Analysis
max time kernel: 150s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 13/01/2025, 07:17
Behavioral task
behavioral1
Sample
db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe
Resource
win10v2004-20241007-en
General
Target: db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe
Size: 980KB
MD5: a98bb278468370c572610865052def56
SHA1: b3f61627939e0899cf0208d8070e4a38e625bb06
SHA256: db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4
SHA512: 87cf147589b1005891d78ea07f6596b3094d29b2fc812e63622f98f38ed068e02491ce143cc68b93a9015361f2e913f85b8edefb05b52bbd5c535ffe10e5aed1
SSDEEP: 24576:nnsJ39LyjbJkQFMhmC+6GD975xolYQY6+I:nnsHyjtk2MYC5GDQYNI
Malware Config
Extracted
xred
xred.mooo.com
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Xred family
Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | Synaptics.exe
Executes dropped EXE 11 IoCs
pid | Process
2592 | ._cache_db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe
3936 | Synaptics.exe
408 | ._cache_db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe
4664 | ._cache_Synaptics.exe
4344 | ._cache_synaptics.exe
900 | icsys.icn.exe
3880 | explorer.exe
4116 | icsys.icn.exe
3172 | spoolsv.exe
4504 | svchost.exe
1692 | spoolsv.exe
Adds Run key to start application 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Drops file in Windows directory 6 IoCs
description | ioc | Process
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | icsys.icn.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 2 IoCs
pid | pid_target | Process | procid_target
4744 | 408 | WerFault.exe | 84
2908 | 4344 | WerFault.exe | 90
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_Synaptics.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Synaptics.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_synaptics.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icsys.icn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icsys.icn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Modifies registry class 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Synaptics.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2436 | EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
900 | icsys.icn.exe
900 | icsys.icn.exe
3880 | explorer.exe
3880 | explorer.exe
3880 | explorer.exe
3880 | explorer.exe
3880 | explorer.exe
3880 | explorer.exe
3880 | explorer.exe
3880 | explorer.exe
4504 | svchost.exe
4504 | svchost.exe
4504 | svchost.exe
4504 | svchost.exe
3880 | explorer.exe
3880 | explorer.exe
4504 | svchost.exe
4504 | svchost.exe
3880 | explorer.exe
3880 | explorer.exe
4504 | svchost.exe
4504 | svchost.exe
3880 | explorer.exe
3880 | explorer.exe
4504 | svchost.exe
4504 | svchost.exe
3880 | explorer.exe
3880 | explorer.exe
4504 | svchost.exe
4504 | svchost.exe
3880 | explorer.exe
3880 | explorer.exe
4504 | svchost.exe
4504 | svchost.exe
3880 | explorer.exe
3880 | explorer.exe
4504 | svchost.exe
4504 | svchost.exe
3880 | explorer.exe
3880 | explorer.exe
4504 | svchost.exe
4504 | svchost.exe
3880 | explorer.exe
3880 | explorer.exe
4504 | svchost.exe
4504 | svchost.exe
3880 | explorer.exe
3880 | explorer.exe
4504 | svchost.exe
4504 | svchost.exe
3880 | explorer.exe
3880 | explorer.exe
4504 | svchost.exe
4504 | svchost.exe
3880 | explorer.exe
3880 | explorer.exe
4504 | svchost.exe
4504 | svchost.exe
3880 | explorer.exe
3880 | explorer.exe
4504 | svchost.exe
4504 | svchost.exe
3880 | explorer.exe
3880 | explorer.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
3880 | explorer.exe
4504 | svchost.exe
Suspicious use of SetWindowsHookEx 26 IoCs
pid | Process
2592 | ._cache_db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe
2592 | ._cache_db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe
4664 | ._cache_Synaptics.exe
4664 | ._cache_Synaptics.exe
2436 | EXCEL.EXE
2436 | EXCEL.EXE
900 | icsys.icn.exe
900 | icsys.icn.exe
3880 | explorer.exe
4116 | icsys.icn.exe
3880 | explorer.exe
4116 | icsys.icn.exe
3172 | spoolsv.exe
3172 | spoolsv.exe
4504 | svchost.exe
2436 | EXCEL.EXE
4504 | svchost.exe
2436 | EXCEL.EXE
1692 | spoolsv.exe
1692 | spoolsv.exe
3880 | explorer.exe
3880 | explorer.exe
2436 | EXCEL.EXE
2436 | EXCEL.EXE
2436 | EXCEL.EXE
2436 | EXCEL.EXE
Suspicious use of WriteProcessMemory 42 IoCs
description | pid | Process | procid_target
PID 1500 wrote to memory of 2592 | 1500 | db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe | 82
PID 1500 wrote to memory of 2592 | 1500 | db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe | 82
PID 1500 wrote to memory of 2592 | 1500 | db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe | 82
PID 1500 wrote to memory of 3936 | 1500 | db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe | 83
PID 1500 wrote to memory of 3936 | 1500 | db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe | 83
PID 1500 wrote to memory of 3936 | 1500 | db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe | 83
PID 2592 wrote to memory of 408 | 2592 | ._cache_db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe | 84
PID 2592 wrote to memory of 408 | 2592 | ._cache_db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe | 84
PID 2592 wrote to memory of 408 | 2592 | ._cache_db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe | 84
PID 3936 wrote to memory of 4664 | 3936 | Synaptics.exe | 88
PID 3936 wrote to memory of 4664 | 3936 | Synaptics.exe | 88
PID 3936 wrote to memory of 4664 | 3936 | Synaptics.exe | 88
PID 4664 wrote to memory of 4344 | 4664 | ._cache_Synaptics.exe | 90
PID 4664 wrote to memory of 4344 | 4664 | ._cache_Synaptics.exe | 90
PID 4664 wrote to memory of 4344 | 4664 | ._cache_Synaptics.exe | 90
PID 2592 wrote to memory of 900 | 2592 | ._cache_db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe | 93
PID 2592 wrote to memory of 900 | 2592 | ._cache_db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe | 93
PID 2592 wrote to memory of 900 | 2592 | ._cache_db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe | 93
PID 4664 wrote to memory of 4116 | 4664 | ._cache_Synaptics.exe | 96
PID 4664 wrote to memory of 4116 | 4664 | ._cache_Synaptics.exe | 96
PID 4664 wrote to memory of 4116 | 4664 | ._cache_Synaptics.exe | 96
PID 900 wrote to memory of 3880 | 900 | icsys.icn.exe | 95
PID 900 wrote to memory of 3880 | 900 | icsys.icn.exe | 95
PID 900 wrote to memory of 3880 | 900 | icsys.icn.exe | 95
PID 3880 wrote to memory of 3172 | 3880 | explorer.exe | 97
PID 3880 wrote to memory of 3172 | 3880 | explorer.exe | 97
PID 3880 wrote to memory of 3172 | 3880 | explorer.exe | 97
PID 3172 wrote to memory of 4504 | 3172 | spoolsv.exe | 98
PID 3172 wrote to memory of 4504 | 3172 | spoolsv.exe | 98
PID 3172 wrote to memory of 4504 | 3172 | spoolsv.exe | 98
PID 4504 wrote to memory of 1692 | 4504 | svchost.exe | 99
PID 4504 wrote to memory of 1692 | 4504 | svchost.exe | 99
PID 4504 wrote to memory of 1692 | 4504 | svchost.exe | 99
PID 4504 wrote to memory of 5116 | 4504 | svchost.exe | 100
PID 4504 wrote to memory of 5116 | 4504 | svchost.exe | 100
PID 4504 wrote to memory of 5116 | 4504 | svchost.exe | 100
PID 4504 wrote to memory of 2836 | 4504 | svchost.exe | 113
PID 4504 wrote to memory of 2836 | 4504 | svchost.exe | 113
PID 4504 wrote to memory of 2836 | 4504 | svchost.exe | 113
PID 4504 wrote to memory of 2400 | 4504 | svchost.exe | 115
PID 4504 wrote to memory of 2400 | 4504 | svchost.exe | 115
PID 4504 wrote to memory of 2400 | 4504 | svchost.exe | 115
Processes

C:\Users\Admin\AppData\Local\Temp\db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 1500
  C:\Users\Admin\AppData\Local\Temp\._cache_db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2592
    \??\c:\users\admin\appdata\local\temp\._cache_db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe
      Command line: c:\users\admin\appdata\local\temp\._cache_db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 408
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 800
        - Program crash
        PID: 4744
    C:\Users\Admin\AppData\Local\icsys.icn.exe
      Command line: C:\Users\Admin\AppData\Local\icsys.icn.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 900
      \??\c:\windows\system\explorer.exe
        Command line: c:\windows\system\explorer.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Boot or Logon Autostart Execution: Active Setup
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 3880
        \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe SE
          - Executes dropped EXE
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 3172
          \??\c:\windows\system\svchost.exe
            Command line: c:\windows\system\svchost.exe
            - Modifies WinLogon for persistence
            - Modifies visibility of hidden/system files in Explorer
            - Boot or Logon Autostart Execution: Active Setup
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 4504
            \??\c:\windows\system\spoolsv.exe
              Command line: c:\windows\system\spoolsv.exe PR
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
              PID: 1692
            C:\Windows\SysWOW64\at.exe
              Command line: at 07:19 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              - System Location Discovery: System Language Discovery
              PID: 5116
            C:\Windows\SysWOW64\at.exe
              Command line: at 07:20 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              - System Location Discovery: System Language Discovery
              PID: 2836
            C:\Windows\SysWOW64\at.exe
              Command line: at 07:21 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              - System Location Discovery: System Language Discovery
              PID: 2400
  C:\ProgramData\Synaptics\Synaptics.exe
    Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 3936
    C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 4664
      \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        Command line: c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 4344
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 824
          - Program crash
          PID: 2908
      C:\Users\Admin\AppData\Local\icsys.icn.exe
        Command line: C:\Users\Admin\AppData\Local\icsys.icn.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        PID: 4116

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 408 -ip 408
  PID: 1624

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 2436

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4344 -ip 4344
  PID: 3712
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 3
Active Setup 1
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Privilege Escalation
Boot or Logon Autostart Execution 3
Active Setup 1
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Defense Evasion
Hide Artifacts 1
Hidden Files and Directories 1
Modify Registry 4
Downloads
Filesize 980KB
MD5 a98bb278468370c572610865052def56
SHA1 b3f61627939e0899cf0208d8070e4a38e625bb06
SHA256 db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4
SHA512 87cf147589b1005891d78ea07f6596b3094d29b2fc812e63622f98f38ed068e02491ce143cc68b93a9015361f2e913f85b8edefb05b52bbd5c535ffe10e5aed1

C:\Users\Admin\AppData\Local\Temp\._cache_db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe
Filesize 226KB
MD5 ebb8f5135ff7cb88580e27f9581ebc3f
SHA1 e7a1e28ae53005278924c3a50df2da9037a4df02
SHA256 831f7ca536139c61b78b3f02482994ea206d1c056dd12aabe3a3b8dcdc0a854c
SHA512 22ebbf0f086ab3a9852ec7b0d783b30dbc2bcbb76401d379ff13538d3b452da8ad0b6fcb2b980168df2ef5643eeb5ab5da828c92697f96863c818cf734ab5046

C:\Users\Admin\AppData\Local\Temp\._cache_db9fae14fff980af1185980403e8e5c65d757ebbf02732d1c46a9668898256f4.exe
Filesize 20KB
MD5 f83e3d53d747b25e29df03c30eafcb1f
SHA1 bf705087922f4c9ccf8cf4194c1ce67a7bfbd319
SHA256 41b3a316dc3856ef958f3e9d7968f6fde0040e199fe61f85b00d188f24f50ba9
SHA512 30d1c759e183ca054e03229b72f21878d906c8100be5c63fe1ba62a4926e7dabc3b0e71396a427671865f406135fa2a8d771ae919d8110fe592c95e3a589728f

Filesize 17KB
MD5 e566fc53051035e1e6fd0ed1823de0f9
SHA1 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512 a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Filesize 21KB
MD5 b03fd69189851f671bb2139f1dde213d
SHA1 6338a50c45501d15f143121c10c78591fad721cc
SHA256 c98a4034f03344600bc848e708d9a15b4a4917f97f231896ff45ead59b5c0276
SHA512 5d5d818159d60f179f4e60f3b38ee7b7db0b00f38d1c0187a5e25954e7650e15a976ce779126c3d94c7a9c7a1c4db29597b0ca0c34919bd0073a7e9db5c711c7

Filesize 206KB
MD5 102899034e993b46a13a62d3ff2d9fdb
SHA1 d784fd07ecdfe133fbeae14fd9785b6f4e490f76
SHA256 4ea6b9830682272506a8ad0dd559379bbe8b5b7989609d14562353d34425d4f4
SHA512 38faae6f4f267a0554d772cb99584f634d94b30e8769ae00a648011a82de16ac7cd725b094a6bc982c994f268da72caae9b2b880d8e8cf7a27f7e0e1fd73cca0

Filesize 206KB
MD5 d926db8287b9624c5ef3c9d4b5b143b1
SHA1 cdcef6638b5498c69ee0b3ec90ddd536c203cd65
SHA256 3b2ecfd9f9815b922532f4e299a0002189ed1c901692265ff25c52cec900fb0f
SHA512 f6649bc29f3c06610771f1bd04acc1681313242aca86d5aa8da0f7af97e5bc29af8eab1acfeaaaa0fe7c4ed827f8affc1f9cba1478dcb1f8341ca82625dd96fa

Filesize 207KB
MD5 a6952fec156c0f537ab055af1a55906e
SHA1 d1e2ac1cf55ef8ab76e49fe805aac1df25568e32
SHA256 2c3b7223d4d1a1cecf752ae257a85ac1cf5368faf3c6e077855c72c4867451f1
SHA512 6e4748c735b65b7d31c835e3ed65c5af9577a8658b517c1057d6d7c0869d8b4269bb34211a3fcfc44d25607aee4b575e0012403272c6c94430e7dcb9198f48a2

Filesize 206KB
MD5 7532601de1c6a8abe56e4d2f2353cc14
SHA1 cd77425a774449efb350276608234c72112f67ab
SHA256 dee15dfd991f2cd3047e50e38a21bbdf0f84286c6f9834f7f1958d3f427941a7
SHA512 240f187128ba50a9819f333191478f339c07dc6dd23b3c4cb30a31466d4eec1e27218ed3b2303678a6dbae4787d1ddfb035766049023ad3a9ecef844afd859a0

Filesize 206KB
MD5 3ef258f85aa1a26136417b89bfaa1881
SHA1 b6aac4d37dea2bd215f3d6d49756a1760ebd3d56
SHA256 e9e4f8a2ea15fb5cb210120b49f501561a0473d54ca9a5d4ee6c8cf5f3cf1402
SHA512 2739418fc843d8c32791e36446ecfb2719abefb21157b0b721c6e9ca5adcad5ad88643bd20f9816f901c1808d90ec20d8f3e9fb25de6d0e6ef10fb4988f96c48