xred | ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2024, 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
Size

5.8MB
MD5

675f03db23d403573a3a6f708a0e4369
SHA1

78ee9afafe6bf18d2c42d816629b6f9ed1e3ea2f
SHA256

ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8
SHA512

c9055873fcbcefd7aeb8414627d4aa7645014bc2a609a4993317a45465a2ffdbeb38dbfb6c7677350203fe1e7d1f3906fc670ae74d1a75fbd91533044f513240
SSDEEP

98304:unsmtk2asgF0ET9HlrxRVwJMACNiREvBvlvwvCvxvD:wL8Z9HhxRVwJMAqoetRqA9D

Score

10^/10

xred backdoor bootkit discovery execution persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe

Executes dropped EXE 5 IoCs

pid	Process
2032	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
2560	Synaptics.exe
3364	._cache_Synaptics.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
2224	inst.exe

Loads dropped DLL 2 IoCs

pid	Process
2224	inst.exe
2224	inst.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3916	powershell.exe
3408	powershell.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\U:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\H:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\J:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\K:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\O:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\Q:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\Z:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\G:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\N:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\V:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\W:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\X:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\B:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\I:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\L:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\M:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\P:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\S:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\T:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\Y:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
File opened (read-only)	\??\E:	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	inst.exe
File opened for modification	\??\PHYSICALDRIVE0	inst.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\360\360Safe\{E6873584-6030-4f2c-A86D-520E4AAD65E7}.tf	inst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5060	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2224	inst.exe
2224	inst.exe
2032	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
2032	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
3916	powershell.exe
3408	powershell.exe
3916	powershell.exe
3408	powershell.exe
3408	powershell.exe
3408	powershell.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	2224	inst.exe
Token: SeDebugPrivilege	4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
Token: SeDebugPrivilege	3916	powershell.exe
Token: SeDebugPrivilege	3408	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2224	inst.exe
2224	inst.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2224	inst.exe
2224	inst.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2224	inst.exe
5060	EXCEL.EXE
5060	EXCEL.EXE
5060	EXCEL.EXE
5060	EXCEL.EXE
4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 2032	4720	ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	83
PID 4720 wrote to memory of 2032	4720	ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	83
PID 4720 wrote to memory of 2032	4720	ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	83
PID 4720 wrote to memory of 2560	4720	ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	84
PID 4720 wrote to memory of 2560	4720	ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	84
PID 4720 wrote to memory of 2560	4720	ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	84
PID 2560 wrote to memory of 3364	2560	Synaptics.exe	85
PID 2560 wrote to memory of 3364	2560	Synaptics.exe	85
PID 2560 wrote to memory of 3364	2560	Synaptics.exe	85
PID 2032 wrote to memory of 4548	2032	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	86
PID 2032 wrote to memory of 4548	2032	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	86
PID 2032 wrote to memory of 4548	2032	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	86
PID 4548 wrote to memory of 2440	4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	95
PID 4548 wrote to memory of 2440	4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	95
PID 4548 wrote to memory of 2440	4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	95
PID 4548 wrote to memory of 3212	4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	96
PID 4548 wrote to memory of 3212	4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	96
PID 4548 wrote to memory of 3212	4548	._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe	96
PID 3212 wrote to memory of 3916	3212	cmd.exe	100
PID 3212 wrote to memory of 3916	3212	cmd.exe	100
PID 3212 wrote to memory of 3916	3212	cmd.exe	100
PID 2440 wrote to memory of 3408	2440	cmd.exe	99
PID 2440 wrote to memory of 3408	2440	cmd.exe	99
PID 2440 wrote to memory of 3408	2440	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
"C:\Users\Admin\AppData\Local\Temp\ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Users\Admin\AppData\Local\Temp\._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Users\Admin\AppData\Roaming\._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe
    "C:\Users\Admin\AppData\Roaming\._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4548
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2440
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3408
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\updated.ps1
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3212
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\updated.ps1
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3916
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3364

C:\Users\Admin\Downloads\inst.exe
C:\Users\Admin\Downloads\inst.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2224

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
5.8MB

MD5
675f03db23d403573a3a6f708a0e4369

SHA1
78ee9afafe6bf18d2c42d816629b6f9ed1e3ea2f

SHA256
ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8

SHA512
c9055873fcbcefd7aeb8414627d4aa7645014bc2a609a4993317a45465a2ffdbeb38dbfb6c7677350203fe1e7d1f3906fc670ae74d1a75fbd91533044f513240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
74beabd4347b1ecc24fdc6cd9bb2ec64

SHA1
b793909bd2bf91d40eafb71194cc3eeb0c057110

SHA256
80d19c23e407ccffe9f5b43087c752b2157294a1e42d887705b9924ceb9e6af9

SHA512
f36be6d71e6ae79ffa79e9bc8d57e79cc14ace932fcc2106ab4df8f4ba99506dac3c007d986dfe3bf8884977a411ba1faa713489dc27b25c23bec49d42abd802

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
0075b0c47a6fb1e3cc34910757b39edf

SHA1
9248ee4cdf2bead841005c0758b9a036b3c8322b

SHA256
0da3bdee98c7b7d532dd0e4a406e9eb163e51fbc025fbb79a0c3a20d3cd0e987

SHA512
6d55403eff09ddb42706a8881c069404877982d7d0b2811ceafba3e2a0e82177636aab845d390f8e10aae98e3432d78f0cf940afa699c1747b4bc7b2a5cbf9f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_ee4c8a187e1e1bd62abe49faece1f327dc7718c736dd1e427c025d73fa796cf8.exe

Filesize
5.0MB

MD5
b4f00fba3327488d4cb6fd36b2d567c6

SHA1
4f0548a2f6bf73a85ff17f40f420098019ac05ff

SHA256
d6a84954e038ddf4a0026705e0942fc003cfdc04e58f658a6bd9e89c37c57d18

SHA512
c573147adfeba7d313cc79498a1c107679f0e69805e3aa8260b3e57dba282088bca082536d7866d4708529bf8c3bef56b2005bd9d59a870e3d29132f6fd3d897

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ehRtJT1.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_45510ty3.pew.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp\sites.dll

Filesize
1.4MB

MD5
a2ff2c72e739e0cf4c73b623444ca39d

SHA1
ff886e63c894a20f30c136a8264cfa33d41b8331

SHA256
c1eb83993c85e01ee6ae84eb6e05744ff8c3ccc02c41d09c22286e3012ef46fc

SHA512
844dab35a1625d5bf1bd814a36fb80d5670d3dfee5cf65ad8be53784b486dcc08898b7577a323c7c7e1e83655f861ea86c5453cfa4c3d55353d329ef3af6320b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D1907DA8-315C-458c-ACBD-E20F56CA962A}.tmp\360P2SP.dll

Filesize
688KB

MD5
d875875eb3282b692ab10e946ea22361

SHA1
34bcef8a8cb0e1db44671892ac3cbd74d3c541a8

SHA256
0eca2e140f973b2011c633d4d92e512a1f77e1da610cfe0f4538c0b451270016

SHA512
972466310d3c145141320584b5f3e431c6888bda2ba1036f85e68e534ed6fb97ba04cbd46d8d9c401dc5857100dc1bff1bad82b50514f3e5c582522f22fd2b5c

Download Submit
C:\Users\Admin\AppData\Local\updated.ps1

Filesize
151B

MD5
aa0e1012d3b7c24fad1be4806756c2cf

SHA1
fe0d130af9105d9044ff3d657d1abeaf0b750516

SHA256
fc47e1fa89397c3139d9047dc667531a9153a339f8e29ac713e518d51a995897

SHA512
15fae192951747a0c71059f608700f88548f3e60bb5c708b206bf793a7e3d059a278f2058d4ac86b86781b202037401a29602ee4d6c0cbaaff532cef311975f4

Download Submit
C:\Users\Admin\Downloads\inst.exe

Filesize
3.9MB

MD5
aaa0f14bdfe3777eee342c27de409e6d

SHA1
6b5f9a7b71e6b105d1bfa26b0c7a4931ed9e5179

SHA256
b35314c2c3b1aab777d621c6fd8516a877b27efbde4dd4addd6843c411e96aa3

SHA512
d584d30083e34964d846c88eb558dba338e3b8982d6d71efec36461aea12127cfcba2be9510d9ef254a85680a2ba2ddb21583ce5e77d5cf3ac0a65800e5ab25a

Download Submit
memory/2032-253-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2032-189-0x0000000002BC0000-0x0000000002BDE000-memory.dmp

Filesize
120KB

Download
memory/2032-310-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2032-311-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/2032-70-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/2032-118-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/2032-190-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2560-355-0x0000000000400000-0x00000000009CE000-memory.dmp

Filesize
5.8MB

Download
memory/2560-472-0x0000000000400000-0x00000000009CE000-memory.dmp

Filesize
5.8MB

Download
memory/2560-425-0x0000000000400000-0x00000000009CE000-memory.dmp

Filesize
5.8MB

Download
memory/3364-365-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/3408-388-0x00000000071F0000-0x00000000071FA000-memory.dmp

Filesize
40KB

Download
memory/3408-345-0x0000000005840000-0x0000000005B94000-memory.dmp

Filesize
3.3MB

Download
memory/3408-395-0x0000000007380000-0x0000000007391000-memory.dmp

Filesize
68KB

Download
memory/3408-326-0x00000000057D0000-0x0000000005836000-memory.dmp

Filesize
408KB

Download
memory/3408-322-0x00000000048F0000-0x0000000004926000-memory.dmp

Filesize
216KB

Download
memory/3408-325-0x0000000005760000-0x00000000057C6000-memory.dmp

Filesize
408KB

Download
memory/3408-381-0x0000000006E40000-0x0000000006EE3000-memory.dmp

Filesize
652KB

Download
memory/3408-369-0x0000000006420000-0x0000000006452000-memory.dmp

Filesize
200KB

Download
memory/3408-380-0x0000000006460000-0x000000000647E000-memory.dmp

Filesize
120KB

Download
memory/3408-370-0x000000006DFF0000-0x000000006E03C000-memory.dmp

Filesize
304KB

Download
memory/3408-324-0x00000000055C0000-0x00000000055E2000-memory.dmp

Filesize
136KB

Download
memory/3916-364-0x00000000076D0000-0x0000000007766000-memory.dmp

Filesize
600KB

Download
memory/3916-382-0x0000000008950000-0x0000000008FCA000-memory.dmp

Filesize
6.5MB

Download
memory/3916-323-0x0000000005740000-0x0000000005D68000-memory.dmp

Filesize
6.2MB

Download
memory/3916-398-0x000000006DFF0000-0x000000006E03C000-memory.dmp

Filesize
304KB

Download
memory/3916-399-0x000000006E2A0000-0x000000006E5F4000-memory.dmp

Filesize
3.3MB

Download
memory/3916-367-0x0000000006C00000-0x0000000006C22000-memory.dmp

Filesize
136KB

Download
memory/3916-366-0x0000000006B80000-0x0000000006B9A000-memory.dmp

Filesize
104KB

Download
memory/3916-368-0x0000000007D20000-0x00000000082C4000-memory.dmp

Filesize
5.6MB

Download
memory/3916-354-0x00000000066A0000-0x00000000066EC000-memory.dmp

Filesize
304KB

Download
memory/3916-353-0x0000000006660000-0x000000000667E000-memory.dmp

Filesize
120KB

Download
memory/4548-422-0x0000000002C80000-0x0000000002CA4000-memory.dmp

Filesize
144KB

Download
memory/4548-419-0x0000000003890000-0x00000000038C8000-memory.dmp

Filesize
224KB

Download
memory/4548-474-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/4548-451-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/4548-386-0x0000000002C80000-0x0000000002CA4000-memory.dmp

Filesize
144KB

Download
memory/4548-387-0x0000000002C80000-0x0000000002CA4000-memory.dmp

Filesize
144KB

Download
memory/4548-446-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/4548-389-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/4548-346-0x0000000002C80000-0x0000000002CA4000-memory.dmp

Filesize
144KB

Download
memory/4548-442-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/4548-439-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/4548-414-0x0000000002C80000-0x0000000002CA4000-memory.dmp

Filesize
144KB

Download
memory/4548-415-0x0000000003890000-0x00000000038C8000-memory.dmp

Filesize
224KB

Download
memory/4548-352-0x0000000002C80000-0x0000000002CA4000-memory.dmp

Filesize
144KB

Download
memory/4548-436-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4548-433-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/4548-420-0x0000000003890000-0x00000000038C8000-memory.dmp

Filesize
224KB

Download
memory/4548-421-0x0000000003890000-0x00000000038C8000-memory.dmp

Filesize
224KB

Download
memory/4548-430-0x0000000000400000-0x0000000000919000-memory.dmp

Filesize
5.1MB

Download
memory/4548-423-0x0000000002C80000-0x0000000002CA4000-memory.dmp

Filesize
144KB

Download
memory/4548-316-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4720-0-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/4720-129-0x0000000000400000-0x00000000009CE000-memory.dmp

Filesize
5.8MB

Download
memory/5060-362-0x00007FFA4DC30000-0x00007FFA4DC40000-memory.dmp

Filesize
64KB

Download
memory/5060-358-0x00007FFA4FC90000-0x00007FFA4FCA0000-memory.dmp

Filesize
64KB

Download
memory/5060-363-0x00007FFA4DC30000-0x00007FFA4DC40000-memory.dmp

Filesize
64KB

Download
memory/5060-360-0x00007FFA4FC90000-0x00007FFA4FCA0000-memory.dmp

Filesize
64KB

Download
memory/5060-359-0x00007FFA4FC90000-0x00007FFA4FCA0000-memory.dmp

Filesize
64KB

Download
memory/5060-356-0x00007FFA4FC90000-0x00007FFA4FCA0000-memory.dmp

Filesize
64KB

Download
memory/5060-357-0x00007FFA4FC90000-0x00007FFA4FCA0000-memory.dmp

Filesize
64KB

Download