floxif | b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2024, 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Size

1.9MB
MD5

ebb0ab45037d22cf27fad984742b524c
SHA1

57657b62190e2926d124a56351aa8a1bd957d4dc
SHA256

b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0
SHA512

de45c3c300bccd18bbf4f17ca4354a65041b861b551b388ba07aebee4659557190cf4d28953d7652ad32dcb0ee6cad4a969de2b2d7040f304dc19a86de1c3855
SSDEEP

24576:cnsJ39LyjbJkQFMhmC+6GD9vMRGJ/qofKc:cnsHyjtk2MYC5GDH1qdc

Score

10^/10

floxif xred backdoor discovery persistence privilege_escalation trojan upx

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/files/0x0008000000023c6f-46.dat	floxif

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0008000000023c6f-46.dat	acprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe

Executes dropped EXE 3 IoCs

pid	Process
2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
4956	Synaptics.exe
4744	._cache_Synaptics.exe

Loads dropped DLL 6 IoCs

pid	Process
2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
4744	._cache_Synaptics.exe
4744	._cache_Synaptics.exe
4744	._cache_Synaptics.exe
4744	._cache_Synaptics.exe
4744	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Program Files\\system.caca"	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Program Files\\system.caca"	._cache_Synaptics.exe

Enumerates connected drives 3 TTPs 12 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\i:	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
File opened (read-only)	\??\g:	._cache_Synaptics.exe
File opened (read-only)	\??\i:	._cache_Synaptics.exe
File opened (read-only)	\??\j:	._cache_Synaptics.exe
File opened (read-only)	\??\k:	._cache_Synaptics.exe
File opened (read-only)	\??\h:	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
File opened (read-only)	\??\g:	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
File opened (read-only)	\??\j:	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
File opened (read-only)	\??\k:	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
File opened (read-only)	\??\e:	._cache_Synaptics.exe
File opened (read-only)	\??\h:	._cache_Synaptics.exe
File opened (read-only)	\??\e:	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe

Network Service Discovery 1 TTPs 9 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2128	arp.exe
2496	arp.exe
2376	arp.exe
1960	arp.exe
2372	arp.exe
440	arp.exe
5004	arp.exe
2692	arp.exe
2920	arp.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c000000023b88-5.dat	upx
behavioral2/memory/2332-38-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/2332-49-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/files/0x0008000000023c6f-46.dat	upx
behavioral2/memory/4744-115-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/4744-119-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/2332-183-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/2332-185-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/4744-188-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/4744-189-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/2332-191-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/2332-203-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/2332-255-0x0000000010000000-0x0000000010033000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
File created	C:\Program Files\system.caca	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
File created	C:\Program Files\system.caca	._cache_Synaptics.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cacafile\shell\open\command	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cacafile\shell	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cacafile\shell\open	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.caca\ = "cacafile"	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cacafile\shell\open\command	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.caca\ = "cacafile"	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cacafile\shell\open\command\ = "C:\\Program Files\\Internet Explorer\\WINLOGON.exe"	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.caca	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cacafile\shell\open\command\ = "C:\\Program Files\\Internet Explorer\\WINLOGON.exe"	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.caca	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cacafile	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
232	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4744	._cache_Synaptics.exe
4744	._cache_Synaptics.exe
2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Token: SeDebugPrivilege	4744	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
232	EXCEL.EXE
232	EXCEL.EXE
232	EXCEL.EXE
232	EXCEL.EXE
232	EXCEL.EXE
232	EXCEL.EXE
232	EXCEL.EXE
232	EXCEL.EXE

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 2332	4848	b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	83
PID 4848 wrote to memory of 2332	4848	b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	83
PID 4848 wrote to memory of 2332	4848	b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	83
PID 4848 wrote to memory of 4956	4848	b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	84
PID 4848 wrote to memory of 4956	4848	b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	84
PID 4848 wrote to memory of 4956	4848	b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	84
PID 2332 wrote to memory of 2372	2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	85
PID 2332 wrote to memory of 2372	2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	85
PID 2332 wrote to memory of 2372	2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	85
PID 2332 wrote to memory of 1960	2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	87
PID 2332 wrote to memory of 1960	2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	87
PID 2332 wrote to memory of 1960	2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	87
PID 2332 wrote to memory of 2376	2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	88
PID 2332 wrote to memory of 2376	2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	88
PID 2332 wrote to memory of 2376	2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	88
PID 2332 wrote to memory of 2496	2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	89
PID 2332 wrote to memory of 2496	2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	89
PID 2332 wrote to memory of 2496	2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	89
PID 2332 wrote to memory of 2920	2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	90
PID 2332 wrote to memory of 2920	2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	90
PID 2332 wrote to memory of 2920	2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	90
PID 2332 wrote to memory of 2128	2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	91
PID 2332 wrote to memory of 2128	2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	91
PID 2332 wrote to memory of 2128	2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	91
PID 2332 wrote to memory of 2692	2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	92
PID 2332 wrote to memory of 2692	2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	92
PID 2332 wrote to memory of 2692	2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	92
PID 2332 wrote to memory of 5004	2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	93
PID 2332 wrote to memory of 5004	2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	93
PID 2332 wrote to memory of 5004	2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	93
PID 2332 wrote to memory of 440	2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	94
PID 2332 wrote to memory of 440	2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	94
PID 2332 wrote to memory of 440	2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	94
PID 4956 wrote to memory of 4744	4956	Synaptics.exe	103
PID 4956 wrote to memory of 4744	4956	Synaptics.exe	103
PID 4956 wrote to memory of 4744	4956	Synaptics.exe	103
PID 2332 wrote to memory of 1968	2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	117
PID 2332 wrote to memory of 1968	2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	117
PID 2332 wrote to memory of 1968	2332	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	117

C:\Users\Admin\AppData\Local\Temp\b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
"C:\Users\Admin\AppData\Local\Temp\b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Users\Admin\AppData\Local\Temp\._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\SysWOW64\arp.exe
    arp -a
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2372
- - C:\Windows\SysWOW64\arp.exe
    arp -s 10.127.0.1 65-a0-68-4f-a8-2a
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:1960
- - C:\Windows\SysWOW64\arp.exe
    arp -s 10.127.255.255 2f-b3-7a-be-e7-fe
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2376
- - C:\Windows\SysWOW64\arp.exe
    arp -s 37.27.61.184 e0-a1-a7-8f-e0-f6
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2496
- - C:\Windows\SysWOW64\arp.exe
    arp -s 224.0.0.22 a3-59-30-f2-70-cf
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2920
- - C:\Windows\SysWOW64\arp.exe
    arp -s 224.0.0.251 72-08-d9-94-5f-28
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2128
- - C:\Windows\SysWOW64\arp.exe
    arp -s 224.0.0.252 0d-f8-d0-8b-f1-7d
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2692
- - C:\Windows\SysWOW64\arp.exe
    arp -s 239.255.255.250 e0-64-de-63-5b-d4
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:5004
- - C:\Windows\SysWOW64\arp.exe
    arp -s 255.255.255.255 6a-36-b1-91-22-71
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:440
- - C:\Windows\SysWOW64\arp.exe
    arp -d
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1968
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4744

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll

Filesize
71KB

MD5
4fcd7574537cebec8e75b4e646996643

SHA1
efa59bb9050fb656b90d5d40c942fb2a304f2a8b

SHA256
8ea3b17e4b783ffc0bc387b81b823bf87af0d57da74541d88ba85314bb232a5d

SHA512
7f1a7ef64d332a735db82506b47d84853af870785066d29ccaf4fdeab114079a9f0db400e01ba574776a0d652a248658fe1e8f9659cdced19ad6eea09644ea3e

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.9MB

MD5
ebb0ab45037d22cf27fad984742b524c

SHA1
57657b62190e2926d124a56351aa8a1bd957d4dc

SHA256
b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0

SHA512
de45c3c300bccd18bbf4f17ca4354a65041b861b551b388ba07aebee4659557190cf4d28953d7652ad32dcb0ee6cad4a969de2b2d7040f304dc19a86de1c3855

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe.tmp

Filesize
2.0MB

MD5
673c21e0992b1e01304a9f3a219ef000

SHA1
25ff2c057f1891245a0ca95ecc88da41c2aec114

SHA256
d331fe92af8e07fc9875acd0643efadc68fc327d3e5572c93ca7cffe92b0d630

SHA512
9b387545d6f8cf17e262e4ea35022d8887b03df57a84d954c37c8e0d444291458d33f261750dafa55da3cee72b27527810733d6cffc42790a8684066cc201158

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe

Filesize
1.2MB

MD5
6c06a994695fca714484f634106e0a30

SHA1
8c2c9a454ca15d3a310e44576ce72db109c12ba3

SHA256
4269927cb66ec9c91b41b4c63c19c9d219b6b427a2797720f246ded873829054

SHA512
8a34c358fe8d52668b5785583f2e9000dacff2f93d5446561479b9aaa2f20121578649c120ef0673cb91492a0599d2a5a99c549e4b2fffce66ed80d262bcea0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\55085E00

Filesize
21KB

MD5
40cbd7dc169437fc809853fb850fb055

SHA1
657a0abb461fedf2e505633e37304b2051998e48

SHA256
315dcd860cf59c3d297ad659f11d97ae602627184e625df83bcfa3616e2970f3

SHA512
5f137264c2a349e53cafa39b98a1a4d74f28d38bc0b10b5100fe1c6bb8e33df8c5f6ec98f63f6b8c7c691e3f802ded8b7a201832a38d994d7603668bd03d3eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IWCgePrZ.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
memory/232-123-0x00007FF88A750000-0x00007FF88A760000-memory.dmp

Filesize
64KB

Download
memory/232-128-0x00007FF8886F0000-0x00007FF888700000-memory.dmp

Filesize
64KB

Download
memory/232-130-0x00007FF8886F0000-0x00007FF888700000-memory.dmp

Filesize
64KB

Download
memory/232-124-0x00007FF88A750000-0x00007FF88A760000-memory.dmp

Filesize
64KB

Download
memory/232-127-0x00007FF88A750000-0x00007FF88A760000-memory.dmp

Filesize
64KB

Download
memory/232-125-0x00007FF88A750000-0x00007FF88A760000-memory.dmp

Filesize
64KB

Download
memory/232-126-0x00007FF88A750000-0x00007FF88A760000-memory.dmp

Filesize
64KB

Download
memory/2332-183-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2332-185-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2332-255-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2332-203-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2332-191-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2332-49-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2332-38-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4744-115-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4744-122-0x00000000020F0000-0x0000000002123000-memory.dmp

Filesize
204KB

Download
memory/4744-119-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/4744-188-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4744-189-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/4744-193-0x00000000020F0000-0x0000000002123000-memory.dmp

Filesize
204KB

Download
memory/4744-194-0x00000000020F0000-0x0000000002123000-memory.dmp

Filesize
204KB

Download
memory/4848-0-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/4848-81-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/4956-187-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/4956-192-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/4956-251-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/4956-82-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download