xred | 51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe
Size

793KB
MD5

675cfa9a4100baab4bc4f678f64ebae0
SHA1

ddaf05fa6eaf47a2adbc56ee6af5969aaae23303
SHA256

51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642
SHA512

0882f9d8993cf965146d2d253b1123557331c5f2db953f9ced2231a6b311df32734783ab9e4b8a1391bcd1be4ecc1e87e4f7b64d419a2e5ad5a7b1302eb311b5
SSDEEP

12288:mMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9TuQj:mnsJ39LyjbJkQFMhmC+6GD9ig

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
2836	._cache_51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe
2776	Synaptics.exe
2584	._cache_Synaptics.exe

Loads dropped DLL 7 IoCs

pid	Process
2324	51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe
2324	51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe
2324	51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe
2324	51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe
2776	Synaptics.exe
2776	Synaptics.exe
2776	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2744	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2836	._cache_51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe
2584	._cache_Synaptics.exe
2744	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2836	2324	51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe	30
PID 2324 wrote to memory of 2836	2324	51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe	30
PID 2324 wrote to memory of 2836	2324	51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe	30
PID 2324 wrote to memory of 2836	2324	51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe	30
PID 2324 wrote to memory of 2776	2324	51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe	31
PID 2324 wrote to memory of 2776	2324	51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe	31
PID 2324 wrote to memory of 2776	2324	51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe	31
PID 2324 wrote to memory of 2776	2324	51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe	31
PID 2776 wrote to memory of 2584	2776	Synaptics.exe	32
PID 2776 wrote to memory of 2584	2776	Synaptics.exe	32
PID 2776 wrote to memory of 2584	2776	Synaptics.exe	32
PID 2776 wrote to memory of 2584	2776	Synaptics.exe	32
PID 2836 wrote to memory of 1596	2836	._cache_51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe	36
PID 2836 wrote to memory of 1596	2836	._cache_51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe	36
PID 2836 wrote to memory of 1596	2836	._cache_51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe	36
PID 2836 wrote to memory of 1596	2836	._cache_51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe	36
PID 2584 wrote to memory of 1052	2584	._cache_Synaptics.exe	37
PID 2584 wrote to memory of 1052	2584	._cache_Synaptics.exe	37
PID 2584 wrote to memory of 1052	2584	._cache_Synaptics.exe	37
PID 2584 wrote to memory of 1052	2584	._cache_Synaptics.exe	37
PID 2836 wrote to memory of 1524	2836	._cache_51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe	40
PID 2836 wrote to memory of 1524	2836	._cache_51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe	40
PID 2836 wrote to memory of 1524	2836	._cache_51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe	40
PID 2836 wrote to memory of 1524	2836	._cache_51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe	40
PID 2836 wrote to memory of 1676	2836	._cache_51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe	43
PID 2836 wrote to memory of 1676	2836	._cache_51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe	43
PID 2836 wrote to memory of 1676	2836	._cache_51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe	43
PID 2836 wrote to memory of 1676	2836	._cache_51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe	43
PID 2584 wrote to memory of 1600	2584	._cache_Synaptics.exe	42
PID 2584 wrote to memory of 1600	2584	._cache_Synaptics.exe	42
PID 2584 wrote to memory of 1600	2584	._cache_Synaptics.exe	42
PID 2584 wrote to memory of 1600	2584	._cache_Synaptics.exe	42
PID 2836 wrote to memory of 1248	2836	._cache_51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe	47
PID 2836 wrote to memory of 1248	2836	._cache_51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe	47
PID 2836 wrote to memory of 1248	2836	._cache_51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe	47
PID 2836 wrote to memory of 1248	2836	._cache_51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe	47
PID 2584 wrote to memory of 2460	2584	._cache_Synaptics.exe	46
PID 2584 wrote to memory of 2460	2584	._cache_Synaptics.exe	46
PID 2584 wrote to memory of 2460	2584	._cache_Synaptics.exe	46
PID 2584 wrote to memory of 2460	2584	._cache_Synaptics.exe	46
PID 2584 wrote to memory of 2852	2584	._cache_Synaptics.exe	51
PID 2584 wrote to memory of 2852	2584	._cache_Synaptics.exe	51
PID 2584 wrote to memory of 2852	2584	._cache_Synaptics.exe	51
PID 2584 wrote to memory of 2852	2584	._cache_Synaptics.exe	51
PID 2836 wrote to memory of 1792	2836	._cache_51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe	50
PID 2836 wrote to memory of 1792	2836	._cache_51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe	50
PID 2836 wrote to memory of 1792	2836	._cache_51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe	50
PID 2836 wrote to memory of 1792	2836	._cache_51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe	50
PID 2836 wrote to memory of 2032	2836	._cache_51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe	55
PID 2836 wrote to memory of 2032	2836	._cache_51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe	55
PID 2836 wrote to memory of 2032	2836	._cache_51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe	55
PID 2836 wrote to memory of 2032	2836	._cache_51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe	55
PID 2584 wrote to memory of 2920	2584	._cache_Synaptics.exe	54
PID 2584 wrote to memory of 2920	2584	._cache_Synaptics.exe	54
PID 2584 wrote to memory of 2920	2584	._cache_Synaptics.exe	54
PID 2584 wrote to memory of 2920	2584	._cache_Synaptics.exe	54
PID 2584 wrote to memory of 892	2584	._cache_Synaptics.exe	58
PID 2584 wrote to memory of 892	2584	._cache_Synaptics.exe	58
PID 2584 wrote to memory of 892	2584	._cache_Synaptics.exe	58
PID 2584 wrote to memory of 892	2584	._cache_Synaptics.exe	58
PID 2836 wrote to memory of 2096	2836	._cache_51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe	59
PID 2836 wrote to memory of 2096	2836	._cache_51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe	59
PID 2836 wrote to memory of 2096	2836	._cache_51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe	59
PID 2836 wrote to memory of 2096	2836	._cache_51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe	59

C:\Users\Admin\AppData\Local\Temp\51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe
"C:\Users\Admin\AppData\Local\Temp\51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Local\Temp\._cache_51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1596
- - C:\Windows\SysWOW64\cmd.exe
    cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1248
- - C:\Windows\SysWOW64\cmd.exe
    cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1792
- - C:\Windows\SysWOW64\cmd.exe
    cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2096
- - C:\Windows\SysWOW64\cmd.exe
    cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1216
- - C:\Windows\SysWOW64\cmd.exe
    cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
    3⤵
    - System Location Discovery: System Language Discovery
    PID:596
- - C:\Windows\SysWOW64\cmd.exe
    cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1352
- - C:\Windows\SysWOW64\cmd.exe
    cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
    3⤵
    - System Location Discovery: System Language Discovery
    PID:300
- - C:\Windows\SysWOW64\cmd.exe
    cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2188
- - C:\Windows\SysWOW64\cmd.exe
    cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1520
- - C:\Windows\SysWOW64\cmd.exe
    cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
    3⤵
    - System Location Discovery: System Language Discovery
    PID:984
- - C:\Windows\SysWOW64\cmd.exe
    cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2580
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
      4⤵
      System Location Discovery: System Language Discovery
      PID:1052
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
      4⤵
      System Location Discovery: System Language Discovery
      PID:1600
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
      4⤵
      System Location Discovery: System Language Discovery
      PID:2460
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
      4⤵
      System Location Discovery: System Language Discovery
      PID:2852
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
      4⤵
      System Location Discovery: System Language Discovery
      PID:2920
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
      4⤵
      System Location Discovery: System Language Discovery
      PID:892
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
      4⤵
      System Location Discovery: System Language Discovery
      PID:2724
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
      4⤵
      System Location Discovery: System Language Discovery
      PID:2568
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
      4⤵
      System Location Discovery: System Language Discovery
      PID:2888
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
      4⤵
      System Location Discovery: System Language Discovery
      PID:1480
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
      4⤵
      System Location Discovery: System Language Discovery
      PID:1516
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
      4⤵
      System Location Discovery: System Language Discovery
      PID:2184
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
      4⤵
      System Location Discovery: System Language Discovery
      PID:2420
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
      4⤵
      System Location Discovery: System Language Discovery
      PID:1756
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
      4⤵
      System Location Discovery: System Language Discovery
      PID:1732
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
      4⤵
      System Location Discovery: System Language Discovery
      PID:2364
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /K C:\Users\Admin\AppData\Local\Temp\mdcrack.exe -d
      4⤵
      System Location Discovery: System Language Discovery
      PID:2840

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
793KB

MD5
675cfa9a4100baab4bc4f678f64ebae0

SHA1
ddaf05fa6eaf47a2adbc56ee6af5969aaae23303

SHA256
51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642

SHA512
0882f9d8993cf965146d2d253b1123557331c5f2db953f9ced2231a6b311df32734783ab9e4b8a1391bcd1be4ecc1e87e4f7b64d419a2e5ad5a7b1302eb311b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\NcRg485B.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\NcRg485B.xlsm

Filesize
20KB

MD5
5149e791b5b7b49a2212bf0146882704

SHA1
296ecc0f9527cb0ef3e2d263f52db0823c65f3f4

SHA256
ad5da803fb5fad3186af623fc28734082655c352ea0ceca16f619d328c80877b

SHA512
c3e1ea6f46d3a04bd977bf3312294aad608a219ed3c6ac638a7d0aeef1c2af537453b0ddfe381383972a669e323aa107f633b14811bf311842d6e53a5b7b5b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\NcRg485B.xlsm

Filesize
25KB

MD5
44eefabaddd683ebc3acfc6a2c147a60

SHA1
3b95d43e0f0af20011dd570a303805e8054d74eb

SHA256
8571afec1d6cdfac145b3ca018a3b1641ecfc4de8e5382d1ce06110b94463851

SHA512
d52e786b1034e82cb35b237552e37be3eb550053669b38c6d3419c60c32205ea18f50bc17fb06a5689cbc6e2ced9e82e7c7627e5f8c64c7735f94ac27f11f4cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\NcRg485B.xlsm

Filesize
25KB

MD5
8e5b256b1f39e505cbb6adf0fb6f2319

SHA1
e4dcbd791f19c602a34c6f738079913109da25e6

SHA256
3e5264a6f4ebfcdf73f0b05382f0f5fc25fe24c28ed496e2204abbcda131e1c0

SHA512
6fda1b20e9abf4bbb635729d76c94d141b180332f798d6c6c51a3f4e43eea8767dfcc782d1b39ef7dd5a932e41fcee8570148f841695ba6dd30ed8cc21d2b90e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NcRg485B.xlsm

Filesize
24KB

MD5
74323a4742dd996140681a566712ad8b

SHA1
552a947bc23f5ba4be5cff20699b2432919974f9

SHA256
c55577cbd85a212a42de529076806e411f2b42fc517c298431b835f7acd2f382

SHA512
70dfc67320968d076620bf35c4a2b6f881e6df3f96d6a00eb8d31ba3b334fb0d904f875a10707d7debb0d23ac8c77cffdde5b77fe91af201447d898b420f3333

Download Submit
C:\Users\Admin\Downloads\~$SaveRedo.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_51ea8a1a589648019e45927862599af8b7de7fe1d6f9485709a287582b15e642.exe

Filesize
40KB

MD5
83db3f55c5a97402b73de7fb23b77add

SHA1
7812537505190566cfc04c4708404e25c0750b4d

SHA256
af7120cdf209e98bfe63bbc98c176b57987976ab671ab25c5f71d3e72a13a168

SHA512
eee63a61b3e86ed029c2ab29bf477e3cc56c956321b29c7a36e947a9441c28bd46ebe629e3955b2339d494cc9cc905581e52af838d088c15b48fdcc557caa916

Download Submit
memory/2324-30-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2324-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2744-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2776-125-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2776-160-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads