Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
16-01-2025 05:13
General
-
Target
7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe
-
Size
2.9MB
-
MD5
7a1a9085e0f549ec511d7d2663099c70
-
SHA1
3b21d3dbc01758bd15fdaab3e3c51513436b6a46
-
SHA256
7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4
-
SHA512
3f0561bcc0583d5b8d68f0666f5de1676e8dbaa817720519a25fa014cc46715ed6c3f2928b976c0e6ab0558939945e6478292a0936f5695d344f4ca58dd6c245
-
SSDEEP
49152:RnsHyjtk2MYC5GDiYBnsHyjtk2MYC5GDTYdnsHyjtk2MYC5GD6Yx:Rnsmtk2a0Bnsmtk2andnsmtk2aox
Score
10/10
Malware Config
Extracted
Family
xred
C2
xred.mooo.com
Attributes
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Xred
Xred is backdoor written in Delphi.
-
Xred family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings 2 TTPs 35 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Adds Run key to start application 2 TTPs 22 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 35 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe"C:\Users\Admin\AppData\Local\Temp\7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe"C:\Users\Admin\AppData\Local\Temp\._cache_7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4N.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\temp\._cache_7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4n.exec:\users\admin\appdata\local\temp\._cache_7b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4n.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE5⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\at.exeat 05:15 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 05:16 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe7⤵
-
-
-
-
-
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exec:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exec:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate7⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate8⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exec:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate10⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate11⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exec:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate13⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate14⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exec:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate16⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate17⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exec:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate19⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate20⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exec:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate22⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate23⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exec:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate25⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate26⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate27⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exec:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate28⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate29⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate30⤵
- Executes dropped EXE
-
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exec:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate31⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate32⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate33⤵
- Executes dropped EXE
-
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exec:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate34⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate35⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate36⤵
- Executes dropped EXE
-
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exec:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate37⤵
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate38⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate39⤵
-
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exec:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate40⤵
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate41⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate42⤵
- System Location Discovery: System Language Discovery
-
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exec:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate43⤵
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate44⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate45⤵
- System Location Discovery: System Language Discovery
-
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exec:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate46⤵
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate47⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate48⤵
- System Location Discovery: System Language Discovery
-
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exec:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate49⤵
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate50⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate51⤵
-
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exec:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate52⤵
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate53⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe52⤵
- System Location Discovery: System Language Discovery
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe53⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe49⤵
- System Location Discovery: System Language Discovery
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe50⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe46⤵
- System Location Discovery: System Language Discovery
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe47⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe43⤵
- System Location Discovery: System Language Discovery
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe44⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe40⤵
- System Location Discovery: System Language Discovery
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe41⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe37⤵
- System Location Discovery: System Language Discovery
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe38⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe32⤵
- Executes dropped EXE
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe23⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe20⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe16⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe17⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
753KB
MD51cdbeea56a97090c2f052185c334f9b0
SHA14833d6b5b4930dc9645628bed2e9926c3bf4e1ed
SHA256f154450a0fffcb44f0a5c5c7cafaff34d34ade7bf22c179fe8940c751c696bb4
SHA512c53502086e0ba66029b754be2046d9a478cfd200b96aba529d33a539c59635f8bb339a9b0408b8829f2f9b67a2bc570048f7360e8f23ae49bc96a8b36a3beee3
-
Filesize
2.9MB
MD57a1a9085e0f549ec511d7d2663099c70
SHA13b21d3dbc01758bd15fdaab3e3c51513436b6a46
SHA2567b3d84cf9e2bb957cdf2bde4a694890dfa3b0ee28df8771f21da8fea5323eea4
SHA5123f0561bcc0583d5b8d68f0666f5de1676e8dbaa817720519a25fa014cc46715ed6c3f2928b976c0e6ab0558939945e6478292a0936f5695d344f4ca58dd6c245
-
Filesize
1.2MB
MD53bec3aeb9f99dbf9c2b6bb89b4add39a
SHA1f401abce66e942f966607d67a432a628622d6516
SHA256eb717518e0e2a90a3e061792ee5b380ee6634fb982c62682e9c6170af8ca46b8
SHA512cb278d7d83c84fe64bd3bde517d29e52df6fa2c94d063d48a2543c296e4e962763b883317844c08e47e8b9dbaf3505cc27782703608b98603e11d776eb7777b7
-
Filesize
2.1MB
MD5e3faeb35f56273ecce987a94379d3683
SHA17cb189451c6c4af1efee17453f90c1a6aae2fabb
SHA2564f5f4b955e6659bcf44c5abab6d692f1adf2f9677751035bf422106af8442180
SHA5127d316bad87a9f895311628a3abf7eebd77dd5774f8935044bd317e50961d2dc60983299acb7aff13f4285b141ab352991ba8ebba64fb9d28f60726a3f6e244cf
-
Filesize
206KB
MD520602f77608fd2bdebecb54d6ddad08f
SHA1bba0a2150a4fea15db48ea7d2398eb1344cf749f
SHA2560b0ac637272ff103bcf0e0e79df4ab4f36307f1d4386dd2c49f39031969dce62
SHA51282beb0f477c5c5eaa7dedd710ab883b377ce55c385aff0d40136ebc45db2e340664325cbffd52e5604fe0716f9cf91453b0e1b8e1ce0fa1f0291930e1f0e8a1b
-
Filesize
206KB
MD5c44dc10e9c0739c64f19120934f43ec2
SHA11eac846660d46a776364db7da52359e3bd425870
SHA256b714862cc1b542b907b03642a6219bf1bba8baff8ce5f721846572d5968ae6f4
SHA5129152ef8f9c19624c4e85aef5b5dc2eb4f8af8d906abb048233548517d5e5eb31125701dc780268ee5edf14586b7d008ca208eca9859defd448e9c26d356b6ddf
-
Filesize
206KB
MD502bb77daf9c08ba9e34b54409796de1d
SHA1fdb55c133ed9940b7d4536ddeda9d5631ff25513
SHA2567b3c8b347669bca71161c8b2f4d048baff565ae98dbb00fd0ae63e776eba4af8
SHA512e25a6111022ae7d0f33f76565cb0a82fe0c706781ba9b8b7df8ebecb5ea6142c1e0e949c6bbabdc89cdeafe1579ceddeef5470649e71d37a9f6621ce8dfb09a2
-
Filesize
1.9MB
MD568dbfb2c9a0951dac513985e40e89d3a
SHA18083d2cea9e0bf96160b051f19860d2f6e06d65a
SHA25694ca6644e8842c073b9b19ab260214cf9c89bbb4ff65e332d2104ec67b316093
SHA512f7fd4efca17edc8771909b279554e57ed2451db8c41591e8c1dbef2583f24a5e90f9c43a1f16fe874e157b5604ce820cf8f88ee07e8a5ab2010245f18545bebc
-
Filesize
206KB
MD5c3dda635c2d32883b6ac4214941f2fa0
SHA158938345aeea61e94c7c2f92df6eac4fab3c7f35
SHA2562210d9bad42b2a329dad18b94dd42ec6c5f86ff6f5fe3f17668c6e26de88e208
SHA5123d274594f24ebe171db110586bd7ffbdab8f82d9e696f291046254c4a0959b38e7d0d15e0fa276237e0b4fbf9f62654c4286e43a479a1d7f0955d0f8954f6560
-
Filesize
206KB
MD559929b07ff3e10cd04e0336cfd2178b9
SHA1e3aa807dc9dd6222901b627e7ee4761f336db0d7
SHA2566eaed3a0469ec5d042ea2f020c757ae72b15d270fdca508f0ae3d750eebad7fc
SHA5120902406d87e934ea263a053f225392448682eb6f5dc5b4dc067ebeb1cb9ab2666954af888569df53d4f8f9c8dd925af7b6bb763b7dfd93f6b06aac5573dc9014
-
Filesize
1.9MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
1.9MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
1.9MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
1.9MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
4KB
-
Filesize
2.9MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
1.9MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
1.9MB
-
Filesize
260KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.9MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
1.9MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
1.9MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
1.9MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
1.9MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
2.9MB
-
Filesize
4KB
-
Filesize
1.9MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
1.9MB
-
Filesize
260KB
-
Filesize
1.9MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
1.9MB
-
Filesize
260KB
-
Filesize
1.9MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
260KB
-
Filesize
1.9MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
1.9MB
-
Filesize
260KB
-
Filesize
1.9MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
1.9MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
1.9MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
1.9MB
-
Filesize
260KB
-
Filesize
776KB
-
Filesize
776KB
-
Filesize
1.9MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
1.9MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
1.9MB
-
Filesize
260KB
-
Filesize
1.9MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
1.9MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
1.9MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
1.9MB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
1.9MB
-
Filesize
260KB