xred | 3b4b87fdc8c5531b416d5d9817c8ea165c8a79ad4d23154a50cd55a4965a585d

System Information Discovery

Processes:

Synaptics.exe3b4b87fdc8c5531b416d5d9817c8ea165c8a79ad4d23154a50cd55a4965a585d.exetmp142.exe._cache_tmp142.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	3b4b87fdc8c5531b416d5d9817c8ea165c8a79ad4d23154a50cd55a4965a585d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	tmp142.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	._cache_tmp142.exe

Executes dropped EXE 7 IoCs

Processes:

tmp142.exetmp142.exe._cache_tmp142.exeSynaptics.exeServer.exeSynaptics.exe._cache_Synaptics.exe

pid process

4168 tmp142.exe
972 tmp142.exe
1676 ._cache_tmp142.exe
2696 Synaptics.exe
2600 Server.exe
3416 Synaptics.exe
1084 ._cache_Synaptics.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

pid	process
4168	tmp142.exe
972	tmp142.exe
1676	._cache_tmp142.exe
2696	Synaptics.exe
2600	Server.exe
3416	Synaptics.exe
1084	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

tmp142.exe._cache_tmp142.exeServer.exe._cache_Synaptics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	tmp142.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Local\\Temp\\._cache_tmp142.exe"	._cache_tmp142.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\VanToM Folder\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Local\\Temp\\._cache_Synaptics.exe"	._cache_Synaptics.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

Processes:

tmp142.exeSynaptics.exe

description	pid	process	target process
PID 4168 set thread context of 972	4168	tmp142.exe	tmp142.exe
PID 2696 set thread context of 3416	2696	Synaptics.exe	Synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3b4b87fdc8c5531b416d5d9817c8ea165c8a79ad4d23154a50cd55a4965a585d.exetmp142.execmd.exetmp142.exeSynaptics.exeSynaptics.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b4b87fdc8c5531b416d5d9817c8ea165c8a79ad4d23154a50cd55a4965a585d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp142.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp142.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 6 IoCs

Processes:

Server.exeOpenWith.exeSynaptics.exe._cache_Synaptics.exeOpenWith.exetmp142.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	Server.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	tmp142.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3540 EXCEL.EXE

pid	process
3540	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

3b4b87fdc8c5531b416d5d9817c8ea165c8a79ad4d23154a50cd55a4965a585d.exetmp142.exeSynaptics.exe

pid	process
4348	3b4b87fdc8c5531b416d5d9817c8ea165c8a79ad4d23154a50cd55a4965a585d.exe
4348	3b4b87fdc8c5531b416d5d9817c8ea165c8a79ad4d23154a50cd55a4965a585d.exe
4168	tmp142.exe
4168	tmp142.exe
2696	Synaptics.exe
2696	Synaptics.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

._cache_tmp142.exeServer.exe._cache_Synaptics.exe

pid process

1676 ._cache_tmp142.exe
2600 Server.exe
1084 ._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

._cache_tmp142.exeServer.exeOpenWith.exeEXCEL.EXE._cache_Synaptics.exeOpenWith.exe

pid	process
1676	._cache_tmp142.exe
2600	Server.exe
2020	OpenWith.exe
3540	EXCEL.EXE
3540	EXCEL.EXE
1084	._cache_Synaptics.exe
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
3540	EXCEL.EXE
1072	OpenWith.exe
3540	EXCEL.EXE
3540	EXCEL.EXE

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

3b4b87fdc8c5531b416d5d9817c8ea165c8a79ad4d23154a50cd55a4965a585d.exetmp142.exetmp142.exe._cache_tmp142.exeSynaptics.exeSynaptics.exe

description	pid	process	target process
PID 4348 wrote to memory of 4168	4348	3b4b87fdc8c5531b416d5d9817c8ea165c8a79ad4d23154a50cd55a4965a585d.exe	tmp142.exe
PID 4348 wrote to memory of 4168	4348	3b4b87fdc8c5531b416d5d9817c8ea165c8a79ad4d23154a50cd55a4965a585d.exe	tmp142.exe
PID 4348 wrote to memory of 4168	4348	3b4b87fdc8c5531b416d5d9817c8ea165c8a79ad4d23154a50cd55a4965a585d.exe	tmp142.exe
PID 4348 wrote to memory of 3084	4348	3b4b87fdc8c5531b416d5d9817c8ea165c8a79ad4d23154a50cd55a4965a585d.exe	cmd.exe
PID 4348 wrote to memory of 3084	4348	3b4b87fdc8c5531b416d5d9817c8ea165c8a79ad4d23154a50cd55a4965a585d.exe	cmd.exe
PID 4348 wrote to memory of 3084	4348	3b4b87fdc8c5531b416d5d9817c8ea165c8a79ad4d23154a50cd55a4965a585d.exe	cmd.exe
PID 4168 wrote to memory of 972	4168	tmp142.exe	tmp142.exe
PID 4168 wrote to memory of 972	4168	tmp142.exe	tmp142.exe
PID 4168 wrote to memory of 972	4168	tmp142.exe	tmp142.exe
PID 4168 wrote to memory of 972	4168	tmp142.exe	tmp142.exe
PID 4168 wrote to memory of 972	4168	tmp142.exe	tmp142.exe
PID 4168 wrote to memory of 972	4168	tmp142.exe	tmp142.exe
PID 4168 wrote to memory of 972	4168	tmp142.exe	tmp142.exe
PID 4168 wrote to memory of 972	4168	tmp142.exe	tmp142.exe
PID 4168 wrote to memory of 972	4168	tmp142.exe	tmp142.exe
PID 4168 wrote to memory of 972	4168	tmp142.exe	tmp142.exe
PID 4168 wrote to memory of 972	4168	tmp142.exe	tmp142.exe
PID 4168 wrote to memory of 972	4168	tmp142.exe	tmp142.exe
PID 4168 wrote to memory of 972	4168	tmp142.exe	tmp142.exe
PID 972 wrote to memory of 1676	972	tmp142.exe	._cache_tmp142.exe
PID 972 wrote to memory of 1676	972	tmp142.exe	._cache_tmp142.exe
PID 972 wrote to memory of 2696	972	tmp142.exe	Synaptics.exe
PID 972 wrote to memory of 2696	972	tmp142.exe	Synaptics.exe
PID 972 wrote to memory of 2696	972	tmp142.exe	Synaptics.exe
PID 1676 wrote to memory of 2600	1676	._cache_tmp142.exe	Server.exe
PID 1676 wrote to memory of 2600	1676	._cache_tmp142.exe	Server.exe
PID 2696 wrote to memory of 3416	2696	Synaptics.exe	Synaptics.exe
PID 2696 wrote to memory of 3416	2696	Synaptics.exe	Synaptics.exe
PID 2696 wrote to memory of 3416	2696	Synaptics.exe	Synaptics.exe
PID 2696 wrote to memory of 3416	2696	Synaptics.exe	Synaptics.exe
PID 2696 wrote to memory of 3416	2696	Synaptics.exe	Synaptics.exe
PID 2696 wrote to memory of 3416	2696	Synaptics.exe	Synaptics.exe
PID 2696 wrote to memory of 3416	2696	Synaptics.exe	Synaptics.exe
PID 2696 wrote to memory of 3416	2696	Synaptics.exe	Synaptics.exe
PID 2696 wrote to memory of 3416	2696	Synaptics.exe	Synaptics.exe
PID 2696 wrote to memory of 3416	2696	Synaptics.exe	Synaptics.exe
PID 2696 wrote to memory of 3416	2696	Synaptics.exe	Synaptics.exe
PID 2696 wrote to memory of 3416	2696	Synaptics.exe	Synaptics.exe
PID 2696 wrote to memory of 3416	2696	Synaptics.exe	Synaptics.exe
PID 3416 wrote to memory of 1084	3416	Synaptics.exe	._cache_Synaptics.exe
PID 3416 wrote to memory of 1084	3416	Synaptics.exe	._cache_Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\3b4b87fdc8c5531b416d5d9817c8ea165c8a79ad4d23154a50cd55a4965a585d.exe
"C:\Users\Admin\AppData\Local\Temp\3b4b87fdc8c5531b416d5d9817c8ea165c8a79ad4d23154a50cd55a4965a585d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Users\Admin\AppData\Local\Temp\tmp142.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp142.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4168
- - C:\Users\Admin\AppData\Local\Temp\tmp142.exe
    C:\Users\Admin\AppData\Local\Temp\tmp142.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:972
  - - C:\Users\Admin\AppData\Local\Temp\._cache_tmp142.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_tmp142.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1676
    - - C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2600
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\ProgramData\Synaptics\Synaptics.exe
        
        C:\ProgramData\Synaptics\Synaptics.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3416
      - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1084
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\3B4B87~1.EXE >> NUL
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3084

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2020

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3540

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

Modify Registry

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Query Registry

3

System Information Discovery

4

System Location Discovery

T1614

System Language Discovery