xred | 2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f

Analysis

max time kernel
120s
max time network
102s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26-12-2024 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe
Size

1.5MB
MD5

541530d085f95820042277daebb1f623
SHA1

31d4b8fc956c9436c114e53524b0d80e8e5dfd4c
SHA256

2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f
SHA512

305724ce531d1b6b4cf8739a10d32551334e1a1e712790839c9a81d51cc5496e1f76cd28d9a680bcc251a795739c5f1a3471e2583005af53925fb47c0c77dbd7
SSDEEP

24576:ansJ39LyjbJkQFMhmC+6GD9u5xolYQY6dp7gAVKzarL:ansHyjtk2MYC5GDjYmp7gAVKS

Score

10^/10

xred backdoor discovery evasion macro persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe

Suspicious Office macro 2 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x000600000001998d-186.dat
behavioral1/files/0x0006000000019bf5-199.dat

Executes dropped EXE 11 IoCs

pid	Process
2212	._cache_2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe
2764	Synaptics.exe
2852	._cache_2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe
640	icsys.icn.exe
2720	._cache_Synaptics.exe
2648	explorer.exe
3048	._cache_synaptics.exe
2808	icsys.icn.exe
1068	spoolsv.exe
676	svchost.exe
2292	spoolsv.exe

Loads dropped DLL 20 IoCs

pid	Process
2820	2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe
2820	2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe
2820	2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe
2820	2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe
2212	._cache_2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe
2212	._cache_2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe
2212	._cache_2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe
2764	Synaptics.exe
2764	Synaptics.exe
2764	Synaptics.exe
640	icsys.icn.exe
640	icsys.icn.exe
2720	._cache_Synaptics.exe
2648	explorer.exe
2648	explorer.exe
2720	._cache_Synaptics.exe
1068	spoolsv.exe
1068	spoolsv.exe
676	svchost.exe
676	svchost.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2184	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
640	icsys.icn.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
676	svchost.exe
676	svchost.exe
2648	explorer.exe
676	svchost.exe
2648	explorer.exe
676	svchost.exe
2648	explorer.exe
676	svchost.exe
2648	explorer.exe
676	svchost.exe
2648	explorer.exe
676	svchost.exe
2648	explorer.exe
676	svchost.exe
2648	explorer.exe
676	svchost.exe
2648	explorer.exe
676	svchost.exe
2648	explorer.exe
676	svchost.exe
2648	explorer.exe
676	svchost.exe
2648	explorer.exe
676	svchost.exe
2648	explorer.exe
676	svchost.exe
2648	explorer.exe
2648	explorer.exe
676	svchost.exe
2648	explorer.exe
676	svchost.exe
676	svchost.exe
2648	explorer.exe
2648	explorer.exe
676	svchost.exe
2648	explorer.exe
676	svchost.exe
676	svchost.exe
2648	explorer.exe
2648	explorer.exe
676	svchost.exe
676	svchost.exe
2648	explorer.exe
2648	explorer.exe
676	svchost.exe
2648	explorer.exe
676	svchost.exe
676	svchost.exe
2648	explorer.exe
676	svchost.exe
2648	explorer.exe
676	svchost.exe
2648	explorer.exe
2648	explorer.exe
676	svchost.exe
2648	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2648	explorer.exe
676	svchost.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
2212	._cache_2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe
2212	._cache_2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe
640	icsys.icn.exe
640	icsys.icn.exe
2720	._cache_Synaptics.exe
2720	._cache_Synaptics.exe
2648	explorer.exe
2648	explorer.exe
2808	icsys.icn.exe
2808	icsys.icn.exe
2184	EXCEL.EXE
1068	spoolsv.exe
1068	spoolsv.exe
676	svchost.exe
676	svchost.exe
2292	spoolsv.exe
2292	spoolsv.exe
2648	explorer.exe
2648	explorer.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2212	2820	2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe	30
PID 2820 wrote to memory of 2212	2820	2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe	30
PID 2820 wrote to memory of 2212	2820	2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe	30
PID 2820 wrote to memory of 2212	2820	2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe	30
PID 2820 wrote to memory of 2764	2820	2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe	31
PID 2820 wrote to memory of 2764	2820	2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe	31
PID 2820 wrote to memory of 2764	2820	2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe	31
PID 2820 wrote to memory of 2764	2820	2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe	31
PID 2212 wrote to memory of 2852	2212	._cache_2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe	32
PID 2212 wrote to memory of 2852	2212	._cache_2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe	32
PID 2212 wrote to memory of 2852	2212	._cache_2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe	32
PID 2212 wrote to memory of 2852	2212	._cache_2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe	32
PID 2212 wrote to memory of 640	2212	._cache_2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe	33
PID 2212 wrote to memory of 640	2212	._cache_2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe	33
PID 2212 wrote to memory of 640	2212	._cache_2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe	33
PID 2212 wrote to memory of 640	2212	._cache_2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe	33
PID 2764 wrote to memory of 2720	2764	Synaptics.exe	34
PID 2764 wrote to memory of 2720	2764	Synaptics.exe	34
PID 2764 wrote to memory of 2720	2764	Synaptics.exe	34
PID 2764 wrote to memory of 2720	2764	Synaptics.exe	34
PID 640 wrote to memory of 2648	640	icsys.icn.exe	36
PID 640 wrote to memory of 2648	640	icsys.icn.exe	36
PID 640 wrote to memory of 2648	640	icsys.icn.exe	36
PID 640 wrote to memory of 2648	640	icsys.icn.exe	36
PID 2720 wrote to memory of 3048	2720	._cache_Synaptics.exe	37
PID 2720 wrote to memory of 3048	2720	._cache_Synaptics.exe	37
PID 2720 wrote to memory of 3048	2720	._cache_Synaptics.exe	37
PID 2720 wrote to memory of 3048	2720	._cache_Synaptics.exe	37
PID 2648 wrote to memory of 1068	2648	explorer.exe	38
PID 2648 wrote to memory of 1068	2648	explorer.exe	38
PID 2648 wrote to memory of 1068	2648	explorer.exe	38
PID 2648 wrote to memory of 1068	2648	explorer.exe	38
PID 2720 wrote to memory of 2808	2720	._cache_Synaptics.exe	39
PID 2720 wrote to memory of 2808	2720	._cache_Synaptics.exe	39
PID 2720 wrote to memory of 2808	2720	._cache_Synaptics.exe	39
PID 2720 wrote to memory of 2808	2720	._cache_Synaptics.exe	39
PID 1068 wrote to memory of 676	1068	spoolsv.exe	40
PID 1068 wrote to memory of 676	1068	spoolsv.exe	40
PID 1068 wrote to memory of 676	1068	spoolsv.exe	40
PID 1068 wrote to memory of 676	1068	spoolsv.exe	40
PID 676 wrote to memory of 2292	676	svchost.exe	41
PID 676 wrote to memory of 2292	676	svchost.exe	41
PID 676 wrote to memory of 2292	676	svchost.exe	41
PID 676 wrote to memory of 2292	676	svchost.exe	41
PID 676 wrote to memory of 2300	676	svchost.exe	42
PID 676 wrote to memory of 2300	676	svchost.exe	42
PID 676 wrote to memory of 2300	676	svchost.exe	42
PID 676 wrote to memory of 2300	676	svchost.exe	42
PID 676 wrote to memory of 2480	676	svchost.exe	46
PID 676 wrote to memory of 2480	676	svchost.exe	46
PID 676 wrote to memory of 2480	676	svchost.exe	46
PID 676 wrote to memory of 2480	676	svchost.exe	46

C:\Users\Admin\AppData\Local\Temp\2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe
"C:\Users\Admin\AppData\Local\Temp\2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Users\Admin\AppData\Local\Temp\._cache_2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2212
- - \??\c:\users\admin\appdata\local\temp\._cache_2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe
    c:\users\admin\appdata\local\temp\._cache_2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe
    3⤵
    - Executes dropped EXE
    PID:2852
- - C:\Users\Admin\AppData\Local\icsys.icn.exe
    C:\Users\Admin\AppData\Local\icsys.icn.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:640
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2648
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1068
      - \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:676
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2292
        
        C:\Windows\SysWOW64\at.exe
        
        at 01:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\at.exe
        
        at 01:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2480
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
      c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
      4⤵
      Executes dropped EXE
      PID:3048
  - - C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2808

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.5MB

MD5
541530d085f95820042277daebb1f623

SHA1
31d4b8fc956c9436c114e53524b0d80e8e5dfd4c

SHA256
2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f

SHA512
305724ce531d1b6b4cf8739a10d32551334e1a1e712790839c9a81d51cc5496e1f76cd28d9a680bcc251a795739c5f1a3471e2583005af53925fb47c0c77dbd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe

Filesize
587KB

MD5
1799da063f7a1b0c93ea50bc000097f1

SHA1
362877bf4f45e2552524fde912a2e6ced309a1a5

SHA256
2e41ff11d78405149f88dd9a02347cb94eb044ce4ff4c5001c9e990f53d6e4ae

SHA512
cc6878d14930d2419eea813877e7e197441295d00d22f400b8f4354c57157742048c2954469eeb68381c6377dcc3d326480c15e24beb8429e67ed73da636efae

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkq9b8bC.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkq9b8bC.xlsm

Filesize
21KB

MD5
5a00ab9446669a7ef996b79615e1309f

SHA1
d0827ed3cef46fa4009d05d9b123bf2ced734e14

SHA256
f0f2a55eda0b1aa46214ba56dc29b6b24752d307251ff5ce2cd48c8b76bf6609

SHA512
99a730c13fbd900cdc3ed54f4dddcce4d9f5690bbb8b9b56c5b4de731615e5c06512de9cc43019c7ef21caba73ac301b5907d11ae9c6966f62501478008f8240

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkq9b8bC.xlsm

Filesize
25KB

MD5
f025f8e1321f33d1d12042280b49f2e4

SHA1
c83fbebcfc82fc2918b9b83b8a7bb46593a820ad

SHA256
f3b11d38819231c99d49712b8f8c57440e841017ad2d757ef75c18e1caedc79d

SHA512
f5e9006fcc1e663d11dc0a3a70e57d91ac4c26e60bef40dfffb7328252f55bb8c59a58f0931ea6bb9d7381cc36b8335443dfbfca13af2cc4168a3a5d41648c81

Download Submit
C:\Users\Admin\AppData\Local\Temp\lkq9b8bC.xlsm

Filesize
23KB

MD5
f2b485be92bf95da0bc361702cf1fe7b

SHA1
9047411044a2585175ee847d4ab32d8cb8eea50d

SHA256
512efa7ae21e28dd3fa5f7c6b1a54cb90ad79bc4b4f106635d676b415b65e8d8

SHA512
9cdda3263819115ce8da248b1f64188e9f2c7b56b19b90be4ce7075ab88e28cf8b97a4eba70140e564975a8db6d2d0c0379c5c5bca55b689e142d854c2e996cf

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
34a4e56b76b7a84797188bdc281c99ac

SHA1
a40b57f5ecaa1770f15be361a4f97468f054eaa5

SHA256
210a6be7ccb3a097ff5e26d97c242bfec0e87927e9a539a65e5613b0a2723b87

SHA512
ce505811c995b1b7f8e7451aad6768e0e2e552d6f7e7e577dafa2d4ed3c1543b60ea998e687d46f2ac2135d9b1aab9e41d2a5fd70c4b0976d2ee345a0864ece6

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
7d11e3ff911e8f5896eda6f52863a054

SHA1
c319751f8a27f3e66296886c6fd52823c54ac891

SHA256
a3dc3ab56e48d1b45b5503f5f197a31e51acf901058cf1dc4d4b02ca121181af

SHA512
6ec13f6d62ec9e5715a91a1bf607766d5e5c71a0177555c8a92c0aa012fe3adce64c8f5522e66c1f6ad6998802f57832ebe469ad54f91808f7611d493cbe0d7a

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
206KB

MD5
dcdbc6e4b6ecf570cadd17235ceee119

SHA1
1d6052084e7017bab3ff2ac848ee5271d864ffe7

SHA256
4fb7238b9eb464a00ba610ad5ccc24757ab59eb38d52e5ed9a6a749ad113b3bb

SHA512
893be3ad06dcbeeb8e3cb1bb0fc91f6b937442b4994620aec49a105976b349274bb364cd82df5a956d9aa0af6c11a101735b1882f8895834d774b4fe851dc3ab

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe

Filesize
794KB

MD5
020e3a7e3dea3fa0efc7dfd92eec9b74

SHA1
41b784857d38376f5c56aed0fa8181e5810192ef

SHA256
0ca516bbce57427d0819d15a1d02f46cbdbe0729d8d79d8321176e91e3444e57

SHA512
2f68fef8d0bc9cea789a8963cf10dfe51ea6313c8cc2b862dde9c3b9da1fa55d787de28e8f076c56be7541f99624e80103c44b44dcfa0e81fb18f633bea68f53

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
ed4778617c138ac214570b8561ada31a

SHA1
4c5e948df46920d64760d31f33fca8a36fe7570e

SHA256
b8ea74bd6d20317a95afa1902e780c069e99da54af1059107734464eba162a29

SHA512
08a8cfc34feac1bd9b66ee063de12ce578b67f7762143cfb4734effc30162c9733424f69da74b80832b284ad273e02d4b9629aefd927a37c3572fc39f9bd69d2

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
f726f7c050357c99dff098018b41f239

SHA1
53b27f3b62395796e2a30b9ef5515a6ed7a14616

SHA256
f879333c81e7d229f4a88739dd84b4f32aaec7336533beaa97139bf00b12a671

SHA512
b8060536d20e1bd582064932fdd8ff01e8ca093c5f299318d67618362c5a7a4011f17e0146dc1ca7ac1241eb5a4b0fa9d1e1b92a3b18b0604d4a305d0128f608

Download Submit
memory/640-82-0x00000000025A0000-0x00000000025CF000-memory.dmp

Filesize
188KB

Download
memory/640-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/640-52-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/676-128-0x00000000004B0000-0x00000000004DF000-memory.dmp

Filesize
188KB

Download
memory/676-245-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1068-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2184-203-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2184-101-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2212-50-0x0000000002D50000-0x0000000002D7F000-memory.dmp

Filesize
188KB

Download
memory/2212-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2212-22-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2212-49-0x0000000002D50000-0x0000000002D7F000-memory.dmp

Filesize
188KB

Download
memory/2292-134-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2648-241-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2648-242-0x0000000002E30000-0x0000000002E5F000-memory.dmp

Filesize
188KB

Download
memory/2648-243-0x0000000002E30000-0x0000000002E5F000-memory.dmp

Filesize
188KB

Download
memory/2720-109-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2764-204-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2764-205-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2764-239-0x0000000003C80000-0x0000000003CAF000-memory.dmp

Filesize
188KB

Download
memory/2764-240-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2764-59-0x0000000003C80000-0x0000000003CAF000-memory.dmp

Filesize
188KB

Download
memory/2764-66-0x0000000003C80000-0x0000000003CAF000-memory.dmp

Filesize
188KB

Download
memory/2808-107-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2820-20-0x0000000003A50000-0x0000000003A7F000-memory.dmp

Filesize
188KB

Download
memory/2820-6-0x0000000003A50000-0x0000000003A7F000-memory.dmp

Filesize
188KB

Download
memory/2820-37-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2820-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download