floxif | 64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90d

Analysis

max time kernel
120s
max time network
106s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
27-11-2024 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe
Size

1.9MB
MD5

62a63a6141a5b387ed0378d9c6bc63c0
SHA1

d372431f87c4329227e0c6d6cb90a30da8756528
SHA256

64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90d
SHA512

5a4f1a3f3ba6fce7dad0fa219ea806d4b0a30e657c545a8c0c29d80257545c1da681dcc24d8b05c910eb9be86dd4b9eed0706cebf085bf0de1b3afa81399239f
SSDEEP

24576:cnsJ39LyjbJkQFMhmC+6GD9vMRGJ/qofKE:cnsHyjtk2MYC5GDH1qdE

Score

10^/10

floxif xred backdoor discovery persistence privilege_escalation trojan upx

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x0008000000016c88-25.dat	floxif

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000016c88-25.dat	acprotect

Executes dropped EXE 3 IoCs

pid	Process
2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe
2296	Synaptics.exe
2792	._cache_Synaptics.exe

Loads dropped DLL 13 IoCs

pid	Process
2412	64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe
2412	64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe
2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe
2412	64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe
2412	64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe
2296	Synaptics.exe
2296	Synaptics.exe
2296	Synaptics.exe
2792	._cache_Synaptics.exe
2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe
1756	arp.exe
924	EXCEL.EXE
2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Program Files\\system.caca"	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Program Files\\system.caca"	._cache_Synaptics.exe

Enumerates connected drives 3 TTPs 12 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\g:	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe
File opened (read-only)	\??\h:	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe
File opened (read-only)	\??\h:	._cache_Synaptics.exe
File opened (read-only)	\??\j:	._cache_Synaptics.exe
File opened (read-only)	\??\k:	._cache_Synaptics.exe
File opened (read-only)	\??\i:	._cache_Synaptics.exe
File opened (read-only)	\??\e:	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe
File opened (read-only)	\??\i:	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe
File opened (read-only)	\??\e:	._cache_Synaptics.exe
File opened (read-only)	\??\j:	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe
File opened (read-only)	\??\k:	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe
File opened (read-only)	\??\g:	._cache_Synaptics.exe

Network Service Discovery 1 TTPs 9 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
3044	arp.exe
2892	arp.exe
2256	arp.exe
2976	arp.exe
576	arp.exe
1476	arp.exe
2888	arp.exe
2852	arp.exe
3020	arp.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000d000000012281-4.dat	upx
behavioral1/memory/2396-23-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/2396-27-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/files/0x0008000000016c88-25.dat	upx
behavioral1/memory/2792-56-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/2792-55-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/2396-62-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/2396-63-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/1756-69-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/2792-68-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/2792-67-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/1756-71-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/2396-73-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/924-82-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/2396-126-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/924-131-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/2396-133-0x0000000010000000-0x0000000010033000-memory.dmp	upx
behavioral1/memory/2396-199-0x0000000010000000-0x0000000010033000-memory.dmp	upx

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe
File created	C:\Program Files\system.caca	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe
File created	C:\Program Files\system.caca	._cache_Synaptics.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\gfx.dll	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\gfx.dll.tmp	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\gfx.dll.dat	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies registry class 11 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.caca\ = "cacafile"	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cacafile	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cacafile\shell\open\command\ = "C:\\Program Files\\Internet Explorer\\WINLOGON.exe"	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.caca	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.caca\ = "cacafile"	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cacafile\shell\open\command	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cacafile\shell\open\command\ = "C:\\Program Files\\Internet Explorer\\WINLOGON.exe"	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.caca	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cacafile\shell	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cacafile\shell\open	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cacafile\shell\open\command	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
924	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe
2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe
2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
476	Process not Found
476	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe
Token: SeDebugPrivilege	2792	._cache_Synaptics.exe
Token: SeDebugPrivilege	1756	arp.exe
Token: SeDebugPrivilege	924	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
924	EXCEL.EXE

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2396	2412	64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	30
PID 2412 wrote to memory of 2396	2412	64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	30
PID 2412 wrote to memory of 2396	2412	64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	30
PID 2412 wrote to memory of 2396	2412	64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	30
PID 2396 wrote to memory of 1476	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	31
PID 2396 wrote to memory of 1476	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	31
PID 2396 wrote to memory of 1476	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	31
PID 2396 wrote to memory of 1476	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	31
PID 2412 wrote to memory of 2296	2412	64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	32
PID 2412 wrote to memory of 2296	2412	64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	32
PID 2412 wrote to memory of 2296	2412	64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	32
PID 2412 wrote to memory of 2296	2412	64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	32
PID 2396 wrote to memory of 576	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	34
PID 2396 wrote to memory of 576	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	34
PID 2396 wrote to memory of 576	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	34
PID 2396 wrote to memory of 576	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	34
PID 2396 wrote to memory of 2976	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	35
PID 2396 wrote to memory of 2976	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	35
PID 2396 wrote to memory of 2976	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	35
PID 2396 wrote to memory of 2976	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	35
PID 2396 wrote to memory of 2852	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	36
PID 2396 wrote to memory of 2852	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	36
PID 2396 wrote to memory of 2852	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	36
PID 2396 wrote to memory of 2852	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	36
PID 2396 wrote to memory of 2256	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	37
PID 2396 wrote to memory of 2256	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	37
PID 2396 wrote to memory of 2256	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	37
PID 2396 wrote to memory of 2256	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	37
PID 2396 wrote to memory of 2888	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	38
PID 2396 wrote to memory of 2888	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	38
PID 2396 wrote to memory of 2888	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	38
PID 2396 wrote to memory of 2888	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	38
PID 2396 wrote to memory of 2892	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	39
PID 2396 wrote to memory of 2892	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	39
PID 2396 wrote to memory of 2892	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	39
PID 2396 wrote to memory of 2892	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	39
PID 2396 wrote to memory of 3044	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	40
PID 2396 wrote to memory of 3044	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	40
PID 2396 wrote to memory of 3044	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	40
PID 2396 wrote to memory of 3044	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	40
PID 2396 wrote to memory of 3020	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	41
PID 2396 wrote to memory of 3020	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	41
PID 2396 wrote to memory of 3020	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	41
PID 2396 wrote to memory of 3020	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	41
PID 2296 wrote to memory of 2792	2296	Synaptics.exe	50
PID 2296 wrote to memory of 2792	2296	Synaptics.exe	50
PID 2296 wrote to memory of 2792	2296	Synaptics.exe	50
PID 2296 wrote to memory of 2792	2296	Synaptics.exe	50
PID 2396 wrote to memory of 1756	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	52
PID 2396 wrote to memory of 1756	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	52
PID 2396 wrote to memory of 1756	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	52
PID 2396 wrote to memory of 1756	2396	._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe	52

C:\Users\Admin\AppData\Local\Temp\64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe
"C:\Users\Admin\AppData\Local\Temp\64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Users\Admin\AppData\Local\Temp\._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\SysWOW64\arp.exe
    arp -a
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:1476
- - C:\Windows\SysWOW64\arp.exe
    arp -s 10.127.0.1 72-67-73-99-eb-40
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:576
- - C:\Windows\SysWOW64\arp.exe
    arp -s 10.127.255.255 a3-3f-be-21-d9-47
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2976
- - C:\Windows\SysWOW64\arp.exe
    arp -s 37.27.61.182 f8-96-e8-3e-13-ef
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2852
- - C:\Windows\SysWOW64\arp.exe
    arp -s 224.0.0.22 51-44-f5-2d-fd-43
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2256
- - C:\Windows\SysWOW64\arp.exe
    arp -s 224.0.0.251 c6-67-94-1f-9c-74
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2888
- - C:\Windows\SysWOW64\arp.exe
    arp -s 224.0.0.252 90-f0-1f-13-1f-d3
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:2892
- - C:\Windows\SysWOW64\arp.exe
    arp -s 239.255.255.250 ec-d1-b4-4c-e5-a9
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:3044
- - C:\Windows\SysWOW64\arp.exe
    arp -s 255.255.255.255 46-72-e6-40-ab-f8
    3⤵
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    PID:3020
- - C:\Windows\SysWOW64\arp.exe
    arp -d
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1756
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:2792

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.9MB

MD5
62a63a6141a5b387ed0378d9c6bc63c0

SHA1
d372431f87c4329227e0c6d6cb90a30da8756528

SHA256
64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90d

SHA512
5a4f1a3f3ba6fce7dad0fa219ea806d4b0a30e657c545a8c0c29d80257545c1da681dcc24d8b05c910eb9be86dd4b9eed0706cebf085bf0de1b3afa81399239f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMaEnV2E.xlsm

Filesize
24KB

MD5
bdf35dea46b168950a27f56696cd66a4

SHA1
8dc0d0f1745069cee7c8448959e446faecf0060f

SHA256
ce2d216af8ba541f335bb4ca80e46c308a3b87f5337edfb1d1c562c6dd57ad99

SHA512
6182dd8ff1718c6c49fdab2b74d90f1b9618bfc6e63014ff1823f2de642cb97749692aade0a58f5e49f57f8016fcb5498cba85daffb53feacf2b7112fe08636f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMaEnV2E.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
\Program Files (x86)\Microsoft Office\Office14\gfx.dll.tmp

Filesize
1.7MB

MD5
59ddd86ce51052f039618f1a04832fbc

SHA1
111c2f73bfacb0354b30b510f2f639b394c5c92d

SHA256
f1c2679caaebcda78493afb57be54eed212b0b53198f935376b7e21b3e54e6f9

SHA512
4838bf8cf6cb525c6b4f26f19790db40e1f8731d51c3ace4f3e81e2efb0ec0daefa17a2e8d00f3c2c3d18d074b1169b9f4b59f3d2cdc2670407993be9981d083

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
71KB

MD5
4fcd7574537cebec8e75b4e646996643

SHA1
efa59bb9050fb656b90d5d40c942fb2a304f2a8b

SHA256
8ea3b17e4b783ffc0bc387b81b823bf87af0d57da74541d88ba85314bb232a5d

SHA512
7f1a7ef64d332a735db82506b47d84853af870785066d29ccaf4fdeab114079a9f0db400e01ba574776a0d652a248658fe1e8f9659cdced19ad6eea09644ea3e

Download Submit
\ProgramData\Synaptics\Synaptics.exe.tmp

Filesize
2.0MB

MD5
645788ab3b0fc5e00d73624c3b26d5da

SHA1
c1669fe564df14d61528edbac8db44b2fa55ce61

SHA256
541830dff14692ebfce22b696159c8994ae092ba5622d71ddb8a04ee91bf2714

SHA512
5ca24f1bc69cf60d6bbf4916af1f0430c9ee562f200948ed64f41d072800ffbfd25e1373216033b1847220682a7452a47c23a7109da99a48f38da1ebfd1797ec

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_64a511edf2e950215cc644beb0bea48d63212c1e416166e7c8c27a83ec4bf90dN.exe

Filesize
1.2MB

MD5
6c06a994695fca714484f634106e0a30

SHA1
8c2c9a454ca15d3a310e44576ce72db109c12ba3

SHA256
4269927cb66ec9c91b41b4c63c19c9d219b6b427a2797720f246ded873829054

SHA512
8a34c358fe8d52668b5785583f2e9000dacff2f93d5446561479b9aaa2f20121578649c120ef0673cb91492a0599d2a5a99c549e4b2fffce66ed80d262bcea0c

Download Submit
memory/924-131-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/924-83-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/924-82-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/1756-69-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/1756-71-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2296-134-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/2296-127-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/2296-65-0x0000000004140000-0x000000000415B000-memory.dmp

Filesize
108KB

Download
memory/2296-53-0x0000000004140000-0x000000000415B000-memory.dmp

Filesize
108KB

Download
memory/2296-54-0x0000000004140000-0x000000000415B000-memory.dmp

Filesize
108KB

Download
memory/2296-74-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/2296-191-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/2296-66-0x0000000004140000-0x000000000415B000-memory.dmp

Filesize
108KB

Download
memory/2396-27-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2396-133-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2396-73-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2396-199-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2396-126-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2396-63-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2396-23-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2396-62-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2412-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2412-37-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/2412-10-0x0000000003FD0000-0x0000000003FEB000-memory.dmp

Filesize
108KB

Download
memory/2412-11-0x0000000003FD0000-0x0000000003FEB000-memory.dmp

Filesize
108KB

Download
memory/2792-56-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2792-67-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2792-68-0x0000000010000000-0x0000000010033000-memory.dmp

Filesize
204KB

Download
memory/2792-55-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download