Malware Analysis Report

2025-04-13 21:01

Sample ID: 250102-xw36tavndm
Target: file.exe
SHA256: f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682
Tags: xred, backdoor, discovery, persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682
Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

Tags: xred, backdoor, discovery, persistence

Xred family
Xred
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Checks installed software on the system
Adds Run key to start application
Drops file in System32 directory
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Enumerates system info in registry
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-01-02 19:13

Signatures

Xred family

xred

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-01-02 19:13
Reported: 2025-01-02 19:15
Platform: win7-20240903-en
Max time kernel: 147s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Xred

backdoor xred

Xred family

xred

Loads dropped DLL

Description | Indicator | Process | Target | Events
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A | 3
N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A | 2
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A | 18
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A | 20

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\tmpFCD8.tmp | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A
File opened for modification | C:\Windows\SysWOW64\tmp1538.tmp | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\tmp153A.tmp | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A
File opened for modification | C:\Windows\SysWOW64\tmp153B.tmp | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A
File opened for modification | C:\Windows\SysWOW64\tmpFCD6.tmp | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\tmpFCD7.tmp | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A
File created | C:\Windows\system32\OpenAL32.new | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A
File opened for modification | C:\Windows\system32\OpenAL32.new | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\tmp1539.tmp | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File created | C:\Windows\SysWOW64\OpenAL32.new | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A
File created | C:\Windows\system32\wrap_oal.new | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A
File opened for modification | C:\Windows\SysWOW64\OpenAL32.new | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\wrap_oal.new | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File created | C:\Windows\SysWOW64\OpenAL32.new | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File opened for modification | C:\Windows\system32\OpenAL32.new | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A
File created | C:\Windows\SysWOW64\wrap_oal.new | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A
File opened for modification | C:\Windows\SysWOW64\tmpFD73.tmp | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File opened for modification | C:\Windows\system32\wrap_oal.new | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\wrap_oal.new | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A
File created | C:\Windows\system32\OpenAL32.new | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File opened for modification | C:\Windows\system32\wrap_oal.new | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\OpenAL\._cache_file.exe | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A
File created | C:\Program Files (x86)\OpenAL\._cache_Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File opened for modification | C:\Program Files (x86)\OpenAL\._cache_Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File opened for modification | C:\Program Files (x86)\OpenAL\._cache_file.exe | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Synaptics\Synaptics.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 2176 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | 7
PID 2176 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\ProgramData\Synaptics\Synaptics.exe | 4
PID 2796 wrote to memory of 2832 | N/A | C:\ProgramData\Synaptics\Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | 7

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_file.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_file.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | xred.mooo.com | udp
US | 8.8.8.8:53 | freedns.afraid.org | udp
US | 69.42.215.252:80 | freedns.afraid.org | tcp
US | 8.8.8.8:53 | docs.google.com | udp
FR | 216.58.214.174:443 | docs.google.com | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
FR | 142.250.179.67:80 | c.pki.goog | tcp
US | 8.8.8.8:53 | o.pki.goog | udp
FR | 142.250.179.67:80 | o.pki.goog | tcp
US | 8.8.8.8:53 | drive.usercontent.google.com | udp
FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp
US | 8.8.8.8:53 | crl.microsoft.com | udp
GB | 2.19.252.143:80 | crl.microsoft.com | tcp
US | 8.8.8.8:53 | www.microsoft.com | udp
GB | 95.100.245.144:80 | www.microsoft.com | tcp

Files

memory/2176-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

\Users\Admin\AppData\Local\Temp\._cache_file.exe

MD5 694f54bd227916b89fc3eb1db53f0685
SHA1 21fdc367291bbef14dac27925cae698d3928eead
SHA256 b8f39714d41e009f75efb183c37100f2cbabb71784bbd243be881ac5b42d86fd
SHA512 55bc0de75a7f27f11eb8f4ee8c9934dfe1acd044d8b7b2151c506bdcbead3ab179df7023f699c9139c77541bbc4b1c0657e93c34a6bc4309b665c6cb7636a7e5

C:\ProgramData\Synaptics\Synaptics.exe

MD5 2756afc3782b185d3c05dd880a8e8313
SHA1 82417bd86f1fb249e296bb6b073b560e47639dde
SHA256 f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682
SHA512 9ffea594cd493cbd6fcb9f6f63dffa9127b17487177e63a466b786bc2d24d8af270c56dc653720266e6ad410ddce0931423354b6fa2dc02a7b2cb91e42321fc2

memory/2176-25-0x0000000000400000-0x0000000000588000-memory.dmp

\Windows\SysWOW64\OpenAL32.new

MD5 235355a8dd26903e75d5e812ecf50e53
SHA1 8316319341a0f9054e19e4a7b21df3dc49386fee
SHA256 1797d150a2e23af4f390f5c33eb598c6f58d0454011d74941f5316add900bbdd
SHA512 5beb9343028790f993d0acb1007fd112b7e2ef6f9fbedfdb62b0140d2bbadf3b6368417ea19edb0bc8674d19418e5784fef4430ce1c329de8e83c304706d39ac

\Windows\SysWOW64\wrap_oal.new

MD5 d494267bc169604fac5e3679b9a97fed
SHA1 c093ce5a4f7dc40f7f604945bd1facfb2c805c4b
SHA256 a4e46e6d09c4b0966824a2f6628ebf738e813672692a52a0d63d982e1030ef4f
SHA512 7cfcfb570ecfa974054b5285c7d6ad3bccf502866ea70789750c3748394cb0991d1fa6dec9c50a506dbc697953663ec2605277a4451098bb8cd6699c4e506040

\Windows\System32\OpenAL32.new

MD5 2ad7b4f3c8d2bb686d231edff404b7a4
SHA1 f29676b96d04bd2765925a3834d9babfdce6a0b3
SHA256 87802322c8e63555c26fe473ce234ce7099745ccb28c02766c2224c726454039
SHA512 51a6c8cfe30e34c37437e6c5f8c602aa0759b65559a82521e2dbcf8a9865b826077854acb6497df6085d67b4c66083ae5f0f192b743a4b6f77ce7b18f01bf528

\Windows\System32\wrap_oal.new

MD5 549347bcd4aacd63243d78e8f869dbb1
SHA1 efc00d2a7c5acfe17b8a58023826e6840aef39a6
SHA256 5379373cf3eff41cdd8c912c65e27e1bd492bd84238d19a093aa846c9b1ce909
SHA512 c6789376d05deb8c5050225c37c023055c107a72b49afddfd3f91e7e7429d38db9346e2e5d38986c2000c3828389cfbe5d74d80423a79eebd0367bcc81137cd5

C:\Windows\SysWOW64\wrap_oal.new

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2796-93-0x0000000000400000-0x0000000000588000-memory.dmp

memory/3044-153-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DcmIxup1.xlsm

MD5 e566fc53051035e1e6fd0ed1823de0f9
SHA1 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512 a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

C:\Users\Admin\AppData\Local\Temp\DcmIxup1.xlsm

MD5 a2c002fa2546ab0fc994bf674ffbeb14
SHA1 21cb66b68397b0a251f45b1a6703da03629ea837
SHA256 2bee2b13cac5f1191625d2ebca7288757a5adece80a9389320d7e69a18b1e3b6
SHA512 40a84e12ed80837f24b8a19964b24357f0a7633e8334e6813c839f0ffdddb1953f2300497c021b1e9c3e5280c07108e4dc514ff33f1d9a105efd052b31ae1528

memory/2796-196-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2796-197-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2796-231-0x0000000000400000-0x0000000000588000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2025-01-02 19:13
Reported: 2025-01-02 19:15
Platform: win10v2004-20241007-en
Max time kernel: 141s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Xred

backdoor xred

Xred family

xred

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Synaptics\Synaptics.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\OpenAL32.new | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\tmpA9DE.tmp | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A
File opened for modification | C:\Windows\SysWOW64\tmp91A2.tmp | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\tmp91A1.tmp | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A
File opened for modification | C:\Windows\system32\OpenAL32.new | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File created | C:\Windows\system32\OpenAL32.new | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A
File opened for modification | C:\Windows\system32\wrap_oal.new | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A
File created | C:\Windows\SysWOW64\OpenAL32.new | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A
File created | C:\Windows\SysWOW64\wrap_oal.new | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A
File created | C:\Windows\system32\wrap_oal.new | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\tmpA9DE.tmp | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\tmpA9DF.tmp | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\tmpA9DF.tmp | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A
File opened for modification | C:\Windows\SysWOW64\tmp91A1.tmp | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\tmp91A2.tmp | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A
File created | C:\Windows\SysWOW64\wrap_oal.new | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File created | C:\Windows\system32\wrap_oal.new | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\OpenAL\._cache_file.exe | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A
File created | C:\Program Files (x86)\OpenAL\._cache_Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File opened for modification | C:\Program Files (x86)\OpenAL\._cache_file.exe | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A
File opened for modification | C:\Program Files (x86)\OpenAL\._cache_Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache_file.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Synaptics\Synaptics.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\ProgramData\Synaptics\Synaptics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_file.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_file.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | xred.mooo.com | udp
US | 8.8.8.8:53 | freedns.afraid.org | udp
US | 69.42.215.252:80 | freedns.afraid.org | tcp
N/A | 224.0.0.251:5353 | | udp
US | 8.8.8.8:53 | 252.215.42.69.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | docs.google.com | udp
FR | 216.58.214.174:443 | docs.google.com | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
FR | 142.250.179.67:80 | c.pki.goog | tcp
US | 8.8.8.8:53 | 174.214.58.216.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.179.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | o.pki.goog | udp
FR | 142.250.179.67:80 | o.pki.goog | tcp
US | 8.8.8.8:53 | drive.usercontent.google.com | udp
FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp
US | 8.8.8.8:53 | 225.74.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp

Files

memory/1388-0-0x0000000000840000-0x0000000000841000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\._cache_file.exe

MD5 694f54bd227916b89fc3eb1db53f0685
SHA1 21fdc367291bbef14dac27925cae698d3928eead
SHA256 b8f39714d41e009f75efb183c37100f2cbabb71784bbd243be881ac5b42d86fd
SHA512 55bc0de75a7f27f11eb8f4ee8c9934dfe1acd044d8b7b2151c506bdcbead3ab179df7023f699c9139c77541bbc4b1c0657e93c34a6bc4309b665c6cb7636a7e5

C:\ProgramData\Synaptics\Synaptics.exe

MD5 2756afc3782b185d3c05dd880a8e8313
SHA1 82417bd86f1fb249e296bb6b073b560e47639dde
SHA256 f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682
SHA512 9ffea594cd493cbd6fcb9f6f63dffa9127b17487177e63a466b786bc2d24d8af270c56dc653720266e6ad410ddce0931423354b6fa2dc02a7b2cb91e42321fc2

memory/1388-127-0x0000000000400000-0x0000000000588000-memory.dmp

memory/3192-129-0x0000000000820000-0x0000000000821000-memory.dmp

memory/3156-190-0x00007FFCF27D0000-0x00007FFCF27E0000-memory.dmp

memory/3156-192-0x00007FFCF27D0000-0x00007FFCF27E0000-memory.dmp

memory/3156-191-0x00007FFCF27D0000-0x00007FFCF27E0000-memory.dmp

memory/3156-193-0x00007FFCF27D0000-0x00007FFCF27E0000-memory.dmp

memory/3156-194-0x00007FFCF27D0000-0x00007FFCF27E0000-memory.dmp

memory/3156-195-0x00007FFCEFE70000-0x00007FFCEFE80000-memory.dmp

memory/3156-196-0x00007FFCEFE70000-0x00007FFCEFE80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6dXZVGEi.xlsm

MD5 e566fc53051035e1e6fd0ed1823de0f9
SHA1 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512 a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

C:\Windows\SysWOW64\OpenAL32.dll

MD5 235355a8dd26903e75d5e812ecf50e53
SHA1 8316319341a0f9054e19e4a7b21df3dc49386fee
SHA256 1797d150a2e23af4f390f5c33eb598c6f58d0454011d74941f5316add900bbdd
SHA512 5beb9343028790f993d0acb1007fd112b7e2ef6f9fbedfdb62b0140d2bbadf3b6368417ea19edb0bc8674d19418e5784fef4430ce1c329de8e83c304706d39ac

C:\Windows\system32\OpenAL32.new

MD5 2ad7b4f3c8d2bb686d231edff404b7a4
SHA1 f29676b96d04bd2765925a3834d9babfdce6a0b3
SHA256 87802322c8e63555c26fe473ce234ce7099745ccb28c02766c2224c726454039
SHA512 51a6c8cfe30e34c37437e6c5f8c602aa0759b65559a82521e2dbcf8a9865b826077854acb6497df6085d67b4c66083ae5f0f192b743a4b6f77ce7b18f01bf528

C:\Windows\system32\wrap_oal.new

MD5 549347bcd4aacd63243d78e8f869dbb1
SHA1 efc00d2a7c5acfe17b8a58023826e6840aef39a6
SHA256 5379373cf3eff41cdd8c912c65e27e1bd492bd84238d19a093aa846c9b1ce909
SHA512 c6789376d05deb8c5050225c37c023055c107a72b49afddfd3f91e7e7429d38db9346e2e5d38986c2000c3828389cfbe5d74d80423a79eebd0367bcc81137cd5

memory/3192-240-0x0000000000820000-0x0000000000821000-memory.dmp

memory/3192-239-0x0000000000400000-0x0000000000588000-memory.dmp

C:\Windows\SysWOW64\wrap_oal.new

MD5 d494267bc169604fac5e3679b9a97fed
SHA1 c093ce5a4f7dc40f7f604945bd1facfb2c805c4b
SHA256 a4e46e6d09c4b0966824a2f6628ebf738e813672692a52a0d63d982e1030ef4f
SHA512 7cfcfb570ecfa974054b5285c7d6ad3bccf502866ea70789750c3748394cb0991d1fa6dec9c50a506dbc697953663ec2605277a4451098bb8cd6699c4e506040

memory/3192-313-0x0000000000400000-0x0000000000588000-memory.dmp