Analysis
-
max time kernel
146s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
18-11-2024 09:28
Behavioral task
behavioral1
Sample
710b936106397a34d7f1000e74f032687067b21893d76ccfd3ea4bf5d9111d91N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
710b936106397a34d7f1000e74f032687067b21893d76ccfd3ea4bf5d9111d91N.exe
Resource
win10v2004-20241007-en
General
-
Target
710b936106397a34d7f1000e74f032687067b21893d76ccfd3ea4bf5d9111d91N.exe
-
Size
2.4MB
-
MD5
bfe942ca711739d291ad987cc724a3a0
-
SHA1
317df04b21c29b20c45c4a007ca33cf3d6357392
-
SHA256
710b936106397a34d7f1000e74f032687067b21893d76ccfd3ea4bf5d9111d91
-
SHA512
836bd519511e760a8496787f02dfe26aeb3b45c1603cbbaa2c7adcb5dccb7fc794a87033634f8870fe686e864b6fca42bc920ebc934e78f0f4c7b7d4c10d84e8
-
SSDEEP
49152:snsHyjtk2MYC5GDvxdth7VaHBIW2Y4XxChF6Hq2BIetbWx:snsmtk2a8F6fT4XAhIH+eVWx
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Xred family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation 710b936106397a34d7f1000e74f032687067b21893d76ccfd3ea4bf5d9111d91N.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation Synaptics.exe -
Executes dropped EXE 11 IoCs
pid Process 2848 ._cache_710b936106397a34d7f1000e74f032687067b21893d76ccfd3ea4bf5d9111d91N.exe 4908 Synaptics.exe 2324 Setup.exe 2540 IKernel.exe 4036 ._cache_Synaptics.exe 5084 IKernel.exe 2836 Setup.exe 1268 IKernel.exe 2972 IKernel.exe 1084 iKernel.exe 1436 iKernel.exe -
Loads dropped DLL 20 IoCs
pid Process 5084 IKernel.exe 5084 IKernel.exe 5084 IKernel.exe 5084 IKernel.exe 2972 IKernel.exe 2972 IKernel.exe 2972 IKernel.exe 2972 IKernel.exe 5084 IKernel.exe 2324 Setup.exe 5084 IKernel.exe 5084 IKernel.exe 5084 IKernel.exe 5084 IKernel.exe 5084 IKernel.exe 5084 IKernel.exe 5084 IKernel.exe 5084 IKernel.exe 5084 IKernel.exe 5084 IKernel.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" 710b936106397a34d7f1000e74f032687067b21893d76ccfd3ea4bf5d9111d91N.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 27 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\setup.ini IKernel.exe File created C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\temp.000 Setup.exe File created C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\obje9366.rra IKernel.exe File opened for modification C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\corecomp.ini IKernel.exe File opened for modification C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuser.dll IKernel.exe File created C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\layod830.rra IKernel.exe File created C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuse9376.rra IKernel.exe File created C:\Program Files (x86)\Common Files\InstallShield\IScript\iscr93e3.rra IKernel.exe File opened for modification C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\data1.cab IKernel.exe File created C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Setud830.rra IKernel.exe File opened for modification C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe Setup.exe File opened for modification C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\corecomp.ini IKernel.exe File opened for modification C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\layout.bin IKernel.exe File opened for modification C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Setup.exe IKernel.exe File created C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\datad830.rra IKernel.exe File created C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\setud84f.rra IKernel.exe File opened for modification C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\objectps.dll IKernel.exe File opened for modification C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll IKernel.exe File opened for modification C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\data1.hdr IKernel.exe File created C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Setud84f.rra IKernel.exe File created C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\core92e9.rra IKernel.exe File opened for modification C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\corecomp.ini IKernel.exe File opened for modification C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor.dll IKernel.exe File opened for modification C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Setup.ini IKernel.exe File opened for modification C:\Program Files (x86)\InstallShield Installation Information IKernel.exe File created C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor92f9.rra IKernel.exe File opened for modification C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\setup.inx IKernel.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 710b936106397a34d7f1000e74f032687067b21893d76ccfd3ea4bf5d9111d91N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_710b936106397a34d7f1000e74f032687067b21893d76ccfd3ea4bf5d9111d91N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IKernel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IKernel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iKernel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IKernel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IKernel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iKernel.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001d4141155d34ac580000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001d4141150000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001d414115000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1d414115000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001d41411500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.LogServices\ = "SetupLogServices Class" IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{44D61997-B7D4-11D2-80BA-00104B1F6CEA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2060-CB55-11D2-8094-00104B1F9838}\TypeLib\Version = "1.0" IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2583251F-0A04-11D3-886B-00C04F72F303}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9CD1A93-D7B4-11D2-80C5-00104B1F6CEA}\ = "InstallShield setup user interafce" IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9CD1A93-D7B4-11D2-80C5-00104B1F6CEA}\VersionIndependentProgID IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FEBEC920-1849-11D3-A8FE-00105A088FAC}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}" IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AFED5DD0-0694-11D4-A934-00105A088FAC}\TypeLib\Version = "1.0" IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{94F4A332-A2AE-11D3-8378-00C04F59FBE9}\TypeLib IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2065-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" iKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}" IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32 IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2065-CB55-11D2-8094-00104B1F9838} IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91814EC5-B5F0-11D2-80B9-00104B1F6CEA}\ProxyStubClsid32 IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D795704-435D-11D3-88FF-00C04F72F303}\ProxyStubClsid32 IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4AAC3B1-C547-11D3-B289-00C04F59FBE9} IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9E561C6B-425D-4E3D-95CA-A2D289D7C3FB}\TypeLib IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838} IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE6115A1-7DE5-48DC-AD2A-25060E00FCE2}\TypeLib IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAB9BF17-267D-11D3-88B6-00C04F72F303}\TypeLib IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA7E2086-CB55-11D2-8094-00104B1F9838}\VersionIndependentProgID\ = "Setup.ScriptDriverWrapper" IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22D84EC7-E201-4432-B3ED-A9DCA3604594}\LocalServer32 IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{61892D50-28EF-11D3-A8FF-00105A088FAC}\TypeLib IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7D06080-238B-11D3-80D7-00104B1F6CEA}\ProgID IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.Kernel\CLSID iKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2062-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32 IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{348440B0-C79A-11D3-B28B-00C04F59FBE9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27D2CF3C-D5B0-11D2-8094-00104B1F9838}\1.0 IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{94F4A332-A2AE-11D3-8378-00C04F59FBE9}\TypeLib\Version = "1.0" IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2065-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" iKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EDE94BF2-4FB9-11D5-ABAB-00B0D02332EB} IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2065-CB55-11D2-8094-00104B1F9838}\TypeLib IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91814EC0-B5F0-11D2-80B9-00104B1F6CEA} IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}" IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2065-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}" IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDF8B49D-16D0-49A5-B133-ABE7DCC23DAF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2084-CB55-11D2-8094-00104B1F9838} IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65D37452-0EBB-11D3-887B-00C04F72F303}\ = "ISetupRegistry" IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4817E4B-04B6-11D3-8862-00C04F72F303}\ProxyStubClsid32\ = "{F4817E4B-04B6-11D3-8862-00C04F72F303}" IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4DFB7010-41EB-11D3-BBBA-00105A1F0D68}\ = "ISetupScriptController" IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54DADAB3-28A6-11D3-88BA-00C04F72F303}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9E561C6B-425D-4E3D-95CA-A2D289D7C3FB} IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2583251F-0A04-11D3-886B-00C04F72F303}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}" IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2068-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}" iKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\ = "PSFactoryBuffer" IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4FF39B9-1A05-11D3-8896-00C04F72F303} IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1B9357F-24B9-11D3-88B2-00C04F72F303}\TypeLib\Version = "1.0" IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}" IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7BB118F1-6D5B-470E-82D0-AFB042724560}\ProxyStubClsid32 IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2060-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}" IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}\1.0 IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE6115A1-7DE5-48DC-AD2A-25060E00FCE2} IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE6115A1-7DE5-48DC-AD2A-25060E00FCE2}\ = "ISetupTransferEvents2" IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE6115A1-7DE5-48DC-AD2A-25060E00FCE2}\TypeLib\Version = "1.0" IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8415DDF9-1C1D-11D3-889D-00C04F72F303}\ = "ISetupShell" IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E1B9357F-24B9-11D3-88B2-00C04F72F303} IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AFED5DD0-0694-11D4-A934-00105A088FAC} IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EDE94BF2-4FB9-11D5-ABAB-00B0D02332EB}\TypeLib\Version = "1.0" IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22D84EC7-E201-4432-B3ED-A9DCA3604594}\ProgID IKernel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}" IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Setup.Kernel.1\CLSID IKernel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}\1.0\0 IKernel.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2372 EXCEL.EXE -
Suspicious use of AdjustPrivilegeToken 11 IoCs
description pid Process Token: SeBackupPrivilege 2944 vssvc.exe Token: SeRestorePrivilege 2944 vssvc.exe Token: SeAuditPrivilege 2944 vssvc.exe Token: SeBackupPrivilege 3580 srtasks.exe Token: SeRestorePrivilege 3580 srtasks.exe Token: SeSecurityPrivilege 3580 srtasks.exe Token: SeTakeOwnershipPrivilege 3580 srtasks.exe Token: SeBackupPrivilege 3580 srtasks.exe Token: SeRestorePrivilege 3580 srtasks.exe Token: SeSecurityPrivilege 3580 srtasks.exe Token: SeTakeOwnershipPrivilege 3580 srtasks.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2372 EXCEL.EXE 2372 EXCEL.EXE 2372 EXCEL.EXE 2372 EXCEL.EXE -
Suspicious use of WriteProcessMemory 27 IoCs
description pid Process procid_target PID 2276 wrote to memory of 2848 2276 710b936106397a34d7f1000e74f032687067b21893d76ccfd3ea4bf5d9111d91N.exe 86 PID 2276 wrote to memory of 2848 2276 710b936106397a34d7f1000e74f032687067b21893d76ccfd3ea4bf5d9111d91N.exe 86 PID 2276 wrote to memory of 2848 2276 710b936106397a34d7f1000e74f032687067b21893d76ccfd3ea4bf5d9111d91N.exe 86 PID 2276 wrote to memory of 4908 2276 710b936106397a34d7f1000e74f032687067b21893d76ccfd3ea4bf5d9111d91N.exe 87 PID 2276 wrote to memory of 4908 2276 710b936106397a34d7f1000e74f032687067b21893d76ccfd3ea4bf5d9111d91N.exe 87 PID 2276 wrote to memory of 4908 2276 710b936106397a34d7f1000e74f032687067b21893d76ccfd3ea4bf5d9111d91N.exe 87 PID 2848 wrote to memory of 2324 2848 ._cache_710b936106397a34d7f1000e74f032687067b21893d76ccfd3ea4bf5d9111d91N.exe 88 PID 2848 wrote to memory of 2324 2848 ._cache_710b936106397a34d7f1000e74f032687067b21893d76ccfd3ea4bf5d9111d91N.exe 88 PID 2848 wrote to memory of 2324 2848 ._cache_710b936106397a34d7f1000e74f032687067b21893d76ccfd3ea4bf5d9111d91N.exe 88 PID 2324 wrote to memory of 2540 2324 Setup.exe 89 PID 2324 wrote to memory of 2540 2324 Setup.exe 89 PID 2324 wrote to memory of 2540 2324 Setup.exe 89 PID 4908 wrote to memory of 4036 4908 Synaptics.exe 90 PID 4908 wrote to memory of 4036 4908 Synaptics.exe 90 PID 4908 wrote to memory of 4036 4908 Synaptics.exe 90 PID 4036 wrote to memory of 2836 4036 ._cache_Synaptics.exe 92 PID 4036 wrote to memory of 2836 4036 ._cache_Synaptics.exe 92 PID 4036 wrote to memory of 2836 4036 ._cache_Synaptics.exe 92 PID 2836 wrote to memory of 1268 2836 Setup.exe 93 PID 2836 wrote to memory of 1268 2836 Setup.exe 93 PID 2836 wrote to memory of 1268 2836 Setup.exe 93 PID 5084 wrote to memory of 1084 5084 IKernel.exe 95 PID 5084 wrote to memory of 1084 5084 IKernel.exe 95 PID 5084 wrote to memory of 1084 5084 IKernel.exe 95 PID 2972 wrote to memory of 1436 2972 IKernel.exe 96 PID 2972 wrote to memory of 1436 2972 IKernel.exe 96 PID 2972 wrote to memory of 1436 2972 IKernel.exe 96 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\710b936106397a34d7f1000e74f032687067b21893d76ccfd3ea4bf5d9111d91N.exe"C:\Users\Admin\AppData\Local\Temp\710b936106397a34d7f1000e74f032687067b21893d76ccfd3ea4bf5d9111d91N.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Users\Admin\AppData\Local\Temp\._cache_710b936106397a34d7f1000e74f032687067b21893d76ccfd3ea4bf5d9111d91N.exe"C:\Users\Admin\AppData\Local\Temp\._cache_710b936106397a34d7f1000e74f032687067b21893d76ccfd3ea4bf5d9111d91N.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Users\Admin\AppData\Local\Temp\pft8DBB.tmp\Disk1\Setup.exe"C:\Users\Admin\AppData\Local\Temp\pft8DBB.tmp\Disk1\Setup.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe"C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe" -RegServer4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2540
-
-
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4036 -
C:\Users\Admin\AppData\Local\Temp\pft9155.tmp\Disk1\Setup.exe"C:\Users\Admin\AppData\Local\Temp\pft9155.tmp\Disk1\Setup.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe"C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe" -RegServer5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1268
-
-
-
-
-
C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exeC:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe -Embedding1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe"C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe" /REGSERVER2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1084
-
-
C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exeC:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe -Embedding1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe"C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe" /REGSERVER2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1436
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2944
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2372
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:21⤵
- Suspicious use of AdjustPrivilegeToken
PID:3580
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
27KB
MD562d5f9827d867eb3e4ab9e6b338348a1
SHA1828e72f9c845b1c0865badaef40d63fb36447293
SHA2565214789c08ee573e904990dcd29e9e03aaf5cf12e86fae368005fd8f4e371bd5
SHA512b38bb74dc2e528c2a58a7d14a07bd1ecaaf55168b53afc8f4718f3bf5d6f8c8b922b98551a355ebb1009f23cff02fd8596413468993a43756c4de7dfed573732
-
Filesize
600KB
MD5b3fd01873bd5fd163ab465779271c58f
SHA1e1ff9981a09ab025d69ac891bfc931a776294d4d
SHA256985eb55ecb750da812876b8569d5f1999a30a24bcc54f9bab4d3fc44dfedb931
SHA5126674ab1d65da9892b7dd2fd37f300e087f58239262d44505b53379c676fd16da5443d2292aeaae01d3e6c40960b12f9cac651418c827d2a33c29a6cdf874be43
-
Filesize
76KB
MD5003a6c011aac993bcde8c860988ce49b
SHA16d39d650dfa5ded45c4e0cb17b986893061104a7
SHA256590be865ddf8c8d0431d8f92aa3948cc3c1685fd0649d607776b81cd1e267d0a
SHA512032aba4403eb45646aa1413fdc6c5d08baab4d0306d20b4209e70c84e47f6b72e68457bbc4331a5f1a5fa44aa776a89eb9fd29d0d956fa2fe11364c26ab09ee7
-
Filesize
172KB
MD5377765fd4de3912c0f814ee9f182feda
SHA1a0ab6a28f4ba057d5eae5c223420eb599cd4d3b1
SHA2568efcbd8752d8bbfd7ee559502d1aa28134c9bf391bf7fc5ce6fdfd4473599afb
SHA51231befb11715f78043b7684287b4086ce003cb66f97c6eff8c2b438eae29045d8856172c6b898be9f08c139edc4647c2bce000da497aed208b7a5a69d4d90c710
-
Filesize
32KB
MD58f02b204853939f8aefe6b07b283be9a
SHA1c161b9374e67d5fa3066ea03fc861cc0023eb3cc
SHA25632c6ad91dc66bc12e1273b1e13eb7a15d6e8f63b93447909ca2163dd21b22998
SHA5128df23b7d80a4dd32c484ca3bd1922e11938d7ecda9fc5fd5045eed882054efca7b7131ea109c4f20d8279845ffeb50ef46fb7419d190b8cf307eb00168746e59
-
Filesize
220KB
MD5b2f7e6dc7e4aae3147fbfc74a2ddb365
SHA1716301112706e93f85977d79f0e8f18f17fb32a7
SHA2564f77a9018b6b0d41151366e9acab3397416d114fc895703deb82b20f40116ad1
SHA512e6ae396bd9b4f069b5fafe135c0f83718cc236d1cf9007db7305bd5442c86483c0f1e0fad9cd6d547e8715278e23e6fafa973c63ebbe998a31a2153dbbbe7f83
-
C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Setup.ini
Filesize200B
MD52faaf3e9574a06e5fd06128832059804
SHA1bd674c3d5d52bc77aad7151ec41faff98d9ffe3f
SHA256e564cdc2a8560d1307340c94006227e4d59c443514d2ddd1c6086af57a6d46ad
SHA51211896122d14862617b92e2917753d880298a126826013bf8c8d1b4bf90153ecf3c8dc09accbc355e49f9be162c5193fcd12e28dcab1a9e87aa59793c40cb5b3c
-
Filesize
2.4MB
MD5bfe942ca711739d291ad987cc724a3a0
SHA1317df04b21c29b20c45c4a007ca33cf3d6357392
SHA256710b936106397a34d7f1000e74f032687067b21893d76ccfd3ea4bf5d9111d91
SHA512836bd519511e760a8496787f02dfe26aeb3b45c1603cbbaa2c7adcb5dccb7fc794a87033634f8870fe686e864b6fca42bc920ebc934e78f0f4c7b7d4c10d84e8
-
C:\Users\Admin\AppData\Local\Temp\._cache_710b936106397a34d7f1000e74f032687067b21893d76ccfd3ea4bf5d9111d91N.exe
Filesize1.6MB
MD506c21d83808efc7c0348753acff24e1e
SHA1a5fcbd6893610e89ed924f4d27d740ad6f462a2a
SHA256c503d2caad26da47dc01712b5fbad62980f7150facf0511e21d452ac64d13b6e
SHA512a939d05a45282233b41c98ac992b74542df2a4146155e2bdc86f3a934be67b92d8fd336d7265e54ec477691a94697d303643597f1d4a636207f1b80d798abc96
-
Filesize
338KB
MD593b63f516482715a784bbec3a0bf5f3a
SHA12478feca446576c33e96e708256d4c6c33e3fa68
SHA256fbf95719b956b548b947436e29feb18bb884e01f75ae31b05c030ebd76605249
SHA5122c8f29dda748e21231ab8c30c7a57735104b786120bb392eb1c20a320f2dddde392d136fd0c70853bb9af851bbe47df2955d8f9d5973b64870ac90bd12d2dd70
-
Filesize
17KB
MD5af4d37aad8b34471da588360a43e768a
SHA183ed64667d4e68ea531b8bcf58aab3ed4a5ca998
SHA256e7550c3453156531308fda255a198c3710aa4bc7412819c180b103c11e85cef1
SHA51274f5000038c47b7c909c4ee5740e0e87cac12c9c96fff8b1c7ec749541ee3d4b7efd80f9ac02cd39809dca3f2707d0063fa852a3a541342d93a9d03de08823da
-
Filesize
164KB
MD5fb6674a519505cc93e28cf600bbc23a3
SHA1d5dbd3dabc4872710d5bdabfb3829f976efe92c6
SHA256fe95a9fc8b2cdb5add76fbd326b1a11801eaa43c7d908f20cbdf413fd4d8dfde
SHA512fd4e93d545a704bbc197bcbfd1731c24fffff7aa05db11ed4ad9bcac458253b8fb368d13e48df3d3d322044f4d4cc9e134c24cc7bee4079110f591623e988912
-
Filesize
172B
MD5f538540e2cfc9a49e1d1a19d7db8234f
SHA14ccc89fe6709a2b58d675e70e1150af32a399d4d
SHA2562f6f2a479b5a083238d960bb24c5f9f9bd551777e9f66205defeeac6db51eb81
SHA512d469cba1840803096590d7d44c998459623fc1176f10e14884ac62abc2daa18924c2b174c432bbfdda571c10affe84c6cd54668cce58d8f927e5a31225d88044
-
Filesize
1.3MB
MD5fc1dc50af3c04a4504005db443b047be
SHA1df5b171c45b10d3ca7c9a30285f6bb3b5b9f8ea5
SHA25696a8733706b182b10c60c509c0cca9e1da329385b78a7fe5bbe1655168c966f7
SHA512f418e0d9fcd7935fd43f9928d86d16266ae896ddd72cc5e3a8235bc4ee365253b6fe4bfec31c217414b60a72a9ef1b4e790c4bbd78d29678a01304be23a090cd
-
Filesize
586KB
MD57a6a7bed57891197746b6f32344c75f5
SHA183a0d2d72052f86cc6fce776490189317684764e
SHA25652e8bfd8231b9fc5fa91541a7b73e9a378bff912d73f260f9697395e13934fb3
SHA5126396266d4f8e1b986d0f3d6814999caa38832116e84a752ee29a853d7753d162e1586970cc87f138820a2a3644899864f1cd1835be6d9a759842087f20b0a8b8
-
Filesize
14KB
MD5b2caa6c179bd67968e7828e9005a07f7
SHA16dc8d77254cb32b73047ca6310e2bb7c3953bdd7
SHA256d2f967c808f13b3d64d99f2109a735dd759a5814f8a1fa72aa1751035904499b
SHA51207a7c517e379ab5821867fadaa5e2c75245745d2c8b029849de0b468a9f5a0f3777ea02e2999f3d8ccc7ae969d020efba3e800ba01e30fb584de153c77f44a0b
-
Filesize
380KB
MD53f665a0e2eb71ca283522916c3519dd6
SHA1c0bfef9824b40c1e29adc0c81f8c15d1d0ec984b
SHA2561c479ea42ad6188db660d39726c7a8b7072ad6ae4805475c96ec6dc39ec92655
SHA5127ce361dc93f9e852e4df2158a8cab2436a5ffdd0f936dbcbb869cafe43b3ce54a042737ef84a1fddaca4c40bf1dc870eaf72144733cd6049886e710356a6b7a6
-
Filesize
417B
MD5879bd0a51200b47312d8c4b78f740858
SHA1acdaec259f2b4587dadf0d7d0f1b90442224c017
SHA256b2c060f31e0db36f18874ec85c55f1e0966c1dbaf2a132398d0f8bfa7a0a84a8
SHA5126df263d03f5796b522425514eacebf7110f6e73ae4cbd004c7757e6ce1e1e755ae79071366ed64f153b77556a4a239fab4222edfd7bf6e9061989a2e1247f1e1
-
Filesize
134KB
MD565c7eed62975bee4c118e332110daabf
SHA189dbf17bdb0992026d6a9b98c39cdc7c30351d73
SHA2561f5689560acf38d2a08eb546bedb8854337fd5961a44e28cc937db57c70c28e5
SHA51209cc634b42c9bdd21323d69d387fc5b67862fc2e2e83d7a37051d2aeb08b7b6fc17ae2cc15b5217e0af3f729e210731ed6733ce5fd1123057fcfd2ad32156640
-
Filesize
5KB
MD59efcc61a0baa38a6d7c67a05a97c7b87
SHA172b713a72ef7e972dfd5be5f79da8e9aacedb296
SHA2567ccb3a50ca08c66a220e4da614cbaba1d05157359edd174223c788b86d929edf
SHA512ac57100b76826af9f7650417dd765c23b522e31a1f3b44bfe9e70ed520bf6c6eb1978118a8147c99487b05a7a4c4afc964f457b79f921ff8236e4d60561b1238
-
Filesize
252KB
MD548ea604d4fa7d9af5b121c04db6a2fec
SHA1dc3c04977106bc1fbf1776a6b27899d7b81fb937
SHA256cbe8127704f36adcc6adbab60df55d1ff8fb7e600f1337fb9c4a59644ba7aa2b
SHA5129206a1235ce6bd8ceda0ff80fc01842e9cbbeb16267b4a875a0f1e6ea202fd4cbd1a52f8a51bed35a2b38252eb2b2cd2426dc7d24b1ea715203cc0935d612707
-
Filesize
324KB
MD561c056d2df7ab769d6fd801869b828a9
SHA14213d0395692fa4181483ffb04eef4bda22cceee
SHA256148d8f53bba9a8d5558b192fb4919a5b0d9cb7fd9f8e481660f8667de4e89b66
SHA512a2da2558c44e80973badc2e5f283cec254a12dfbcc66c352c8f394e03b1e50f98551303eab6f7995ac4afd5a503bd29b690d778b0526233efc781695ed9e9172