xred | 90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe
Size

3.6MB
MD5

c2972d792053690ef2691934ceaa9c3b
SHA1

ed118d6e81af163e6596d31981a594b334efd7eb
SHA256

90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904
SHA512

fec10ed87dd11db615e752f338995dc482a46bf2a5b0337bd9e30b67e9cbbf1f6e061665f79ee5f920e960af0312b34cc16de6ef10e456be0400e117518f7695
SSDEEP

98304:5nsmtk2aKXzhW148Pd+Tf1mpcOldJQ3/Vk3Y:FLtFK4s0TfLOdo/d

Score

10^/10

xred backdoor discovery evasion persistence themida trojan

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe._cache_Synaptics.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	._cache_Synaptics.exe

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

._cache_Synaptics.exeicsys.icn.exe._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exespoolsv.exeexplorer.exespoolsv.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Synaptics.exe90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe

Executes dropped EXE 9 IoCs

Processes:

._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
3200	._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe
4156	Synaptics.exe
3720	._cache_Synaptics.exe
4036	._cache_synaptics.exe
3744	icsys.icn.exe
3612	explorer.exe
1696	spoolsv.exe
4908	svchost.exe
3572	spoolsv.exe

Themida packer 23 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe	themida
behavioral2/memory/3200-65-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/3720-192-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
C:\Windows\Resources\Themes\icsys.icn.exe	themida
behavioral2/memory/3744-211-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
C:\Windows\Resources\Themes\explorer.exe	themida
behavioral2/memory/3612-220-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
C:\Windows\Resources\spoolsv.exe	themida
behavioral2/memory/1696-229-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
C:\Windows\Resources\svchost.exe	themida
behavioral2/memory/4908-240-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/3572-246-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/3572-251-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/1696-253-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/3744-256-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/3720-258-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/3200-254-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/3612-304-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/3612-305-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/4908-309-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/3612-336-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/4908-340-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/4908-379-0x0000000000400000-0x0000000000A16000-memory.dmp	themida

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

Checks whether UAC is enabled 1 TTPs 7 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

spoolsv.exesvchost.exespoolsv.exe._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
3200	._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe
3720	._cache_Synaptics.exe
3744	icsys.icn.exe
3612	explorer.exe
1696	spoolsv.exe
4908	svchost.exe
3572	spoolsv.exe

Drops file in Windows directory 5 IoCs

Processes:

icsys.icn.exeexplorer.exespoolsv.exe._cache_Synaptics.exe

description	ioc	process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

icsys.icn.exeexplorer.exespoolsv.exespoolsv.exesvchost.exe90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

Processes:

90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exeSynaptics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1728 EXCEL.EXE

pid	process
1728	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

._cache_Synaptics.exeicsys.icn.exe

pid	process
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
3744	icsys.icn.exe
3744	icsys.icn.exe
3744	icsys.icn.exe
3744	icsys.icn.exe
3744	icsys.icn.exe
3744	icsys.icn.exe
3744	icsys.icn.exe
3744	icsys.icn.exe
3744	icsys.icn.exe
3744	icsys.icn.exe
3744	icsys.icn.exe
3744	icsys.icn.exe
3744	icsys.icn.exe
3744	icsys.icn.exe
3744	icsys.icn.exe
3744	icsys.icn.exe
3744	icsys.icn.exe
3744	icsys.icn.exe
3744	icsys.icn.exe
3744	icsys.icn.exe
3744	icsys.icn.exe
3744	icsys.icn.exe
3744	icsys.icn.exe
3744	icsys.icn.exe
3744	icsys.icn.exe
3744	icsys.icn.exe
3744	icsys.icn.exe
3744	icsys.icn.exe
3744	icsys.icn.exe
3744	icsys.icn.exe
3744	icsys.icn.exe
3744	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

3612 explorer.exe
4908 svchost.exe

pid	process
3612	explorer.exe
4908	svchost.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

._cache_Synaptics.exeEXCEL.EXEicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
3720	._cache_Synaptics.exe
3720	._cache_Synaptics.exe
1728	EXCEL.EXE
1728	EXCEL.EXE
3744	icsys.icn.exe
3744	icsys.icn.exe
3612	explorer.exe
3612	explorer.exe
1728	EXCEL.EXE
1728	EXCEL.EXE
1696	spoolsv.exe
1696	spoolsv.exe
4908	svchost.exe
4908	svchost.exe
3572	spoolsv.exe
3572	spoolsv.exe
1728	EXCEL.EXE
1728	EXCEL.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exeSynaptics.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 4732 wrote to memory of 3200	4732	90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe	._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe
PID 4732 wrote to memory of 3200	4732	90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe	._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe
PID 4732 wrote to memory of 3200	4732	90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe	._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe
PID 4732 wrote to memory of 4156	4732	90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe	Synaptics.exe
PID 4732 wrote to memory of 4156	4732	90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe	Synaptics.exe
PID 4732 wrote to memory of 4156	4732	90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe	Synaptics.exe
PID 4156 wrote to memory of 3720	4156	Synaptics.exe	._cache_Synaptics.exe
PID 4156 wrote to memory of 3720	4156	Synaptics.exe	._cache_Synaptics.exe
PID 4156 wrote to memory of 3720	4156	Synaptics.exe	._cache_Synaptics.exe
PID 3720 wrote to memory of 4036	3720	._cache_Synaptics.exe	._cache_synaptics.exe
PID 3720 wrote to memory of 4036	3720	._cache_Synaptics.exe	._cache_synaptics.exe
PID 3720 wrote to memory of 4036	3720	._cache_Synaptics.exe	._cache_synaptics.exe
PID 3720 wrote to memory of 3744	3720	._cache_Synaptics.exe	icsys.icn.exe
PID 3720 wrote to memory of 3744	3720	._cache_Synaptics.exe	icsys.icn.exe
PID 3720 wrote to memory of 3744	3720	._cache_Synaptics.exe	icsys.icn.exe
PID 3744 wrote to memory of 3612	3744	icsys.icn.exe	explorer.exe
PID 3744 wrote to memory of 3612	3744	icsys.icn.exe	explorer.exe
PID 3744 wrote to memory of 3612	3744	icsys.icn.exe	explorer.exe
PID 3612 wrote to memory of 1696	3612	explorer.exe	spoolsv.exe
PID 3612 wrote to memory of 1696	3612	explorer.exe	spoolsv.exe
PID 3612 wrote to memory of 1696	3612	explorer.exe	spoolsv.exe
PID 1696 wrote to memory of 4908	1696	spoolsv.exe	svchost.exe
PID 1696 wrote to memory of 4908	1696	spoolsv.exe	svchost.exe
PID 1696 wrote to memory of 4908	1696	spoolsv.exe	svchost.exe
PID 4908 wrote to memory of 3572	4908	svchost.exe	spoolsv.exe
PID 4908 wrote to memory of 3572	4908	svchost.exe	spoolsv.exe
PID 4908 wrote to memory of 3572	4908	svchost.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe
"C:\Users\Admin\AppData\Local\Temp\90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Users\Admin\AppData\Local\Temp\._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:3200
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4156
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3720
  - - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
      c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4036
  - - C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3744
    - - \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3612
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        7⤵
        Modifies visiblity of hidden/system files in Explorer
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3572

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
3.6MB

MD5
c2972d792053690ef2691934ceaa9c3b

SHA1
ed118d6e81af163e6596d31981a594b334efd7eb

SHA256
90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904

SHA512
fec10ed87dd11db615e752f338995dc482a46bf2a5b0337bd9e30b67e9cbbf1f6e061665f79ee5f920e960af0312b34cc16de6ef10e456be0400e117518f7695

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe

Filesize
2.9MB

MD5
e6e46dcb7b705fd81d734400be4509ee

SHA1
89c64904baa6da8ab8fe8f338830080bd9caf1bb

SHA256
00f214326e5ce3cf86fa2871e0e130cb420fcf2ed726a3adf4fc5554a946546c

SHA512
2e81d5469756a65e2ee363ac6aa7bb957425e0c9b323f64816ff05bf575cba98cdf3e412b0996c583d82d44c2b3a5603ab706eb33039cc5576769f906f72cf5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BBB75E00

Filesize
24KB

MD5
2795fc5843cbb49db3a9af08900c6410

SHA1
6548aac2a256951bc5bfbea7413a2a5df53151b0

SHA256
84aa124705567b9c8a3cf26b37703f686abcabac862e10e357699a9d7f3121e1

SHA512
acc102fb0b4a7ec8d65ab18aa639cd993a0700f694d853648f2493f3db8eba5c47e4681a22421a844c8b2bc27fd6c05b859dee182b83246b717047ab494bbf98

Download Submit
C:\Users\Admin\AppData\Local\Temp\LsB6VfNo.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
2.6MB

MD5
7b524bd2ecc493525c54db2f65b77d90

SHA1
d2984f5d7f7d601c0d52be306d5a32bd48eee1dd

SHA256
bf436303b04ec947cab1532d66e06f1f2b49777792733c44a66e7cc7a12ed219

SHA512
d69399332a4f0122de487688cd6a16efc73f1f2453ac8934ce77dd0b51af64c0b1e69523858b3a6c6c34ea7469c10ff9b380fc341d4254c953176f5b7bf096ec

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
2.6MB

MD5
b309b01a70b3626e8ed42f1e9b7b4044

SHA1
7f86f99254693a333ad4e4a61b14c9e5761cf089

SHA256
ca5e53e2c25cf51c3a04101f84a8e3b880edc6b73a526f92ce27f56689074929

SHA512
614ba3ce52e6a07ae5ca5c70d1d321c5998de9a645c5bfca44b07730394a62d08537705a3f595e6fba912f919c80201bb028a2f43714e23a9ea72b1d4bc81340

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
2.6MB

MD5
3faf2dde2f6615dffa3eee7cc20c2472

SHA1
a6f1fe47ead1b242a8c294b88b9463d38af972a6

SHA256
05599594f35c928f9cae6719c29e1bb966b25bedea23c03d87081cc7a4890281

SHA512
d81a4aa52acf6eb92bc1bf79d8e69a5e6efd0302618dcbe0e7ffc14034aab61f5399f5a135efe19ab2bbd8229518ea6517712b39f4f32fa0ec3e4f1b2f381c95

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
2.6MB

MD5
e4287ad393e06aefbc2105fca322bca9

SHA1
76378dd20383ecbf0d29af44bddb96384bcb3a54

SHA256
0517f76e1e58345221f52ec0d36062da1c174c153786a586d34966b4f8be568d

SHA512
094b028568e4c8b2574b5315c277819a7e1916f0776f9ee3425361e6ba75823a39bdf178dde11cbcc481dfb3afab9a2280911071e3e292c73777c87ea871b00e

Download Submit
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe

Filesize
288KB

MD5
2cbd6ad183914a0c554f0739069e77d7

SHA1
7bf35f2afca666078db35ca95130beb2e3782212

SHA256
2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f

SHA512
ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10

Download Submit
memory/1696-253-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1696-229-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1728-202-0x00007FFD53FF0000-0x00007FFD54000000-memory.dmp

Filesize
64KB

Download
memory/1728-196-0x00007FFD561B0000-0x00007FFD561C0000-memory.dmp

Filesize
64KB

Download
memory/1728-195-0x00007FFD561B0000-0x00007FFD561C0000-memory.dmp

Filesize
64KB

Download
memory/1728-194-0x00007FFD561B0000-0x00007FFD561C0000-memory.dmp

Filesize
64KB

Download
memory/1728-200-0x00007FFD561B0000-0x00007FFD561C0000-memory.dmp

Filesize
64KB

Download
memory/1728-207-0x00007FFD53FF0000-0x00007FFD54000000-memory.dmp

Filesize
64KB

Download
memory/1728-198-0x00007FFD561B0000-0x00007FFD561C0000-memory.dmp

Filesize
64KB

Download
memory/3200-65-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/3200-254-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/3200-71-0x00000000777B4000-0x00000000777B6000-memory.dmp

Filesize
8KB

Download
memory/3572-246-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/3572-251-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/3612-220-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/3612-304-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/3612-336-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/3612-305-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/3720-192-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/3720-258-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/3744-256-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/3744-211-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4156-311-0x0000000000400000-0x00000000007A0000-memory.dmp

Filesize
3.6MB

Download
memory/4156-281-0x0000000000400000-0x00000000007A0000-memory.dmp

Filesize
3.6MB

Download
memory/4156-132-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/4156-357-0x0000000000400000-0x00000000007A0000-memory.dmp

Filesize
3.6MB

Download
memory/4732-0-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/4732-130-0x0000000000400000-0x00000000007A0000-memory.dmp

Filesize
3.6MB

Download
memory/4908-309-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4908-240-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4908-340-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4908-379-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download