xred | 8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
Size

1.6MB
MD5

17fb4f9df5175e684a3427c5997b2007
SHA1

c7b207497e0171fbb8fca648d82753abbf42b0b8
SHA256

8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3
SHA512

ed454b9588ab5209a926395c03b7e1ee35231bb77f66895187ebe86a3e94fc3568a247983946021887def3e4f396705142134abfdeb857b9e040dd863fe6d51d
SSDEEP

49152:gnsHyjtk2MYC5GDGfhloJfKoKqh1X+T9f8z:gnsmtk2aNfhlHoKqzX+Sz

Score

10^/10

xred backdoor discovery persistence upx

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QHCPYO.lnk	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe

Executes dropped EXE 6 IoCs

pid	Process
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2840	Synaptics.exe
3016	._cache_Synaptics.exe
2400	NUHORT.exe
2572	NUHORT.exe
2264	NUHORT.exe

Loads dropped DLL 6 IoCs

pid	Process
3008	8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
3008	8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
3008	8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2840	Synaptics.exe
2840	Synaptics.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\QHCPYO = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\NUHORT.exe\""	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe

AutoIT Executable 18 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/3016-48-0x0000000000C50000-0x0000000000E3E000-memory.dmp	autoit_exe
behavioral1/memory/2592-139-0x00000000009C0000-0x0000000000BAE000-memory.dmp	autoit_exe
behavioral1/memory/2592-140-0x00000000009C0000-0x0000000000BAE000-memory.dmp	autoit_exe
behavioral1/memory/2592-142-0x00000000009C0000-0x0000000000BAE000-memory.dmp	autoit_exe
behavioral1/memory/2400-147-0x0000000000E00000-0x0000000000FEE000-memory.dmp	autoit_exe
behavioral1/memory/2592-148-0x00000000009C0000-0x0000000000BAE000-memory.dmp	autoit_exe
behavioral1/memory/2592-150-0x00000000009C0000-0x0000000000BAE000-memory.dmp	autoit_exe
behavioral1/memory/2592-152-0x00000000009C0000-0x0000000000BAE000-memory.dmp	autoit_exe
behavioral1/memory/2592-154-0x00000000009C0000-0x0000000000BAE000-memory.dmp	autoit_exe
behavioral1/memory/2592-167-0x00000000009C0000-0x0000000000BAE000-memory.dmp	autoit_exe
behavioral1/memory/2572-171-0x0000000000E50000-0x000000000103E000-memory.dmp	autoit_exe
behavioral1/memory/2592-185-0x00000000009C0000-0x0000000000BAE000-memory.dmp	autoit_exe
behavioral1/memory/2592-194-0x00000000009C0000-0x0000000000BAE000-memory.dmp	autoit_exe
behavioral1/memory/2592-196-0x00000000009C0000-0x0000000000BAE000-memory.dmp	autoit_exe
behavioral1/memory/2592-198-0x00000000009C0000-0x0000000000BAE000-memory.dmp	autoit_exe
behavioral1/memory/2592-200-0x00000000009C0000-0x0000000000BAE000-memory.dmp	autoit_exe
behavioral1/memory/2592-202-0x00000000009C0000-0x0000000000BAE000-memory.dmp	autoit_exe
behavioral1/memory/2264-206-0x0000000000E50000-0x000000000103E000-memory.dmp	autoit_exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b000000012280-4.dat	upx
behavioral1/memory/2592-18-0x00000000009C0000-0x0000000000BAE000-memory.dmp	upx
behavioral1/memory/3016-41-0x0000000000C50000-0x0000000000E3E000-memory.dmp	upx
behavioral1/memory/3016-48-0x0000000000C50000-0x0000000000E3E000-memory.dmp	upx
behavioral1/memory/2592-139-0x00000000009C0000-0x0000000000BAE000-memory.dmp	upx
behavioral1/memory/2592-140-0x00000000009C0000-0x0000000000BAE000-memory.dmp	upx
behavioral1/memory/2592-142-0x00000000009C0000-0x0000000000BAE000-memory.dmp	upx
behavioral1/memory/2400-146-0x0000000000E00000-0x0000000000FEE000-memory.dmp	upx
behavioral1/memory/2400-147-0x0000000000E00000-0x0000000000FEE000-memory.dmp	upx
behavioral1/memory/2592-148-0x00000000009C0000-0x0000000000BAE000-memory.dmp	upx
behavioral1/memory/2592-150-0x00000000009C0000-0x0000000000BAE000-memory.dmp	upx
behavioral1/memory/2592-152-0x00000000009C0000-0x0000000000BAE000-memory.dmp	upx
behavioral1/memory/2592-154-0x00000000009C0000-0x0000000000BAE000-memory.dmp	upx
behavioral1/memory/2592-167-0x00000000009C0000-0x0000000000BAE000-memory.dmp	upx
behavioral1/memory/2572-169-0x0000000000E50000-0x000000000103E000-memory.dmp	upx
behavioral1/memory/2572-171-0x0000000000E50000-0x000000000103E000-memory.dmp	upx
behavioral1/memory/2592-185-0x00000000009C0000-0x0000000000BAE000-memory.dmp	upx
behavioral1/memory/2592-194-0x00000000009C0000-0x0000000000BAE000-memory.dmp	upx
behavioral1/memory/2592-196-0x00000000009C0000-0x0000000000BAE000-memory.dmp	upx
behavioral1/memory/2592-198-0x00000000009C0000-0x0000000000BAE000-memory.dmp	upx
behavioral1/memory/2592-200-0x00000000009C0000-0x0000000000BAE000-memory.dmp	upx
behavioral1/memory/2592-202-0x00000000009C0000-0x0000000000BAE000-memory.dmp	upx
behavioral1/memory/2264-205-0x0000000000E50000-0x000000000103E000-memory.dmp	upx
behavioral1/memory/2264-206-0x0000000000E50000-0x000000000103E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NUHORT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NUHORT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NUHORT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WSCript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\root\SecurityCenter2	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2692	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2420	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2420	EXCEL.EXE

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2592	3008	8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe	30
PID 3008 wrote to memory of 2592	3008	8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe	30
PID 3008 wrote to memory of 2592	3008	8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe	30
PID 3008 wrote to memory of 2592	3008	8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe	30
PID 3008 wrote to memory of 2840	3008	8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe	31
PID 3008 wrote to memory of 2840	3008	8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe	31
PID 3008 wrote to memory of 2840	3008	8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe	31
PID 3008 wrote to memory of 2840	3008	8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe	31
PID 2840 wrote to memory of 3016	2840	Synaptics.exe	32
PID 2840 wrote to memory of 3016	2840	Synaptics.exe	32
PID 2840 wrote to memory of 3016	2840	Synaptics.exe	32
PID 2840 wrote to memory of 3016	2840	Synaptics.exe	32
PID 2592 wrote to memory of 2708	2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe	33
PID 2592 wrote to memory of 2708	2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe	33
PID 2592 wrote to memory of 2708	2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe	33
PID 2592 wrote to memory of 2708	2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe	33
PID 2592 wrote to memory of 2660	2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe	35
PID 2592 wrote to memory of 2660	2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe	35
PID 2592 wrote to memory of 2660	2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe	35
PID 2592 wrote to memory of 2660	2592	._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe	35
PID 2708 wrote to memory of 2692	2708	cmd.exe	36
PID 2708 wrote to memory of 2692	2708	cmd.exe	36
PID 2708 wrote to memory of 2692	2708	cmd.exe	36
PID 2708 wrote to memory of 2692	2708	cmd.exe	36
PID 2392 wrote to memory of 2400	2392	taskeng.exe	43
PID 2392 wrote to memory of 2400	2392	taskeng.exe	43
PID 2392 wrote to memory of 2400	2392	taskeng.exe	43
PID 2392 wrote to memory of 2400	2392	taskeng.exe	43
PID 2392 wrote to memory of 2572	2392	taskeng.exe	44
PID 2392 wrote to memory of 2572	2392	taskeng.exe	44
PID 2392 wrote to memory of 2572	2392	taskeng.exe	44
PID 2392 wrote to memory of 2572	2392	taskeng.exe	44
PID 2392 wrote to memory of 2264	2392	taskeng.exe	45
PID 2392 wrote to memory of 2264	2392	taskeng.exe	45
PID 2392 wrote to memory of 2264	2392	taskeng.exe	45
PID 2392 wrote to memory of 2264	2392	taskeng.exe	45

C:\Users\Admin\AppData\Local\Temp\8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
"C:\Users\Admin\AppData\Local\Temp\8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Users\Admin\AppData\Local\Temp\._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /create /tn QHCPYO.exe /tr C:\Users\Admin\AppData\Roaming\Windata\NUHORT.exe /sc minute /mo 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn QHCPYO.exe /tr C:\Users\Admin\AppData\Roaming\Windata\NUHORT.exe /sc minute /mo 1
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2692
- - C:\Windows\SysWOW64\WSCript.exe
    WSCript C:\Users\Admin\AppData\Local\Temp\QHCPYO.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2660
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3016

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2420

C:\Windows\system32\taskeng.exe
taskeng.exe {C8C48643-3B15-4192-B678-DBD1F9B44D99} S-1-5-21-1163522206-1469769407-485553996-1000:PJCSDMRP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Roaming\Windata\NUHORT.exe
  C:\Users\Admin\AppData\Roaming\Windata\NUHORT.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2400
- C:\Users\Admin\AppData\Roaming\Windata\NUHORT.exe
  C:\Users\Admin\AppData\Roaming\Windata\NUHORT.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2572
- C:\Users\Admin\AppData\Roaming\Windata\NUHORT.exe
  C:\Users\Admin\AppData\Roaming\Windata\NUHORT.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.6MB

MD5
17fb4f9df5175e684a3427c5997b2007

SHA1
c7b207497e0171fbb8fca648d82753abbf42b0b8

SHA256
8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3

SHA512
ed454b9588ab5209a926395c03b7e1ee35231bb77f66895187ebe86a3e94fc3568a247983946021887def3e4f396705142134abfdeb857b9e040dd863fe6d51d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QHCPYO.vbs

Filesize
964B

MD5
729d2d77c447f1a8d3ab421a191afda3

SHA1
d77d5c93686b1e3b697e2c63b8cdf3f4060b161e

SHA256
b017e1a7b6be2d7a10d118bd07846d01326a31542103f26548c5d3f29d7b3352

SHA512
559231abf2716af90eec878aea850541e9bfcb0b5ab561175cefd5cd47ad4f986d4e9a116d05c04e2744000f535abab839f3c92372af77ee1fecd5cb14dcec27

Download Submit
C:\Users\Admin\AppData\Local\Temp\zOtvkYHr.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\zOtvkYHr.xlsm

Filesize
21KB

MD5
31107e7895feb14da797052f3a7a80dc

SHA1
90058a0bec5f0898cc80f50484584a2719b17cd7

SHA256
5bf4417722364e625aa7900a25bfc05f09984d15b9cf5ad9375e30a10fbca160

SHA512
96edf79eed4259a18c531e784e3373416bfb3576614328916864af2b35fbee20aaa40184dacae14ce5cd01be2af2f7656a126621e2c343bda81afa1018db08df

Download Submit
C:\Users\Admin\AppData\Local\Temp\zOtvkYHr.xlsm

Filesize
25KB

MD5
925cd8bd555345e9d0112dcbd90e2439

SHA1
b9369a5502bac63a18f180397323a8f93994f095

SHA256
2558378e9242338d3f14db473265dd55be0c07785efa22b99845925878501808

SHA512
24921530a0728436ffe8c5508ee7fb8b90d892fe226088ff023d4d8b98578b902c7b6058e0f870ef0c6ada16195c7e03a4edd02fe0302a55d28451fb523a7aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zOtvkYHr.xlsm

Filesize
23KB

MD5
5fa5db3a37593567c93bc77f56e8e39b

SHA1
aee91e51d4bec3627d2a3eb1786c39628a72ef53

SHA256
82e082d0abade4cea2d07ae2d36523482b033a1729ca4ef0228a09040677f486

SHA512
32cb3a5cca8d90f7bd38d5fe3f311b3f4ffd5bc2da6cb1e7b77986910f2c30fbc0bb645030e78ed75df6323abf983cbcb4df6c448170d5991dacd87e62e59c66

Download Submit
C:\Users\Admin\AppData\Local\Temp\zOtvkYHr.xlsm

Filesize
21KB

MD5
afa670149e404b44fbe0c120d335c440

SHA1
4a59f7abd8134f0d5c45cd6e833339fe716264b0

SHA256
77f7031f9939c8881d1e36349771b1fdc48e78547d42505836dc8254c91679bf

SHA512
d578e0f6202f02f02d340e047aefb7f4db597f12a2bee80ab41b800994fc8d51d857b58276f24c556a981c18f570181409212b5b55d5d102c94e33cefc50a0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zOtvkYHr.xlsm

Filesize
26KB

MD5
b871d194a9030ca154ca78b88308504d

SHA1
e7a611ff96175647dcebd3e540f6acc5dab3912a

SHA256
658b01d937c1706a97fdb1b98e746686591fb10a8028710e612b2c97360e8dca

SHA512
8f48efb4dd407384bb558934493a90f6e32e589e38a71f77408a61262d9fbb535a575e214f739beca9ef36bbf44ec262569b434abfbd0ab240aded0206ca3fa0

Download Submit
C:\Users\Admin\Desktop\~$OpenBackup.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3.exe

Filesize
892KB

MD5
7e05f5f77f8a0f63634cd734ae52ce55

SHA1
be8784d03a832aaddfdcd53a0d337fbfbf100ee6

SHA256
0b9a5d51c56644ecd7a0b0b9f31533da83d1d16d6fd2db55bbcda7b095ca8fdb

SHA512
29616b472141370252c58c827d733864a119fe87590aa3f2e41ac61cad18bc717de9afcadebfc4bfc0171ee54bc8126efcedd119aea67e260795d187f4bc2c87

Download Submit
memory/2264-206-0x0000000000E50000-0x000000000103E000-memory.dmp

Filesize
1.9MB

Download
memory/2264-205-0x0000000000E50000-0x000000000103E000-memory.dmp

Filesize
1.9MB

Download
memory/2400-147-0x0000000000E00000-0x0000000000FEE000-memory.dmp

Filesize
1.9MB

Download
memory/2400-146-0x0000000000E00000-0x0000000000FEE000-memory.dmp

Filesize
1.9MB

Download
memory/2420-138-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2420-51-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2572-169-0x0000000000E50000-0x000000000103E000-memory.dmp

Filesize
1.9MB

Download
memory/2572-171-0x0000000000E50000-0x000000000103E000-memory.dmp

Filesize
1.9MB

Download
memory/2592-167-0x00000000009C0000-0x0000000000BAE000-memory.dmp

Filesize
1.9MB

Download
memory/2592-154-0x00000000009C0000-0x0000000000BAE000-memory.dmp

Filesize
1.9MB

Download
memory/2592-139-0x00000000009C0000-0x0000000000BAE000-memory.dmp

Filesize
1.9MB

Download
memory/2592-140-0x00000000009C0000-0x0000000000BAE000-memory.dmp

Filesize
1.9MB

Download
memory/2592-18-0x00000000009C0000-0x0000000000BAE000-memory.dmp

Filesize
1.9MB

Download
memory/2592-202-0x00000000009C0000-0x0000000000BAE000-memory.dmp

Filesize
1.9MB

Download
memory/2592-142-0x00000000009C0000-0x0000000000BAE000-memory.dmp

Filesize
1.9MB

Download
memory/2592-46-0x00000000001D0000-0x00000000001E0000-memory.dmp

Filesize
64KB

Download
memory/2592-200-0x00000000009C0000-0x0000000000BAE000-memory.dmp

Filesize
1.9MB

Download
memory/2592-198-0x00000000009C0000-0x0000000000BAE000-memory.dmp

Filesize
1.9MB

Download
memory/2592-148-0x00000000009C0000-0x0000000000BAE000-memory.dmp

Filesize
1.9MB

Download
memory/2592-150-0x00000000009C0000-0x0000000000BAE000-memory.dmp

Filesize
1.9MB

Download
memory/2592-152-0x00000000009C0000-0x0000000000BAE000-memory.dmp

Filesize
1.9MB

Download
memory/2592-196-0x00000000009C0000-0x0000000000BAE000-memory.dmp

Filesize
1.9MB

Download
memory/2592-194-0x00000000009C0000-0x0000000000BAE000-memory.dmp

Filesize
1.9MB

Download
memory/2592-185-0x00000000009C0000-0x0000000000BAE000-memory.dmp

Filesize
1.9MB

Download
memory/2840-159-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/2840-195-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/2840-149-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/2840-39-0x0000000005610000-0x00000000057FE000-memory.dmp

Filesize
1.9MB

Download
memory/2840-143-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/2840-141-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/3008-28-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/3008-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3008-16-0x0000000005640000-0x000000000582E000-memory.dmp

Filesize
1.9MB

Download
memory/3016-41-0x0000000000C50000-0x0000000000E3E000-memory.dmp

Filesize
1.9MB

Download
memory/3016-48-0x0000000000C50000-0x0000000000E3E000-memory.dmp

Filesize
1.9MB

Download