floxif | b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0

Analysis

max time kernel
120s
max time network
105s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
27-11-2024 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Size

1.9MB
MD5

ebb0ab45037d22cf27fad984742b524c
SHA1

57657b62190e2926d124a56351aa8a1bd957d4dc
SHA256

b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0
SHA512

de45c3c300bccd18bbf4f17ca4354a65041b861b551b388ba07aebee4659557190cf4d28953d7652ad32dcb0ee6cad4a969de2b2d7040f304dc19a86de1c3855
SSDEEP

24576:cnsJ39LyjbJkQFMhmC+6GD9vMRGJ/qofKc:cnsHyjtk2MYC5GDH1qdc

Score

10^/10

floxif xred backdoor discovery persistence trojan upx

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Detects Floxif payload 1 IoCs

backdoor

Processes:

resource	yara_rule
behavioral1/files/0x000a0000000170f8-25.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
behavioral1/files/0x000a0000000170f8-25.dat	acprotect

Executes dropped EXE 3 IoCs

Processes:

._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exeSynaptics.exe._cache_Synaptics.exe

pid	Process
2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
2008	Synaptics.exe
2988	._cache_Synaptics.exe

Loads dropped DLL 10 IoCs

Processes:

b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exeSynaptics.exe._cache_Synaptics.exe

pid	Process
2880	b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
2880	b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
2880	b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
2880	b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
2008	Synaptics.exe
2008	Synaptics.exe
2008	Synaptics.exe
2988	._cache_Synaptics.exe
2988	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe._cache_Synaptics.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Program Files\\system.caca"	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Program Files\\system.caca"	._cache_Synaptics.exe

Enumerates connected drives 3 TTPs 12 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe._cache_Synaptics.exe

description	ioc	Process
File opened (read-only)	\??\e:	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
File opened (read-only)	\??\h:	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
File opened (read-only)	\??\e:	._cache_Synaptics.exe
File opened (read-only)	\??\g:	._cache_Synaptics.exe
File opened (read-only)	\??\i:	._cache_Synaptics.exe
File opened (read-only)	\??\j:	._cache_Synaptics.exe
File opened (read-only)	\??\k:	._cache_Synaptics.exe
File opened (read-only)	\??\g:	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
File opened (read-only)	\??\i:	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
File opened (read-only)	\??\j:	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
File opened (read-only)	\??\k:	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
File opened (read-only)	\??\h:	._cache_Synaptics.exe

Network Service Discovery 1 TTPs 9 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

Processes:

arp.exearp.exearp.exearp.exearp.exearp.exearp.exearp.exearp.exe

pid	Process
2928	arp.exe
2708	arp.exe
2116	arp.exe
2620	arp.exe
2924	arp.exe
2196	arp.exe
2012	arp.exe
1136	arp.exe
2936	arp.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x000d0000000133b8-4.dat	upx
behavioral1/memory/2060-24-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/files/0x000a0000000170f8-25.dat	upx
behavioral1/memory/2060-27-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/2988-55-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/2060-114-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/2060-115-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/2060-121-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/2988-123-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/2988-124-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/2060-131-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/2060-190-0x0000000010000000-0x0000000010033000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

Processes:

._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe._cache_Synaptics.exe

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
File created	C:\Program Files\system.caca	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
File created	C:\Program Files\system.caca	._cache_Synaptics.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

arp.exe._cache_Synaptics.exeb9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exearp.exeEXCEL.EXESynaptics.exearp.exearp.exearp.exearp.exearp.exearp.exearp.exearp.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies registry class 11 IoCs

Processes:

._cache_Synaptics.exe._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cacafile\shell\open\command	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cacafile\shell\open\command\ = "C:\\Program Files\\Internet Explorer\\WINLOGON.exe"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.caca\ = "cacafile"	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cacafile\shell\open\command	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cacafile\shell\open	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cacafile\shell\open\command\ = "C:\\Program Files\\Internet Explorer\\WINLOGON.exe"	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.caca\ = "cacafile"	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.caca	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cacafile	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cacafile\shell	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.caca	._cache_Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid	Process
2992	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

._cache_Synaptics.exe._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe

pid	Process
2988	._cache_Synaptics.exe
2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid	Process
464
464

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe._cache_Synaptics.exe

description	pid	Process
Token: SeDebugPrivilege	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Token: SeDebugPrivilege	2988	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid	Process
2992	EXCEL.EXE

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exeSynaptics.exe

description	pid	Process	procid_target
PID 2880 wrote to memory of 2060	2880	b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	30
PID 2880 wrote to memory of 2060	2880	b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	30
PID 2880 wrote to memory of 2060	2880	b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	30
PID 2880 wrote to memory of 2060	2880	b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	30
PID 2060 wrote to memory of 2708	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	31
PID 2060 wrote to memory of 2708	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	31
PID 2060 wrote to memory of 2708	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	31
PID 2060 wrote to memory of 2708	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	31
PID 2060 wrote to memory of 2116	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	33
PID 2060 wrote to memory of 2116	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	33
PID 2060 wrote to memory of 2116	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	33
PID 2060 wrote to memory of 2116	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	33
PID 2060 wrote to memory of 2196	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	34
PID 2060 wrote to memory of 2196	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	34
PID 2060 wrote to memory of 2196	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	34
PID 2060 wrote to memory of 2196	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	34
PID 2060 wrote to memory of 2012	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	35
PID 2060 wrote to memory of 2012	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	35
PID 2060 wrote to memory of 2012	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	35
PID 2060 wrote to memory of 2012	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	35
PID 2060 wrote to memory of 2620	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	36
PID 2060 wrote to memory of 2620	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	36
PID 2060 wrote to memory of 2620	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	36
PID 2060 wrote to memory of 2620	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	36
PID 2880 wrote to memory of 2008	2880	b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	40
PID 2880 wrote to memory of 2008	2880	b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	40
PID 2880 wrote to memory of 2008	2880	b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	40
PID 2880 wrote to memory of 2008	2880	b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	40
PID 2060 wrote to memory of 1136	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	38
PID 2060 wrote to memory of 1136	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	38
PID 2060 wrote to memory of 1136	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	38
PID 2060 wrote to memory of 1136	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	38
PID 2060 wrote to memory of 2928	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	44
PID 2060 wrote to memory of 2928	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	44
PID 2060 wrote to memory of 2928	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	44
PID 2060 wrote to memory of 2928	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	44
PID 2060 wrote to memory of 2924	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	45
PID 2060 wrote to memory of 2924	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	45
PID 2060 wrote to memory of 2924	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	45
PID 2060 wrote to memory of 2924	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	45
PID 2060 wrote to memory of 2936	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	46
PID 2060 wrote to memory of 2936	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	46
PID 2060 wrote to memory of 2936	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	46
PID 2060 wrote to memory of 2936	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	46
PID 2008 wrote to memory of 2988	2008	Synaptics.exe	48
PID 2008 wrote to memory of 2988	2008	Synaptics.exe	48
PID 2008 wrote to memory of 2988	2008	Synaptics.exe	48
PID 2008 wrote to memory of 2988	2008	Synaptics.exe	48
PID 2060 wrote to memory of 1960	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	52
PID 2060 wrote to memory of 1960	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	52
PID 2060 wrote to memory of 1960	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	52
PID 2060 wrote to memory of 1960	2060	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	52

C:\Users\Admin\AppData\Local\Temp\b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
"C:\Users\Admin\AppData\Local\Temp\b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Users\Admin\AppData\Local\Temp\._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\SysWOW64\arp.exe
    arp -a
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2708
- - C:\Windows\SysWOW64\arp.exe
    arp -s 10.127.0.1 de-a4-47-4d-00-1f
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2116
- - C:\Windows\SysWOW64\arp.exe
    arp -s 10.127.255.255 9f-37-be-b1-65-b1
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2196
- - C:\Windows\SysWOW64\arp.exe
    arp -s 154.61.71.51 54-8d-ed-be-f1-dd
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2012
- - C:\Windows\SysWOW64\arp.exe
    arp -s 224.0.0.22 c3-8d-24-5c-36-7d
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2620
- - C:\Windows\SysWOW64\arp.exe
    arp -s 224.0.0.251 9d-ec-f4-a7-14-c1
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:1136
- - C:\Windows\SysWOW64\arp.exe
    arp -s 224.0.0.252 24-72-96-f0-32-30
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2928
- - C:\Windows\SysWOW64\arp.exe
    arp -s 239.255.255.250 33-d2-26-2d-04-27
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2924
- - C:\Windows\SysWOW64\arp.exe
    arp -s 255.255.255.255 b1-fe-06-01-f7-4e
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2936
- - C:\Windows\SysWOW64\arp.exe
    arp -d
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1960
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2988

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.9MB

MD5
ebb0ab45037d22cf27fad984742b524c

SHA1
57657b62190e2926d124a56351aa8a1bd957d4dc

SHA256
b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0

SHA512
de45c3c300bccd18bbf4f17ca4354a65041b861b551b388ba07aebee4659557190cf4d28953d7652ad32dcb0ee6cad4a969de2b2d7040f304dc19a86de1c3855

Download Submit
C:\Users\Admin\AppData\Local\Temp\NXWT91vc.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\NXWT91vc.xlsm

Filesize
20KB

MD5
d62021dbd33ceedcf352fdb69b73431e

SHA1
50549b713fa3aba4a8249b150d7a2543a4462430

SHA256
6d4b9a99474e22c43219f0762c4baebe3d56196feb22381cd492c0095ccbab80

SHA512
1aa5e67efa5d12694644e7cbbbaa95b141a80dec8254c2949577c7b64573695a080ae0910f7b0c9dada69f3da27e6301d1e6467082d1e4edeb4e56abe59753db

Download Submit
C:\Users\Admin\AppData\Local\Temp\NXWT91vc.xlsm

Filesize
24KB

MD5
9c9ff717eb18545f20b945ddc7f74c9f

SHA1
6b5a048d6f9acc00beeb678654ed3300721b5062

SHA256
f0e5d80732994a1af14e55fc81b51f8a9e8646b6b405a333557cec0b82a6b66d

SHA512
e2c53108dcf5d2c541dfd0e60b1f6754d4747eb55127f41a2dc91376afdf174dd1a9e6dc3c2d6ddff6c4c0d6d154294685fa7ea0dd0175462b57fd06217a7b3c

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
71KB

MD5
4fcd7574537cebec8e75b4e646996643

SHA1
efa59bb9050fb656b90d5d40c942fb2a304f2a8b

SHA256
8ea3b17e4b783ffc0bc387b81b823bf87af0d57da74541d88ba85314bb232a5d

SHA512
7f1a7ef64d332a735db82506b47d84853af870785066d29ccaf4fdeab114079a9f0db400e01ba574776a0d652a248658fe1e8f9659cdced19ad6eea09644ea3e

Download Submit
\ProgramData\Synaptics\Synaptics.exe.tmp

Filesize
2.0MB

MD5
ade0ab991df2f96b1311ef5c77b875eb

SHA1
2e26109ce770251f51d042fa12984e93ccb133f0

SHA256
d0574d688f283eabc3519b9f38d0a184d0a0a577bf95dfea092c28206b9b97ad

SHA512
0a95bc93223dfa959a2952eab0715a4809e95cbac59fa440082ca24bbadf5ee4b6f3f203236226191a540fd5e03d02d91d11d5c110165b71445a3401f292970f

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe

Filesize
1.2MB

MD5
6c06a994695fca714484f634106e0a30

SHA1
8c2c9a454ca15d3a310e44576ce72db109c12ba3

SHA256
4269927cb66ec9c91b41b4c63c19c9d219b6b427a2797720f246ded873829054

SHA512
8a34c358fe8d52668b5785583f2e9000dacff2f93d5446561479b9aaa2f20121578649c120ef0673cb91492a0599d2a5a99c549e4b2fffce66ed80d262bcea0c

Download Submit
memory/2008-122-0x0000000003A70000-0x0000000003A8B000-memory.dmp

Filesize
108KB

Download
memory/2008-54-0x0000000003A70000-0x0000000003A8B000-memory.dmp

Filesize
108KB

Download
memory/2008-53-0x0000000003A70000-0x0000000003A8B000-memory.dmp

Filesize
108KB

Download
memory/2008-186-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/2008-132-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/2008-125-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/2060-121-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2060-190-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2060-131-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2060-27-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2060-24-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2060-114-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2060-115-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2880-10-0x0000000003A80000-0x0000000003A9B000-memory.dmp

Filesize
108KB

Download
memory/2880-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2880-11-0x0000000003A80000-0x0000000003A9B000-memory.dmp

Filesize
108KB

Download
memory/2880-37-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/2988-123-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2988-124-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2988-55-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2992-109-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2992-57-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download