Malware Analysis Report

2025-04-13 21:02

Sample ID 250103-d6schs1kfq
Target 70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe
SHA256 70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435
Tags
xred backdoor discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435

Threat Level: Known bad

The file 70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe was found to be: Known bad.

Malicious Activity Summary

xred backdoor discovery persistence

Xred

Xred family

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Checks installed software on the system

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-03 03:37

Signatures

Xred family

xred

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-03 03:37

Reported

2025-01-03 03:40

Platform

win7-20240903-en

Max time kernel

144s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe"

Signatures

Xred

backdoor xred

Xred family

xred

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | N/A |

Checks installed software on the system

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\{22015C37-1906-48AA-BC4F-73B6BA618102}\.cr\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\{82637216-CAE8-4BCF-858B-F9CE2AF2FEAC}\.cr\._cache_Synaptics.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |

Enumerates system info in registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |

Suspicious behavior: AddClipboardFormatListener

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |

Suspicious use of SetWindowsHookEx

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3060 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | C:\Users\Admin\AppData\Local\Temp\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe |
| PID 3060 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | C:\Users\Admin\AppData\Local\Temp\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe |
| PID 3060 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | C:\Users\Admin\AppData\Local\Temp\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe |
| PID 3060 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | C:\Users\Admin\AppData\Local\Temp\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe |
| PID 3060 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | C:\Users\Admin\AppData\Local\Temp\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe |
| PID 3060 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | C:\Users\Admin\AppData\Local\Temp\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe |
| PID 3060 wrote to memory of 1972 | N/A | C:\Users\Admin\AppData\Local\Temp\70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | C:\Users\Admin\AppData\Local\Temp\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe |
| PID 1972 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | C:\Windows\Temp\{22015C37-1906-48AA-BC4F-73B6BA618102}\.cr\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe |
| PID 1972 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | C:\Windows\Temp\{22015C37-1906-48AA-BC4F-73B6BA618102}\.cr\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe |
| PID 1972 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | C:\Windows\Temp\{22015C37-1906-48AA-BC4F-73B6BA618102}\.cr\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe |
| PID 1972 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | C:\Windows\Temp\{22015C37-1906-48AA-BC4F-73B6BA618102}\.cr\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe |
| PID 1972 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | C:\Windows\Temp\{22015C37-1906-48AA-BC4F-73B6BA618102}\.cr\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe |
| PID 1972 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | C:\Windows\Temp\{22015C37-1906-48AA-BC4F-73B6BA618102}\.cr\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe |
| PID 1972 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | C:\Windows\Temp\{22015C37-1906-48AA-BC4F-73B6BA618102}\.cr\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe |
| PID 3060 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | C:\ProgramData\Synaptics\Synaptics.exe |
| PID 3060 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | C:\ProgramData\Synaptics\Synaptics.exe |
| PID 3060 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | C:\ProgramData\Synaptics\Synaptics.exe |
| PID 3060 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | C:\ProgramData\Synaptics\Synaptics.exe |
| PID 2652 wrote to memory of 1084 | N/A | C:\ProgramData\Synaptics\Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe |
| PID 2652 wrote to memory of 1084 | N/A | C:\ProgramData\Synaptics\Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe |
| PID 2652 wrote to memory of 1084 | N/A | C:\ProgramData\Synaptics\Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe |
| PID 2652 wrote to memory of 1084 | N/A | C:\ProgramData\Synaptics\Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe |
| PID 2652 wrote to memory of 1084 | N/A | C:\ProgramData\Synaptics\Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe |
| PID 2652 wrote to memory of 1084 | N/A | C:\ProgramData\Synaptics\Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe |
| PID 2652 wrote to memory of 1084 | N/A | C:\ProgramData\Synaptics\Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe |
| PID 1084 wrote to memory of 796 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | C:\Windows\Temp\{82637216-CAE8-4BCF-858B-F9CE2AF2FEAC}\.cr\._cache_Synaptics.exe |
| PID 1084 wrote to memory of 796 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | C:\Windows\Temp\{82637216-CAE8-4BCF-858B-F9CE2AF2FEAC}\.cr\._cache_Synaptics.exe |
| PID 1084 wrote to memory of 796 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | C:\Windows\Temp\{82637216-CAE8-4BCF-858B-F9CE2AF2FEAC}\.cr\._cache_Synaptics.exe |
| PID 1084 wrote to memory of 796 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | C:\Windows\Temp\{82637216-CAE8-4BCF-858B-F9CE2AF2FEAC}\.cr\._cache_Synaptics.exe |
| PID 1084 wrote to memory of 796 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | C:\Windows\Temp\{82637216-CAE8-4BCF-858B-F9CE2AF2FEAC}\.cr\._cache_Synaptics.exe |
| PID 1084 wrote to memory of 796 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | C:\Windows\Temp\{82637216-CAE8-4BCF-858B-F9CE2AF2FEAC}\.cr\._cache_Synaptics.exe |
| PID 1084 wrote to memory of 796 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | C:\Windows\Temp\{82637216-CAE8-4BCF-858B-F9CE2AF2FEAC}\.cr\._cache_Synaptics.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe

"C:\Users\Admin\AppData\Local\Temp\70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe"

C:\Windows\Temp\{22015C37-1906-48AA-BC4F-73B6BA618102}\.cr\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe

"C:\Windows\Temp\{22015C37-1906-48AA-BC4F-73B6BA618102}\.cr\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Windows\Temp\{82637216-CAE8-4BCF-858B-F9CE2AF2FEAC}\.cr\._cache_Synaptics.exe

"C:\Windows\Temp\{82637216-CAE8-4BCF-858B-F9CE2AF2FEAC}\.cr\._cache_Synaptics.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 InjUpdate

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | xred.mooo.com | udp |
| US | 8.8.8.8:53 | freedns.afraid.org | udp |
| US | 69.42.215.252:80 | freedns.afraid.org | tcp |
| US | 8.8.8.8:53 | docs.google.com | udp |
| FR | 216.58.214.174:443 | docs.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 142.250.179.67:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| FR | 142.250.179.67:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 88.221.134.146:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 23.192.26.94:80 | www.microsoft.com | tcp |

Files

memory/3060-0-0x0000000000220000-0x0000000000221000-memory.dmp

\Users\Admin\AppData\Local\Temp\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe

MD5 de34b1c517e0463602624bbc8294c08d
SHA1 5ce7923ffea712468c05e7ac376dd9c29ea9f6be
SHA256 ac96016f1511ae3eb5ec9de04551146fe351b7f97858dcd67163912e2302f5d6
SHA512 114bca1ecd17e419ad617a1a4341e607250bcb02626cdc0670eb60be734bbad1f3c84e38f077af9a32a6b1607b8ce6e4b3641c0faefaa779c0fec0d3ac022dac

C:\ProgramData\Synaptics\Synaptics.exe

MD5 7274b0b15c4e6d5bbe8db5aa93c65a12
SHA1 643418b70ee7242fb4cf797e54ec78c910d32824
SHA256 70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435
SHA512 241ca5eaa520a22a1c264f2fd3307c95d78fb56c2433602e42dcf9f2eb419ed2d43d40f6524a61a1d6e696375f7ea722fd502fa939d4453d88ca63ac068be224

\Windows\Temp\{22015C37-1906-48AA-BC4F-73B6BA618102}\.cr\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe

MD5 2f9d2b6ce54f9095695b53d1aa217c7b
SHA1 3f54934c240f1955301811d2c399728a3e6d1272
SHA256 0009d3f27837c3af3f6fff7973faf07afaa4b53119846f55b6f2a79f1759c757
SHA512 692857f960f26039c7b0af6329e65a71e8588ff71eaac6b956bd6e437994a8d5a470c7e75dd776e0772e473967b64d5ea0e1d8396546691316daf4d6b8ccc237

\Windows\Temp\{F334285F-72CA-46DE-8C3B-1EEB68BD0DAB}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

memory/3060-67-0x0000000000400000-0x0000000001281000-memory.dmp

C:\Windows\Temp\{F334285F-72CA-46DE-8C3B-1EEB68BD0DAB}\.ba\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

memory/572-135-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ghkOwGk4.xlsm

MD5 e566fc53051035e1e6fd0ed1823de0f9
SHA1 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512 a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

C:\Users\Admin\AppData\Local\Temp\ghkOwGk4.xlsm

MD5 955962bcb3fb38fc32e84a85af7ec14a
SHA1 615808b78f03ef029a31e9c90f2aca4c3e3fd8e5
SHA256 068c29b84dce0e70c53ff86c738c5b0d33f84ea8e3bda8baabafc126b994c74d
SHA512 298320e195fbb996a383693c8ef108ae5d34f082029e9cf51f88683d80c57b60286672ece75cc661587f927b5be482bd015628802fe31a119c0001eb7c35e977

C:\Users\Admin\AppData\Local\Temp\ghkOwGk4.xlsm

MD5 c103d59378ed4bc475b7e3aa893cec70
SHA1 c71448efa09c5f956ffe1bb7db6827ab2f0ef836
SHA256 f74d7ce43c5a65c3d9c285bc179fa4ab6374e2aa224e4cf941a7eed5c3f81e37
SHA512 8028535c059484d4b832771f7af4d5bae2eb3f89c9382a3c0cc7c08fc221c67fe8a46c343e8e0086a8501b026d8be5a123406c1f9e4f916836abc3d758dde3cb

C:\Users\Admin\AppData\Local\Temp\ghkOwGk4.xlsm

MD5 4902c345b9db73ca26e4bb9b65e0e6d1
SHA1 4a687843fa1ce4ecaafcf04535d0e4147553f9a2
SHA256 6467833674170d5f3c470f2189111e8817576cb3c50579e03a9b37e3e6ddcc2a
SHA512 98c02e3dbfbd4bfc66ab69fb45245958b9a7255ea93ea22182cc61f5e8188bda4adb6f46da14bb998565384fbf13916f8fa3551021aa2d97d85f186477f794f0

C:\Users\Admin\AppData\Local\Temp\ghkOwGk4.xlsm

MD5 6331dabfaff67e686a38d50040613882
SHA1 0d198576b441c4136180502cc097b8f0739bd957
SHA256 49746b5b74ed7e725a2c485f3cec2389198a2c6f470cac1a1c6c91549074ff65
SHA512 77eae6110be75406c80e23a2f5591c80ab3926fabd34ce2cf410a166cce9cc4314911bca5a21ce4260fcd05cfc20c8ee75e22791da51e530fedff843bbf713c6

C:\Users\Admin\Desktop\~$LimitTrace.xlsx

MD5 ff09371174f7c701e75f357a187c06e8
SHA1 57f9a638fd652922d7eb23236c80055a91724503
SHA256 e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8
SHA512 e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

C:\Users\Admin\AppData\Local\Temp\ghkOwGk4.xlsm

MD5 52457299604c539ce8411e0715c319d5
SHA1 b962722e6dfdcf548878546fe29d5a9957a10a53
SHA256 df0ed27c2ef12bfcf7ad64e29881cc255a6907ded0b9c2511481992af2176e59
SHA512 326ab24d2608620b7b6db0fcc0346e6a027b005c257074f75c717f794d813c5c62109de836b5242a4af0c97fc6a6441cf62a122f9b486e1cc2a1aa7080a2e81d

C:\Users\Admin\AppData\Local\Temp\ghkOwGk4.xlsm

MD5 49d6bffd6cac4075fd9d2d33d5f1a406
SHA1 6f15b0167d3f90ba34c1cb47fdbc28ba45f73c94
SHA256 f7a7c7fe1230a17144be19dadc15f45d7f10da35e8b46fa6000348341ddbca22
SHA512 2ee44218587a7f3977748c8bfc2c436596a6b32428cd36ceee0da97e8163cc79a30901ce5e619027c6e536cd2206a9bf0b8b6841059ee1c4f9d7d9ac1b4aa4d6

memory/572-233-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2652-234-0x0000000000400000-0x0000000001281000-memory.dmp

memory/2652-301-0x0000000000400000-0x0000000001281000-memory.dmp

memory/2652-333-0x0000000000400000-0x0000000001281000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-03 03:37

Reported

2025-01-03 03:40

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe"

Signatures

Xred

backdoor xred

Xred family

xred

Checks computer location settings

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | N/A |

Checks installed software on the system

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\{9975FC24-4B7F-40B4-9F6D-8AC9F88A45D4}\.cr\._cache_Synaptics.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\{B141C5DE-CAB7-472A-AA69-D194E25AF2ED}\.cr\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Synaptics\Synaptics.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A |

Checks processor information in registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |

Enumerates system info in registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |

Modifies registry class

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\ProgramData\Synaptics\Synaptics.exe | N/A |

Suspicious behavior: AddClipboardFormatListener

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 964 wrote to memory of 3556 | N/A | C:\Users\Admin\AppData\Local\Temp\70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | C:\Users\Admin\AppData\Local\Temp\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe |
| PID 964 wrote to memory of 3556 | N/A | C:\Users\Admin\AppData\Local\Temp\70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | C:\Users\Admin\AppData\Local\Temp\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe |
| PID 964 wrote to memory of 3556 | N/A | C:\Users\Admin\AppData\Local\Temp\70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | C:\Users\Admin\AppData\Local\Temp\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe |
| PID 3556 wrote to memory of 3328 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | C:\Windows\Temp\{B141C5DE-CAB7-472A-AA69-D194E25AF2ED}\.cr\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe |
| PID 3556 wrote to memory of 3328 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | C:\Windows\Temp\{B141C5DE-CAB7-472A-AA69-D194E25AF2ED}\.cr\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe |
| PID 3556 wrote to memory of 3328 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | C:\Windows\Temp\{B141C5DE-CAB7-472A-AA69-D194E25AF2ED}\.cr\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe |
| PID 964 wrote to memory of 3592 | N/A | C:\Users\Admin\AppData\Local\Temp\70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | C:\ProgramData\Synaptics\Synaptics.exe |
| PID 964 wrote to memory of 3592 | N/A | C:\Users\Admin\AppData\Local\Temp\70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | C:\ProgramData\Synaptics\Synaptics.exe |
| PID 964 wrote to memory of 3592 | N/A | C:\Users\Admin\AppData\Local\Temp\70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe | C:\ProgramData\Synaptics\Synaptics.exe |
| PID 3592 wrote to memory of 396 | N/A | C:\ProgramData\Synaptics\Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe |
| PID 3592 wrote to memory of 396 | N/A | C:\ProgramData\Synaptics\Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe |
| PID 3592 wrote to memory of 396 | N/A | C:\ProgramData\Synaptics\Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe |
| PID 396 wrote to memory of 844 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | C:\Windows\Temp\{9975FC24-4B7F-40B4-9F6D-8AC9F88A45D4}\.cr\._cache_Synaptics.exe |
| PID 396 wrote to memory of 844 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | C:\Windows\Temp\{9975FC24-4B7F-40B4-9F6D-8AC9F88A45D4}\.cr\._cache_Synaptics.exe |
| PID 396 wrote to memory of 844 | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | C:\Windows\Temp\{9975FC24-4B7F-40B4-9F6D-8AC9F88A45D4}\.cr\._cache_Synaptics.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe

"C:\Users\Admin\AppData\Local\Temp\70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe"

C:\Windows\Temp\{B141C5DE-CAB7-472A-AA69-D194E25AF2ED}\.cr\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe

"C:\Windows\Temp\{B141C5DE-CAB7-472A-AA69-D194E25AF2ED}\.cr\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Windows\Temp\{9975FC24-4B7F-40B4-9F6D-8AC9F88A45D4}\.cr\._cache_Synaptics.exe

"C:\Windows\Temp\{9975FC24-4B7F-40B4-9F6D-8AC9F88A45D4}\.cr\._cache_Synaptics.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" -burn.filehandle.attached=540 -burn.filehandle.self=648 InjUpdate

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xred.mooo.com | udp |
| US | 8.8.8.8:53 | freedns.afraid.org | udp |
| US | 69.42.215.252:80 | freedns.afraid.org | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 252.215.42.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | docs.google.com | udp |
| FR | 216.58.214.174:443 | docs.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| FR | 142.250.179.67:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| FR | 142.250.179.67:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 67.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.214.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.74.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |

Files

memory/964-0-0x0000000001490000-0x0000000001491000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe

MD5 de34b1c517e0463602624bbc8294c08d
SHA1 5ce7923ffea712468c05e7ac376dd9c29ea9f6be
SHA256 ac96016f1511ae3eb5ec9de04551146fe351b7f97858dcd67163912e2302f5d6
SHA512 114bca1ecd17e419ad617a1a4341e607250bcb02626cdc0670eb60be734bbad1f3c84e38f077af9a32a6b1607b8ce6e4b3641c0faefaa779c0fec0d3ac022dac

C:\ProgramData\Synaptics\Synaptics.exe

MD5 7274b0b15c4e6d5bbe8db5aa93c65a12
SHA1 643418b70ee7242fb4cf797e54ec78c910d32824
SHA256 70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435
SHA512 241ca5eaa520a22a1c264f2fd3307c95d78fb56c2433602e42dcf9f2eb419ed2d43d40f6524a61a1d6e696375f7ea722fd502fa939d4453d88ca63ac068be224

C:\Windows\Temp\{B141C5DE-CAB7-472A-AA69-D194E25AF2ED}\.cr\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe

MD5 2f9d2b6ce54f9095695b53d1aa217c7b
SHA1 3f54934c240f1955301811d2c399728a3e6d1272
SHA256 0009d3f27837c3af3f6fff7973faf07afaa4b53119846f55b6f2a79f1759c757
SHA512 692857f960f26039c7b0af6329e65a71e8588ff71eaac6b956bd6e437994a8d5a470c7e75dd776e0772e473967b64d5ea0e1d8396546691316daf4d6b8ccc237

C:\Windows\Temp\{FA80963A-62D9-4FC3-803D-F0E8383801A0}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

memory/964-164-0x0000000000400000-0x0000000001281000-memory.dmp

C:\Windows\Temp\{FA80963A-62D9-4FC3-803D-F0E8383801A0}\.ba\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

memory/2092-276-0x00007FF909DD0000-0x00007FF909DE0000-memory.dmp

memory/2092-275-0x00007FF909DD0000-0x00007FF909DE0000-memory.dmp

memory/2092-274-0x00007FF909DD0000-0x00007FF909DE0000-memory.dmp

memory/2092-273-0x00007FF909DD0000-0x00007FF909DE0000-memory.dmp

memory/2092-269-0x00007FF909DD0000-0x00007FF909DE0000-memory.dmp

memory/2092-288-0x00007FF907570000-0x00007FF907580000-memory.dmp

memory/2092-289-0x00007FF907570000-0x00007FF907580000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RxvTEFaP.xlsm

MD5 e566fc53051035e1e6fd0ed1823de0f9
SHA1 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512 a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

C:\Users\Admin\AppData\Local\Temp\EB775E00

MD5 275f71f5fda10488aeba312ed8c192bc
SHA1 fec8f6a7f0692afe323eedfd25c72bd1c815b41b
SHA256 04fdc087dd6d4d2306355457ac65e4bf46c43c1ebf0c64137516927e8816ee30
SHA512 82528e6081be240d3824f2c2b71536bc5ebf8f351e6b7b01f49d32fc0ce599230851605c95dfb7393aabbd17745309895160b54cd4e4470e867f241ad97cf868

memory/3592-338-0x0000000000400000-0x0000000001281000-memory.dmp

memory/3592-435-0x0000000000400000-0x0000000001281000-memory.dmp