xred | ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31/12/2024, 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
Size

5.8MB
MD5

675f03db23d403573a3a6f708a0e4369
SHA1

78ee9afafe6bf18d2c42d816629b6f9ed1e3ea2f
SHA256

ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8
SHA512

c9055873fcbcefd7aeb8414627d4aa7645014bc2a609a4993317a45465a2ffdbeb38dbfb6c7677350203fe1e7d1f3906fc670ae74d1a75fbd91533044f513240
SSDEEP

98304:unsmtk2asgF0ET9HlrxRVwJMACNiREvBvlvwvCvxvD:wL8Z9HhxRVwJMAqoetRqA9D

Score

10^/10

xred backdoor discovery execution persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
2948	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
2660	Synaptics.exe
2396	._cache_Synaptics.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe

Loads dropped DLL 11 IoCs

pid	Process
2280	ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
2280	ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
2280	ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
2660	Synaptics.exe
2660	Synaptics.exe
2948	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
848	WerFault.exe
848	WerFault.exe
848	WerFault.exe
848	WerFault.exe
848	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
844	powershell.exe
1176	powershell.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\W:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\X:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\I:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\J:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\R:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\Z:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\B:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\E:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\L:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\N:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\O:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\S:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\U:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\V:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\G:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\K:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\Y:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\P:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\Q:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\H:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\M:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
848	2948	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1136	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
844	powershell.exe
1176	powershell.exe
844	powershell.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
Token: SeDebugPrivilege	844	powershell.exe
Token: SeDebugPrivilege	1176	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1136	EXCEL.EXE
1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2948	2280	ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	30
PID 2280 wrote to memory of 2948	2280	ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	30
PID 2280 wrote to memory of 2948	2280	ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	30
PID 2280 wrote to memory of 2948	2280	ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	30
PID 2280 wrote to memory of 2660	2280	ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	31
PID 2280 wrote to memory of 2660	2280	ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	31
PID 2280 wrote to memory of 2660	2280	ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	31
PID 2280 wrote to memory of 2660	2280	ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	31
PID 2660 wrote to memory of 2396	2660	Synaptics.exe	32
PID 2660 wrote to memory of 2396	2660	Synaptics.exe	32
PID 2660 wrote to memory of 2396	2660	Synaptics.exe	32
PID 2660 wrote to memory of 2396	2660	Synaptics.exe	32
PID 2948 wrote to memory of 1248	2948	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	34
PID 2948 wrote to memory of 1248	2948	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	34
PID 2948 wrote to memory of 1248	2948	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	34
PID 2948 wrote to memory of 1248	2948	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	34
PID 2948 wrote to memory of 848	2948	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	36
PID 2948 wrote to memory of 848	2948	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	36
PID 2948 wrote to memory of 848	2948	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	36
PID 2948 wrote to memory of 848	2948	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	36
PID 1248 wrote to memory of 1292	1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	37
PID 1248 wrote to memory of 1292	1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	37
PID 1248 wrote to memory of 1292	1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	37
PID 1248 wrote to memory of 1292	1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	37
PID 1248 wrote to memory of 2512	1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	38
PID 1248 wrote to memory of 2512	1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	38
PID 1248 wrote to memory of 2512	1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	38
PID 1248 wrote to memory of 2512	1248	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	38
PID 1292 wrote to memory of 844	1292	cmd.exe	41
PID 1292 wrote to memory of 844	1292	cmd.exe	41
PID 1292 wrote to memory of 844	1292	cmd.exe	41
PID 1292 wrote to memory of 844	1292	cmd.exe	41
PID 2512 wrote to memory of 1176	2512	cmd.exe	42
PID 2512 wrote to memory of 1176	2512	cmd.exe	42
PID 2512 wrote to memory of 1176	2512	cmd.exe	42
PID 2512 wrote to memory of 1176	2512	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
"C:\Users\Admin\AppData\Local\Temp\ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Local\Temp\._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Users\Admin\AppData\Roaming\._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
    "C:\Users\Admin\AppData\Roaming\._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1292
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\updated.ps1
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2512
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\updated.ps1
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1176
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 1076
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:848
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2396

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
5.8MB

MD5
675f03db23d403573a3a6f708a0e4369

SHA1
78ee9afafe6bf18d2c42d816629b6f9ed1e3ea2f

SHA256
ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8

SHA512
c9055873fcbcefd7aeb8414627d4aa7645014bc2a609a4993317a45465a2ffdbeb38dbfb6c7677350203fe1e7d1f3906fc670ae74d1a75fbd91533044f513240

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c18c47ccd7d17532ff8bfecb1f80d38

SHA1
fea53bd1763e0c3860f9ee6bdb8d1b28db383c4e

SHA256
12d1363fe668949f72b93bb55cb6fe98ae7cc6e68e5caffaf9a3b93521d93bb2

SHA512
93d1d7ddd12b26b04bf0ca0891e0f18ce1a29a5c18d34e73aa78fb0016ee0af8644fcbc8e78394ccb517c8a6c10c493d1447d9159e017b0cf93eaa8dda7ee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4DB3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GbOwlaLn.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\updated.ps1

Filesize
151B

MD5
aa0e1012d3b7c24fad1be4806756c2cf

SHA1
fe0d130af9105d9044ff3d657d1abeaf0b750516

SHA256
fc47e1fa89397c3139d9047dc667531a9153a339f8e29ac713e518d51a995897

SHA512
15fae192951747a0c71059f608700f88548f3e60bb5c708b206bf793a7e3d059a278f2058d4ac86b86781b202037401a29602ee4d6c0cbaaff532cef311975f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
2421d203840b85e9e786157cd252dbb1

SHA1
a58f882187f523468c40d1e323b6d30242fa288d

SHA256
d57a70b920850d21402c001201f7a29fb79b882252347bc8ed84581cf304e2ba

SHA512
def2b8f92e2314415a18f6871232c76b27a6408cc9031c51aade38b518978accf232f3442ca5e64138f0f397e105b447952e676715274de90be011fd9bd18418

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe

Filesize
5.0MB

MD5
b4f00fba3327488d4cb6fd36b2d567c6

SHA1
4f0548a2f6bf73a85ff17f40f420098019ac05ff

SHA256
d6a84954e038ddf4a0026705e0942fc003cfdc04e58f658a6bd9e89c37c57d18

SHA512
c573147adfeba7d313cc79498a1c107679f0e69805e3aa8260b3e57dba282088bca082536d7866d4708529bf8c3bef56b2005bd9d59a870e3d29132f6fd3d897

Download Submit
memory/1136-35-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1248-132-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/1248-126-0x0000000003960000-0x0000000003998000-memory.dmp

Filesize
224KB

Download
memory/1248-189-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/1248-113-0x0000000002AA0000-0x0000000002AC4000-memory.dmp

Filesize
144KB

Download
memory/1248-107-0x0000000002AA0000-0x0000000002AC4000-memory.dmp

Filesize
144KB

Download
memory/1248-186-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/1248-183-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/1248-180-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/1248-117-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/1248-119-0x0000000002AA0000-0x0000000002AC4000-memory.dmp

Filesize
144KB

Download
memory/1248-118-0x0000000002AA0000-0x0000000002AC4000-memory.dmp

Filesize
144KB

Download
memory/1248-167-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/1248-144-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/1248-122-0x0000000002AA0000-0x0000000002AC4000-memory.dmp

Filesize
144KB

Download
memory/1248-123-0x0000000003960000-0x0000000003998000-memory.dmp

Filesize
224KB

Download
memory/1248-124-0x0000000003960000-0x0000000003998000-memory.dmp

Filesize
224KB

Download
memory/1248-125-0x0000000003960000-0x0000000003998000-memory.dmp

Filesize
224KB

Download
memory/1248-94-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1248-127-0x0000000002AA0000-0x0000000002AC4000-memory.dmp

Filesize
144KB

Download
memory/1248-128-0x0000000002AA0000-0x0000000002AC4000-memory.dmp

Filesize
144KB

Download
memory/1248-141-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/1248-138-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1248-135-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/2280-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2280-25-0x0000000000400000-0x00000000009CE000-memory.dmp

Filesize
5.8MB

Download
memory/2396-131-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/2396-116-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/2660-130-0x0000000000400000-0x00000000009CE000-memory.dmp

Filesize
5.8MB

Download
memory/2660-178-0x0000000000400000-0x00000000009CE000-memory.dmp

Filesize
5.8MB

Download
memory/2660-115-0x0000000000400000-0x00000000009CE000-memory.dmp

Filesize
5.8MB

Download
memory/2948-121-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/2948-36-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2948-120-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2948-114-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/2948-66-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download