xred | 99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 00:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
Size

6.1MB
MD5

3836fdeaf179df63b904a0498fefc3ca
SHA1

81127b3089ca41b081647b13c6ec0474638343ed
SHA256

99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056
SHA512

212dcb46234115aaa3a36cdb5983bbefa4e4766089689eaf7fe7f9de6fe59de0f3f4e7ce613dcb3726d753901fe256a325d8c6521de57429ba072fe388b9ffad
SSDEEP

98304:knsmtk2aNFd7Xy1VkHK5mi8P4aR8qLf3gbz2FSmaI7dl0c:KLsFVXy1KHKQjQbz2FSmaI7dlN

Score

10^/10

xred adware backdoor discovery macro persistence spyware stealer

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x000700000001a07b-97.dat

Executes dropped EXE 3 IoCs

pid	Process
2332	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
784	Synaptics.exe
2904	._cache_Synaptics.exe

Loads dropped DLL 6 IoCs

pid	Process
2228	99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
2228	99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
2228	99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
784	Synaptics.exe
784	Synaptics.exe
2904	._cache_Synaptics.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\._cache_Synaptics.exe /onboot"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe /onboot"	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	._cache_Synaptics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	._cache_Synaptics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	._cache_Synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Low Rights	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe"	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	._cache_Synaptics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "._cache_Synaptics.exe"	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243"	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	._cache_Synaptics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm"	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Low Rights	._cache_Synaptics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	._cache_Synaptics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	._cache_Synaptics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "._cache_Synaptics.exe"	._cache_Synaptics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe"	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	._cache_Synaptics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	._cache_Synaptics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	._cache_Synaptics.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	._cache_Synaptics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1"	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe"	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1"	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User"	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\._cache_Synaptics.exe"	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan"	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32	._cache_Synaptics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}\Model = "353"	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User"	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID	._cache_Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter"	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}	._cache_Synaptics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}\Therad = "1"	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Wow6432Node\CLSID	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	._cache_Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1840	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2332	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
2332	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2904	._cache_Synaptics.exe
2332	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2332	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
Token: SeRestorePrivilege	2904	._cache_Synaptics.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2904	._cache_Synaptics.exe
2332	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2904	._cache_Synaptics.exe
2332	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2904	._cache_Synaptics.exe
2904	._cache_Synaptics.exe
2904	._cache_Synaptics.exe
2904	._cache_Synaptics.exe
1840	EXCEL.EXE
2332	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
2904	._cache_Synaptics.exe
2332	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
2332	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
2332	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
2332	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
2332	._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2332	2228	99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe	31
PID 2228 wrote to memory of 2332	2228	99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe	31
PID 2228 wrote to memory of 2332	2228	99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe	31
PID 2228 wrote to memory of 2332	2228	99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe	31
PID 2228 wrote to memory of 784	2228	99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe	32
PID 2228 wrote to memory of 784	2228	99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe	32
PID 2228 wrote to memory of 784	2228	99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe	32
PID 2228 wrote to memory of 784	2228	99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe	32
PID 784 wrote to memory of 2904	784	Synaptics.exe	33
PID 784 wrote to memory of 2904	784	Synaptics.exe	33
PID 784 wrote to memory of 2904	784	Synaptics.exe	33
PID 784 wrote to memory of 2904	784	Synaptics.exe	33
PID 2904 wrote to memory of 2568	2904	._cache_Synaptics.exe	34
PID 2904 wrote to memory of 2568	2904	._cache_Synaptics.exe	34
PID 2904 wrote to memory of 2568	2904	._cache_Synaptics.exe	34
PID 2904 wrote to memory of 2568	2904	._cache_Synaptics.exe	34
PID 2904 wrote to memory of 2568	2904	._cache_Synaptics.exe	34
PID 2904 wrote to memory of 2568	2904	._cache_Synaptics.exe	34
PID 2904 wrote to memory of 2568	2904	._cache_Synaptics.exe	34

C:\Users\Admin\AppData\Local\Temp\99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
"C:\Users\Admin\AppData\Local\Temp\99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Local\Temp\._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2332
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:784
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2568

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
6.1MB

MD5
3836fdeaf179df63b904a0498fefc3ca

SHA1
81127b3089ca41b081647b13c6ec0474638343ed

SHA256
99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056

SHA512
212dcb46234115aaa3a36cdb5983bbefa4e4766089689eaf7fe7f9de6fe59de0f3f4e7ce613dcb3726d753901fe256a325d8c6521de57429ba072fe388b9ffad

Download Submit
C:\Users\Admin\AppData\Local\Temp\AiU7y2qZ.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\AiU7y2qZ.xlsm

Filesize
24KB

MD5
28b12cdcadb7e4cbaa1fb39c0b3be394

SHA1
7b47ff1902d984a123135e3b0d1fcc70f04af42a

SHA256
f2a2a5a35aaf33a06e8109d6da66073c326d6a9c1891bb12fbe86666c86d0099

SHA512
d08e5e776e197059492c5e94470a03cfb532dc9eac840afd213059213de66ca6a602647fad4abef049cc97e2baf5ba8f7b385135ebe738adfd362cdfe4bc43ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\AiU7y2qZ.xlsm

Filesize
31KB

MD5
05eb0a228004b3651557c22384c23751

SHA1
ff7666553b34e725c2b45ad35eec2bed0ef3f3e2

SHA256
c335bd2edebf446f38b834013acfe6ed43cac7fedd4c1f413a3ddce0b0876f81

SHA512
42e5ac7590cd70dd00ff964c0fdcee2f9e097d81f346acd13c425d9a73dfbebf95e50a1263c023bd22e141c1f166d42a000bddb901b5f5769a4319322314eb3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AiU7y2qZ.xlsm

Filesize
26KB

MD5
c95880f45604fc5aae7c8cde23bc3359

SHA1
3f5e1c028e54e78fc2e829446541511785f0a85e

SHA256
6978b3d77317d8a587897bb46c97e0ef0acd98044ffdfb7d68a2e360fed01778

SHA512
c65a426c129ccef3d8a158e00b0fac57c9e2f3036f421e766d6e0e276e416606f20e5ab1f4a851f58e7ab40e7e3d611e14c27e4ce13593c656036e910947dc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AiU7y2qZ.xlsm

Filesize
26KB

MD5
5260e8a98cc2546fc25a94565d2678fa

SHA1
ac671487356c0c6559cab66cfc598238572f4306

SHA256
5e5acbef2e085d0a9a5bea1339ce567573370ef81af08e95478e43eaebdf7931

SHA512
e846658048763ccedf1b7c9dc68e8bc3cb6f88ba92ede3fb06e6980131c9cab3461ef8bb2bf9c9e58c3903cc9ddb2ba8173baa28c1782d96a04da58bc9bf0043

Download Submit
C:\Users\Admin\AppData\Local\Temp\~$AiU7y2qZ.xlsm

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\Scheduler\s_1.dt

Filesize
316B

MD5
2639455c21b61de370e5e4e500a9c008

SHA1
b68a4bc7c4b521a2544459e603fbe706027f4e4e

SHA256
6d059e9c4670699aaa1b1594917d1be5fe752517d7c7e505f227e8dd181dcebb

SHA512
e7cf7fe5eebec79f70ed6b2fae0fdfe2c992fc240b0e6bc4a73e00aad01fdb1e13fd69a55b8b2a3b7a2c314c1ccbfc18284293f06ff5e875f0b64a86054db404

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe

Filesize
5.4MB

MD5
f1c022844d082a85c760b33c133921b5

SHA1
4b48a8c17260c5548a8275135ebb07fe12ac8730

SHA256
fe6765341fa4be1316f296e714228a2e0e3e475b6820e6344a293821fcc0859d

SHA512
06877660b23fd862dba27af3d86dc12bbecf3c047f722a7681ebf665ad90a9ba0219ac0d5619b7926ad27a5a490cf896a8fc081d290ef10c9d829ccb12cf96fb

Download Submit
memory/784-37-0x0000000000400000-0x0000000000A2C000-memory.dmp

Filesize
6.2MB

Download
memory/784-119-0x0000000000400000-0x0000000000A2C000-memory.dmp

Filesize
6.2MB

Download
memory/784-120-0x0000000000400000-0x0000000000A2C000-memory.dmp

Filesize
6.2MB

Download
memory/784-154-0x0000000000400000-0x0000000000A2C000-memory.dmp

Filesize
6.2MB

Download
memory/1840-38-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1840-114-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2228-0-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2228-25-0x0000000000400000-0x0000000000A2C000-memory.dmp

Filesize
6.2MB

Download