xred | 805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2024, 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe
Size

3.3MB
MD5

e3a3e6d5bcdf3fe8c6c525429e401b1f
SHA1

a1b2370bd81715b63dd6268e301a7101d39d3ebc
SHA256

805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299
SHA512

be86d4785df2de0b0f4e74c9f56988d7df0dc6ed2bd2d2632b83266a73ed72491b50a3db557d83ce5cca65ed1b98c97d6c63a90045188896b02d2fa3484e8743
SSDEEP

98304:dnsmtk2a9XzhW148Pd+Tf1mpcOldJQ3/VL4:BL6FK4s0TfLOdo/K

Score

10^/10

xred backdoor discovery evasion persistence themida trojan

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	._cache_805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	._cache_805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	._cache_805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 9 IoCs

pid	Process
4668	._cache_805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe
4984	Synaptics.exe
5068	._cache_Synaptics.exe
2252	._cache_synaptics.exe
1908	icsys.icn.exe
2084	explorer.exe
1676	spoolsv.exe
4936	svchost.exe
5012	spoolsv.exe

Themida packer 21 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000c000000023b2b-5.dat	themida
behavioral2/memory/4668-71-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/files/0x000a000000023b8c-206.dat	themida
behavioral2/files/0x000b000000023b91-215.dat	themida
behavioral2/memory/2084-217-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/files/0x000b000000023b93-224.dat	themida
behavioral2/memory/1676-227-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/files/0x000b000000023b96-236.dat	themida
behavioral2/memory/4936-237-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/5012-243-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/5012-248-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/1676-249-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/1908-251-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/5068-253-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/4668-272-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/2084-301-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/4936-307-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/4936-306-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/2084-328-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/2084-352-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/2084-376-0x0000000000400000-0x0000000000A16000-memory.dmp	themida

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe

Checks whether UAC is enabled 1 TTPs 7 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	._cache_805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
4668	._cache_805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe
5068	._cache_Synaptics.exe
1908	icsys.icn.exe
2084	explorer.exe
1676	spoolsv.exe
4936	svchost.exe
5012	spoolsv.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2756	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5068	._cache_Synaptics.exe
5068	._cache_Synaptics.exe
5068	._cache_Synaptics.exe
5068	._cache_Synaptics.exe
5068	._cache_Synaptics.exe
5068	._cache_Synaptics.exe
5068	._cache_Synaptics.exe
5068	._cache_Synaptics.exe
5068	._cache_Synaptics.exe
5068	._cache_Synaptics.exe
5068	._cache_Synaptics.exe
5068	._cache_Synaptics.exe
5068	._cache_Synaptics.exe
5068	._cache_Synaptics.exe
5068	._cache_Synaptics.exe
5068	._cache_Synaptics.exe
5068	._cache_Synaptics.exe
5068	._cache_Synaptics.exe
5068	._cache_Synaptics.exe
5068	._cache_Synaptics.exe
5068	._cache_Synaptics.exe
5068	._cache_Synaptics.exe
5068	._cache_Synaptics.exe
5068	._cache_Synaptics.exe
5068	._cache_Synaptics.exe
5068	._cache_Synaptics.exe
5068	._cache_Synaptics.exe
5068	._cache_Synaptics.exe
5068	._cache_Synaptics.exe
5068	._cache_Synaptics.exe
5068	._cache_Synaptics.exe
5068	._cache_Synaptics.exe
1908	icsys.icn.exe
1908	icsys.icn.exe
1908	icsys.icn.exe
1908	icsys.icn.exe
1908	icsys.icn.exe
1908	icsys.icn.exe
1908	icsys.icn.exe
1908	icsys.icn.exe
1908	icsys.icn.exe
1908	icsys.icn.exe
1908	icsys.icn.exe
1908	icsys.icn.exe
1908	icsys.icn.exe
1908	icsys.icn.exe
1908	icsys.icn.exe
1908	icsys.icn.exe
1908	icsys.icn.exe
1908	icsys.icn.exe
1908	icsys.icn.exe
1908	icsys.icn.exe
1908	icsys.icn.exe
1908	icsys.icn.exe
1908	icsys.icn.exe
1908	icsys.icn.exe
1908	icsys.icn.exe
1908	icsys.icn.exe
1908	icsys.icn.exe
1908	icsys.icn.exe
1908	icsys.icn.exe
1908	icsys.icn.exe
1908	icsys.icn.exe
1908	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2084	explorer.exe
4936	svchost.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
5068	._cache_Synaptics.exe
5068	._cache_Synaptics.exe
2756	EXCEL.EXE
2756	EXCEL.EXE
1908	icsys.icn.exe
1908	icsys.icn.exe
2084	explorer.exe
2084	explorer.exe
2756	EXCEL.EXE
2756	EXCEL.EXE
1676	spoolsv.exe
1676	spoolsv.exe
4936	svchost.exe
4936	svchost.exe
5012	spoolsv.exe
5012	spoolsv.exe
2756	EXCEL.EXE
2756	EXCEL.EXE

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 4668	2044	805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe	83
PID 2044 wrote to memory of 4668	2044	805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe	83
PID 2044 wrote to memory of 4668	2044	805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe	83
PID 2044 wrote to memory of 4984	2044	805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe	84
PID 2044 wrote to memory of 4984	2044	805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe	84
PID 2044 wrote to memory of 4984	2044	805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe	84
PID 4984 wrote to memory of 5068	4984	Synaptics.exe	85
PID 4984 wrote to memory of 5068	4984	Synaptics.exe	85
PID 4984 wrote to memory of 5068	4984	Synaptics.exe	85
PID 5068 wrote to memory of 2252	5068	._cache_Synaptics.exe	87
PID 5068 wrote to memory of 2252	5068	._cache_Synaptics.exe	87
PID 5068 wrote to memory of 1908	5068	._cache_Synaptics.exe	89
PID 5068 wrote to memory of 1908	5068	._cache_Synaptics.exe	89
PID 5068 wrote to memory of 1908	5068	._cache_Synaptics.exe	89
PID 1908 wrote to memory of 2084	1908	icsys.icn.exe	91
PID 1908 wrote to memory of 2084	1908	icsys.icn.exe	91
PID 1908 wrote to memory of 2084	1908	icsys.icn.exe	91
PID 2084 wrote to memory of 1676	2084	explorer.exe	92
PID 2084 wrote to memory of 1676	2084	explorer.exe	92
PID 2084 wrote to memory of 1676	2084	explorer.exe	92
PID 1676 wrote to memory of 4936	1676	spoolsv.exe	93
PID 1676 wrote to memory of 4936	1676	spoolsv.exe	93
PID 1676 wrote to memory of 4936	1676	spoolsv.exe	93
PID 4936 wrote to memory of 5012	4936	svchost.exe	94
PID 4936 wrote to memory of 5012	4936	svchost.exe	94
PID 4936 wrote to memory of 5012	4936	svchost.exe	94

C:\Users\Admin\AppData\Local\Temp\805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe
"C:\Users\Admin\AppData\Local\Temp\805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\._cache_805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:4668
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
      c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
      4⤵
      Executes dropped EXE
      PID:2252
  - - C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1908
    - - \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2084
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        7⤵
        Modifies visiblity of hidden/system files in Explorer
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5012

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
3.3MB

MD5
e3a3e6d5bcdf3fe8c6c525429e401b1f

SHA1
a1b2370bd81715b63dd6268e301a7101d39d3ebc

SHA256
805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299

SHA512
be86d4785df2de0b0f4e74c9f56988d7df0dc6ed2bd2d2632b83266a73ed72491b50a3db557d83ce5cca65ed1b98c97d6c63a90045188896b02d2fa3484e8743

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_805c795be5f0324f0e1d2bca61beabaf1d1d054eca2ad0224588295bb9d41299.exe

Filesize
2.6MB

MD5
b2126004e0cfc780aa831d168000852f

SHA1
4251dd9b19f247b83c4606b529693967a72c5f28

SHA256
693ac357b98fad2cbdb51b8bc1c793a0845944f15dea373b4c461065ec27a65e

SHA512
9d0d1f8928f9e24ceafb5c9cc78dafb25181844bc71caee71c5c239585db0a70a5e00f62478c20228747fa477d3833b46417eebfe075030f8768640588489755

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_synaptics.exe

Filesize
25KB

MD5
430e3b88d419c28a6bad535825054894

SHA1
1657fd5ed8ab28f34df264f39cfc44f539704778

SHA256
eacba1545f69917190d13efea6558c23cdb04a13cfffeb2c5b27ffdf10781a2b

SHA512
728406141cbeed5357ced6073cd75c75afb24a916eed9bbdc64c034a8b2c080c110828cc241cc5ec1248d64c3a67487a88ad7d4351878d3ec0bec37a67de7256

Download Submit
C:\Users\Admin\AppData\Local\Temp\17975E00

Filesize
22KB

MD5
abfc3b7ac9dea001c1d328df45be9109

SHA1
2871ac7c739d3c1ab88edaa172663b8c883d2e65

SHA256
1409d109d4f119eceeaaea8ff8cd93921c471b56c2be4d693607aa855e7d6e0b

SHA512
738a2bc7987c802cf29c25156a0afeb18e37e388f99a68f62b60240ba7393ecd6163c5afc210aeb27cd09648229aeb3fe720b03a9bfd9481ef8248e082ac887e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZFhOlBYh.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
2.6MB

MD5
b51e66a1ca91e93f909075431182c9a8

SHA1
7fcd5904584a5cdae9a0b5fa5afacda3621c55d4

SHA256
0624a40f8c8d5efc19729525106e3c8a5619e3762269ef7f98bd8793929e1cdf

SHA512
d8a14eb4e7e72abde67e7a779414eeb1c2d67e80dfda6ee3b9b6c31b50b1fe27c9a070608d2c8cbef39c60a999cb07505be611560040127875b963b3905216d3

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
2.6MB

MD5
4b81c8d3c1781a5450d47e893b843fda

SHA1
cf1486374f07285e5f322c77bcac15afa796b1d0

SHA256
4e66e9dbdae2842ed7e82e4a760efe02b5095ba9c9d5c14b8f2d7af4dda06949

SHA512
563004c3d69e852fe08acac123b8ec2ff0504807ad64e5c020c5aba0f825960c0bdcbf909bf265a2f88c66f4cc39edbde8dd2bde775cc6118e16e68570311c98

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
2.6MB

MD5
7afac37e40b98ed6261698ecc374d34f

SHA1
cd473164f5db2afa06dbc7feb303336e515c6d29

SHA256
e8b120330244d7cd999cc14f9941c30994b925b37020354e1ce7260171b02b64

SHA512
d29089c8fb5da877e7e2cc5366d0515a0cfbd5c3b8f6e083c9cc47a2141108c52f4fb82e1d4465c136e1cd8807b0978b8d1006be44323e23f30c10095e6f3779

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
2.6MB

MD5
282d80f79555acd2610f299b88dc8f2d

SHA1
cdd2f41668dc1ebc4bd12605096f741f557a253d

SHA256
70bde2eca71311e7f94b1c0acb2d217245e40443ee110e7a21e2e6d389e5de03

SHA512
ba794d932e13d0b6b5027b0d823ec5872c3ebe19d2d953d5a934384e4d62a447bd441dc816ad29f4f8c1174c29f516a18fef4fb97a95e651ed26ce186cc38160

Download Submit
memory/1676-249-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1676-227-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1908-251-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2044-0-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/2044-132-0x0000000000400000-0x000000000075E000-memory.dmp

Filesize
3.4MB

Download
memory/2084-376-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2084-352-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2084-301-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2084-217-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2084-328-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2756-195-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/2756-194-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/2756-201-0x00007FFDECD50000-0x00007FFDECD60000-memory.dmp

Filesize
64KB

Download
memory/2756-198-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/2756-192-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/2756-193-0x00007FFDEEDB0000-0x00007FFDEEDC0000-memory.dmp

Filesize
64KB

Download
memory/2756-207-0x00007FFDECD50000-0x00007FFDECD60000-memory.dmp

Filesize
64KB

Download
memory/4668-126-0x0000000077B14000-0x0000000077B16000-memory.dmp

Filesize
8KB

Download
memory/4668-71-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4668-272-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4936-237-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4936-306-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4936-307-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4984-298-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/4984-300-0x0000000000400000-0x000000000075E000-memory.dmp

Filesize
3.4MB

Download
memory/4984-309-0x0000000000400000-0x000000000075E000-memory.dmp

Filesize
3.4MB

Download
memory/4984-351-0x0000000000400000-0x000000000075E000-memory.dmp

Filesize
3.4MB

Download
memory/4984-133-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/5012-248-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/5012-243-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/5068-253-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download