floxif | b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2024 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Size

1.9MB
MD5

ebb0ab45037d22cf27fad984742b524c
SHA1

57657b62190e2926d124a56351aa8a1bd957d4dc
SHA256

b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0
SHA512

de45c3c300bccd18bbf4f17ca4354a65041b861b551b388ba07aebee4659557190cf4d28953d7652ad32dcb0ee6cad4a969de2b2d7040f304dc19a86de1c3855
SSDEEP

24576:cnsJ39LyjbJkQFMhmC+6GD9vMRGJ/qofKc:cnsHyjtk2MYC5GDH1qdc

Score

10^/10

floxif xred backdoor discovery persistence privilege_escalation trojan upx

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Detects Floxif payload 1 IoCs

backdoor

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023c8b-45.dat	floxif

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023c8b-45.dat	acprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exeSynaptics.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 3 IoCs

Processes:

._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exeSynaptics.exe._cache_Synaptics.exe

pid	Process
2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
4568	Synaptics.exe
2032	._cache_Synaptics.exe

Loads dropped DLL 7 IoCs

Processes:

._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exeSynaptics.exe._cache_Synaptics.exe

pid	Process
2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
4568	Synaptics.exe
2032	._cache_Synaptics.exe
2032	._cache_Synaptics.exe
2032	._cache_Synaptics.exe
2032	._cache_Synaptics.exe
2032	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe._cache_Synaptics.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Program Files\\system.caca"	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Program Files\\system.caca"	._cache_Synaptics.exe

Enumerates connected drives 3 TTPs 12 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe._cache_Synaptics.exe

description	ioc	Process
File opened (read-only)	\??\h:	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
File opened (read-only)	\??\i:	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
File opened (read-only)	\??\j:	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
File opened (read-only)	\??\e:	._cache_Synaptics.exe
File opened (read-only)	\??\g:	._cache_Synaptics.exe
File opened (read-only)	\??\h:	._cache_Synaptics.exe
File opened (read-only)	\??\i:	._cache_Synaptics.exe
File opened (read-only)	\??\e:	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
File opened (read-only)	\??\g:	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
File opened (read-only)	\??\k:	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
File opened (read-only)	\??\j:	._cache_Synaptics.exe
File opened (read-only)	\??\k:	._cache_Synaptics.exe

Network Service Discovery 1 TTPs 9 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

Processes:

arp.exearp.exearp.exearp.exearp.exearp.exearp.exearp.exearp.exe

pid	Process
3340	arp.exe
840	arp.exe
3152	arp.exe
3840	arp.exe
2944	arp.exe
2904	arp.exe
3632	arp.exe
2544	arp.exe
2084	arp.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x000c000000023b90-5.dat	upx
behavioral2/memory/2320-33-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/2320-48-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/files/0x0007000000023c8b-45.dat	upx
behavioral2/memory/4568-84-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/2032-119-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/2032-123-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/2320-198-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/2320-199-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/4568-202-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/2032-204-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/2032-205-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/2320-209-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/2320-217-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/4568-268-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral2/memory/2320-272-0x0000000010000000-0x0000000010033000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

Processes:

._cache_Synaptics.exe._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe

description	ioc	Process
File created	C:\Program Files\system.caca	._cache_Synaptics.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
File created	C:\Program Files\system.caca	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

._cache_Synaptics.exearp.exearp.exearp.exearp.exearp.exearp.exearp.exe._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exeSynaptics.exearp.exeb9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exearp.exearp.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies registry class 13 IoCs

Processes:

._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe._cache_Synaptics.exeSynaptics.exeb9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.caca\ = "cacafile"	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cacafile\shell\open\command	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cacafile	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cacafile\shell	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cacafile\shell\open\command	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.caca	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cacafile\shell\open	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cacafile\shell\open\command\ = "C:\\Program Files\\Internet Explorer\\WINLOGON.exe"	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.caca	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.caca\ = "cacafile"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cacafile\shell\open\command\ = "C:\\Program Files\\Internet Explorer\\WINLOGON.exe"	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid	Process
1500	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

._cache_Synaptics.exe._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe

pid	Process
2032	._cache_Synaptics.exe
2032	._cache_Synaptics.exe
2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid	Process
660
660

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exeSynaptics.exe._cache_Synaptics.exe

description	pid	Process
Token: SeDebugPrivilege	2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
Token: SeDebugPrivilege	4568	Synaptics.exe
Token: SeDebugPrivilege	2032	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

EXCEL.EXE

pid	Process
1500	EXCEL.EXE
1500	EXCEL.EXE
1500	EXCEL.EXE
1500	EXCEL.EXE
1500	EXCEL.EXE
1500	EXCEL.EXE

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exeSynaptics.exe

description	pid	Process	procid_target
PID 3496 wrote to memory of 2320	3496	b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	82
PID 3496 wrote to memory of 2320	3496	b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	82
PID 3496 wrote to memory of 2320	3496	b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	82
PID 2320 wrote to memory of 3340	2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	83
PID 2320 wrote to memory of 3340	2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	83
PID 2320 wrote to memory of 3340	2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	83
PID 3496 wrote to memory of 4568	3496	b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	84
PID 3496 wrote to memory of 4568	3496	b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	84
PID 3496 wrote to memory of 4568	3496	b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	84
PID 2320 wrote to memory of 2944	2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	86
PID 2320 wrote to memory of 2944	2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	86
PID 2320 wrote to memory of 2944	2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	86
PID 2320 wrote to memory of 3840	2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	87
PID 2320 wrote to memory of 3840	2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	87
PID 2320 wrote to memory of 3840	2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	87
PID 2320 wrote to memory of 3152	2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	88
PID 2320 wrote to memory of 3152	2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	88
PID 2320 wrote to memory of 3152	2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	88
PID 2320 wrote to memory of 2084	2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	89
PID 2320 wrote to memory of 2084	2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	89
PID 2320 wrote to memory of 2084	2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	89
PID 2320 wrote to memory of 2544	2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	90
PID 2320 wrote to memory of 2544	2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	90
PID 2320 wrote to memory of 2544	2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	90
PID 2320 wrote to memory of 840	2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	91
PID 2320 wrote to memory of 840	2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	91
PID 2320 wrote to memory of 840	2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	91
PID 2320 wrote to memory of 3632	2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	92
PID 2320 wrote to memory of 3632	2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	92
PID 2320 wrote to memory of 3632	2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	92
PID 2320 wrote to memory of 2904	2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	93
PID 2320 wrote to memory of 2904	2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	93
PID 2320 wrote to memory of 2904	2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	93
PID 4568 wrote to memory of 2032	4568	Synaptics.exe	102
PID 4568 wrote to memory of 2032	4568	Synaptics.exe	102
PID 4568 wrote to memory of 2032	4568	Synaptics.exe	102
PID 2320 wrote to memory of 2892	2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	113
PID 2320 wrote to memory of 2892	2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	113
PID 2320 wrote to memory of 2892	2320	._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe	113

C:\Users\Admin\AppData\Local\Temp\b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
"C:\Users\Admin\AppData\Local\Temp\b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Users\Admin\AppData\Local\Temp\._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\SysWOW64\arp.exe
    arp -a
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:3340
- - C:\Windows\SysWOW64\arp.exe
    arp -s 10.127.0.1 3b-ee-a1-2d-68-3a
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2944
- - C:\Windows\SysWOW64\arp.exe
    arp -s 10.127.255.255 37-7b-15-05-b9-21
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:3840
- - C:\Windows\SysWOW64\arp.exe
    arp -s 49.12.169.207 da-6f-32-0c-f5-2e
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:3152
- - C:\Windows\SysWOW64\arp.exe
    arp -s 224.0.0.22 c5-df-d8-c6-c6-a7
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2084
- - C:\Windows\SysWOW64\arp.exe
    arp -s 224.0.0.251 0a-2b-a8-13-6a-11
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2544
- - C:\Windows\SysWOW64\arp.exe
    arp -s 224.0.0.252 db-96-ff-58-cc-a8
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:840
- - C:\Windows\SysWOW64\arp.exe
    arp -s 239.255.255.250 d5-05-87-26-77-e3
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:3632
- - C:\Windows\SysWOW64\arp.exe
    arp -s 255.255.255.255 9b-4d-4c-09-7f-fa
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2904
- - C:\Windows\SysWOW64\arp.exe
    arp -d
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2892
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2032

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll

Filesize
71KB

MD5
4fcd7574537cebec8e75b4e646996643

SHA1
efa59bb9050fb656b90d5d40c942fb2a304f2a8b

SHA256
8ea3b17e4b783ffc0bc387b81b823bf87af0d57da74541d88ba85314bb232a5d

SHA512
7f1a7ef64d332a735db82506b47d84853af870785066d29ccaf4fdeab114079a9f0db400e01ba574776a0d652a248658fe1e8f9659cdced19ad6eea09644ea3e

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.9MB

MD5
ebb0ab45037d22cf27fad984742b524c

SHA1
57657b62190e2926d124a56351aa8a1bd957d4dc

SHA256
b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0

SHA512
de45c3c300bccd18bbf4f17ca4354a65041b861b551b388ba07aebee4659557190cf4d28953d7652ad32dcb0ee6cad4a969de2b2d7040f304dc19a86de1c3855

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe.tmp

Filesize
2.0MB

MD5
021cfae6e3cf543df45843ffd1cf0819

SHA1
1016e0d310a225e694c2f51e761fde61f66cacb7

SHA256
ade9cf5ea4fee20a1780c1bddfc5109f9b3f683514950849063a807b3827a407

SHA512
36c03dececee3125aa1e0e9a52766bcae1fd2a01237562f4ac2710fb90702d511fed73023aec871aa405f90351cd92506e1b5c821711249570425763e240f0ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_b9172b102bc725011a574efea752f18d211fe99eef083ac93b8dc9334ffbd8b0.exe

Filesize
1.2MB

MD5
6c06a994695fca714484f634106e0a30

SHA1
8c2c9a454ca15d3a310e44576ce72db109c12ba3

SHA256
4269927cb66ec9c91b41b4c63c19c9d219b6b427a2797720f246ded873829054

SHA512
8a34c358fe8d52668b5785583f2e9000dacff2f93d5446561479b9aaa2f20121578649c120ef0673cb91492a0599d2a5a99c549e4b2fffce66ed80d262bcea0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\97FRE4iO.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\D8875E00

Filesize
25KB

MD5
9e20e9de76cbe678e97e69bf97ff8e3c

SHA1
cf667e35d823876b1d44b1c274732193f422404c

SHA256
9cd170b6f3d1063bbfbf6f93bcbf312cabc9e8d5f9250dcda7c1081df648eeec

SHA512
012b0049dbb2717b2e827efa790adeee9b271591518c2b0ffda340edb3534995bf0d6aae47083de0bd93c25ef447522e19973608e5495d507d74127652310d09

Download Submit
memory/1500-195-0x00007FF7DC3B0000-0x00007FF7DC3C0000-memory.dmp

Filesize
64KB

Download
memory/1500-194-0x00007FF7DC3B0000-0x00007FF7DC3C0000-memory.dmp

Filesize
64KB

Download
memory/1500-126-0x00007FF7DC3B0000-0x00007FF7DC3C0000-memory.dmp

Filesize
64KB

Download
memory/1500-196-0x00007FF7DC3B0000-0x00007FF7DC3C0000-memory.dmp

Filesize
64KB

Download
memory/1500-197-0x00007FF7DC3B0000-0x00007FF7DC3C0000-memory.dmp

Filesize
64KB

Download
memory/1500-132-0x00007FF7DA1E0000-0x00007FF7DA1F0000-memory.dmp

Filesize
64KB

Download
memory/1500-131-0x00007FF7DA1E0000-0x00007FF7DA1F0000-memory.dmp

Filesize
64KB

Download
memory/1500-128-0x00007FF7DC3B0000-0x00007FF7DC3C0000-memory.dmp

Filesize
64KB

Download
memory/1500-130-0x00007FF7DC3B0000-0x00007FF7DC3C0000-memory.dmp

Filesize
64KB

Download
memory/1500-129-0x00007FF7DC3B0000-0x00007FF7DC3C0000-memory.dmp

Filesize
64KB

Download
memory/1500-127-0x00007FF7DC3B0000-0x00007FF7DC3C0000-memory.dmp

Filesize
64KB

Download
memory/2032-125-0x00000000020F0000-0x0000000002123000-memory.dmp

Filesize
204KB

Download
memory/2032-123-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2032-124-0x00000000020F0000-0x0000000002123000-memory.dmp

Filesize
204KB

Download
memory/2032-205-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2032-119-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2032-207-0x00000000020F0000-0x0000000002123000-memory.dmp

Filesize
204KB

Download
memory/2032-206-0x00000000020F0000-0x0000000002123000-memory.dmp

Filesize
204KB

Download
memory/2032-204-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2320-199-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2320-33-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2320-198-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2320-48-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2320-272-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2320-217-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2320-209-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/3496-83-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/3496-0-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/4568-87-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/4568-84-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/4568-210-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/4568-203-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/4568-268-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/4568-267-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/4568-202-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download