xred | 71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
31/12/2024, 02:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
Size

1.6MB
MD5

27bcc0d927e9f13250b1dff9e122e9af
SHA1

2f9f09f46fe7ee2a495247292b3f2be0777c2873
SHA256

71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1
SHA512

1bdf5d3ba61b8d99955b92b87377fcbea08db248aae1089a9028a0613eb06c43e330bd781edf66ec955b1042c811094207b8962e391b37fc516a4b93664c7653
SSDEEP

49152:cnsHyjtk2MYC5GDchloJf5fj22pkXaxMa:cnsmtk2alhlyLZ

Score

10^/10

xred backdoor discovery macro persistence upx

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 2 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x000600000001961e-99.dat
behavioral1/files/0x00060000000196a1-123.dat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MHDFGY.lnk	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe

Executes dropped EXE 5 IoCs

pid	Process
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2720	Synaptics.exe
2768	._cache_Synaptics.exe
2528	KQNALS.exe
2940	KQNALS.exe

Loads dropped DLL 6 IoCs

pid	Process
2136	71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2136	71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2136	71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2720	Synaptics.exe
2720	Synaptics.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MHDFGY = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\KQNALS.exe\""	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe

AutoIT Executable 11 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2768-49-0x0000000000C90000-0x0000000000E7E000-memory.dmp	autoit_exe
behavioral1/memory/2384-131-0x0000000000840000-0x0000000000A2E000-memory.dmp	autoit_exe
behavioral1/memory/2384-133-0x0000000000840000-0x0000000000A2E000-memory.dmp	autoit_exe
behavioral1/memory/2384-140-0x0000000000840000-0x0000000000A2E000-memory.dmp	autoit_exe
behavioral1/memory/2528-144-0x00000000001E0000-0x00000000003CE000-memory.dmp	autoit_exe
behavioral1/memory/2528-145-0x00000000001E0000-0x00000000003CE000-memory.dmp	autoit_exe
behavioral1/memory/2384-178-0x0000000000840000-0x0000000000A2E000-memory.dmp	autoit_exe
behavioral1/memory/2384-180-0x0000000000840000-0x0000000000A2E000-memory.dmp	autoit_exe
behavioral1/memory/2384-184-0x0000000000840000-0x0000000000A2E000-memory.dmp	autoit_exe
behavioral1/memory/2940-189-0x0000000000E40000-0x000000000102E000-memory.dmp	autoit_exe
behavioral1/memory/2384-194-0x0000000000840000-0x0000000000A2E000-memory.dmp	autoit_exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a0000000122d0-4.dat	upx
behavioral1/memory/2384-18-0x0000000000840000-0x0000000000A2E000-memory.dmp	upx
behavioral1/memory/2768-41-0x0000000000C90000-0x0000000000E7E000-memory.dmp	upx
behavioral1/memory/2768-49-0x0000000000C90000-0x0000000000E7E000-memory.dmp	upx
behavioral1/memory/2384-131-0x0000000000840000-0x0000000000A2E000-memory.dmp	upx
behavioral1/memory/2384-133-0x0000000000840000-0x0000000000A2E000-memory.dmp	upx
behavioral1/memory/2384-140-0x0000000000840000-0x0000000000A2E000-memory.dmp	upx
behavioral1/memory/2528-144-0x00000000001E0000-0x00000000003CE000-memory.dmp	upx
behavioral1/memory/2528-145-0x00000000001E0000-0x00000000003CE000-memory.dmp	upx
behavioral1/memory/2384-178-0x0000000000840000-0x0000000000A2E000-memory.dmp	upx
behavioral1/memory/2384-180-0x0000000000840000-0x0000000000A2E000-memory.dmp	upx
behavioral1/memory/2384-184-0x0000000000840000-0x0000000000A2E000-memory.dmp	upx
behavioral1/memory/2940-187-0x0000000000E40000-0x000000000102E000-memory.dmp	upx
behavioral1/memory/2940-189-0x0000000000E40000-0x000000000102E000-memory.dmp	upx
behavioral1/memory/2384-194-0x0000000000840000-0x0000000000A2E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WSCript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KQNALS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KQNALS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\root\SecurityCenter2	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1688	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2788	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2788	EXCEL.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2384	2136	71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe	30
PID 2136 wrote to memory of 2384	2136	71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe	30
PID 2136 wrote to memory of 2384	2136	71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe	30
PID 2136 wrote to memory of 2384	2136	71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe	30
PID 2136 wrote to memory of 2720	2136	71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe	31
PID 2136 wrote to memory of 2720	2136	71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe	31
PID 2136 wrote to memory of 2720	2136	71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe	31
PID 2136 wrote to memory of 2720	2136	71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe	31
PID 2720 wrote to memory of 2768	2720	Synaptics.exe	32
PID 2720 wrote to memory of 2768	2720	Synaptics.exe	32
PID 2720 wrote to memory of 2768	2720	Synaptics.exe	32
PID 2720 wrote to memory of 2768	2720	Synaptics.exe	32
PID 2384 wrote to memory of 1444	2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe	34
PID 2384 wrote to memory of 1444	2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe	34
PID 2384 wrote to memory of 1444	2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe	34
PID 2384 wrote to memory of 1444	2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe	34
PID 2384 wrote to memory of 2656	2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe	36
PID 2384 wrote to memory of 2656	2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe	36
PID 2384 wrote to memory of 2656	2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe	36
PID 2384 wrote to memory of 2656	2384	._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe	36
PID 1444 wrote to memory of 1688	1444	cmd.exe	37
PID 1444 wrote to memory of 1688	1444	cmd.exe	37
PID 1444 wrote to memory of 1688	1444	cmd.exe	37
PID 1444 wrote to memory of 1688	1444	cmd.exe	37
PID 1308 wrote to memory of 2528	1308	taskeng.exe	43
PID 1308 wrote to memory of 2528	1308	taskeng.exe	43
PID 1308 wrote to memory of 2528	1308	taskeng.exe	43
PID 1308 wrote to memory of 2528	1308	taskeng.exe	43
PID 1308 wrote to memory of 2940	1308	taskeng.exe	44
PID 1308 wrote to memory of 2940	1308	taskeng.exe	44
PID 1308 wrote to memory of 2940	1308	taskeng.exe	44
PID 1308 wrote to memory of 2940	1308	taskeng.exe	44

C:\Users\Admin\AppData\Local\Temp\71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
"C:\Users\Admin\AppData\Local\Temp\71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /create /tn MHDFGY.exe /tr C:\Users\Admin\AppData\Roaming\Windata\KQNALS.exe /sc minute /mo 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn MHDFGY.exe /tr C:\Users\Admin\AppData\Roaming\Windata\KQNALS.exe /sc minute /mo 1
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1688
- - C:\Windows\SysWOW64\WSCript.exe
    WSCript C:\Users\Admin\AppData\Local\Temp\MHDFGY.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2656
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2768

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2788

C:\Windows\system32\taskeng.exe
taskeng.exe {0D044ABB-7187-41C3-965A-74A40DFEA217} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Users\Admin\AppData\Roaming\Windata\KQNALS.exe
  C:\Users\Admin\AppData\Roaming\Windata\KQNALS.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2528
- C:\Users\Admin\AppData\Roaming\Windata\KQNALS.exe
  C:\Users\Admin\AppData\Roaming\Windata\KQNALS.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.6MB

MD5
27bcc0d927e9f13250b1dff9e122e9af

SHA1
2f9f09f46fe7ee2a495247292b3f2be0777c2873

SHA256
71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1

SHA512
1bdf5d3ba61b8d99955b92b87377fcbea08db248aae1089a9028a0613eb06c43e330bd781edf66ec955b1042c811094207b8962e391b37fc516a4b93664c7653

Download Submit
C:\Users\Admin\AppData\Local\Temp\36sENylN.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\36sENylN.xlsm

Filesize
21KB

MD5
89881af0e37940e7e3eacabc5662446a

SHA1
4b29c5e2c5c332e3732eff5d633a5bf075aa124b

SHA256
df995f102d99266843836e1a559dcb69e808804c887b8862a7cd797a84fa0e5c

SHA512
7daf492500bfa0c6555c4bb612b17e9d33c9ca5b6253bc765b70b52f9aa1c92d22a88da5ac3a54aa8102a955b422d9431985e9a8f8db7abca0f48bf0128ef93a

Download Submit
C:\Users\Admin\AppData\Local\Temp\36sENylN.xlsm

Filesize
23KB

MD5
3fa206d6d71483c5e2e2d0bc116754da

SHA1
acc7080ab932c25c85323153b6048fe04253171f

SHA256
ed87ac925bf1fd6e4d7c90603e30fb8bce12923111d2548e62e3b31d1c0c8e57

SHA512
4c6a4160b39b86088ebbaf15da9e302e3eebeac6c4f39f0b91dab19d0a2219ad107895821dca11055452754416152f03a7e9603348c52b0761392cf248567f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\36sENylN.xlsm

Filesize
22KB

MD5
98ca2edb24cf9732c8d4e2e61efc2767

SHA1
bb688133039387c6782008739b6436cfc9403256

SHA256
5dc46e0506f898716d26c317f1752687b8307d369350d03e0011c255b986900a

SHA512
8bded5dc4e743ef39d0d8380767ed97990275ac48923cd8a2541c637501cb96184dc796a82078f2800fc69939d9d9300b368ecaedb96f8eaaa9266a35e3c0acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\36sENylN.xlsm

Filesize
22KB

MD5
4fed354895f30d84701c4de8c18ebca6

SHA1
3a5751f6ef8b9a25d12c99e1a437fd3c2b19e0f9

SHA256
f916c146c34f8abee2c7c7279d96898db5feede41ed5dae66fa3be6bbaa16058

SHA512
c07f787f70922ba4df6c0a451783b3b1830869f63c73d7ca5a2b37bd2ed564ccf57684e1afd9f3e5fc7311f22efba5db999409163fdca49e7b677eae5c5582a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MHDFGY.vbs

Filesize
964B

MD5
d24e332b790bae46b2ce6cfe94a87f23

SHA1
1ac976f41b7d37aec4d95eb439bc8fadee11b1cf

SHA256
026bee439844067dcfb04c9cb9c5e20398b67e2225d0b857d66f0c85b7eff11d

SHA512
4aefd45dad7df7ae105ffc152f216187c7bd3923b508472ca587c79a98459e90dc4150ae9703afad766f6bde9082b272619f9758e8f464eeadad07e828db4552

Download Submit
C:\Users\Admin\Downloads\~$UseUninstall.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_71c45be1d4e8d17aee605f93ee991d9117572e1f79c8991bfa2f7b37b285b5f1.exe

Filesize
893KB

MD5
541fc19be6471027afb1dd324e4a8a80

SHA1
ed39e0a9aa016595f1ead34c221ce0b878e7cf64

SHA256
0a438a59e23472911fd3e08a50f58cad8008d01733a1159bb20b06b20b21aac0

SHA512
da7965709aded6570c282e02536e2fcdf51e6a42ced919adf75be4fb694017bcd332c229db4b07684265b471df6d2001d62a1c5327cd93f35520ff4fad83e086

Download Submit
memory/2136-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2136-16-0x0000000004380000-0x000000000456E000-memory.dmp

Filesize
1.9MB

Download
memory/2136-29-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/2384-140-0x0000000000840000-0x0000000000A2E000-memory.dmp

Filesize
1.9MB

Download
memory/2384-18-0x0000000000840000-0x0000000000A2E000-memory.dmp

Filesize
1.9MB

Download
memory/2384-48-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/2384-194-0x0000000000840000-0x0000000000A2E000-memory.dmp

Filesize
1.9MB

Download
memory/2384-184-0x0000000000840000-0x0000000000A2E000-memory.dmp

Filesize
1.9MB

Download
memory/2384-180-0x0000000000840000-0x0000000000A2E000-memory.dmp

Filesize
1.9MB

Download
memory/2384-131-0x0000000000840000-0x0000000000A2E000-memory.dmp

Filesize
1.9MB

Download
memory/2384-178-0x0000000000840000-0x0000000000A2E000-memory.dmp

Filesize
1.9MB

Download
memory/2384-133-0x0000000000840000-0x0000000000A2E000-memory.dmp

Filesize
1.9MB

Download
memory/2384-135-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/2528-145-0x00000000001E0000-0x00000000003CE000-memory.dmp

Filesize
1.9MB

Download
memory/2528-144-0x00000000001E0000-0x00000000003CE000-memory.dmp

Filesize
1.9MB

Download
memory/2720-137-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/2720-134-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/2720-132-0x0000000004370000-0x000000000455E000-memory.dmp

Filesize
1.9MB

Download
memory/2720-179-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/2720-39-0x0000000004370000-0x000000000455E000-memory.dmp

Filesize
1.9MB

Download
memory/2768-49-0x0000000000C90000-0x0000000000E7E000-memory.dmp

Filesize
1.9MB

Download
memory/2768-41-0x0000000000C90000-0x0000000000E7E000-memory.dmp

Filesize
1.9MB

Download
memory/2788-43-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2940-187-0x0000000000E40000-0x000000000102E000-memory.dmp

Filesize
1.9MB

Download
memory/2940-189-0x0000000000E40000-0x000000000102E000-memory.dmp

Filesize
1.9MB

Download