xred | 7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4

Analysis

max time kernel
120s
max time network
112s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 05:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe
Size

2.9MB
MD5

7a1a9085e0f549ec511d7d2663099c70
SHA1

3b21d3dbc01758bd15fdaab3e3c51513436b6a46
SHA256

7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4
SHA512

3f0561bcc0583d5b8d68f0666f5de1676e8dbaa817720519a25fa014cc46715ed6c3f2928b976c0e6ab0558939945e6478292a0936f5695d344f4ca58dd6c245
SSDEEP

49152:RnsHyjtk2MYC5GDiYBnsHyjtk2MYC5GDTYdnsHyjtk2MYC5GD6Yx:Rnsmtk2a0Bnsmtk2andnsmtk2aox

Score

10^/10

xred backdoor discovery evasion persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe

Executes dropped EXE 20 IoCs

pid	Process
2704	._cache_7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe
2588	._cache_7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4n.exe
2368	icsys.icn.exe
596	Synaptics.exe
372	explorer.exe
2096	spoolsv.exe
2976	._cache_Synaptics.exe
1444	svchost.exe
2792	spoolsv.exe
2008	._cache_synaptics.exe
308	icsys.icn.exe
1532	Synaptics.exe
1812	._cache_Synaptics.exe
1392	._cache_synaptics.exe
2388	icsys.icn.exe
1292	explorer.exe
2492	Synaptics.exe
996	._cache_Synaptics.exe
2716	icsys.icn.exe
2476	explorer.exe

Loads dropped DLL 43 IoCs

pid	Process
2888	7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe
2888	7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe
2704	._cache_7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe
2704	._cache_7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe
2704	._cache_7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe
2704	._cache_7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe
2888	7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe
2888	7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe
2368	icsys.icn.exe
2368	icsys.icn.exe
372	explorer.exe
372	explorer.exe
596	Synaptics.exe
596	Synaptics.exe
596	Synaptics.exe
2096	spoolsv.exe
2096	spoolsv.exe
1444	svchost.exe
2976	._cache_Synaptics.exe
2976	._cache_Synaptics.exe
1444	svchost.exe
2976	._cache_Synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
1532	Synaptics.exe
1532	Synaptics.exe
1532	Synaptics.exe
1532	Synaptics.exe
1812	._cache_Synaptics.exe
1812	._cache_Synaptics.exe
1392	._cache_synaptics.exe
1812	._cache_Synaptics.exe
1812	._cache_Synaptics.exe
2388	icsys.icn.exe
1392	._cache_synaptics.exe
1392	._cache_synaptics.exe
2492	Synaptics.exe
2492	Synaptics.exe
2492	Synaptics.exe
2492	Synaptics.exe
996	._cache_Synaptics.exe
996	._cache_Synaptics.exe
2716	icsys.icn.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	._cache_synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2748	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2368	icsys.icn.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
2008	._cache_synaptics.exe
372	explorer.exe
1444	svchost.exe
372	explorer.exe
372	explorer.exe
1444	svchost.exe
1444	svchost.exe
372	explorer.exe
372	explorer.exe
1444	svchost.exe
372	explorer.exe
1444	svchost.exe
1444	svchost.exe
372	explorer.exe
372	explorer.exe
1444	svchost.exe
372	explorer.exe
1444	svchost.exe
372	explorer.exe
1444	svchost.exe
372	explorer.exe
1444	svchost.exe
372	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
372	explorer.exe
1444	svchost.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	2008	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1392	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1392	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1392	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1392	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1392	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1392	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1392	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1392	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1392	._cache_synaptics.exe
Token: SeSystemProfilePrivilege	1392	._cache_synaptics.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
2704	._cache_7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe
2704	._cache_7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe
2368	icsys.icn.exe
2368	icsys.icn.exe
372	explorer.exe
372	explorer.exe
2976	._cache_Synaptics.exe
2976	._cache_Synaptics.exe
2096	spoolsv.exe
2096	spoolsv.exe
1444	svchost.exe
1444	svchost.exe
308	icsys.icn.exe
308	icsys.icn.exe
2792	spoolsv.exe
2792	spoolsv.exe
372	explorer.exe
372	explorer.exe
1812	._cache_Synaptics.exe
1812	._cache_Synaptics.exe
2388	icsys.icn.exe
2388	icsys.icn.exe
1292	explorer.exe
1292	explorer.exe
996	._cache_Synaptics.exe
996	._cache_Synaptics.exe
2716	icsys.icn.exe
2716	icsys.icn.exe
2476	explorer.exe
2476	explorer.exe
2748	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2704	2888	7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe	30
PID 2888 wrote to memory of 2704	2888	7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe	30
PID 2888 wrote to memory of 2704	2888	7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe	30
PID 2888 wrote to memory of 2704	2888	7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe	30
PID 2704 wrote to memory of 2588	2704	._cache_7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe	31
PID 2704 wrote to memory of 2588	2704	._cache_7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe	31
PID 2704 wrote to memory of 2588	2704	._cache_7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe	31
PID 2704 wrote to memory of 2588	2704	._cache_7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe	31
PID 2704 wrote to memory of 2368	2704	._cache_7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe	32
PID 2704 wrote to memory of 2368	2704	._cache_7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe	32
PID 2704 wrote to memory of 2368	2704	._cache_7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe	32
PID 2704 wrote to memory of 2368	2704	._cache_7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe	32
PID 2888 wrote to memory of 596	2888	7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe	33
PID 2888 wrote to memory of 596	2888	7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe	33
PID 2888 wrote to memory of 596	2888	7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe	33
PID 2888 wrote to memory of 596	2888	7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe	33
PID 2368 wrote to memory of 372	2368	icsys.icn.exe	34
PID 2368 wrote to memory of 372	2368	icsys.icn.exe	34
PID 2368 wrote to memory of 372	2368	icsys.icn.exe	34
PID 2368 wrote to memory of 372	2368	icsys.icn.exe	34
PID 372 wrote to memory of 2096	372	explorer.exe	35
PID 372 wrote to memory of 2096	372	explorer.exe	35
PID 372 wrote to memory of 2096	372	explorer.exe	35
PID 372 wrote to memory of 2096	372	explorer.exe	35
PID 596 wrote to memory of 2976	596	Synaptics.exe	36
PID 596 wrote to memory of 2976	596	Synaptics.exe	36
PID 596 wrote to memory of 2976	596	Synaptics.exe	36
PID 596 wrote to memory of 2976	596	Synaptics.exe	36
PID 2096 wrote to memory of 1444	2096	spoolsv.exe	37
PID 2096 wrote to memory of 1444	2096	spoolsv.exe	37
PID 2096 wrote to memory of 1444	2096	spoolsv.exe	37
PID 2096 wrote to memory of 1444	2096	spoolsv.exe	37
PID 2976 wrote to memory of 2008	2976	._cache_Synaptics.exe	39
PID 2976 wrote to memory of 2008	2976	._cache_Synaptics.exe	39
PID 2976 wrote to memory of 2008	2976	._cache_Synaptics.exe	39
PID 2976 wrote to memory of 2008	2976	._cache_Synaptics.exe	39
PID 1444 wrote to memory of 2792	1444	svchost.exe	38
PID 1444 wrote to memory of 2792	1444	svchost.exe	38
PID 1444 wrote to memory of 2792	1444	svchost.exe	38
PID 1444 wrote to memory of 2792	1444	svchost.exe	38
PID 2976 wrote to memory of 308	2976	._cache_Synaptics.exe	40
PID 2976 wrote to memory of 308	2976	._cache_Synaptics.exe	40
PID 2976 wrote to memory of 308	2976	._cache_Synaptics.exe	40
PID 2976 wrote to memory of 308	2976	._cache_Synaptics.exe	40
PID 1444 wrote to memory of 1056	1444	svchost.exe	41
PID 1444 wrote to memory of 1056	1444	svchost.exe	41
PID 1444 wrote to memory of 1056	1444	svchost.exe	41
PID 1444 wrote to memory of 1056	1444	svchost.exe	41
PID 2008 wrote to memory of 1532	2008	._cache_synaptics.exe	43
PID 2008 wrote to memory of 1532	2008	._cache_synaptics.exe	43
PID 2008 wrote to memory of 1532	2008	._cache_synaptics.exe	43
PID 2008 wrote to memory of 1532	2008	._cache_synaptics.exe	43
PID 1532 wrote to memory of 1812	1532	Synaptics.exe	44
PID 1532 wrote to memory of 1812	1532	Synaptics.exe	44
PID 1532 wrote to memory of 1812	1532	Synaptics.exe	44
PID 1532 wrote to memory of 1812	1532	Synaptics.exe	44
PID 1812 wrote to memory of 1392	1812	._cache_Synaptics.exe	45
PID 1812 wrote to memory of 1392	1812	._cache_Synaptics.exe	45
PID 1812 wrote to memory of 1392	1812	._cache_Synaptics.exe	45
PID 1812 wrote to memory of 1392	1812	._cache_Synaptics.exe	45
PID 1812 wrote to memory of 2388	1812	._cache_Synaptics.exe	46
PID 1812 wrote to memory of 2388	1812	._cache_Synaptics.exe	46
PID 1812 wrote to memory of 2388	1812	._cache_Synaptics.exe	46
PID 1812 wrote to memory of 2388	1812	._cache_Synaptics.exe	46

C:\Users\Admin\AppData\Local\Temp\7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe
"C:\Users\Admin\AppData\Local\Temp\7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Users\Admin\AppData\Local\Temp\._cache_7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2704
- - \??\c:\users\admin\appdata\local\temp\._cache_7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4n.exe
    c:\users\admin\appdata\local\temp\._cache_7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4n.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2588
- - C:\Users\Admin\AppData\Local\icsys.icn.exe
    C:\Users\Admin\AppData\Local\icsys.icn.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:372
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2096
      - \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2792
        
        C:\Windows\SysWOW64\at.exe
        
        at 05:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\at.exe
        
        at 05:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2232
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:596
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
      c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2008
    - - C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1532
      - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
        
        C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:996
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2716
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2388
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1292
  - - C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:308

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
2.9MB

MD5
7a1a9085e0f549ec511d7d2663099c70

SHA1
3b21d3dbc01758bd15fdaab3e3c51513436b6a46

SHA256
7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4

SHA512
3f0561bcc0583d5b8d68f0666f5de1676e8dbaa817720519a25fa014cc46715ed6c3f2928b976c0e6ab0558939945e6478292a0936f5695d344f4ca58dd6c245

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_._cache_synaptics.exe

Filesize
1.2MB

MD5
3bec3aeb9f99dbf9c2b6bb89b4add39a

SHA1
f401abce66e942f966607d67a432a628622d6516

SHA256
eb717518e0e2a90a3e061792ee5b380ee6634fb982c62682e9c6170af8ca46b8

SHA512
cb278d7d83c84fe64bd3bde517d29e52df6fa2c94d063d48a2543c296e4e962763b883317844c08e47e8b9dbaf3505cc27782703608b98603e11d776eb7777b7

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
20602f77608fd2bdebecb54d6ddad08f

SHA1
bba0a2150a4fea15db48ea7d2398eb1344cf749f

SHA256
0b0ac637272ff103bcf0e0e79df4ab4f36307f1d4386dd2c49f39031969dce62

SHA512
82beb0f477c5c5eaa7dedd710ab883b377ce55c385aff0d40136ebc45db2e340664325cbffd52e5604fe0716f9cf91453b0e1b8e1ce0fa1f0291930e1f0e8a1b

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
54e5e910e9c070e25b78ec5d8ce312f1

SHA1
27da17c205fcfb29c1ede93b9259d39fe1d58bc8

SHA256
e72d7d6e28a668759f712d41c542339a0a387d951e028e1af1403a50569a55cb

SHA512
d5042715ce91c971a30a7237132312dbb02ee281805ff82576249bd7a4d10ad5be42e33812aa4d89a059c176bfb1eccfcf15cb22453fdc41ecf877e9050058ce

Download Submit
C:\Windows\system\explorer.exe

Filesize
206KB

MD5
9ca2d8133525d19c32ef5d962393bfbe

SHA1
15e3a7210bd103b8e24fe02b4da04227c4cb4eb4

SHA256
000ac8d96f969c67762046b2fc858e9dc7d00354fd3cb5a57b20382b45c5cf5d

SHA512
f674f4b1d4b538bd5be4d66d5f758a963ba30ee276201719f2c19f0e2d85756ba2b1245c3dac3003e909a86f438290fa4389ba489fd3e673def8f95b60479f26

Download Submit
C:\Windows\system\svchost.exe

Filesize
207KB

MD5
4b80edefec197f9678a6dbcedc2c3967

SHA1
2eccd8e33b91c13959a785bd1a563eb68e6e58a6

SHA256
b4fdde404d2d665069fadf92e9fc7f308aa186c33ca923e3af9fac6c503a59b5

SHA512
e1824233eba34f8b02a181f7bf6e4f8f19a4871fac86ef587ba3dccc37172e86bd356b9be20c52d5e1522b930d8fdadf39e3d736e752ddf0e919088e86937072

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe

Filesize
2.1MB

MD5
e3faeb35f56273ecce987a94379d3683

SHA1
7cb189451c6c4af1efee17453f90c1a6aae2fabb

SHA256
4f5f4b955e6659bcf44c5abab6d692f1adf2f9677751035bf422106af8442180

SHA512
7d316bad87a9f895311628a3abf7eebd77dd5774f8935044bd317e50961d2dc60983299acb7aff13f4285b141ab352991ba8ebba64fb9d28f60726a3f6e244cf

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4n.exe

Filesize
1.9MB

MD5
68dbfb2c9a0951dac513985e40e89d3a

SHA1
8083d2cea9e0bf96160b051f19860d2f6e06d65a

SHA256
94ca6644e8842c073b9b19ab260214cf9c89bbb4ff65e332d2104ec67b316093

SHA512
f7fd4efca17edc8771909b279554e57ed2451db8c41591e8c1dbef2583f24a5e90f9c43a1f16fe874e157b5604ce820cf8f88ee07e8a5ab2010245f18545bebc

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
6b8cf6f15399e7a3aa7ed379332c38cf

SHA1
6091ad876909c7a9ecc3beb123a8b763742c43d6

SHA256
49876f4990a593adada35d8fab2887ac5516a781c666feaa12cb2c1f84dbe918

SHA512
b9edde13e3ea8cc7e46547648886e6e0cf2a0f08645bd05930cd669d7562e5aea94316a7427e51371bfdbb824f7e37090e02d614d6302246a58a651c413ce1be

Download Submit
memory/308-133-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/372-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/596-137-0x0000000000400000-0x00000000006E0000-memory.dmp

Filesize
2.9MB

Download
memory/996-200-0x0000000003140000-0x0000000003181000-memory.dmp

Filesize
260KB

Download
memory/996-209-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1292-186-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1392-190-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/1392-166-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/1444-235-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1532-152-0x00000000007E0000-0x0000000000821000-memory.dmp

Filesize
260KB

Download
memory/1532-189-0x0000000000400000-0x00000000006E0000-memory.dmp

Filesize
2.9MB

Download
memory/1812-188-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1812-174-0x0000000002AD0000-0x0000000002B11000-memory.dmp

Filesize
260KB

Download
memory/1812-175-0x0000000002AD0000-0x0000000002B11000-memory.dmp

Filesize
260KB

Download
memory/2008-150-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/2096-142-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2368-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2368-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2368-67-0x0000000002C10000-0x0000000002C51000-memory.dmp

Filesize
260KB

Download
memory/2388-187-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2476-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2492-231-0x0000000000400000-0x00000000006E0000-memory.dmp

Filesize
2.9MB

Download
memory/2492-230-0x0000000000400000-0x00000000006E0000-memory.dmp

Filesize
2.9MB

Download
memory/2492-267-0x0000000000400000-0x00000000006E0000-memory.dmp

Filesize
2.9MB

Download
memory/2492-210-0x0000000000400000-0x00000000006E0000-memory.dmp

Filesize
2.9MB

Download
memory/2492-191-0x00000000041C0000-0x0000000004201000-memory.dmp

Filesize
260KB

Download
memory/2588-98-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/2704-43-0x00000000025B0000-0x00000000025F1000-memory.dmp

Filesize
260KB

Download
memory/2704-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2716-208-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2748-211-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2792-139-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2888-0-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2888-59-0x0000000000400000-0x00000000006E0000-memory.dmp

Filesize
2.9MB

Download
memory/2888-5-0x0000000004250000-0x0000000004291000-memory.dmp

Filesize
260KB

Download
memory/2976-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download