xred | 2cbf4a18cf8df6a631826a5006d13b3bf36d0971b8c96678b278fc99795a9386

Resubmissions

18-11-2024 08:39

241118-kkf6paxpdq 10

11-11-2024 17:15

241111-vsh1csscpj 10

Analysis

max time kernel
147s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
18-11-2024 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stix_Advanced_Tweak.exe
Size

1.5MB
MD5

43afea647840c9ed1d2888ce8c85ed32
SHA1

a9ca7722b5d49f42ae01dc20d3b7397f67647cd0
SHA256

2cbf4a18cf8df6a631826a5006d13b3bf36d0971b8c96678b278fc99795a9386
SHA512

ffe6cb55700d3e27544315998300c6d2532fa7b9085d9dd83088eb4579124579595c06ef9abe2fcc532468c5477a6fa13c57af2ae24df28b064050691ab48bc9
SSDEEP

24576:2nsJ39LyjbJkQFMhmC+6GD9k0TO7wx6RZrLSQeMeNyUc7nyWOqmpezMJQF:2nsHyjtk2MYC5GD60TO7JRZHSSr0py

Score

10^/10

xred backdoor discovery persistence phishing

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: wpm@9f017859w3e2d8f07pb5314abam9a646b7e
phishing
Executes dropped EXE 3 IoCs

Processes:

._cache_Stix_Advanced_Tweak.exeSynaptics.exe._cache_Synaptics.exe

pid process

4336 ._cache_Stix_Advanced_Tweak.exe
2036 Synaptics.exe
1164 ._cache_Synaptics.exe

pid	process
4336	._cache_Stix_Advanced_Tweak.exe
2036	Synaptics.exe
1164	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Stix_Advanced_Tweak.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Stix_Advanced_Tweak.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Stix_Advanced_Tweak.exeSynaptics.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Stix_Advanced_Tweak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 2 IoCs

Processes:

Stix_Advanced_Tweak.exeSynaptics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Stix_Advanced_Tweak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4564 EXCEL.EXE

pid	process
4564	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
3764	msedge.exe
3764	msedge.exe
488	msedge.exe
488	msedge.exe
4628	msedge.exe
4628	msedge.exe
2128	identity_helper.exe
2128	identity_helper.exe
900	msedge.exe
900	msedge.exe
900	msedge.exe
900	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

488 msedge.exe
488 msedge.exe
488 msedge.exe
488 msedge.exe
488 msedge.exe
488 msedge.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

._cache_Stix_Advanced_Tweak.exe._cache_Synaptics.exe

description pid process

Token: SeDebugPrivilege 4336 ._cache_Stix_Advanced_Tweak.exe
Token: SeDebugPrivilege 1164 ._cache_Synaptics.exe

description	pid	process
Token: SeDebugPrivilege	4336	._cache_Stix_Advanced_Tweak.exe
Token: SeDebugPrivilege	1164	._cache_Synaptics.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe
488	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

EXCEL.EXE

pid process

4564 EXCEL.EXE
4564 EXCEL.EXE
4564 EXCEL.EXE
4564 EXCEL.EXE
4564 EXCEL.EXE
4564 EXCEL.EXE

pid	process
4564	EXCEL.EXE
4564	EXCEL.EXE
4564	EXCEL.EXE
4564	EXCEL.EXE
4564	EXCEL.EXE
4564	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Stix_Advanced_Tweak.exeSynaptics.exe._cache_Stix_Advanced_Tweak.exemsedge.exe

description	pid	process	target process
PID 340 wrote to memory of 4336	340	Stix_Advanced_Tweak.exe	._cache_Stix_Advanced_Tweak.exe
PID 340 wrote to memory of 4336	340	Stix_Advanced_Tweak.exe	._cache_Stix_Advanced_Tweak.exe
PID 340 wrote to memory of 2036	340	Stix_Advanced_Tweak.exe	Synaptics.exe
PID 340 wrote to memory of 2036	340	Stix_Advanced_Tweak.exe	Synaptics.exe
PID 340 wrote to memory of 2036	340	Stix_Advanced_Tweak.exe	Synaptics.exe
PID 2036 wrote to memory of 1164	2036	Synaptics.exe	._cache_Synaptics.exe
PID 2036 wrote to memory of 1164	2036	Synaptics.exe	._cache_Synaptics.exe
PID 4336 wrote to memory of 488	4336	._cache_Stix_Advanced_Tweak.exe	msedge.exe
PID 4336 wrote to memory of 488	4336	._cache_Stix_Advanced_Tweak.exe	msedge.exe
PID 488 wrote to memory of 772	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 772	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3412	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3764	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 3764	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 1860	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 1860	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 1860	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 1860	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 1860	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 1860	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 1860	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 1860	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 1860	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 1860	488	msedge.exe	msedge.exe
PID 488 wrote to memory of 1860	488	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Stix_Advanced_Tweak.exe
"C:\Users\Admin\AppData\Local\Temp\Stix_Advanced_Tweak.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:340
- C:\Users\Admin\AppData\Local\Temp\._cache_Stix_Advanced_Tweak.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_Stix_Advanced_Tweak.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://stixtweaks.com/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd9a313cb8,0x7ffd9a313cc8,0x7ffd9a313cd8
      4⤵
      PID:772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,10568097240455593848,7278738399667161997,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
      4⤵
      PID:3412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,10568097240455593848,7278738399667161997,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3764
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,10568097240455593848,7278738399667161997,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
      4⤵
      PID:1860
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10568097240455593848,7278738399667161997,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
      4⤵
      PID:3476
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10568097240455593848,7278738399667161997,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
      4⤵
      PID:1656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1876,10568097240455593848,7278738399667161997,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5052 /prefetch:8
      4⤵
      PID:4884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10568097240455593848,7278738399667161997,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
      4⤵
      PID:2884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10568097240455593848,7278738399667161997,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
      4⤵
      PID:2292
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10568097240455593848,7278738399667161997,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1860 /prefetch:1
      4⤵
      PID:2728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,10568097240455593848,7278738399667161997,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
      4⤵
      PID:1988
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,10568097240455593848,7278738399667161997,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4628
  - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,10568097240455593848,7278738399667161997,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,10568097240455593848,7278738399667161997,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5520 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:900
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1164

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4564

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.5MB

MD5
43afea647840c9ed1d2888ce8c85ed32

SHA1
a9ca7722b5d49f42ae01dc20d3b7397f67647cd0

SHA256
2cbf4a18cf8df6a631826a5006d13b3bf36d0971b8c96678b278fc99795a9386

SHA512
ffe6cb55700d3e27544315998300c6d2532fa7b9085d9dd83088eb4579124579595c06ef9abe2fcc532468c5477a6fa13c57af2ae24df28b064050691ab48bc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb557349d7af9d6754aed39b4ace5bee

SHA1
04de2ac30defbb36508a41872ddb475effe2d793

SHA256
cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee

SHA512
f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aad1d98ca9748cc4c31aa3b5abfe0fed

SHA1
32e8d4d9447b13bc00ec3eb15a88c55c29489495

SHA256
2a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e

SHA512
150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
624B

MD5
646d6a58c3ef21ca18fec5e0050e6d5c

SHA1
0f87bfeb13fccb0d892d37ab31d629f46ab7d5c9

SHA256
3c23bc844a06f5188cfae91953ec04712be2e124e1abdacb70da4d5a1d7d8e4f

SHA512
17aa664611a01c934047539e8b676c6bbbea40fd3e0e62f9ebff44872fa4df2cc0be33783fea5fb06f92510c19bcdcac44dcf9cd08feaa25a9b40cc232662c95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
538B

MD5
05ec688778359001664e2d11c390f585

SHA1
b6f5e262702daf4107fc03b01c0fc8d3893b14a1

SHA256
2a82419318664a3f517000a97cc9f008a746aaade40d678857add0aa8361c993

SHA512
b1a124cce4f65dbe350b3be7ad7d9bf53165999eaf4ab5a480f666d5cf409f4f16370651d371b3c49fbb029d3fc43bf55e5b0559616bd7989c934b7728f66dde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ea043d461b0943fe652bd90fff06fdf9

SHA1
30cb1ea4bbf3a7923542492e68c4072df6b57f7d

SHA256
3fae2582e349e01f1a2d7e278d3281949be94712b2ec809a348aca2bf45d0a66

SHA512
1c2d3362c0a9ee38b542b1fd0f379cb1145f1f690628648af2782b272943b17c0934d41e81d6413ea04d1ee852c9a45faf3cd257fbcb8679c4b9606c520de62d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1081a0da5f942349e4880fe200498cdd

SHA1
8a7add03a09c2b9e4b519cb76d5589ba6eb762d7

SHA256
251fe31acc1abd4f5b8fca7d3dea347b5ea19ce8e179e8a7c8077d08e442bba7

SHA512
64f6c6d207093720a19c6edd15b143918a0ab19ef78b790bc074919bdec67c47911054b6f43dcbb49685d78812ed032ce2df5ba021df361cc563611f936754e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d4df534926f37922aa91bf5cb9e9324d

SHA1
dfe3ac2d42e4343f44503f92ecc13a855ee41421

SHA256
9df1182ce9b13b1655fb0be18505e39974d66eb4c9f1d197b2f0259669522b02

SHA512
2c4991adb00461fa5effecff1908a43be1cb208b1a10913f4c6a8ddb99f193bc5059ca1a999e913575917d6f0ccbe405c9ac7f3f96684148834b94e906877fad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f01b4bbafa103de07d17359e749bf7e3

SHA1
6370cb928719e4879d7935b9fc717e570bbbb212

SHA256
2867694165c91fa2e2c2186b028630fef8ba7b324b130421ee1aea75c1476bab

SHA512
444645bd53e69bf42a2f1a6815f2807ac4b12239a20dd9eb5f208c478d4f6d3d2a6e5f7c8ab37bf1949b506ed40b23adf44cbadfc7751ac33c001e7475443a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Stix_Advanced_Tweak.exe

Filesize
766KB

MD5
204feb8a295ab9432b3ec64419c98484

SHA1
d2ccef786b20d3c3a3ff164c51beb149583011df

SHA256
7267c4fe27fd5e9aaf8d564f209a12c496d0e053c501504d42cf7234a789cf08

SHA512
6d216e8f82bd0f2e9db49e67d5fa440bd1fa6dedeea2476585a8c01029ffbfa093088ac3bf5293edd49e0509c04821cebbfc63e47c6aae44eb7b8db67f6ee088

Download Submit
C:\Users\Admin\AppData\Local\Temp\BD875E00

Filesize
21KB

MD5
8fe3e5ca394c46b7ad5035bdb133a1b7

SHA1
553526a44b4351ab349bacdef44debc17cb079a5

SHA256
b95f5059abd08e4e3bc10128bb687888cd9225b58f1604181c3a2df3f2e93b75

SHA512
431e121ee145b76c8602cf478357a3d2ead49c83ee043d4f832188e1af844254a92a9e8486a6005c204bff2b7eb706e8cfdcb31e3b24f44622110106928ec61b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LsQ7Dver.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
\??\pipe\LOCAL\crashpad_488_NNCINMSQNBWGXRMI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/340-130-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/340-0-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/2036-252-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/2036-443-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/2036-133-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/2036-333-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/2036-261-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/4336-245-0x00007FFDAF5C3000-0x00007FFDAF5C5000-memory.dmp

Filesize
8KB

Download
memory/4336-183-0x000002F9DD110000-0x000002F9DD116000-memory.dmp

Filesize
24KB

Download
memory/4336-64-0x00007FFDAF5C3000-0x00007FFDAF5C5000-memory.dmp

Filesize
8KB

Download
memory/4336-72-0x000002F9C2B20000-0x000002F9C2BE4000-memory.dmp

Filesize
784KB

Download
memory/4336-140-0x000002F9C47C0000-0x000002F9C48AE000-memory.dmp

Filesize
952KB

Download
memory/4336-262-0x000002F9DD1A0000-0x000002F9DD1B0000-memory.dmp

Filesize
64KB

Download
memory/4336-200-0x000002F9DE770000-0x000002F9DE782000-memory.dmp

Filesize
72KB

Download
memory/4336-184-0x000002F9DD1A0000-0x000002F9DD1B0000-memory.dmp

Filesize
64KB

Download
memory/4336-207-0x000002F9DFA10000-0x000002F9DFA4C000-memory.dmp

Filesize
240KB

Download
memory/4564-197-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

Filesize
64KB

Download
memory/4564-195-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

Filesize
64KB

Download
memory/4564-199-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

Filesize
64KB

Download
memory/4564-196-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

Filesize
64KB

Download
memory/4564-257-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

Filesize
64KB

Download
memory/4564-258-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

Filesize
64KB

Download
memory/4564-198-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

Filesize
64KB

Download
memory/4564-202-0x00007FFD7C730000-0x00007FFD7C740000-memory.dmp

Filesize
64KB

Download
memory/4564-260-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

Filesize
64KB

Download
memory/4564-201-0x00007FFD7C730000-0x00007FFD7C740000-memory.dmp

Filesize
64KB

Download
memory/4564-259-0x00007FFD7F130000-0x00007FFD7F140000-memory.dmp

Filesize
64KB

Download