernel.exe File opened for modification C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Setup.ini IKernel.exe File created C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\setude6.rra IKernel.exe File opened for modification C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\setup.ini IKernel.exe File created C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctorb8a1.rra IKernel.exe File opened for modification C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor.dll IKernel.exe File created C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\objeb90f.rra IKernel.exe File created C:\Program Files (x86)\Common Files\InstallShield\IScript\iscrb97c.rra IKernel.exe File created C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\layodb7.rra IKernel.exe File opened for modification C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\data1.cab IKernel.exe File opened for modification C:\Program Files (x86)\InstallShield Installation Information IKernel.exe File opened for modification C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\corecomp.ini IKernel.exe File created C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctorb8b1.rra IKernel.exe File opened for modification C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor.dll IKernel.exe File opened for modification C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll IKernel.exe File opened for modification C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Setup.exe IKernel.exe File created C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\datadb7.rra IKernel.exe File created C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\coreb8a1.rra IKernel.exe File created C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\datadc6.rra IKernel.exe File opened for modification C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\setup.inx IKernel.exe File created C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\temp.000 Setup.exe File opened for modification C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\corecomp.ini IKernel.exe File opened for modification C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctorb8b1.rra IKernel.exe File opened for modification C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\layout.bin IKernel.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IKernel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IKernel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IKernel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IKernel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iKernel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Setup.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f914d34881601a250000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f914d3480000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f914d348000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df914d348000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f914d34800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}" IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF57A6F1-4101-11D3-88F6-00C04F72F303}\TypeLib IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2067-CB55-11D2-8094-00104B1F9838} IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27D2CF3C-D5B0-11D2-8094-00104B1F9838} IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C8D0880-1AC4-11D3-A8FF-00105A088FAC}\ProxyStubClsid32 IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{251753FA-FB3B-11D2-8842-00C04F72F303}\ = "ISetupFileRegistrar" IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80FDE82A-2CAA-11D3-88C3-00C04F72F303}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}" IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8415DDF9-1C1D-11D3-889D-00C04F72F303}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2067-CB55-11D2-8094-00104B1F9838}\ = "ISetupStringTable" IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1B1B8830-C559-11D3-B289-00C04F59FBE9}\TypeLib\Version = "1.0" IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D8B6331-D8B1-11D2-80C5-00104B1F6CEA}\TypeLib IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8415DE38-1C1D-11D3-889D-00C04F72F303}\TypeLib IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D8B6331-D8B1-11D2-80C5-00104B1F6CEA}\TypeLib IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c3c1b17-e59d-11d2-b40b-00a024b9dddd}\TreatAs\ = "{22D84EC7-E201-4432-B3ED-A9DCA3604594}" iKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3EE77D8B-40C1-4A2A-9B77-421907F02058}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65D37452-0EBB-11D3-887B-00C04F72F303}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{91814EC3-B5F0-11D2-80B9-00104B1F6CEA} IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D795704-435D-11D3-88FF-00C04F72F303}\TypeLib\Version = "1.0" IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54DADAB3-28A6-11D3-88BA-00C04F72F303}\TypeLib IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C4AAC3B1-C547-11D3-B289-00C04F59FBE9}\TypeLib IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.Kernel.1\ = "InstallShield setup kernel" IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}\ProgID\ = "Setup.Kernel.1" IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2068-CB55-11D2-8094-00104B1F9838}\TypeLib\Version = "1.0" IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B15A454-9067-4878-B10E-B9DFFE03049D} IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.LogServices\ = "SetupLogServices Class" IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.ScriptDriverWrapper\CLSID IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2064-CB55-11D2-8094-00104B1F9838} IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{067DBAA0-38DF-11D3-BBB7-00105A1F0D68}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91814EBF-B5F0-11D2-80B9-00104B1F6CEA}\ProxyStubClsid32 IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DED5FEEC-225A-11D3-88AA-00C04F72F303}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\ProxyStubClsid32 IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{112EB4F0-5A48-11D3-A90A-00105A088FAC}\TypeLib\Version = "1.0" IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.LogServices IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}\TypeLib IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F9922A2-F026-11D2-8822-00C04F72F303}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9CD1A93-D7B4-11D2-80C5-00104B1F6CEA}\VersionIndependentProgID\ = "Setup.User" IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{067DBAA0-38DF-11D3-BBB7-00105A1F0D68}\ProxyStubClsid32 IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EDE94BF2-4FB9-11D5-ABAB-00B0D02332EB}\TypeLib IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2583251F-0A04-11D3-886B-00C04F72F303}\ProxyStubClsid32 IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2583251F-0A04-11D3-886B-00C04F72F303}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54DADAB2-28A6-11D3-88BA-00C04F72F303}\TypeLib\Version = "1.0" IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.ScriptObjectWrapper\CLSID\ = "{AA7E2087-CB55-11D2-8094-00104B1F9838}" IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7BB118F1-6D5B-470E-82D0-AFB042724560}\TypeLib IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EDC2C10-66FE-11D3-A90F-00105A088FAC}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}" IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}\1.0\0 IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}\VersionIndependentProgID IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{91814EBF-B5F0-11D2-80B9-00104B1F6CEA} IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91814EC1-B5F0-11D2-80B9-00104B1F6CEA} IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}\LocalServer32 IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CC096170-E2CB-11D2-80C8-00104B1F6CEA} IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2064-CB55-11D2-8094-00104B1F9838}\TypeLib IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}\VersionIndependentProgID iKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22D84EC7-E201-4432-B3ED-A9DCA3604594}\LocalServer32 iKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}\1.0\0 IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32 IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4AAC3B1-C547-11D3-B289-00C04F59FBE9}\TypeLib\Version = "1.0" IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2064-CB55-11D2-8094-00104B1F9838} IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}" IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF57A6F0-4101-11D3-88F6-00C04F72F303}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" iKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91814EC1-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{251753FA-FB3B-11D2-8842-00C04F72F303}\ProxyStubClsid32 IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.LogServices\CLSID IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{80FDE82A-2CAA-11D3-88C3-00C04F72F303}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}" IKernel.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3620 EXCEL.EXE -
Suspicious use of AdjustPrivilegeToken 11 IoCs
description pid Process Token: SeBackupPrivilege 4964 vssvc.exe Token: SeRestorePrivilege 4964 vssvc.exe Token: SeAuditPrivilege 4964 vssvc.exe Token: SeBackupPrivilege 2584 srtasks.exe Token: SeRestorePrivilege 2584 srtasks.exe Token: SeSecurityPrivilege 2584 srtasks.exe Token: SeTakeOwnershipPrivilege 2584 srtasks.exe Token: SeBackupPrivilege 2584 srtasks.exe Token: SeRestorePrivilege 2584 srtasks.exe Token: SeSecurityPrivilege 2584 srtasks.exe Token: SeTakeOwnershipPrivilege 2584 srtasks.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 3620 EXCEL.EXE 3620 EXCEL.EXE 3620 EXCEL.EXE 3620 EXCEL.EXE -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 1312 wrote to memory of 2860 1312 b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe 86 PID 1312 wrote to memory of 2860 1312 b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe 86 PID 1312 wrote to memory of 2860 1312 b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe 86 PID 1312 wrote to memory of 3744 1312 b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe 87 PID 1312 wrote to memory of 3744 1312 b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe 87 PID 1312 wrote to memory of 3744 1312 b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe 87 PID 2860 wrote to memory of 2648 2860 ._cache_b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe 88 PID 2860 wrote to memory of 2648 2860 ._cache_b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe 88 PID 2860 wrote to memory of 2648 2860 ._cache_b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe 88 PID 2648 wrote to memory of 4376 2648 Setup.exe 107 PID 2648 wrote to memory of 4376 2648 Setup.exe 107 PID 2648 wrote to memory of 4376 2648 Setup.exe 107 PID 3744 wrote to memory of 1920 3744 Synaptics.exe 90 PID 3744 wrote to memory of 1920 3744 Synaptics.exe 90 PID 3744 wrote to memory of 1920 3744 Synaptics.exe 90 PID 1920 wrote to memory of 3704 1920 ._cache_Synaptics.exe 92 PID 1920 wrote to memory of 3704 1920 ._cache_Synaptics.exe 92 PID 1920 wrote to memory of 3704 1920 ._cache_Synaptics.exe 92 PID 3704 wrote to memory of 1480 3704 Setup.exe 94 PID 3704 wrote to memory of 1480 3704 Setup.exe 94 PID 3704 wrote to memory of 1480 3704 Setup.exe 94 PID 2724 wrote to memory of 532 2724 IKernel.exe 97 PID 2724 wrote to memory of 532 2724 IKernel.exe 97 PID 2724 wrote to memory of 532 2724 IKernel.exe 97 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe"C:\Users\Admin\AppData\Local\Temp\b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Users\Admin\AppData\Local\Temp\._cache_b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe"C:\Users\Admin\AppData\Local\Temp\._cache_b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Users\Admin\AppData\Local\Temp\pftB2B8.tmp\Disk1\Setup.exe"C:\Users\Admin\AppData\Local\Temp\pftB2B8.tmp\Disk1\Setup.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe"C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe" -RegServer4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4376
-
-
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3744 -
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Users\Admin\AppData\Local\Temp\pftB4FA.tmp\Disk1\Setup.exe"C:\Users\Admin\AppData\Local\Temp\pftB4FA.tmp\Disk1\Setup.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3704 -
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe"C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe" -RegServer5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1480
-
-
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3620
-
C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exeC:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe -Embedding1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe"C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe" /REGSERVER2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:532
-
-
C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exeC:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe -Embedding1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:912
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4964
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵PID:4376
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:21⤵
- Suspicious use of AdjustPrivilegeToken
PID:2584
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
27KB
MD562d5f9827d867eb3e4ab9e6b338348a1
SHA1828e72f9c845b1c0865badaef40d63fb36447293
SHA2565214789c08ee573e904990dcd29e9e03aaf5cf12e86fae368005fd8f4e371bd5
SHA512b38bb74dc2e528c2a58a7d14a07bd1ecaaf55168b53afc8f4718f3bf5d6f8c8b922b98551a355ebb1009f23cff02fd8596413468993a43756c4de7dfed573732
-
Filesize
600KB
MD5b3fd01873bd5fd163ab465779271c58f
SHA1e1ff9981a09ab025d69ac891bfc931a776294d4d
SHA256985eb55ecb750da812876b8569d5f1999a30a24bcc54f9bab4d3fc44dfedb931
SHA5126674ab1d65da9892b7dd2fd37f300e087f58239262d44505b53379c676fd16da5443d2292aeaae01d3e6c40960b12f9cac651418c827d2a33c29a6cdf874be43
-
Filesize
76KB
MD5003a6c011aac993bcde8c860988ce49b
SHA16d39d650dfa5ded45c4e0cb17b986893061104a7
SHA256590be865ddf8c8d0431d8f92aa3948cc3c1685fd0649d607776b81cd1e267d0a
SHA512032aba4403eb45646aa1413fdc6c5d08baab4d0306d20b4209e70c84e47f6b72e68457bbc4331a5f1a5fa44aa776a89eb9fd29d0d956fa2fe11364c26ab09ee7
-
Filesize
172KB
MD5377765fd4de3912c0f814ee9f182feda
SHA1a0ab6a28f4ba057d5eae5c223420eb599cd4d3b1
SHA2568efcbd8752d8bbfd7ee559502d1aa28134c9bf391bf7fc5ce6fdfd4473599afb
SHA51231befb11715f78043b7684287b4086ce003cb66f97c6eff8c2b438eae29045d8856172c6b898be9f08c139edc4647c2bce000da497aed208b7a5a69d4d90c710
-
Filesize
32KB
MD58f02b204853939f8aefe6b07b283be9a
SHA1c161b9374e67d5fa3066ea03fc861cc0023eb3cc
SHA25632c6ad91dc66bc12e1273b1e13eb7a15d6e8f63b93447909ca2163dd21b22998
SHA5128df23b7d80a4dd32c484ca3bd1922e11938d7ecda9fc5fd5045eed882054efca7b7131ea109c4f20d8279845ffeb50ef46fb7419d190b8cf307eb00168746e59
-
Filesize
220KB
MD5b2f7e6dc7e4aae3147fbfc74a2ddb365
SHA1716301112706e93f85977d79f0e8f18f17fb32a7
SHA2564f77a9018b6b0d41151366e9acab3397416d114fc895703deb82b20f40116ad1
SHA512e6ae396bd9b4f069b5fafe135c0f83718cc236d1cf9007db7305bd5442c86483c0f1e0fad9cd6d547e8715278e23e6fafa973c63ebbe998a31a2153dbbbe7f83
-
C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Setup.ini
Filesize200B
MD52faaf3e9574a06e5fd06128832059804
SHA1bd674c3d5d52bc77aad7151ec41faff98d9ffe3f
SHA256e564cdc2a8560d1307340c94006227e4d59c443514d2ddd1c6086af57a6d46ad
SHA51211896122d14862617b92e2917753d880298a126826013bf8c8d1b4bf90153ecf3c8dc09accbc355e49f9be162c5193fcd12e28dcab1a9e87aa59793c40cb5b3c
-
Filesize
2.4MB
MD54a3d911453118d58a4bc16043c726142
SHA130755f517d05c784ef5857b3d5fa665cea91b438
SHA256b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2
SHA512ad39db2d93687bec5761514440ef1566049a1c567fcd1ef852c52c312a24f3c2497e9c8ce9fc9564537b5607748daf87bc6f71f4cdd7e1f486833c58708f41f3
-
C:\Users\Admin\AppData\Local\Temp\._cache_b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe
Filesize1.6MB
MD506c21d83808efc7c0348753acff24e1e
SHA1a5fcbd6893610e89ed924f4d27d740ad6f462a2a
SHA256c503d2caad26da47dc01712b5fbad62980f7150facf0511e21d452ac64d13b6e
SHA512a939d05a45282233b41c98ac992b74542df2a4146155e2bdc86f3a934be67b92d8fd336d7265e54ec477691a94697d303643597f1d4a636207f1b80d798abc96
-
Filesize
17KB
MD5af4d37aad8b34471da588360a43e768a
SHA183ed64667d4e68ea531b8bcf58aab3ed4a5ca998
SHA256e7550c3453156531308fda255a198c3710aa4bc7412819c180b103c11e85cef1
SHA51274f5000038c47b7c909c4ee5740e0e87cac12c9c96fff8b1c7ec749541ee3d4b7efd80f9ac02cd39809dca3f2707d0063fa852a3a541342d93a9d03de08823da
-
Filesize
338KB
MD593b63f516482715a784bbec3a0bf5f3a
SHA12478feca446576c33e96e708256d4c6c33e3fa68
SHA256fbf95719b956b548b947436e29feb18bb884e01f75ae31b05c030ebd76605249
SHA5122c8f29dda748e21231ab8c30c7a57735104b786120bb392eb1c20a320f2dddde392d136fd0c70853bb9af851bbe47df2955d8f9d5973b64870ac90bd12d2dd70
-
Filesize
164KB
MD5fb6674a519505cc93e28cf600bbc23a3
SHA1d5dbd3dabc4872710d5bdabfb3829f976efe92c6
SHA256fe95a9fc8b2cdb5add76fbd326b1a11801eaa43c7d908f20cbdf413fd4d8dfde
SHA512fd4e93d545a704bbc197bcbfd1731c24fffff7aa05db11ed4ad9bcac458253b8fb368d13e48df3d3d322044f4d4cc9e134c24cc7bee4079110f591623e988912
-
Filesize
172B
MD5f538540e2cfc9a49e1d1a19d7db8234f
SHA14ccc89fe6709a2b58d675e70e1150af32a399d4d
SHA2562f6f2a479b5a083238d960bb24c5f9f9bd551777e9f66205defeeac6db51eb81
SHA512d469cba1840803096590d7d44c998459623fc1176f10e14884ac62abc2daa18924c2b174c432bbfdda571c10affe84c6cd54668cce58d8f927e5a31225d88044
-
Filesize
1.3MB
MD5fc1dc50af3c04a4504005db443b047be
SHA1df5b171c45b10d3ca7c9a30285f6bb3b5b9f8ea5
SHA25696a8733706b182b10c60c509c0cca9e1da329385b78a7fe5bbe1655168c966f7
SHA512f418e0d9fcd7935fd43f9928d86d16266ae896ddd72cc5e3a8235bc4ee365253b6fe4bfec31c217414b60a72a9ef1b4e790c4bbd78d29678a01304be23a090cd
-
Filesize
586KB
MD57a6a7bed57891197746b6f32344c75f5
SHA183a0d2d72052f86cc6fce776490189317684764e
SHA25652e8bfd8231b9fc5fa91541a7b73e9a378bff912d73f260f9697395e13934fb3
SHA5126396266d4f8e1b986d0f3d6814999caa38832116e84a752ee29a853d7753d162e1586970cc87f138820a2a3644899864f1cd1835be6d9a759842087f20b0a8b8
-
Filesize
14KB
MD5b2caa6c179bd67968e7828e9005a07f7
SHA16dc8d77254cb32b73047ca6310e2bb7c3953bdd7
SHA256d2f967c808f13b3d64d99f2109a735dd759a5814f8a1fa72aa1751035904499b
SHA51207a7c517e379ab5821867fadaa5e2c75245745d2c8b029849de0b468a9f5a0f3777ea02e2999f3d8ccc7ae969d020efba3e800ba01e30fb584de153c77f44a0b
-
Filesize
380KB
MD53f665a0e2eb71ca283522916c3519dd6
SHA1c0bfef9824b40c1e29adc0c81f8c15d1d0ec984b
SHA2561c479ea42ad6188db660d39726c7a8b7072ad6ae4805475c96ec6dc39ec92655
SHA5127ce361dc93f9e852e4df2158a8cab2436a5ffdd0f936dbcbb869cafe43b3ce54a042737ef84a1fddaca4c40bf1dc870eaf72144733cd6049886e710356a6b7a6
-
Filesize
417B
MD5879bd0a51200b47312d8c4b78f740858
SHA1acdaec259f2b4587dadf0d7d0f1b90442224c017
SHA256b2c060f31e0db36f18874ec85c55f1e0966c1dbaf2a132398d0f8bfa7a0a84a8
SHA5126df263d03f5796b522425514eacebf7110f6e73ae4cbd004c7757e6ce1e1e755ae79071366ed64f153b77556a4a239fab4222edfd7bf6e9061989a2e1247f1e1
-
Filesize
134KB
MD565c7eed62975bee4c118e332110daabf
SHA189dbf17bdb0992026d6a9b98c39cdc7c30351d73
SHA2561f5689560acf38d2a08eb546bedb8854337fd5961a44e28cc937db57c70c28e5
SHA51209cc634b42c9bdd21323d69d387fc5b67862fc2e2e83d7a37051d2aeb08b7b6fc17ae2cc15b5217e0af3f729e210731ed6733ce5fd1123057fcfd2ad32156640
-
Filesize
5KB
MD59efcc61a0baa38a6d7c67a05a97c7b87
SHA172b713a72ef7e972dfd5be5f79da8e9aacedb296
SHA2567ccb3a50ca08c66a220e4da614cbaba1d05157359edd174223c788b86d929edf
SHA512ac57100b76826af9f7650417dd765c23b522e31a1f3b44bfe9e70ed520bf6c6eb1978118a8147c99487b05a7a4c4afc964f457b79f921ff8236e4d60561b1238
-
Filesize
252KB
MD548ea604d4fa7d9af5b121c04db6a2fec
SHA1dc3c04977106bc1fbf1776a6b27899d7b81fb937
SHA256cbe8127704f36adcc6adbab60df55d1ff8fb7e600f1337fb9c4a59644ba7aa2b
SHA5129206a1235ce6bd8ceda0ff80fc01842e9cbbeb16267b4a875a0f1e6ea202fd4cbd1a52f8a51bed35a2b38252eb2b2cd2426dc7d24b1ea715203cc0935d612707
-
Filesize
324KB
MD561c056d2df7ab769d6fd801869b828a9
SHA14213d0395692fa4181483ffb04eef4bda22cceee
SHA256148d8f53bba9a8d5558b192fb4919a5b0d9cb7fd9f8e481660f8667de4e89b66
SHA512a2da2558c44e80973badc2e5f283cec254a12dfbcc66c352c8f394e03b1e50f98551303eab6f7995ac4afd5a503bd29b690d778b0526233efc781695ed9e9172