Malware Analysis Report

2025-04-13 21:02

Sample ID 250102-xvcmgasjay
Target file.exe
SHA256 457a62394c53eba3c5ef6d569230487c17aaabc837a4a9361670b1c2ee9f5c34
Tags
xred xworm backdoor discovery persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

457a62394c53eba3c5ef6d569230487c17aaabc837a4a9361670b1c2ee9f5c34

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

xred xworm backdoor discovery persistence rat trojan

Xred family

Xworm

Xworm family

Xred

Detect Xworm Payload

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of SetWindowsHookEx

Scheduled Task/Job: Scheduled Task

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-02 19:10

Signatures

Xred family

xred

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-02 19:10

Reported

2025-01-02 19:12

Platform

win7-20240903-en

Max time kernel

141s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xred

backdoor xred

Xred family

xred

Xworm

trojan rat xworm

Xworm family

xworm

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Synaptics\Synaptics.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\svchost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\svchost.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2084 wrote to memory of 1444 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe
PID 2084 wrote to memory of 1444 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe
PID 2084 wrote to memory of 1444 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe
PID 2084 wrote to memory of 1444 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe
PID 2084 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\ProgramData\Synaptics\Synaptics.exe
PID 2084 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\ProgramData\Synaptics\Synaptics.exe
PID 2084 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\ProgramData\Synaptics\Synaptics.exe
PID 2084 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\ProgramData\Synaptics\Synaptics.exe
PID 2856 wrote to memory of 2816 | N/A | C:\ProgramData\Synaptics\Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2856 wrote to memory of 2816 | N/A | C:\ProgramData\Synaptics\Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2856 wrote to memory of 2816 | N/A | C:\ProgramData\Synaptics\Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2856 wrote to memory of 2816 | N/A | C:\ProgramData\Synaptics\Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 1444 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | C:\Users\Admin\AppData\Roaming\Fulloptionnew_by elegance.exe
PID 1444 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | C:\Users\Admin\AppData\Roaming\Fulloptionnew_by elegance.exe
PID 1444 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | C:\Users\Admin\AppData\Roaming\Fulloptionnew_by elegance.exe
PID 1444 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1444 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1444 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1444 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2544 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe
PID 2544 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe
PID 2544 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe
PID 2544 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe
PID 1672 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe | C:\Windows\System32\schtasks.exe
PID 1672 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe | C:\Windows\System32\schtasks.exe
PID 1672 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe | C:\Windows\System32\schtasks.exe
PID 2184 wrote to memory of 236 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\svchost.exe
PID 2184 wrote to memory of 236 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\svchost.exe
PID 2184 wrote to memory of 236 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\svchost.exe
PID 2184 wrote to memory of 1560 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\svchost.exe
PID 2184 wrote to memory of 1560 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\svchost.exe
PID 2184 wrote to memory of 1560 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_file.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_file.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Users\Admin\AppData\Roaming\Fulloptionnew_by elegance.exe

"C:\Users\Admin\AppData\Roaming\Fulloptionnew_by elegance.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\svchost.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {34C7F247-18C9-45D3-A782-8E77A03C2982} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]

C:\Users\Admin\svchost.exe

C:\Users\Admin\svchost.exe

C:\Users\Admin\svchost.exe

C:\Users\Admin\svchost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | xred.mooo.com | udp
US | 8.8.8.8:53 | freedns.afraid.org | udp
US | 69.42.215.252:80 | freedns.afraid.org | tcp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
TH | 45.141.26.134:7000 |  | tcp
US | 8.8.8.8:53 | docs.google.com | udp
FR | 216.58.214.174:443 | docs.google.com | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
FR | 142.250.179.67:80 | c.pki.goog | tcp
US | 8.8.8.8:53 | o.pki.goog | udp
FR | 142.250.179.67:80 | o.pki.goog | tcp
US | 8.8.8.8:53 | drive.usercontent.google.com | udp
FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp
US | 8.8.8.8:53 | crl.microsoft.com | udp
GB | 2.19.252.143:80 | crl.microsoft.com | tcp
US | 8.8.8.8:53 | www.microsoft.com | udp
GB | 2.18.109.131:80 | www.microsoft.com | tcp

Files

memory/2084-0-0x0000000000220000-0x0000000000221000-memory.dmp

\Users\Admin\AppData\Local\Temp\._cache_file.exe

MD5 adc3667c6060dfdcb6f41bd2b01c31a3
SHA1 54c39168b2d76c54f62f9ba266754581ff599d2d
SHA256 bab41ee900b96a6c768996d935ba44c391c14003c30a278a8ac1e32ebe49a1a6
SHA512 f57a33b28854855eb00ebdd3b0bc8b644bfbacbad9eb2a66364a662640d237202613ff43348cf405c28f6045855d97ca6928da4fc88906ec47bce2282530d726

C:\ProgramData\Synaptics\Synaptics.exe

MD5 100620cd1016f9b7aed030b8eced2afd
SHA1 f98f52d52fa58ea5d9b179d28422109958e1b3e2
SHA256 457a62394c53eba3c5ef6d569230487c17aaabc837a4a9361670b1c2ee9f5c34
SHA512 b092244989f027692ee5cc4475611469c8ead213dde075493a6f6a5d3b81371d428958617c58a6c16dbadf75cb878fe279c0140f1629a169392e5f14e6c0f08d

memory/1444-25-0x0000000000B30000-0x0000000000FFA000-memory.dmp

memory/2084-24-0x0000000000400000-0x00000000009BF000-memory.dmp

memory/2816-37-0x0000000000A80000-0x0000000000F4A000-memory.dmp

memory/2840-38-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Roaming\Fulloptionnew_by elegance.exe

MD5 15dc7dde51858f43e9845f72213c042d
SHA1 b38343e5a2237127be195c758cbd7a403e876a7e
SHA256 f71edea8c4ae6c4c3a44f352e9d6cb89124fea7c7fc48e1585bb11d7bbefd74b
SHA512 322ed64c448e3ad02d83b2c48a2927230647073ffd020aceb4868de8e783b57446a7274099cdf58cf4bf02a125284990b5bc8be20bed548fd7c34354bcf37182

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 9f3ee8aef394f4fdb98ead98ec6c1f9b
SHA1 c84a6c4f0a9d0060eacf0a4d5cd46d3955bec846
SHA256 3a6bbe08bb25bb2612f38d254f484e51f69182b3d0fa876660887ed57575a361
SHA512 e5f7a6494c0d53388314dcf8cac5016d7ec7936f1ca91ae4af936749ac164dbd11046dd56e704e03b609e74b9a8698d235c2ca82e9587d610d028f3fa047ead8

C:\Users\Admin\AppData\Local\Temp\Z4Qgum8Y.xlsm

MD5 e566fc53051035e1e6fd0ed1823de0f9
SHA1 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512 a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Local\Temp\._cache_svchost.exe

MD5 5390ed74a0c3c880fdd6d0e2d135bfe1
SHA1 0dbe542e0fe98e17e877f2e5d1dd6dc252943f41
SHA256 48ca5393cc5f72125e9677a9833e86b4bd65aa4a9c167c6171a2d38359b100d9
SHA512 54699e0c3dba1d2df00aca934264fbf728bc2185024d577f3ce2325a9a04467e5b52d15e5f3a5689fe839afa48175765d55f941879076de8012f4bb84fab9cd7

memory/2544-78-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/1672-80-0x00000000003F0000-0x0000000000400000-memory.dmp

memory/2856-82-0x0000000000400000-0x00000000009BF000-memory.dmp

memory/2856-83-0x0000000000400000-0x00000000009BF000-memory.dmp

memory/236-90-0x0000000001150000-0x0000000001160000-memory.dmp

memory/2856-119-0x0000000000400000-0x00000000009BF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-02 19:10

Reported

2025-01-02 19:12

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xred

backdoor xred

Xred family

xred

Xworm

trojan rat xworm

Xworm family

xworm

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Synaptics\Synaptics.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Synaptics\Synaptics.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\ProgramData\Synaptics\Synaptics.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\svchost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 452 wrote to memory of 4968 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe
PID 452 wrote to memory of 4968 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe
PID 452 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\ProgramData\Synaptics\Synaptics.exe
PID 452 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\ProgramData\Synaptics\Synaptics.exe
PID 452 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\ProgramData\Synaptics\Synaptics.exe
PID 4968 wrote to memory of 3952 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | C:\Users\Admin\AppData\Roaming\Fulloptionnew_by elegance.exe
PID 4968 wrote to memory of 3952 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | C:\Users\Admin\AppData\Roaming\Fulloptionnew_by elegance.exe
PID 4968 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4968 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4968 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2980 wrote to memory of 424 | N/A | C:\ProgramData\Synaptics\Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2980 wrote to memory of 424 | N/A | C:\ProgramData\Synaptics\Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 424 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | C:\Users\Admin\AppData\Roaming\Fulloptionnew_by elegance.exe
PID 424 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | C:\Users\Admin\AppData\Roaming\Fulloptionnew_by elegance.exe
PID 424 wrote to memory of 3444 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | C:\Users\Admin\AppData\Roaming\svchost.exe
PID 424 wrote to memory of 3444 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | C:\Users\Admin\AppData\Roaming\svchost.exe
PID 424 wrote to memory of 3444 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2320 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe
PID 2320 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe
PID 3444 wrote to memory of 2912 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe
PID 3444 wrote to memory of 2912 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe
PID 2904 wrote to memory of 5032 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe | C:\Windows\System32\schtasks.exe
PID 2904 wrote to memory of 5032 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe | C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_file.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_file.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Roaming\Fulloptionnew_by elegance.exe

"C:\Users\Admin\AppData\Roaming\Fulloptionnew_by elegance.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Users\Admin\AppData\Roaming\Fulloptionnew_by elegance.exe

"C:\Users\Admin\AppData\Roaming\Fulloptionnew_by elegance.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\svchost.exe"

C:\Users\Admin\svchost.exe

C:\Users\Admin\svchost.exe

C:\Users\Admin\svchost.exe

C:\Users\Admin\svchost.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | xred.mooo.com | udp
US | 8.8.8.8:53 | freedns.afraid.org | udp
US | 69.42.215.252:80 | freedns.afraid.org | tcp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
N/A | 224.0.0.251:5353 |  | udp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
US | 8.8.8.8:53 | 252.215.42.69.in-addr.arpa | udp
TH | 45.141.26.134:7000 |  | tcp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.26.141.45.in-addr.arpa | udp
US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp
US | 8.8.8.8:53 | docs.google.com | udp
FR | 216.58.214.174:443 | docs.google.com | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
FR | 142.250.179.67:80 | c.pki.goog | tcp
US | 8.8.8.8:53 | o.pki.goog | udp
FR | 142.250.179.67:80 | o.pki.goog | tcp
US | 8.8.8.8:53 | drive.usercontent.google.com | udp
FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp
US | 8.8.8.8:53 | 174.214.58.216.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.179.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 225.74.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp

Files

memory/452-0-0x0000000002750000-0x0000000002751000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\._cache_file.exe

MD5 adc3667c6060dfdcb6f41bd2b01c31a3
SHA1 54c39168b2d76c54f62f9ba266754581ff599d2d
SHA256 bab41ee900b96a6c768996d935ba44c391c14003c30a278a8ac1e32ebe49a1a6
SHA512 f57a33b28854855eb00ebdd3b0bc8b644bfbacbad9eb2a66364a662640d237202613ff43348cf405c28f6045855d97ca6928da4fc88906ec47bce2282530d726

C:\ProgramData\Synaptics\Synaptics.exe

MD5 100620cd1016f9b7aed030b8eced2afd
SHA1 f98f52d52fa58ea5d9b179d28422109958e1b3e2
SHA256 457a62394c53eba3c5ef6d569230487c17aaabc837a4a9361670b1c2ee9f5c34
SHA512 b092244989f027692ee5cc4475611469c8ead213dde075493a6f6a5d3b81371d428958617c58a6c16dbadf75cb878fe279c0140f1629a169392e5f14e6c0f08d

memory/4968-70-0x00007FFEC6873000-0x00007FFEC6875000-memory.dmp

memory/4968-78-0x0000000000330000-0x00000000007FA000-memory.dmp

memory/452-131-0x0000000000400000-0x00000000009BF000-memory.dmp

C:\Users\Admin\AppData\Roaming\Fulloptionnew_by elegance.exe

MD5 15dc7dde51858f43e9845f72213c042d
SHA1 b38343e5a2237127be195c758cbd7a403e876a7e
SHA256 f71edea8c4ae6c4c3a44f352e9d6cb89124fea7c7fc48e1585bb11d7bbefd74b
SHA512 322ed64c448e3ad02d83b2c48a2927230647073ffd020aceb4868de8e783b57446a7274099cdf58cf4bf02a125284990b5bc8be20bed548fd7c34354bcf37182

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 9f3ee8aef394f4fdb98ead98ec6c1f9b
SHA1 c84a6c4f0a9d0060eacf0a4d5cd46d3955bec846
SHA256 3a6bbe08bb25bb2612f38d254f484e51f69182b3d0fa876660887ed57575a361
SHA512 e5f7a6494c0d53388314dcf8cac5016d7ec7936f1ca91ae4af936749ac164dbd11046dd56e704e03b609e74b9a8698d235c2ca82e9587d610d028f3fa047ead8

C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe

MD5 5390ed74a0c3c880fdd6d0e2d135bfe1
SHA1 0dbe542e0fe98e17e877f2e5d1dd6dc252943f41
SHA256 48ca5393cc5f72125e9677a9833e86b4bd65aa4a9c167c6171a2d38359b100d9
SHA512 54699e0c3dba1d2df00aca934264fbf728bc2185024d577f3ce2325a9a04467e5b52d15e5f3a5689fe839afa48175765d55f941879076de8012f4bb84fab9cd7

memory/2964-216-0x00007FFEA5130000-0x00007FFEA5140000-memory.dmp

memory/2964-265-0x00007FFEA5130000-0x00007FFEA5140000-memory.dmp

memory/2964-264-0x00007FFEA5130000-0x00007FFEA5140000-memory.dmp

memory/2964-215-0x00007FFEA5130000-0x00007FFEA5140000-memory.dmp

memory/2964-213-0x00007FFEA5130000-0x00007FFEA5140000-memory.dmp

memory/2964-272-0x00007FFEA2BB0000-0x00007FFEA2BC0000-memory.dmp

memory/2320-274-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/2904-275-0x0000000000860000-0x0000000000870000-memory.dmp

memory/2964-276-0x00007FFEA2BB0000-0x00007FFEA2BC0000-memory.dmp

memory/3444-278-0x0000000000400000-0x00000000004CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JjQ3I4fY.xlsm

MD5 e566fc53051035e1e6fd0ed1823de0f9
SHA1 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512 a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

C:\Users\Admin\AppData\Local\Temp\03C75E00

MD5 d890d1afde636796f3936fd89856000f
SHA1 b25a9735663c2680417fe26a11f0a24148192fda
SHA256 58666d81ffa1c363a3226dd80e08bba132d71915ad4f66b9928902cd2abd0fc5
SHA512 3da83801f181d5a4948f6b591107a1563f1d4f8dec82e5a75ecd5e8a2af43afffa48b16657b43af6a1c9fb08fd87b23f4df514a8586a4e2b4a3a4a449bfb6d15

memory/2980-329-0x0000000000400000-0x00000000009BF000-memory.dmp

memory/2980-363-0x0000000000400000-0x00000000009BF000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1