xred | 7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
Size

4.1MB
MD5

d7a3723ed09e9d1510f75ca35aba5ea7
SHA1

b6265bc2091d20ed0a3715f0bb47371d49f9c65f
SHA256

7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed
SHA512

e02e9729de1f37bf8369c0869c3dc11c65f91a8a3a11ee463b26fb8fbd878fe1acb9ee7da32177ad726b7fc13ec7e96892ac3145cf96fe0dfa05c6313d5d836a
SSDEEP

98304:Vnsmtk2aEXzhW148Pd+Tf1mpcOldJQ3/V11v3jypj:pLnFK4s0TfLOdo/HV3epj

Score

10^/10

xred backdoor discovery evasion persistence themida trojan

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe._cache_Synaptics.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	._cache_Synaptics.exe

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

icsys.icn.exespoolsv.exespoolsv.exe._cache_Synaptics.exeexplorer.exesvchost.exe._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	._cache_Synaptics.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exeSynaptics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 11 IoCs

Processes:

._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exe._cache_synaptics.exe explorer.exespoolsv.exesvchost.exe._cache_synaptics.exe spoolsv.exe

pid	process
64	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
3496	Synaptics.exe
4332	._cache_Synaptics.exe
4200	._cache_synaptics.exe
1432	icsys.icn.exe
4980	._cache_synaptics.exe
4632	explorer.exe
1512	spoolsv.exe
1056	svchost.exe
1776	._cache_synaptics.exe
4260	spoolsv.exe

Themida packer 22 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe	themida
behavioral2/memory/64-70-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/64-127-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/4332-192-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
C:\Windows\Resources\Themes\icsys.icn.exe	themida
behavioral2/memory/4632-219-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
C:\Windows\Resources\Themes\explorer.exe	themida
\??\c:\windows\resources\spoolsv.exe	themida
behavioral2/memory/1512-236-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
C:\Windows\Resources\svchost.exe	themida
behavioral2/memory/1056-245-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/4260-258-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/4332-267-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/1512-265-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/1432-269-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/4260-263-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/64-270-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/4632-288-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/1056-296-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/1056-297-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/1056-321-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/4632-337-0x0000000000400000-0x0000000000A16000-memory.dmp	themida

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

Checks whether UAC is enabled 1 TTPs 7 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
64	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
4332	._cache_Synaptics.exe
1432	icsys.icn.exe
4632	explorer.exe
1512	spoolsv.exe
1056	svchost.exe
4260	spoolsv.exe

Drops file in Windows directory 5 IoCs

Processes:

._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Synaptics.exe._cache_Synaptics.exeicsys.icn.exe._cache_synaptics.exe explorer.exe._cache_synaptics.exe 7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exespoolsv.exesvchost.exe._cache_synaptics.exe spoolsv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies data under HKEY_USERS 1 IoCs

Processes:

._cache_synaptics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\ndfapi.dll,-40001 = "Windows Network Diagnostics"	._cache_synaptics.exe

Modifies registry class 2 IoCs

Processes:

7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exeSynaptics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4812 EXCEL.EXE

pid	process
4812	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exe

pid	process
4332	._cache_Synaptics.exe
4332	._cache_Synaptics.exe
4332	._cache_Synaptics.exe
4332	._cache_Synaptics.exe
4332	._cache_Synaptics.exe
4332	._cache_Synaptics.exe
4332	._cache_Synaptics.exe
4332	._cache_Synaptics.exe
4332	._cache_Synaptics.exe
4332	._cache_Synaptics.exe
4332	._cache_Synaptics.exe
4332	._cache_Synaptics.exe
4332	._cache_Synaptics.exe
4332	._cache_Synaptics.exe
4332	._cache_Synaptics.exe
4332	._cache_Synaptics.exe
4332	._cache_Synaptics.exe
4332	._cache_Synaptics.exe
4332	._cache_Synaptics.exe
4332	._cache_Synaptics.exe
4332	._cache_Synaptics.exe
4332	._cache_Synaptics.exe
4332	._cache_Synaptics.exe
4332	._cache_Synaptics.exe
4332	._cache_Synaptics.exe
4332	._cache_Synaptics.exe
4332	._cache_Synaptics.exe
4332	._cache_Synaptics.exe
4332	._cache_Synaptics.exe
4332	._cache_Synaptics.exe
4332	._cache_Synaptics.exe
4332	._cache_Synaptics.exe
4200	._cache_synaptics.exe
4200	._cache_synaptics.exe
4200	._cache_synaptics.exe
4200	._cache_synaptics.exe
1432	icsys.icn.exe
1432	icsys.icn.exe
1432	icsys.icn.exe
1432	icsys.icn.exe
1432	icsys.icn.exe
1432	icsys.icn.exe
1432	icsys.icn.exe
1432	icsys.icn.exe
1432	icsys.icn.exe
1432	icsys.icn.exe
1432	icsys.icn.exe
1432	icsys.icn.exe
1432	icsys.icn.exe
1432	icsys.icn.exe
1432	icsys.icn.exe
1432	icsys.icn.exe
1432	icsys.icn.exe
1432	icsys.icn.exe
1432	icsys.icn.exe
1432	icsys.icn.exe
1432	icsys.icn.exe
1432	icsys.icn.exe
1432	icsys.icn.exe
1432	icsys.icn.exe
1432	icsys.icn.exe
1432	icsys.icn.exe
1432	icsys.icn.exe
1432	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

4632 explorer.exe
1056 svchost.exe

pid	process
4632	explorer.exe
1056	svchost.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

._cache_synaptics.exe ._cache_synaptics.exe

description	pid	process
Token: SeDebugPrivilege	4200	._cache_synaptics.exe
Token: SeAssignPrimaryTokenPrivilege	4200	._cache_synaptics.exe
Token: SeIncreaseQuotaPrivilege	4200	._cache_synaptics.exe
Token: 0	4200	._cache_synaptics.exe
Token: SeDebugPrivilege	4980	._cache_synaptics.exe
Token: SeAssignPrimaryTokenPrivilege	4980	._cache_synaptics.exe
Token: SeIncreaseQuotaPrivilege	4980	._cache_synaptics.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeEXCEL.EXE

pid	process
4332	._cache_Synaptics.exe
4332	._cache_Synaptics.exe
1432	icsys.icn.exe
1432	icsys.icn.exe
4632	explorer.exe
4632	explorer.exe
1512	spoolsv.exe
1512	spoolsv.exe
1056	svchost.exe
1056	svchost.exe
4260	spoolsv.exe
4260	spoolsv.exe
4812	EXCEL.EXE
4812	EXCEL.EXE
4812	EXCEL.EXE
4812	EXCEL.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exeSynaptics.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 4000 wrote to memory of 64	4000	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
PID 4000 wrote to memory of 64	4000	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
PID 4000 wrote to memory of 64	4000	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe	._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
PID 4000 wrote to memory of 3496	4000	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe	Synaptics.exe
PID 4000 wrote to memory of 3496	4000	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe	Synaptics.exe
PID 4000 wrote to memory of 3496	4000	7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe	Synaptics.exe
PID 3496 wrote to memory of 4332	3496	Synaptics.exe	._cache_Synaptics.exe
PID 3496 wrote to memory of 4332	3496	Synaptics.exe	._cache_Synaptics.exe
PID 3496 wrote to memory of 4332	3496	Synaptics.exe	._cache_Synaptics.exe
PID 4332 wrote to memory of 4200	4332	._cache_Synaptics.exe	._cache_synaptics.exe
PID 4332 wrote to memory of 4200	4332	._cache_Synaptics.exe	._cache_synaptics.exe
PID 4332 wrote to memory of 4200	4332	._cache_Synaptics.exe	._cache_synaptics.exe
PID 4332 wrote to memory of 1432	4332	._cache_Synaptics.exe	icsys.icn.exe
PID 4332 wrote to memory of 1432	4332	._cache_Synaptics.exe	icsys.icn.exe
PID 4332 wrote to memory of 1432	4332	._cache_Synaptics.exe	icsys.icn.exe
PID 1432 wrote to memory of 4632	1432	icsys.icn.exe	explorer.exe
PID 1432 wrote to memory of 4632	1432	icsys.icn.exe	explorer.exe
PID 1432 wrote to memory of 4632	1432	icsys.icn.exe	explorer.exe
PID 4632 wrote to memory of 1512	4632	explorer.exe	spoolsv.exe
PID 4632 wrote to memory of 1512	4632	explorer.exe	spoolsv.exe
PID 4632 wrote to memory of 1512	4632	explorer.exe	spoolsv.exe
PID 1512 wrote to memory of 1056	1512	spoolsv.exe	svchost.exe
PID 1512 wrote to memory of 1056	1512	spoolsv.exe	svchost.exe
PID 1512 wrote to memory of 1056	1512	spoolsv.exe	svchost.exe
PID 1056 wrote to memory of 4260	1056	svchost.exe	spoolsv.exe
PID 1056 wrote to memory of 4260	1056	svchost.exe	spoolsv.exe
PID 1056 wrote to memory of 4260	1056	svchost.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
"C:\Users\Admin\AppData\Local\Temp\7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Users\Admin\AppData\Local\Temp\._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:64
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3496
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4332
  - - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
      c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4200
    - - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        "c:\users\admin\appdata\local\temp\._cache_synaptics.exe " InjUpdate
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4980
      - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        "c:\users\admin\appdata\local\temp\._cache_synaptics.exe " /TI/ InjUpdate
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies data under HKEY_USERS
        
        PID:1776
  - - C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1432
    - - \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4632
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        7⤵
        Modifies visiblity of hidden/system files in Explorer
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4260

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
4.1MB

MD5
d7a3723ed09e9d1510f75ca35aba5ea7

SHA1
b6265bc2091d20ed0a3715f0bb47371d49f9c65f

SHA256
7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed

SHA512
e02e9729de1f37bf8369c0869c3dc11c65f91a8a3a11ee463b26fb8fbd878fe1acb9ee7da32177ad726b7fc13ec7e96892ac3145cf96fe0dfa05c6313d5d836a

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_7153358b522f1803b87d15a720aa73e8a796e8b58397c7aff5ce0027224756ed.exe

Filesize
3.3MB

MD5
923d00022b92bfbc27f875cf19f03e10

SHA1
5b015ccd1eaf741ef16dc1d7bc97d53dc8cfca98

SHA256
26902e46a1dda71d501c54d348dc242adf97032c630199307f8b432eed4afde6

SHA512
274011c0320b7f242a5e7aac066b7a8b10f4d08b657b4cc348630d7e84dc7e9c2fd260f6d1e818cdcb9eedb30ca374d8f0a6717b95e0388e12fdac96fd6dfb38

Download Submit
C:\Users\Admin\AppData\Local\Temp\NF5r7UoO.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
2.6MB

MD5
c2e327360b45274dc3d5af4e79c62298

SHA1
8c81178f5c7d7de9e9a2a180f166d311a545cc5d

SHA256
b04c7e1222b50509a46811300e0f9da4d1daeef7c49a961a9fe507e9e0a6d139

SHA512
5c48930c7229fee6a81c986939fc3547e6ab1b0afcfa68d0a9bfb351da2f5d1e5b07fd2d60a5989d7e952a830c984ca83c53808dea8dfa012399c59625b19e61

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
2.6MB

MD5
02da612c2a12a61524dd5b95f1ad1f0f

SHA1
672ef806475880f58483b111acc7cf8bfd77ce6c

SHA256
d3b0de7c01802869be2c1233a491a2b94945e2fc82a3c3719365a9746477a24d

SHA512
0a4c32617c2a94d7eba6435a72e0b718f2e37ac80b67414bec0d60f8a2df43fb902bc682aa585d03fa04cab145236fe42d541b7d60cee796619c9523fbb322d8

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
2.6MB

MD5
653ab54a8910a0688f5dce859cdd72ad

SHA1
85d2366d88f8c113963fcf37004402fda70451e7

SHA256
ef388ac5524d4688cad696f2904081dbadea83d036b6f0a1f2edd061f8f5fde7

SHA512
9bc288a44cba01a7dbc5e79812127b99af4cddf2f8e926da3ca42bee82622aee10cfbf2a51434b745c66e05aa56653454eb2cff8fd95aa883b47941224183143

Download Submit
C:\Windows\Temp\autB1CB.tmp

Filesize
25KB

MD5
d5c0165d31fb3813f8646555a5758881

SHA1
f517870ae53ddc77512d36debb44468da3edbd8e

SHA256
6916a5d078c6daf3db977ae55853cc4eef93e24328c8e8ef955220d10c7052b9

SHA512
21fa61a736ce0dd802aae7c81efeb5ae2f2319f34aadee941ea87dfeda3431f36a278513fbab6e33a028e6b7ee024cd51333fd31ce645dd92598e078e3313219

Download Submit
C:\Windows\Temp\eisxyja

Filesize
86KB

MD5
2cc29be38bd5a1e14386c7186a7f6959

SHA1
858df624a55d519b8f1e597850c867b97cbcbc7b

SHA256
1f8a85d2720b2cbeeadfb92ac471a3902c128f13cf04e0d59bbff54f786943a0

SHA512
0a39e8dbf9dad26e085de227679447586f3923fc3d2d3df219e9b837723cbc026af592d30ae25195338b627c1526b114f98527e37d51072a48083213915b0cbe

Download Submit
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe

Filesize
771KB

MD5
fe260da05d0512b65eec3e4cec4ea17c

SHA1
8915d023e9a5dfbba722b6d9678cbafe6a3b3630

SHA256
9dd559318f745949f4b68015033866a5ff02afea3fce22fca28e5bc33de40fc8

SHA512
bf875821c7b4bd21b458e248d657a23378493066a77113786c67ac94d8632f90fcb2da183ab842c5fab1ecedb80e2b143c0ffb24dc864264f3386eff3f929f5b

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
2.6MB

MD5
d22580306883049b2eca8a7239094e3b

SHA1
d8e1b1ccd2f5f7cbb1f4522a2768864501bcf133

SHA256
eb328e17505e1de1b8743a9d129038b07439b3059c47a44e822c133da1d90d64

SHA512
0bab32195e97cf84b3960b1154a5d908dea8f951691ea268333b3b9b954c577471ad9db6eb80538447c50ab05c02553323b34a824707588b893964b3d85b6d7a

Download Submit
memory/64-270-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/64-127-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/64-70-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1056-321-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1056-297-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1056-296-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1056-245-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1432-269-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1512-236-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1512-265-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/3496-271-0x0000000000400000-0x0000000000819000-memory.dmp

Filesize
4.1MB

Download
memory/3496-348-0x0000000000400000-0x0000000000819000-memory.dmp

Filesize
4.1MB

Download
memory/3496-299-0x0000000000400000-0x0000000000819000-memory.dmp

Filesize
4.1MB

Download
memory/3496-131-0x0000000000400000-0x0000000000819000-memory.dmp

Filesize
4.1MB

Download
memory/4000-0-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/4000-130-0x0000000000400000-0x0000000000819000-memory.dmp

Filesize
4.1MB

Download
memory/4260-258-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4260-263-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4332-267-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4332-192-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4632-219-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4632-288-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4632-337-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4812-280-0x00007FFDDF3F0000-0x00007FFDDF400000-memory.dmp

Filesize
64KB

Download
memory/4812-279-0x00007FFDDF3F0000-0x00007FFDDF400000-memory.dmp

Filesize
64KB

Download
memory/4812-274-0x00007FFDE15B0000-0x00007FFDE15C0000-memory.dmp

Filesize
64KB

Download
memory/4812-275-0x00007FFDE15B0000-0x00007FFDE15C0000-memory.dmp

Filesize
64KB

Download
memory/4812-276-0x00007FFDE15B0000-0x00007FFDE15C0000-memory.dmp

Filesize
64KB

Download
memory/4812-277-0x00007FFDE15B0000-0x00007FFDE15C0000-memory.dmp

Filesize
64KB

Download
memory/4812-278-0x00007FFDE15B0000-0x00007FFDE15C0000-memory.dmp

Filesize
64KB

Download