Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2024 19:56
Static task: static1
Behavioral task: behavioral1
Sample: 2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
Resource: win7-20240903-en
General
Target: 2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
Size: 3.1MB
MD5: 555437a35bbb26dc74ccbbff9241eef4
SHA1: 6913cb4ed72eb3788885d8eebedae60e9d88cdd2
SHA256: 562ef514baef9536a3bca3ef76d72ac1e37ae587377da7449782936619e19771
SHA512: c68e5bbea164e0185042f79183e2be501528e57516b5a3825f1e4223595376f8dfa82f8c09acf3f323b861fc216f03363a2ac2849a95904abd5dbceddaf3d509
SSDEEP: 49152:TIAE0miU9mNKtcsS1OU/zXNUfEeXAxhF2rl/IuOryOvKODjj3POMjUfkptVxp/:+EUhcsaOU/jIEeQfoR/IuOFVjUu5
Malware Config
Extracted: xred
c2: xred.mooo.com
payload_url:
Extracted: asyncrat
version: Venom RAT + HVNC + Stealer + Grabber v6.0.3
botnet: Default
c2: 104.219.215.160:4449, 104.219.215.160:8008
mutex: jjzxklegwjqz
delay: 1
install: false
install_folder: %AppData%
Signatures
Asyncrat family
Xred family
Async RAT payload (1 IoC)
resource: behavioral1/files/0x0010000000013a51-39.dat
yara_rule: family_asyncrat
Executes dropped EXE (5 IoCs)
pid   Process
2328  2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
2620  ._cache_2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
476   Synaptics.exe
1152  Synaptics.exe
2868  ._cache_Synaptics.exe
Loads dropped DLL (6 IoCs)
pid   Process
2092  2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
2328  2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe (3 entries)
1152  Synaptics.exe (2 entries)
Adds Run key to start application (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AnyDVD HD v6.7.4.0 Final = "C:\\ProgramData\\Synaptics\\Synaptics.exe"
Process: 2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Run Powershell to get system information.
pid   Process
2952  powershell.exe
2428  powershell.exe
1980  powershell.exe
752   powershell.exe
Suspicious use of SetThreadContext (2 IoCs)
PID 2092 (2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe) set thread context of 2328, procid_target 38
PID 476 (Synaptics.exe) set thread context of 1152, procid_target 47
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Processes (13 entries): powershell.exe (x4), cmd.exe (x2), schtasks.exe (x2), 2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe (x2), Synaptics.exe (x2), EXCEL.EXE (x1)
Enumerates system info in registry (2 TTPs, 1 IoC)
Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor
Process: EXCEL.EXE
Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
1236  schtasks.exe
2744  schtasks.exe
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid   Process
2872  EXCEL.EXE
Suspicious behavior: EnumeratesProcesses (40 IoCs)
pid   Process
2952  powershell.exe
1980  powershell.exe
2428  powershell.exe
752   powershell.exe
2620  ._cache_2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe (36 entries)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Token: SeDebugPrivilege
pid   Process
2952  powershell.exe
1980  powershell.exe
2428  powershell.exe
2620  ._cache_2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
752   powershell.exe
2868  ._cache_Synaptics.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid   Process
2872  EXCEL.EXE
2620  ._cache_2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Identical rows are collapsed; the repeat count is given in parentheses.
PID 2092 (2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe) wrote to memory of 2952, procid_target 31 (x4)
PID 2092 (2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe) wrote to memory of 1980, procid_target 33 (x4)
PID 2092 (2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe) wrote to memory of 112, procid_target 35 (x4)
PID 112 (cmd.exe) wrote to memory of 2744, procid_target 37 (x4)
PID 2092 (2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe) wrote to memory of 2328, procid_target 38 (x12)
PID 2328 (2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe) wrote to memory of 2620, procid_target 39 (x4)
PID 2328 (2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe) wrote to memory of 476, procid_target 40 (x4)
PID 476 (Synaptics.exe) wrote to memory of 2428, procid_target 41 (x4)
PID 476 (Synaptics.exe) wrote to memory of 752, procid_target 43 (x4)
PID 476 (Synaptics.exe) wrote to memory of 2188, procid_target 44 (x4)
PID 476 (Synaptics.exe) wrote to memory of 1152, procid_target 47 (x12)
PID 2188 (cmd.exe) wrote to memory of 1236, procid_target 48 (x4)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe"
    PID: 2092
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command line: "powershell" (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory
        PID: 2952
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command line: "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '' -Value '"C:\Users\Admin\AppData\Roaming\.exe"' -PropertyType 'String'
        PID: 1980
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\cmd.exe
        command line: "cmd" /C schtasks /create /tn \ /tr "C:\Users\Admin\AppData\Roaming\.exe" /st 00:00 /du 9999:59 /sc once /ri 30 /rl HIGHEST /f
        PID: 112
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\schtasks.exe
            command line: schtasks /create /tn \ /tr "C:\Users\Admin\AppData\Roaming\.exe" /st 00:00 /du 9999:59 /sc once /ri 30 /rl HIGHEST /f
            PID: 2744
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task
    [2] C:\Users\Admin\AppData\Local\Temp\2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
        command line: #by-unknown
        PID: 2328
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\._cache_2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\._cache_2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe"
            PID: 2620
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
        [3] C:\ProgramData\Synaptics\Synaptics.exe
            command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
            PID: 476
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                command line: "powershell" (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory
                PID: 2428
                - Command and Scripting Interpreter: PowerShell
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                command line: "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '' -Value '"C:\Users\Admin\AppData\Roaming\.exe"' -PropertyType 'String'
                PID: 752
                - Command and Scripting Interpreter: PowerShell
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
            [4] C:\Windows\SysWOW64\cmd.exe
                command line: "cmd" /C schtasks /create /tn \ /tr "C:\Users\Admin\AppData\Roaming\.exe" /st 00:00 /du 9999:59 /sc once /ri 30 /rl HIGHEST /f
                PID: 2188
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\schtasks.exe
                    command line: schtasks /create /tn \ /tr "C:\Users\Admin\AppData\Roaming\.exe" /st 00:00 /du 9999:59 /sc once /ri 30 /rl HIGHEST /f
                    PID: 1236
                    - System Location Discovery: System Language Discovery
                    - Scheduled Task/Job: Scheduled Task
            [4] C:\ProgramData\Synaptics\Synaptics.exe
                command line: #by-unknown
                PID: 1152
                - Executes dropped EXE
                - Loads dropped DLL
                - System Location Discovery: System Language Discovery
                [5] C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
                    command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
                    PID: 2868
                    - Executes dropped EXE
                    - Suspicious use of AdjustPrivilegeToken
[1] C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    PID: 2872
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
Filesize: 17KB
MD5: e566fc53051035e1e6fd0ed1823de0f9
SHA1: 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256: 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512: a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 9f4999cac510d7a2a67278591d9c98a2
SHA1: 3e5c252be742512f80f59b252fc8430f46cac8a5
SHA256: 39dd9b7380effc2f484167fc8c213a3f67ec849621c94c4a8144aad4f243c12b
SHA512: 5d9f104e036c6564286ba2fde2d8eb3623fe7669ded629ddd490b998166a249e446f2955e74b0d42adb4de1091c46c93e3bb3bf5127bc94f1b2deaf1f4992eb9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: d255475004e1f5cfe30fcc07f5033a74
SHA1: 943c08e7c0f0a3053b804728122731aa5857c4f4
SHA256: 9fb18c80947053b5f07e512bc77a941a31a5c5ad3cbaa988b0b5de31f7c4684f
SHA512: 819ad72df2df42a4fe5c40c00988e4778150e69f24eb2fd9334c2287659b18cfbcdd4c0118e2963afde0918547c9b01e702f685aa15c41db1b8f946eddd71d1d

Filesize: 8B
MD5: cf759e4c5f14fe3eec41b87ed756cea8
SHA1: c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256: c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512: c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

\Users\Admin\AppData\Local\Temp\._cache_2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
Filesize: 74KB
MD5: 8ce78f483110d74e5eff82f76e78a0b0
SHA1: ea39826209a5084b5cfbf4a89366856fd330b72d
SHA256: 7a573f3735077c7a97662456d8c5f5001559bc6dd2356ff6e4ef92f5e8a9acad
SHA512: 69654e33c7ccf5300b92c1e8d4e713671fb0676f01f02e93e500aa62ccd94a96aa6fc2ec9e928b1e8498c7950fa606ba2480bd63a11c379f949d247ff8dc399d

\Users\Admin\AppData\Local\Temp\2024-12-22_555437a35bbb26dc74ccbbff9241eef4_avoslocker_hijackloader_luca-stealer.exe
Filesize: 3.1MB
MD5: 555437a35bbb26dc74ccbbff9241eef4
SHA1: 6913cb4ed72eb3788885d8eebedae60e9d88cdd2
SHA256: 562ef514baef9536a3bca3ef76d72ac1e37ae587377da7449782936619e19771
SHA512: c68e5bbea164e0185042f79183e2be501528e57516b5a3825f1e4223595376f8dfa82f8c09acf3f323b861fc216f03363a2ac2849a95904abd5dbceddaf3d509