Malware Analysis Report

2025-04-13 21:02

Sample ID 250103-fb9z7azmcx
Target f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe
SHA256 f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682
Tags xred backdoor discovery persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682

Threat Level: Known bad

The file f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe was found to be: Known bad.

Malicious Activity Summary

xred backdoor discovery persistence

Xred

Xred family

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Modifies registry class

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-03 04:43

Signatures

Xred family

xred

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-03 04:43

Reported

2025-01-03 04:45

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe"

Signatures

Xred

backdoor xred

Xred family

xred

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Synaptics\Synaptics.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\tmpDF28.tmp | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File created | C:\Windows\system32\wrap_oal.new | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
File created | C:\Windows\system32\wrap_oal.new | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\tmpDF27.tmp | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\tmpDF27.tmp | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
File opened for modification | C:\Windows\SysWOW64\tmpC6EA.tmp | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
File created | C:\Windows\SysWOW64\OpenAL32.new | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File created | C:\Windows\SysWOW64\OpenAL32.new | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
File opened for modification | C:\Windows\SysWOW64\wrap_oal.new | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
File created | C:\Windows\SysWOW64\wrap_oal.new | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File created | C:\Windows\system32\OpenAL32.new | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
File opened for modification | C:\Windows\SysWOW64\tmpDF28.tmp | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
File created | C:\Windows\SysWOW64\wrap_oal.new | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
File opened for modification | C:\Windows\SysWOW64\tmpC6EB.tmp | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File opened for modification | C:\Windows\system32\OpenAL32.new | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
File opened for modification | C:\Windows\SysWOW64\tmpC6EB.tmp | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
File created | C:\Windows\system32\OpenAL32.new | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\tmpC6EA.tmp | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\OpenAL\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
File created | C:\Program Files (x86)\OpenAL\._cache_Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File created | C:\Program Files (x86)\OpenAL\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
File opened for modification | C:\Program Files (x86)\OpenAL\._cache_Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Synaptics\Synaptics.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\ProgramData\Synaptics\Synaptics.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2404 wrote to memory of 372 | N/A | C:\Users\Admin\AppData\Local\Temp\f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe
PID 2404 wrote to memory of 372 | N/A | C:\Users\Admin\AppData\Local\Temp\f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe
PID 2404 wrote to memory of 372 | N/A | C:\Users\Admin\AppData\Local\Temp\f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe
PID 2404 wrote to memory of 684 | N/A | C:\Users\Admin\AppData\Local\Temp\f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | C:\ProgramData\Synaptics\Synaptics.exe
PID 2404 wrote to memory of 684 | N/A | C:\Users\Admin\AppData\Local\Temp\f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | C:\ProgramData\Synaptics\Synaptics.exe
PID 2404 wrote to memory of 684 | N/A | C:\Users\Admin\AppData\Local\Temp\f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | C:\ProgramData\Synaptics\Synaptics.exe
PID 684 wrote to memory of 460 | N/A | C:\ProgramData\Synaptics\Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 684 wrote to memory of 460 | N/A | C:\ProgramData\Synaptics\Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 684 wrote to memory of 460 | N/A | C:\ProgramData\Synaptics\Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe

"C:\Users\Admin\AppData\Local\Temp\f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.89.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | xred.mooo.com | udp
US | 8.8.8.8:53 | freedns.afraid.org | udp
US | 69.42.215.252:80 | freedns.afraid.org | tcp
N/A | 224.0.0.251:5353 | | udp
US | 8.8.8.8:53 | 252.215.42.69.in-addr.arpa | udp
US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp
US | 8.8.8.8:53 | docs.google.com | udp
FR | 216.58.214.174:443 | docs.google.com | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
FR | 142.250.179.67:80 | c.pki.goog | tcp
US | 8.8.8.8:53 | o.pki.goog | udp
FR | 142.250.179.67:80 | o.pki.goog | tcp
US | 8.8.8.8:53 | drive.usercontent.google.com | udp
FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp
US | 8.8.8.8:53 | 174.214.58.216.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.179.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 225.74.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 85.49.80.91.in-addr.arpa | udp

Files

memory/2404-0-0x0000000002530000-0x0000000002531000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe

MD5 694f54bd227916b89fc3eb1db53f0685
SHA1 21fdc367291bbef14dac27925cae698d3928eead
SHA256 b8f39714d41e009f75efb183c37100f2cbabb71784bbd243be881ac5b42d86fd
SHA512 55bc0de75a7f27f11eb8f4ee8c9934dfe1acd044d8b7b2151c506bdcbead3ab179df7023f699c9139c77541bbc4b1c0657e93c34a6bc4309b665c6cb7636a7e5

C:\ProgramData\Synaptics\Synaptics.exe

MD5 2756afc3782b185d3c05dd880a8e8313
SHA1 82417bd86f1fb249e296bb6b073b560e47639dde
SHA256 f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682
SHA512 9ffea594cd493cbd6fcb9f6f63dffa9127b17487177e63a466b786bc2d24d8af270c56dc653720266e6ad410ddce0931423354b6fa2dc02a7b2cb91e42321fc2

memory/2404-127-0x0000000000400000-0x0000000000588000-memory.dmp

memory/684-129-0x00000000022D0000-0x00000000022D1000-memory.dmp

memory/2652-190-0x00007FFCE9070000-0x00007FFCE9080000-memory.dmp

memory/2652-191-0x00007FFCE9070000-0x00007FFCE9080000-memory.dmp

memory/2652-192-0x00007FFCE9070000-0x00007FFCE9080000-memory.dmp

memory/2652-193-0x00007FFCE9070000-0x00007FFCE9080000-memory.dmp

memory/2652-194-0x00007FFCE9070000-0x00007FFCE9080000-memory.dmp

memory/2652-195-0x00007FFCE6E20000-0x00007FFCE6E30000-memory.dmp

memory/2652-196-0x00007FFCE6E20000-0x00007FFCE6E30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZRQgjWeZ.xlsm

MD5 e566fc53051035e1e6fd0ed1823de0f9
SHA1 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512 a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

C:\Users\Admin\AppData\Local\Temp\4AB75E00

MD5 950ee9b20330b4d132d9996a8d279858
SHA1 49c4b8387a1b1abec01c03096739ec58d846bab8
SHA256 e0d3e8c7dca842cbbb056eb6378b921d5cc822fbc7552b28ce35781d478cfda5
SHA512 f7fcff50ece846108beaaa397294ba79fd5bfeff8d5b203c702fcf6a769d2fe56f323346efed405791f2af1cb8847a60f5bea7f61a668a3239130334bc097e37

C:\Windows\SysWOW64\wrap_oal.new

MD5 d494267bc169604fac5e3679b9a97fed
SHA1 c093ce5a4f7dc40f7f604945bd1facfb2c805c4b
SHA256 a4e46e6d09c4b0966824a2f6628ebf738e813672692a52a0d63d982e1030ef4f
SHA512 7cfcfb570ecfa974054b5285c7d6ad3bccf502866ea70789750c3748394cb0991d1fa6dec9c50a506dbc697953663ec2605277a4451098bb8cd6699c4e506040

C:\Windows\System32\OpenAL32.new

MD5 2ad7b4f3c8d2bb686d231edff404b7a4
SHA1 f29676b96d04bd2765925a3834d9babfdce6a0b3
SHA256 87802322c8e63555c26fe473ce234ce7099745ccb28c02766c2224c726454039
SHA512 51a6c8cfe30e34c37437e6c5f8c602aa0759b65559a82521e2dbcf8a9865b826077854acb6497df6085d67b4c66083ae5f0f192b743a4b6f77ce7b18f01bf528

C:\Windows\System32\wrap_oal.new

MD5 549347bcd4aacd63243d78e8f869dbb1
SHA1 efc00d2a7c5acfe17b8a58023826e6840aef39a6
SHA256 5379373cf3eff41cdd8c912c65e27e1bd492bd84238d19a093aa846c9b1ce909
SHA512 c6789376d05deb8c5050225c37c023055c107a72b49afddfd3f91e7e7429d38db9346e2e5d38986c2000c3828389cfbe5d74d80423a79eebd0367bcc81137cd5

memory/684-279-0x00000000022D0000-0x00000000022D1000-memory.dmp

memory/684-278-0x0000000000400000-0x0000000000588000-memory.dmp

C:\Windows\SysWOW64\OpenAL32.dll

MD5 235355a8dd26903e75d5e812ecf50e53
SHA1 8316319341a0f9054e19e4a7b21df3dc49386fee
SHA256 1797d150a2e23af4f390f5c33eb598c6f58d0454011d74941f5316add900bbdd
SHA512 5beb9343028790f993d0acb1007fd112b7e2ef6f9fbedfdb62b0140d2bbadf3b6368417ea19edb0bc8674d19418e5784fef4430ce1c329de8e83c304706d39ac

memory/684-360-0x0000000000400000-0x0000000000588000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-03 04:43

Reported

2025-01-03 04:45

Platform

win7-20240903-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe"

Signatures

Xred

backdoor xred

Xred family

xred

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A
N/A | N/A | C:\ProgramData\Synaptics\Synaptics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | C:\Users\Admin\AppData\Local\Temp\f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\wrap_oal.new | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File created | C:\Windows\system32\OpenAL32.new | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
File opened for modification | C:\Windows\SysWOW64\tmp1097.tmp | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\tmp1098.tmp | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
File opened for modification | C:\Windows\SysWOW64\OpenAL32.new | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
File opened for modification | C:\Windows\system32\OpenAL32.new | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
File opened for modification | C:\Windows\SysWOW64\tmpF824.tmp | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\tmpF827.tmp | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
File created | C:\Windows\SysWOW64\OpenAL32.new | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
File opened for modification | C:\Windows\SysWOW64\tmp1086.tmp | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\tmpF825.tmp | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File created | C:\Windows\SysWOW64\wrap_oal.new | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
File opened for modification | C:\Windows\SysWOW64\wrap_oal.new | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File created | C:\Windows\system32\wrap_oal.new | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
File opened for modification | C:\Windows\SysWOW64\tmp1096.tmp | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
File created | C:\Windows\SysWOW64\OpenAL32.new | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\tmpF826.tmp | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
File created | C:\Windows\system32\OpenAL32.new | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File opened for modification | C:\Windows\system32\wrap_oal.new | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\OpenAL\._cache_Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
File created | C:\Program Files (x86)\OpenAL\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
File opened for modification | C:\Program Files (x86)\OpenAL\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
File opened for modification | C:\Program Files (x86)\OpenAL\._cache_Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\Synaptics\Synaptics.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1044 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe
PID 1044 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe
PID 1044 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe
PID 1044 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe
PID 1044 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe
PID 1044 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe
PID 1044 wrote to memory of 2188 | N/A | C:\Users\Admin\AppData\Local\Temp\f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe
PID 1044 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | C:\ProgramData\Synaptics\Synaptics.exe
PID 1044 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | C:\ProgramData\Synaptics\Synaptics.exe
PID 1044 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | C:\ProgramData\Synaptics\Synaptics.exe
PID 1044 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe | C:\ProgramData\Synaptics\Synaptics.exe
PID 2236 wrote to memory of 2844 | N/A | C:\ProgramData\Synaptics\Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2236 wrote to memory of 2844 | N/A | C:\ProgramData\Synaptics\Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2236 wrote to memory of 2844 | N/A | C:\ProgramData\Synaptics\Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2236 wrote to memory of 2844 | N/A | C:\ProgramData\Synaptics\Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2236 wrote to memory of 2844 | N/A | C:\ProgramData\Synaptics\Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2236 wrote to memory of 2844 | N/A | C:\ProgramData\Synaptics\Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2236 wrote to memory of 2844 | N/A | C:\ProgramData\Synaptics\Synaptics.exe | C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe

"C:\Users\Admin\AppData\Local\Temp\f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | xred.mooo.com | udp
US | 8.8.8.8:53 | freedns.afraid.org | udp
US | 69.42.215.252:80 | freedns.afraid.org | tcp
US | 8.8.8.8:53 | docs.google.com | udp
FR | 216.58.214.174:443 | docs.google.com | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
FR | 142.250.179.67:80 | c.pki.goog | tcp
US | 8.8.8.8:53 | o.pki.goog | udp
FR | 142.250.179.67:80 | o.pki.goog | tcp
US | 8.8.8.8:53 | drive.usercontent.google.com | udp
FR | 142.250.74.225:443 | drive.usercontent.google.com | tcp
US | 8.8.8.8:53 | crl.microsoft.com | udp
GB | 88.221.134.146:80 | crl.microsoft.com | tcp
US | 8.8.8.8:53 | www.microsoft.com | udp
GB | 95.100.245.144:80 | www.microsoft.com | tcp

Files

memory/1044-0-0x0000000000220000-0x0000000000221000-memory.dmp

\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe

MD5 694f54bd227916b89fc3eb1db53f0685
SHA1 21fdc367291bbef14dac27925cae698d3928eead
SHA256 b8f39714d41e009f75efb183c37100f2cbabb71784bbd243be881ac5b42d86fd
SHA512 55bc0de75a7f27f11eb8f4ee8c9934dfe1acd044d8b7b2151c506bdcbead3ab179df7023f699c9139c77541bbc4b1c0657e93c34a6bc4309b665c6cb7636a7e5

C:\ProgramData\Synaptics\Synaptics.exe

MD5 2756afc3782b185d3c05dd880a8e8313
SHA1 82417bd86f1fb249e296bb6b073b560e47639dde
SHA256 f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682
SHA512 9ffea594cd493cbd6fcb9f6f63dffa9127b17487177e63a466b786bc2d24d8af270c56dc653720266e6ad410ddce0931423354b6fa2dc02a7b2cb91e42321fc2

memory/1044-25-0x0000000000400000-0x0000000000588000-memory.dmp

\Windows\SysWOW64\OpenAL32.new

MD5 235355a8dd26903e75d5e812ecf50e53
SHA1 8316319341a0f9054e19e4a7b21df3dc49386fee
SHA256 1797d150a2e23af4f390f5c33eb598c6f58d0454011d74941f5316add900bbdd
SHA512 5beb9343028790f993d0acb1007fd112b7e2ef6f9fbedfdb62b0140d2bbadf3b6368417ea19edb0bc8674d19418e5784fef4430ce1c329de8e83c304706d39ac

\Windows\SysWOW64\wrap_oal.new

MD5 d494267bc169604fac5e3679b9a97fed
SHA1 c093ce5a4f7dc40f7f604945bd1facfb2c805c4b
SHA256 a4e46e6d09c4b0966824a2f6628ebf738e813672692a52a0d63d982e1030ef4f
SHA512 7cfcfb570ecfa974054b5285c7d6ad3bccf502866ea70789750c3748394cb0991d1fa6dec9c50a506dbc697953663ec2605277a4451098bb8cd6699c4e506040

\Windows\System32\OpenAL32.new

MD5 2ad7b4f3c8d2bb686d231edff404b7a4
SHA1 f29676b96d04bd2765925a3834d9babfdce6a0b3
SHA256 87802322c8e63555c26fe473ce234ce7099745ccb28c02766c2224c726454039
SHA512 51a6c8cfe30e34c37437e6c5f8c602aa0759b65559a82521e2dbcf8a9865b826077854acb6497df6085d67b4c66083ae5f0f192b743a4b6f77ce7b18f01bf528

C:\Windows\system32\wrap_oal.new

MD5 549347bcd4aacd63243d78e8f869dbb1
SHA1 efc00d2a7c5acfe17b8a58023826e6840aef39a6
SHA256 5379373cf3eff41cdd8c912c65e27e1bd492bd84238d19a093aa846c9b1ce909
SHA512 c6789376d05deb8c5050225c37c023055c107a72b49afddfd3f91e7e7429d38db9346e2e5d38986c2000c3828389cfbe5d74d80423a79eebd0367bcc81137cd5

memory/2236-67-0x0000000000400000-0x0000000000588000-memory.dmp

memory/1292-101-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uiSPUA3r.xlsm

MD5 e566fc53051035e1e6fd0ed1823de0f9
SHA1 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512 a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

C:\Users\Admin\AppData\Local\Temp\uiSPUA3r.xlsm

MD5 83d42837e90ff7448c03667abfa16f0f
SHA1 95364e28682983fd33d2eef6d9f5dfba0a9c1f0f
SHA256 a820e62b0af767fd6e2a0fce99d96a4145a5580ab87ff0658f81a34523468c12
SHA512 c36e6c5973e692a423870f493aa3b6b6dc50ca0bef195305d74d125046c203f60efcd92fe4d2801eb94c6f3dd705f54269198ffd48f7fe293e030f526cbb5952

C:\Users\Admin\AppData\Local\Temp\uiSPUA3r.xlsm

MD5 6d6e3aa762a418992452a1d4bb22ad9a
SHA1 deb6997c7df4712128c01a998519eaabcf94114d
SHA256 b8b431aeae80e61078e94c8ee7911c927279e2fc2e962eaf50020675730b0f29
SHA512 7d37051266d577127e37e2052aa1d55e6566468e9a86a26822d88ba5cfefc8464cd82770cd6e35b45202da193c806dda75ead0519475b6dd97c3714b641d56c8

C:\Users\Admin\AppData\Local\Temp\uiSPUA3r.xlsm

MD5 bdba097c25dfec639767390de30aca92
SHA1 4770ea7d483ef5eabb3a8b419063d508502e9f95
SHA256 afd69e701b6aaed1082bcd78fad105c0a789932f2a8eca6c96a600b3fb58908d
SHA512 03790c24dd8100eedac95064a5e77e4a58c384d8bea47a788bad0858aeaad0308c8be7260d0472dfc445ebdeaef153e71ac91e6d46379d744b733dd4c0841142

C:\Users\Admin\AppData\Local\Temp\uiSPUA3r.xlsm

MD5 1b325be293990a33879ecbcfbe49fcd5
SHA1 2f01f577fdb0f9fe3bd96d9fd4b86565b867a7fd
SHA256 2066e0e22da27893acf088db81fd7ee5caa3a083e16fcb66ac0938dfb53fce85
SHA512 4b59ba5ed9c655684509bc743ad3846c7f2282bc7d84fa27b1887fab66dd88515163b85ee71bef1eb598e24e7740651d47663dff7c3f1d7dd56e7be426a6aa7a

C:\Users\Admin\AppData\Local\Temp\~$uiSPUA3r.xlsm

MD5 ff09371174f7c701e75f357a187c06e8
SHA1 57f9a638fd652922d7eb23236c80055a91724503
SHA256 e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8
SHA512 e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

memory/1292-177-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2236-178-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2236-179-0x0000000000400000-0x0000000000588000-memory.dmp

memory/2236-211-0x0000000000400000-0x0000000000588000-memory.dmp