xred | 6f513f4b91acba47885d8b61e4da53eb233305956f18be998a5d56048e9c400c

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-01-2025 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Vnhax_new.exe
Size

7.0MB
MD5

1cfc313319188c7db6f2e77675101e7a
SHA1

d63cdf56928e870868867032bfb09550f2315dfc
SHA256

3dc0a471eebb84b66dc17e71c00ab6c70541237a870fbba297e3436053c55c66
SHA512

9d250f9d57ca2fd2d2da40f2f505562e5ed5fad502959f50de02053129152a05a86c6b57d50abf40c404b3c95d12ae53fe8612b65e390eb1f01e845d53611997
SSDEEP

196608:HLxlFP7GIFourQ6CJQbHdK3lgz8UXiU/0V:H9lFzJoNi94Uo

Score

10^/10

xred backdoor discovery macro persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 2 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x0006000000019244-131.dat
behavioral1/files/0x0008000000019244-159.dat

Executes dropped EXE 7 IoCs

pid	Process
2816	._cache_Vnhax_new.exe
2572	Synaptics.exe
2028	._cache_Synaptics.exe
2432	Setup280.exe
1504	._cache_Setup280.exe
1580	Setup280.exe
2392	._cache_Setup280.exe

Loads dropped DLL 28 IoCs

pid	Process
2224	Vnhax_new.exe
2224	Vnhax_new.exe
2224	Vnhax_new.exe
2572	Synaptics.exe
2572	Synaptics.exe
2816	._cache_Vnhax_new.exe
2816	._cache_Vnhax_new.exe
2816	._cache_Vnhax_new.exe
2816	._cache_Vnhax_new.exe
2028	._cache_Synaptics.exe
2432	Setup280.exe
2432	Setup280.exe
2432	Setup280.exe
2432	Setup280.exe
2432	Setup280.exe
1504	._cache_Setup280.exe
1504	._cache_Setup280.exe
2028	._cache_Synaptics.exe
2028	._cache_Synaptics.exe
2028	._cache_Synaptics.exe
1580	Setup280.exe
1580	Setup280.exe
1580	Setup280.exe
1580	Setup280.exe
1580	Setup280.exe
1580	Setup280.exe
2392	._cache_Setup280.exe
2392	._cache_Setup280.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Vnhax_new.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vnhax_new.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup280.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Setup280.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Vnhax_new.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup280.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Setup280.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0FB21521-CB97-11EF-8F55-D60C98DC526F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dd6b324440c34d4b8e65ac6c112e8bca000000000200000000001066000000010000200000008388bf165f5a923f32cb556018f06b0c51246f9100f33ad703898c9d26aaf529000000000e8000000002000020000000fcf5ace47bbd58c90e710426d0f5e3dd02df025c6a5eb062a67af003c74001f490000000136c0766bd0f8645ed34324c8599e48694021399d112e29fde6025a29394ab69832dd1a6995d84c6c4c6efbb24f608066f165f82968e0c24e828e02bda64abdfaaf771a3b6bb0ed1d1f0d6b5dbd8b6c1e92423438d11f8168ee50e45331073e556b74a9e0edcb6de2e07b15290d267bb029afb6873bd24634925565b388362743c828098dc1daee73aa46d7edf9a3f30400000004ab52c816f9ce50625d39f5fe8dd08e99825d7f031521c598fedb8e25f41658847a3203a7cab29f0586eb7ccd89c60b711979b65e1162434797df5cebb01a92b	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0060fde4a35fdb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "442265380"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dd6b324440c34d4b8e65ac6c112e8bca00000000020000000000106600000001000020000000cd27a571fd4ac3cfc464812ddad291740fcd23036d8496cf71bd4c566f3f21c1000000000e80000000020000200000007d3041b7cb049ef4da2b178ea38075b28ab978cc24b6fe9c2a56c39c3fa43ae92000000056ba9334abb5ffed005bae3700c231b3455a88f489a9bf2cf9c82efaab8d82a2400000008fa1bc89574be7508f21f44f8d4f0c58711990bc2044127889bde7ad77f9d36aee5c971db969ba39c7510d0b868d040f592982777245a33351b5329664649f10	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1516	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1504	._cache_Setup280.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1388	iexplore.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1516	EXCEL.EXE
1388	iexplore.exe
1388	iexplore.exe
1772	IEXPLORE.EXE
1772	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2816	2224	Vnhax_new.exe	31
PID 2224 wrote to memory of 2816	2224	Vnhax_new.exe	31
PID 2224 wrote to memory of 2816	2224	Vnhax_new.exe	31
PID 2224 wrote to memory of 2816	2224	Vnhax_new.exe	31
PID 2224 wrote to memory of 2816	2224	Vnhax_new.exe	31
PID 2224 wrote to memory of 2816	2224	Vnhax_new.exe	31
PID 2224 wrote to memory of 2816	2224	Vnhax_new.exe	31
PID 2224 wrote to memory of 2572	2224	Vnhax_new.exe	32
PID 2224 wrote to memory of 2572	2224	Vnhax_new.exe	32
PID 2224 wrote to memory of 2572	2224	Vnhax_new.exe	32
PID 2224 wrote to memory of 2572	2224	Vnhax_new.exe	32
PID 2572 wrote to memory of 2028	2572	Synaptics.exe	33
PID 2572 wrote to memory of 2028	2572	Synaptics.exe	33
PID 2572 wrote to memory of 2028	2572	Synaptics.exe	33
PID 2572 wrote to memory of 2028	2572	Synaptics.exe	33
PID 2572 wrote to memory of 2028	2572	Synaptics.exe	33
PID 2572 wrote to memory of 2028	2572	Synaptics.exe	33
PID 2572 wrote to memory of 2028	2572	Synaptics.exe	33
PID 2816 wrote to memory of 2432	2816	._cache_Vnhax_new.exe	35
PID 2816 wrote to memory of 2432	2816	._cache_Vnhax_new.exe	35
PID 2816 wrote to memory of 2432	2816	._cache_Vnhax_new.exe	35
PID 2816 wrote to memory of 2432	2816	._cache_Vnhax_new.exe	35
PID 2816 wrote to memory of 2432	2816	._cache_Vnhax_new.exe	35
PID 2816 wrote to memory of 2432	2816	._cache_Vnhax_new.exe	35
PID 2816 wrote to memory of 2432	2816	._cache_Vnhax_new.exe	35
PID 2028 wrote to memory of 1580	2028	._cache_Synaptics.exe	36
PID 2028 wrote to memory of 1580	2028	._cache_Synaptics.exe	36
PID 2028 wrote to memory of 1580	2028	._cache_Synaptics.exe	36
PID 2028 wrote to memory of 1580	2028	._cache_Synaptics.exe	36
PID 2028 wrote to memory of 1580	2028	._cache_Synaptics.exe	36
PID 2028 wrote to memory of 1580	2028	._cache_Synaptics.exe	36
PID 2028 wrote to memory of 1580	2028	._cache_Synaptics.exe	36
PID 2432 wrote to memory of 1504	2432	Setup280.exe	37
PID 2432 wrote to memory of 1504	2432	Setup280.exe	37
PID 2432 wrote to memory of 1504	2432	Setup280.exe	37
PID 2432 wrote to memory of 1504	2432	Setup280.exe	37
PID 2432 wrote to memory of 1504	2432	Setup280.exe	37
PID 2432 wrote to memory of 1504	2432	Setup280.exe	37
PID 2432 wrote to memory of 1504	2432	Setup280.exe	37
PID 1580 wrote to memory of 2392	1580	Setup280.exe	38
PID 1580 wrote to memory of 2392	1580	Setup280.exe	38
PID 1580 wrote to memory of 2392	1580	Setup280.exe	38
PID 1580 wrote to memory of 2392	1580	Setup280.exe	38
PID 1580 wrote to memory of 2392	1580	Setup280.exe	38
PID 1580 wrote to memory of 2392	1580	Setup280.exe	38
PID 1580 wrote to memory of 2392	1580	Setup280.exe	38
PID 1504 wrote to memory of 1388	1504	._cache_Setup280.exe	39
PID 1504 wrote to memory of 1388	1504	._cache_Setup280.exe	39
PID 1504 wrote to memory of 1388	1504	._cache_Setup280.exe	39
PID 1504 wrote to memory of 1388	1504	._cache_Setup280.exe	39
PID 1388 wrote to memory of 1772	1388	iexplore.exe	40
PID 1388 wrote to memory of 1772	1388	iexplore.exe	40
PID 1388 wrote to memory of 1772	1388	iexplore.exe	40
PID 1388 wrote to memory of 1772	1388	iexplore.exe	40
PID 1388 wrote to memory of 1772	1388	iexplore.exe	40
PID 1388 wrote to memory of 1772	1388	iexplore.exe	40
PID 1388 wrote to memory of 1772	1388	iexplore.exe	40

C:\Users\Admin\AppData\Local\Temp\Vnhax_new.exe
"C:\Users\Admin\AppData\Local\Temp\Vnhax_new.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\._cache_Vnhax_new.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_Vnhax_new.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Users\Admin\AppData\Local\Temp\Setup280.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup280.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Setup280.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Setup280.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1504
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.vnhax.net/p/gflhfdokln.html
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1388
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1388 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1772
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\Setup280.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup280.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1580
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Setup280.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Setup280.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2392

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
7.0MB

MD5
1cfc313319188c7db6f2e77675101e7a

SHA1
d63cdf56928e870868867032bfb09550f2315dfc

SHA256
3dc0a471eebb84b66dc17e71c00ab6c70541237a870fbba297e3436053c55c66

SHA512
9d250f9d57ca2fd2d2da40f2f505562e5ed5fad502959f50de02053129152a05a86c6b57d50abf40c404b3c95d12ae53fe8612b65e390eb1f01e845d53611997

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
51fccb7ba61f8698e0e3a6944cd3d342

SHA1
e9952da764ffcabd78cd01c3c6c00d9caa3cae54

SHA256
61f8409059f18e6f02aff4c28a31c59175f50c7cab5d2112fbcb076d1e23b376

SHA512
bb9d414b896786122cdda679131bf84576e68d03e0b1f3ce6c37cd85fb88d839156aef321e36816dfb0f7d5eebae20c8fbf52475339cf07cb21e4b8da12cfb18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7a633a4ebf008892108ccdbbd551162

SHA1
b3a48324bb4c561b245edf0662b2245b51769718

SHA256
5b22d8609f7c2cc318f44e1d7236f70cadb9c254e3040f2c75e1a42064155929

SHA512
22fffc5fe423719d29dc344caa9a213dac9cf1856fcdbd6e8c9957581edf5d40e8246ea4e3721f177aa448d053b4081b1445c2e15954a1e7092a95d1b9ea183e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22cf99bf1206c8dd0b1749e46fe64d4f

SHA1
d6d3da0edb94fd290b8995671eafd115f33e3a90

SHA256
b5f06b1d383f1cf9e464cf614beef0250c7362c9e9a659f8ca7a825a8cc47895

SHA512
288914a262a6396e836b6a4ea2170e5573d0cbd71e0030d0486c4ced3ea0b0c7403be96736eb62a0abe439e1f60f5cc6fe84b11cc95e1678b60325a777072d51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d0653c6ac72be8c5ca5e8e63b46ad48

SHA1
b9d9f63adfc6e5d4ccda5004de0d9c01de150fe9

SHA256
4783a694ab9e25037748b8bc09eb12cb6e50a35d6cef8f20812bec575284662e

SHA512
2e3017a8a0194f7d520799e18de9e72259ca8d814501d7550d9e2c3d1848cb628bff48e816f320d1d212e4022409975435d44f1a8d45b54e409aa6d3de854419

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b081ace4c2df890fdb8e66edf860a8ef

SHA1
7d87da01241cfb4918aca194ee140f5651640dc4

SHA256
ecf99a08ce40590363fc08ba22338dc526f8704ab836057222453fb9b7a9d81d

SHA512
8abbdc5f728b58572792b0a486b75bf386e8487e93fb1f63924e63dfc325b7629ea75e0d5c83287e712ae27259cb54a2bbac6932e063259cf820b97df0c4c5b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0cb846a00a93e191c375f8afefda0ef1

SHA1
5b4d857ab89cdf645dccb15f411c8c49d8ae9eb0

SHA256
e4eaf812cefbc37a8fa3e6ed2e6861782fefcad019979a760143a661687e180b

SHA512
73b746639ef9510231b65189e66ea5339764203b5ae90c6fab8771e89e0d40dc1071479f50576aedb77d94b178ad38a725240cd304b90d4926bf99f4fe8c832e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aafa3def59a40444debadd15bd161753

SHA1
680e849919e3f5ae8123875a6cb3490fac5633d6

SHA256
858b03381f318a7aa37a8e8d41516bd3478c823df002f52b44d589ca185ffabd

SHA512
ccac76999de023cd8f0749a02d64414372cf513e64adc2b568408ab6c097f24b9a235bf3eff255f3d3613bd1ce3a527d0adc924e7a76ae4f1d7a425bdf2ed4cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2b1301b950ce85c5a78328d05b373aa

SHA1
f32ce7344bb0641a014fb98747bf76dd67abcea4

SHA256
ca8187b4ae77e13552a6c3b167d06873dcfbb9c3255783dc618eb0a9281f3fad

SHA512
68498cb109a0be075199b27e8a8fb4afc8f6b4cf3e7539a441f04ab5339031ae3d9bff85f43126b236661b3b6f2cda188979b448fe316d9e671b3dabc11a6768

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
12ce13997d9db32f848d12ef1a4311f7

SHA1
105c3c5cc629b1330f00773603b764782e0088f2

SHA256
f6f41bf4d8f2dc9bf3aade8946c3f21129f596071fedb7175cfbb66b45303e8d

SHA512
029275fd9f977f341a8058bf9609d2e227c603028dc5fc7285d241dc690800d5feafaa1b1ed2039a5fcb063a44617e0e45532a0d483b60c9a87b5b638c30500f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1f61484da0643aaeec50e319c81c319

SHA1
4a3fbffdccd46aee587dd3ff094e640c9b38bf7c

SHA256
8ca99a1202a8d2f22099a62584d10df1d02cbb36a78a794a5e432c439b79bc64

SHA512
45b3fd0f9714b6cd2eded707ac93b60e69341e8f3c40a710fcb41f6131bd636801658364c4fcf3e32aab4c4ee63feedabe50be38a56cfef4adfa5b3d6677d9ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48b234914bbad26e673a9ecd92e24c0b

SHA1
f5349689e6994943e2934e8604df5298a6edf03e

SHA256
b95f7acff0365cbc21602eb8ce3342fcdbd96416a465fa180dae58b7925bad17

SHA512
120e462607e100a3b865c479c81fdf5be0997021580318155bfc82ead32614630acac7cb46924ecda224068d77e3390e68269b51b25818f17994e4a8ddfa7426

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5e445aa28aaf9c6ad9657271eb1d023b

SHA1
4335930322bf799e5a7f408eb8fd8b60ffb19b3d

SHA256
16bc5058df493853e6bf1e19b3f2968fce30f0135975fb105c205935bca731d4

SHA512
d285b332e698d15e071bbdb0ebc2499f4149ecc2980526b74a33bec1a11961bf3a598f5eb24bc7fb4176ccd4a97d769218afdb293418b7e1d09fe12b649c27aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
203e2e1f2d0ef73bedd781eb86e82b0e

SHA1
2e9cf27114bd956b55723a38b0a27d42c74c5889

SHA256
533d2d79cd02d04e25fa9188021cab10b0f163028f6c2ff1610e547da88ebc80

SHA512
4b17109b225cc9a52daee79c1a44ce44558c9f01334b6d6e3f537a1bf6b5c4ae002600af0be99cb40b4de71d725407eeace3626ef532b4faef332f26d6f28ae6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a91a6d50f7629f890c03064842e5a31b

SHA1
346f4e03368d97b622a93c6155e10ea99e7beb75

SHA256
f1abf594f4b2aab8235566a134c8353dd453d2b83a4915f527178b9b31bb4784

SHA512
9dd18b64cd280664ef12eb42a58944a578e12836cfab204a3454115476247ef71ca4c1088fc39f10e8345f9455b4fb6cf003b13f1735e17c46123491460e4d31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32815de7f81d5ac32eaa727d7760c10e

SHA1
2afe053e4fad4af8bdd907687831fd3b0e22c2c1

SHA256
0d011105e68fbbcb352fd0941982a2e961e0f3f30d04a4b7fb50ff19d2f53867

SHA512
28b33e3512e7c9f5f5e81e7a0d798cd272f5a8428ca4fcc9c3090e5c4b0c14e04eb182b400a46aac36366e961e4bda2cf4c8384af96029c289d3dbb4f783b3cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b889e042bfc4b062860bb4b1411318f

SHA1
930b12b2cdaf376b6bad35d0151351e3ac9e58f5

SHA256
746c3579df3955201f15ea3c1612bce2e37c110cf794871159c6e87f72b86c7c

SHA512
7bf5c5a68b2cc240fd4a332bfd7d0aa8c8f3ccae6bd28ca7aa8ac712cea0d16c9e4b24c117374075fd408064ef00d93e6da7fddcd4ebd824730a7945bdb9df00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
616394082288b56c98a285c7996016e9

SHA1
89e38ed51e63b28ad2c8ed8c6b91c4ca312299d8

SHA256
93ca4e8cf9f6994072b3459dd8c4fd4fcc30548da9a2f04b67f0c7119d696036

SHA512
2f36681e9ab8a5aaba8a62c0fc7d3d81bd239c55df7efb28c389da788389d87be62017ae472a148353e7381f7462c8ea3fbbe07912910ffc56f160a23adcaec2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33f861aa2f251f90af1843b6e8035d5f

SHA1
99277517643fc636ce8ede4d297153b1acfcea55

SHA256
876b1513d0c4df745f5ec3fa8b49e749b511d0dac8167333f9e12c486b1d719d

SHA512
af74cb55f67fc3dfedf62e487f602b8313c010727752f98cb8ba9cbc9474ced5049a4a5a5426a1b129dbda6e65a12995b8f70b1e499eea39b430538c35981da8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
670c4c4f41d5f6d9814f9107402f385f

SHA1
d2f62cf42ee625945ceacf101a37f48e846e6b14

SHA256
06d0c2e6d4878130103ce510c00682fa145ae8753bc03cd20391bc8507d4fb9e

SHA512
e08eb8f9f3283bf19d035cb79db964df80a9c7c208cf5ebff536e7da180a867c0dffe98c69a0fd344cad554a50d3479349e6afb8fd28de122d9e687258b8235e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33d3d65d7fd24bda3861f2c10a556ecc

SHA1
52f5998cdcf01ca9c241b18c8716371fc9e746eb

SHA256
1b68a133f48836beed188da450ff8964ea8c48de5466e240a00d9452705c67b4

SHA512
71416b541de3085ff0881a10c7c31b9249e7c8ac94defddaaa5e71b4cd2a41ab529ea740b165c418bfc64633a224071755408e52dfdb50387ddb352fcc0f35dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
64d4f6f33642f26b122b3123903949e5

SHA1
65722fa6c89e7ec05f2c54ec6827c36277db731a

SHA256
665065a298771910c5debc3f334b971e0f295a666499865c61b1b83aacdd1f30

SHA512
a535b25005d144810e4314583e414934c3293baec6a07735631e1b7221abba73147d4dc3b16ad940afc21627495649ef090e2b38ba5688e530875ecbc5e22fb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
c180112b5094c14a64f944d078f7b9bd

SHA1
ea6c1518e52a3a0e9f85d968bb96abe14d792c29

SHA256
35d42ac6c1c6db8ae5b7d63db404df98d41f6eccb70ad8bdfcc0c23331c65051

SHA512
4148645e97d08fc490acceb530089c9404a5be34d2d008fcc20739a43a6568696d071feb2e088acce12f95e9a0402bf654b01ec00991d46933bbb5f15673ed81

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1FF0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\T4XW1Vat.xlsm

Filesize
20KB

MD5
4d3556cd0301cbc444eaf23951745407

SHA1
e58f965f3bceecc0c4aef70cc14d60c91e2f2b37

SHA256
1d39cf84a1fbb6bd73a2fe2331a720e51ff313e6bc1be95442009dae0877f968

SHA512
0a1cbb5a148a51d5169818a896c4df5788ad895e87b3e6f57ae04943ca4a47be754f646fc3b735f8e718305bfbaa0434c9ded913b034634d389405e9b527150c

Download Submit
C:\Users\Admin\AppData\Local\Temp\T4XW1Vat.xlsm

Filesize
24KB

MD5
dc6c883f6155418d7abec1545731458f

SHA1
cc456b3ec74a9622455fc0936f6bc4e7cbacf2f5

SHA256
f41a427deb320362b352ec3bd2d23a8c45dbeb34ed28b08238b77d61f6c2314a

SHA512
2a9f96db72face14ff069f8c4aab29f161968050499f42283bafb3ec4d8ff65f4cdbffcf72b8ef831862cfec25df4495a5455dd1ed7ead2c253379e2db50ae30

Download Submit
C:\Users\Admin\AppData\Local\Temp\T4XW1Vat.xlsm

Filesize
23KB

MD5
a5c1badcd84af504e5b7e6ee17a5bb93

SHA1
6c2c34dbc5b5c469d07f583e06be8cb4e692a4b0

SHA256
f619af2b62c402243e58c0965c89c69b3f2bf971be688c057613ed4da92a56ae

SHA512
2672df40593653ae749cceb3cf183a2a7f69fa70e0304425967b180f402f6245d1518b0962097b75cbced4cecf976ca95a61501d0e10045e75a4c2415a9a6013

Download Submit
C:\Users\Admin\AppData\Local\Temp\T4XW1Vat.xlsm

Filesize
28KB

MD5
5316762b31381820ed3e6fe7439bad7e

SHA1
7e938250cecedbe4d3627efc19073120701922a5

SHA256
304dd43b70b9e1ac8978ca76ce3b66b9afbbb69aa07911571e4939405df603e1

SHA512
697e7eb7b3affcaf95979472fdaca1939a496e5444437fbbf735c6ebacc94182287a18f6a965c9c14622ae8c2b95474bca8efc6f88a2e97ab134b1810bd15152

Download Submit
C:\Users\Admin\AppData\Local\Temp\T4XW1Vat.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2003.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Documents\~$UsePush.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Setup280.exe

Filesize
180KB

MD5
787b77ed4a3970d0565f1e22e3e72065

SHA1
c396438b5cce7729e756c53c5b43a2af63cdd6a1

SHA256
467c4a87b06cd1f0c71f0a912551e51bae533875f5b831afa6cba06dfaa53c8b

SHA512
6a74cdd984810202c6e532d2ba0121e12803844399fcb07af7f697c7b00fcde6013a764bd8e954dbb7d3713a1448929d1e2a08785635a3e52ef2db79b96958be

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Vnhax_new.exe

Filesize
6.2MB

MD5
7e252e1a74bda7c621c9c45b9bff2df9

SHA1
f06c87842777d1cd9f5e0c2bb5ec3ffc0807f545

SHA256
21e920cf6b6741aea46a5548c4ddffc1ad079c834cc46e81dc091720eb3c4325

SHA512
69baefaf7ed0349ef50245d16f90255f2d00abbe253ccb001b0098243a38bb4fecabe14f90b8334e3bec9351dfe73726f0d7edb352ddb00fb671d01d9375c8a5

Download Submit
\Users\Admin\AppData\Local\Temp\Setup280.exe

Filesize
933KB

MD5
fd1247e7caf911c86f9a3ec6743d0ff8

SHA1
c43c2501f18b1454e2daef94f27bcfaf287b8023

SHA256
18f89cedbb9a651d268bbef4472575e026df00aa3625cfb98a2091e7791b8a44

SHA512
76bcd728a116b8784fd3a46c9f5c10bddbb45410ebfa7ff615b8b1c8ebb192a54b90f60abc28f3b167741f637be6d9aebf8e34666edbeae283cd8df2751ddac8

Download Submit
memory/1504-149-0x0000000000CC0000-0x0000000000CF6000-memory.dmp

Filesize
216KB

Download
memory/1516-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1580-134-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2224-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2224-25-0x0000000000400000-0x0000000000AFE000-memory.dmp

Filesize
7.0MB

Download
memory/2392-150-0x0000000000370000-0x0000000000380000-memory.dmp

Filesize
64KB

Download
memory/2432-72-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2572-192-0x0000000000400000-0x0000000000AFE000-memory.dmp

Filesize
7.0MB

Download
memory/2572-622-0x0000000000400000-0x0000000000AFE000-memory.dmp

Filesize
7.0MB

Download
memory/2572-659-0x0000000000400000-0x0000000000AFE000-memory.dmp

Filesize
7.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads