xred | 7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276

Analysis

max time kernel
118s
max time network
144s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
31/12/2024, 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
Size

1.9MB
MD5

290a46d2614f4ce4f7ad75d2cea2ce23
SHA1

cc9f762b21f649252881087b2ff56e88d4b5a6f1
SHA256

7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276
SHA512

2a6d87585971cf166d4df1b2bcfe80a8b066d1cf4cbf646addf0735b62644ab5d9624b635aa1ba89b0b36107fd2899bec2f95d6a55d2faff579272e1e758fe98
SSDEEP

24576:8nsJ39LyjbJkQFMhmC+6GD9bhloDX0XOf44e7JFtxAnWe2fxYBQl:8nsHyjtk2MYC5GDxhloJfXnWbfxp

Score

10^/10

xred backdoor discovery persistence upx

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BQQQVU.lnk	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe

Executes dropped EXE 5 IoCs

pid	Process
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2984	Synaptics.exe
2800	._cache_Synaptics.exe
2160	XNLAGO.exe
536	XNLAGO.exe

Loads dropped DLL 6 IoCs

pid	Process
1656	7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
1656	7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
1656	7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2984	Synaptics.exe
2984	Synaptics.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\BQQQVU = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\XNLAGO.exe\""	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe

AutoIT Executable 12 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2800-43-0x0000000001080000-0x0000000001302000-memory.dmp	autoit_exe
behavioral1/memory/2288-129-0x0000000001140000-0x00000000013C2000-memory.dmp	autoit_exe
behavioral1/memory/2288-131-0x0000000001140000-0x00000000013C2000-memory.dmp	autoit_exe
behavioral1/memory/2160-142-0x0000000000CE0000-0x0000000000F62000-memory.dmp	autoit_exe
behavioral1/memory/2288-143-0x0000000001140000-0x00000000013C2000-memory.dmp	autoit_exe
behavioral1/memory/2288-145-0x0000000001140000-0x00000000013C2000-memory.dmp	autoit_exe
behavioral1/memory/2288-179-0x0000000001140000-0x00000000013C2000-memory.dmp	autoit_exe
behavioral1/memory/2288-181-0x0000000001140000-0x00000000013C2000-memory.dmp	autoit_exe
behavioral1/memory/536-187-0x0000000000CE0000-0x0000000000F62000-memory.dmp	autoit_exe
behavioral1/memory/2288-188-0x0000000001140000-0x00000000013C2000-memory.dmp	autoit_exe
behavioral1/memory/2288-190-0x0000000001140000-0x00000000013C2000-memory.dmp	autoit_exe
behavioral1/memory/2288-194-0x0000000001140000-0x00000000013C2000-memory.dmp	autoit_exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000120fd-4.dat	upx
behavioral1/memory/2288-18-0x0000000001140000-0x00000000013C2000-memory.dmp	upx
behavioral1/memory/2800-40-0x0000000001080000-0x0000000001302000-memory.dmp	upx
behavioral1/memory/2800-43-0x0000000001080000-0x0000000001302000-memory.dmp	upx
behavioral1/memory/2288-129-0x0000000001140000-0x00000000013C2000-memory.dmp	upx
behavioral1/memory/2288-131-0x0000000001140000-0x00000000013C2000-memory.dmp	upx
behavioral1/memory/2160-140-0x0000000000CE0000-0x0000000000F62000-memory.dmp	upx
behavioral1/memory/2160-142-0x0000000000CE0000-0x0000000000F62000-memory.dmp	upx
behavioral1/memory/2288-143-0x0000000001140000-0x00000000013C2000-memory.dmp	upx
behavioral1/memory/2288-145-0x0000000001140000-0x00000000013C2000-memory.dmp	upx
behavioral1/memory/2288-179-0x0000000001140000-0x00000000013C2000-memory.dmp	upx
behavioral1/memory/2288-181-0x0000000001140000-0x00000000013C2000-memory.dmp	upx
behavioral1/memory/536-186-0x0000000000CE0000-0x0000000000F62000-memory.dmp	upx
behavioral1/memory/536-187-0x0000000000CE0000-0x0000000000F62000-memory.dmp	upx
behavioral1/memory/2288-188-0x0000000001140000-0x00000000013C2000-memory.dmp	upx
behavioral1/memory/2288-190-0x0000000001140000-0x00000000013C2000-memory.dmp	upx
behavioral1/memory/2288-194-0x0000000001140000-0x00000000013C2000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WSCript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XNLAGO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XNLAGO.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\root\SecurityCenter2	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
672	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2656	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2656	EXCEL.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 2288	1656	7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe	30
PID 1656 wrote to memory of 2288	1656	7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe	30
PID 1656 wrote to memory of 2288	1656	7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe	30
PID 1656 wrote to memory of 2288	1656	7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe	30
PID 1656 wrote to memory of 2984	1656	7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe	31
PID 1656 wrote to memory of 2984	1656	7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe	31
PID 1656 wrote to memory of 2984	1656	7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe	31
PID 1656 wrote to memory of 2984	1656	7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe	31
PID 2984 wrote to memory of 2800	2984	Synaptics.exe	32
PID 2984 wrote to memory of 2800	2984	Synaptics.exe	32
PID 2984 wrote to memory of 2800	2984	Synaptics.exe	32
PID 2984 wrote to memory of 2800	2984	Synaptics.exe	32
PID 2288 wrote to memory of 2704	2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe	34
PID 2288 wrote to memory of 2704	2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe	34
PID 2288 wrote to memory of 2704	2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe	34
PID 2288 wrote to memory of 2704	2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe	34
PID 2288 wrote to memory of 1708	2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe	36
PID 2288 wrote to memory of 1708	2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe	36
PID 2288 wrote to memory of 1708	2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe	36
PID 2288 wrote to memory of 1708	2288	._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe	36
PID 2704 wrote to memory of 672	2704	cmd.exe	37
PID 2704 wrote to memory of 672	2704	cmd.exe	37
PID 2704 wrote to memory of 672	2704	cmd.exe	37
PID 2704 wrote to memory of 672	2704	cmd.exe	37
PID 1384 wrote to memory of 2160	1384	taskeng.exe	42
PID 1384 wrote to memory of 2160	1384	taskeng.exe	42
PID 1384 wrote to memory of 2160	1384	taskeng.exe	42
PID 1384 wrote to memory of 2160	1384	taskeng.exe	42
PID 1384 wrote to memory of 536	1384	taskeng.exe	43
PID 1384 wrote to memory of 536	1384	taskeng.exe	43
PID 1384 wrote to memory of 536	1384	taskeng.exe	43
PID 1384 wrote to memory of 536	1384	taskeng.exe	43

C:\Users\Admin\AppData\Local\Temp\7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
"C:\Users\Admin\AppData\Local\Temp\7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Users\Admin\AppData\Local\Temp\._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /create /tn BQQQVU.exe /tr C:\Users\Admin\AppData\Roaming\Windata\XNLAGO.exe /sc minute /mo 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn BQQQVU.exe /tr C:\Users\Admin\AppData\Roaming\Windata\XNLAGO.exe /sc minute /mo 1
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:672
- - C:\Windows\SysWOW64\WSCript.exe
    WSCript C:\Users\Admin\AppData\Local\Temp\BQQQVU.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1708
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2800

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2656

C:\Windows\system32\taskeng.exe
taskeng.exe {57E5DC73-0B3C-485D-AEED-3C7207CC7721} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Users\Admin\AppData\Roaming\Windata\XNLAGO.exe
  C:\Users\Admin\AppData\Roaming\Windata\XNLAGO.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2160
- C:\Users\Admin\AppData\Roaming\Windata\XNLAGO.exe
  C:\Users\Admin\AppData\Roaming\Windata\XNLAGO.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.9MB

MD5
290a46d2614f4ce4f7ad75d2cea2ce23

SHA1
cc9f762b21f649252881087b2ff56e88d4b5a6f1

SHA256
7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276

SHA512
2a6d87585971cf166d4df1b2bcfe80a8b066d1cf4cbf646addf0735b62644ab5d9624b635aa1ba89b0b36107fd2899bec2f95d6a55d2faff579272e1e758fe98

Download Submit
C:\Users\Admin\AppData\Local\Temp\BCYyUtAs.xlsm

Filesize
22KB

MD5
53c6fb367fceaef647da26c560715776

SHA1
754ea1e4c774fc08bdccb3ebcc5ca2df97ad4524

SHA256
7e465f17d51a8ca6de11ce11aa693d73dd13fc860a59c3a84320f20fa71bed48

SHA512
72764e8b21b14f940492ffa7c89adaac0f901e49ada0e9ff21c2468f35ddf40d74a3e27f5a42098ad09f631f8c2d80ef92fbb88f6a3dd97b1b1a4782d872decb

Download Submit
C:\Users\Admin\AppData\Local\Temp\BCYyUtAs.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\BCYyUtAs.xlsm

Filesize
28KB

MD5
76884d075c2d74d95031f3680f0a8a9f

SHA1
3f7974b9d949b37dae1fc02c0814e93e235496ec

SHA256
723be2190c31201b092907284f7b299de110e89f459e8ed4a4705573e4f0eafb

SHA512
5777ff3709d01df60d1d778992eb3ec949d1e5cee2d6cbe5dde6463072cc1e1b11f663b0992c9749aec34ce9de6c830bc48d112c0db4ee4bedfeb105097ef824

Download Submit
C:\Users\Admin\AppData\Local\Temp\BCYyUtAs.xlsm

Filesize
23KB

MD5
4f4da5d5d3b38084fe75af22640d0dec

SHA1
6af9c93ebb7758a348593cbbf027c975936ef47a

SHA256
b018a0fd0a14cad0cb67e85926032c53e2a6b1b965bb1925592dee49962dae2c

SHA512
6f75acdb95391dff2630c4972d65c1797a87d9a0bd8fe6ea5c680e87348ba7842516cd6176395a26c93f76266e8e7165fcc3b3c4603ec325804f4888c5362cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\BCYyUtAs.xlsm

Filesize
25KB

MD5
fec07a0508034efccec2054a133767f3

SHA1
4d7a8212e30bbe095315b0a70f42546fa01723c0

SHA256
aa53bccb64365e4d91b68a820177ab9f544dfcd4b343734223978be3fbc154ee

SHA512
5e87d22cdd1b7111d6a0ce19e7872810c42e1daff5177ce913059e117be17aacb1e603ebe96a634a0c0b290701d6660917874e2bd289f7c3c70a1723df7afc4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BQQQVU.vbs

Filesize
964B

MD5
5bcad3be7b81f021d4019aa4ffbca6d0

SHA1
67e883be08115fb8e88048c4882bd96a3242c509

SHA256
bf3c40ac2445a91c8907f2638588a6a68570e745eec8113b119bdc5e6198f648

SHA512
e22675a7c1a1cd3497892a9036b7f4cdf620cf3c6524d3daeac27668e093d0955fb16902bc44026d1d54c4f6bfb13cb1389133976e91cda89bf0ea4e6b1c607f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~$BCYyUtAs.xlsm

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_7cbe965fa1278ba09c31e191c19ac1e2b52f940b656273872c805833ae03e276.exe

Filesize
1.2MB

MD5
fbe9e7e00a80a2321badfa4e962fe15e

SHA1
ce7d9083a3a7a5a7f627cf1cdc4946756df3aaa9

SHA256
7df6c8d2b3479312e1e8bf177d58e7f69c11b932177f288c0fc0d2aee2f869d7

SHA512
a27903f33a6b7b6b003ee5cb80b7ff640ef24d1ca635ce79d15de94f69e6b2bdc8ca3e6e699f130bbc9e6d629312cc48216624a6110caa068c532aa9133646e2

Download Submit
memory/536-186-0x0000000000CE0000-0x0000000000F62000-memory.dmp

Filesize
2.5MB

Download
memory/536-187-0x0000000000CE0000-0x0000000000F62000-memory.dmp

Filesize
2.5MB

Download
memory/1656-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1656-26-0x0000000000400000-0x00000000005EC000-memory.dmp

Filesize
1.9MB

Download
memory/1656-16-0x0000000004570000-0x00000000047F2000-memory.dmp

Filesize
2.5MB

Download
memory/2160-142-0x0000000000CE0000-0x0000000000F62000-memory.dmp

Filesize
2.5MB

Download
memory/2160-140-0x0000000000CE0000-0x0000000000F62000-memory.dmp

Filesize
2.5MB

Download
memory/2288-133-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/2288-145-0x0000000001140000-0x00000000013C2000-memory.dmp

Filesize
2.5MB

Download
memory/2288-181-0x0000000001140000-0x00000000013C2000-memory.dmp

Filesize
2.5MB

Download
memory/2288-129-0x0000000001140000-0x00000000013C2000-memory.dmp

Filesize
2.5MB

Download
memory/2288-76-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/2288-131-0x0000000001140000-0x00000000013C2000-memory.dmp

Filesize
2.5MB

Download
memory/2288-188-0x0000000001140000-0x00000000013C2000-memory.dmp

Filesize
2.5MB

Download
memory/2288-194-0x0000000001140000-0x00000000013C2000-memory.dmp

Filesize
2.5MB

Download
memory/2288-190-0x0000000001140000-0x00000000013C2000-memory.dmp

Filesize
2.5MB

Download
memory/2288-18-0x0000000001140000-0x00000000013C2000-memory.dmp

Filesize
2.5MB

Download
memory/2288-179-0x0000000001140000-0x00000000013C2000-memory.dmp

Filesize
2.5MB

Download
memory/2288-143-0x0000000001140000-0x00000000013C2000-memory.dmp

Filesize
2.5MB

Download
memory/2656-44-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2656-128-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2800-40-0x0000000001080000-0x0000000001302000-memory.dmp

Filesize
2.5MB

Download
memory/2800-43-0x0000000001080000-0x0000000001302000-memory.dmp

Filesize
2.5MB

Download
memory/2984-130-0x0000000004290000-0x0000000004512000-memory.dmp

Filesize
2.5MB

Download
memory/2984-39-0x0000000004290000-0x0000000004512000-memory.dmp

Filesize
2.5MB

Download
memory/2984-180-0x0000000000400000-0x00000000005EC000-memory.dmp

Filesize
1.9MB

Download
memory/2984-135-0x0000000000400000-0x00000000005EC000-memory.dmp

Filesize
1.9MB

Download
memory/2984-132-0x0000000000400000-0x00000000005EC000-memory.dmp

Filesize
1.9MB

Download