xred | db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85

Analysis

max time kernel
9s
max time network
10s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/01/2025, 04:42

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
Size

6KB
MD5

06303600a3a44eb2fbce248eb0fe9fc1
SHA1

ccfb720a50808469da5d67eea306d08f51e11538
SHA256

db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85
SHA512

b135f23760aba312cb0c0cab697d2ec4f735f5cad9011d3b11310eb9cc59f65c4ffdc757e4f39bdcf6c8abb3badb6865301ffd5ed817c1251b6ecabe21f17df9
SSDEEP

192:DfaOBqbo/qmA2LEnrtDINynT+vCgcJXB:OOY8tLqltJXB

Score

10^/10

xred backdoor discovery macro persistence upx

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Downloads MZ/PE file

Suspicious Office macro 3 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x0006000000019319-147.dat
behavioral1/files/0x000700000001929a-170.dat
behavioral1/files/0x000500000001946a-188.dat

Drops startup file 9 IoCs

description	ioc	Process
File created	C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cghqi.exe	4.exe
File opened for modification	C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cghqi.exe	4.exe
File created	C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\clxa.exe	4.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\cbas.lnk	wic.exe
File created	C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\__tmp_rar_sfx_access_check_259456541	4.exe
File created	C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bykcxw.exe	4.exe
File opened for modification	C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bykcxw.exe	4.exe
File opened for modification	C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\clxa.exe	4.exe
File created	C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbas.lnk	wic.exe

Executes dropped EXE 9 IoCs

pid	Process
2932	1.exe
2712	._cache_1.exe
2068	Synaptics.exe
576	2.exe
1988	._cache_Synaptics.exe
1664	._cache_2.exe
1704	3.exe
1348	4.exe
896	wic.exe

Loads dropped DLL 17 IoCs

pid	Process
2112	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
2112	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
2932	1.exe
2932	1.exe
2932	1.exe
2932	1.exe
2932	1.exe
2112	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
2112	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
576	2.exe
2068	Synaptics.exe
2068	Synaptics.exe
2068	Synaptics.exe
576	2.exe
2112	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
2112	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
2112	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	1.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2112-0-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0008000000016edb-21.dat	upx
behavioral1/memory/2932-27-0x0000000004000000-0x00000000040A4000-memory.dmp	upx
behavioral1/memory/1988-78-0x0000000000400000-0x00000000004A4000-memory.dmp	upx
behavioral1/files/0x0005000000019217-88.dat	upx
behavioral1/memory/1704-97-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2112-180-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2112-212-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1988-224-0x0000000000400000-0x00000000004A4000-memory.dmp	upx
behavioral1/memory/2712-227-0x0000000000400000-0x00000000004A4000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\2.exe	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
File created	C:\Program Files (x86)\3.exe	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
File created	C:\Program Files (x86)\4.exe	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
File created	C:\Program Files (x86)\1.exe	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\msslac.dll	wic.exe
File created	C:\Windows\wic.exe	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
File created	C:\Windows\cbas.exe	wic.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	._cache_2.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
812	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2700	shutdown.exe
Token: SeRemoteShutdownPrivilege	2700	shutdown.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2112	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
812	EXCEL.EXE
1664	._cache_2.exe
1664	._cache_2.exe
896	wic.exe
896	wic.exe
812	EXCEL.EXE
812	EXCEL.EXE

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2932	2112	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	30
PID 2112 wrote to memory of 2932	2112	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	30
PID 2112 wrote to memory of 2932	2112	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	30
PID 2112 wrote to memory of 2932	2112	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	30
PID 2932 wrote to memory of 2712	2932	1.exe	31
PID 2932 wrote to memory of 2712	2932	1.exe	31
PID 2932 wrote to memory of 2712	2932	1.exe	31
PID 2932 wrote to memory of 2712	2932	1.exe	31
PID 2932 wrote to memory of 2068	2932	1.exe	32
PID 2932 wrote to memory of 2068	2932	1.exe	32
PID 2932 wrote to memory of 2068	2932	1.exe	32
PID 2932 wrote to memory of 2068	2932	1.exe	32
PID 2112 wrote to memory of 576	2112	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	33
PID 2112 wrote to memory of 576	2112	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	33
PID 2112 wrote to memory of 576	2112	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	33
PID 2112 wrote to memory of 576	2112	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	33
PID 2068 wrote to memory of 1988	2068	Synaptics.exe	35
PID 2068 wrote to memory of 1988	2068	Synaptics.exe	35
PID 2068 wrote to memory of 1988	2068	Synaptics.exe	35
PID 2068 wrote to memory of 1988	2068	Synaptics.exe	35
PID 576 wrote to memory of 1664	576	2.exe	36
PID 576 wrote to memory of 1664	576	2.exe	36
PID 576 wrote to memory of 1664	576	2.exe	36
PID 576 wrote to memory of 1664	576	2.exe	36
PID 2112 wrote to memory of 1704	2112	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	38
PID 2112 wrote to memory of 1704	2112	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	38
PID 2112 wrote to memory of 1704	2112	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	38
PID 2112 wrote to memory of 1704	2112	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	38
PID 2112 wrote to memory of 1348	2112	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	39
PID 2112 wrote to memory of 1348	2112	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	39
PID 2112 wrote to memory of 1348	2112	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	39
PID 2112 wrote to memory of 1348	2112	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	39
PID 2112 wrote to memory of 896	2112	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	41
PID 2112 wrote to memory of 896	2112	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	41
PID 2112 wrote to memory of 896	2112	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	41
PID 2112 wrote to memory of 896	2112	db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe	41
PID 896 wrote to memory of 2840	896	wic.exe	42
PID 896 wrote to memory of 2840	896	wic.exe	42
PID 896 wrote to memory of 2840	896	wic.exe	42
PID 896 wrote to memory of 2840	896	wic.exe	42
PID 2840 wrote to memory of 2700	2840	cmd.exe	44
PID 2840 wrote to memory of 2700	2840	cmd.exe	44
PID 2840 wrote to memory of 2700	2840	cmd.exe	44
PID 2840 wrote to memory of 2700	2840	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
"C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Program Files (x86)\1.exe
  "C:\Program Files (x86)\1.exe" 0
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Users\Admin\AppData\Local\Temp\._cache_1.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_1.exe" 0
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2712
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1988
- C:\Program Files (x86)\2.exe
  "C:\Program Files (x86)\2.exe" 0
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:576
- - C:\Users\Admin\AppData\Local\Temp\._cache_2.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_2.exe" 0
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1664
- C:\Program Files (x86)\3.exe
  "C:\Program Files (x86)\3.exe" 0
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Program Files (x86)\4.exe
  "C:\Program Files (x86)\4.exe" 0
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1348
- C:\Windows\wic.exe
  "C:\Windows\wic.exe" 0
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "shutdown /r /t 0"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown /r /t 0
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2700

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:812

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2608

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\2.exe

Filesize
4.4MB

MD5
85a57509db3e9dfa7b4e451b8243220d

SHA1
ee21f93372218959f8b3dcefaa2c680d857e9e52

SHA256
fcd8d4592cf92fb9f9235a2774cdc8aff4265d4015269fb7aa995182f8ce26e1

SHA512
104615f2366e06cbba58a87f2e01d6806c1871c29af8277e06fcdb385f4ae6beb37c3bafd861c320a01303a287a68ae9b5d8640f29a39c21fe38ad9803ebe00d

Download Submit
C:\Program Files (x86)\3.exe

Filesize
9KB

MD5
1edb88f9ee745eaaee2cbd8219318eb0

SHA1
6561c12d51090972b6f866f38f8ed281c5c83313

SHA256
0ac1125284e2600d3714c0226f800f4d8d9aa291fa299bb1d33b7d8984b5e1c0

SHA512
a2a20a70c9e1db729f716706796027a5c9002ad000e75c0dced3ece6f26d76ee0803acc31d3a116266e711ec6a16d33c0668412238dfe0f128f3a841232ff4c5

Download Submit
C:\Program Files (x86)\4.exe

Filesize
338KB

MD5
39e7be73c7531ac895f75834fdc1bcd6

SHA1
646b88b488cf673c38b56fe7748c70b31bb29fc3

SHA256
a176e32335d81e69906f1c062e62247e97b8863f2c6148a36713e5bed5d16195

SHA512
e5c34ef2d309ef2071495a359999b9f8dbeb6d7db1daa67e82494d71b0f1e888d0958b5a503cb3b0e505b70f26cfefe362d6301599143bedb40a19fdb60ef072

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_2.exe

Filesize
3.7MB

MD5
b7176450aebb9572b34e875984456ac1

SHA1
5d9d1824c5c235dcfc82e6e3af48b63d70016393

SHA256
f78dcb1b389c99240befde490f8c74d9c9487f54e1f523397aa056072003a4c2

SHA512
4c9aba9b92972312c87d2b875246b22dafcb49a0f519291fba823ce57dd9282e25489a7cddf7dfb432caa921602db6266b0e625aae780845824f91cf48d8f85d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ughWqWjh.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\ughWqWjh.xlsm

Filesize
20KB

MD5
48304f418dc31d7da21164c9348c4447

SHA1
94d36451bb536a154f7a49c7d2b5f444d19ca1fd

SHA256
bf04d6775e419ea58119cc9156b43bc310f165053b9835099abdd5cc2183ddf0

SHA512
1642f59c27aa6da6b59d104b481761d65f4c1fce8b1ff7670fc517994cba3aa94d0688d70ef1e28af5368d48ff5707b9de0799bcc29d3347f815e65cf4aa974f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ughWqWjh.xlsm

Filesize
24KB

MD5
a1f3be91f832b24975f7a8b2a701bc13

SHA1
7c5afa2db5f41079a7ddfd91d3c4a34c44ae0e6d

SHA256
843658c5c8d32b6a683e0d754ab472c11171e06f1ecc2cf79d4d651fcaa816f4

SHA512
f2245768fd65bab2e57ef441f0cf201357f7ef398f95e0b7ba02741530489a524aa9c264c5e2fbba2bd905b6eb86063e6f341dfe8b19bf1d72daa80fd316ec3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ughWqWjh.xlsm

Filesize
25KB

MD5
cc822b71bdbb94eb1947e7c7657abc24

SHA1
a327c0fb98be5a90073ef98e613e21f62365720b

SHA256
e235ab1e2b2422cd03bab3ec7b64b5efcc3873b9dee6d70e30835200856fff43

SHA512
16a8a8c74e79a107642bb3f2cac28827973cfc8f5cbdc941239c1782d7e72faef9a2ecdd57cc20eeb5fbe43d415779d9d12b0815257e90127e410c72fb8691f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ughWqWjh.xlsm

Filesize
25KB

MD5
3cc7f22220491d8bcbae53366374b3fd

SHA1
dd4a52a445ed5ff1c2e49d5173a252206c6ff241

SHA256
0f2b38d29ee7bcefd71826178015c0eba1d6c5227c7142ef7f93ca20340799a9

SHA512
5741a69349651bfc68b07024eace4bbcb1d1c98a127c2af92017ec05496eff7b9611a8b4ebb24d1b54a2e2f1cc0d57602d0fc8c41006aa6f8b075dea7ac967d2

Download Submit
C:\Users\Admin\Downloads\~$SaveRedo.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
C:\Windows\wic.exe

Filesize
3.3MB

MD5
6ad65b03e75bc5509ba3104510178ee6

SHA1
dba73f97938d2dab4bf8fb8076b363db82ad3a16

SHA256
4d74eb72321c5137ed364541deef19ddc30593fff62abab2a3d17a0bad7bd5c6

SHA512
976c7aba50e17271f6aea4ab80e7bc89e68727164d98d99566e0752b4989d716a849b0cc53f0321a53dce6086ef4cab1604aae8456ce76bfeacf185137aa8ba8

Download Submit
\Program Files (x86)\1.exe

Filesize
811KB

MD5
d026cfe00b08da14b0a8b7f8860887d7

SHA1
08ef96351067f151c19b9cc21605ea018fb43a18

SHA256
e261d309f30de33a1ba0aa43604db15f3326c6c8c5b291bdd52f18ea361fe3dd

SHA512
4ef560ff8c6a9a143b9365884c0c999a1fbf5ee638f170ad96add2b8b56933038d573cb31f45724a7f1a7b6a35cd2557344bd55c746fc9e9da38ecd3bdd6361d

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_1.exe

Filesize
58KB

MD5
aed710082d6986c6dceed09d3a5edcc6

SHA1
02456d21cef29be4cb63004aea6aa225a90fd882

SHA256
5cbe5888cd034b95b14f4ad7c63f84f9c9bc605558c5cc484e26c13f1978399e

SHA512
4bccab62e816e296becd7318ff76d8fefa1f1cd25bdfcfb092c4424f3cc37e9edb46c90dae78d364c4406c954eaf75a6e18b7499d51b164d1ddf0136e4f52050

Download Submit
memory/576-82-0x0000000000400000-0x0000000000874000-memory.dmp

Filesize
4.5MB

Download
memory/812-99-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1704-97-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1988-224-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1988-78-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2068-225-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2068-77-0x0000000004120000-0x00000000041C4000-memory.dmp

Filesize
656KB

Download
memory/2112-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2112-180-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2112-212-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2112-96-0x0000000003090000-0x000000000309C000-memory.dmp

Filesize
48KB

Download
memory/2712-227-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2932-47-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2932-37-0x0000000004000000-0x00000000040A4000-memory.dmp

Filesize
656KB

Download
memory/2932-27-0x0000000004000000-0x00000000040A4000-memory.dmp

Filesize
656KB

Download
memory/2932-15-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads