neshta | 91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a

Analysis

max time kernel
142s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2024 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
Size

821KB
MD5

787709d6e539595f98261ba53a1b6a38
SHA1

5aa7c7c9ad1bab83a325bd837d8986979738036d
SHA256

91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a
SHA512

a06fc6dd142d60254bf361981f50a292ebd8ba8bf3be9188d2e25891c0d39926bbad0c40c4d909a468eebf78cd9cf8cdfd22d0c10cacd8d5fabf97a96ddc4945
SSDEEP

12288:9pJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9dhWNUMS9:DJ39LyjbJkQFMhmC+6GD9HVn9

Score

10^/10

neshta xred backdoor discovery persistence spyware stealer upx

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Detect Neshta payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0006000000020228-149.dat	family_neshta
behavioral2/memory/2876-292-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2876-299-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2876-301-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2876-303-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 4 IoCs

pid	Process
3924	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
2888	._cache_91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
1848	Synaptics.exe
3940	._cache_Synaptics.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023b7d-18.dat	upx
behavioral2/memory/2888-50-0x00000000007C0000-0x00000000007D5000-memory.dmp	upx
behavioral2/memory/2888-121-0x00000000007C0000-0x00000000007D5000-memory.dmp	upx
behavioral2/memory/3940-166-0x0000000000520000-0x0000000000535000-memory.dmp	upx
behavioral2/memory/3940-174-0x0000000000520000-0x0000000000535000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~3\SYNAPT~1\SYNAPT~1.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3220	EXCEL.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3220	EXCEL.EXE
3220	EXCEL.EXE
3220	EXCEL.EXE
3220	EXCEL.EXE
3220	EXCEL.EXE
3220	EXCEL.EXE
3220	EXCEL.EXE
3220	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 3924	2876	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe	83
PID 2876 wrote to memory of 3924	2876	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe	83
PID 2876 wrote to memory of 3924	2876	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe	83
PID 3924 wrote to memory of 2888	3924	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe	84
PID 3924 wrote to memory of 2888	3924	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe	84
PID 3924 wrote to memory of 2888	3924	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe	84
PID 3924 wrote to memory of 1848	3924	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe	86
PID 3924 wrote to memory of 1848	3924	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe	86
PID 3924 wrote to memory of 1848	3924	91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe	86
PID 1848 wrote to memory of 3940	1848	Synaptics.exe	87
PID 1848 wrote to memory of 3940	1848	Synaptics.exe	87
PID 1848 wrote to memory of 3940	1848	Synaptics.exe	87

C:\Users\Admin\AppData\Local\Temp\91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
"C:\Users\Admin\AppData\Local\Temp\91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\3582-490\91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3924
- - C:\Users\Admin\AppData\Local\Temp\._cache_91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2888
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1848
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3940

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
86KB

MD5
3b73078a714bf61d1c19ebc3afc0e454

SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e

SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29

SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe

Filesize
27KB

MD5
d102cb5b0ec7dffa6ba6809069cf91ec

SHA1
e58b1b3b4697d67d32ccd22e2db39f614418f4f9

SHA256
6cf332f21fb773bd8f9cbc2d03980976b2923981416ac4b4884a4aa203fa55ad

SHA512
c34c42e46bb4477ff8364cd546aea03454feab21d37d2c8f9a4694cfecac7a6ee99ef7baecc16f3236cb369d703882835f6aebd2be759752d0a63b64c9d9a48e

Download Submit
C:\Users\Admin\AppData\Local\Temp\0DB75E00

Filesize
23KB

MD5
e35deea45435fee8f8ed1584ce92ae2f

SHA1
a8331026454fd5a543e8015ae042b51cdf9edd6f

SHA256
f7e78083433cd2963238b05111979f8b76e561b50c526f5a4022a9808736b8c7

SHA512
834a0883fc758ec302d1f57a0735a1b1990facb85518f5cfd57a49b87d97a308f2621d83ebf4103b4ec29e1402909a5863249b53fb9a2b825253a9c6d35c89f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\91d10089fdb8b6f9aa6a51c6f9b494ca751e117de909d5e38e3e185bb665d75a.exe

Filesize
781KB

MD5
91a41978a937e7a696a28a66b4d390bc

SHA1
f6ddf789e48e33f44e557d4db57c2f148c7fb195

SHA256
de44eae2af529ccc977187e765719315623e50be1995a4a2d9eb733d8959128c

SHA512
76ef3479e04ceab08572e70eca33460dc2da4fb372b48632ba7126f3fdba71b23d3a94d71f8d0360ae005f43592dca75fd0bff040db1e8742de4499674a50bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\qT4wTA8J.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
memory/1848-117-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/1848-295-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1848-294-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/1848-293-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1848-330-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2876-299-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2876-301-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2876-303-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2876-292-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2888-121-0x00000000007C0000-0x00000000007D5000-memory.dmp

Filesize
84KB

Download
memory/2888-50-0x00000000007C0000-0x00000000007D5000-memory.dmp

Filesize
84KB

Download
memory/3220-172-0x00007FFB25730000-0x00007FFB25740000-memory.dmp

Filesize
64KB

Download
memory/3220-176-0x00007FFB22ED0000-0x00007FFB22EE0000-memory.dmp

Filesize
64KB

Download
memory/3220-169-0x00007FFB25730000-0x00007FFB25740000-memory.dmp

Filesize
64KB

Download
memory/3220-170-0x00007FFB25730000-0x00007FFB25740000-memory.dmp

Filesize
64KB

Download
memory/3220-171-0x00007FFB25730000-0x00007FFB25740000-memory.dmp

Filesize
64KB

Download
memory/3220-168-0x00007FFB25730000-0x00007FFB25740000-memory.dmp

Filesize
64KB

Download
memory/3220-175-0x00007FFB22ED0000-0x00007FFB22EE0000-memory.dmp

Filesize
64KB

Download
memory/3924-115-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3924-13-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/3924-12-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3940-174-0x0000000000520000-0x0000000000535000-memory.dmp

Filesize
84KB

Download
memory/3940-166-0x0000000000520000-0x0000000000535000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads