Overview (score 10)
Static (score 10)
Behavioral tasks, in tab order (sample names truncated as displayed; full paths are listed under Analysis below)
AntiPubs D...er.exe   windows7-x64         score 10
AntiPubs D...er.exe   windows10-2004-x64   score 10
AntiPubs D...er.exe   windows7-x64         score 3
AntiPubs D...er.exe   windows10-2004-x64   score 3
AntiPubs D...ol.dll   windows7-x64         score 1
AntiPubs D...ol.dll   windows10-2004-x64   score 1
AntiPubs D...er.dll   windows7-x64         score 1
AntiPubs D...er.dll   windows10-2004-x64   score 1
AntiPubs D...rk.dll   windows7-x64         score 1
AntiPubs D...rk.dll   windows10-2004-x64   score 1
AntiPubs D...ib.dll   windows7-x64         score 1
AntiPubs D...ib.dll   windows10-2004-x64   score 1
AntiPubs D...on.dll   windows7-x64         score 1
AntiPubs D...on.dll   windows10-2004-x64   score 1
AntiPubs D...er.exe   windows7-x64         score 10
AntiPubs D...er.exe   windows10-2004-x64   score 10
AntiPubs D...F6.dll   windows7-x64         score 1
AntiPubs D...F6.dll   windows10-2004-x64   score 1
AntiPubs D...nq.dll   windows7-x64         score 1
AntiPubs D...nq.dll   windows10-2004-x64   score 1
AntiPubs D...te.dll   windows7-x64         score 1
AntiPubs D...te.dll   windows10-2004-x64   score 1
AntiPubs D...te.exe   windows7-x64         score 10
AntiPubs D...te.exe   windows10-2004-x64   score 10
AntiPubs D...ar.dll   windows7-x64         score 1
AntiPubs D...ar.dll   windows10-2004-x64   score 1
AntiPubs D...er.exe   windows7-x64         score 3
AntiPubs D...er.exe   windows10-2004-x64   score 3
AntiPubs D...op.dll   windows7-x64         score 1
AntiPubs D...op.dll   windows10-2004-x64   score 1
AntiPubs D...op.dll   windows7-x64         score 3
AntiPubs D...op.dll   windows10-2004-x64   score 3
Analysis
max time kernel: 153s
max time network: 157s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2024 12:23
Behavioral tasks (task: sample / resource)
behavioral1: AntiPubs Dork Searcher EZ/._cache_Searcher.exe / win7-20240729-en
behavioral2: AntiPubs Dork Searcher EZ/._cache_Searcher.exe / win10v2004-20241007-en
behavioral3: AntiPubs Dork Searcher EZ/._cache_searcher.exe / win7-20240708-en
behavioral4: AntiPubs Dork Searcher EZ/._cache_searcher.exe / win10v2004-20241007-en
behavioral5: AntiPubs Dork Searcher EZ/Control.dll / win7-20240903-en
behavioral6: AntiPubs Dork Searcher EZ/Control.dll / win10v2004-20241007-en
behavioral7: AntiPubs Dork Searcher EZ/EntityFramework.SqlServer.dll / win7-20240903-en
behavioral8: AntiPubs Dork Searcher EZ/EntityFramework.SqlServer.dll / win10v2004-20241007-en
behavioral9: AntiPubs Dork Searcher EZ/EntityFramework.dll / win7-20241023-en
behavioral10: AntiPubs Dork Searcher EZ/EntityFramework.dll / win10v2004-20241007-en
behavioral11: AntiPubs Dork Searcher EZ/Interop.WMPLib.dll / win7-20241010-en
behavioral12: AntiPubs Dork Searcher EZ/Interop.WMPLib.dll / win10v2004-20241007-en
behavioral13: AntiPubs Dork Searcher EZ/Newtonsoft.Json.dll / win7-20240903-en
behavioral14: AntiPubs Dork Searcher EZ/Newtonsoft.Json.dll / win10v2004-20241007-en
behavioral15: AntiPubs Dork Searcher EZ/Searcher.exe / win7-20240903-en
behavioral16: AntiPubs Dork Searcher EZ/Searcher.exe / win10v2004-20241007-en
behavioral17: AntiPubs Dork Searcher EZ/System.Data.SQLite.EF6.dll / win7-20240903-en
behavioral18: AntiPubs Dork Searcher EZ/System.Data.SQLite.EF6.dll / win10v2004-20241007-en
behavioral19: AntiPubs Dork Searcher EZ/System.Data.SQLite.Linq.dll / win7-20240903-en
behavioral20: AntiPubs Dork Searcher EZ/System.Data.SQLite.Linq.dll / win10v2004-20241007-en
behavioral21: AntiPubs Dork Searcher EZ/System.Data.SQLite.dll / win7-20240903-en
behavioral22: AntiPubs Dork Searcher EZ/System.Data.SQLite.dll / win10v2004-20241007-en
behavioral23: AntiPubs Dork Searcher EZ/Update.exe / win7-20241010-en
behavioral24: AntiPubs Dork Searcher EZ/Update.exe / win10v2004-20241007-en
behavioral25: AntiPubs Dork Searcher EZ/War.dll / win7-20240903-en
behavioral26: AntiPubs Dork Searcher EZ/War.dll / win10v2004-20241007-en
behavioral27: AntiPubs Dork Searcher EZ/searcher.exe / win7-20240903-en
behavioral28: AntiPubs Dork Searcher EZ/searcher.exe / win10v2004-20241007-en
behavioral29: AntiPubs Dork Searcher EZ/x64/SQLite.Interop.dll / win7-20240903-en
behavioral30: AntiPubs Dork Searcher EZ/x64/SQLite.Interop.dll / win10v2004-20241007-en
behavioral31: AntiPubs Dork Searcher EZ/x86/SQLite.Interop.dll / win7-20240903-en
behavioral32: AntiPubs Dork Searcher EZ/x86/SQLite.Interop.dll / win10v2004-20241007-en
General
Target: AntiPubs Dork Searcher EZ/Update.exe
Size: 893KB
MD5: f0f73959988dd4d41de1445fb9075b6f
SHA1: a39d5fe0e269c062c1b7c64be09db16508f6cc4b
SHA256: f7c2e8367293c26805ea8f0efed61aba293a970eeab7883b7c40619499e4fc85
SHA512: bff75fa90f703faf4682061bdd609844d98d64b07b0109091f7c2983e4e1459a702e30a4ee06aa036c0e6bc7a508f39a0c6b95a2c27d25df343b4137deb0520c
SSDEEP: 12288:UMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V94vFUNDasQ:UnsJ39LyjbJkQFMhmC+6GD9AFOaP
Malware Config
Extracted
Family: xred
Host: xred.mooo.com
payload_url (each payload is mirrored on Google Docs, Dropbox and xred.site50.net):
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
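The config above is what a network hunt would be built from: xred.mooo.com and xred.site50.net are dedicated to this family (mooo.com is one of the free dynamic-DNS domains served by freedns.afraid.org, and the freedns.afraid.org API URL with action=getdyndns is, in my reading, how the sample looks up the current record for it), while the Google Docs and Dropbox links sit on hosts every network talks to. The matcher below is an added example, not part of the sandbox report or of tria.ge; the proxy and DNS log formats and the SAMPLE_LOG lines are constructed for it. The design point is the split it makes: dedicated hosts are matched by hostname (DNS or proxy), shared hosts only by the exact URL, because alerting on docs.google.com or www.dropbox.com by name would drown in legitimate traffic.

```python
"""Match the Xred network IOCs from this report against proxy and DNS log lines.

Added example, not part of the sandbox report. The log formats and the
SAMPLE_LOG lines are constructed; adapt the two regexes to your own exports.
"""
import re
from urllib.parse import urlsplit

# Copied from the Malware Config section of the report.
XRED_HOST = "xred.mooo.com"
PAYLOAD_URLS = [
    "http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download",
    "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1",
    "http://xred.site50.net/syn/SUpdate.ini",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download",
    "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1",
    "http://xred.site50.net/syn/Synaptics.rar",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download",
    "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1",
    "http://xred.site50.net/syn/SSLLibrary.dll",
]

# Hosts that carry plenty of legitimate traffic: a bare-hostname match means
# nothing, so these are only matched on the exact path and query.
SHARED_HOSTS = {"docs.google.com", "www.dropbox.com", "freedns.afraid.org"}


def _canon(url):
    """Split a URL into (lower-cased host, path+query) for comparison."""
    p = urlsplit(url.strip())
    host = (p.hostname or "").lower()
    path = p.path + ("?" + p.query if p.query else "")
    return host, path


# Build the two indicator sets once at import time.
BAD_HOSTS = {XRED_HOST}
EXACT_URLS = set()
for _u in PAYLOAD_URLS:
    _host, _path = _canon(_u)
    if _host in SHARED_HOSTS:
        EXACT_URLS.add((_host, _path))
    else:
        BAD_HOSTS.add(_host)

# Constructed log formats: "<ts> <client> <METHOD> <url> <status>" for the
# proxy and "<ts> <client> <qtype> <qname>" for the resolver.
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qtype>A|AAAA|CNAME) (?P<qname>\S+)$")


def match_line(line):
    """Return (client, indicator, reason) if the line hits an IOC, else None."""
    m = PROXY_RE.match(line)
    if m:
        host, path = _canon(m["url"])
        if host in BAD_HOSTS:
            return (m["client"], host, "request to Xred host")
        if (host, path) in EXACT_URLS:
            return (m["client"], m["url"], "Xred payload URL on shared hosting")
        return None
    m = DNS_RE.match(line)
    if m:
        qname = m["qname"].rstrip(".").lower()
        if qname in BAD_HOSTS:
            return (m["client"], qname, "DNS lookup of Xred host")
    return None


def scan(lines):
    """Run match_line over an iterable of log lines and keep the hits."""
    return [hit for hit in map(match_line, lines) if hit is not None]


# Constructed sample: four lines from an "infected" client, two benign ones.
SAMPLE_LOG = [
    "2024-12-22T12:24:00Z 10.0.0.15 A xred.mooo.com",
    "2024-12-22T12:24:01Z 10.0.0.15 GET http://xred.site50.net/syn/SUpdate.ini 200",
    "2024-12-22T12:24:02Z 10.0.0.15 GET https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1 200",
    "2024-12-22T12:25:00Z 10.0.0.22 GET https://www.dropbox.com/s/abcdefghijk/report.pdf?dl=1 200",
    "2024-12-22T12:25:30Z 10.0.0.22 A docs.google.com",
    "2024-12-22T12:26:00Z 10.0.0.15 GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 200",
]

if __name__ == "__main__":
    for client, indicator, reason in scan(SAMPLE_LOG):
        print(f"{client}\t{reason}\t{indicator}")
```

A proxy that does not intercept TLS only sees the CONNECT hostname for the Google Docs and Dropbox URLs, so those three indicators are only usable with TLS inspection or on the endpoint; the DNS and plain-HTTP indicators for xred.mooo.com and xred.site50.net work regardless.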
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
ShowSuperHidden = 0 keeps files carrying the hidden+system attributes out of Explorer listings. Both writers are the dropped copies under c:\windows\resources (see the process tree), not the system binaries of the same name.
  Set value (int)  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  by explorer.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  by svchost.exe

Xred family

Executes dropped EXE (11 IoCs)
  2916  ._cache_Update.exe
  3016  ._cache_update.exe
  2944  icsys.icn.exe
  2828  Synaptics.exe
  2316  ._cache_Synaptics.exe
  1720  explorer.exe
  784   spoolsv.exe
  2860  svchost.exe
  2024  spoolsv.exe
  792   ._cache_synaptics.exe
  2080  icsys.icn.exe

Loads dropped DLL (32 IoCs; one entry per load, grouped here by process)
  2076  Update.exe (3)
  2916  ._cache_Update.exe (4)
  2944  icsys.icn.exe (3)
  2828  Synaptics.exe (5)
  1720  explorer.exe (3)
  2316  ._cache_Synaptics.exe (4)
  784   spoolsv.exe (3)
  2860  svchost.exe (3)
  2024  spoolsv.exe (2)
  2080  icsys.icn.exe (2)

Adds Run key to start application (2 TTPs, 5 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"  by Update.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"  by explorer.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"  by explorer.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"  by svchost.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"  by svchost.exe

Drops file in System32 directory (2 IoCs)
  File opened for modification  C:\Windows\SysWOW64\explorer.exe  by explorer.exe
  File opened for modification  C:\Windows\SysWOW64\explorer.exe  by svchost.exe

Drops file in Windows directory (6 IoCs)
  File opened for modification  C:\Windows\Resources\tjud.exe  by explorer.exe
  File opened for modification  C:\Windows\Resources\Themes\icsys.icn.exe  by ._cache_Update.exe
  File opened for modification  \??\c:\windows\resources\themes\explorer.exe  by icsys.icn.exe
  File opened for modification  \??\c:\windows\resources\spoolsv.exe  by explorer.exe
  File opened for modification  \??\c:\windows\resources\svchost.exe  by spoolsv.exe
  File opened for modification  C:\Windows\Resources\Themes\icsys.icn.exe  by ._cache_Synaptics.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 16 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. This key is also read during ordinary process start-up (EXCEL.EXE triggers it here too), so on its own it is context, not an indicator.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by: Synaptics.exe, explorer.exe, schtasks.exe (3), ._cache_Update.exe, ._cache_Synaptics.exe, ._cache_synaptics.exe, EXCEL.EXE, ._cache_update.exe, icsys.icn.exe (2), spoolsv.exe (2), svchost.exe, Update.exe

Enumerates system info in registry (2 TTPs, 1 IoC)
  Key opened  \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  by EXCEL.EXE

Scheduled Task/Job: Scheduled Task (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  2108  schtasks.exe
  2068  schtasks.exe
  836   schtasks.exe

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  2700  EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs, list capped at 64; grouped here by process)
  2916  ._cache_Update.exe (16)
  2944  icsys.icn.exe (17)
  1720  explorer.exe (16)
  2316  ._cache_Synaptics.exe (15)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  1720  explorer.exe
  2860  svchost.exe

Suspicious use of SetWindowsHookEx (17 IoCs; grouped here by process)
  2916  ._cache_Update.exe (2)
  2944  icsys.icn.exe (2)
  1720  explorer.exe (2)
  784   spoolsv.exe (2)
  2316  ._cache_Synaptics.exe (2)
  2860  svchost.exe (2)
  2700  EXCEL.EXE (1)
  2024  spoolsv.exe (2)
  2080  icsys.icn.exe (2)

Suspicious use of WriteProcessMemory (64 IoCs, list capped at 64)
The sandbox logs each parent-to-child write several times; collapsed here to one line per edge. Every edge is a parent/child pair in the process tree below, and the target names are taken from the "Executes dropped EXE" list.
  2076 Update.exe             -> 2916 ._cache_Update.exe      (procid_target 30)
  2916 ._cache_Update.exe     -> 3016 ._cache_update.exe      (procid_target 31)
  2916 ._cache_Update.exe     -> 2944 icsys.icn.exe           (procid_target 33)
  2076 Update.exe             -> 2828 Synaptics.exe           (procid_target 34)
  2828 Synaptics.exe          -> 2316 ._cache_Synaptics.exe   (procid_target 35)
  2944 icsys.icn.exe          -> 1720 explorer.exe            (procid_target 36)
  1720 explorer.exe           -> 784 spoolsv.exe              (procid_target 38)
  784 spoolsv.exe             -> 2860 svchost.exe             (procid_target 39)
  2860 svchost.exe            -> 2024 spoolsv.exe             (procid_target 40)
  2316 ._cache_Synaptics.exe  -> 792 ._cache_synaptics.exe    (procid_target 41)
Processes
Indentation shows parent/child; under each process, "cmd" is the command line and the dashes are the signatures it triggered.

C:\Users\Admin\AppData\Local\Temp\AntiPubs Dork Searcher EZ\Update.exe  (PID 2076)
  cmd: "C:\Users\Admin\AppData\Local\Temp\AntiPubs Dork Searcher EZ\Update.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\AntiPubs Dork Searcher EZ\._cache_Update.exe  (PID 2916)
    cmd: "C:\Users\Admin\AppData\Local\Temp\AntiPubs Dork Searcher EZ\._cache_Update.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    \??\c:\users\admin\appdata\local\temp\antipubs dork searcher ez\._cache_update.exe  (PID 3016)
      cmd: "c:\users\admin\appdata\local\temp\antipubs dork searcher ez\._cache_update.exe "
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    C:\Windows\Resources\Themes\icsys.icn.exe  (PID 2944)
      cmd: C:\Windows\Resources\Themes\icsys.icn.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\windows\resources\themes\explorer.exe  (PID 1720)  [dropped copy, not C:\Windows\Explorer.exe]
        cmd: c:\windows\resources\themes\explorer.exe
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        \??\c:\windows\resources\spoolsv.exe  (PID 784)  [dropped copy]
          cmd: c:\windows\resources\spoolsv.exe SE
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          \??\c:\windows\resources\svchost.exe  (PID 2860)  [dropped copy]
            cmd: c:\windows\resources\svchost.exe
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            \??\c:\windows\resources\spoolsv.exe  (PID 2024)  [dropped copy]
              cmd: c:\windows\resources\spoolsv.exe PR
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
            C:\Windows\SysWOW64\schtasks.exe  (PID 2068)
              cmd: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:26 /f
              - System Location Discovery: System Language Discovery
              - Scheduled Task/Job: Scheduled Task
            C:\Windows\SysWOW64\schtasks.exe  (PID 836)
              cmd: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:27 /f
              - System Location Discovery: System Language Discovery
              - Scheduled Task/Job: Scheduled Task
            C:\Windows\SysWOW64\schtasks.exe  (PID 2108)
              cmd: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:28 /f
              - System Location Discovery: System Language Discovery
              - Scheduled Task/Job: Scheduled Task
        C:\Windows\Explorer.exe  (PID 2312)  [the genuine Explorer, started by the dropped copy; no signatures]
          cmd: C:\Windows\Explorer.exe
  C:\ProgramData\Synaptics\Synaptics.exe  (PID 2828)
    cmd: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\AntiPubs Dork Searcher EZ\._cache_Synaptics.exe  (PID 2316)
      cmd: "C:\Users\Admin\AppData\Local\Temp\AntiPubs Dork Searcher EZ\._cache_Synaptics.exe" InjUpdate
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      \??\c:\users\admin\appdata\local\temp\antipubs dork searcher ez\._cache_synaptics.exe  (PID 792)
        cmd: "c:\users\admin\appdata\local\temp\antipubs dork searcher ez\._cache_synaptics.exe " InjUpdate
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      C:\Windows\Resources\Themes\icsys.icn.exe  (PID 2080)
        cmd: C:\Windows\Resources\Themes\icsys.icn.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE  (PID 2700)
  cmd: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
  (started as a COM automation server; the report records no parent for it)
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

The three "svchost" task registrations are a minute apart (12:26, 12:27, 12:28, with the sample submitted at 12:23) and all point at the dropped c:\windows\resources\svchost.exe; each uses /f, so every run replaces the task created by the previous one and only the last start time is left on the host.
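The tree above is the pattern worth detecting on endpoints: binaries named explorer.exe, svchost.exe and spoolsv.exe executing from c:\windows\resources, a scheduled task named "svchost" whose action is that dropped copy, and Run/RunOnce values pointing into C:\ProgramData and c:\windows\resources. The detections below are an added example, not part of the sandbox report or of tria.ge. They are written in Python over constructed Sysmon-style process-creation and registry-set events so the logic can be run and checked offline; the event shape (type, pid, image, cmdline, key, data), the expected-directory table and the two "benign" events are assumptions for the example, and the five malicious events reuse PIDs, paths and values from this report. On a live Windows host the same checks would be typed in PowerShell against Get-CimInstance Win32_Process, schtasks /query and the Run keys.

```python
"""Endpoint detections for the behaviour in this report: system-binary names
running outside their genuine directories, 'schtasks /create' persistence
pointing at such a copy, and Run/RunOnce values in suspect directories.

Added example, not part of the sandbox report. Event dictionaries, field
names, EXPECTED_DIRS and the two benign sample events are assumptions.
"""
import re
import shlex
from pathlib import PureWindowsPath

# Binaries the dropped copies impersonate, with the directories the genuine
# ones live in on 64-bit Windows (assumed default install layout).
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Directories this sample's autorun entries pointed at, plus user profiles.
AUTORUN_SUSPECT_DIRS = (r"c:\programdata", r"c:\windows\resources", r"c:\users")
AUTORUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
NT_PREFIX_RE = re.compile(r"^\\\?\?\\")  # the sandbox shows some paths as \??\c:\...


def _norm(path):
    """Strip quotes and the NT object prefix; return (lower dir, lower file name)."""
    path = NT_PREFIX_RE.sub("", path.strip().strip('"'))
    p = PureWindowsPath(path)
    return str(p.parent).lower(), p.name.lower()


def masquerade(image):
    """Flag a system-binary name executing outside its genuine directory."""
    directory, name = _norm(image)
    if name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]:
        return f"{name} running from {directory}"
    return None


def suspicious_schtasks(cmdline):
    """Flag 'schtasks /create' whose task name or target file is a system-binary
    name while the target lives outside System32/SysWOW64."""
    try:
        args = shlex.split(cmdline, posix=False)  # keeps Windows quoting and backslashes
    except ValueError:
        return None
    low = [a.lower() for a in args]
    if "/create" not in low:
        return None
    opts = {}
    for i, a in enumerate(low):
        if a in ("/tn", "/tr") and i + 1 < len(args):
            opts[a] = args[i + 1].strip('"')
    task, target = opts.get("/tn", "").lower(), opts.get("/tr", "")
    if not target:
        return None
    directory, name = _norm(target)
    if (task + ".exe" in EXPECTED_DIRS or name in EXPECTED_DIRS) and directory not in SYSTEM_DIRS:
        return f"task {task!r} runs {name} from {directory}"
    return None


def suspicious_autorun(key, data):
    """Flag Run/RunOnce values whose executable sits in a suspect directory."""
    if not AUTORUN_KEY_RE.search(key):
        return None
    try:
        first = shlex.split(data, posix=False)[0]  # executable is the first token
    except (ValueError, IndexError):
        return None
    directory, name = _norm(first)
    if directory.startswith(AUTORUN_SUSPECT_DIRS):
        return f"{key.rsplit(chr(92), 1)[-1]} -> {name} in {directory}"
    return None


def detect(events):
    """Return (pid, rule, detail) for every event that trips a rule."""
    hits = []
    for e in events:
        if e["type"] == "process":
            r = masquerade(e["image"])
            if r:
                hits.append((e["pid"], "masquerade", r))
            if _norm(e["image"])[1] == "schtasks.exe":
                r = suspicious_schtasks(e["cmdline"])
                if r:
                    hits.append((e["pid"], "schtasks", r))
        elif e["type"] == "registry":
            r = suspicious_autorun(e["key"], e["data"])
            if r:
                hits.append((e["pid"], "autorun", r))
    return hits


# Constructed events: the first five reuse PIDs, paths and values from this
# report; the last two are made-up benign entries to show the rules stay quiet.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1720, "image": r"\??\c:\windows\resources\themes\explorer.exe",
     "cmdline": r"c:\windows\resources\themes\explorer.exe"},
    {"type": "process", "pid": 2312, "image": r"C:\Windows\Explorer.exe", "cmdline": r"C:\Windows\Explorer.exe"},
    {"type": "process", "pid": 2068, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:26 /f'},
    {"type": "registry", "pid": 2076, "data": r"C:\ProgramData\Synaptics\Synaptics.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver"},
    {"type": "registry", "pid": 2860, "data": r"c:\windows\resources\svchost.exe RO",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost"},
    {"type": "process", "pid": 4100, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "NightlyBackup" /tr "C:\Tools\backup.exe" /sc daily /st 02:00'},
    {"type": "registry", "pid": 4200, "data": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
     "key": r"\REGISTRY\USER\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]

if __name__ == "__main__":
    for pid, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{pid}\t{rule}\t{detail}")
```

The masquerade rule is deliberately strict about the directory rather than the path prefix: c:\windows\resources\themes starts with c:\windows, so a prefix check would pass the dropped explorer.exe. The task rule fires on either the task name or the target file name, because an attacker can keep one of them innocuous.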
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
  Hide Artifacts (1): Hidden Files and Directories (1)
  Modify Registry (2)
Downloads
Files collected by the sandbox; file names were not captured here. The first entry has the same hashes as the submitted Update.exe.

Filesize: 893KB
MD5:    f0f73959988dd4d41de1445fb9075b6f
SHA1:   a39d5fe0e269c062c1b7c64be09db16508f6cc4b
SHA256: f7c2e8367293c26805ea8f0efed61aba293a970eeab7883b7c40619499e4fc85
SHA512: bff75fa90f703faf4682061bdd609844d98d64b07b0109091f7c2983e4e1459a702e30a4ee06aa036c0e6bc7a508f39a0c6b95a2c27d25df343b4137deb0520c

Filesize: 27KB
MD5:    3023fa12641a0ce6589aa9829fb57213
SHA1:   4f1177ae770be3fbbe29c10d5516b655ec581395
SHA256: 6e4e0d1d79d2fff58319a9e12d9bb8fc2b0045d4c745d45d5289334ee5ee0900
SHA512: 70cab686613638066651d5231641f9ce041061103326001577239629007e586fe1769e9f8bd3e45d60f21e775b33f300f0cfa7b117bc688b15d2cbb06b7d76e3

Filesize: 28KB
MD5:    a0e6bede8b904c54fc7614315b332cf2
SHA1:   3d2457fb729c41ff1c4593efbd1de8c4a72bbded
SHA256: f318433222281039e938d575798f60550462ff8f30c34418e3eaba8a1b0a5615
SHA512: 2ddf9c01c1289026f0c7f335e3a62576c33682019d1f17cc2b9ecfbd755052884e575418ae78e9dfdb390ab1b099f077574e8f78f1f0aa4c4f425f38c86e15c7

Filesize: 17KB
MD5:    e566fc53051035e1e6fd0ed1823de0f9
SHA1:   00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256: 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512: a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Filesize: 29KB
MD5:    3d3405c4f62123f7cf2ae657e4c594a4
SHA1:   02dc3730a168be85f7afe2a99ef45af9ffb54aff
SHA256: c4433765e3f9e8d700750551a02c565f5bad4ec31425723da12f9d89eda0e840
SHA512: fa76f3b3a636e07f4366f5b737a750bc37abaf8742c103842fcb41e5c9045b74eb8ec251ddd515231bd104f386a26d8daa195b472a1e99e0986cea4a863ac766

Filesize: 135KB
MD5:    6fedcf3675911bf77cbf996196a36343
SHA1:   7c8d83be693fe454475b8cd26b83e50498374113
SHA256: 452b91c70791a0e09ebd3e2d834a2b7fef94de023d672b627419c6f980d8de7e
SHA512: 14f37e4cd4f28ac31990e3de2957beac1ab74ad246b9d2c36ccf6b7419db00cc551e156e70691be3e57a20aaac3158b385d01b9722795c4c0f4c8c250eb7920b

Filesize: 140KB
MD5:    570ddad76b94dd6156587b6f98ce8f6d
SHA1:   c4b4b2655cc181add7a1e90d840a6735ca4bbace
SHA256: 324fd9c87d5311ad7ab72f6238afda44f7bd7532daaf2a3d639a4dea81d95c86
SHA512: be0be9826d2e6dcb0f3bcbe16ef624154f6357892d4c57d8d1f87508cb3d1b37966d1ceb679487305ea3236acdcd5871a6cda315a89510264850b0629e36aa0f

Filesize: 5KB
MD5:    e2032456744fd06c43c2097f8fcd1a1f
SHA1:   df474bbbd27166ef9a935457c44130fa20fbda5d
SHA256: bf9ba9e515c43c1c7d394cbc528e2fa500d98c423df89958485f61d2bd7bb874
SHA512: e3520f05508bcd44d989b7e92102586235a1187afbea8e9d903244e5487679190fc83aaf831ded2b9e0da0803b3298c93ff1be0396bbe54e57b5c3a428c6d7ae

Filesize: 135KB
MD5:    fe07e43d610bef7a346eef8f8c5b9a95
SHA1:   f782e9115af0f9cd8f5d88179476614fd84e1a10
SHA256: 83caed8278b264c26235d659bf80924ba0969a6209d984cf6a38ac66635af4d3
SHA512: 2e1539602e62dc13a303f71760a4ed6a155daae438804d5bde7f6ff9aa67818e66ada7eea2fa1eff76144513695e91783f481f5fe7ef1c56dfe15251033c2f65

Filesize: 135KB
MD5:    acd359672ab8d7d68e69c443e8c92f10
SHA1:   42fbdf002519ab91ad15b39b4a56eb9e2354e63c
SHA256: 8ad2e3bcc2bb53bd33249d8edd5483a1b23cbb03e0967610bfb1337b80efa808
SHA512: b0c8e2a752945987c0bbc858cd6574e4e2cf64d17c90e4ff40421a75858db75a2d4aa09b6af323b80f027aeebf42d656e47ee649c756bf04f28a706cff300b03

Filesize: 135KB
MD5:    cfd682b7bff942e1e6874e0eefcb30f9
SHA1:   8479183686a10ffcbc9378f122dd1b51885f176e
SHA256: 82c860229b83325db3cc5511ab8856182f3c213cd7b18c5d5f7e4f1711346509
SHA512: 69de5542da6af1d61dff2f9407b111b3992436b8355603814336aa4d8a043d9bd858f4cacf1bfdb445371b23bbbfdaffb6ce284942ab1020ded063c3fff06bd9