xred | f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-12-2024 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe
Size

1.5MB
MD5

92fc1b64d702ebee25b1cabea2a81ae0
SHA1

1d3d5ec151eae49d8186d755db49c0d2b1df1a76
SHA256

f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730
SHA512

ac8ad02121c75db44ce5c67c4e7ec7cfdcb2fdcb5577c2675d8c7c63fca27c86626ee45e92c8ec58efedfb35bf9e863b76d482e45eb4dd1427b9a88c73e1981d
SSDEEP

24576:ansJ39LyjbJkQFMhmC+6GD9u5xolYQY6dp7gAVKzar5:ansHyjtk2MYC5GDjYmp7gAVK2

Score

10^/10

xred backdoor discovery evasion persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Executes dropped EXE 12 IoCs

pid	Process
1684	._cache_f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe
2276	._cache_f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730n.exe
2840	Synaptics.exe
2984	icsys.icn.exe
2948	explorer.exe
2648	spoolsv.exe
1284	svchost.exe
1820	._cache_Synaptics.exe
756	spoolsv.exe
1516	._cache_synaptics.exe
2924	icsys.icn.exe
2932	explorer.exe

Loads dropped DLL 23 IoCs

pid	Process
2120	f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe
2120	f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe
1684	._cache_f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe
2120	f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe
2120	f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe
1684	._cache_f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe
1684	._cache_f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe
2984	icsys.icn.exe
2984	icsys.icn.exe
2948	explorer.exe
2948	explorer.exe
2648	spoolsv.exe
2648	spoolsv.exe
2840	Synaptics.exe
2840	Synaptics.exe
2840	Synaptics.exe
1284	svchost.exe
1284	svchost.exe
1820	._cache_Synaptics.exe
1820	._cache_Synaptics.exe
1820	._cache_Synaptics.exe
2924	icsys.icn.exe
2924	icsys.icn.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2372	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2984	icsys.icn.exe
2948	explorer.exe
2948	explorer.exe
2948	explorer.exe
1284	svchost.exe
1284	svchost.exe
1284	svchost.exe
2948	explorer.exe
2948	explorer.exe
1284	svchost.exe
1284	svchost.exe
2948	explorer.exe
1284	svchost.exe
2948	explorer.exe
2948	explorer.exe
1284	svchost.exe
1284	svchost.exe
2948	explorer.exe
1284	svchost.exe
2948	explorer.exe
1284	svchost.exe
2948	explorer.exe
1284	svchost.exe
2948	explorer.exe
2948	explorer.exe
1284	svchost.exe
1284	svchost.exe
2948	explorer.exe
1284	svchost.exe
2948	explorer.exe
1284	svchost.exe
2948	explorer.exe
2948	explorer.exe
1284	svchost.exe
1284	svchost.exe
2948	explorer.exe
2948	explorer.exe
1284	svchost.exe
1284	svchost.exe
2948	explorer.exe
2948	explorer.exe
1284	svchost.exe
1284	svchost.exe
2948	explorer.exe
2948	explorer.exe
1284	svchost.exe
1284	svchost.exe
2948	explorer.exe
1284	svchost.exe
2948	explorer.exe
2948	explorer.exe
1284	svchost.exe
1284	svchost.exe
2948	explorer.exe
2948	explorer.exe
1284	svchost.exe
1284	svchost.exe
2948	explorer.exe
2948	explorer.exe
1284	svchost.exe
1284	svchost.exe
2948	explorer.exe
2948	explorer.exe
1284	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1284	svchost.exe
2948	explorer.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
1684	._cache_f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe
1684	._cache_f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe
2984	icsys.icn.exe
2984	icsys.icn.exe
2948	explorer.exe
2948	explorer.exe
2648	spoolsv.exe
2648	spoolsv.exe
1284	svchost.exe
1284	svchost.exe
1820	._cache_Synaptics.exe
756	spoolsv.exe
1820	._cache_Synaptics.exe
756	spoolsv.exe
2948	explorer.exe
2948	explorer.exe
2924	icsys.icn.exe
2924	icsys.icn.exe
2372	EXCEL.EXE
2932	explorer.exe
2932	explorer.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 1684	2120	f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe	30
PID 2120 wrote to memory of 1684	2120	f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe	30
PID 2120 wrote to memory of 1684	2120	f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe	30
PID 2120 wrote to memory of 1684	2120	f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe	30
PID 1684 wrote to memory of 2276	1684	._cache_f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe	31
PID 1684 wrote to memory of 2276	1684	._cache_f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe	31
PID 1684 wrote to memory of 2276	1684	._cache_f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe	31
PID 1684 wrote to memory of 2276	1684	._cache_f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe	31
PID 2120 wrote to memory of 2840	2120	f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe	32
PID 2120 wrote to memory of 2840	2120	f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe	32
PID 2120 wrote to memory of 2840	2120	f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe	32
PID 2120 wrote to memory of 2840	2120	f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe	32
PID 1684 wrote to memory of 2984	1684	._cache_f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe	33
PID 1684 wrote to memory of 2984	1684	._cache_f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe	33
PID 1684 wrote to memory of 2984	1684	._cache_f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe	33
PID 1684 wrote to memory of 2984	1684	._cache_f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe	33
PID 2984 wrote to memory of 2948	2984	icsys.icn.exe	34
PID 2984 wrote to memory of 2948	2984	icsys.icn.exe	34
PID 2984 wrote to memory of 2948	2984	icsys.icn.exe	34
PID 2984 wrote to memory of 2948	2984	icsys.icn.exe	34
PID 2948 wrote to memory of 2648	2948	explorer.exe	35
PID 2948 wrote to memory of 2648	2948	explorer.exe	35
PID 2948 wrote to memory of 2648	2948	explorer.exe	35
PID 2948 wrote to memory of 2648	2948	explorer.exe	35
PID 2648 wrote to memory of 1284	2648	spoolsv.exe	36
PID 2648 wrote to memory of 1284	2648	spoolsv.exe	36
PID 2648 wrote to memory of 1284	2648	spoolsv.exe	36
PID 2648 wrote to memory of 1284	2648	spoolsv.exe	36
PID 2840 wrote to memory of 1820	2840	Synaptics.exe	37
PID 2840 wrote to memory of 1820	2840	Synaptics.exe	37
PID 2840 wrote to memory of 1820	2840	Synaptics.exe	37
PID 2840 wrote to memory of 1820	2840	Synaptics.exe	37
PID 1284 wrote to memory of 756	1284	svchost.exe	38
PID 1284 wrote to memory of 756	1284	svchost.exe	38
PID 1284 wrote to memory of 756	1284	svchost.exe	38
PID 1284 wrote to memory of 756	1284	svchost.exe	38
PID 1820 wrote to memory of 1516	1820	._cache_Synaptics.exe	40
PID 1820 wrote to memory of 1516	1820	._cache_Synaptics.exe	40
PID 1820 wrote to memory of 1516	1820	._cache_Synaptics.exe	40
PID 1820 wrote to memory of 1516	1820	._cache_Synaptics.exe	40
PID 1820 wrote to memory of 2924	1820	._cache_Synaptics.exe	41
PID 1820 wrote to memory of 2924	1820	._cache_Synaptics.exe	41
PID 1820 wrote to memory of 2924	1820	._cache_Synaptics.exe	41
PID 1820 wrote to memory of 2924	1820	._cache_Synaptics.exe	41
PID 2924 wrote to memory of 2932	2924	icsys.icn.exe	42
PID 2924 wrote to memory of 2932	2924	icsys.icn.exe	42
PID 2924 wrote to memory of 2932	2924	icsys.icn.exe	42
PID 2924 wrote to memory of 2932	2924	icsys.icn.exe	42
PID 1284 wrote to memory of 1972	1284	svchost.exe	43
PID 1284 wrote to memory of 1972	1284	svchost.exe	43
PID 1284 wrote to memory of 1972	1284	svchost.exe	43
PID 1284 wrote to memory of 1972	1284	svchost.exe	43
PID 1284 wrote to memory of 1560	1284	svchost.exe	47
PID 1284 wrote to memory of 1560	1284	svchost.exe	47
PID 1284 wrote to memory of 1560	1284	svchost.exe	47
PID 1284 wrote to memory of 1560	1284	svchost.exe	47

C:\Users\Admin\AppData\Local\Temp\f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe
"C:\Users\Admin\AppData\Local\Temp\f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Users\Admin\AppData\Local\Temp\._cache_f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1684
- - \??\c:\users\admin\appdata\local\temp\._cache_f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730n.exe
    c:\users\admin\appdata\local\temp\._cache_f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730n.exe
    3⤵
    - Executes dropped EXE
    PID:2276
- - C:\Users\Admin\AppData\Local\icsys.icn.exe
    C:\Users\Admin\AppData\Local\icsys.icn.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2648
      - \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:756
        
        C:\Windows\SysWOW64\at.exe
        
        at 20:24 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Windows\SysWOW64\at.exe
        
        at 20:25 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1560
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1820
  - - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
      c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
      4⤵
      Executes dropped EXE
      PID:1516
  - - C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2924
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2932

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.5MB

MD5
92fc1b64d702ebee25b1cabea2a81ae0

SHA1
1d3d5ec151eae49d8186d755db49c0d2b1df1a76

SHA256
f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730

SHA512
ac8ad02121c75db44ce5c67c4e7ec7cfdcb2fdcb5577c2675d8c7c63fca27c86626ee45e92c8ec58efedfb35bf9e863b76d482e45eb4dd1427b9a88c73e1981d

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730n.exe

Filesize
587KB

MD5
1799da063f7a1b0c93ea50bc000097f1

SHA1
362877bf4f45e2552524fde912a2e6ced309a1a5

SHA256
2e41ff11d78405149f88dd9a02347cb94eb044ce4ff4c5001c9e990f53d6e4ae

SHA512
cc6878d14930d2419eea813877e7e197441295d00d22f400b8f4354c57157742048c2954469eeb68381c6377dcc3d326480c15e24beb8429e67ed73da636efae

Download Submit
C:\Users\Admin\AppData\Local\Temp\UqZw7BFf.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
c7f25895435384843a1ac89bea6ac604

SHA1
3450edcb2b6f2f61851bcf9c7ee77257e8a6ddc7

SHA256
6f777d397b138ebca5cfb9d2e638d7a99fbf5a6119246fdca8ec2d4802eacf15

SHA512
d653ed0d2a58ff11e39dc3e22176a9341c233dff4dae135539ce077ac6a26d1c3335b74752461edbbb6f858ef9bdaef4a8cfa044246eeecc73d219e04469bcd2

Download Submit
C:\Windows\system\explorer.exe

Filesize
207KB

MD5
2a1ce10398410e156941fa35c088c19f

SHA1
79e0b444887ce4f0dde994c49808c9e03ed664ce

SHA256
b9f7411ba0d3c7dc4817b0dbeafa59330a4cbd7e7fa5422c928bcaac5fe801a5

SHA512
0ee024221d6e27cceb2b85aff1482b7ead2591abe01f6aebf0ee8882920d87ad09e0703a20c61ef3c54aff0db01f94b163176d658a36d9fdceab6869d44f6a5e

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
206KB

MD5
e5905bf52292e8d7d7c95b04c241330c

SHA1
851ed3d6297199da45be559371436a15cecbe101

SHA256
139f80e990971765973294409c3a22175f79c56f7f3f22111c18d390b69979f3

SHA512
aa328bc4bffbbeb2b330d75cae9206c4c163392a94a2cfabbaa34db2aeafea20e616e068929af38f70b2d99ae2592322e1c0cbd1b63561105d7d6c5a6a64b5b9

Download Submit
C:\Windows\system\svchost.exe

Filesize
206KB

MD5
94a22a20e54326e679f066f6cc1eec91

SHA1
b6e5d8981c87184ac850a15d4afe5a8b8b2c5051

SHA256
af60ccc6ce8874499ae4032973bc8b90a36a27b7ede0ec435baabf3e1be92730

SHA512
c8bab2c2fc8edce1a1ade0162ad86ad27ee2439e5edb29fe99f086cb52fee406f294a4d82fec3a716af891b6c8d3be3509c5705640c99bb286d6f7502b89d6ba

Download Submit
\??\c:\users\admin\appdata\local\icsys.icn.exe

Filesize
206KB

MD5
34a4e56b76b7a84797188bdc281c99ac

SHA1
a40b57f5ecaa1770f15be361a4f97468f054eaa5

SHA256
210a6be7ccb3a097ff5e26d97c242bfec0e87927e9a539a65e5613b0a2723b87

SHA512
ce505811c995b1b7f8e7451aad6768e0e2e552d6f7e7e577dafa2d4ed3c1543b60ea998e687d46f2ac2135d9b1aab9e41d2a5fd70c4b0976d2ee345a0864ece6

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe

Filesize
794KB

MD5
020e3a7e3dea3fa0efc7dfd92eec9b74

SHA1
41b784857d38376f5c56aed0fa8181e5810192ef

SHA256
0ca516bbce57427d0819d15a1d02f46cbdbe0729d8d79d8321176e91e3444e57

SHA512
2f68fef8d0bc9cea789a8963cf10dfe51ea6313c8cc2b862dde9c3b9da1fa55d787de28e8f076c56be7541f99624e80103c44b44dcfa0e81fb18f633bea68f53

Download Submit
memory/756-125-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/756-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1284-100-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1284-181-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1684-47-0x0000000001F00000-0x0000000001F2F000-memory.dmp

Filesize
188KB

Download
memory/1684-22-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1684-48-0x0000000001F00000-0x0000000001F2F000-memory.dmp

Filesize
188KB

Download
memory/1684-129-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1820-139-0x0000000002340000-0x000000000236F000-memory.dmp

Filesize
188KB

Download
memory/1820-115-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1820-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2120-11-0x0000000004100000-0x000000000412F000-memory.dmp

Filesize
188KB

Download
memory/2120-6-0x0000000004100000-0x000000000412F000-memory.dmp

Filesize
188KB

Download
memory/2120-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2120-49-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2372-132-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2648-124-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2648-99-0x00000000023F0000-0x000000000241F000-memory.dmp

Filesize
188KB

Download
memory/2648-81-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2648-98-0x00000000023F0000-0x000000000241F000-memory.dmp

Filesize
188KB

Download
memory/2840-173-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2840-208-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2840-114-0x00000000040D0000-0x00000000040FF000-memory.dmp

Filesize
188KB

Download
memory/2840-180-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2840-172-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/2924-150-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2924-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-146-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2932-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-145-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2948-179-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2948-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2984-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download