Analysis
max time kernel: 150s
max time network: 145s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 27/11/2024, 01:13
Behavioral task: behavioral1
Sample: 805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe
Resource: win7-20240903-en
General
Target: 805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe
Size: 3.3MB
MD5: e3a3e6d5bcdf3fe8c6c525429e401b1f
SHA1: a1b2370bd81715b63dd6268e301a7101d39d3ebc
SHA256: 805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299
SHA512: be86d4785df2de0b0f4e74c9f56988d7df0dc6ed2bd2d2632b83266a73ed72491b50a3db557d83ce5cca65ed1b98c97d6c63a90045188896b02d2fa3484e8743
SSDEEP: 98304:dnsmtk2a9XzhW148Pd+Tf1mpcOldJQ3/VL4:BL6FK4s0TfLOdo/K
Malware Config
Extracted
xred
xred.mooo.com
payload_url
Signatures
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Xred family
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | spoolsv.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | spoolsv.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ._cache_805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ._cache_Synaptics.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | icsys.icn.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorer.exe
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ._cache_805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ._cache_Synaptics.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | icsys.icn.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ._cache_Synaptics.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | icsys.icn.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ._cache_805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | spoolsv.exe
Executes dropped EXE 10 IoCs
pid | Process
3000 | ._cache_805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe
2160 | Synaptics.exe
2692 | ._cache_Synaptics.exe
2320 | ._cache_synaptics.exe
1160 | Process not Found
2628 | icsys.icn.exe
1388 | explorer.exe
1648 | spoolsv.exe
1188 | svchost.exe
2268 | spoolsv.exe
Loads dropped DLL 13 IoCs
pid | Process
2516 | 805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe
2516 | 805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe
2516 | 805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe
2160 | Synaptics.exe
2160 | Synaptics.exe
2692 | ._cache_Synaptics.exe
2576 | Process not Found
2692 | ._cache_Synaptics.exe
1160 | Process not Found
2628 | icsys.icn.exe
1388 | explorer.exe
1648 | spoolsv.exe
1188 | svchost.exe
resource | yara_rule
behavioral1/files/0x000c000000012263-4.dat | themida
behavioral1/memory/2516-17-0x00000000059F0000-0x0000000006006000-memory.dmp | themida
behavioral1/memory/3000-18-0x0000000000400000-0x0000000000A16000-memory.dmp | themida
behavioral1/memory/2692-38-0x0000000000400000-0x0000000000A16000-memory.dmp | themida
behavioral1/memory/2628-58-0x0000000000400000-0x0000000000A16000-memory.dmp | themida
behavioral1/files/0x0007000000016d24-56.dat | themida
behavioral1/files/0x00070000000174ac-71.dat | themida
behavioral1/memory/1388-72-0x0000000000400000-0x0000000000A16000-memory.dmp | themida
behavioral1/files/0x000a000000018678-91.dat | themida
behavioral1/memory/1648-96-0x0000000000400000-0x0000000000A16000-memory.dmp | themida
behavioral1/memory/1388-93-0x0000000003820000-0x0000000003E36000-memory.dmp | themida
behavioral1/memory/3000-118-0x0000000000400000-0x0000000000A16000-memory.dmp | themida
behavioral1/files/0x00070000000190cd-115.dat | themida
behavioral1/memory/1188-121-0x0000000000400000-0x0000000000A16000-memory.dmp | themida
behavioral1/memory/2268-135-0x0000000000400000-0x0000000000A16000-memory.dmp | themida
behavioral1/memory/2268-137-0x0000000000400000-0x0000000000A16000-memory.dmp | themida
behavioral1/memory/2692-130-0x0000000000400000-0x0000000000A16000-memory.dmp | themida
behavioral1/memory/1648-139-0x0000000000400000-0x0000000000A16000-memory.dmp | themida
behavioral1/memory/2628-141-0x0000000000400000-0x0000000000A16000-memory.dmp | themida
behavioral1/memory/2692-143-0x0000000000400000-0x0000000000A16000-memory.dmp | themida
behavioral1/memory/1388-160-0x0000000000400000-0x0000000000A16000-memory.dmp | themida
behavioral1/memory/1188-164-0x0000000000400000-0x0000000000A16000-memory.dmp | themida
behavioral1/memory/1188-163-0x0000000000400000-0x0000000000A16000-memory.dmp | themida
behavioral1/memory/1388-185-0x0000000000400000-0x0000000000A16000-memory.dmp | themida
behavioral1/memory/1388-215-0x0000000000400000-0x0000000000A16000-memory.dmp | themida
behavioral1/memory/1188-220-0x0000000000400000-0x0000000000A16000-memory.dmp | themida
Adds Run key to start application 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | 805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
Checks whether UAC is enabled 7 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ._cache_805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ._cache_Synaptics.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | icsys.icn.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | svchost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | spoolsv.exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
pid | Process
3000 | ._cache_805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe
2692 | ._cache_Synaptics.exe
2628 | icsys.icn.exe
1388 | explorer.exe
1648 | spoolsv.exe
1188 | svchost.exe
2268 | spoolsv.exe
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | icsys.icn.exe
File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | ._cache_Synaptics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Synaptics.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icsys.icn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_Synaptics.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Enumerates system info in registry 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
888 | schtasks.exe
1580 | schtasks.exe
1832 | schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2600 | EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2692 | ._cache_Synaptics.exe
2692 | ._cache_Synaptics.exe
2692 | ._cache_Synaptics.exe
2692 | ._cache_Synaptics.exe
2692 | ._cache_Synaptics.exe
2692 | ._cache_Synaptics.exe
2692 | ._cache_Synaptics.exe
2692 | ._cache_Synaptics.exe
2692 | ._cache_Synaptics.exe
2692 | ._cache_Synaptics.exe
2692 | ._cache_Synaptics.exe
2692 | ._cache_Synaptics.exe
2692 | ._cache_Synaptics.exe
2692 | ._cache_Synaptics.exe
2692 | ._cache_Synaptics.exe
2692 | ._cache_Synaptics.exe
2628 | icsys.icn.exe
2628 | icsys.icn.exe
2628 | icsys.icn.exe
2628 | icsys.icn.exe
2628 | icsys.icn.exe
2628 | icsys.icn.exe
2628 | icsys.icn.exe
2628 | icsys.icn.exe
2628 | icsys.icn.exe
2628 | icsys.icn.exe
2628 | icsys.icn.exe
2628 | icsys.icn.exe
2628 | icsys.icn.exe
2628 | icsys.icn.exe
2628 | icsys.icn.exe
2628 | icsys.icn.exe
2628 | icsys.icn.exe
1388 | explorer.exe
1388 | explorer.exe
1388 | explorer.exe
1388 | explorer.exe
1388 | explorer.exe
1388 | explorer.exe
1388 | explorer.exe
1388 | explorer.exe
1388 | explorer.exe
1388 | explorer.exe
1388 | explorer.exe
1388 | explorer.exe
1388 | explorer.exe
1388 | explorer.exe
1388 | explorer.exe
1388 | explorer.exe
1188 | svchost.exe
1188 | svchost.exe
1188 | svchost.exe
1188 | svchost.exe
1188 | svchost.exe
1188 | svchost.exe
1188 | svchost.exe
1188 | svchost.exe
1188 | svchost.exe
1188 | svchost.exe
1188 | svchost.exe
1188 | svchost.exe
1188 | svchost.exe
1188 | svchost.exe
1188 | svchost.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
1388 | explorer.exe
1188 | svchost.exe
Suspicious use of SetWindowsHookEx 13 IoCs
pid | Process
2692 | ._cache_Synaptics.exe
2692 | ._cache_Synaptics.exe
2600 | EXCEL.EXE
2628 | icsys.icn.exe
2628 | icsys.icn.exe
1388 | explorer.exe
1388 | explorer.exe
1648 | spoolsv.exe
1648 | spoolsv.exe
1188 | svchost.exe
1188 | svchost.exe
2268 | spoolsv.exe
2268 | spoolsv.exe
Suspicious use of WriteProcessMemory 52 IoCs
description | pid | Process | procid_target
PID 2516 wrote to memory of 3000 | 2516 | 805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe | 30
PID 2516 wrote to memory of 3000 | 2516 | 805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe | 30
PID 2516 wrote to memory of 3000 | 2516 | 805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe | 30
PID 2516 wrote to memory of 3000 | 2516 | 805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe | 30
PID 2516 wrote to memory of 2160 | 2516 | 805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe | 31
PID 2516 wrote to memory of 2160 | 2516 | 805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe | 31
PID 2516 wrote to memory of 2160 | 2516 | 805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe | 31
PID 2516 wrote to memory of 2160 | 2516 | 805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe | 31
PID 2160 wrote to memory of 2692 | 2160 | Synaptics.exe | 32
PID 2160 wrote to memory of 2692 | 2160 | Synaptics.exe | 32
PID 2160 wrote to memory of 2692 | 2160 | Synaptics.exe | 32
PID 2160 wrote to memory of 2692 | 2160 | Synaptics.exe | 32
PID 2692 wrote to memory of 2320 | 2692 | ._cache_Synaptics.exe | 34
PID 2692 wrote to memory of 2320 | 2692 | ._cache_Synaptics.exe | 34
PID 2692 wrote to memory of 2320 | 2692 | ._cache_Synaptics.exe | 34
PID 2692 wrote to memory of 2320 | 2692 | ._cache_Synaptics.exe | 34
PID 2692 wrote to memory of 2628 | 2692 | ._cache_Synaptics.exe | 36
PID 2692 wrote to memory of 2628 | 2692 | ._cache_Synaptics.exe | 36
PID 2692 wrote to memory of 2628 | 2692 | ._cache_Synaptics.exe | 36
PID 2692 wrote to memory of 2628 | 2692 | ._cache_Synaptics.exe | 36
PID 2628 wrote to memory of 1388 | 2628 | icsys.icn.exe | 37
PID 2628 wrote to memory of 1388 | 2628 | icsys.icn.exe | 37
PID 2628 wrote to memory of 1388 | 2628 | icsys.icn.exe | 37
PID 2628 wrote to memory of 1388 | 2628 | icsys.icn.exe | 37
PID 1388 wrote to memory of 1648 | 1388 | explorer.exe | 38
PID 1388 wrote to memory of 1648 | 1388 | explorer.exe | 38
PID 1388 wrote to memory of 1648 | 1388 | explorer.exe | 38
PID 1388 wrote to memory of 1648 | 1388 | explorer.exe | 38
PID 1648 wrote to memory of 1188 | 1648 | spoolsv.exe | 39
PID 1648 wrote to memory of 1188 | 1648 | spoolsv.exe | 39
PID 1648 wrote to memory of 1188 | 1648 | spoolsv.exe | 39
PID 1648 wrote to memory of 1188 | 1648 | spoolsv.exe | 39
PID 1188 wrote to memory of 2268 | 1188 | svchost.exe | 40
PID 1188 wrote to memory of 2268 | 1188 | svchost.exe | 40
PID 1188 wrote to memory of 2268 | 1188 | svchost.exe | 40
PID 1188 wrote to memory of 2268 | 1188 | svchost.exe | 40
PID 1388 wrote to memory of 536 | 1388 | explorer.exe | 41
PID 1388 wrote to memory of 536 | 1388 | explorer.exe | 41
PID 1388 wrote to memory of 536 | 1388 | explorer.exe | 41
PID 1388 wrote to memory of 536 | 1388 | explorer.exe | 41
PID 1188 wrote to memory of 1832 | 1188 | svchost.exe | 42
PID 1188 wrote to memory of 1832 | 1188 | svchost.exe | 42
PID 1188 wrote to memory of 1832 | 1188 | svchost.exe | 42
PID 1188 wrote to memory of 1832 | 1188 | svchost.exe | 42
PID 1188 wrote to memory of 888 | 1188 | svchost.exe | 47
PID 1188 wrote to memory of 888 | 1188 | svchost.exe | 47
PID 1188 wrote to memory of 888 | 1188 | svchost.exe | 47
PID 1188 wrote to memory of 888 | 1188 | svchost.exe | 47
PID 1188 wrote to memory of 1580 | 1188 | svchost.exe | 49
PID 1188 wrote to memory of 1580 | 1188 | svchost.exe | 49
PID 1188 wrote to memory of 1580 | 1188 | svchost.exe | 49
PID 1188 wrote to memory of 1580 | 1188 | svchost.exe | 49
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe"
  PID: 2516
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Users\Admin\AppData\Local\Temp\._cache_805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\._cache_805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe"
    PID: 3000
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
  (depth 2) C:\ProgramData\Synaptics\Synaptics.exe
    command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    PID: 2160
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      PID: 2692
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      (depth 4) \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        command line: c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        PID: 2320
        - Executes dropped EXE
      (depth 4) C:\Windows\Resources\Themes\icsys.icn.exe
        command line: C:\Windows\Resources\Themes\icsys.icn.exe
        PID: 2628
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        (depth 5) \??\c:\windows\resources\themes\explorer.exe
          command line: c:\windows\resources\themes\explorer.exe
          PID: 1388
          - Modifies visibility of hidden/system files in Explorer
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          (depth 6) \??\c:\windows\resources\spoolsv.exe
            command line: c:\windows\resources\spoolsv.exe SE
            PID: 1648
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Loads dropped DLL
            - Checks whether UAC is enabled
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            (depth 7) \??\c:\windows\resources\svchost.exe
              command line: c:\windows\resources\svchost.exe
              PID: 1188
              - Modifies visibility of hidden/system files in Explorer
              - Identifies VirtualBox via ACPI registry values (likely anti-VM)
              - Checks BIOS information in registry
              - Executes dropped EXE
              - Loads dropped DLL
              - Adds Run key to start application
              - Checks whether UAC is enabled
              - Drops file in System32 directory
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              (depth 8) \??\c:\windows\resources\spoolsv.exe
                command line: c:\windows\resources\spoolsv.exe PR
                PID: 2268
                - Identifies VirtualBox via ACPI registry values (likely anti-VM)
                - Checks BIOS information in registry
                - Executes dropped EXE
                - Checks whether UAC is enabled
                - Suspicious use of NtSetInformationThreadHideFromDebugger
                - System Location Discovery: System Language Discovery
                - Suspicious use of SetWindowsHookEx
              (depth 8) C:\Windows\SysWOW64\schtasks.exe
                command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:15 /f
                PID: 1832
                - System Location Discovery: System Language Discovery
                - Scheduled Task/Job: Scheduled Task
              (depth 8) C:\Windows\SysWOW64\schtasks.exe
                command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:16 /f
                PID: 888
                - System Location Discovery: System Language Discovery
                - Scheduled Task/Job: Scheduled Task
              (depth 8) C:\Windows\SysWOW64\schtasks.exe
                command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:17 /f
                PID: 1580
                - System Location Discovery: System Language Discovery
                - Scheduled Task/Job: Scheduled Task
          (depth 6) C:\Windows\Explorer.exe
            command line: C:\Windows\Explorer.exe
            PID: 536
(depth 1) C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
  PID: 2600
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (2)
  Virtualization/Sandbox Evasion (1)
Downloads