xred | 53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56ef

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe
Size

3.3MB
MD5

8b94fa1a548711a611b0555851f48f00
SHA1

03841a4289982705ca933f3d982f056b7b0dd896
SHA256

53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56ef
SHA512

38cbcf67996da5cc094266ab328d229987e521fe66cce78c2f0a9779848ab1e75a917939565573a7aa3f1ace663ffbfeb2dd3d831b5caa82782f30b8664e01fd
SSDEEP

98304:tnsmtk2atXzhW148Pd+Tf1mpcOldJQ3/Vb:RLCFK4s0TfLOdo/h

Score

10^/10

xred backdoor discovery evasion macro persistence themida trojan

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe._cache_Synaptics.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	._cache_Synaptics.exe

Suspicious Office macro 3 IoCs

Office document equipped with macros.

macro

Processes:

resource
C:\Users\Admin\AppData\Local\Temp\tCeLhqsA.xlsm
C:\Users\Admin\AppData\Local\Temp\tCeLhqsA.xlsm
C:\Users\Admin\AppData\Local\Temp\tCeLhqsA.xlsm

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe._cache_Synaptics.exeicsys.icn.exespoolsv.exespoolsv.exeexplorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe

Executes dropped EXE 9 IoCs

Processes:

._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2488	._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe
2296	Synaptics.exe
2840	._cache_Synaptics.exe
2620	._cache_synaptics.exe
1424	icsys.icn.exe
1672	explorer.exe
1080	spoolsv.exe
1272	svchost.exe
1604	spoolsv.exe

Loads dropped DLL 11 IoCs

Processes:

53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exeSynaptics.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

pid	process
2364	53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe
2364	53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe
2364	53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe
2296	Synaptics.exe
2296	Synaptics.exe
2840	._cache_Synaptics.exe
2840	._cache_Synaptics.exe
1424	icsys.icn.exe
1672	explorer.exe
1080	spoolsv.exe
1272	svchost.exe

Themida packer 27 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe	themida
behavioral1/memory/2364-17-0x0000000005A50000-0x0000000006066000-memory.dmp	themida
behavioral1/memory/2488-18-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2840-38-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
C:\Windows\Resources\Themes\icsys.icn.exe	themida
behavioral1/memory/1424-120-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
\Windows\Resources\Themes\explorer.exe	themida
behavioral1/memory/1672-133-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
\Windows\Resources\spoolsv.exe	themida
behavioral1/memory/1672-142-0x00000000038F0000-0x0000000003F06000-memory.dmp	themida
behavioral1/memory/1080-145-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
\Windows\Resources\svchost.exe	themida
behavioral1/memory/2840-158-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2488-155-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/1272-159-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/1604-169-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/1604-172-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/1080-174-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/1424-176-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2840-178-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/1672-179-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/1272-182-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/1672-183-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/1672-205-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/1272-222-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/1672-235-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/1672-251-0x0000000000400000-0x0000000000A16000-memory.dmp	themida

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exesvchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Checks whether UAC is enabled 1 TTPs 7 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe._cache_Synaptics.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	._cache_Synaptics.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exeexplorer.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2488	._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe
2840	._cache_Synaptics.exe
1424	icsys.icn.exe
1672	explorer.exe
1080	spoolsv.exe
1272	svchost.exe
1604	spoolsv.exe

Drops file in Windows directory 5 IoCs

Processes:

._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

EXCEL.EXEicsys.icn.exeexplorer.exesvchost.exe53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exeSynaptics.exe._cache_Synaptics.exeschtasks.exespoolsv.exespoolsv.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

1608 schtasks.exe
2820 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2292 EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1608	schtasks.exe
2820	schtasks.exe

pid	process
2292	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

._cache_Synaptics.exeicsys.icn.exeexplorer.exesvchost.exe

pid	process
2840	._cache_Synaptics.exe
2840	._cache_Synaptics.exe
2840	._cache_Synaptics.exe
2840	._cache_Synaptics.exe
2840	._cache_Synaptics.exe
2840	._cache_Synaptics.exe
2840	._cache_Synaptics.exe
2840	._cache_Synaptics.exe
2840	._cache_Synaptics.exe
2840	._cache_Synaptics.exe
2840	._cache_Synaptics.exe
2840	._cache_Synaptics.exe
2840	._cache_Synaptics.exe
2840	._cache_Synaptics.exe
2840	._cache_Synaptics.exe
2840	._cache_Synaptics.exe
1424	icsys.icn.exe
1424	icsys.icn.exe
1424	icsys.icn.exe
1424	icsys.icn.exe
1424	icsys.icn.exe
1424	icsys.icn.exe
1424	icsys.icn.exe
1424	icsys.icn.exe
1424	icsys.icn.exe
1424	icsys.icn.exe
1424	icsys.icn.exe
1424	icsys.icn.exe
1424	icsys.icn.exe
1424	icsys.icn.exe
1424	icsys.icn.exe
1424	icsys.icn.exe
1424	icsys.icn.exe
1672	explorer.exe
1672	explorer.exe
1672	explorer.exe
1672	explorer.exe
1672	explorer.exe
1672	explorer.exe
1672	explorer.exe
1672	explorer.exe
1672	explorer.exe
1672	explorer.exe
1672	explorer.exe
1672	explorer.exe
1672	explorer.exe
1672	explorer.exe
1672	explorer.exe
1672	explorer.exe
1272	svchost.exe
1272	svchost.exe
1272	svchost.exe
1272	svchost.exe
1272	svchost.exe
1272	svchost.exe
1272	svchost.exe
1272	svchost.exe
1272	svchost.exe
1272	svchost.exe
1272	svchost.exe
1272	svchost.exe
1272	svchost.exe
1272	svchost.exe
1272	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

1672 explorer.exe
1272 svchost.exe

pid	process
1672	explorer.exe
1272	svchost.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

._cache_Synaptics.exeEXCEL.EXEicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2840	._cache_Synaptics.exe
2292	EXCEL.EXE
2840	._cache_Synaptics.exe
1424	icsys.icn.exe
1424	icsys.icn.exe
1672	explorer.exe
1672	explorer.exe
1080	spoolsv.exe
1080	spoolsv.exe
1272	svchost.exe
1272	svchost.exe
1604	spoolsv.exe
1604	spoolsv.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exeSynaptics.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 2364 wrote to memory of 2488	2364	53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe	._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe
PID 2364 wrote to memory of 2488	2364	53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe	._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe
PID 2364 wrote to memory of 2488	2364	53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe	._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe
PID 2364 wrote to memory of 2488	2364	53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe	._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe
PID 2364 wrote to memory of 2296	2364	53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe	Synaptics.exe
PID 2364 wrote to memory of 2296	2364	53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe	Synaptics.exe
PID 2364 wrote to memory of 2296	2364	53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe	Synaptics.exe
PID 2364 wrote to memory of 2296	2364	53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe	Synaptics.exe
PID 2296 wrote to memory of 2840	2296	Synaptics.exe	._cache_Synaptics.exe
PID 2296 wrote to memory of 2840	2296	Synaptics.exe	._cache_Synaptics.exe
PID 2296 wrote to memory of 2840	2296	Synaptics.exe	._cache_Synaptics.exe
PID 2296 wrote to memory of 2840	2296	Synaptics.exe	._cache_Synaptics.exe
PID 2840 wrote to memory of 2620	2840	._cache_Synaptics.exe	._cache_synaptics.exe
PID 2840 wrote to memory of 2620	2840	._cache_Synaptics.exe	._cache_synaptics.exe
PID 2840 wrote to memory of 2620	2840	._cache_Synaptics.exe	._cache_synaptics.exe
PID 2840 wrote to memory of 2620	2840	._cache_Synaptics.exe	._cache_synaptics.exe
PID 2840 wrote to memory of 1424	2840	._cache_Synaptics.exe	icsys.icn.exe
PID 2840 wrote to memory of 1424	2840	._cache_Synaptics.exe	icsys.icn.exe
PID 2840 wrote to memory of 1424	2840	._cache_Synaptics.exe	icsys.icn.exe
PID 2840 wrote to memory of 1424	2840	._cache_Synaptics.exe	icsys.icn.exe
PID 1424 wrote to memory of 1672	1424	icsys.icn.exe	explorer.exe
PID 1424 wrote to memory of 1672	1424	icsys.icn.exe	explorer.exe
PID 1424 wrote to memory of 1672	1424	icsys.icn.exe	explorer.exe
PID 1424 wrote to memory of 1672	1424	icsys.icn.exe	explorer.exe
PID 1672 wrote to memory of 1080	1672	explorer.exe	spoolsv.exe
PID 1672 wrote to memory of 1080	1672	explorer.exe	spoolsv.exe
PID 1672 wrote to memory of 1080	1672	explorer.exe	spoolsv.exe
PID 1672 wrote to memory of 1080	1672	explorer.exe	spoolsv.exe
PID 1080 wrote to memory of 1272	1080	spoolsv.exe	svchost.exe
PID 1080 wrote to memory of 1272	1080	spoolsv.exe	svchost.exe
PID 1080 wrote to memory of 1272	1080	spoolsv.exe	svchost.exe
PID 1080 wrote to memory of 1272	1080	spoolsv.exe	svchost.exe
PID 1272 wrote to memory of 1604	1272	svchost.exe	spoolsv.exe
PID 1272 wrote to memory of 1604	1272	svchost.exe	spoolsv.exe
PID 1272 wrote to memory of 1604	1272	svchost.exe	spoolsv.exe
PID 1272 wrote to memory of 1604	1272	svchost.exe	spoolsv.exe
PID 1672 wrote to memory of 2516	1672	explorer.exe	Explorer.exe
PID 1672 wrote to memory of 2516	1672	explorer.exe	Explorer.exe
PID 1672 wrote to memory of 2516	1672	explorer.exe	Explorer.exe
PID 1672 wrote to memory of 2516	1672	explorer.exe	Explorer.exe
PID 1272 wrote to memory of 1608	1272	svchost.exe	schtasks.exe
PID 1272 wrote to memory of 1608	1272	svchost.exe	schtasks.exe
PID 1272 wrote to memory of 1608	1272	svchost.exe	schtasks.exe
PID 1272 wrote to memory of 1608	1272	svchost.exe	schtasks.exe
PID 1272 wrote to memory of 2820	1272	svchost.exe	schtasks.exe
PID 1272 wrote to memory of 2820	1272	svchost.exe	schtasks.exe
PID 1272 wrote to memory of 2820	1272	svchost.exe	schtasks.exe
PID 1272 wrote to memory of 2820	1272	svchost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe
"C:\Users\Admin\AppData\Local\Temp\53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:2488
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
      c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
      4⤵
      Executes dropped EXE
      PID:2620
  - - C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1424
    - - \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1672
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        7⤵
        Modifies visiblity of hidden/system files in Explorer
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1604
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:17 /f
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1608
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:18 /f
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2820
      - C:\Windows\Explorer.exe
        
        C:\Windows\Explorer.exe
        6⤵
        
        PID:2516

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
3.3MB

MD5
8b94fa1a548711a611b0555851f48f00

SHA1
03841a4289982705ca933f3d982f056b7b0dd896

SHA256
53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56ef

SHA512
38cbcf67996da5cc094266ab328d229987e521fe66cce78c2f0a9779848ab1e75a917939565573a7aa3f1ace663ffbfeb2dd3d831b5caa82782f30b8664e01fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tCeLhqsA.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\tCeLhqsA.xlsm

Filesize
24KB

MD5
b23068a5944783a296738f740b229d69

SHA1
f7dc2c11a36d0b660353501371622be907669b13

SHA256
9ac797ed04be98f4cf930c2096dad0f940d241f41b6dadbe4ab6c6aab7de9a49

SHA512
c231d5eeb9cc23dc0329811f7ec8a890c606ca73f75f61fb6a3ed8bdbbf89a92d9907f0f525f597a97a9d734d7aef7257e1a820ffd198f75b3331095562ff867

Download Submit
C:\Users\Admin\AppData\Local\Temp\tCeLhqsA.xlsm

Filesize
30KB

MD5
0a1255de13cded78f56f630948c83a58

SHA1
401ff50771e6ccbb76abca0874cfa33eb32f5d7e

SHA256
67be4847e74324d06253588aa8b67f9e6ba0dfc8775730da2ba692b19b4956d2

SHA512
e90e1aca84f0b064f558099cfd3a371f820545a0d8c9f3b781d55fda0afb772e1a462494a12e21abdb30a2b27b93deeb801106c5a753203cc95f3eddad676f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tCeLhqsA.xlsm

Filesize
29KB

MD5
fbc272542f5fa007a20262fdbc6230d1

SHA1
4940b07972a44fe23cad7d9f26b1e37b82b75506

SHA256
a72af0ec48c36a721be316d4e72bd7318b06813ff5add65defebcff868a6fb24

SHA512
47b514d0a41a00d237e39e53e9a511f741347326290a88b9aa34e478d978a311c4e6833b5190e659fd3580d71f112cf672e40a689a3ecc2880f28300c2d61c3e

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
2.6MB

MD5
cb1a029520fcbcd453c91074475fe3cd

SHA1
5050f39b5110aae1b3ca4196d424f15bc5362eb0

SHA256
3ec7a56ade24d41b83b3105e6987966fc6ee47c0c7a6f585b73540cff0739f8f

SHA512
522a77819c9108127e697750d160e4609c1a4d2d3d440f389b6069bf2fcedaf8cb87137422aea0a39e3f3f812e7996d2978d4e22f8f89fd1632a4db1a133ee92

Download Submit
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe

Filesize
29KB

MD5
dbd2194b7a5b38636edf7112ebc6fe91

SHA1
6fea8daee367fbdee5a299a214c0419ef04ea7bb

SHA256
927004a7ed771954853acfd331baf0a2d74c84037d4adff5a4a65fb1b287e586

SHA512
238cf410957b64bc0f8997fb3669b6f362e6b170c942fecca43ddc72a73ebffe75d829f0bade82cc712ca6786d6083921df9648d8c7a19ddc1e0de55cc526d42

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe

Filesize
2.6MB

MD5
070ace5223028f0a4c06686f6db20673

SHA1
eca46d16a18c723a83045cb912751621325e9021

SHA256
70594f83aa785ddeec6a020a9d63f7b1e73b343c318dbff5ab4e6e1cde40a09f

SHA512
55f7d1a11f9051d8492e742c745581f3bcac8da369071edf99be153547ec795e8decd962a171256658c4c7c793228e85090e6f2f66987bcbf29a88672382da6f

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
2.6MB

MD5
e807e620cc49b875d1ffb007f6fe8cfa

SHA1
e222d9f1cc0a049bb2fafcaa9555608de489afa8

SHA256
36a2626dda6c8f337e5428502ab99a4716c874c2970508dfb26feb2e74dee6c1

SHA512
7f6d2db2ce512fbfc85631803b0d90e0ff59c58ed47f1911a6bde97926aa4a4c07068a2bb7decbf1b311285f2ebcab32508edcdfc153c6a0573a4b08ffdc0b4d

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
2.6MB

MD5
80b8b77f60453c1791915a7dd6efcf1c

SHA1
03f87a80884c48785dc72143ccc71d45140fa6a3

SHA256
a2d4355f383af2b962050bad4655e22e5f2a6c4abe93086a3668ac25b34d4b24

SHA512
47df9e0d327d967a476148e5ebc116b6c2ef9d6ad93ced6a0e3f58ef06c36adc4ad71014ff5499a83de1bb24f5a9a0ff4ba45da27cf8c3cb396ef995a407b13a

Download Submit
\Windows\Resources\svchost.exe

Filesize
2.6MB

MD5
79ed47b1c2a843587fabcf61b4f0d729

SHA1
ef1765b6519458627e03fb66d9cf8c21f6477f7b

SHA256
7770dd79220d1eb5d3406c76dab0617102f311a5f3d7b1f6d374d8e54e71089e

SHA512
d5ccd98ab747c5f5e2777356ef896b52beb16952925d41dc977839aa62e8b7805921165c74352974a5df40dc254a6efd720869f42a6003a3b5471dd6b966d918

Download Submit
memory/1080-174-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1080-145-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1272-222-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1272-184-0x0000000003150000-0x0000000003766000-memory.dmp

Filesize
6.1MB

Download
memory/1272-182-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1272-166-0x0000000003150000-0x0000000003766000-memory.dmp

Filesize
6.1MB

Download
memory/1272-159-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1424-176-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1424-120-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1424-132-0x0000000003630000-0x0000000003C46000-memory.dmp

Filesize
6.1MB

Download
memory/1604-172-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1604-169-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1672-179-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1672-205-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1672-183-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1672-251-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1672-133-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1672-235-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1672-142-0x00000000038F0000-0x0000000003F06000-memory.dmp

Filesize
6.1MB

Download
memory/2292-127-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2292-40-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2296-157-0x0000000005B10000-0x0000000006126000-memory.dmp

Filesize
6.1MB

Download
memory/2296-234-0x0000000000400000-0x000000000075F000-memory.dmp

Filesize
3.4MB

Download
memory/2296-37-0x0000000005B10000-0x0000000006126000-memory.dmp

Filesize
6.1MB

Download
memory/2296-181-0x0000000000400000-0x000000000075F000-memory.dmp

Filesize
3.4MB

Download
memory/2296-187-0x0000000000400000-0x000000000075F000-memory.dmp

Filesize
3.4MB

Download
memory/2364-27-0x0000000000400000-0x000000000075F000-memory.dmp

Filesize
3.4MB

Download
memory/2364-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2364-17-0x0000000005A50000-0x0000000006066000-memory.dmp

Filesize
6.1MB

Download
memory/2488-18-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2488-155-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2620-64-0x0000000000020000-0x000000000002E000-memory.dmp

Filesize
56KB

Download
memory/2840-38-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2840-178-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2840-118-0x0000000003390000-0x00000000039A6000-memory.dmp

Filesize
6.1MB

Download
memory/2840-158-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download