xred | 92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exe
Size

3.3MB
MD5

04488c40a9580dfc929d2092be854233
SHA1

4858c2d053e458114ba775091950f731af61fac8
SHA256

92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50
SHA512

20e2310982fec89dd19c8be4b81613b89ca9bcfe1fa11302cbeeb24c96d4dfb8cdc0d451a93fd9d85807f320ddbc744d62566263a482329663ebaa71f7185c58
SSDEEP

98304:tnsmtk2atXzhW148Pd+Tf1mpcOldJQ3/VL:RLCFK4s0TfLOdo/R

Score

10^/10

xred backdoor discovery evasion macro persistence themida trojan

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

spoolsv.exesvchost.exespoolsv.exe._cache_92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	._cache_92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorer.exe

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

Processes:

resource
C:\Users\Admin\AppData\Local\Temp\YTbcRQPQ.xlsm

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

._cache_92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exe._cache_Synaptics.exeicsys.icn.exespoolsv.exespoolsv.exeexplorer.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	._cache_92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	._cache_92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe

Executes dropped EXE 9 IoCs

Processes:

._cache_92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
3064	._cache_92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exe
2812	Synaptics.exe
2148	._cache_Synaptics.exe
2648	._cache_synaptics.exe
580	icsys.icn.exe
448	explorer.exe
3020	spoolsv.exe
2416	svchost.exe
3028	spoolsv.exe

Loads dropped DLL 11 IoCs

Processes:

92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exeSynaptics.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

pid	process
1884	92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exe
1884	92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exe
1884	92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exe
2812	Synaptics.exe
2812	Synaptics.exe
2148	._cache_Synaptics.exe
2148	._cache_Synaptics.exe
580	icsys.icn.exe
448	explorer.exe
3020	spoolsv.exe
2416	svchost.exe

Themida packer 27 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\._cache_92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exe	themida
behavioral1/memory/3064-18-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2148-38-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
\Windows\Resources\Themes\icsys.icn.exe	themida
behavioral1/memory/580-95-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
\Windows\Resources\Themes\explorer.exe	themida
behavioral1/memory/3064-123-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/448-122-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
\Windows\Resources\spoolsv.exe	themida
behavioral1/memory/2148-133-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/448-134-0x00000000037D0000-0x0000000003DE6000-memory.dmp	themida
behavioral1/memory/3020-137-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
\Windows\Resources\svchost.exe	themida
behavioral1/memory/2416-153-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/3028-157-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/3028-162-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/580-163-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/3020-165-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2148-167-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/580-169-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/448-171-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2416-174-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/448-173-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/448-191-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/2416-192-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/448-196-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral1/memory/448-226-0x0000000000400000-0x0000000000A16000-memory.dmp	themida

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

Checks whether UAC is enabled 1 TTPs 7 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

._cache_92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	._cache_92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

._cache_92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
3064	._cache_92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exe
2148	._cache_Synaptics.exe
580	icsys.icn.exe
448	explorer.exe
3020	spoolsv.exe
2416	svchost.exe
3028	spoolsv.exe

Drops file in Windows directory 5 IoCs

Processes:

._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

EXCEL.EXEicsys.icn.exeexplorer.exesvchost.exe._cache_92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exeSynaptics.exe._cache_Synaptics.exeschtasks.exeschtasks.exe92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exespoolsv.exespoolsv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

1376 schtasks.exe
2356 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2948 EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1376	schtasks.exe
2356	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

._cache_Synaptics.exeicsys.icn.exeexplorer.exesvchost.exe

pid	process
2148	._cache_Synaptics.exe
2148	._cache_Synaptics.exe
2148	._cache_Synaptics.exe
2148	._cache_Synaptics.exe
2148	._cache_Synaptics.exe
2148	._cache_Synaptics.exe
2148	._cache_Synaptics.exe
2148	._cache_Synaptics.exe
2148	._cache_Synaptics.exe
2148	._cache_Synaptics.exe
2148	._cache_Synaptics.exe
2148	._cache_Synaptics.exe
2148	._cache_Synaptics.exe
2148	._cache_Synaptics.exe
2148	._cache_Synaptics.exe
2148	._cache_Synaptics.exe
580	icsys.icn.exe
580	icsys.icn.exe
580	icsys.icn.exe
580	icsys.icn.exe
580	icsys.icn.exe
580	icsys.icn.exe
580	icsys.icn.exe
580	icsys.icn.exe
580	icsys.icn.exe
580	icsys.icn.exe
580	icsys.icn.exe
580	icsys.icn.exe
580	icsys.icn.exe
580	icsys.icn.exe
580	icsys.icn.exe
580	icsys.icn.exe
580	icsys.icn.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
448	explorer.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe
2416	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

448 explorer.exe
2416 svchost.exe

pid	process
448	explorer.exe
2416	svchost.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

EXCEL.EXE._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2948	EXCEL.EXE
2148	._cache_Synaptics.exe
2148	._cache_Synaptics.exe
580	icsys.icn.exe
580	icsys.icn.exe
448	explorer.exe
448	explorer.exe
3020	spoolsv.exe
3020	spoolsv.exe
2416	svchost.exe
2416	svchost.exe
3028	spoolsv.exe
3028	spoolsv.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exeSynaptics.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 1884 wrote to memory of 3064	1884	92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exe	._cache_92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exe
PID 1884 wrote to memory of 3064	1884	92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exe	._cache_92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exe
PID 1884 wrote to memory of 3064	1884	92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exe	._cache_92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exe
PID 1884 wrote to memory of 3064	1884	92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exe	._cache_92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exe
PID 1884 wrote to memory of 2812	1884	92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exe	Synaptics.exe
PID 1884 wrote to memory of 2812	1884	92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exe	Synaptics.exe
PID 1884 wrote to memory of 2812	1884	92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exe	Synaptics.exe
PID 1884 wrote to memory of 2812	1884	92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exe	Synaptics.exe
PID 2812 wrote to memory of 2148	2812	Synaptics.exe	._cache_Synaptics.exe
PID 2812 wrote to memory of 2148	2812	Synaptics.exe	._cache_Synaptics.exe
PID 2812 wrote to memory of 2148	2812	Synaptics.exe	._cache_Synaptics.exe
PID 2812 wrote to memory of 2148	2812	Synaptics.exe	._cache_Synaptics.exe
PID 2148 wrote to memory of 2648	2148	._cache_Synaptics.exe	._cache_synaptics.exe
PID 2148 wrote to memory of 2648	2148	._cache_Synaptics.exe	._cache_synaptics.exe
PID 2148 wrote to memory of 2648	2148	._cache_Synaptics.exe	._cache_synaptics.exe
PID 2148 wrote to memory of 2648	2148	._cache_Synaptics.exe	._cache_synaptics.exe
PID 2148 wrote to memory of 580	2148	._cache_Synaptics.exe	icsys.icn.exe
PID 2148 wrote to memory of 580	2148	._cache_Synaptics.exe	icsys.icn.exe
PID 2148 wrote to memory of 580	2148	._cache_Synaptics.exe	icsys.icn.exe
PID 2148 wrote to memory of 580	2148	._cache_Synaptics.exe	icsys.icn.exe
PID 580 wrote to memory of 448	580	icsys.icn.exe	explorer.exe
PID 580 wrote to memory of 448	580	icsys.icn.exe	explorer.exe
PID 580 wrote to memory of 448	580	icsys.icn.exe	explorer.exe
PID 580 wrote to memory of 448	580	icsys.icn.exe	explorer.exe
PID 448 wrote to memory of 3020	448	explorer.exe	spoolsv.exe
PID 448 wrote to memory of 3020	448	explorer.exe	spoolsv.exe
PID 448 wrote to memory of 3020	448	explorer.exe	spoolsv.exe
PID 448 wrote to memory of 3020	448	explorer.exe	spoolsv.exe
PID 3020 wrote to memory of 2416	3020	spoolsv.exe	svchost.exe
PID 3020 wrote to memory of 2416	3020	spoolsv.exe	svchost.exe
PID 3020 wrote to memory of 2416	3020	spoolsv.exe	svchost.exe
PID 3020 wrote to memory of 2416	3020	spoolsv.exe	svchost.exe
PID 2416 wrote to memory of 3028	2416	svchost.exe	spoolsv.exe
PID 2416 wrote to memory of 3028	2416	svchost.exe	spoolsv.exe
PID 2416 wrote to memory of 3028	2416	svchost.exe	spoolsv.exe
PID 2416 wrote to memory of 3028	2416	svchost.exe	spoolsv.exe
PID 448 wrote to memory of 1416	448	explorer.exe	Explorer.exe
PID 448 wrote to memory of 1416	448	explorer.exe	Explorer.exe
PID 448 wrote to memory of 1416	448	explorer.exe	Explorer.exe
PID 448 wrote to memory of 1416	448	explorer.exe	Explorer.exe
PID 2416 wrote to memory of 1376	2416	svchost.exe	schtasks.exe
PID 2416 wrote to memory of 1376	2416	svchost.exe	schtasks.exe
PID 2416 wrote to memory of 1376	2416	svchost.exe	schtasks.exe
PID 2416 wrote to memory of 1376	2416	svchost.exe	schtasks.exe
PID 2416 wrote to memory of 2356	2416	svchost.exe	schtasks.exe
PID 2416 wrote to memory of 2356	2416	svchost.exe	schtasks.exe
PID 2416 wrote to memory of 2356	2416	svchost.exe	schtasks.exe
PID 2416 wrote to memory of 2356	2416	svchost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exe
"C:\Users\Admin\AppData\Local\Temp\92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Users\Admin\AppData\Local\Temp\._cache_92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:3064
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
      c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
      4⤵
      Executes dropped EXE
      PID:2648
  - - C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:580
    - - \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:448
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        7⤵
        Modifies visiblity of hidden/system files in Explorer
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3028
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:32 /f
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1376
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:33 /f
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2356
      - C:\Windows\Explorer.exe
        
        C:\Windows\Explorer.exe
        6⤵
        
        PID:1416

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
3.3MB

MD5
04488c40a9580dfc929d2092be854233

SHA1
4858c2d053e458114ba775091950f731af61fac8

SHA256
92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50

SHA512
20e2310982fec89dd19c8be4b81613b89ca9bcfe1fa11302cbeeb24c96d4dfb8cdc0d451a93fd9d85807f320ddbc744d62566263a482329663ebaa71f7185c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_synaptics.exe

Filesize
29KB

MD5
dbd2194b7a5b38636edf7112ebc6fe91

SHA1
6fea8daee367fbdee5a299a214c0419ef04ea7bb

SHA256
927004a7ed771954853acfd331baf0a2d74c84037d4adff5a4a65fb1b287e586

SHA512
238cf410957b64bc0f8997fb3669b6f362e6b170c942fecca43ddc72a73ebffe75d829f0bade82cc712ca6786d6083921df9648d8c7a19ddc1e0de55cc526d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\YTbcRQPQ.xlsm

Filesize
24KB

MD5
2624f54ebfaa89e5792556c869700887

SHA1
d0fefcbb481e57092587af1eef3cc86def3c8b3f

SHA256
1888e1e4fc62d1bead8dfcd1ef5d89fc225deb6e0b05665a90595d2a78d06bb5

SHA512
427668b9a5ccb6f2edc7423616a14b49ffc9b29bed9abb1c14a5bb21b9418cf09241951ca923f6aa963b6a2318adaeec0524b72d59cdc78a899d378d9b7106ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\YTbcRQPQ.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\YTbcRQPQ.xlsm

Filesize
29KB

MD5
27534061f24741f84f26bf6933eb7173

SHA1
0b005244204f7ba078b5380eb20eba6d83676c70

SHA256
273b00c1416d72613c41b35b4896c8e103b70c5d061a3d3fdd7a517c52b0bcb9

SHA512
6ace7fe89d20bb1b6115ae8b58ba2575c55867ecd1f670e7107c9616fb9d290df304c1608195e179de2176c90c6fe33d39e9e858284b89c4e9dfd12020f7aa94

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_92de8c03f7003ecd6293b803ff0e4bafb01132168317e05c394770b61c431d50.exe

Filesize
2.6MB

MD5
070ace5223028f0a4c06686f6db20673

SHA1
eca46d16a18c723a83045cb912751621325e9021

SHA256
70594f83aa785ddeec6a020a9d63f7b1e73b343c318dbff5ab4e6e1cde40a09f

SHA512
55f7d1a11f9051d8492e742c745581f3bcac8da369071edf99be153547ec795e8decd962a171256658c4c7c793228e85090e6f2f66987bcbf29a88672382da6f

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
2.6MB

MD5
cac54955724b18eb82bf7888c1503f34

SHA1
dc3cfefec5c96e8f13543a85a8897dfb66ab22b6

SHA256
6c7731856a6a712378455c026f1fcb9b139c636d74b5d91c153e665981a43d18

SHA512
e476a32bb26ba968215d50e6bfc3de6eb1058431a8c3a7972f5204a595ed2267947e48a5a272a9e9ab5f90bb2bb78a12f18ce6ff702fd082dd3ef500fa27cd8b

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
2.6MB

MD5
cb1a029520fcbcd453c91074475fe3cd

SHA1
5050f39b5110aae1b3ca4196d424f15bc5362eb0

SHA256
3ec7a56ade24d41b83b3105e6987966fc6ee47c0c7a6f585b73540cff0739f8f

SHA512
522a77819c9108127e697750d160e4609c1a4d2d3d440f389b6069bf2fcedaf8cb87137422aea0a39e3f3f812e7996d2978d4e22f8f89fd1632a4db1a133ee92

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
2.6MB

MD5
1aacd816963f5ce97cb80d0088ed19c6

SHA1
da396b236d70b539cd2792c9f4e71d207af34dc5

SHA256
f80694fb20daa7bfa06ff0d6cf9c8b2ec07bbe5216808f45e3c72bbdc81d6209

SHA512
71bb894e31fa0b55b2bab03959488fbf8ea2a03847782b94695b3c2ece71da430a1d77138499d98d702527c814dd9bd4e867bdb8eb9cdddbd9fe88503fd6d83b

Download Submit
\Windows\Resources\svchost.exe

Filesize
2.6MB

MD5
29f5fbd04eaaeed559ddaf3eafe2c4f8

SHA1
619da5059f2e4da0038eb9580b027f103e5b70f8

SHA256
790d7dd5ce80637864d71ab87e3ac6f8606280d573a077ea3d064edfb23dc381

SHA512
ef677b01144a1d18d2d53176fc49c2b5b575fefcd3c8433ddaf1e56085d5ea0048aa108d3c21d08bcb9be0e1c00c14067b96d527792bfd63ba385ece3f1e6d12

Download Submit
memory/448-171-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/448-173-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/448-134-0x00000000037D0000-0x0000000003DE6000-memory.dmp

Filesize
6.1MB

Download
memory/448-191-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/448-196-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/448-122-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/448-226-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/580-169-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/580-95-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/580-121-0x0000000003840000-0x0000000003E56000-memory.dmp

Filesize
6.1MB

Download
memory/580-163-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1884-17-0x00000000058F0000-0x0000000005F06000-memory.dmp

Filesize
6.1MB

Download
memory/1884-27-0x0000000000400000-0x000000000075F000-memory.dmp

Filesize
3.4MB

Download
memory/1884-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2148-156-0x00000000032C0000-0x00000000038D6000-memory.dmp

Filesize
6.1MB

Download
memory/2148-94-0x00000000032C0000-0x00000000038D6000-memory.dmp

Filesize
6.1MB

Download
memory/2148-133-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2148-167-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2148-38-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2416-192-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2416-153-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2416-174-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2416-176-0x0000000003490000-0x0000000003AA6000-memory.dmp

Filesize
6.1MB

Download
memory/2648-50-0x0000000000270000-0x000000000027E000-memory.dmp

Filesize
56KB

Download
memory/2812-37-0x0000000005720000-0x0000000005D36000-memory.dmp

Filesize
6.1MB

Download
memory/2812-225-0x0000000000400000-0x000000000075F000-memory.dmp

Filesize
3.4MB

Download
memory/2812-132-0x0000000005720000-0x0000000005D36000-memory.dmp

Filesize
6.1MB

Download
memory/2812-182-0x0000000000400000-0x000000000075F000-memory.dmp

Filesize
3.4MB

Download
memory/2812-172-0x0000000000400000-0x000000000075F000-memory.dmp

Filesize
3.4MB

Download
memory/2948-116-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2948-39-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3020-137-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/3020-146-0x0000000003780000-0x0000000003D96000-memory.dmp

Filesize
6.1MB

Download
memory/3020-165-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/3028-157-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/3028-162-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/3064-18-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/3064-123-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download