Analysis
max time kernel
292s
max time network
278s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
22-11-2024 20:45
Behavioral task
behavioral1
Sample
winrar-x64-700.exe
Resource
win7-20240903-en
General
-
Target
winrar-x64-700.exe
-
Size
4.6MB
-
MD5
82d05c70559d829137a17d62d637a061
-
SHA1
4ad6926261e5b6fdd1b3128e005cd5a67e0b5180
-
SHA256
8e12be66a20bed006ce45cbf83658bd56441ed070ce3605814d6d8a38b84f462
-
SHA512
25df17152f2b0f84cc2941a83b4ca91e03e98e3e2c6a9531f5b0c95c521f63ece6228fadf14e21a865d3aeaad3b5531c69f5e0ed9a5e5a2e8ef549c2919c974d
-
SSDEEP
98304:DBrmtk2a4BTBUWaWOBfKnlSXdgRgopW/r+N5op154iXEBdbwUoy60518ymXM2mGu:QxamnqdgyoE+noL54u2wUoylrVml69
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Detect Neshta payload 49 IoCs
resource / yara_rule:
- behavioral2/files/0x000e000000023b56-4.dat family_neshta
- behavioral2/files/0x0032000000023b5c-16.dat family_neshta
- behavioral2/memory/4568-134-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
- behavioral2/memory/3776-129-0x0000000000400000-0x0000000000891000-memory.dmp family_neshta
- behavioral2/files/0x000a000000023b60-120.dat family_neshta
- behavioral2/files/0x0004000000020343-160.dat family_neshta
- behavioral2/files/0x0004000000020348-174.dat family_neshta
- behavioral2/files/0x0001000000020225-169.dat family_neshta
- behavioral2/files/0x000200000002030d-195.dat family_neshta
- behavioral2/files/0x00010000000225d8-198.dat family_neshta
- behavioral2/files/0x00010000000214d9-209.dat family_neshta
- behavioral2/files/0x0001000000022f2a-217.dat family_neshta
- behavioral2/files/0x0001000000022f2e-216.dat family_neshta
- behavioral2/files/0x00010000000167af-235.dat family_neshta
- behavioral2/files/0x00010000000167c8-238.dat family_neshta
- behavioral2/files/0x000100000001dbd1-249.dat family_neshta
- behavioral2/files/0x000100000001691a-258.dat family_neshta
- behavioral2/files/0x0001000000022e68-264.dat family_neshta
- behavioral2/files/0x0001000000016918-263.dat family_neshta
- behavioral2/files/0x0001000000016801-234.dat family_neshta
- behavioral2/files/0x0001000000022f2d-215.dat family_neshta
- behavioral2/files/0x00010000000214d8-213.dat family_neshta
- behavioral2/files/0x00010000000214da-211.dat family_neshta
- behavioral2/memory/460-275-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
- behavioral2/files/0x000e00000001f3c7-293.dat family_neshta
- behavioral2/files/0x000500000001e8c0-297.dat family_neshta
- behavioral2/files/0x000b00000001e614-294.dat family_neshta
- behavioral2/files/0x000400000001e6aa-292.dat family_neshta
- behavioral2/files/0x000a00000001e806-300.dat family_neshta
- behavioral2/files/0x000300000001e8c7-291.dat family_neshta
- behavioral2/files/0x000300000001e876-290.dat family_neshta
- behavioral2/files/0x00020000000215ca-273.dat family_neshta
- behavioral2/files/0x000200000000072d-272.dat family_neshta
- behavioral2/files/0x000b00000001ee08-308.dat family_neshta
- behavioral2/files/0x000600000001e5d1-306.dat family_neshta
- behavioral2/memory/4296-310-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
- behavioral2/memory/3396-359-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
- behavioral2/memory/1144-360-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
- behavioral2/memory/2252-361-0x0000000000400000-0x0000000000891000-memory.dmp family_neshta
- behavioral2/memory/3396-365-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
- behavioral2/memory/1144-366-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
- behavioral2/memory/2252-367-0x0000000000400000-0x0000000000891000-memory.dmp family_neshta
- behavioral2/memory/3396-368-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
- behavioral2/memory/1144-369-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
- behavioral2/memory/3396-371-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
- behavioral2/memory/1144-372-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
- behavioral2/memory/1144-377-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
- behavioral2/memory/3396-378-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta
- behavioral2/memory/2252-401-0x0000000000400000-0x0000000000891000-memory.dmp family_neshta
Neshta
Malware from the Neshta family is a file infector: it injects itself into other executable files to spread and cause damage.
-
Neshta family
-
Xred family
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description / ioc / Process:
- Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation (winrar-x64-700.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation (winrar-x64-700.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation (._cache_winrar-x64-700.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation (Synaptics.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation (._cache_Synaptics.exe)
Executes dropped EXE 8 IoCs
pid / Process:
- 3776 winrar-x64-700.exe
- 1144 ._cache_winrar-x64-700.exe
- 4568 svchost.com
- 2252 Synaptics.exe
- 1984 _CACHE~1.EXE
- 460 ._cache_Synaptics.exe
- 4296 svchost.com
- 4952 _CACHE~2.EXE
Modifies system executable filetype association 2 TTPs 1 IoCs
description / ioc / Process:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (winrar-x64-700.exe)
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
-
Adds Run key to start application 2 TTPs 1 IoCs
description / ioc / Process:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" (winrar-x64-700.exe)
Drops file in Program Files directory 64 IoCs
description: File opened for modification; ioc (Process):
- C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE (._cache_winrar-x64-700.exe)
- C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE (._cache_winrar-x64-700.exe)
- C:\PROGRA~2\Google\Update\DISABL~1.EXE (winrar-x64-700.exe)
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe (winrar-x64-700.exe)
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE (winrar-x64-700.exe)
- C:\PROGRA~2\WINDOW~4\wmpshare.exe (._cache_winrar-x64-700.exe)
- C:\PROGRA~2\WI8A19~1\ImagingDevices.exe (winrar-x64-700.exe)
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE (._cache_winrar-x64-700.exe)
- C:\PROGRA~2\WINDOW~2\wab.exe (._cache_winrar-x64-700.exe)
- C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE (._cache_winrar-x64-700.exe)
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE (._cache_winrar-x64-700.exe)
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE (winrar-x64-700.exe)
- C:\PROGRA~2\INTERN~1\ielowutil.exe (._cache_winrar-x64-700.exe)
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe (._cache_winrar-x64-700.exe)
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE (winrar-x64-700.exe)
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE (._cache_winrar-x64-700.exe)
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE (winrar-x64-700.exe)
- C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe (winrar-x64-700.exe)
- C:\PROGRA~2\INTERN~1\ieinstal.exe (winrar-x64-700.exe)
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE (winrar-x64-700.exe)
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE (._cache_winrar-x64-700.exe)
- C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE (winrar-x64-700.exe)
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE (._cache_winrar-x64-700.exe)
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE (winrar-x64-700.exe)
- C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe (winrar-x64-700.exe)
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE (._cache_winrar-x64-700.exe)
- C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe (winrar-x64-700.exe)
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE (._cache_winrar-x64-700.exe)
- C:\PROGRA~2\WINDOW~2\wabmig.exe (winrar-x64-700.exe)
- C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe (._cache_winrar-x64-700.exe)
- C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE (winrar-x64-700.exe)
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe (winrar-x64-700.exe)
- C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe (winrar-x64-700.exe)
- C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE (._cache_winrar-x64-700.exe)
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE (._cache_winrar-x64-700.exe)
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe (winrar-x64-700.exe)
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE (._cache_winrar-x64-700.exe)
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE (._cache_winrar-x64-700.exe)
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE (._cache_winrar-x64-700.exe)
- C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe (._cache_winrar-x64-700.exe)
- C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE (winrar-x64-700.exe)
- C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe (winrar-x64-700.exe)
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe (winrar-x64-700.exe)
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE (winrar-x64-700.exe)
- C:\PROGRA~2\MOZILL~1\UNINST~1.EXE (._cache_winrar-x64-700.exe)
- C:\PROGRA~2\WINDOW~2\wab.exe (winrar-x64-700.exe)
- C:\PROGRA~2\WINDOW~4\wmprph.exe (._cache_winrar-x64-700.exe)
- C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE (._cache_winrar-x64-700.exe)
- C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE (winrar-x64-700.exe)
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe (winrar-x64-700.exe)
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe (winrar-x64-700.exe)
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE (winrar-x64-700.exe)
- C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE (winrar-x64-700.exe)
- C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE (winrar-x64-700.exe)
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe (._cache_winrar-x64-700.exe)
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE (winrar-x64-700.exe)
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE (winrar-x64-700.exe)
- C:\PROGRA~2\WINDOW~2\wabmig.exe (._cache_winrar-x64-700.exe)
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE (winrar-x64-700.exe)
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE (._cache_winrar-x64-700.exe)
- C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE (winrar-x64-700.exe)
- C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE (._cache_winrar-x64-700.exe)
- C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe (._cache_winrar-x64-700.exe)
- C:\PROGRA~2\WINDOW~4\wmpconfig.exe (._cache_winrar-x64-700.exe)
Drops file in Windows directory 9 IoCs
description: File opened for modification; ioc (Process):
- C:\Windows\svchost.com (winrar-x64-700.exe)
- C:\Windows\directx.sys (._cache_winrar-x64-700.exe)
- C:\Windows\svchost.com (._cache_winrar-x64-700.exe)
- C:\Windows\svchost.com (._cache_Synaptics.exe)
- C:\Windows\directx.sys (svchost.com)
- C:\Windows\directx.sys (svchost.com)
- C:\Windows\svchost.com (svchost.com)
- C:\Windows\directx.sys (._cache_Synaptics.exe)
- C:\Windows\svchost.com (svchost.com)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened; ioc (Process):
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (winrar-x64-700.exe)
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (winrar-x64-700.exe)
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (._cache_winrar-x64-700.exe)
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (svchost.com)
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Synaptics.exe)
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (._cache_Synaptics.exe)
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (svchost.com)
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description / ioc / Process:
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
Enumerates system info in registry 2 TTPs 3 IoCs
description / ioc / Process:
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
Modifies registry class 5 IoCs
description / ioc / Process:
- Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings (._cache_winrar-x64-700.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (Synaptics.exe)
- Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings (._cache_Synaptics.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (winrar-x64-700.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (winrar-x64-700.exe)
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid / Process:
- 2088 EXCEL.EXE
Suspicious use of SetWindowsHookEx 12 IoCs
pid / Process:
- 1984 _CACHE~1.EXE
- 1984 _CACHE~1.EXE
- 2088 EXCEL.EXE
- 4952 _CACHE~2.EXE
- 4952 _CACHE~2.EXE
- 2088 EXCEL.EXE
- 2088 EXCEL.EXE
- 2088 EXCEL.EXE
- 2088 EXCEL.EXE
- 2088 EXCEL.EXE
- 2088 EXCEL.EXE
- 2088 EXCEL.EXE
Suspicious use of WriteProcessMemory 22 IoCs
description (pid Process, procid_target):
- PID 3396 wrote to memory of 3776 (3396 winrar-x64-700.exe, 83)
- PID 3396 wrote to memory of 3776 (3396 winrar-x64-700.exe, 83)
- PID 3396 wrote to memory of 3776 (3396 winrar-x64-700.exe, 83)
- PID 3776 wrote to memory of 1144 (3776 winrar-x64-700.exe, 84)
- PID 3776 wrote to memory of 1144 (3776 winrar-x64-700.exe, 84)
- PID 3776 wrote to memory of 1144 (3776 winrar-x64-700.exe, 84)
- PID 1144 wrote to memory of 4568 (1144 ._cache_winrar-x64-700.exe, 86)
- PID 1144 wrote to memory of 4568 (1144 ._cache_winrar-x64-700.exe, 86)
- PID 1144 wrote to memory of 4568 (1144 ._cache_winrar-x64-700.exe, 86)
- PID 3776 wrote to memory of 2252 (3776 winrar-x64-700.exe, 85)
- PID 3776 wrote to memory of 2252 (3776 winrar-x64-700.exe, 85)
- PID 3776 wrote to memory of 2252 (3776 winrar-x64-700.exe, 85)
- PID 4568 wrote to memory of 1984 (4568 svchost.com, 87)
- PID 4568 wrote to memory of 1984 (4568 svchost.com, 87)
- PID 2252 wrote to memory of 460 (2252 Synaptics.exe, 88)
- PID 2252 wrote to memory of 460 (2252 Synaptics.exe, 88)
- PID 2252 wrote to memory of 460 (2252 Synaptics.exe, 88)
- PID 460 wrote to memory of 4296 (460 ._cache_Synaptics.exe, 90)
- PID 460 wrote to memory of 4296 (460 ._cache_Synaptics.exe, 90)
- PID 460 wrote to memory of 4296 (460 ._cache_Synaptics.exe, 90)
- PID 4296 wrote to memory of 4952 (4296 svchost.com, 91)
- PID 4296 wrote to memory of 4952 (4296 svchost.com, 91)
Processes
C:\Users\Admin\AppData\Local\Temp\winrar-x64-700.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\winrar-x64-700.exe"
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3396
  C:\Users\Admin\AppData\Local\Temp\3582-490\winrar-x64-700.exe (level 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\winrar-x64-700.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 3776
    C:\Users\Admin\AppData\Local\Temp\._cache_winrar-x64-700.exe (level 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_winrar-x64-700.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 1144
      C:\Windows\svchost.com (level 4)
      Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE"
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4568
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE (level 5)
        Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        PID: 1984
    C:\ProgramData\Synaptics\Synaptics.exe (level 3)
    Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2252
      C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe (level 4)
      Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      - Checks computer location settings
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      PID: 460
        C:\Windows\svchost.com (level 5)
        Command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 4296
          C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE (level 6)
          Command line: C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
          PID: 4952
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (level 1)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID: 2088
C:\Windows\system32\werfault.exe (level 1)
Command line: werfault.exe /h /shared Global\08e8d8f66cff4a1f9f9db2b1054c9a3d /t 756 /p 4952
PID: 1672
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
-
Filesize
368KB
MD5
a344438de9e499ca3d9038688440f406
SHA1
c961917349de7e9d269f6f4a5593b6b9d3fcd4d2
SHA256
715f6420c423ae4068b25a703d5575f7c147b26e388f0fff1ae20c6abe821557
SHA512
8bf3c621725fddafa6326b057fee9beee95966e43c5fbab40ebaa4a1a64d17acca97a19d0ece10c3574e13e194ff191316871d1d46d4d74ffc0ac3efb403bca9
-
Filesize
386KB
MD5
8c753d6448183dea5269445738486e01
SHA1
ebbbdc0022ca7487cd6294714cd3fbcb70923af9
SHA256
473eb551101caeaf2d18f811342e21de323c8dd19ed21011997716871defe997
SHA512
4f6fddefc42455540448eac0b693a4847e21b68467486376a4186776bfe137337733d3075b7b87ed7dac532478dc9afc63883607ec8205df3f155fee64c7a9be
-
Filesize
125KB
MD5
cce8964848413b49f18a44da9cb0a79b
SHA1
0b7452100d400acebb1c1887542f322a92cbd7ae
SHA256
fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5
SHA512
bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d
-
Filesize
454KB
MD5
bcd0f32f28d3c2ba8f53d1052d05252d
SHA1
c29b4591df930dabc1a4bd0fa2c0ad91500eafb2
SHA256
bb07d817b8b1b6b4c25e62b6120e51dec10118557d7b6b696ad084a5ba5bfdeb
SHA512
79f407735853f82f46870c52058ceee4d91857a89db14868ee1169abd5c0fd2e3fa1ed230ab90b5f479a9581b88998643d69b0df498defea29e73b0d487f3b10
-
Filesize
121KB
MD5
cbd96ba6abe7564cb5980502eec0b5f6
SHA1
74e1fe1429cec3e91f55364e5cb8385a64bb0006
SHA256
405b8bd647fa703e233b8b609a18999abe465a8458168f1daf23197bd2ea36aa
SHA512
a551001853f6b93dfbc6cf6a681820af31330a19d5411076ff3dbce90937b3d92173085a15f29ebf56f2ef12a4e86860ac6723ebc89c98ea31ea7a6c7e3d7cdc
-
Filesize
366KB
MD5
f1dd0a0fe1c98603a4d5666f5175a911
SHA1
12bc988ea7a55e6d7fd4c7a59d74393bb8473d4d
SHA256
f5bf98813e2d5a12f3b78f02108f7d16436e2454770599859b1e694d97df4264
SHA512
3196905919cb6c45d287ab9a26d5970ccf710d092c166202e0919989703584dfeab416adc998a50104a7a76fe175838de5544904a32bbc96e19c2f68362ce895
-
Filesize
366KB
MD5
d722ea08b4e55dbfca956d34b7fef6e2
SHA1
69119f4475fc6f7fd1f749c52b03cc49adf50014
SHA256
9fc432a9ce058ba19348e5918a716db8d429cfd87ae51deccc220ff5d2a9708c
SHA512
11bc7e857aeabbc3c914da0d00cdc34fe3cd42ebea22a3c688985dda1b94095ba634a3bc1c9d1e0a808f8be42f1d754233ab963d123329066b9e0cb6f3c3719a
-
Filesize
505KB
MD5
452c3ce70edba3c6e358fad9fb47eb4c
SHA1
d24ea3b642f385a666159ef4c39714bec2b08636
SHA256
da73b6e071788372702104b9c72b6697e84e7c75e248e964996700b77c6b6f1c
SHA512
fe8a0b9b1386d6931dc7b646d0dd99c3d1b44bd40698b33077e7eeba877b53e5cb39ff2aa0f6919ccab62953a674577bc1b2516d9cadc0c051009b2083a08085
-
Filesize
198KB
MD5
7429ce42ac211cd3aa986faad186cedd
SHA1
b61a57f0f99cfd702be0fbafcb77e9f911223fac
SHA256
d608c05409ac4bd05d8e0702fcf66dfae5f4f38cbae13406842fa5504f4d616f
SHA512
ee4456877d6d881d9904013aabecb9f2daf6fc0ec7a7c9251e77396b66a7f5a577fe8544e64e2bb7464db429db56a3fe47c183a81d40cc869d01be573ab5e4c1
-
Filesize
335KB
MD5
e4351f1658eab89bbd70beb15598cf1c
SHA1
e18fbfaee18211fd9e58461145306f9bc4f459ea
SHA256
4c783822b873188a9ced8bd4888e1736e3d4f51f6b3b7a62675b0dc85277e0eb
SHA512
57dbc6418011bcac298e122990b14ed1461c53b5f41cb4986d1d3bbbb516c764a7c205fc4da3722399fdb9122f28e4ec98f39d2af80d4b6a64d7bd7944d1c218
-
Filesize
433KB
MD5
674eddc440664b8b854bc397e67ee338
SHA1
af9d74243ee3ea5f88638172f592ed89bbbd7e0d
SHA256
20bbf92426732ff7269b4f2f89d404d5fee0fa6a20944004d2eeb3cc2d1fa457
SHA512
5aced0e2235f113e323d6b28be74da5e4da4dc881629461df4644a52bccd717dc6d2632c40ed8190b3ad060b8b62c347757a0bbe82680d892114c1f0529146b7
-
Filesize
244KB
MD5
da18586b25e72ff40c0f24da690a2edc
SHA1
27a388f3cdcfa7357f971b5c4411ea5aa1b9e5f5
SHA256
67f6e8f14bcf0e6d570c1f4ac5a1bb80a4e1470b5bad5a7ee85689c476597d8e
SHA512
3512820a9d37b61f77a79b2d4d3f6aec9ef53dbf81071bee16f5dcc8173393a1cd1bffe9f7f39467b72f9c9271a78e42078e68598934188d9df0b887f2edc5ab
-
Filesize
290KB
MD5
23b1708cd5e7409832fe36f125844e7a
SHA1
39ec7d4322cf4ccea82ee65343d05459c5eb3f3e
SHA256
03e0297166fcd0b5a439d974080fbd5efbb48dfe3b019ab11faa89ecc372765f
SHA512
d6291f0a98f1dfedd81589f07d219df23a9e734680975d5e2d91553767927bd2b7ed915e6f5974767277fb813e14f8549caf57f96912ea3cebe28b73ca3ec62e
-
Filesize
509KB
MD5
7c73e01bd682dc67ef2fbb679be99866
SHA1
ad3834bd9f95f8bf64eb5be0a610427940407117
SHA256
da333c92fdfd2e8092f5b56686b94f713f8fa27ef8f333e7222259ad1eb08f5d
SHA512
b2f3398e486cde482cb6bea18f4e5312fa2db7382ca25cea17bcba5ab1ff0e891d59328bc567641a9da05caca4d7c61dc102289d46e7135f947ce6155e295711
-
Filesize
138KB
MD5
5e08d87c074f0f8e3a8e8c76c5bf92ee
SHA1
f52a554a5029fb4749842b2213d4196c95d48561
SHA256
5d548c2cc25d542f2061ed9c8e38bd5ca72bddb37dd17654346cae8a19645714
SHA512
dd98d6fa7d943604914b2e3b27e1f21a95f1fe1feb942dd6956e864da658f4fbd9d1d0cf775e79ceaae6a025aafd4e633763389c37034134bd5245969bec383e
-
Filesize
1.1MB
MD5
301d7f5daa3b48c83df5f6b35de99982
SHA1
17e68d91f3ec1eabde1451351cc690a1978d2cd4
SHA256
abe398284d90be5e5e78f98654b88664e2e14478f7eb3f55c5fd1c1bcf1bebee
SHA512
4a72a24dec461d116fe8324c651913273ccaa50cb036ccdacb3ae300e417cf4a64aa458869b8d2f3b4c298c59977437d11b241d08b391a481c3226954bba22e4
-
Filesize
3.2MB
MD5
5119e350591269f44f732b470024bb7c
SHA1
4ccd48e4c6ba6e162d1520760ee3063e93e2c014
SHA256
2b3aa9642b291932ba7f9f3d85221402a9d27078f56ef0e9c6bca633616e3873
SHA512
599b4ec673169d42a348d1117737b4ad4d7539574153df5a5c7689130c9ac5ff5cd00f3c8ec39adf32ff2b56be074081efcabb6456272c649703c3ea6cdaded4
-
Filesize
274KB
MD5
d84f63a0bf5eff0c8c491f69b81d1a36
SHA1
17c7d7ae90e571e99f1b1685872f91c04ee76e85
SHA256
06d363997722b0e3c4787f72ca61cb2a8ad59ea7ba8a9d14eafa8a8a550687a2
SHA512
865aab84cfe40604ffd013d8517a538eb1322b90372d236821c0e39e285a20bdad755ddff8d59d8af47a9b10b6c77947abc9148761e75892c617db8503b0ef6e
-
Filesize
494KB
MD5
05bdfd8a3128ab14d96818f43ebe9c0e
SHA1
495cbbd020391e05d11c52aa23bdae7b89532eb7
SHA256
7b945c7e6b8bfbb489f003ecd1d0dcd4803042003de4646d4206114361a0fbbb
SHA512
8d9b9fc407986bd53fe3b56c96b7371cc782b4bac705253bfb0a2b0b1e6883fdb022f1ac87b8bfd7005291991b6a3dfbaceab54f5d494e0af70f0435a0b8b0da
-
Filesize
6.7MB
MD5
63dc05e27a0b43bf25f151751b481b8c
SHA1
b20321483dac62bce0aa0cef1d193d247747e189
SHA256
7d607fb69c69a72a5bf4305599279f46318312ce1082b6a34ac9100b8c7762ce
SHA512
374d705704d456cc5f9f79b7f465f6ec7c775dc43001c840e9d6efbbdef20926ed1fa97f8a9b1e73161e17f72520b96c05fa58ac86b3945208b405f9166e7ba3
-
Filesize
674KB
MD5
97510a7d9bf0811a6ea89fad85a9f3f3
SHA1
2ac0c49b66a92789be65580a38ae9798237711db
SHA256
c48abbc29405559e68cc9f8fc6d218aa317a9d0023839c7846ca509c1f563fea
SHA512
2a93e2a3bd187fdde160f87ef777ccd1d1c398d547b7c869e6b64469b9418ad04d887cdfe94af7407476377bf2d009f576de3935c025b7aefbab26fbcd8f90fb
-
Filesize
674KB
MD5
9c10a5ec52c145d340df7eafdb69c478
SHA1
57f3d99e41d123ad5f185fc21454367a7285db42
SHA256
ccf37e88447a7afdb0ba4351b8c5606dbb05b984fb133194d71bcc00d7be4e36
SHA512
2704cfd1a708bfca6db7c52467d3abf0b09313db0cdd1ea8e5d48504c8240c4bf24e677f17c5df9e3ac1f6a678e0328e73e951dc4481f35027cb03b2966dc38f
-
Filesize
495KB
MD5
9597098cfbc45fae685d9480d135ed13
SHA1
84401f03a7942a7e4fcd26e4414b227edd9b0f09
SHA256
45966655baaed42df92cd6d8094b4172c0e7a0320528b59cf63fca7c25d66e9c
SHA512
16afbdffe4b4b2e54b4cc96fe74e49ca367dea50752321ddf334756519812ba8ce147ef5459e421dc42e103bc3456aab1d185588cc86b35fa2315ac86b2a0164
-
Filesize
650KB
MD5
558fdb0b9f097118b0c928bb6062370a
SHA1
ad971a9a4cac3112a494a167e1b7736dcd6718b3
SHA256
90cee4a89cc1401ac464818226b7df69aa930804cefce56758d4e2ea0009d924
SHA512
5d08d5428e82fb3dad55c19e2c029de8f16e121faac87575b97f468b0ec312b3e0696225546cba91addaaf8f2451d44ae6386b4e4f7f621ce45055f3be797d7c
-
Filesize
485KB
MD5
87f15006aea3b4433e226882a56f188d
SHA1
e3ad6beb8229af62b0824151dbf546c0506d4f65
SHA256
8d0045c74270281c705009d49441167c8a51ac70b720f84ff941b39fad220919
SHA512
b01a8af6dc836044d2adc6828654fa7a187c3f7ffe2a4db4c73021be6d121f9c1c47b1643513c3f25c0e1b5123b8ce2dc78b2ca8ce638a09c2171f158762c7c1
-
Filesize
650KB
MD5
2f826daacb184077b67aad3fe30e3413
SHA1
981d415fe70414aaac3a11024e65ae2e949aced8
SHA256
a6180f0aa9c56c32e71fe8dc150131177e4036a5a2111d0f3ec3c341fd813222
SHA512
2a6d9bdf4b7be9b766008e522cbb2c21921ba55d84dfde653ca977f70639e342a9d5548768de29ae2a85031c11dac2ae4b3c76b9136c020a6e7c9a9a5879caeb
-
Filesize
495KB
MD5
07e194ce831b1846111eb6c8b176c86e
SHA1
b9c83ec3b0949cb661878fb1a8b43a073e15baf1
SHA256
d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac
SHA512
55f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5
-
Filesize
485KB
MD5
86749cd13537a694795be5d87ef7106d
SHA1
538030845680a8be8219618daee29e368dc1e06c
SHA256
8c35dcc975a5c7c687686a3970306452476d17a89787bc5bd3bf21b9de0d36a5
SHA512
7b6ae20515fb6b13701df422cbb0844d26c8a98087b2758427781f0bf11eb9ec5da029096e42960bf99ddd3d4f817db6e29ac172039110df6ea92547d331db4c
-
Filesize
650KB
MD5
72d0addae57f28c993b319bfafa190ac
SHA1
8082ad7a004a399f0edbf447425f6a0f6c772ff3
SHA256
671be498af4e13872784eeae4bae2e462dfac62d51d7057b2b3bebff511b7d18
SHA512
98bcde1133edbff713aa43b944dceb5dae20a9cbdf8009f5b758da20ccfbcdf6d617f609a7094aa52a514373f6695b0fd43c3d601538483816cd08832edd15ab
-
Filesize
3.8MB
MD5
e1444ef9fae2c4e96e82fdadb2d55562
SHA1
37e0752741342148132cc052ec94c09c699e4da9
SHA256
ace00d359a579417781ae1b6cb482b8ac2c8acb8617ac0952887fcc43e25b375
SHA512
924394effac8b16650a72422c397d3b827025eb03776fc1d102acc287ad64cab422290871a3e305256e3582e5a778ca33423971c0a407111e48cea5ad2ff54df
-
Filesize
3.8MB
MD5
48deabfacb5c8e88b81c7165ed4e3b0b
SHA1
de3dab0e9258f9ff3c93ab6738818c6ec399e6a4
SHA256
ff309d1430fc97fccaa9cb82ddf3d23ce9afdf62dcf8c69512de40820df15e24
SHA512
d1d30f6267349bb23334f72376fe3384ac14d202bc8e12c16773231f5f4a3f02b76563f05b11d89d5ef6c05d4acaacc79f72f1d617ee6d1b6eddab2b866426af
-
Filesize
4.5MB
MD5
a477b22c086fe3b66f2e7c28a7e2f3fc
SHA1
fe8cb3c370d7362039a3a7d18b8f1496dffac027
SHA256
ccac32bfa0d9f9042575c405cc8b09a8c0f5ea551e1eee4a60bedb28146bbf9c
SHA512
1e08025b8e427ab35a1e8cee1c71c67bdb14cf9e54f2cb5149fb026514a4ef7038f824f2a935bc11876b85e1525a9d0406c7ababee141cd32e0db6ffccd2ed43
-
Filesize
21KB
MD5
48ad4c7e178c2b98758fdef6bbcc06b7
SHA1
e2f6d7c2d835870f24df086b4b305cc4de5cc715
SHA256
3a6596a5a4390b5f10c252e38acb651e400c8c8d5f1488f7b0b1d738f60c93b2
SHA512
48d01fdb12c574d03c81d7800bf3b75fff58a9234e5bd61f6a5837aca411cd502f5061d8ca450ea9c5cee5a07fd3c0356b6330d3e67b9dd5f67fcf648347f2e5
-
Filesize
17KB
MD5
e566fc53051035e1e6fd0ed1823de0f9
SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
Filesize
8B
MD5
d912d2b80b632071f4628f52e4d6aad2
SHA1
31f4fb0b9af6d1af959ddc212935c71bb9afa62d
SHA256
317e0d378c9ab02f64b5dc160dbb79d5481945713f5d206a0e2cecbd8c562ab0
SHA512
8079e4fff7ba2e88386b908017880441cd8e4a2301b9cd56a85ca960c609b9a7a95216732219af3d709b2e035d8fca68ed69114689952aeda57394ca768319e8
-
Filesize
57B
MD5
6b3bfceb3942a9508a2148acbee89007
SHA1
3622ac7466cc40f50515eb6fcdc15d1f34ad3be3
SHA256
e0a7bae2a9ac263cff5d725922e40272d8854278d901233a93a5267859c00a3c
SHA512
fa222bfcade636824af32124b45450c92b1abec7a33e6e647a9248eef5371c127d22ccb7cc5a096b4d5d52e2457f3841293a1b34304e8e5523549856ac02f224
-
Filesize
40KB
MD5
3ef1c7215091e71cc869d4bae25bd8e6
SHA1
7aea7c89e8ed7b53ec828de7ba17c45fe510a6be
SHA256
b549fa9002ce39ae7df3f2f027372cadc9d19b10c3f220ba323d2b85d5cbe190
SHA512
7a081a78d43de844f957cdb39ffd69caf9fceb6889cab95e52fae9f5814d0ef6bcfa341d2658545bf9556f2fe9574be41086f272d3d255a77f3bc1e67c102a00