xred | 7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
Size

4.1MB
MD5

d7a3723ed09e9d1510f75ca35aba5ea7
SHA1

b6265bc2091d20ed0a3715f0bb47371d49f9c65f
SHA256

7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed
SHA512

e02e9729de1f37bf8369c0869c3dc11c65f91a8a3a11ee463b26fb8fbd878fe1acb9ee7da32177ad726b7fc13ec7e96892ac3145cf96fe0dfa05c6313d5d836a
SSDEEP

98304:Vnsmtk2aEXzhW148Pd+Tf1mpcOldJQ3/V11v3jypj:pLnFK4s0TfLOdo/HV3epj

Score

10^/10

xred backdoor discovery evasion persistence themida trojan

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exespoolsv.exe._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exeexplorer.exespoolsv.exe._cache_Synaptics.exeicsys.icn.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exeSynaptics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 11 IoCs

Processes:

._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe._cache_synaptics.exe ._cache_synaptics.exe

pid	process
2952	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
1776	Synaptics.exe
2708	._cache_Synaptics.exe
1156	._cache_synaptics.exe
916	icsys.icn.exe
1992	explorer.exe
1324	spoolsv.exe
4252	svchost.exe
764	spoolsv.exe
2036	._cache_synaptics.exe
912	._cache_synaptics.exe

Themida packer 23 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe	themida
behavioral2/memory/2952-70-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/2708-192-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
C:\Windows\Resources\Themes\icsys.icn.exe	themida
behavioral2/memory/916-218-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
C:\Windows\Resources\Themes\explorer.exe	themida
behavioral2/memory/1992-227-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
\??\c:\windows\resources\spoolsv.exe	themida
behavioral2/memory/1324-236-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
\??\c:\windows\resources\svchost.exe	themida
behavioral2/memory/4252-248-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/764-253-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/764-266-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/1324-268-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/2708-270-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/2952-289-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/916-324-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/1992-327-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/4252-333-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/1992-354-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/1992-378-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/4252-379-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/1992-402-0x0000000000400000-0x0000000000A16000-memory.dmp	themida

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exeexplorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Checks whether UAC is enabled 1 TTPs 7 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exe._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe._cache_Synaptics.exeicsys.icn.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	icsys.icn.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2952	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
2708	._cache_Synaptics.exe
916	icsys.icn.exe
1992	explorer.exe
1324	spoolsv.exe
4252	svchost.exe
764	spoolsv.exe

Drops file in Windows directory 5 IoCs

Processes:

._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

spoolsv.exesvchost.exe._cache_synaptics.exe 7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exeicsys.icn.exeexplorer.exe._cache_synaptics.exe Synaptics.exe._cache_Synaptics.exe._cache_synaptics.exe spoolsv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies data under HKEY_USERS 1 IoCs

Processes:

._cache_synaptics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\ndfapi.dll,-40001 = "Windows Network Diagnostics"	._cache_synaptics.exe

Modifies registry class 2 IoCs

Processes:

7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exeSynaptics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

828 EXCEL.EXE

pid	process
828	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

._cache_Synaptics.exeicsys.icn.exe

pid	process
2708	._cache_Synaptics.exe
2708	._cache_Synaptics.exe
2708	._cache_Synaptics.exe
2708	._cache_Synaptics.exe
2708	._cache_Synaptics.exe
2708	._cache_Synaptics.exe
2708	._cache_Synaptics.exe
2708	._cache_Synaptics.exe
2708	._cache_Synaptics.exe
2708	._cache_Synaptics.exe
2708	._cache_Synaptics.exe
2708	._cache_Synaptics.exe
2708	._cache_Synaptics.exe
2708	._cache_Synaptics.exe
2708	._cache_Synaptics.exe
2708	._cache_Synaptics.exe
2708	._cache_Synaptics.exe
2708	._cache_Synaptics.exe
2708	._cache_Synaptics.exe
2708	._cache_Synaptics.exe
2708	._cache_Synaptics.exe
2708	._cache_Synaptics.exe
2708	._cache_Synaptics.exe
2708	._cache_Synaptics.exe
2708	._cache_Synaptics.exe
2708	._cache_Synaptics.exe
2708	._cache_Synaptics.exe
2708	._cache_Synaptics.exe
2708	._cache_Synaptics.exe
2708	._cache_Synaptics.exe
2708	._cache_Synaptics.exe
2708	._cache_Synaptics.exe
916	icsys.icn.exe
916	icsys.icn.exe
916	icsys.icn.exe
916	icsys.icn.exe
916	icsys.icn.exe
916	icsys.icn.exe
916	icsys.icn.exe
916	icsys.icn.exe
916	icsys.icn.exe
916	icsys.icn.exe
916	icsys.icn.exe
916	icsys.icn.exe
916	icsys.icn.exe
916	icsys.icn.exe
916	icsys.icn.exe
916	icsys.icn.exe
916	icsys.icn.exe
916	icsys.icn.exe
916	icsys.icn.exe
916	icsys.icn.exe
916	icsys.icn.exe
916	icsys.icn.exe
916	icsys.icn.exe
916	icsys.icn.exe
916	icsys.icn.exe
916	icsys.icn.exe
916	icsys.icn.exe
916	icsys.icn.exe
916	icsys.icn.exe
916	icsys.icn.exe
916	icsys.icn.exe
916	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

1992 explorer.exe
4252 svchost.exe

pid	process
1992	explorer.exe
4252	svchost.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

._cache_synaptics.exe ._cache_synaptics.exe

description	pid	process
Token: SeDebugPrivilege	1156	._cache_synaptics.exe
Token: SeAssignPrimaryTokenPrivilege	1156	._cache_synaptics.exe
Token: SeIncreaseQuotaPrivilege	1156	._cache_synaptics.exe
Token: 0	1156	._cache_synaptics.exe
Token: SeDebugPrivilege	2036	._cache_synaptics.exe
Token: SeAssignPrimaryTokenPrivilege	2036	._cache_synaptics.exe
Token: SeIncreaseQuotaPrivilege	2036	._cache_synaptics.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

._cache_Synaptics.exeEXCEL.EXEicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2708	._cache_Synaptics.exe
2708	._cache_Synaptics.exe
828	EXCEL.EXE
828	EXCEL.EXE
916	icsys.icn.exe
916	icsys.icn.exe
1992	explorer.exe
1992	explorer.exe
828	EXCEL.EXE
828	EXCEL.EXE
1324	spoolsv.exe
1324	spoolsv.exe
4252	svchost.exe
4252	svchost.exe
764	spoolsv.exe
764	spoolsv.exe
828	EXCEL.EXE
828	EXCEL.EXE
828	EXCEL.EXE
828	EXCEL.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exeSynaptics.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 4196 wrote to memory of 2952	4196	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
PID 4196 wrote to memory of 2952	4196	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
PID 4196 wrote to memory of 2952	4196	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
PID 4196 wrote to memory of 1776	4196	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe	Synaptics.exe
PID 4196 wrote to memory of 1776	4196	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe	Synaptics.exe
PID 4196 wrote to memory of 1776	4196	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe	Synaptics.exe
PID 1776 wrote to memory of 2708	1776	Synaptics.exe	._cache_Synaptics.exe
PID 1776 wrote to memory of 2708	1776	Synaptics.exe	._cache_Synaptics.exe
PID 1776 wrote to memory of 2708	1776	Synaptics.exe	._cache_Synaptics.exe
PID 2708 wrote to memory of 1156	2708	._cache_Synaptics.exe	._cache_synaptics.exe
PID 2708 wrote to memory of 1156	2708	._cache_Synaptics.exe	._cache_synaptics.exe
PID 2708 wrote to memory of 1156	2708	._cache_Synaptics.exe	._cache_synaptics.exe
PID 2708 wrote to memory of 916	2708	._cache_Synaptics.exe	icsys.icn.exe
PID 2708 wrote to memory of 916	2708	._cache_Synaptics.exe	icsys.icn.exe
PID 2708 wrote to memory of 916	2708	._cache_Synaptics.exe	icsys.icn.exe
PID 916 wrote to memory of 1992	916	icsys.icn.exe	explorer.exe
PID 916 wrote to memory of 1992	916	icsys.icn.exe	explorer.exe
PID 916 wrote to memory of 1992	916	icsys.icn.exe	explorer.exe
PID 1992 wrote to memory of 1324	1992	explorer.exe	spoolsv.exe
PID 1992 wrote to memory of 1324	1992	explorer.exe	spoolsv.exe
PID 1992 wrote to memory of 1324	1992	explorer.exe	spoolsv.exe
PID 1324 wrote to memory of 4252	1324	spoolsv.exe	svchost.exe
PID 1324 wrote to memory of 4252	1324	spoolsv.exe	svchost.exe
PID 1324 wrote to memory of 4252	1324	spoolsv.exe	svchost.exe
PID 4252 wrote to memory of 764	4252	svchost.exe	spoolsv.exe
PID 4252 wrote to memory of 764	4252	svchost.exe	spoolsv.exe
PID 4252 wrote to memory of 764	4252	svchost.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
"C:\Users\Admin\AppData\Local\Temp\7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Users\Admin\AppData\Local\Temp\._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:2952
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
      c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1156
    - - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        "c:\users\admin\appdata\local\temp\._cache_synaptics.exe " InjUpdate
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
      - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        "c:\users\admin\appdata\local\temp\._cache_synaptics.exe " /TI/ InjUpdate
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies data under HKEY_USERS
        
        PID:912
  - - C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:916
    - - \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1992
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        7⤵
        Modifies visiblity of hidden/system files in Explorer
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:764

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
4.1MB

MD5
d7a3723ed09e9d1510f75ca35aba5ea7

SHA1
b6265bc2091d20ed0a3715f0bb47371d49f9c65f

SHA256
7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed

SHA512
e02e9729de1f37bf8369c0869c3dc11c65f91a8a3a11ee463b26fb8fbd878fe1acb9ee7da32177ad726b7fc13ec7e96892ac3145cf96fe0dfa05c6313d5d836a

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe

Filesize
3.3MB

MD5
923d00022b92bfbc27f875cf19f03e10

SHA1
5b015ccd1eaf741ef16dc1d7bc97d53dc8cfca98

SHA256
26902e46a1dda71d501c54d348dc242adf97032c630199307f8b432eed4afde6

SHA512
274011c0320b7f242a5e7aac066b7a8b10f4d08b657b4cc348630d7e84dc7e9c2fd260f6d1e818cdcb9eedb30ca374d8f0a6717b95e0388e12fdac96fd6dfb38

Download Submit
C:\Users\Admin\AppData\Local\Temp\28D75E00

Filesize
24KB

MD5
eff60c6bd2461ae40d6aa32f998a8d57

SHA1
4e87ed8519f916e0698193db04622368c0017f89

SHA256
fe3b22b4d8fe059db4a6d6f3a88687ca81b0e81894cf369bb90e1ba1f915bcef

SHA512
922b4ea14af4ab64b3fe33c700977a2521542bb501f6fec378703c5feb184724872bceeb737f4ae82699e97beba3676fb11c028cfb6b29575fd3f6c6708124d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\QoMkg7h1.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
2.6MB

MD5
4e6746f2d713bfe5d5d2089dedaf52e1

SHA1
9f898e1babb594bb3edca86e4cbc37d2869f7702

SHA256
b351a2568ae05650bb8902be9adf7dda0f7757dd85cf2786dde70bb2f2fc4ec6

SHA512
6a9f696e0c421e6f4bbb3daa4fe18e010901743202bc5ac207bfe5275e5b5a7a88a04960c0c570a6ac2fbc7f6215befd173198f681e7043ce4ddd82f23a939b4

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
2.6MB

MD5
02da612c2a12a61524dd5b95f1ad1f0f

SHA1
672ef806475880f58483b111acc7cf8bfd77ce6c

SHA256
d3b0de7c01802869be2c1233a491a2b94945e2fc82a3c3719365a9746477a24d

SHA512
0a4c32617c2a94d7eba6435a72e0b718f2e37ac80b67414bec0d60f8a2df43fb902bc682aa585d03fa04cab145236fe42d541b7d60cee796619c9523fbb322d8

Download Submit
C:\Windows\Temp\autD590.tmp

Filesize
25KB

MD5
d5c0165d31fb3813f8646555a5758881

SHA1
f517870ae53ddc77512d36debb44468da3edbd8e

SHA256
6916a5d078c6daf3db977ae55853cc4eef93e24328c8e8ef955220d10c7052b9

SHA512
21fa61a736ce0dd802aae7c81efeb5ae2f2319f34aadee941ea87dfeda3431f36a278513fbab6e33a028e6b7ee024cd51333fd31ce645dd92598e078e3313219

Download Submit
C:\Windows\Temp\outnpyx

Filesize
86KB

MD5
2cc29be38bd5a1e14386c7186a7f6959

SHA1
858df624a55d519b8f1e597850c867b97cbcbc7b

SHA256
1f8a85d2720b2cbeeadfb92ac471a3902c128f13cf04e0d59bbff54f786943a0

SHA512
0a39e8dbf9dad26e085de227679447586f3923fc3d2d3df219e9b837723cbc026af592d30ae25195338b627c1526b114f98527e37d51072a48083213915b0cbe

Download Submit
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe

Filesize
771KB

MD5
fe260da05d0512b65eec3e4cec4ea17c

SHA1
8915d023e9a5dfbba722b6d9678cbafe6a3b3630

SHA256
9dd559318f745949f4b68015033866a5ff02afea3fce22fca28e5bc33de40fc8

SHA512
bf875821c7b4bd21b458e248d657a23378493066a77113786c67ac94d8632f90fcb2da183ab842c5fab1ecedb80e2b143c0ffb24dc864264f3386eff3f929f5b

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
2.6MB

MD5
821d4579d8adfef5ab5e444ac2318d5b

SHA1
1d0a270d5fa913842da1b675f1ab135250b256d0

SHA256
f953e7bc5b1f054dea8fcd6ea1c2738d48b5df29ed98c3ec83c6b8aa7e20ba68

SHA512
ce4c2d4fa31e14909879b4851cff74a3b125c1d2defc5c2067ba2d55bee33bacd7fd5cd905f567e71f779edf43e918983b2be16a22eb207102bf53aed113844c

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
2.6MB

MD5
b58b0ea287e0c6f943669d8a37f101b5

SHA1
6bd379315e3ad64f90f6ce6af4896c7aed40fe19

SHA256
e9fd0499f000ba338e91be5aaa5e69eadc7d4c4642e7eb1ec6012eedfe8b776e

SHA512
0298de99252e1c0caffe404493fd06e53ece99ab5ebd9a41b409c0391e4d98efed2bbec40e45fd8e12ca94fcd25d8850054a2543fc86ead4543ffd4a90a9fe63

Download Submit
memory/764-266-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/764-253-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/828-196-0x00007FF9E8BD0000-0x00007FF9E8BE0000-memory.dmp

Filesize
64KB

Download
memory/828-199-0x00007FF9E8BD0000-0x00007FF9E8BE0000-memory.dmp

Filesize
64KB

Download
memory/828-214-0x00007FF9E6770000-0x00007FF9E6780000-memory.dmp

Filesize
64KB

Download
memory/828-194-0x00007FF9E8BD0000-0x00007FF9E8BE0000-memory.dmp

Filesize
64KB

Download
memory/828-202-0x00007FF9E6770000-0x00007FF9E6780000-memory.dmp

Filesize
64KB

Download
memory/828-195-0x00007FF9E8BD0000-0x00007FF9E8BE0000-memory.dmp

Filesize
64KB

Download
memory/828-198-0x00007FF9E8BD0000-0x00007FF9E8BE0000-memory.dmp

Filesize
64KB

Download
memory/916-218-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/916-324-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1324-268-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1324-236-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1776-326-0x0000000000400000-0x0000000000819000-memory.dmp

Filesize
4.1MB

Download
memory/1776-377-0x0000000000400000-0x0000000000819000-memory.dmp

Filesize
4.1MB

Download
memory/1776-133-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/1776-335-0x0000000000400000-0x0000000000819000-memory.dmp

Filesize
4.1MB

Download
memory/1992-354-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1992-227-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1992-402-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1992-378-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1992-327-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2708-192-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2708-270-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2952-70-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2952-119-0x0000000077894000-0x0000000077896000-memory.dmp

Filesize
8KB

Download
memory/2952-289-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4196-0-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/4196-130-0x0000000000400000-0x0000000000819000-memory.dmp

Filesize
4.1MB

Download
memory/4252-333-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4252-248-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4252-379-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download