Analysis
Max time kernel: 120s
Max time network: 125s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 19-11-2024 21:02
Behavioral task: behavioral1
Sample: e4b56bafba2096102e89442da19263b0bd9c3f172d6ff9e8d3a35a79942fec04.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: e4b56bafba2096102e89442da19263b0bd9c3f172d6ff9e8d3a35a79942fec04.exe
Resource: win10v2004-20241007-en
General
Target: e4b56bafba2096102e89442da19263b0bd9c3f172d6ff9e8d3a35a79942fec04.exe
Size: 1013KB
MD5: 548150d442a1c649b78da947ce0ca1c9
SHA1: 00b5dc0b636708d8335c09cc671d61e1162ce547
SHA256: e4b56bafba2096102e89442da19263b0bd9c3f172d6ff9e8d3a35a79942fec04
SHA512: 579b42a35e616be216ffa113797ec8c9dfa0f65c91499754ab93bf4f575defc5e4bafa8a3907aaab90a3b446caf242ac75b6365295e16d361f04247f51eda710
SSDEEP: 24576:2nsJ39LyjbJkQFMhmC+6GD9rFOa3KGekZ:2nsHyjtk2MYC5GD7mGekZ
Malware Config
Extracted
Family: xred
C2: xred.mooo.com
payload_url:
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Xred family
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | e4b56bafba2096102e89442da19263b0bd9c3f172d6ff9e8d3a35a79942fec04.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | Synaptics.exe
Executes dropped EXE (11 IoCs)
pid | Process
1000 | ._cache_e4b56bafba2096102e89442da19263b0bd9c3f172d6ff9e8d3a35a79942fec04.exe
1800 | Synaptics.exe
412 | ._cache_e4b56bafba2096102e89442da19263b0bd9c3f172d6ff9e8d3a35a79942fec04.exe
5020 | ._cache_Synaptics.exe
4068 | ._cache_synaptics.exe
888 | icsys.icn.exe
672 | explorer.exe
1320 | icsys.icn.exe
2736 | spoolsv.exe
1044 | svchost.exe
4132 | spoolsv.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | e4b56bafba2096102e89442da19263b0bd9c3f172d6ff9e8d3a35a79942fec04.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
Drops file in Windows directory (6 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | icsys.icn.exe
File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | ._cache_e4b56bafba2096102e89442da19263b0bd9c3f172d6ff9e8d3a35a79942fec04.exe
File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | ._cache_Synaptics.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
pid | pid_target | Process | procid_target
4464 | 412 | WerFault.exe | 88
4368 | 4068 | WerFault.exe | 100
System Location Discovery: System Language Discovery (1 TTPs, 18 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_Synaptics.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Synaptics.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_e4b56bafba2096102e89442da19263b0bd9c3f172d6ff9e8d3a35a79942fec04.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_e4b56bafba2096102e89442da19263b0bd9c3f172d6ff9e8d3a35a79942fec04.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_synaptics.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icsys.icn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icsys.icn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e4b56bafba2096102e89442da19263b0bd9c3f172d6ff9e8d3a35a79942fec04.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Kills process with taskkill (2 IoCs)
pid | Process
1300 | taskkill.exe
2044 | taskkill.exe
Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | e4b56bafba2096102e89442da19263b0bd9c3f172d6ff9e8d3a35a79942fec04.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Synaptics.exe
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid | Process
4180 | EXCEL.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | occurrences
1000 | ._cache_e4b56bafba2096102e89442da19263b0bd9c3f172d6ff9e8d3a35a79942fec04.exe | 32
5020 | ._cache_Synaptics.exe | 32
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
672 | explorer.exe
1044 | svchost.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1300 | taskkill.exe
Token: SeDebugPrivilege | 2044 | taskkill.exe
Suspicious use of SetWindowsHookEx (24 IoCs)
pid | Process
1000 | ._cache_e4b56bafba2096102e89442da19263b0bd9c3f172d6ff9e8d3a35a79942fec04.exe
1000 | ._cache_e4b56bafba2096102e89442da19263b0bd9c3f172d6ff9e8d3a35a79942fec04.exe
5020 | ._cache_Synaptics.exe
5020 | ._cache_Synaptics.exe
4180 | EXCEL.EXE
4180 | EXCEL.EXE
4180 | EXCEL.EXE
4180 | EXCEL.EXE
888 | icsys.icn.exe
888 | icsys.icn.exe
672 | explorer.exe
672 | explorer.exe
2736 | spoolsv.exe
1320 | icsys.icn.exe
2736 | spoolsv.exe
1320 | icsys.icn.exe
1044 | svchost.exe
1044 | svchost.exe
4132 | spoolsv.exe
4132 | spoolsv.exe
4180 | EXCEL.EXE
4180 | EXCEL.EXE
4180 | EXCEL.EXE
4180 | EXCEL.EXE
Suspicious use of WriteProcessMemory (51 IoCs)
description | pid | Process | procid_target | occurrences
PID 3108 wrote to memory of 1000 | 3108 | e4b56bafba2096102e89442da19263b0bd9c3f172d6ff9e8d3a35a79942fec04.exe | 86 | 3
PID 3108 wrote to memory of 1800 | 3108 | e4b56bafba2096102e89442da19263b0bd9c3f172d6ff9e8d3a35a79942fec04.exe | 87 | 3
PID 1000 wrote to memory of 412 | 1000 | ._cache_e4b56bafba2096102e89442da19263b0bd9c3f172d6ff9e8d3a35a79942fec04.exe | 88 | 3
PID 412 wrote to memory of 4460 | 412 | ._cache_e4b56bafba2096102e89442da19263b0bd9c3f172d6ff9e8d3a35a79942fec04.exe | 89 | 3
PID 412 wrote to memory of 1304 | 412 | ._cache_e4b56bafba2096102e89442da19263b0bd9c3f172d6ff9e8d3a35a79942fec04.exe | 90 | 3
PID 1304 wrote to memory of 1300 | 1304 | cmd.exe | 94 | 3
PID 1800 wrote to memory of 5020 | 1800 | Synaptics.exe | 98 | 3
PID 5020 wrote to memory of 4068 | 5020 | ._cache_Synaptics.exe | 100 | 3
PID 4068 wrote to memory of 1176 | 4068 | ._cache_synaptics.exe | 101 | 3
PID 4068 wrote to memory of 5072 | 4068 | ._cache_synaptics.exe | 102 | 3
PID 1176 wrote to memory of 2044 | 1176 | cmd.exe | 107 | 3
PID 1000 wrote to memory of 888 | 1000 | ._cache_e4b56bafba2096102e89442da19263b0bd9c3f172d6ff9e8d3a35a79942fec04.exe | 108 | 3
PID 888 wrote to memory of 672 | 888 | icsys.icn.exe | 109 | 3
PID 5020 wrote to memory of 1320 | 5020 | ._cache_Synaptics.exe | 110 | 3
PID 672 wrote to memory of 2736 | 672 | explorer.exe | 111 | 3
PID 2736 wrote to memory of 1044 | 2736 | spoolsv.exe | 112 | 3
PID 1044 wrote to memory of 4132 | 1044 | svchost.exe | 113 | 3
Processes

C:\Users\Admin\AppData\Local\Temp\e4b56bafba2096102e89442da19263b0bd9c3f172d6ff9e8d3a35a79942fec04.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e4b56bafba2096102e89442da19263b0bd9c3f172d6ff9e8d3a35a79942fec04.exe"
  PID: 3108
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\._cache_e4b56bafba2096102e89442da19263b0bd9c3f172d6ff9e8d3a35a79942fec04.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_e4b56bafba2096102e89442da19263b0bd9c3f172d6ff9e8d3a35a79942fec04.exe"
      PID: 1000
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        \??\c:\users\admin\appdata\local\temp\._cache_e4b56bafba2096102e89442da19263b0bd9c3f172d6ff9e8d3a35a79942fec04.exe
          Command line: c:\users\admin\appdata\local\temp\._cache_e4b56bafba2096102e89442da19263b0bd9c3f172d6ff9e8d3a35a79942fec04.exe
          PID: 412
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c run.bat
              PID: 4460
              - System Location Discovery: System Language Discovery

            C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c taskkill /IM system64bit.exe /F
              PID: 1304
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\taskkill.exe
                  Command line: taskkill /IM system64bit.exe /F
                  PID: 1300
                  - System Location Discovery: System Language Discovery
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 832
              PID: 4464
              - Program crash

        C:\Windows\Resources\Themes\icsys.icn.exe
          Command line: C:\Windows\Resources\Themes\icsys.icn.exe
          PID: 888
          - Executes dropped EXE
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

            \??\c:\windows\resources\themes\explorer.exe
              Command line: c:\windows\resources\themes\explorer.exe
              PID: 672
              - Modifies visibility of hidden/system files in Explorer
              - Executes dropped EXE
              - Adds Run key to start application
              - Drops file in System32 directory
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory

                \??\c:\windows\resources\spoolsv.exe
                  Command line: c:\windows\resources\spoolsv.exe SE
                  PID: 2736
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of SetWindowsHookEx
                  - Suspicious use of WriteProcessMemory

                    \??\c:\windows\resources\svchost.exe
                      Command line: c:\windows\resources\svchost.exe
                      PID: 1044
                      - Modifies visibility of hidden/system files in Explorer
                      - Executes dropped EXE
                      - Adds Run key to start application
                      - Drops file in System32 directory
                      - System Location Discovery: System Language Discovery
                      - Suspicious behavior: GetForegroundWindowSpam
                      - Suspicious use of SetWindowsHookEx
                      - Suspicious use of WriteProcessMemory

                        \??\c:\windows\resources\spoolsv.exe
                          Command line: c:\windows\resources\spoolsv.exe PR
                          PID: 4132
                          - Executes dropped EXE
                          - System Location Discovery: System Language Discovery
                          - Suspicious use of SetWindowsHookEx

    C:\ProgramData\Synaptics\Synaptics.exe
      Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      PID: 1800
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
          PID: 5020
          - Executes dropped EXE
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

            \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
              Command line: c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
              PID: 4068
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c taskkill /IM system64bit.exe /F
                  PID: 1176
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of WriteProcessMemory

                    C:\Windows\SysWOW64\taskkill.exe
                      Command line: taskkill /IM system64bit.exe /F
                      PID: 2044
                      - System Location Discovery: System Language Discovery
                      - Kills process with taskkill
                      - Suspicious use of AdjustPrivilegeToken

                C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c run.bat
                  PID: 5072
                  - System Location Discovery: System Language Discovery

                C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 1004
                  PID: 4368
                  - Program crash

            C:\Windows\Resources\Themes\icsys.icn.exe
              Command line: C:\Windows\Resources\Themes\icsys.icn.exe
              PID: 1320
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 412 -ip 412
  PID: 700

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  PID: 4180
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4068 -ip 4068
  PID: 2216
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (2)
Downloads