xred | d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 21:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe
Size

2.4MB
MD5

aea5c112e24c2f2ff9898c22f3a16130
SHA1

36d742ff012a1ec17f2326155b1b55a71fc9a3b9
SHA256

d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25
SHA512

61697b48897a88943530b48fd3273fa3ec5a79687b098abf22922b65e9f2ad555be90ee84c0409b4a4e82e6a3f4b3a1b7ee6ad0030a911333867bac58b851780
SSDEEP

49152:InsHyjtk2MYC5GDcj0c1qaggaqW+2JsKomXNqSf0E7T3rOL:Insmtk2arjnxC5sHmQXE7GL

Score

10^/10

xred backdoor discovery persistence upx

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
3048	._cache_d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe
2988	Synaptics.exe
2772	._cache_Synaptics.exe

Loads dropped DLL 7 IoCs

pid	Process
1732	d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe
1732	d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe
1732	d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe
1732	d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe
2988	Synaptics.exe
2988	Synaptics.exe
2988	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000012118-4.dat	upx
behavioral1/memory/3048-22-0x0000000000400000-0x0000000000955000-memory.dmp	upx
behavioral1/memory/2772-45-0x0000000000400000-0x0000000000955000-memory.dmp	upx
behavioral1/memory/3048-125-0x0000000000400000-0x0000000000955000-memory.dmp	upx
behavioral1/memory/3048-127-0x0000000000400000-0x0000000000955000-memory.dmp	upx
behavioral1/memory/2772-130-0x0000000000400000-0x0000000000955000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies registry class 40 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	._cache_d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	._cache_Synaptics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 4c003100000000002359e72a10204c6f63616c00380008000400efbe2359ac292359e72a2a000000000200000000020000000000000000000000000000004c006f00630061006c00000014000000	._cache_d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	._cache_d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	._cache_d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	._cache_Synaptics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	._cache_d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	._cache_d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	._cache_d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	._cache_d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	._cache_d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	._cache_d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	._cache_d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	._cache_d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	._cache_d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	._cache_Synaptics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	._cache_d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 7e0074001c004346534616003100000000002359ac29122041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe2359ac292359ac292a000000ed0100000000020000000000000000000000000000004100700070004400610074006100000042000000	._cache_d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	._cache_d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	._cache_d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	._cache_Synaptics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	._cache_d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	._cache_d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	._cache_Synaptics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	._cache_Synaptics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4a00310000000000305a63af102054656d700000360008000400efbe2359ac29305a63af2a00000001020000000002000000000000000000000000000000540065006d007000000014000000	._cache_d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	._cache_d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	._cache_d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	._cache_d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	._cache_d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	._cache_d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	._cache_Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2700	EXCEL.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2700	EXCEL.EXE
3048	._cache_d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe
2772	._cache_Synaptics.exe
3048	._cache_d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe
3048	._cache_d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 3048	1732	d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe	30
PID 1732 wrote to memory of 3048	1732	d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe	30
PID 1732 wrote to memory of 3048	1732	d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe	30
PID 1732 wrote to memory of 3048	1732	d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe	30
PID 1732 wrote to memory of 2988	1732	d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe	31
PID 1732 wrote to memory of 2988	1732	d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe	31
PID 1732 wrote to memory of 2988	1732	d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe	31
PID 1732 wrote to memory of 2988	1732	d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe	31
PID 2988 wrote to memory of 2772	2988	Synaptics.exe	32
PID 2988 wrote to memory of 2772	2988	Synaptics.exe	32
PID 2988 wrote to memory of 2772	2988	Synaptics.exe	32
PID 2988 wrote to memory of 2772	2988	Synaptics.exe	32

C:\Users\Admin\AppData\Local\Temp\d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe
"C:\Users\Admin\AppData\Local\Temp\d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\._cache_d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3048
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:2772

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
2.4MB

MD5
aea5c112e24c2f2ff9898c22f3a16130

SHA1
36d742ff012a1ec17f2326155b1b55a71fc9a3b9

SHA256
d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25

SHA512
61697b48897a88943530b48fd3273fa3ec5a79687b098abf22922b65e9f2ad555be90ee84c0409b4a4e82e6a3f4b3a1b7ee6ad0030a911333867bac58b851780

Download Submit
C:\Users\Admin\AppData\Local\Temp\2Tfkh1JF.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\2Tfkh1JF.xlsm

Filesize
23KB

MD5
4dcc3cd6d3661667f493e41254c14071

SHA1
3a8f47378d244fee0c27913759b9a4c2877f5e0e

SHA256
f2b25ea186a51c44f37cc344bacd75598db3a27f9fb2652be043185757f381f4

SHA512
dbe6334bde459ffe417506bbaac23d90fa4e7e48f57924771ea314f13668594ded8dd8dcd3bdac172705bfb7fd68162d367af2864cef8fbbc12abe295d92eece

Download Submit
C:\Users\Admin\AppData\Local\Temp\2Tfkh1JF.xlsm

Filesize
22KB

MD5
37c17907a9b140ee74b8374e5a4e559b

SHA1
fdfa0417c85d45c2d64ea81466565c0cfedd8f32

SHA256
a23f9e75dbe5ad994fe0c34c3eb757cd8f72e333c78f3a6addfbd998d66d3323

SHA512
07bb1b7682726448dc6601c7514f27a9ffa212c46b006535797ef63fc3f053af6ec785123a8e1e62bdf94328b689858e5d6362ea2234520892fcf8e8abb79c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\2Tfkh1JF.xlsm

Filesize
21KB

MD5
1548d73c07eb13eb6ba601a1701ff18f

SHA1
3a312abd5c5bbfe06fb90af0ec44590cd3c7c7dd

SHA256
c57c88b27fef5b15969565f27eeb6efee542f2aab948e7d376d755f32655191e

SHA512
3dac9b4b73ed299f735fa262da8bdb8c2ed839f468294ecab1e4b2524d171a297e38c553bec533d5caa0f27065cda44fc3af0f582f800f1b8d4daf133e3e6b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2Tfkh1JF.xlsm

Filesize
23KB

MD5
faa009d8a33292a9c4fdc28584f623ca

SHA1
27a9a65529379cf60f3ba698943114d2795f1979

SHA256
e7728860f891baf4899a3e0e1b626304a831340ec067f1ae8a43bad723866ab7

SHA512
2fa64149ed5e041bcff7d987e17fa2171634aabf5f09f853c689bdbc5f22a19c221157d1fc9a9f44a59be93a20420e638a83a3594f7a19ac7e929b786c82144f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ur6VtJT.ini

Filesize
1KB

MD5
f310a5b807c0cc24d83003e64d026a53

SHA1
a3c5bb38fcbeb399c8d46583307465702bd273fb

SHA256
db6c3bfd3b35f6e10532b475a7dd6559103009cf39a8c0be614d94d281a946e4

SHA512
b72c5386bf6f62714901d443c950e2a540a4d955a5e984e693a4a3e5dc1aa92503df47cdf9a313bf33bf8c189672a431ae0298fb44d0c236784bc78c1f0458f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\~$2Tfkh1JF.xlsm

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_d7050a5f0d4b273c3af37748eeb54b175552dd5699e9723361712b7140925c25N.exe

Filesize
1.7MB

MD5
0d853b382746e7b22d99baeb1cc4d9fa

SHA1
e58eaea35d749d454307be8f9014f70bf8f3924e

SHA256
2af92c02377acaca3c387d8a807a56bb29b1b223f1197ec84e7eb965bb21cd0b

SHA512
979900535be82b489cc8fa0a87425b7211eb30a893356bd5779ec56b5bcdeab651e08f77a6958cc3a2037ed2055c53537ca9b5f109f19d57dde0b0437617de22

Download Submit
memory/1732-31-0x0000000000400000-0x000000000066A000-memory.dmp

Filesize
2.4MB

Download
memory/1732-20-0x0000000005790000-0x0000000005CE5000-memory.dmp

Filesize
5.3MB

Download
memory/1732-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1732-19-0x0000000005790000-0x0000000005CE5000-memory.dmp

Filesize
5.3MB

Download
memory/2700-122-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2700-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2772-130-0x0000000000400000-0x0000000000955000-memory.dmp

Filesize
5.3MB

Download
memory/2772-45-0x0000000000400000-0x0000000000955000-memory.dmp

Filesize
5.3MB

Download
memory/2988-126-0x0000000005630000-0x0000000005B85000-memory.dmp

Filesize
5.3MB

Download
memory/2988-128-0x0000000005630000-0x0000000005B85000-memory.dmp

Filesize
5.3MB

Download
memory/2988-43-0x0000000005630000-0x0000000005B85000-memory.dmp

Filesize
5.3MB

Download
memory/2988-129-0x0000000000400000-0x000000000066A000-memory.dmp

Filesize
2.4MB

Download
memory/2988-132-0x0000000000400000-0x000000000066A000-memory.dmp

Filesize
2.4MB

Download
memory/2988-177-0x0000000000400000-0x000000000066A000-memory.dmp

Filesize
2.4MB

Download
memory/3048-22-0x0000000000400000-0x0000000000955000-memory.dmp

Filesize
5.3MB

Download
memory/3048-123-0x0000000004E90000-0x0000000004E92000-memory.dmp

Filesize
8KB

Download
memory/3048-125-0x0000000000400000-0x0000000000955000-memory.dmp

Filesize
5.3MB

Download
memory/3048-127-0x0000000000400000-0x0000000000955000-memory.dmp

Filesize
5.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads