xred | 0a6ba519cd28bce39d999a07d2b4dce17fdcd0a0f1ddef94158e377c40de8a26

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31/12/2024, 02:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0a6ba519cd28bce39d999a07d2b4dce17fdcd0a0f1ddef94158e377c40de8a26.msi
Size

1.7MB
MD5

cf5da0ce656559358c5d06876bbbff3e
SHA1

166f0b46a849adeaf1d01378d0db0bb6040c9ed3
SHA256

0a6ba519cd28bce39d999a07d2b4dce17fdcd0a0f1ddef94158e377c40de8a26
SHA512

ca0f530922d8168cb633f30a5cb97874654515a0c361f20f4490f9f85beedd3f74595141b6305b755fa18796c678d2a89848a069b4471fbb5f66b5ce33343cf7
SSDEEP

49152:uElnsHyjtk2MYC5GD8hloJfCAh9RMUBrNUFqtBZl:hnsmtk2a1hlPERBsiT

Score

10^/10

xred backdoor discovery macro persistence privilege_escalation upx

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 3 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x000500000001870c-99.dat
behavioral1/files/0x000600000001871c-112.dat
behavioral1/files/0x000700000001870c-123.dat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HBMQLS.lnk	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	MSIC66D.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\HBMQLS = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\EWZJGF.exe\""	._cache_Synaptics.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe

AutoIT Executable 8 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1844-133-0x0000000000BC0000-0x0000000000DC0000-memory.dmp	autoit_exe
behavioral1/memory/1844-134-0x0000000000BC0000-0x0000000000DC0000-memory.dmp	autoit_exe
behavioral1/memory/1844-141-0x0000000000BC0000-0x0000000000DC0000-memory.dmp	autoit_exe
behavioral1/memory/1616-150-0x0000000000290000-0x0000000000490000-memory.dmp	autoit_exe
behavioral1/memory/1844-187-0x0000000000BC0000-0x0000000000DC0000-memory.dmp	autoit_exe
behavioral1/memory/1844-193-0x0000000000BC0000-0x0000000000DC0000-memory.dmp	autoit_exe
behavioral1/memory/2004-196-0x00000000012F0000-0x00000000014F0000-memory.dmp	autoit_exe
behavioral1/memory/1844-202-0x0000000000BC0000-0x0000000000DC0000-memory.dmp	autoit_exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\._cache_Synaptics.exe	Synaptics.exe
File opened for modification	C:\Windows\SysWOW64\winmgmts:\localhost\root\SecurityCenter2	._cache_Synaptics.exe
File created	C:\Windows\SysWOW64\._cache_MSIC66D.tmp	MSIC66D.tmp
File opened for modification	C:\Windows\SysWOW64\._cache_MSIC66D.tmp	MSIC66D.tmp
File created	C:\Windows\SysWOW64\._cache_Synaptics.exe	Synaptics.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016edc-46.dat	upx
behavioral1/memory/1844-54-0x0000000000BC0000-0x0000000000DC0000-memory.dmp	upx
behavioral1/memory/1844-133-0x0000000000BC0000-0x0000000000DC0000-memory.dmp	upx
behavioral1/memory/1844-134-0x0000000000BC0000-0x0000000000DC0000-memory.dmp	upx
behavioral1/memory/1844-141-0x0000000000BC0000-0x0000000000DC0000-memory.dmp	upx
behavioral1/memory/1616-148-0x0000000000290000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1616-150-0x0000000000290000-0x0000000000490000-memory.dmp	upx
behavioral1/memory/1844-187-0x0000000000BC0000-0x0000000000DC0000-memory.dmp	upx
behavioral1/memory/1844-193-0x0000000000BC0000-0x0000000000DC0000-memory.dmp	upx
behavioral1/memory/2004-195-0x00000000012F0000-0x00000000014F0000-memory.dmp	upx
behavioral1/memory/2004-196-0x00000000012F0000-0x00000000014F0000-memory.dmp	upx
behavioral1/memory/1844-202-0x0000000000BC0000-0x0000000000DC0000-memory.dmp	upx

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\f76ad43.ipi	msiexec.exe
File created	C:\Windows\Installer\f76ad40.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76ad40.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f76ad43.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC61D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC66D.tmp	msiexec.exe

Executes dropped EXE 5 IoCs

pid	Process
2460	MSIC66D.tmp
1596	Synaptics.exe
1844	._cache_Synaptics.exe
1616	EWZJGF.exe
2004	EWZJGF.exe

Loads dropped DLL 5 IoCs

pid	Process
2460	MSIC66D.tmp
2460	MSIC66D.tmp
1596	Synaptics.exe
1596	Synaptics.exe
1844	._cache_Synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2276	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WSCript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIC66D.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EWZJGF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EWZJGF.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2184	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1044	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2408	msiexec.exe
2408	msiexec.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe
1844	._cache_Synaptics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1844	._cache_Synaptics.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2276	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2276	msiexec.exe
Token: SeRestorePrivilege	2408	msiexec.exe
Token: SeTakeOwnershipPrivilege	2408	msiexec.exe
Token: SeSecurityPrivilege	2408	msiexec.exe
Token: SeCreateTokenPrivilege	2276	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2276	msiexec.exe
Token: SeLockMemoryPrivilege	2276	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2276	msiexec.exe
Token: SeMachineAccountPrivilege	2276	msiexec.exe
Token: SeTcbPrivilege	2276	msiexec.exe
Token: SeSecurityPrivilege	2276	msiexec.exe
Token: SeTakeOwnershipPrivilege	2276	msiexec.exe
Token: SeLoadDriverPrivilege	2276	msiexec.exe
Token: SeSystemProfilePrivilege	2276	msiexec.exe
Token: SeSystemtimePrivilege	2276	msiexec.exe
Token: SeProfSingleProcessPrivilege	2276	msiexec.exe
Token: SeIncBasePriorityPrivilege	2276	msiexec.exe
Token: SeCreatePagefilePrivilege	2276	msiexec.exe
Token: SeCreatePermanentPrivilege	2276	msiexec.exe
Token: SeBackupPrivilege	2276	msiexec.exe
Token: SeRestorePrivilege	2276	msiexec.exe
Token: SeShutdownPrivilege	2276	msiexec.exe
Token: SeDebugPrivilege	2276	msiexec.exe
Token: SeAuditPrivilege	2276	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2276	msiexec.exe
Token: SeChangeNotifyPrivilege	2276	msiexec.exe
Token: SeRemoteShutdownPrivilege	2276	msiexec.exe
Token: SeUndockPrivilege	2276	msiexec.exe
Token: SeSyncAgentPrivilege	2276	msiexec.exe
Token: SeEnableDelegationPrivilege	2276	msiexec.exe
Token: SeManageVolumePrivilege	2276	msiexec.exe
Token: SeImpersonatePrivilege	2276	msiexec.exe
Token: SeCreateGlobalPrivilege	2276	msiexec.exe
Token: SeBackupPrivilege	1768	vssvc.exe
Token: SeRestorePrivilege	1768	vssvc.exe
Token: SeAuditPrivilege	1768	vssvc.exe
Token: SeBackupPrivilege	2408	msiexec.exe
Token: SeRestorePrivilege	2408	msiexec.exe
Token: SeRestorePrivilege	2408	msiexec.exe
Token: SeTakeOwnershipPrivilege	2408	msiexec.exe
Token: SeBackupPrivilege	2636	vssvc.exe
Token: SeRestorePrivilege	2636	vssvc.exe
Token: SeAuditPrivilege	2636	vssvc.exe
Token: SeBackupPrivilege	2408	msiexec.exe
Token: SeRestorePrivilege	2408	msiexec.exe
Token: SeRestorePrivilege	2604	DrvInst.exe
Token: SeRestorePrivilege	2604	DrvInst.exe
Token: SeRestorePrivilege	2604	DrvInst.exe
Token: SeRestorePrivilege	2604	DrvInst.exe
Token: SeRestorePrivilege	2604	DrvInst.exe
Token: SeRestorePrivilege	2604	DrvInst.exe
Token: SeRestorePrivilege	2604	DrvInst.exe
Token: SeLoadDriverPrivilege	2604	DrvInst.exe
Token: SeLoadDriverPrivilege	2604	DrvInst.exe
Token: SeLoadDriverPrivilege	2604	DrvInst.exe
Token: SeRestorePrivilege	2408	msiexec.exe
Token: SeTakeOwnershipPrivilege	2408	msiexec.exe
Token: SeRestorePrivilege	2408	msiexec.exe
Token: SeTakeOwnershipPrivilege	2408	msiexec.exe
Token: SeRestorePrivilege	2408	msiexec.exe
Token: SeTakeOwnershipPrivilege	2408	msiexec.exe
Token: SeRestorePrivilege	2408	msiexec.exe
Token: SeTakeOwnershipPrivilege	2408	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2276	msiexec.exe
2276	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1044	EXCEL.EXE

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 2236	1768	vssvc.exe	31
PID 1768 wrote to memory of 2236	1768	vssvc.exe	31
PID 1768 wrote to memory of 2236	1768	vssvc.exe	31
PID 2408 wrote to memory of 2460	2408	msiexec.exe	34
PID 2408 wrote to memory of 2460	2408	msiexec.exe	34
PID 2408 wrote to memory of 2460	2408	msiexec.exe	34
PID 2408 wrote to memory of 2460	2408	msiexec.exe	34
PID 2460 wrote to memory of 1596	2460	MSIC66D.tmp	35
PID 2460 wrote to memory of 1596	2460	MSIC66D.tmp	35
PID 2460 wrote to memory of 1596	2460	MSIC66D.tmp	35
PID 2460 wrote to memory of 1596	2460	MSIC66D.tmp	35
PID 1596 wrote to memory of 1844	1596	Synaptics.exe	36
PID 1596 wrote to memory of 1844	1596	Synaptics.exe	36
PID 1596 wrote to memory of 1844	1596	Synaptics.exe	36
PID 1596 wrote to memory of 1844	1596	Synaptics.exe	36
PID 1844 wrote to memory of 1092	1844	._cache_Synaptics.exe	40
PID 1844 wrote to memory of 1092	1844	._cache_Synaptics.exe	40
PID 1844 wrote to memory of 1092	1844	._cache_Synaptics.exe	40
PID 1844 wrote to memory of 1092	1844	._cache_Synaptics.exe	40
PID 1844 wrote to memory of 1460	1844	._cache_Synaptics.exe	42
PID 1844 wrote to memory of 1460	1844	._cache_Synaptics.exe	42
PID 1844 wrote to memory of 1460	1844	._cache_Synaptics.exe	42
PID 1844 wrote to memory of 1460	1844	._cache_Synaptics.exe	42
PID 1092 wrote to memory of 2184	1092	cmd.exe	43
PID 1092 wrote to memory of 2184	1092	cmd.exe	43
PID 1092 wrote to memory of 2184	1092	cmd.exe	43
PID 1092 wrote to memory of 2184	1092	cmd.exe	43
PID 2284 wrote to memory of 1616	2284	taskeng.exe	48
PID 2284 wrote to memory of 1616	2284	taskeng.exe	48
PID 2284 wrote to memory of 1616	2284	taskeng.exe	48
PID 2284 wrote to memory of 1616	2284	taskeng.exe	48
PID 2284 wrote to memory of 2004	2284	taskeng.exe	49
PID 2284 wrote to memory of 2004	2284	taskeng.exe	49
PID 2284 wrote to memory of 2004	2284	taskeng.exe	49
PID 2284 wrote to memory of 2004	2284	taskeng.exe	49

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0a6ba519cd28bce39d999a07d2b4dce17fdcd0a0f1ddef94158e377c40de8a26.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2276

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\Installer\MSIC66D.tmp
  "C:\Windows\Installer\MSIC66D.tmp"
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Drops file in System32 directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1596
  - - C:\Windows\SysWOW64\._cache_Synaptics.exe
      "C:\Windows\system32\._cache_Synaptics.exe" InjUpdate
      4⤵
      Drops startup file
      Adds Run key to start application
      Drops file in System32 directory
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of WriteProcessMemory
      PID:1844
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn HBMQLS.exe /tr C:\Users\Admin\AppData\Roaming\Windata\EWZJGF.exe /sc minute /mo 1
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1092
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn HBMQLS.exe /tr C:\Users\Admin\AppData\Roaming\Windata\EWZJGF.exe /sc minute /mo 1
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2184
    - - C:\Windows\SysWOW64\WSCript.exe
        
        WSCript C:\Users\Admin\AppData\Local\Temp\HBMQLS.vbs
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1460

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1768 -s 568
  2⤵
  PID:2236

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000488" "000000000000048C"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1044

C:\Windows\system32\taskeng.exe
taskeng.exe {772492FE-F65F-49C3-A5DF-1F2F9884B7D5} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Users\Admin\AppData\Roaming\Windata\EWZJGF.exe
  C:\Users\Admin\AppData\Roaming\Windata\EWZJGF.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1616
- C:\Users\Admin\AppData\Roaming\Windata\EWZJGF.exe
  C:\Users\Admin\AppData\Roaming\Windata\EWZJGF.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76ad44.rbs

Filesize
681B

MD5
47dd655a47640122a054aded6adedc30

SHA1
fc15ff696fce0035a3fc0937e184f1ed57db1df0

SHA256
f213cf3506c9f5e758d2232203a87ed12a3b6e4e21d1a518e330b5d5f0188d91

SHA512
71ff163af0cd316afbd17c3d6108b83db29f51f225fe95ae2e95e910aeaef58bf3dd0a4d1e6eaf90abd2f9167b026f81657dc52d26a93290b13fb7594c0fa3b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\HBMQLS.vbs

Filesize
840B

MD5
89137407cd4107effa2ff9f29a2a99ad

SHA1
99814ebc80118160841a2cf0f29eb578b57e4ac6

SHA256
cbee270ed61982f063979c013888bb288d5db2720d2d69f86ee13263a26ffe36

SHA512
d7f64023ef44e2f91195bd8950f211110f530ec751c39b4122925993e8da7c11e0c8bcd6b4286f67efb6df20cc1cde08ededbc241a8ddbde934b58a75592684b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tL9WajH2.xlsm

Filesize
25KB

MD5
cbb1ef4d5f76938cc03e9b6b4392c806

SHA1
cf85c61e008d0f593cb64df6f2c636a5b94dcbee

SHA256
74dced9e1020b768f46c5d1ce5b739b0c000dd597d8d29dca2ed42e4efae6e7e

SHA512
d56c44fc7e1a8990019e09cf4951e90973772617d16c1e4ea2158946f045bd12369b2dc4ec5270f66a8fa5a0c158dd64d4c59db058e4c170401d0f15a1619eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tL9WajH2.xlsm

Filesize
28KB

MD5
b4ff2781620768bbdb1833410948dff6

SHA1
c52cb9d4c5a42046d3ac723da2c2d86f4e0ea18f

SHA256
ca0895ee75265fbfdd0dfe18ed40b6074b536c02bebe6843f815566458be401a

SHA512
5493556cbc57d49067e35e7fb23cb3c4c05c89abd01931dc0260b355a382dda9b03676b8024f7bfce8b705840e21742866c68fb0b7a3bc87adce69820a706ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tL9WajH2.xlsm

Filesize
28KB

MD5
d58d1d9e45ec142030c5851aac20e3e5

SHA1
7be0ca3f1ba7b327651bfd187af8c55338fc42f6

SHA256
d415d08893078749ba0b87d34b00218d8ddee4be97ce0c241002130026bcce26

SHA512
febd2db9b5f9114d480d29e23e857b0e0dad1c433f5f103cb8027ba73808f7fcffa1fb5c253469931de857174ce87b160be27de5309ea97cd6fa6072e2290a57

Download Submit
C:\Users\Admin\AppData\Local\Temp\tL9WajH2.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Windows\Installer\MSIC66D.tmp

Filesize
1.6MB

MD5
71386f37f17778126296ca734975db6d

SHA1
353818dcd74d06565fc0e8ac4416e594d29ecd0b

SHA256
c1317da0fd0dc3d73b38634ea586016f6f651f52acc576fbae8b82721c83e9ae

SHA512
e5e0d87f91611bccfea16222c9afb7ac7b949f1762244ced01f9d8a78e2c992cfe8c1faaf1391f4cf107604a0e9f7a64fa4adda1c339d8dc85b27e7be610b83c

Download Submit
C:\Windows\SysWOW64\._cache_Synaptics.exe

Filesize
930KB

MD5
36f4c5372c6391f782c2db490081746f

SHA1
a0b1ec84b0a2db8f801981e247578217b71b38da

SHA256
1fe023f69f42fcd4be4baa180bbff00b7ffe51c553211dd0df45fb7ff71148b8

SHA512
111c1915d81141398b6bb7a0aa0e98896fb05d5548ace8fd1e0e23343eae60ea1e3d6617d3f5f883b96c8e05f5f868a280683341810896c00fa6ef1f68338992

Download Submit
memory/1044-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1596-132-0x0000000000400000-0x00000000005AB000-memory.dmp

Filesize
1.7MB

Download
memory/1596-186-0x0000000000400000-0x00000000005AB000-memory.dmp

Filesize
1.7MB

Download
memory/1596-52-0x00000000044C0000-0x00000000046C0000-memory.dmp

Filesize
2.0MB

Download
memory/1596-136-0x0000000000400000-0x00000000005AB000-memory.dmp

Filesize
1.7MB

Download
memory/1596-131-0x00000000044C0000-0x00000000046C0000-memory.dmp

Filesize
2.0MB

Download
memory/1616-148-0x0000000000290000-0x0000000000490000-memory.dmp

Filesize
2.0MB

Download
memory/1616-150-0x0000000000290000-0x0000000000490000-memory.dmp

Filesize
2.0MB

Download
memory/1844-135-0x0000000002660000-0x0000000002670000-memory.dmp

Filesize
64KB

Download
memory/1844-54-0x0000000000BC0000-0x0000000000DC0000-memory.dmp

Filesize
2.0MB

Download
memory/1844-141-0x0000000000BC0000-0x0000000000DC0000-memory.dmp

Filesize
2.0MB

Download
memory/1844-134-0x0000000000BC0000-0x0000000000DC0000-memory.dmp

Filesize
2.0MB

Download
memory/1844-133-0x0000000000BC0000-0x0000000000DC0000-memory.dmp

Filesize
2.0MB

Download
memory/1844-87-0x0000000002660000-0x0000000002670000-memory.dmp

Filesize
64KB

Download
memory/1844-187-0x0000000000BC0000-0x0000000000DC0000-memory.dmp

Filesize
2.0MB

Download
memory/1844-193-0x0000000000BC0000-0x0000000000DC0000-memory.dmp

Filesize
2.0MB

Download
memory/1844-202-0x0000000000BC0000-0x0000000000DC0000-memory.dmp

Filesize
2.0MB

Download
memory/2004-195-0x00000000012F0000-0x00000000014F0000-memory.dmp

Filesize
2.0MB

Download
memory/2004-196-0x00000000012F0000-0x00000000014F0000-memory.dmp

Filesize
2.0MB

Download
memory/2460-33-0x0000000000400000-0x00000000005AB000-memory.dmp

Filesize
1.7MB

Download