xred | 90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe
Size

3.6MB
MD5

c2972d792053690ef2691934ceaa9c3b
SHA1

ed118d6e81af163e6596d31981a594b334efd7eb
SHA256

90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904
SHA512

fec10ed87dd11db615e752f338995dc482a46bf2a5b0337bd9e30b67e9cbbf1f6e061665f79ee5f920e960af0312b34cc16de6ef10e456be0400e117518f7695
SSDEEP

98304:5nsmtk2aKXzhW148Pd+Tf1mpcOldJQ3/Vk3Y:FLtFK4s0TfLOdo/d

Score

10^/10

xred backdoor discovery evasion macro persistence themida trojan

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

spoolsv.exe._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svchost.exe

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

Processes:

resource
C:\Users\Admin\AppData\Local\Temp\EOqJAsZa.xlsm

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

._cache_Synaptics.exesvchost.exespoolsv.exespoolsv.exeicsys.icn.exeexplorer.exe._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe

Executes dropped EXE 9 IoCs

Processes:

._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2804	._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe
2872	Synaptics.exe
2624	._cache_Synaptics.exe
2220	._cache_synaptics.exe
2544	icsys.icn.exe
2636	explorer.exe
2096	spoolsv.exe
1820	svchost.exe
1160	spoolsv.exe

Loads dropped DLL 11 IoCs

Processes:

90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exeSynaptics.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

pid	process
2984	90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe
2984	90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe
2984	90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe
2872	Synaptics.exe
2872	Synaptics.exe
2624	._cache_Synaptics.exe
2624	._cache_Synaptics.exe
2544	icsys.icn.exe
2636	explorer.exe
2096	spoolsv.exe
1820	svchost.exe

Themida packer 28 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe	themida
behavioral1/memory/2984-16-0x0000000005A90000-0x00000000060A6000-memory.dmp	themida
behavioral1/memory/2804-18-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2624-38-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
\Windows\Resources\Themes\icsys.icn.exe	themida
behavioral1/memory/2544-70-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
\Windows\Resources\Themes\explorer.exe	themida
behavioral1/memory/2636-94-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
\Windows\Resources\spoolsv.exe	themida
behavioral1/memory/2636-105-0x0000000003680000-0x0000000003C96000-memory.dmp	themida
behavioral1/memory/2804-104-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2096-109-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2624-116-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
\Windows\Resources\svchost.exe	themida
behavioral1/memory/1820-123-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2544-133-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/1160-134-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/1160-140-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2096-152-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2544-155-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2624-157-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2636-159-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2636-186-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/1820-187-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2636-209-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2636-241-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/1820-242-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/1820-266-0x0000000000400000-0x0000000000A16000-memory.dmp	themida

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exeexplorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Checks whether UAC is enabled 1 TTPs 7 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe._cache_Synaptics.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	._cache_Synaptics.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2804	._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe
2624	._cache_Synaptics.exe
2544	icsys.icn.exe
2636	explorer.exe
2096	spoolsv.exe
1820	svchost.exe
1160	spoolsv.exe

Drops file in Windows directory 5 IoCs

Processes:

explorer.exe._cache_Synaptics.exeicsys.icn.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exeSynaptics.exe._cache_Synaptics.exeEXCEL.EXE._cache_synaptics.exe explorer.exeicsys.icn.exespoolsv.exeschtasks.exesvchost.exe._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exespoolsv.exeschtasks.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2300 schtasks.exe
2132 schtasks.exe
624 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2312 EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
2300	schtasks.exe
2132	schtasks.exe
624	schtasks.exe

pid	process
2312	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

._cache_Synaptics.exeicsys.icn.exeexplorer.exesvchost.exe

pid	process
2624	._cache_Synaptics.exe
2624	._cache_Synaptics.exe
2624	._cache_Synaptics.exe
2624	._cache_Synaptics.exe
2624	._cache_Synaptics.exe
2624	._cache_Synaptics.exe
2624	._cache_Synaptics.exe
2624	._cache_Synaptics.exe
2624	._cache_Synaptics.exe
2624	._cache_Synaptics.exe
2624	._cache_Synaptics.exe
2624	._cache_Synaptics.exe
2624	._cache_Synaptics.exe
2624	._cache_Synaptics.exe
2624	._cache_Synaptics.exe
2624	._cache_Synaptics.exe
2544	icsys.icn.exe
2544	icsys.icn.exe
2544	icsys.icn.exe
2544	icsys.icn.exe
2544	icsys.icn.exe
2544	icsys.icn.exe
2544	icsys.icn.exe
2544	icsys.icn.exe
2544	icsys.icn.exe
2544	icsys.icn.exe
2544	icsys.icn.exe
2544	icsys.icn.exe
2544	icsys.icn.exe
2544	icsys.icn.exe
2544	icsys.icn.exe
2544	icsys.icn.exe
2544	icsys.icn.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
1820	svchost.exe
1820	svchost.exe
1820	svchost.exe
1820	svchost.exe
1820	svchost.exe
1820	svchost.exe
1820	svchost.exe
1820	svchost.exe
1820	svchost.exe
1820	svchost.exe
1820	svchost.exe
1820	svchost.exe
1820	svchost.exe
1820	svchost.exe
1820	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2636 explorer.exe
1820 svchost.exe

pid	process
2636	explorer.exe
1820	svchost.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

._cache_Synaptics.exeEXCEL.EXEicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2624	._cache_Synaptics.exe
2312	EXCEL.EXE
2624	._cache_Synaptics.exe
2544	icsys.icn.exe
2544	icsys.icn.exe
2636	explorer.exe
2636	explorer.exe
2096	spoolsv.exe
2096	spoolsv.exe
1820	svchost.exe
1820	svchost.exe
1160	spoolsv.exe
1160	spoolsv.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exeSynaptics.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 2984 wrote to memory of 2804	2984	90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe	._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe
PID 2984 wrote to memory of 2804	2984	90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe	._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe
PID 2984 wrote to memory of 2804	2984	90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe	._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe
PID 2984 wrote to memory of 2804	2984	90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe	._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe
PID 2984 wrote to memory of 2872	2984	90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe	Synaptics.exe
PID 2984 wrote to memory of 2872	2984	90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe	Synaptics.exe
PID 2984 wrote to memory of 2872	2984	90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe	Synaptics.exe
PID 2984 wrote to memory of 2872	2984	90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe	Synaptics.exe
PID 2872 wrote to memory of 2624	2872	Synaptics.exe	._cache_Synaptics.exe
PID 2872 wrote to memory of 2624	2872	Synaptics.exe	._cache_Synaptics.exe
PID 2872 wrote to memory of 2624	2872	Synaptics.exe	._cache_Synaptics.exe
PID 2872 wrote to memory of 2624	2872	Synaptics.exe	._cache_Synaptics.exe
PID 2624 wrote to memory of 2220	2624	._cache_Synaptics.exe	._cache_synaptics.exe
PID 2624 wrote to memory of 2220	2624	._cache_Synaptics.exe	._cache_synaptics.exe
PID 2624 wrote to memory of 2220	2624	._cache_Synaptics.exe	._cache_synaptics.exe
PID 2624 wrote to memory of 2220	2624	._cache_Synaptics.exe	._cache_synaptics.exe
PID 2624 wrote to memory of 2220	2624	._cache_Synaptics.exe	._cache_synaptics.exe
PID 2624 wrote to memory of 2220	2624	._cache_Synaptics.exe	._cache_synaptics.exe
PID 2624 wrote to memory of 2220	2624	._cache_Synaptics.exe	._cache_synaptics.exe
PID 2624 wrote to memory of 2544	2624	._cache_Synaptics.exe	icsys.icn.exe
PID 2624 wrote to memory of 2544	2624	._cache_Synaptics.exe	icsys.icn.exe
PID 2624 wrote to memory of 2544	2624	._cache_Synaptics.exe	icsys.icn.exe
PID 2624 wrote to memory of 2544	2624	._cache_Synaptics.exe	icsys.icn.exe
PID 2544 wrote to memory of 2636	2544	icsys.icn.exe	explorer.exe
PID 2544 wrote to memory of 2636	2544	icsys.icn.exe	explorer.exe
PID 2544 wrote to memory of 2636	2544	icsys.icn.exe	explorer.exe
PID 2544 wrote to memory of 2636	2544	icsys.icn.exe	explorer.exe
PID 2636 wrote to memory of 2096	2636	explorer.exe	spoolsv.exe
PID 2636 wrote to memory of 2096	2636	explorer.exe	spoolsv.exe
PID 2636 wrote to memory of 2096	2636	explorer.exe	spoolsv.exe
PID 2636 wrote to memory of 2096	2636	explorer.exe	spoolsv.exe
PID 2096 wrote to memory of 1820	2096	spoolsv.exe	svchost.exe
PID 2096 wrote to memory of 1820	2096	spoolsv.exe	svchost.exe
PID 2096 wrote to memory of 1820	2096	spoolsv.exe	svchost.exe
PID 2096 wrote to memory of 1820	2096	spoolsv.exe	svchost.exe
PID 1820 wrote to memory of 1160	1820	svchost.exe	spoolsv.exe
PID 1820 wrote to memory of 1160	1820	svchost.exe	spoolsv.exe
PID 1820 wrote to memory of 1160	1820	svchost.exe	spoolsv.exe
PID 1820 wrote to memory of 1160	1820	svchost.exe	spoolsv.exe
PID 2636 wrote to memory of 1780	2636	explorer.exe	Explorer.exe
PID 2636 wrote to memory of 1780	2636	explorer.exe	Explorer.exe
PID 2636 wrote to memory of 1780	2636	explorer.exe	Explorer.exe
PID 2636 wrote to memory of 1780	2636	explorer.exe	Explorer.exe
PID 1820 wrote to memory of 624	1820	svchost.exe	schtasks.exe
PID 1820 wrote to memory of 624	1820	svchost.exe	schtasks.exe
PID 1820 wrote to memory of 624	1820	svchost.exe	schtasks.exe
PID 1820 wrote to memory of 624	1820	svchost.exe	schtasks.exe
PID 1820 wrote to memory of 2300	1820	svchost.exe	schtasks.exe
PID 1820 wrote to memory of 2300	1820	svchost.exe	schtasks.exe
PID 1820 wrote to memory of 2300	1820	svchost.exe	schtasks.exe
PID 1820 wrote to memory of 2300	1820	svchost.exe	schtasks.exe
PID 1820 wrote to memory of 2132	1820	svchost.exe	schtasks.exe
PID 1820 wrote to memory of 2132	1820	svchost.exe	schtasks.exe
PID 1820 wrote to memory of 2132	1820	svchost.exe	schtasks.exe
PID 1820 wrote to memory of 2132	1820	svchost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe
"C:\Users\Admin\AppData\Local\Temp\90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Local\Temp\._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:2804
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
      c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2220
  - - C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2544
    - - \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        7⤵
        Modifies visiblity of hidden/system files in Explorer
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1160
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:08 /f
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:624
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:09 /f
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2300
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:10 /f
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2132
      - C:\Windows\Explorer.exe
        
        C:\Windows\Explorer.exe
        6⤵
        
        PID:1780

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
3.6MB

MD5
c2972d792053690ef2691934ceaa9c3b

SHA1
ed118d6e81af163e6596d31981a594b334efd7eb

SHA256
90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904

SHA512
fec10ed87dd11db615e752f338995dc482a46bf2a5b0337bd9e30b67e9cbbf1f6e061665f79ee5f920e960af0312b34cc16de6ef10e456be0400e117518f7695

Download Submit
C:\Users\Admin\AppData\Local\Temp\EOqJAsZa.xlsm

Filesize
23KB

MD5
92a729377efa21589aa6acf4eb314b2a

SHA1
8765e2abd78775c082b2227d81109df3a10a1c52

SHA256
334b985b1b6652d852f4e5fecb4d83c74d4a4df4c501698d3b4b99b4b38db56a

SHA512
eefb9c1108fcf4304720e4633661d2d0d2e96f14460f5be0c6f23f29e1ec85f5f07412d266fe87062a549937907a9dd9ab14a554f0b92760630eb247145052b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\EOqJAsZa.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\EOqJAsZa.xlsm

Filesize
26KB

MD5
39f5486f2283ab2696243ccac25e3d03

SHA1
78a65e8284d5b8384dcfbe9361504204f83aa51b

SHA256
d6f1af444a6c9cf9998c7e216d93f7ea1efe5a11b555f3dd7bc9f25c20d99331

SHA512
0da505846131ee8b41e4fe5cff4af483de31096564daee6cf249621c70c50255b8d2c51769c042a10bafd6add6df4947450e1eb98623241a4c066df8713b1a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EOqJAsZa.xlsm

Filesize
24KB

MD5
6173c031fa60f85c612db96d5157a663

SHA1
335b706b77e51da0eed49e1993eb2ca060387453

SHA256
32547ac6ac234e304488d2cd2e528dfc78eaf82c8d54efe84cf594ce4e391f95

SHA512
8acc35daa1c62c663cd348e8a92d2d92b7a86c498c39f6b3a136c0e246951ac11be1c8cdc3dce40968f7971d000b27ce3bba0f567d775683402f858c1ba4bff2

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_90525c27b1aaf55a465127b8fc26818ecec0c1fae0962d39d9d9c3ab81d13904.exe

Filesize
2.9MB

MD5
e6e46dcb7b705fd81d734400be4509ee

SHA1
89c64904baa6da8ab8fe8f338830080bd9caf1bb

SHA256
00f214326e5ce3cf86fa2871e0e130cb420fcf2ed726a3adf4fc5554a946546c

SHA512
2e81d5469756a65e2ee363ac6aa7bb957425e0c9b323f64816ff05bf575cba98cdf3e412b0996c583d82d44c2b3a5603ab706eb33039cc5576769f906f72cf5f

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_synaptics.exe

Filesize
288KB

MD5
2cbd6ad183914a0c554f0739069e77d7

SHA1
7bf35f2afca666078db35ca95130beb2e3782212

SHA256
2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f

SHA512
ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
2.6MB

MD5
b9f8cf4e911f7a7e8bfc974358427c4e

SHA1
8ab760061895e00a248962604c498fe8ca26f5e4

SHA256
1bd2aa2ba5df037ef92cb2ee0c6bbe73bdf7ff54619fe5f426c194e8d1604c55

SHA512
d067ba3aa0afa8b0e3776fc42681c0e5b063de4b0082b77d9ad8b4090f417a1e1245265f42fa999a44b7bc1eaee49ac70e2e50567ac420a147d43bcb8cf8d936

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
2.6MB

MD5
b309b01a70b3626e8ed42f1e9b7b4044

SHA1
7f86f99254693a333ad4e4a61b14c9e5761cf089

SHA256
ca5e53e2c25cf51c3a04101f84a8e3b880edc6b73a526f92ce27f56689074929

SHA512
614ba3ce52e6a07ae5ca5c70d1d321c5998de9a645c5bfca44b07730394a62d08537705a3f595e6fba912f919c80201bb028a2f43714e23a9ea72b1d4bc81340

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
2.6MB

MD5
f3e7d5772ce89e8295e4e96564884b34

SHA1
f8d4146f0cbe4e3ba219c77b95992c62f4b98d4a

SHA256
83e2248c4f0feff2e270dc88bcff7541f96cc9a2e406b9fe4e4407e12799993a

SHA512
291efa25a7a5f0b4cb33e0b3f8f0adc47a32deba613209ad4a863b6e5b13ec3211e78800a4a4e0c56744548fd31bf7b15e5c6964a7a0c370be1aaa7c664e92d7

Download Submit
\Windows\Resources\svchost.exe

Filesize
2.6MB

MD5
e736226909896c36ee3086a2f222d32f

SHA1
bd897549827a2b2cdbcd595d88977a0f6031e4b6

SHA256
6f821bdaf3e4d945212a0b38c730afbc2ac2b0c0f6213e1a4506413502760e2f

SHA512
41c763c9583aa7cb418946c9ee877529bfb154e437e1796bde93d0b7b5e30c3590f9afa160dac42b8c66e3cfadb57e35ee1232b3bd4597279c15d85feae0ab03

Download Submit
memory/1160-140-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1160-134-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1820-187-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1820-189-0x0000000003150000-0x0000000003766000-memory.dmp

Filesize
6.1MB

Download
memory/1820-242-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1820-123-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1820-129-0x0000000003150000-0x0000000003766000-memory.dmp

Filesize
6.1MB

Download
memory/1820-266-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2096-152-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2096-109-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2096-120-0x00000000035D0000-0x0000000003BE6000-memory.dmp

Filesize
6.1MB

Download
memory/2312-40-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2312-185-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2544-70-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2544-155-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2544-133-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2544-93-0x0000000003690000-0x0000000003CA6000-memory.dmp

Filesize
6.1MB

Download
memory/2544-153-0x0000000003690000-0x0000000003CA6000-memory.dmp

Filesize
6.1MB

Download
memory/2624-116-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2624-38-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2624-69-0x0000000003460000-0x0000000003A76000-memory.dmp

Filesize
6.1MB

Download
memory/2624-122-0x0000000003460000-0x0000000003A76000-memory.dmp

Filesize
6.1MB

Download
memory/2624-157-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2636-159-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2636-186-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2636-241-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2636-105-0x0000000003680000-0x0000000003C96000-memory.dmp

Filesize
6.1MB

Download
memory/2636-209-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2636-94-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2804-104-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2804-18-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2872-108-0x0000000005730000-0x0000000005D46000-memory.dmp

Filesize
6.1MB

Download
memory/2872-37-0x0000000005730000-0x0000000005D46000-memory.dmp

Filesize
6.1MB

Download
memory/2872-191-0x0000000000400000-0x00000000007A0000-memory.dmp

Filesize
3.6MB

Download
memory/2872-195-0x0000000000400000-0x00000000007A0000-memory.dmp

Filesize
3.6MB

Download
memory/2872-158-0x0000000000400000-0x00000000007A0000-memory.dmp

Filesize
3.6MB

Download
memory/2872-244-0x0000000000400000-0x00000000007A0000-memory.dmp

Filesize
3.6MB

Download
memory/2984-27-0x0000000000400000-0x00000000007A0000-memory.dmp

Filesize
3.6MB

Download
memory/2984-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2984-16-0x0000000005A90000-0x00000000060A6000-memory.dmp

Filesize
6.1MB

Download