neshta | c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05

Analysis

max time kernel
2s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 06:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe
Size

2.6MB
MD5

b78e2c578bae5735a163d4c7f07edd20
SHA1

31bc51da25b88d7f8eb8ab6a383c46d7a685b35e
SHA256

c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05
SHA512

3733cda9f98a2f3e3a4ed8f3c3c69678b27dfda62f29d214d61eff0662bf4e79ebcdc88c9aea8bfcb4207107f1ad94492504eef1a600c3292d57b762ac674ec9
SSDEEP

49152:dnsHyjtk2MYC5GDzHyjtk2MYC5GDbHyjtk2MYC5GDRRDdz3sC4nYn9:dnsmtk2ammtk2aemtk2aoRDp3shnYn9

Score

10^/10

neshta xred backdoor discovery macro persistence spyware

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Detect Neshta payload 41 IoCs

resource	yara_rule
behavioral1/files/0x00080000000120fe-4.dat	family_neshta
behavioral1/files/0x000800000001727e-16.dat	family_neshta
behavioral1/files/0x00080000000175ae-31.dat	family_neshta
behavioral1/memory/848-38-0x0000000000400000-0x0000000000694000-memory.dmp	family_neshta
behavioral1/files/0x0001000000010319-65.dat	family_neshta
behavioral1/files/0x0001000000010317-64.dat	family_neshta
behavioral1/memory/2212-105-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x00060000000186ca-92.dat	family_neshta
behavioral1/memory/1460-91-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2788-87-0x0000000000400000-0x00000000005CE000-memory.dmp	family_neshta
behavioral1/files/0x001a000000016dc9-85.dat	family_neshta
behavioral1/files/0x000100000001064f-63.dat	family_neshta
behavioral1/files/0x000b000000010326-62.dat	family_neshta
behavioral1/memory/2540-189-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2948-210-0x0000000000400000-0x0000000000694000-memory.dmp	family_neshta
behavioral1/memory/1664-215-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x000100000000f7d0-233.dat	family_neshta
behavioral1/memory/1652-243-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x000100000000f7ec-245.dat	family_neshta
behavioral1/memory/2976-256-0x0000000000400000-0x00000000005CE000-memory.dmp	family_neshta
behavioral1/memory/2748-286-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1720-326-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2868-311-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2836-346-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2440-350-0x0000000000400000-0x00000000005CE000-memory.dmp	family_neshta
behavioral1/memory/2928-351-0x0000000000400000-0x00000000005CE000-memory.dmp	family_neshta
behavioral1/memory/768-367-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2648-370-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2980-376-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1828-377-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1280-378-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2760-379-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2860-381-0x0000000000400000-0x00000000005CE000-memory.dmp	family_neshta
behavioral1/memory/1528-380-0x0000000000400000-0x00000000005CE000-memory.dmp	family_neshta
behavioral1/memory/1280-384-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2760-385-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1280-390-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2760-391-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2760-398-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1280-399-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1528-404-0x0000000000400000-0x00000000005CE000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 4 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x000500000001961c-147.dat
behavioral1/files/0x000600000001961e-160.dat
behavioral1/files/0x0006000000019667-171.dat
behavioral1/files/0x000700000001961c-184.dat

Executes dropped EXE 9 IoCs

pid	Process
1280	._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe
2948	Synaptics.exe
2788	._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe
2760	._cache_Synaptics.exe
2540	svchost.com
2976	_CACHE~2.EXE
1460	._cache_._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe
2212	svchost.com
1540	_CACHE~3.EXE

Loads dropped DLL 16 IoCs

pid	Process
848	c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe
848	c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe
848	c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe
848	c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe
1280	._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe
1280	._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe
2948	Synaptics.exe
2948	Synaptics.exe
2948	Synaptics.exe
2540	svchost.com
2540	svchost.com
2788	._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe
2788	._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe
2788	._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe
2212	svchost.com
2212	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe
File opened for modification	C:\Windows\svchost.com	._cache_Synaptics.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	._cache_._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe
File opened for modification	C:\Windows\svchost.com	._cache_._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_CACHE~2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_CACHE~3.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2864	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2864	EXCEL.EXE

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 1280	848	c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe	28
PID 848 wrote to memory of 1280	848	c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe	28
PID 848 wrote to memory of 1280	848	c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe	28
PID 848 wrote to memory of 1280	848	c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe	28
PID 848 wrote to memory of 2948	848	c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe	29
PID 848 wrote to memory of 2948	848	c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe	29
PID 848 wrote to memory of 2948	848	c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe	29
PID 848 wrote to memory of 2948	848	c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe	29
PID 1280 wrote to memory of 2788	1280	._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe	30
PID 1280 wrote to memory of 2788	1280	._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe	30
PID 1280 wrote to memory of 2788	1280	._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe	30
PID 1280 wrote to memory of 2788	1280	._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe	30
PID 2948 wrote to memory of 2760	2948	Synaptics.exe	31
PID 2948 wrote to memory of 2760	2948	Synaptics.exe	31
PID 2948 wrote to memory of 2760	2948	Synaptics.exe	31
PID 2948 wrote to memory of 2760	2948	Synaptics.exe	31
PID 2760 wrote to memory of 2540	2760	._cache_Synaptics.exe	32
PID 2760 wrote to memory of 2540	2760	._cache_Synaptics.exe	32
PID 2760 wrote to memory of 2540	2760	._cache_Synaptics.exe	32
PID 2760 wrote to memory of 2540	2760	._cache_Synaptics.exe	32
PID 2540 wrote to memory of 2976	2540	svchost.com	34
PID 2540 wrote to memory of 2976	2540	svchost.com	34
PID 2540 wrote to memory of 2976	2540	svchost.com	34
PID 2540 wrote to memory of 2976	2540	svchost.com	34
PID 2788 wrote to memory of 1460	2788	._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe	35
PID 2788 wrote to memory of 1460	2788	._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe	35
PID 2788 wrote to memory of 1460	2788	._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe	35
PID 2788 wrote to memory of 1460	2788	._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe	35
PID 1460 wrote to memory of 2212	1460	._cache_._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe	36
PID 1460 wrote to memory of 2212	1460	._cache_._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe	36
PID 1460 wrote to memory of 2212	1460	._cache_._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe	36
PID 1460 wrote to memory of 2212	1460	._cache_._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe	36
PID 2212 wrote to memory of 1540	2212	svchost.com	37
PID 2212 wrote to memory of 1540	2212	svchost.com	37
PID 2212 wrote to memory of 1540	2212	svchost.com	37
PID 2212 wrote to memory of 1540	2212	svchost.com	37

C:\Users\Admin\AppData\Local\Temp\c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe
"C:\Users\Admin\AppData\Local\Temp\c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:848
- C:\Users\Admin\AppData\Local\Temp\._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Users\Admin\AppData\Local\Temp\._cache_._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1460
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2212
      - C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE"
        7⤵
        
        PID:112
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2976
      - C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        6⤵
        
        PID:1664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        7⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        8⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
        9⤵
        
        PID:2880
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        9⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        10⤵
        
        PID:1720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        11⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        12⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        13⤵
        
        PID:768
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        14⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        15⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
        16⤵
        
        PID:2052
      - C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        6⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        7⤵
        
        PID:2748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE" InjUpdate
        8⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~2.EXE InjUpdate
        9⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~2.EXE" InjUpdate
        10⤵
        
        PID:2648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
        11⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
        12⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~1.EXE" InjUpdate
        13⤵
        
        PID:1672

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2864

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE

Filesize
569KB

MD5
eef2f834c8d65585af63916d23b07c36

SHA1
8cb85449d2cdb21bd6def735e1833c8408b8a9c6

SHA256
3cd34a88e3ae7bd3681a7e3c55832af026834055020add33e6bd6f552fc0aabd

SHA512
2ee8766e56e5b1e71c86f7d1a1aa1882706d0bca8f84b2b2c54dd4c255e04f037a6eb265302449950e5f5937b0e57f17a6aa45e88a407ace4b3945e65043d9b7

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe

Filesize
178KB

MD5
6570f18406183e572b1f8d4cea13bc66

SHA1
838e8537f613a33d9828defeb4cb1af2f8ed5f2b

SHA256
0466a343fc8ec05657758df972183869b74dd15936f9ac18663462128c88be64

SHA512
0b6807b721ec3934de420498014be32d1cb66d2d6ccb57f86b996d4423a7fa9d719f864317ffe1d48ca7c2bc5a72cb7b93f32fa03d09f144b1dba8006e0ebdf4

Download Submit
C:\ProgramData\Synaptics\RCXF40F.tmp

Filesize
753KB

MD5
85c4062ca855443ba02c2b83503ddc14

SHA1
5fa7451b7808c19a3d28dbbd4f662d0a584b6c77

SHA256
9770a6476b607f28077320caa244bbdde08611769338485faa64ad3bee4616cf

SHA512
851b48968e44604db4d02ec29744e6e2ca006e20bfb8883152860984dd4a648684e20b97b83a0b76afd21a922b3ac1afa9b2d54d9e3125b2e9b6958a8a7f5c7e

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
2.6MB

MD5
b78e2c578bae5735a163d4c7f07edd20

SHA1
31bc51da25b88d7f8eb8ab6a383c46d7a685b35e

SHA256
c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05

SHA512
3733cda9f98a2f3e3a4ed8f3c3c69678b27dfda62f29d214d61eff0662bf4e79ebcdc88c9aea8bfcb4207107f1ad94492504eef1a600c3292d57b762ac674ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe

Filesize
1.0MB

MD5
e9547e006568dee8b8e79afc3b76c0ef

SHA1
a729dbc501778086b03ec4e4e86c88380e8f643c

SHA256
ab4717953af5514b20795a5224cab1c4ac4d1d1c72ab054a1c12f360b48044d2

SHA512
6f3deb3086ad59a88848e94137babdcdba3a2cc131e762d20f7ff9c3304761b3c3ce0af4359a1eb3c441c60b6a97af3b45feff1324c360823f26304894a7b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache__CACHE~3.EXE

Filesize
276KB

MD5
01e8b340b9351f827bb8e6723d1f33cc

SHA1
8250370c86210376465249b155b5de2416b0a4e3

SHA256
37882834092d599c76073846832f79bcd6543a814543b8f1ebaab159d09c9013

SHA512
12274d75f5a3bab634a6a918ee838543f1fca1d35b9c82d8f85e1df4bf0e7999f267f2931d10e7002f864b1fc000f296045296727951a5d74294b6f94a5d713e

Download Submit
C:\Users\Admin\AppData\Local\Temp\VWhTfXyu.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\VWhTfXyu.xlsm

Filesize
20KB

MD5
35e6ce1373c31291a99b5fa31e5a313c

SHA1
d9794e717c9b7aea39e3ae2fc92d1924429699d9

SHA256
21c9efdee662db4a69126fc156bb4f9c1dfc5d5d277bac31fd69fdb1a111bb20

SHA512
88880d09db82228cce23c38e12e36dbc10161e96371f677cbab083e91d4b7cb2353ce565f9f70763deb59c6ba153cde079c1912cd6caa41ed54a9b1c416c0ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\VWhTfXyu.xlsm

Filesize
22KB

MD5
45ccf80f9ab9bb504caf8bd6818cd36c

SHA1
dcb7958f1a20b6ebd2138fdfc511909397e763bc

SHA256
5d0055f14e68afd56dc5f41956ac8f681595a145b58a45e3d8524ba20a3a2624

SHA512
5ae09979da7de470dd01bcb555c03ab6aa135c5662777654b9f740f3f1c40f9a9c2ec6e5f12d4bf8030f8941e57b579e980a627782a98b662f74ac2f4eca0632

Download Submit
C:\Users\Admin\AppData\Local\Temp\VWhTfXyu.xlsm

Filesize
22KB

MD5
700b4d7ff1aa42e1fb293d81841f240a

SHA1
3c98d7e20979d7eea582aebe6bf48ce1e4fbd2dd

SHA256
546cab8d4a1acff083c8221f760ad874990f479b9f8dc79c75a5722cab2897d7

SHA512
90c7bd72b516cfc878052313dcc6c798a49560335be0cf9bde86c8bd1a536d05145b321207685f948f5dfe54f7272c7108b5c36fe1515dbf5cac24c633627336

Download Submit
C:\Users\Admin\AppData\Local\Temp\VWhTfXyu.xlsm

Filesize
23KB

MD5
29506205cdabf5b5a4a30a0a564eabed

SHA1
67637f42c6a249360deadc23e6b0d10e35f7a3c7

SHA256
78822e938e1aa6de4ee9c9670c3676343352f0ad265c1a1e15b5341c6a9c34f1

SHA512
9ab1e887d4eb77f2634af9b58b9fc5e0105ed5f17b0458a4cb683d55dfbb8ccc3d32eba5f2a3214a0ec09c9963eaa26161fd8320b837dfaf61a0ad38930221bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\VWhTfXyu.xlsm

Filesize
23KB

MD5
3974efca533e08da2e00d461c38ab756

SHA1
1b562f72eaa020ff2a81d1cac9e99224609f22fd

SHA256
9efb82528c580c484f07d5ca1f3081684046ef2d104607e0b1119acfc03cfb3e

SHA512
49cabb901295875bef5d24c9ea0a91dbeea350f5599f106c12f72e56af8254f66e30bc8c6ad93f3737a1efe583a3db74d1f14ac35870655d840a0d86da218540

Download Submit
C:\Users\Admin\Desktop\~$SendClose.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
56abc40d1e45c091d8afddb90a4ce6b4

SHA1
08db549484467b32b79958700300cabefc659848

SHA256
a43fa861957415e3b0f25e2b54d931961cd309ff1d5354a9362852895b90b3e1

SHA512
51625c015a7c8fcf6fb51d3396aa08d2068772e3fcacaf32c409e82071af4ba1eb2ee94f36c06a98c32ba59d23bbaa6b540f7bd418a9472303cc225151daa698

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
6b3bfceb3942a9508a2148acbee89007

SHA1
3622ac7466cc40f50515eb6fcdc15d1f34ad3be3

SHA256
e0a7bae2a9ac263cff5d725922e40272d8854278d901233a93a5267859c00a3c

SHA512
fa222bfcade636824af32124b45450c92b1abec7a33e6e647a9248eef5371c127d22ccb7cc5a096b4d5d52e2457f3841293a1b34304e8e5523549856ac02f224

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
b42f2603883dadf133cee3ae5d767bb2

SHA1
dc4161551044405353e870b029afff27c8030e22

SHA256
998e1546bc98d29ffccb70e81ed00a01f3dbd3015e947d1aabca4cb01775ce28

SHA512
a4c33c9b87f84b4aba84ecf8b0b2d8a90703ef8523f1d057824196e584451072ab5bbc96e0c95a319baaffd16ba7a26f940fec2e28e9228e1275c87fb061c02d

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
0be604ce6cb13ac46c5f5fa37c9abb41

SHA1
1c4a555867778586b2727fa6f7331510b93234a8

SHA256
efb23890eba9d105120819fe1c25da2e314a9e10618aa2dd40a97c8a9dd79bdd

SHA512
06cdf862c495b99520e946b59a8721bfa4d89be284bcf9c155a38a1b25c281cc4d580d2af791034ef6c04c4a677ecaa56205ba21d740980d7985d45432038f21

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe

Filesize
1.8MB

MD5
ccc892ac8f3041c1d55f00e546f9f0aa

SHA1
fc76af338d037875d41db72cfdf2edec33489e54

SHA256
5dd75d1d7011a2ad365688ae2346b76abd18db3f38a7e8f8296e400ebeead54b

SHA512
096438e5c79f8dfc10064e32fab11f87b3a2d7596a76b196e20c21166eaca7d8be474cdf67fca2bb89a0063dbc4eb0902bdbc13baecd3712bd98d4a4933780bf

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\._cache_c1ffccb9eff1a60e6d5c984bbb447f18aa3872286f4dae3c4a513546c8e24f05N.exe

Filesize
1.8MB

MD5
0cb853589875389cae3b81e8f78c720e

SHA1
3cf13c6bda0b91d4151c73afb8895c5b469d4b6f

SHA256
d9c9fb3fdce47b2770d1f57c7a9e76d0f73060e8bcca8311c2421f145765eb04

SHA512
b5f64e5685470d7147cdde3ce3a38a93192e0f67ae47882775db61cdfd62b4d33ba442a4c924f7829e1576f93c6df9b7f84b8eea17ec9cdd9e8da5bb6a33c3ae

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~3.EXE

Filesize
1.0MB

MD5
36f3194058831a6e0161d612620464ce

SHA1
9a42967c7cb502695f0becbdb8420f82dc667601

SHA256
d0eea504cb7906782bc6450b24beb5defb279fe20ea160578d96feb3d8b557da

SHA512
bd53140ee667eeee40086ec20691f1972a83e523fd090baaecea37b4cc153c3d55b4d169bf3cdc631baa534fcb256bb0fb0f0367bce2ef5ea942eddfe56e1504

Download Submit
memory/768-367-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/848-0-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/848-38-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/1280-384-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1280-378-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1280-399-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1280-390-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1460-91-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1528-380-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/1528-404-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/1540-112-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1652-243-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1664-215-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1720-326-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1756-383-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1756-395-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/1828-377-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1864-268-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2212-105-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2440-350-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2540-189-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2648-370-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2748-286-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2760-391-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2760-398-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2760-385-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2760-379-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2788-87-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2816-382-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2816-418-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2836-346-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2860-381-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2864-77-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2868-311-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2928-351-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2948-210-0x0000000000400000-0x0000000000694000-memory.dmp

Filesize
2.6MB

Download
memory/2976-256-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2980-376-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads