xred | 673e03c5d3ca3a05343ba673ed9d06ff4ac4b86d9bd764a093086b0ebe5ddd34

Analysis

max time kernel
52s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EXTERIUM MENU.rar
Size

1.2MB
MD5

98fe9547f290025b42b069b59eca8792
SHA1

2684c40ed1f1dc335ee7205bf0c1c59f3ece5011
SHA256

673e03c5d3ca3a05343ba673ed9d06ff4ac4b86d9bd764a093086b0ebe5ddd34
SHA512

cea048e9890f06940e62032acabf86b116076aa125611df7db7cbbb1b8869c056082a6a2894de769277e4125401b579f7d7ab1f627ef4ff7f660c20f43ea0209
SSDEEP

24576:4p1dhrNxZowKmD1deLaG2FwBjwNMxttcNMHDLYoE26eNe:4jdhrNxZoXmfeLaXWtOMxttcWj0oE26r

Score

10^/10

xred backdoor discovery evasion execution persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Ronaldinho.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 4 IoCs

pid	Process
4548	Ronaldinho.exe
4800	._cache_Ronaldinho.exe
2540	Synaptics.exe
4844	._cache_Synaptics.exe

Loads dropped DLL 4 IoCs

pid	Process
4548	Ronaldinho.exe
4548	Ronaldinho.exe
2540	Synaptics.exe
2540	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Ronaldinho.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MTA San Andreas 1.6\server\mods\deathmatch\deathmatch.dll	._cache_Ronaldinho.exe
File created	C:\Program Files (x86)\MTA San Andreas 1.6\server\mods\deathmatch\deathmatch.dll	._cache_Synaptics.exe

Launches sc.exe 19 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1056	sc.exe
1444	sc.exe
3036	sc.exe
3400	sc.exe
3516	sc.exe
2992	sc.exe
3772	sc.exe
8	sc.exe
3856	sc.exe
4736	sc.exe
3560	sc.exe
3500	sc.exe
2832	sc.exe
2632	sc.exe
3400	sc.exe
4060	sc.exe
3132	sc.exe
1664	sc.exe
2324	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3492	powershell.exe
5028	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ronaldinho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Ronaldinho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4092	PING.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Ronaldinho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4092	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4632	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe
4800	._cache_Ronaldinho.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	1448	7zFM.exe
Token: 35	1448	7zFM.exe
Token: SeSecurityPrivilege	1448	7zFM.exe
Token: SeDebugPrivilege	3492	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1448	7zFM.exe
1448	7zFM.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4632	EXCEL.EXE
4632	EXCEL.EXE
4632	EXCEL.EXE
4632	EXCEL.EXE
4632	EXCEL.EXE
4632	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4548 wrote to memory of 4800	4548	Ronaldinho.exe	96
PID 4548 wrote to memory of 4800	4548	Ronaldinho.exe	96
PID 4548 wrote to memory of 4800	4548	Ronaldinho.exe	96
PID 4800 wrote to memory of 1404	4800	._cache_Ronaldinho.exe	98
PID 4800 wrote to memory of 1404	4800	._cache_Ronaldinho.exe	98
PID 4800 wrote to memory of 1404	4800	._cache_Ronaldinho.exe	98
PID 4548 wrote to memory of 2540	4548	Ronaldinho.exe	99
PID 4548 wrote to memory of 2540	4548	Ronaldinho.exe	99
PID 4548 wrote to memory of 2540	4548	Ronaldinho.exe	99
PID 1404 wrote to memory of 3400	1404	cmd.exe	100
PID 1404 wrote to memory of 3400	1404	cmd.exe	100
PID 1404 wrote to memory of 3400	1404	cmd.exe	100
PID 4800 wrote to memory of 1948	4800	._cache_Ronaldinho.exe	101
PID 4800 wrote to memory of 1948	4800	._cache_Ronaldinho.exe	101
PID 4800 wrote to memory of 1948	4800	._cache_Ronaldinho.exe	101
PID 1948 wrote to memory of 4736	1948	cmd.exe	102
PID 1948 wrote to memory of 4736	1948	cmd.exe	102
PID 1948 wrote to memory of 4736	1948	cmd.exe	102
PID 4800 wrote to memory of 2132	4800	._cache_Ronaldinho.exe	103
PID 4800 wrote to memory of 2132	4800	._cache_Ronaldinho.exe	103
PID 4800 wrote to memory of 2132	4800	._cache_Ronaldinho.exe	103
PID 2132 wrote to memory of 4060	2132	cmd.exe	104
PID 2132 wrote to memory of 4060	2132	cmd.exe	104
PID 2132 wrote to memory of 4060	2132	cmd.exe	104
PID 4800 wrote to memory of 1052	4800	._cache_Ronaldinho.exe	105
PID 4800 wrote to memory of 1052	4800	._cache_Ronaldinho.exe	105
PID 4800 wrote to memory of 1052	4800	._cache_Ronaldinho.exe	105
PID 1052 wrote to memory of 3560	1052	cmd.exe	106
PID 1052 wrote to memory of 3560	1052	cmd.exe	106
PID 1052 wrote to memory of 3560	1052	cmd.exe	106
PID 2540 wrote to memory of 4844	2540	Synaptics.exe	107
PID 2540 wrote to memory of 4844	2540	Synaptics.exe	107
PID 2540 wrote to memory of 4844	2540	Synaptics.exe	107
PID 4844 wrote to memory of 4476	4844	._cache_Synaptics.exe	110
PID 4844 wrote to memory of 4476	4844	._cache_Synaptics.exe	110
PID 4844 wrote to memory of 4476	4844	._cache_Synaptics.exe	110
PID 4476 wrote to memory of 3516	4476	cmd.exe	111
PID 4476 wrote to memory of 3516	4476	cmd.exe	111
PID 4476 wrote to memory of 3516	4476	cmd.exe	111
PID 4844 wrote to memory of 3636	4844	._cache_Synaptics.exe	112
PID 4844 wrote to memory of 3636	4844	._cache_Synaptics.exe	112
PID 4844 wrote to memory of 3636	4844	._cache_Synaptics.exe	112
PID 3636 wrote to memory of 3500	3636	cmd.exe	113
PID 3636 wrote to memory of 3500	3636	cmd.exe	113
PID 3636 wrote to memory of 3500	3636	cmd.exe	113
PID 4844 wrote to memory of 4992	4844	._cache_Synaptics.exe	114
PID 4844 wrote to memory of 4992	4844	._cache_Synaptics.exe	114
PID 4844 wrote to memory of 4992	4844	._cache_Synaptics.exe	114
PID 4992 wrote to memory of 8	4992	cmd.exe	115
PID 4992 wrote to memory of 8	4992	cmd.exe	115
PID 4992 wrote to memory of 8	4992	cmd.exe	115
PID 4844 wrote to memory of 3564	4844	._cache_Synaptics.exe	117
PID 4844 wrote to memory of 3564	4844	._cache_Synaptics.exe	117
PID 4844 wrote to memory of 3564	4844	._cache_Synaptics.exe	117
PID 3564 wrote to memory of 2992	3564	cmd.exe	118
PID 3564 wrote to memory of 2992	3564	cmd.exe	118
PID 3564 wrote to memory of 2992	3564	cmd.exe	118
PID 3044 wrote to memory of 3772	3044	cmd.exe	124
PID 3044 wrote to memory of 3772	3044	cmd.exe	124
PID 3044 wrote to memory of 3132	3044	cmd.exe	125
PID 3044 wrote to memory of 3132	3044	cmd.exe	125
PID 3044 wrote to memory of 1056	3044	cmd.exe	126
PID 3044 wrote to memory of 1056	3044	cmd.exe	126
PID 3044 wrote to memory of 1444	3044	cmd.exe	127

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\EXTERIUM MENU.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1448

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1244

C:\Users\Admin\Desktop\EXTERIUM MENU\Ronaldinho.exe
"C:\Users\Admin\Desktop\EXTERIUM MENU\Ronaldinho.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Users\Admin\Desktop\EXTERIUM MENU\._cache_Ronaldinho.exe
  "C:\Users\Admin\Desktop\EXTERIUM MENU\._cache_Ronaldinho.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop FairplayKD >nul
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1404
  - - C:\Windows\SysWOW64\sc.exe
      sc stop FairplayKD
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:3400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete FairplayKD >nul
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Windows\SysWOW64\sc.exe
      sc delete FairplayKD
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop FairplayKD1 >nul
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\SysWOW64\sc.exe
      sc stop FairplayKD1
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:4060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc delete FairplayKD1 >nul
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1052
  - - C:\Windows\SysWOW64\sc.exe
      sc delete FairplayKD1
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:3560
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Users\Admin\Desktop\EXTERIUM MENU\._cache_Synaptics.exe
    "C:\Users\Admin\Desktop\EXTERIUM MENU\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop FairplayKD >nul
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4476
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop FairplayKD
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete FairplayKD >nul
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3636
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete FairplayKD
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3500
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop FairplayKD1 >nul
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4992
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop FairplayKD1
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:8
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete FairplayKD1 >nul
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3564
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete FairplayKD1
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2992

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\EXTERIUM MENU\ClearAndInject.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\system32\sc.exe
  sc delete FairplayKD
  2⤵
  - Launches sc.exe
  PID:3772
- C:\Windows\system32\sc.exe
  sc delete FairplayKD1
  2⤵
  - Launches sc.exe
  PID:3132
- C:\Windows\system32\sc.exe
  sc delete FairplayKD2
  2⤵
  - Launches sc.exe
  PID:1056
- C:\Windows\system32\sc.exe
  sc delete FairplayKD3
  2⤵
  - Launches sc.exe
  PID:1444
- C:\Windows\system32\sc.exe
  sc delete FairplayKD4
  2⤵
  - Launches sc.exe
  PID:1664
- C:\Windows\system32\sc.exe
  sc delete FairplayKD5
  2⤵
  - Launches sc.exe
  PID:3856
- C:\Windows\system32\sc.exe
  sc delete FairplayKD6
  2⤵
  - Launches sc.exe
  PID:3036
- C:\Windows\system32\sc.exe
  sc delete FairplayKD7
  2⤵
  - Launches sc.exe
  PID:2832
- C:\Windows\system32\sc.exe
  sc delete FairplayKD8
  2⤵
  - Launches sc.exe
  PID:3400
- C:\Windows\system32\sc.exe
  sc delete FairplayKD9
  2⤵
  - Launches sc.exe
  PID:2632
- C:\Windows\system32\sc.exe
  sc delete FairplayKD10
  2⤵
  - Launches sc.exe
  PID:2324
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 2
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy Bypass -File C:\Users\service.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\86285E00

Filesize
23KB

MD5
ceb29d3af123a5f4814b81ab4adde70c

SHA1
330d3847f300ed309cce5fec9838d472c15a0771

SHA256
a27d4d1162b153d6ea19f5cbd124260882a3431f8e36e5936fdaaaf060a1138a

SHA512
2b26f166274ee792d6b2114a8674e3330a600741ba93ac5cc4f94c511a956b8e5b9a879be5bdfe9e4d7f06eb1502ed7d27bb36a0761de65c577cbea6754f0d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PEkaslJA.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pvhg1yns.khy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\EXTERIUM MENU\._cache_Ronaldinho.exe

Filesize
81KB

MD5
fc828e19b493a58ea76e7ce0a1b65f75

SHA1
c85104b82ab6c30ead886d7502c01a9d9f40462f

SHA256
f60e78737ada1406899b5a611cb58708eff8fdfefc1776849d3f25352b32ea3e

SHA512
f4cdf06d90e852a0c019f5ff533c8325b4699975da90cf7f035b47e157ac5f3d908cdfe8a9977107511253df1773d72a39db76b768b47f562ae2b307c97275ab

Download Submit
C:\Users\Admin\Desktop\EXTERIUM MENU\ClearAndInject.bat

Filesize
2KB

MD5
8ac5e8da6322972aa04a3633bb6e722b

SHA1
6f8dfb8bdd3e3a193d63b1afb6cb9be1dfa6d318

SHA256
2db06ea0d8ce19bdf0cd6658e02f0839e2cc0936eb579813413762de609b2364

SHA512
e74c5389049907ac197d77cdf6273486d4c7d8765555ceb46492dcdf2eeb4e55f9cb5c6ac57746e06d2bfcedbfc92de0a21f049a24bc50daa249950fd888ca7a

Download Submit
C:\Users\Admin\Desktop\EXTERIUM MENU\Ronaldinho.exe

Filesize
925KB

MD5
763b51147ac485d8bb0637807b01c640

SHA1
14c4e1a70881b4f068da923d54bb7b663d2f10b3

SHA256
2fce332966c26536102e950d12e3606e40d1bbe77337255c34e53bab858c2a1e

SHA512
51fd34524e46a0be5454573ed9d9d6454016790b79c173127874fa980d2c95f79b5f8cbfb7b79c7d6cbaeb6927bf50e791e7a3739274ec601c114fb25731d3b9

Download Submit
C:\Users\Admin\Desktop\EXTERIUM MENU\dutchlove2.dll

Filesize
1.6MB

MD5
687932f2f49a6665e8fecaa522c7dfc2

SHA1
029a0b9e8e10e83caad07202625fd0b4e53bdc87

SHA256
5b25c651d62c0e0fcc143a409a8783c876522b3fe861d81e4d8338e22f630f1b

SHA512
1ebbf0aa8f46b1a2fed7fefc1478efbbb8e242cab1fa3a336d94cf2f6e0f318d4958fca4c10a22dc239d6a226e8dd3cd95a4976f188f3ce098b7fd2834b24b68

Download Submit
C:\Users\service.ps1

Filesize
1KB

MD5
55cee1bfb2bb685c8886fef55e2f0eed

SHA1
c52eab8b690bfc94ff354d10f3d944af76d49f9a

SHA256
728ecfc271c6117ff28b278845cd18614e79e69d4a8c9ee7d3266b274452ad95

SHA512
1ac4aa4ea02d513d66f39e0ebab8d64d6c03bdbb7ed84eff2fac6bebffb1bf0516e16f90baaf8c3d5a67b53c10b07518b3fbd37057b54966fcfd177a557ca02a

Download Submit
memory/2540-197-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/3492-186-0x000001E072150000-0x000001E072172000-memory.dmp

Filesize
136KB

Download
memory/4548-10-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4548-81-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/4632-124-0x00007FFF23D30000-0x00007FFF23D40000-memory.dmp

Filesize
64KB

Download
memory/4632-182-0x00007FFF26690000-0x00007FFF266A0000-memory.dmp

Filesize
64KB

Download
memory/4632-183-0x00007FFF26690000-0x00007FFF266A0000-memory.dmp

Filesize
64KB

Download
memory/4632-181-0x00007FFF26690000-0x00007FFF266A0000-memory.dmp

Filesize
64KB

Download
memory/4632-180-0x00007FFF26690000-0x00007FFF266A0000-memory.dmp

Filesize
64KB

Download
memory/4632-121-0x00007FFF26690000-0x00007FFF266A0000-memory.dmp

Filesize
64KB

Download
memory/4632-125-0x00007FFF23D30000-0x00007FFF23D40000-memory.dmp

Filesize
64KB

Download
memory/4632-120-0x00007FFF26690000-0x00007FFF266A0000-memory.dmp

Filesize
64KB

Download
memory/4632-123-0x00007FFF26690000-0x00007FFF266A0000-memory.dmp

Filesize
64KB

Download
memory/4632-122-0x00007FFF26690000-0x00007FFF266A0000-memory.dmp

Filesize
64KB

Download
memory/4632-119-0x00007FFF26690000-0x00007FFF266A0000-memory.dmp

Filesize
64KB

Download