xred | 7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1

Analysis

max time kernel
111s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-11-2024 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe
Size

2.7MB
MD5

89b5d70f47802c99d07cfbd0a66aa31a
SHA1

14b7e4e18394a25e6221b1c4e3d3c267e6b0f79a
SHA256

7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1
SHA512

09956558088ccd7b27027d4b0d4c22751c5ad37dca92692cbd6fa229d20edf04bc564e3600db06b3028ed98650c08ca42aafdb1ab554f9b0d1703bdf1e10fbdd
SSDEEP

49152:0nsHyjtk2MYC5GD09D9vdaaGtXKEY9f5NsJwY03vMNOi:0nsmtk2aZD91aaXL4wY03kIi

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 6 IoCs

Processes:

._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exeSynaptics.exe._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.tmp._cache_Synaptics.exe._cache_Synaptics.tmpWBH-Diag.exe

pid	process
2052	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe
2360	Synaptics.exe
2832	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.tmp
2648	._cache_Synaptics.exe
1284	._cache_Synaptics.tmp
1800	WBH-Diag.exe

Loads dropped DLL 18 IoCs

Processes:

7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exeSynaptics.exe._cache_Synaptics.exe._cache_Synaptics.tmp._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.tmpWBH-Diag.exe

pid	process
2380	7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe
2380	7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe
2380	7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe
2052	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe
2360	Synaptics.exe
2360	Synaptics.exe
2648	._cache_Synaptics.exe
1284	._cache_Synaptics.tmp
1284	._cache_Synaptics.tmp
2832	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.tmp
2832	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.tmp
1284	._cache_Synaptics.tmp
1800	WBH-Diag.exe
1800	WBH-Diag.exe
1800	WBH-Diag.exe
1800	WBH-Diag.exe
1800	WBH-Diag.exe
1800	WBH-Diag.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 38 IoCs

Processes:

._cache_Synaptics.tmp._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.tmp

description	ioc	process
File created	C:\Program Files (x86)\wbh-diag\is-9UOPB.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\is-BNKUR.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\labelfiles_de\is-L3OVB.tmp	._cache_Synaptics.tmp
File opened for modification	C:\Program Files (x86)\wbh-diag\Microsoft.VisualBasic.PowerPacks.dll	._cache_Synaptics.tmp
File opened for modification	C:\Program Files (x86)\wbh-diag\MySql.Data.dll	._cache_Synaptics.tmp
File opened for modification	C:\Program Files (x86)\wbh-diag\WBH-Diag.vshost.exe	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.tmp
File created	C:\Program Files (x86)\wbh-diag\is-KJ0DP.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\is-ULQ9F.tmp	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.tmp
File created	C:\Program Files (x86)\wbh-diag\is-DP42N.tmp	._cache_Synaptics.tmp
File opened for modification	C:\Program Files (x86)\wbh-diag\unins000.dat	._cache_Synaptics.tmp
File opened for modification	C:\Program Files (x86)\wbh-diag\WBH-Diag.exe	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.tmp
File created	C:\Program Files (x86)\wbh-diag\unins000.dat	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\is-635HS.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\labelfiles_de\is-JQRCU.tmp	._cache_Synaptics.tmp
File opened for modification	C:\Program Files (x86)\wbh-diag\WBH-Diag.vshost.exe	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\labelfiles_de\is-QE8IF.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\labelfiles_de\is-B99G0.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\labelfiles_de\is-BDV83.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\is-HJ2KC.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\is-LUML9.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\is-LPO1R.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\is-7S6M5.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\labelfiles_de\is-2OPJN.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\labelfiles_de\is-R8KRC.tmp	._cache_Synaptics.tmp
File opened for modification	C:\Program Files (x86)\wbh-diag\WBH-Diag.exe	._cache_Synaptics.tmp
File opened for modification	C:\Program Files (x86)\wbh-diag\Microsoft.VisualBasic.PowerPacks.dll	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.tmp
File created	C:\Program Files (x86)\wbh-diag\is-MDAFP.tmp	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.tmp
File created	C:\Program Files (x86)\wbh-diag\is-I96L2.tmp	._cache_Synaptics.tmp
File opened for modification	C:\Program Files (x86)\wbh-diag\MySql.Data.dll	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.tmp
File created	C:\Program Files (x86)\wbh-diag\labelfiles_de\is-G94P0.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\labelfiles_de\is-2O7C7.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\is-QE2RN.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\labelfiles_de\is-1M3LK.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\labelfiles_de\is-LMHG3.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\unins001.dat	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.tmp
File created	C:\Program Files (x86)\wbh-diag\is-FAPRV.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\is-PJ5HN.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\wbh-diag\is-PRJ1M.tmp	._cache_Synaptics.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Synaptics.exe._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.tmpEXCEL.EXE._cache_Synaptics.exe._cache_Synaptics.tmpWBH-Diag.exe7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WBH-Diag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2792 EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
2792	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

._cache_Synaptics.tmp._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.tmp

pid	process
1284	._cache_Synaptics.tmp
1284	._cache_Synaptics.tmp
2832	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.tmp
2832	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.tmp

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

._cache_Synaptics.tmp._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.tmp

pid process

1284 ._cache_Synaptics.tmp
2832 ._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.tmp
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WBH-Diag.exe

description pid process

Token: SeDebugPrivilege 1800 WBH-Diag.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

._cache_Synaptics.tmp._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.tmp

pid process

1284 ._cache_Synaptics.tmp
2832 ._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.tmp
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid process

2792 EXCEL.EXE

description	pid	process
Token: SeDebugPrivilege	1800	WBH-Diag.exe

pid	process
2792	EXCEL.EXE

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exeSynaptics.exe._cache_Synaptics.exe._cache_Synaptics.tmp

description	pid	process	target process
PID 2380 wrote to memory of 2052	2380	7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe
PID 2380 wrote to memory of 2052	2380	7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe
PID 2380 wrote to memory of 2052	2380	7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe
PID 2380 wrote to memory of 2052	2380	7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe
PID 2380 wrote to memory of 2052	2380	7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe
PID 2380 wrote to memory of 2052	2380	7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe
PID 2380 wrote to memory of 2052	2380	7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe
PID 2380 wrote to memory of 2360	2380	7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe	Synaptics.exe
PID 2380 wrote to memory of 2360	2380	7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe	Synaptics.exe
PID 2380 wrote to memory of 2360	2380	7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe	Synaptics.exe
PID 2380 wrote to memory of 2360	2380	7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe	Synaptics.exe
PID 2052 wrote to memory of 2832	2052	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.tmp
PID 2052 wrote to memory of 2832	2052	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.tmp
PID 2052 wrote to memory of 2832	2052	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.tmp
PID 2052 wrote to memory of 2832	2052	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.tmp
PID 2052 wrote to memory of 2832	2052	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.tmp
PID 2052 wrote to memory of 2832	2052	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.tmp
PID 2052 wrote to memory of 2832	2052	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe	._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.tmp
PID 2360 wrote to memory of 2648	2360	Synaptics.exe	._cache_Synaptics.exe
PID 2360 wrote to memory of 2648	2360	Synaptics.exe	._cache_Synaptics.exe
PID 2360 wrote to memory of 2648	2360	Synaptics.exe	._cache_Synaptics.exe
PID 2360 wrote to memory of 2648	2360	Synaptics.exe	._cache_Synaptics.exe
PID 2360 wrote to memory of 2648	2360	Synaptics.exe	._cache_Synaptics.exe
PID 2360 wrote to memory of 2648	2360	Synaptics.exe	._cache_Synaptics.exe
PID 2360 wrote to memory of 2648	2360	Synaptics.exe	._cache_Synaptics.exe
PID 2648 wrote to memory of 1284	2648	._cache_Synaptics.exe	._cache_Synaptics.tmp
PID 2648 wrote to memory of 1284	2648	._cache_Synaptics.exe	._cache_Synaptics.tmp
PID 2648 wrote to memory of 1284	2648	._cache_Synaptics.exe	._cache_Synaptics.tmp
PID 2648 wrote to memory of 1284	2648	._cache_Synaptics.exe	._cache_Synaptics.tmp
PID 2648 wrote to memory of 1284	2648	._cache_Synaptics.exe	._cache_Synaptics.tmp
PID 2648 wrote to memory of 1284	2648	._cache_Synaptics.exe	._cache_Synaptics.tmp
PID 2648 wrote to memory of 1284	2648	._cache_Synaptics.exe	._cache_Synaptics.tmp
PID 1284 wrote to memory of 1800	1284	._cache_Synaptics.tmp	WBH-Diag.exe
PID 1284 wrote to memory of 1800	1284	._cache_Synaptics.tmp	WBH-Diag.exe
PID 1284 wrote to memory of 1800	1284	._cache_Synaptics.tmp	WBH-Diag.exe
PID 1284 wrote to memory of 1800	1284	._cache_Synaptics.tmp	WBH-Diag.exe
PID 1284 wrote to memory of 1800	1284	._cache_Synaptics.tmp	WBH-Diag.exe
PID 1284 wrote to memory of 1800	1284	._cache_Synaptics.tmp	WBH-Diag.exe

C:\Users\Admin\AppData\Local\Temp\7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe
"C:\Users\Admin\AppData\Local\Temp\7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Users\Admin\AppData\Local\Temp\is-SI74R.tmp\._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-SI74R.tmp\._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.tmp" /SL5="$70018,1720962,424960,C:\Users\Admin\AppData\Local\Temp\._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    PID:2832
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Users\Admin\AppData\Local\Temp\is-6R8NJ.tmp\._cache_Synaptics.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-6R8NJ.tmp\._cache_Synaptics.tmp" /SL5="$301DA,1720962,424960,C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1284
    - - C:\Program Files (x86)\wbh-diag\WBH-Diag.exe
        
        "C:\Program Files (x86)\wbh-diag\WBH-Diag.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\wbh-diag\Microsoft.VisualBasic.PowerPacks.dll

Filesize
263KB

MD5
e8e4ad69eb6199e3ea7a8e7bc5d253d2

SHA1
7713c550e75421bb034790252997fe570e5f929c

SHA256
f52a5b0e1d13b197d4cc0632f71c2a3bc44a62a5a6df1ee2116d6547893dd2f6

SHA512
d51c234f2defce4191d0c3eff232655ff25384b266d7ccdc09a6212a59e5a22748edac2fc24f30b5eaf68119deed64261c09f5bd2d02f0fcacc8d339f5286ac0

Download Submit
C:\Program Files (x86)\wbh-diag\MySql.Data.dll

Filesize
446KB

MD5
94bbe02a2b7494833014b31da9961c19

SHA1
25e0041be5a76545d2d4000e42acf34561c03e37

SHA256
d6b70ac9aa8b91570e24a86c5fb44ef183278132781f65f639878eef9477b6fa

SHA512
8acfce099b7b5914e83659d630a6c8602a84441dc70ddabc93332cd0ab779d3a5f1a5992d0af8f708be10a8fb93d45e08bc73636a971656e7dc6207de07d3f6d

Download Submit
C:\Program Files (x86)\wbh-diag\WBH-Diag.exe.config

Filesize
3KB

MD5
180dba8197005a4879e6ebb0f6de3743

SHA1
455dc84860c6756687caec67635cec67b53e1ca9

SHA256
ce01b25c7a052569868f5cc0f0a228bced404e29ec6a5150183cacd9b5eba5d4

SHA512
c3f305f45c9e26a043cd3de70723c4bae002199dee12bdd642222a20cc1683a26701be1e88a64281db18bf84bc8512410359172af30351e733b0b288b84f4a2e

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
2.7MB

MD5
89b5d70f47802c99d07cfbd0a66aa31a

SHA1
14b7e4e18394a25e6221b1c4e3d3c267e6b0f79a

SHA256
7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1

SHA512
09956558088ccd7b27027d4b0d4c22751c5ad37dca92692cbd6fa229d20edf04bc564e3600db06b3028ed98650c08ca42aafdb1ab554f9b0d1703bdf1e10fbdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SI74R.tmp\._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.tmp

Filesize
1.0MB

MD5
f911f075a9be615cbd60aa192dc88c54

SHA1
580c8a34169daf2730c4afe4675780e3fa928c2c

SHA256
3b1215484731c8bf063ad0dd2ff1f83f739186e277ef5bdc4c5d03a181c8a44b

SHA512
1902541e66d8d250729f06242c0ef1e545a44586c47b90803b6423bba2ac5d8fa2c3422a8f4fc36cf56506c63aeac3e72c92f9ba4d042e0c4c9b359d304a636e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nBzl6Keg.xlsm

Filesize
17KB

MD5
af4d37aad8b34471da588360a43e768a

SHA1
83ed64667d4e68ea531b8bcf58aab3ed4a5ca998

SHA256
e7550c3453156531308fda255a198c3710aa4bc7412819c180b103c11e85cef1

SHA512
74f5000038c47b7c909c4ee5740e0e87cac12c9c96fff8b1c7ec749541ee3d4b7efd80f9ac02cd39809dca3f2707d0063fa852a3a541342d93a9d03de08823da

Download Submit
\Program Files (x86)\wbh-diag\WBH-Diag.exe

Filesize
2.1MB

MD5
d9427afabf59556cb442b3173b0d0f65

SHA1
60e0997a1eaa51f298eb18d59c69093e922ed348

SHA256
5841ff1a15a68f31bc62d6c56e3f5a846f13b08a2a2d73bc688fc60427871178

SHA512
e979b88212aed0dcf99041b8f9bcee2acd49c730c9fd1650cd41ff65f6fc48515be12afc5e8d23c340ae7679aa685013e81104f278d8432cb67871d7b454e172

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe

Filesize
1.9MB

MD5
b9cdb56c6e2a49c486751f7e00258726

SHA1
1bdc5792898a1d4e53b020df8b2f9e2b98806837

SHA256
3bb02f84367e17338b79ed7829df18790f34d0d3e634df71fcf7147a87c3c8dc

SHA512
57bc1eee5589fa09bc56cdf4ec53a673a7910574f07254999156ff5fb9840b0c66308a17cb70f70c1aedd957b76549bb831eea89d0d6a2fb766de71767d7c775

Download Submit
\Users\Admin\AppData\Local\Temp\is-EAT1H.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1284-77-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/1284-163-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/1284-87-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/1284-72-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/1284-82-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/1800-168-0x0000000006BB0000-0x0000000006C26000-memory.dmp

Filesize
472KB

Download
memory/1800-160-0x0000000000850000-0x0000000000896000-memory.dmp

Filesize
280KB

Download
memory/1800-153-0x0000000000350000-0x000000000056E000-memory.dmp

Filesize
2.1MB

Download
memory/2052-17-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2052-68-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2052-21-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2360-202-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2360-173-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2360-74-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2360-69-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2380-30-0x0000000000400000-0x00000000006AD000-memory.dmp

Filesize
2.7MB

Download
memory/2380-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2648-49-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2648-164-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2648-71-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2792-44-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2832-155-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/2832-70-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/2832-85-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/2832-75-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/2832-80-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download