xred | 7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910c

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
Size

1.7MB
MD5

53c464e46cda5fddb007f1789ba2c1e0
SHA1

d05df0b721019d87270b689abb3bd671335ade7e
SHA256

7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910c
SHA512

4212b27f5916d20a37d86e6e70298148a7d63e4f77d0a257285156c2f4c2ba6541edf7da85d54e6044afd0bb1449beca26d71ad7dff388a6cf60a67438b3e3f8
SSDEEP

24576:cFOaynsJ39LyjbJkQFMhmC+6GD9WFOaJ3rCEB0CEM:s2nsHyjtk2MYC5GD0F3rTB0TM

Score

10^/10

xred backdoor discovery evasion persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Synaptics.exe7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cn.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cn.exe

Executes dropped EXE 11 IoCs

Processes:

7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cn.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exe

pid	Process
1692	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cn.exe
1420	icsys.icn.exe
3124	explorer.exe
3976	spoolsv.exe
4580	svchost.exe
948	spoolsv.exe
2248	Synaptics.exe
1604	._cache_Synaptics.exe
388	._cache_synaptics.exe
1788	icsys.icn.exe
5028	explorer.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cn.exe explorer.exesvchost.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

explorer.exe7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exeicsys.icn.exespoolsv.exe._cache_Synaptics.exe

description	ioc	Process
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cn.exe Synaptics.exeexplorer.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

Processes:

7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cn.exe Synaptics.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid	Process
3032	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exeicsys.icn.exe

pid	Process
1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
1420	icsys.icn.exe
1420	icsys.icn.exe
1420	icsys.icn.exe
1420	icsys.icn.exe
1420	icsys.icn.exe
1420	icsys.icn.exe
1420	icsys.icn.exe
1420	icsys.icn.exe
1420	icsys.icn.exe
1420	icsys.icn.exe
1420	icsys.icn.exe
1420	icsys.icn.exe
1420	icsys.icn.exe
1420	icsys.icn.exe
1420	icsys.icn.exe
1420	icsys.icn.exe
1420	icsys.icn.exe
1420	icsys.icn.exe
1420	icsys.icn.exe
1420	icsys.icn.exe
1420	icsys.icn.exe
1420	icsys.icn.exe
1420	icsys.icn.exe
1420	icsys.icn.exe
1420	icsys.icn.exe
1420	icsys.icn.exe
1420	icsys.icn.exe
1420	icsys.icn.exe
1420	icsys.icn.exe
1420	icsys.icn.exe
1420	icsys.icn.exe
1420	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid	Process
3124	explorer.exe
4580	svchost.exe

Suspicious use of SetWindowsHookEx 26 IoCs

Processes:

7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe._cache_Synaptics.exeEXCEL.EXEicsys.icn.exeexplorer.exe

pid	Process
1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
1420	icsys.icn.exe
1420	icsys.icn.exe
3124	explorer.exe
3124	explorer.exe
3976	spoolsv.exe
3976	spoolsv.exe
4580	svchost.exe
4580	svchost.exe
948	spoolsv.exe
948	spoolsv.exe
1604	._cache_Synaptics.exe
1604	._cache_Synaptics.exe
3032	EXCEL.EXE
3032	EXCEL.EXE
1788	icsys.icn.exe
1788	icsys.icn.exe
5028	explorer.exe
5028	explorer.exe
3032	EXCEL.EXE
3032	EXCEL.EXE
3032	EXCEL.EXE
3032	EXCEL.EXE
3032	EXCEL.EXE
3032	EXCEL.EXE

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cn.exe Synaptics.exe._cache_Synaptics.exeicsys.icn.exe

description	pid	Process	procid_target
PID 1668 wrote to memory of 1692	1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe	82
PID 1668 wrote to memory of 1692	1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe	82
PID 1668 wrote to memory of 1692	1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe	82
PID 1668 wrote to memory of 1420	1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe	83
PID 1668 wrote to memory of 1420	1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe	83
PID 1668 wrote to memory of 1420	1668	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe	83
PID 1420 wrote to memory of 3124	1420	icsys.icn.exe	84
PID 1420 wrote to memory of 3124	1420	icsys.icn.exe	84
PID 1420 wrote to memory of 3124	1420	icsys.icn.exe	84
PID 3124 wrote to memory of 3976	3124	explorer.exe	85
PID 3124 wrote to memory of 3976	3124	explorer.exe	85
PID 3124 wrote to memory of 3976	3124	explorer.exe	85
PID 3976 wrote to memory of 4580	3976	spoolsv.exe	86
PID 3976 wrote to memory of 4580	3976	spoolsv.exe	86
PID 3976 wrote to memory of 4580	3976	spoolsv.exe	86
PID 4580 wrote to memory of 948	4580	svchost.exe	87
PID 4580 wrote to memory of 948	4580	svchost.exe	87
PID 4580 wrote to memory of 948	4580	svchost.exe	87
PID 1692 wrote to memory of 2248	1692	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cn.exe	88
PID 1692 wrote to memory of 2248	1692	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cn.exe	88
PID 1692 wrote to memory of 2248	1692	7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cn.exe	88
PID 2248 wrote to memory of 1604	2248	Synaptics.exe	89
PID 2248 wrote to memory of 1604	2248	Synaptics.exe	89
PID 2248 wrote to memory of 1604	2248	Synaptics.exe	89
PID 1604 wrote to memory of 388	1604	._cache_Synaptics.exe	91
PID 1604 wrote to memory of 388	1604	._cache_Synaptics.exe	91
PID 1604 wrote to memory of 388	1604	._cache_Synaptics.exe	91
PID 1604 wrote to memory of 1788	1604	._cache_Synaptics.exe	95
PID 1604 wrote to memory of 1788	1604	._cache_Synaptics.exe	95
PID 1604 wrote to memory of 1788	1604	._cache_Synaptics.exe	95
PID 1788 wrote to memory of 5028	1788	icsys.icn.exe	96
PID 1788 wrote to memory of 5028	1788	icsys.icn.exe	96
PID 1788 wrote to memory of 5028	1788	icsys.icn.exe	96

C:\Users\Admin\AppData\Local\Temp\7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe
"C:\Users\Admin\AppData\Local\Temp\7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cN.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1668
- \??\c:\users\admin\appdata\local\temp\7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cn.exe
  c:\users\admin\appdata\local\temp\7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cn.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1604
    - - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:388
    - - C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1788
      - \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5028
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1420
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3976
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4580
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:948

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
899KB

MD5
11a6fb4ad7b1fb1e0bcebdca0cf49edd

SHA1
a002a246a67ca8ceca167aff546ffd08b912cbd6

SHA256
75ce2a0f53b6b89d40a1da350abf2cafc46b67722606f8e5359115dc4934e15a

SHA512
8ba2cdea360058f3c10ebe3f01d5a4d5268d6a4f091619dd9ef21926e6607b6cdbc32128ed5f9e1a3223c5cf93b289262eb5a21517838bab471ef5cd0c7039fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_synaptics.exe

Filesize
764KB

MD5
aed655395747a6602479f6032d3c099f

SHA1
5fcbd5735ed0e4a013667652f4c1382abb45203a

SHA256
3d6123dc6ffbd1a11d73229988203052809bd17617b24a034c1122c8f4983db4

SHA512
1a3db9e195e9e504a0a6c24557f1e141f90a73a89a853b8ad3ab2248d8e3fd97ba1ae78b93ad33005590ef0a44c5237e608b66a9c9fffde39e4730c226d91637

Download Submit
C:\Users\Admin\AppData\Local\Temp\35B75E00

Filesize
25KB

MD5
6ec2b5917c7920efab6b8876a0803d6b

SHA1
caeb4b1e116e695c62376f710e3c33e3db36b65c

SHA256
4a6f119db3935f5794ff3248d6b556741034dd40bac52a9404f48e1a189f05a7

SHA512
c3cd05e8f1d4e6a701d25862a66809531b0805e367af508755a8aebf2e5aad5726a9f93074411fd1c8ae1533c583843e55e5c8de53215152125160dc39f49123

Download Submit
C:\Users\Admin\AppData\Local\Temp\7852dcf9b2ed09cec28c2b7bcfe8f04a1e110cdb65f42d27e4162dcb6993910cn.exe

Filesize
1.6MB

MD5
180d44a32e631c7ff3f3f2212d224607

SHA1
42c23652a3371298624924d5acbea00a78d26346

SHA256
58035e8b4a83c2a660a1fa095b4bfa13d605d286460fef6047eedf0648ecd49b

SHA512
c1026d1ff4fd707318ffd6b54d4ad63215fa95c8016144cbfffa941ff1b2fc41de4759e61ea442284bff5887a26a2d778f8fc4f16717b4dc64d842998ce8be5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX7zEPIw.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
3cfd036006e177d4b81a8064f9dbb754

SHA1
78d5c339cfe73090a4dcee53e51e8307ea39cdd5

SHA256
6ddc9e761b370e2a2ce6f3090cc1aca538825899dacd95bd371f714b8f2d8dd9

SHA512
31e7a3cb1f6230138599fcedd93212adf3881c9fcaaf9a02f2b11bd9a60382f4f66a18478dfeef396e5131da290289e99aa15197e0a3d12448d9cdcc9358e907

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
715b773374120a21ba36fd641fb15277

SHA1
2c7d08804de8b4f4b4a4e42d62ff163e749694c5

SHA256
2a56f333231c01b24044cb0b6f9d575cf2444afdd14911369ab884281797611f

SHA512
ffa207ebe401d557ef5ca2654e532543e104d6479cd525e48650e911047040593f490df01b0b25de2d77c0be25ee44b3646551a9fa560834bc97ed5c5a2f14e8

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
0176683043ae3c0f0d4c8de47b4f6161

SHA1
55b2a26aeacc2ce992115edfad100259764e55c4

SHA256
7f0d312dbdfce2d89c08936f469dd8376c68710eab96c2975165734825669588

SHA512
aa83a0353535b3965bf608c6b64e449fa3c3c2c79408f98b245e4e7cfa87ea148ffe7890356429968bc2e706fc1acc32a8673baf0cfeae0607ea77cfe87611de

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
c770f3c12a3da427c04f41d83e0bcdb1

SHA1
dfa5a441300372c4c368ffe7a6d87488aecc863f

SHA256
6035ec1861b8c8d12454936fbf17670974fc91c7c2465f163865356d0401a323

SHA512
49c2588f4ef7ebf1dd79097f567dff289375449cd03d9d6f380f3fdcebce6687cfe39844b9291d2c32f1f8ab2c7e745297d2356c94816ec14cf34b4a3dedb84c

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
e4fe653ff3e576f3d096b09560607e8a

SHA1
0c41936e52870de67a818fa3b3984e60795258d2

SHA256
bbaf72823690f2cd64f1ee31146224e8ff713edf312bab2ecefbf702aad0092d

SHA512
85874383af8f461aa14959120351597d090834403b7b478b5d34447f7a4ef2fbe702428dd444554f8456bc537fb8f5c1926659d5ee795ab3132b711f8f6ec5ae

Download Submit
memory/388-196-0x0000000005610000-0x000000000561A000-memory.dmp

Filesize
40KB

Download
memory/388-194-0x0000000005550000-0x00000000055E2000-memory.dmp

Filesize
584KB

Download
memory/388-193-0x0000000005C00000-0x00000000061A4000-memory.dmp

Filesize
5.6MB

Download
memory/388-191-0x0000000000AF0000-0x0000000000BB4000-memory.dmp

Filesize
784KB

Download
memory/948-55-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1420-99-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1604-211-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1668-106-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1668-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1692-117-0x0000000000400000-0x00000000005A3000-memory.dmp

Filesize
1.6MB

Download
memory/1692-9-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/1788-209-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2248-257-0x0000000000400000-0x00000000005A3000-memory.dmp

Filesize
1.6MB

Download
memory/2248-288-0x0000000000400000-0x00000000005A3000-memory.dmp

Filesize
1.6MB

Download
memory/3032-182-0x00007FF856DB0000-0x00007FF856DC0000-memory.dmp

Filesize
64KB

Download
memory/3032-185-0x00007FF856DB0000-0x00007FF856DC0000-memory.dmp

Filesize
64KB

Download
memory/3032-195-0x00007FF854450000-0x00007FF854460000-memory.dmp

Filesize
64KB

Download
memory/3032-183-0x00007FF856DB0000-0x00007FF856DC0000-memory.dmp

Filesize
64KB

Download
memory/3032-192-0x00007FF854450000-0x00007FF854460000-memory.dmp

Filesize
64KB

Download
memory/3032-187-0x00007FF856DB0000-0x00007FF856DC0000-memory.dmp

Filesize
64KB

Download
memory/3032-181-0x00007FF856DB0000-0x00007FF856DC0000-memory.dmp

Filesize
64KB

Download
memory/3124-289-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3976-86-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4580-290-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5028-210-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5028-204-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download