xred | df44de684671c741c6829e74c2ca682c7db85240fa600b769d7cee78a3b73776

System Information Discovery

Processes:

df44de684671c741c6829e74c2ca682c7db85240fa600b769d7cee78a3b73776.exetmp142.exe._cache_tmp142.exeSynaptics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	df44de684671c741c6829e74c2ca682c7db85240fa600b769d7cee78a3b73776.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	tmp142.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	._cache_tmp142.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 7 IoCs

Processes:

tmp142.exetmp142.exe._cache_tmp142.exeSynaptics.exeServer.exeSynaptics.exe._cache_Synaptics.exe

pid process

716 tmp142.exe
1448 tmp142.exe
1716 ._cache_tmp142.exe
3964 Synaptics.exe
4600 Server.exe
3644 Synaptics.exe
4000 ._cache_Synaptics.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

pid	process
716	tmp142.exe
1448	tmp142.exe
1716	._cache_tmp142.exe
3964	Synaptics.exe
4600	Server.exe
3644	Synaptics.exe
4000	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

._cache_tmp142.exeServer.exe._cache_Synaptics.exetmp142.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Local\\Temp\\._cache_tmp142.exe"	._cache_tmp142.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\VanToM Folder\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Local\\Temp\\._cache_Synaptics.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	tmp142.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 2 IoCs

Processes:

tmp142.exeSynaptics.exe

description	pid	process	target process
PID 716 set thread context of 1448	716	tmp142.exe	tmp142.exe
PID 3964 set thread context of 3644	3964	Synaptics.exe	Synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tmp142.execmd.exetmp142.exeSynaptics.exeSynaptics.exedf44de684671c741c6829e74c2ca682c7db85240fa600b769d7cee78a3b73776.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp142.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp142.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df44de684671c741c6829e74c2ca682c7db85240fa600b769d7cee78a3b73776.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 6 IoCs

Processes:

OpenWith.exe._cache_Synaptics.exeOpenWith.exetmp142.exeSynaptics.exeServer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	tmp142.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	Server.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3328 EXCEL.EXE

pid	process
3328	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

df44de684671c741c6829e74c2ca682c7db85240fa600b769d7cee78a3b73776.exetmp142.exeSynaptics.exe

pid	process
524	df44de684671c741c6829e74c2ca682c7db85240fa600b769d7cee78a3b73776.exe
524	df44de684671c741c6829e74c2ca682c7db85240fa600b769d7cee78a3b73776.exe
716	tmp142.exe
716	tmp142.exe
3964	Synaptics.exe
3964	Synaptics.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

._cache_tmp142.exeServer.exe._cache_Synaptics.exe

pid process

1716 ._cache_tmp142.exe
4600 Server.exe
4000 ._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

._cache_tmp142.exeServer.exeOpenWith.exeEXCEL.EXE._cache_Synaptics.exeOpenWith.exe

pid	process
1716	._cache_tmp142.exe
4600	Server.exe
740	OpenWith.exe
3328	EXCEL.EXE
3328	EXCEL.EXE
4000	._cache_Synaptics.exe
3328	EXCEL.EXE
3328	EXCEL.EXE
4596	OpenWith.exe
3328	EXCEL.EXE
3328	EXCEL.EXE
3328	EXCEL.EXE
3328	EXCEL.EXE

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

df44de684671c741c6829e74c2ca682c7db85240fa600b769d7cee78a3b73776.exetmp142.exetmp142.exe._cache_tmp142.exeSynaptics.exeSynaptics.exe

description	pid	process	target process
PID 524 wrote to memory of 716	524	df44de684671c741c6829e74c2ca682c7db85240fa600b769d7cee78a3b73776.exe	tmp142.exe
PID 524 wrote to memory of 716	524	df44de684671c741c6829e74c2ca682c7db85240fa600b769d7cee78a3b73776.exe	tmp142.exe
PID 524 wrote to memory of 716	524	df44de684671c741c6829e74c2ca682c7db85240fa600b769d7cee78a3b73776.exe	tmp142.exe
PID 524 wrote to memory of 220	524	df44de684671c741c6829e74c2ca682c7db85240fa600b769d7cee78a3b73776.exe	cmd.exe
PID 524 wrote to memory of 220	524	df44de684671c741c6829e74c2ca682c7db85240fa600b769d7cee78a3b73776.exe	cmd.exe
PID 524 wrote to memory of 220	524	df44de684671c741c6829e74c2ca682c7db85240fa600b769d7cee78a3b73776.exe	cmd.exe
PID 716 wrote to memory of 1448	716	tmp142.exe	tmp142.exe
PID 716 wrote to memory of 1448	716	tmp142.exe	tmp142.exe
PID 716 wrote to memory of 1448	716	tmp142.exe	tmp142.exe
PID 716 wrote to memory of 1448	716	tmp142.exe	tmp142.exe
PID 716 wrote to memory of 1448	716	tmp142.exe	tmp142.exe
PID 716 wrote to memory of 1448	716	tmp142.exe	tmp142.exe
PID 716 wrote to memory of 1448	716	tmp142.exe	tmp142.exe
PID 716 wrote to memory of 1448	716	tmp142.exe	tmp142.exe
PID 716 wrote to memory of 1448	716	tmp142.exe	tmp142.exe
PID 716 wrote to memory of 1448	716	tmp142.exe	tmp142.exe
PID 716 wrote to memory of 1448	716	tmp142.exe	tmp142.exe
PID 716 wrote to memory of 1448	716	tmp142.exe	tmp142.exe
PID 716 wrote to memory of 1448	716	tmp142.exe	tmp142.exe
PID 1448 wrote to memory of 1716	1448	tmp142.exe	._cache_tmp142.exe
PID 1448 wrote to memory of 1716	1448	tmp142.exe	._cache_tmp142.exe
PID 1448 wrote to memory of 3964	1448	tmp142.exe	Synaptics.exe
PID 1448 wrote to memory of 3964	1448	tmp142.exe	Synaptics.exe
PID 1448 wrote to memory of 3964	1448	tmp142.exe	Synaptics.exe
PID 1716 wrote to memory of 4600	1716	._cache_tmp142.exe	Server.exe
PID 1716 wrote to memory of 4600	1716	._cache_tmp142.exe	Server.exe
PID 3964 wrote to memory of 3644	3964	Synaptics.exe	Synaptics.exe
PID 3964 wrote to memory of 3644	3964	Synaptics.exe	Synaptics.exe
PID 3964 wrote to memory of 3644	3964	Synaptics.exe	Synaptics.exe
PID 3964 wrote to memory of 3644	3964	Synaptics.exe	Synaptics.exe
PID 3964 wrote to memory of 3644	3964	Synaptics.exe	Synaptics.exe
PID 3964 wrote to memory of 3644	3964	Synaptics.exe	Synaptics.exe
PID 3964 wrote to memory of 3644	3964	Synaptics.exe	Synaptics.exe
PID 3964 wrote to memory of 3644	3964	Synaptics.exe	Synaptics.exe
PID 3964 wrote to memory of 3644	3964	Synaptics.exe	Synaptics.exe
PID 3964 wrote to memory of 3644	3964	Synaptics.exe	Synaptics.exe
PID 3964 wrote to memory of 3644	3964	Synaptics.exe	Synaptics.exe
PID 3964 wrote to memory of 3644	3964	Synaptics.exe	Synaptics.exe
PID 3964 wrote to memory of 3644	3964	Synaptics.exe	Synaptics.exe
PID 3644 wrote to memory of 4000	3644	Synaptics.exe	._cache_Synaptics.exe
PID 3644 wrote to memory of 4000	3644	Synaptics.exe	._cache_Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\df44de684671c741c6829e74c2ca682c7db85240fa600b769d7cee78a3b73776.exe
"C:\Users\Admin\AppData\Local\Temp\df44de684671c741c6829e74c2ca682c7db85240fa600b769d7cee78a3b73776.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:524
- C:\Users\Admin\AppData\Local\Temp\tmp142.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp142.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:716
- - C:\Users\Admin\AppData\Local\Temp\tmp142.exe
    C:\Users\Admin\AppData\Local\Temp\tmp142.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1448
  - - C:\Users\Admin\AppData\Local\Temp\._cache_tmp142.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_tmp142.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1716
    - - C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe
        
        "C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4600
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3964
    - - C:\ProgramData\Synaptics\Synaptics.exe
        
        C:\ProgramData\Synaptics\Synaptics.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3644
      - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4000
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\DF44DE~1.EXE >> NUL
  2⤵
  - System Location Discovery: System Language Discovery
  PID:220

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:740

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3328

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

Modify Registry

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Query Registry

3

System Information Discovery

4

System Location Discovery

T1614

System Language Discovery