Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22/01/2025, 22:44
Behavioral task
behavioral1
Sample
95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe
Resource
win10v2004-20241007-en
General
-
Target
95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe
-
Size
3.6MB
-
MD5
575b18de3bde4f0bac81569918c71040
-
SHA1
fedcaebb7ac62e2cc2f792a6efd7b5feadfd387c
-
SHA256
95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4
-
SHA512
c131d03c17da866ffbb97c56c1fd0798f12ed60c17253f6fdabbb77eadd3650b18d20ad6e16e938219e54899b32c412006d0a2ff2a5aecf4cf572df00d0df6fb
-
SSDEEP
49152:/YZnsHyjtk2MYC5GD/YKnsHyjtk2MYC5GDsYS1Q+09xqoWh5GisYxMGyN0F:QZnsmtk2a/Knsmtk2aGS6bRWTGZYaG8Q
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" svchost.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe -
Xred family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" svchost.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} svchost.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" svchost.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} svchost.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} svchost.exe -
Executes dropped EXE 17 IoCs
pid Process 2436 95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4n.exe 2968 icsys.icn.exe 2744 explorer.exe 2516 spoolsv.exe 2520 svchost.exe 2244 spoolsv.exe 1656 Synaptics.exe 1444 ._cache_Synaptics.exe 2080 ._cache_synaptics.exe 2332 icsys.icn.exe 660 explorer.exe 1188 Synaptics.exe 2876 ._cache_Synaptics.exe 1660 ._cache_synaptics.exe 2984 icsys.icn.exe 1732 explorer.exe 1696 Synaptics.exe -
Loads dropped DLL 39 IoCs
pid Process 1048 95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe 1048 95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe 1048 95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe 1048 95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe 2968 icsys.icn.exe 2968 icsys.icn.exe 2744 explorer.exe 2744 explorer.exe 2516 spoolsv.exe 2516 spoolsv.exe 2520 svchost.exe 2520 svchost.exe 2436 95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4n.exe 2436 95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4n.exe 2436 95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4n.exe 1656 Synaptics.exe 1656 Synaptics.exe 1656 Synaptics.exe 1444 ._cache_Synaptics.exe 1444 ._cache_Synaptics.exe 1444 ._cache_Synaptics.exe 1444 ._cache_Synaptics.exe 2332 icsys.icn.exe 2080 ._cache_synaptics.exe 2080 ._cache_synaptics.exe 2080 ._cache_synaptics.exe 1188 Synaptics.exe 1188 Synaptics.exe 1188 Synaptics.exe 1188 Synaptics.exe 2876 ._cache_Synaptics.exe 2876 ._cache_Synaptics.exe 1660 ._cache_synaptics.exe 2876 ._cache_Synaptics.exe 2876 ._cache_Synaptics.exe 2984 icsys.icn.exe 1660 ._cache_synaptics.exe 1660 ._cache_synaptics.exe 1660 ._cache_synaptics.exe -
Adds Run key to start application 2 TTPs 7 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" 95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4n.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" ._cache_synaptics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" ._cache_synaptics.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File opened for modification C:\Windows\system\udsys.exe explorer.exe File opened for modification \??\c:\windows\system\explorer.exe icsys.icn.exe File opened for modification \??\c:\windows\system\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\system\svchost.exe spoolsv.exe File opened for modification \??\c:\windows\system\explorer.exe explorer.exe File opened for modification \??\c:\windows\system\svchost.exe svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 23 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXCEL.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXCEL.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXCEL.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icsys.icn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icsys.icn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4n.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icsys.icn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1992 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2968 icsys.icn.exe 2744 explorer.exe 2744 explorer.exe 2744 explorer.exe 2744 explorer.exe 2520 svchost.exe 2520 svchost.exe 2744 explorer.exe 2520 svchost.exe 2744 explorer.exe 2520 svchost.exe 2744 explorer.exe 2520 svchost.exe 2520 svchost.exe 2744 explorer.exe 2744 explorer.exe 2520 svchost.exe 2520 svchost.exe 2744 explorer.exe 2520 svchost.exe 2744 explorer.exe 2744 explorer.exe 2520 svchost.exe 2520 svchost.exe 2080 ._cache_synaptics.exe 2080 ._cache_synaptics.exe 2080 ._cache_synaptics.exe 2080 ._cache_synaptics.exe 2080 ._cache_synaptics.exe 2080 ._cache_synaptics.exe 2080 ._cache_synaptics.exe 2520 svchost.exe 2520 svchost.exe 2744 explorer.exe 2744 explorer.exe 2520 svchost.exe 2520 svchost.exe 2744 explorer.exe 2520 svchost.exe 2744 explorer.exe 2744 explorer.exe 2520 svchost.exe 2520 svchost.exe 2744 explorer.exe 2744 explorer.exe 2520 svchost.exe 2520 svchost.exe 2744 explorer.exe 2744 explorer.exe 2520 svchost.exe 2520 svchost.exe 2744 explorer.exe 2520 svchost.exe 2744 explorer.exe 2744 explorer.exe 2520 svchost.exe 2520 svchost.exe 2744 explorer.exe 2744 explorer.exe 2520 svchost.exe 2520 svchost.exe 1660 ._cache_synaptics.exe 2520 svchost.exe 2520 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 2744 explorer.exe 2520 svchost.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeSystemProfilePrivilege 2080 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 2080 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 2080 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 2080 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 2080 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 2080 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 2080 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe Token: SeSystemProfilePrivilege 1660 ._cache_synaptics.exe -
Suspicious use of SetWindowsHookEx 29 IoCs
pid Process 1048 95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe 1048 95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe 2968 icsys.icn.exe 2968 icsys.icn.exe 2744 explorer.exe 2744 explorer.exe 2516 spoolsv.exe 2516 spoolsv.exe 2520 svchost.exe 2520 svchost.exe 2244 spoolsv.exe 2244 spoolsv.exe 2744 explorer.exe 2744 explorer.exe 1444 ._cache_Synaptics.exe 1444 ._cache_Synaptics.exe 2332 icsys.icn.exe 1992 EXCEL.EXE 2332 icsys.icn.exe 660 explorer.exe 660 explorer.exe 2876 ._cache_Synaptics.exe 2876 ._cache_Synaptics.exe 2984 icsys.icn.exe 2984 icsys.icn.exe 1732 explorer.exe 1732 explorer.exe 1856 EXCEL.EXE 2776 EXCEL.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1048 wrote to memory of 2436 1048 95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe 28 PID 1048 wrote to memory of 2436 1048 95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe 28 PID 1048 wrote to memory of 2436 1048 95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe 28 PID 1048 wrote to memory of 2436 1048 95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe 28 PID 1048 wrote to memory of 2968 1048 95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe 29 PID 1048 wrote to memory of 2968 1048 95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe 29 PID 1048 wrote to memory of 2968 1048 95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe 29 PID 1048 wrote to memory of 2968 1048 95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe 29 PID 2968 wrote to memory of 2744 2968 icsys.icn.exe 30 PID 2968 wrote to memory of 2744 2968 icsys.icn.exe 30 PID 2968 wrote to memory of 2744 2968 icsys.icn.exe 30 PID 2968 wrote to memory of 2744 2968 icsys.icn.exe 30 PID 2744 wrote to memory of 2516 2744 explorer.exe 31 PID 2744 wrote to memory of 2516 2744 explorer.exe 31 PID 2744 wrote to memory of 2516 2744 explorer.exe 31 PID 2744 wrote to memory of 2516 2744 explorer.exe 31 PID 2516 wrote to memory of 2520 2516 spoolsv.exe 32 PID 2516 wrote to memory of 2520 2516 spoolsv.exe 32 PID 2516 wrote to memory of 2520 2516 spoolsv.exe 32 PID 2516 wrote to memory of 2520 2516 spoolsv.exe 32 PID 2520 wrote to memory of 2244 2520 svchost.exe 33 PID 2520 wrote to memory of 2244 2520 svchost.exe 33 PID 2520 wrote to memory of 2244 2520 svchost.exe 33 PID 2520 wrote to memory of 2244 2520 svchost.exe 33 PID 2436 wrote to memory of 1656 2436 95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4n.exe 34 PID 2436 wrote to memory of 1656 2436 95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4n.exe 34 PID 2436 wrote to memory of 1656 2436 95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4n.exe 34 PID 2436 wrote to memory of 1656 2436 95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4n.exe 34 PID 2520 wrote to memory of 268 2520 svchost.exe 35 PID 2520 wrote to memory of 268 2520 svchost.exe 35 PID 2520 wrote to memory of 268 2520 svchost.exe 35 PID 2520 wrote to memory of 268 2520 svchost.exe 35 PID 1656 wrote to memory of 1444 1656 Synaptics.exe 37 PID 1656 wrote to memory of 1444 1656 Synaptics.exe 37 PID 1656 wrote to memory of 1444 1656 Synaptics.exe 37 PID 1656 wrote to memory of 1444 1656 Synaptics.exe 37 PID 1444 wrote to memory of 2080 1444 ._cache_Synaptics.exe 39 PID 1444 wrote to memory of 2080 1444 ._cache_Synaptics.exe 39 PID 1444 wrote to memory of 2080 1444 ._cache_Synaptics.exe 39 PID 1444 wrote to memory of 2080 1444 ._cache_Synaptics.exe 39 PID 1444 wrote to memory of 2332 1444 ._cache_Synaptics.exe 40 PID 1444 wrote to memory of 2332 1444 ._cache_Synaptics.exe 40 PID 1444 wrote to memory of 2332 1444 ._cache_Synaptics.exe 40 PID 1444 wrote to memory of 2332 1444 ._cache_Synaptics.exe 40 PID 2332 wrote to memory of 660 2332 icsys.icn.exe 41 PID 2332 wrote to memory of 660 2332 icsys.icn.exe 41 PID 2332 wrote to memory of 660 2332 icsys.icn.exe 41 PID 2332 wrote to memory of 660 2332 icsys.icn.exe 41 PID 2080 wrote to memory of 1188 2080 ._cache_synaptics.exe 42 PID 2080 wrote to memory of 1188 2080 ._cache_synaptics.exe 42 PID 2080 wrote to memory of 1188 2080 ._cache_synaptics.exe 42 PID 2080 wrote to memory of 1188 2080 ._cache_synaptics.exe 42 PID 1188 wrote to memory of 2876 1188 Synaptics.exe 43 PID 1188 wrote to memory of 2876 1188 Synaptics.exe 43 PID 1188 wrote to memory of 2876 1188 Synaptics.exe 43 PID 1188 wrote to memory of 2876 1188 Synaptics.exe 43 PID 2876 wrote to memory of 1660 2876 ._cache_Synaptics.exe 45 PID 2876 wrote to memory of 1660 2876 ._cache_Synaptics.exe 45 PID 2876 wrote to memory of 1660 2876 ._cache_Synaptics.exe 45 PID 2876 wrote to memory of 1660 2876 ._cache_Synaptics.exe 45 PID 2876 wrote to memory of 2984 2876 ._cache_Synaptics.exe 46 PID 2876 wrote to memory of 2984 2876 ._cache_Synaptics.exe 46 PID 2876 wrote to memory of 2984 2876 ._cache_Synaptics.exe 46 PID 2876 wrote to memory of 2984 2876 ._cache_Synaptics.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe"C:\Users\Admin\AppData\Local\Temp\95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1048 -
\??\c:\users\admin\appdata\local\temp\95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4n.exec:\users\admin\appdata\local\temp\95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4n.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1444 -
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exec:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exec:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate8⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1660 -
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1696
-
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2984 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1732
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:660
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe5⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2244
-
-
C:\Windows\SysWOW64\at.exeat 22:46 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
- System Location Discovery: System Language Discovery
PID:268
-
-
C:\Windows\SysWOW64\at.exeat 22:47 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
- System Location Discovery: System Language Discovery
PID:1596
-
-
-
-
-
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1992
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:1856
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:2776
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
753KB
MD5ceab064b6d1d8ba57444371889936da1
SHA1ed748ba18c6dadf05e9a6aa008443d055375e71e
SHA2566e0d8597ac91fcebce2757d5ccdff21f256c857b7a3ab06d7da3113ac24c6b3b
SHA512c65afe84060cdf24a8ebca454eca6aa0eb73cb5898c6106dec490f2c37cbac6173d3ea5302812787ff137fea219b4d7506b68f193b4709aff03a46157fc82b24
-
Filesize
1.7MB
MD5bc95b2206dd7637fe20a16798c406745
SHA1e77612a366109cd0359917b9a177aa114ba7ca83
SHA25609b41d9c265effd7b2bc78cbaee81c3e977c718ddcedcb506f69ffa178eb5a74
SHA5121d081aea628f10327649404114fa571cc87b053ae195a90ff5d4d59c21c8a932d716a32ea252aac324fa0c39bdab8c46bcc9fe85dccc7dc7312d1d22fb4f6540
-
Filesize
2.4MB
MD56aea658a809df0b4e0f2b52204fa1e31
SHA1a1819c28ce05dd8521d74dae1375ad9699791dc0
SHA256ea4087068126db22d789769a45831897cdd3060ea0d7f6368f515b479dde1208
SHA5129ed22b45fdbb4d17fce304d578b3387bfdf1fdca353c2011249987f25d264f443a3b6d1099449fb558f9821c634c2c0a4b5b16dda2c7a1b25076acb4d93c20d3
-
Filesize
22KB
MD504df9b4bafc1dd46f88317048e1c9613
SHA1960b4d2c826eed55e3fd94aeb7639fa4cffc399d
SHA25621ddd7c9a4200a5ab55165435a8f2a7eba626179f9352275c56214ab147aa713
SHA512becaf3413a8e5c43b46a111cdf581c53dda3ad93e94aefde847d0fefa739e200313d26b84768bd3b6b23c933d823d148e378058f38115c111995bbc68c6c391b
-
Filesize
23KB
MD5ca0d4caafdb0e68b837eabb999992200
SHA13d91172b06f5cce2bdd91df80b98e11ca8bc6252
SHA256ec2980acd7735671a44050a5756a802c918eeca3420f947e3c0c3a3a638f2000
SHA512a53c40e145197189d5c1d3cb6cf2d4f53992eb305a223051a49de2887792f7af665cc5d17fbdd168b913f86101d965ccb98085116d52ca5d535bd1e7a44906d7
-
Filesize
26KB
MD57d6215645778866a175f9bbe2f7fb71c
SHA11c6971ad647c47472720cd919884016c2643df10
SHA2567190f6c2bcd8ad580a908e610492198d043b5f503f0867e4e486693e528b8eb3
SHA51299bd01ae076605f972066481fa5909a3e03f2d0230d13e6520f9eeb7393b780d6d8a804a1d15daf83241cb587506acb653a468020b587ddc4c1e661a15cad85e
-
Filesize
24KB
MD5b8498de4a89ae9c248063d6414de8b3f
SHA13009b932155b15706867b102e0acccd1a0901c92
SHA256f455f3e4239b50d3c8cd054d92161687ccd8407a4c6255589969825582ca8d01
SHA512cbf605802c8638ec8973922820a80c2528ee30f410963937302495e19fda9480de7386404f185e73075db482b12a53b4718c8577dd5332924796ad2d011fbb6a
-
Filesize
206KB
MD583b3035df04728252d66100272d85e01
SHA115d784205aea26a3a93b7fcc7d56bad010c56890
SHA256d4dbb6ca603866cfa2168690ea3a523aa1c6d04d780da787451bdaada77e7269
SHA512a7ba03bf9cad80dc0449976b834cb91dafd2a51b037d8e9af7ee5325e172e9e1e963a5c6befeb5e758b7e42c38ac045a48e04b7414e2489f8448cc2984ed466a
-
Filesize
165B
MD5ff09371174f7c701e75f357a187c06e8
SHA157f9a638fd652922d7eb23236c80055a91724503
SHA256e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8
SHA512e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882
-
Filesize
207KB
MD51f9347ad916292acadc5468dd88adad0
SHA1689f8eb2168459ce92d8e1210afdd0d979fe4578
SHA25671ecbde4cd282b00873c25e98b4bb2736c3b29666ca148b933e8cd0022cdf24e
SHA51225485170a4afdb52304601dd48a9734b4a63a5aeb9ab7e86f0909232cc1c684586a7c9c5bf3d1448c818f2c2d382ca9353fd0243d489ce4b4385b5252df4dae0
-
Filesize
2.6MB
MD5ffa2e235448687e2b7e37bb8a99f38c9
SHA1153b873d572fb6bc8794f7aeec9c208d50182489
SHA256e6edb39132b26125704af6d10cd43f9153cadafa9e8692b809749ef0bb973161
SHA51232d3829bb1d0e0ac21b7cc3d3d3f0e71a5944ebccbdbe7837b0f8608a91859865cad7b26469ff230a2c7720d2f19784ae51cc62cc27c86553d01451cb72d792b
-
\Users\Admin\AppData\Local\Temp\95ac1cb5a12aa976d60eb2b2e0639c61311a8430f4b4656aebc56b85ec2abff4n.exe
Filesize3.4MB
MD5b7de67b0a46cb2b9323b251d34d34708
SHA1993564e1f3bde5422da5b8e74711868725e2c9df
SHA2564c3a7ee11791b181152ba80fc0c29eef05f6a6617aff56ef0edbb4919fde9581
SHA512b407a869cc5b5e86afff7bbfb24ee4c060cd4600d2fc5ef88de3c804299edcf63a0376209a6f2a9175da659608c12ddf0cea5225106646b83dbda10103fdf25f
-
Filesize
206KB
MD5bd7b5016453c5b3414a4eb30747f0f5e
SHA1f143f1bdaaafe645607024424dc8d8178ca89868
SHA256a3a6970b431c34714ee58bccf9668115194262a7e39f19a58fd8d94249568aae
SHA51282af27b4408c84bca5bad2737da410cb64f691131a603aad4aa4029d8b76194077118bd5147208d8a952248e0077de8db6c74aba247abefc6a1eadb2f0fbd139
-
Filesize
206KB
MD53343be9774d2c669a6cd6f1296ebeae8
SHA1cf675b229c99320d12201e2a1a3d7d32d26c8485
SHA256efc65b4655e6adef136bf0413e6fe45f70fe990528887fac719f9a03e945a0e2
SHA512f9048d3b02ed7ee56d48c9aa21e5ef2e7bfe1ae6a7517741238fc765568024de65fe82ac94e19e7ef8ac17666407462ed664be059db6b5f5c734f6f8780c14b1
-
Filesize
206KB
MD52174e16c77811eb61e9df75fd0f42e3e
SHA18c77d969048243715388e0627c7d58b2c0bace43
SHA2568fe86c314757a64803245fec53ef165d3513bec666bf94f498fc2eacb8c5c620
SHA512a27eb03b11dfd8c44a6852ddbc27d0de5bd062e080d81be9902cf151977630f4fb9a25b68430df21afc35477f43093b752e9563c7f30ea8cb217eca03a102ef3
-
Filesize
207KB
MD55cfe2fabee79270106ebf0c0a9cff3cf
SHA1a0dc3dbda456f05fe2a87bbfd0300c2a8108d4c5
SHA256289a0d3cdbe55f47a79bc93516902b4f777faed4a4956d139559c50852e86542
SHA5122dcf65eba28328f180d482f00ef6676e33324c0f251d3a4c62c7d764eb8bde4ad03e50f2a9a14ebfa4a8c79b6821e9e355050279aeeb4152ab1bcaf4b0d7bfbe