xred | 7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
Size

4.1MB
MD5

d7a3723ed09e9d1510f75ca35aba5ea7
SHA1

b6265bc2091d20ed0a3715f0bb47371d49f9c65f
SHA256

7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed
SHA512

e02e9729de1f37bf8369c0869c3dc11c65f91a8a3a11ee463b26fb8fbd878fe1acb9ee7da32177ad726b7fc13ec7e96892ac3145cf96fe0dfa05c6313d5d836a
SSDEEP

98304:Vnsmtk2aEXzhW148Pd+Tf1mpcOldJQ3/V11v3jypj:pLnFK4s0TfLOdo/HV3epj

Score

10^/10

xred backdoor discovery evasion persistence themida trojan

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorer.exespoolsv.exesvchost.exeicsys.icn.exe._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exespoolsv.exe._cache_Synaptics.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	._cache_Synaptics.exe

Executes dropped EXE 11 IoCs

Processes:

._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exe._cache_synaptics.exe explorer.exe._cache_synaptics.exe spoolsv.exesvchost.exespoolsv.exe

pid	process
2568	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
2244	Synaptics.exe
2888	._cache_Synaptics.exe
2520	._cache_synaptics.exe
2700	icsys.icn.exe
572	._cache_synaptics.exe
1220	explorer.exe
2140	._cache_synaptics.exe
2288	spoolsv.exe
1656	svchost.exe
956	spoolsv.exe

Loads dropped DLL 11 IoCs

Processes:

7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exeSynaptics.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

pid	process
2532	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
2532	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
2532	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
2244	Synaptics.exe
2244	Synaptics.exe
2888	._cache_Synaptics.exe
2888	._cache_Synaptics.exe
2700	icsys.icn.exe
1220	explorer.exe
2288	spoolsv.exe
1656	svchost.exe

Themida packer 23 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe	themida
behavioral1/memory/2568-18-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2888-38-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2700-77-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
C:\Windows\Resources\Themes\icsys.icn.exe	themida
C:\Windows\Resources\Themes\explorer.exe	themida
behavioral1/memory/1220-109-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2288-130-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
C:\Windows\Resources\spoolsv.exe	themida
C:\Windows\Resources\svchost.exe	themida
behavioral1/memory/1656-156-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2888-166-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/956-169-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2288-170-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2888-175-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2700-172-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2568-157-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/1220-178-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/1656-182-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/1220-183-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/1220-211-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/1220-246-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/1656-267-0x0000000000400000-0x0000000000A16000-memory.dmp	themida

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe

Checks whether UAC is enabled 1 TTPs 7 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

spoolsv.exe._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2568	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
2888	._cache_Synaptics.exe
2700	icsys.icn.exe
1220	explorer.exe
2288	spoolsv.exe
1656	svchost.exe
956	spoolsv.exe

Drops file in Windows directory 6 IoCs

Processes:

explorer.exe._cache_Synaptics.exeicsys.icn.exespoolsv.exemakecab.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20241125013840.cab	makecab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Synaptics.exeschtasks.exeEXCEL.EXEexplorer.exespoolsv.exe7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe._cache_Synaptics.exe._cache_synaptics.exe svchost.exeschtasks.exe._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exeicsys.icn.exespoolsv.exeschtasks.exe._cache_synaptics.exe ._cache_synaptics.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

920 schtasks.exe
2668 schtasks.exe
2040 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3024 EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
920	schtasks.exe
2668	schtasks.exe
2040	schtasks.exe

pid	process
3024	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exe._cache_synaptics.exe svchost.exe

pid	process
2888	._cache_Synaptics.exe
2888	._cache_Synaptics.exe
2888	._cache_Synaptics.exe
2888	._cache_Synaptics.exe
2888	._cache_Synaptics.exe
2888	._cache_Synaptics.exe
2888	._cache_Synaptics.exe
2888	._cache_Synaptics.exe
2888	._cache_Synaptics.exe
2888	._cache_Synaptics.exe
2888	._cache_Synaptics.exe
2888	._cache_Synaptics.exe
2888	._cache_Synaptics.exe
2888	._cache_Synaptics.exe
2888	._cache_Synaptics.exe
2888	._cache_Synaptics.exe
2520	._cache_synaptics.exe
2520	._cache_synaptics.exe
2700	icsys.icn.exe
2700	icsys.icn.exe
2700	icsys.icn.exe
2700	icsys.icn.exe
2700	icsys.icn.exe
2700	icsys.icn.exe
2700	icsys.icn.exe
2700	icsys.icn.exe
2700	icsys.icn.exe
2700	icsys.icn.exe
2700	icsys.icn.exe
2700	icsys.icn.exe
2700	icsys.icn.exe
2700	icsys.icn.exe
2700	icsys.icn.exe
2700	icsys.icn.exe
2700	icsys.icn.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
1220	explorer.exe
572	._cache_synaptics.exe
572	._cache_synaptics.exe
1656	svchost.exe
1656	svchost.exe
1656	svchost.exe
1656	svchost.exe
1656	svchost.exe
1656	svchost.exe
1656	svchost.exe
1656	svchost.exe
1656	svchost.exe
1656	svchost.exe
1656	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

1220 explorer.exe
1656 svchost.exe

pid	process
1220	explorer.exe
1656	svchost.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

._cache_synaptics.exe ._cache_synaptics.exe

description	pid	process
Token: SeDebugPrivilege	2520	._cache_synaptics.exe
Token: SeAssignPrimaryTokenPrivilege	2520	._cache_synaptics.exe
Token: SeIncreaseQuotaPrivilege	2520	._cache_synaptics.exe
Token: 0	2520	._cache_synaptics.exe
Token: SeDebugPrivilege	572	._cache_synaptics.exe
Token: SeAssignPrimaryTokenPrivilege	572	._cache_synaptics.exe
Token: SeIncreaseQuotaPrivilege	572	._cache_synaptics.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

._cache_Synaptics.exeEXCEL.EXEicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2888	._cache_Synaptics.exe
3024	EXCEL.EXE
2888	._cache_Synaptics.exe
2700	icsys.icn.exe
2700	icsys.icn.exe
1220	explorer.exe
1220	explorer.exe
2288	spoolsv.exe
2288	spoolsv.exe
1656	svchost.exe
1656	svchost.exe
956	spoolsv.exe
956	spoolsv.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exeSynaptics.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 2532 wrote to memory of 2568	2532	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
PID 2532 wrote to memory of 2568	2532	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
PID 2532 wrote to memory of 2568	2532	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
PID 2532 wrote to memory of 2568	2532	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
PID 2532 wrote to memory of 2244	2532	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe	Synaptics.exe
PID 2532 wrote to memory of 2244	2532	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe	Synaptics.exe
PID 2532 wrote to memory of 2244	2532	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe	Synaptics.exe
PID 2532 wrote to memory of 2244	2532	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe	Synaptics.exe
PID 2244 wrote to memory of 2888	2244	Synaptics.exe	._cache_Synaptics.exe
PID 2244 wrote to memory of 2888	2244	Synaptics.exe	._cache_Synaptics.exe
PID 2244 wrote to memory of 2888	2244	Synaptics.exe	._cache_Synaptics.exe
PID 2244 wrote to memory of 2888	2244	Synaptics.exe	._cache_Synaptics.exe
PID 2888 wrote to memory of 2520	2888	._cache_Synaptics.exe	._cache_synaptics.exe
PID 2888 wrote to memory of 2520	2888	._cache_Synaptics.exe	._cache_synaptics.exe
PID 2888 wrote to memory of 2520	2888	._cache_Synaptics.exe	._cache_synaptics.exe
PID 2888 wrote to memory of 2520	2888	._cache_Synaptics.exe	._cache_synaptics.exe
PID 2888 wrote to memory of 2700	2888	._cache_Synaptics.exe	icsys.icn.exe
PID 2888 wrote to memory of 2700	2888	._cache_Synaptics.exe	icsys.icn.exe
PID 2888 wrote to memory of 2700	2888	._cache_Synaptics.exe	icsys.icn.exe
PID 2888 wrote to memory of 2700	2888	._cache_Synaptics.exe	icsys.icn.exe
PID 2700 wrote to memory of 1220	2700	icsys.icn.exe	explorer.exe
PID 2700 wrote to memory of 1220	2700	icsys.icn.exe	explorer.exe
PID 2700 wrote to memory of 1220	2700	icsys.icn.exe	explorer.exe
PID 2700 wrote to memory of 1220	2700	icsys.icn.exe	explorer.exe
PID 1220 wrote to memory of 2288	1220	explorer.exe	spoolsv.exe
PID 1220 wrote to memory of 2288	1220	explorer.exe	spoolsv.exe
PID 1220 wrote to memory of 2288	1220	explorer.exe	spoolsv.exe
PID 1220 wrote to memory of 2288	1220	explorer.exe	spoolsv.exe
PID 2288 wrote to memory of 1656	2288	spoolsv.exe	svchost.exe
PID 2288 wrote to memory of 1656	2288	spoolsv.exe	svchost.exe
PID 2288 wrote to memory of 1656	2288	spoolsv.exe	svchost.exe
PID 2288 wrote to memory of 1656	2288	spoolsv.exe	svchost.exe
PID 1656 wrote to memory of 956	1656	svchost.exe	spoolsv.exe
PID 1656 wrote to memory of 956	1656	svchost.exe	spoolsv.exe
PID 1656 wrote to memory of 956	1656	svchost.exe	spoolsv.exe
PID 1656 wrote to memory of 956	1656	svchost.exe	spoolsv.exe
PID 1220 wrote to memory of 280	1220	explorer.exe	Explorer.exe
PID 1220 wrote to memory of 280	1220	explorer.exe	Explorer.exe
PID 1220 wrote to memory of 280	1220	explorer.exe	Explorer.exe
PID 1220 wrote to memory of 280	1220	explorer.exe	Explorer.exe
PID 1656 wrote to memory of 920	1656	svchost.exe	schtasks.exe
PID 1656 wrote to memory of 920	1656	svchost.exe	schtasks.exe
PID 1656 wrote to memory of 920	1656	svchost.exe	schtasks.exe
PID 1656 wrote to memory of 920	1656	svchost.exe	schtasks.exe
PID 1656 wrote to memory of 2668	1656	svchost.exe	schtasks.exe
PID 1656 wrote to memory of 2668	1656	svchost.exe	schtasks.exe
PID 1656 wrote to memory of 2668	1656	svchost.exe	schtasks.exe
PID 1656 wrote to memory of 2668	1656	svchost.exe	schtasks.exe
PID 1656 wrote to memory of 2040	1656	svchost.exe	schtasks.exe
PID 1656 wrote to memory of 2040	1656	svchost.exe	schtasks.exe
PID 1656 wrote to memory of 2040	1656	svchost.exe	schtasks.exe
PID 1656 wrote to memory of 2040	1656	svchost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
"C:\Users\Admin\AppData\Local\Temp\7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\Temp\._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:2568
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
      c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2520
    - - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        "c:\users\admin\appdata\local\temp\._cache_synaptics.exe " InjUpdate
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
      - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        "c:\users\admin\appdata\local\temp\._cache_synaptics.exe " /TI/ InjUpdate
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2140
  - - C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2700
    - - \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1220
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        7⤵
        Modifies visiblity of hidden/system files in Explorer
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:956
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:40 /f
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:920
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:41 /f
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2668
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:42 /f
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2040
      - C:\Windows\Explorer.exe
        
        C:\Windows\Explorer.exe
        6⤵
        
        PID:280

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3024

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241125013840.log C:\Windows\Logs\CBS\CbsPersist_20241125013840.cab
1⤵
- Drops file in Windows directory
PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
4.1MB

MD5
d7a3723ed09e9d1510f75ca35aba5ea7

SHA1
b6265bc2091d20ed0a3715f0bb47371d49f9c65f

SHA256
7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed

SHA512
e02e9729de1f37bf8369c0869c3dc11c65f91a8a3a11ee463b26fb8fbd878fe1acb9ee7da32177ad726b7fc13ec7e96892ac3145cf96fe0dfa05c6313d5d836a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4lgPj71s.xlsm

Filesize
25KB

MD5
a590464953ddb2e17068c12da95e7ab5

SHA1
95d2f7dde049ad839aded5048765c998bf1a8c28

SHA256
6ded1f68d4d05a9942dc66340eecaf223c1bb1bd78357c6124bc5b9fdf33dce0

SHA512
871e75f20b0d270988e5108e86c00aee110b9c817739034154100e83fab0a6c97cf6b0d99ea07dce8b2b393e7ee8b01aca518089ecc6ff2faa8f539bb6ffc44f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4lgPj71s.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
2.6MB

MD5
7a80e0ecdb8cee2481e117caaa97cfcc

SHA1
7b3f199c33915472833870f2c0c15c2aa3ba2542

SHA256
d6fbc6aca1dcbe464ecfa222cbedd78bafba4c6a13415904da79afb6e1fb58b8

SHA512
c4d1b55dda2edb313f345c38dbc93b55d5ad919508bbb52ef5f019e7abf3a87c089f7c5eeb6cb2a61833d1fcf9354d767479a0a4445155bca0b2433f6dada557

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
2.6MB

MD5
02da612c2a12a61524dd5b95f1ad1f0f

SHA1
672ef806475880f58483b111acc7cf8bfd77ce6c

SHA256
d3b0de7c01802869be2c1233a491a2b94945e2fc82a3c3719365a9746477a24d

SHA512
0a4c32617c2a94d7eba6435a72e0b718f2e37ac80b67414bec0d60f8a2df43fb902bc682aa585d03fa04cab145236fe42d541b7d60cee796619c9523fbb322d8

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
2.6MB

MD5
1a20a647b31abe9f77dc81e2253e6064

SHA1
d6bbaa99de126e4e615aba2421cd4a2d5cbe0419

SHA256
cce2506e1c6fd632b19b5e6601c54544cc6a8e54ee9cbfa681c5324813a33610

SHA512
3128b0a8adc9d421da44c2cb2e8457093d247bc7a861ee73639ae6f653ee0731be157f6165d2ed9fa6162d0fb73dc0776374bfaec21d42281c43e72bb0c5c245

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
2.6MB

MD5
3abdae8909bf959bb8fecd0ffeb3dffd

SHA1
59f3d6d2239a1a265da5aa4e94a35fba8196ced7

SHA256
ea3de221db7cfb14edd06fa7ad51d4b9adc855997013597fca17bb8d096cfac9

SHA512
fb9929fc738aa409cc61170dd81cc1f092f9c32cac062a1af9354670e3f42ea8c51608b885911b7ef013fb5e6e6e184970e9818e8da082fd5a0f68f06941b333

Download Submit
C:\Windows\Temp\autAFA0.tmp

Filesize
25KB

MD5
d5c0165d31fb3813f8646555a5758881

SHA1
f517870ae53ddc77512d36debb44468da3edbd8e

SHA256
6916a5d078c6daf3db977ae55853cc4eef93e24328c8e8ef955220d10c7052b9

SHA512
21fa61a736ce0dd802aae7c81efeb5ae2f2319f34aadee941ea87dfeda3431f36a278513fbab6e33a028e6b7ee024cd51333fd31ce645dd92598e078e3313219

Download Submit
C:\Windows\Temp\phtwpql

Filesize
86KB

MD5
2cc29be38bd5a1e14386c7186a7f6959

SHA1
858df624a55d519b8f1e597850c867b97cbcbc7b

SHA256
1f8a85d2720b2cbeeadfb92ac471a3902c128f13cf04e0d59bbff54f786943a0

SHA512
0a39e8dbf9dad26e085de227679447586f3923fc3d2d3df219e9b837723cbc026af592d30ae25195338b627c1526b114f98527e37d51072a48083213915b0cbe

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe

Filesize
3.3MB

MD5
923d00022b92bfbc27f875cf19f03e10

SHA1
5b015ccd1eaf741ef16dc1d7bc97d53dc8cfca98

SHA256
26902e46a1dda71d501c54d348dc242adf97032c630199307f8b432eed4afde6

SHA512
274011c0320b7f242a5e7aac066b7a8b10f4d08b657b4cc348630d7e84dc7e9c2fd260f6d1e818cdcb9eedb30ca374d8f0a6717b95e0388e12fdac96fd6dfb38

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_synaptics.exe

Filesize
771KB

MD5
fe260da05d0512b65eec3e4cec4ea17c

SHA1
8915d023e9a5dfbba722b6d9678cbafe6a3b3630

SHA256
9dd559318f745949f4b68015033866a5ff02afea3fce22fca28e5bc33de40fc8

SHA512
bf875821c7b4bd21b458e248d657a23378493066a77113786c67ac94d8632f90fcb2da183ab842c5fab1ecedb80e2b143c0ffb24dc864264f3386eff3f929f5b

Download Submit
memory/956-169-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1220-129-0x0000000003900000-0x0000000003F16000-memory.dmp

Filesize
6.1MB

Download
memory/1220-178-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1220-183-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1220-179-0x0000000003900000-0x0000000003F16000-memory.dmp

Filesize
6.1MB

Download
memory/1220-211-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1220-109-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1220-246-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1656-156-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1656-267-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1656-182-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1656-168-0x00000000032E0000-0x00000000038F6000-memory.dmp

Filesize
6.1MB

Download
memory/1656-184-0x00000000032E0000-0x00000000038F6000-memory.dmp

Filesize
6.1MB

Download
memory/2244-181-0x0000000000400000-0x0000000000819000-memory.dmp

Filesize
4.1MB

Download
memory/2244-245-0x0000000000400000-0x0000000000819000-memory.dmp

Filesize
4.1MB

Download
memory/2244-37-0x0000000005940000-0x0000000005F56000-memory.dmp

Filesize
6.1MB

Download
memory/2244-165-0x0000000005940000-0x0000000005F56000-memory.dmp

Filesize
6.1MB

Download
memory/2244-198-0x0000000000400000-0x0000000000819000-memory.dmp

Filesize
4.1MB

Download
memory/2288-150-0x00000000036A0000-0x0000000003CB6000-memory.dmp

Filesize
6.1MB

Download
memory/2288-170-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2288-130-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2532-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2532-27-0x0000000000400000-0x0000000000819000-memory.dmp

Filesize
4.1MB

Download
memory/2532-17-0x0000000005A20000-0x0000000006036000-memory.dmp

Filesize
6.1MB

Download
memory/2568-157-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2568-18-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2700-172-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2700-108-0x00000000038C0000-0x0000000003ED6000-memory.dmp

Filesize
6.1MB

Download
memory/2700-77-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2888-175-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2888-166-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2888-63-0x0000000003290000-0x00000000038A6000-memory.dmp

Filesize
6.1MB

Download
memory/2888-38-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/3024-41-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download