xred | 026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-01-2025 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
Size

1.0MB
MD5

bed8e067a2554b876daa76c61af143bd
SHA1

eb17ee360e17beee03c10b09f774a478bafb49fa
SHA256

026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd
SHA512

cd8b16aee1d375f6ebc1c8c1f77830ec6e7b8d2fae168da6938b64791a81750c533a4ca5138c05a42a47144e7f2141a2adbd37276bb5fe6b8b567ef21830fc98
SSDEEP

24576:6nsJ39LyjbJkQFMhmC+6GD9GFOasRUjXfYr:6nsHyjtk2MYC5GDMaqXAr

Score

10^/10

xred backdoor defense_evasion discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 11 IoCs

pid	Process
1280	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
2396	Synaptics.exe
2852	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
2620	icsys.icn.exe
2736	._cache_Synaptics.exe
2784	explorer.exe
2624	._cache_synaptics.exe
3052	spoolsv.exe
2484	icsys.icn.exe
1880	svchost.exe
2152	spoolsv.exe

Loads dropped DLL 13 IoCs

pid	Process
1704	026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
1704	026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
1704	026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
1280	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
1280	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
2396	Synaptics.exe
2396	Synaptics.exe
2620	icsys.icn.exe
2736	._cache_Synaptics.exe
2784	explorer.exe
2736	._cache_Synaptics.exe
3052	spoolsv.exe
1880	svchost.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2280	schtasks.exe
2684	schtasks.exe
2116	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
404	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1280	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
1280	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
1280	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
1280	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
1280	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
1280	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
1280	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
1280	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
1280	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
1280	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
1280	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
1280	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
1280	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
1280	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
1280	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
1280	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
2620	icsys.icn.exe
2620	icsys.icn.exe
2620	icsys.icn.exe
2620	icsys.icn.exe
2620	icsys.icn.exe
2620	icsys.icn.exe
2620	icsys.icn.exe
2620	icsys.icn.exe
2620	icsys.icn.exe
2620	icsys.icn.exe
2620	icsys.icn.exe
2620	icsys.icn.exe
2620	icsys.icn.exe
2620	icsys.icn.exe
2620	icsys.icn.exe
2620	icsys.icn.exe
2620	icsys.icn.exe
2736	._cache_Synaptics.exe
2736	._cache_Synaptics.exe
2736	._cache_Synaptics.exe
2736	._cache_Synaptics.exe
2736	._cache_Synaptics.exe
2736	._cache_Synaptics.exe
2736	._cache_Synaptics.exe
2736	._cache_Synaptics.exe
2736	._cache_Synaptics.exe
2736	._cache_Synaptics.exe
2736	._cache_Synaptics.exe
2736	._cache_Synaptics.exe
2736	._cache_Synaptics.exe
2736	._cache_Synaptics.exe
2736	._cache_Synaptics.exe
2736	._cache_Synaptics.exe
2784	explorer.exe
2784	explorer.exe
2784	explorer.exe
2784	explorer.exe
2784	explorer.exe
2784	explorer.exe
2784	explorer.exe
2784	explorer.exe
2784	explorer.exe
2784	explorer.exe
2784	explorer.exe
2784	explorer.exe
2784	explorer.exe
2784	explorer.exe
2784	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2784	explorer.exe
1880	svchost.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
1280	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
1280	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
2620	icsys.icn.exe
2620	icsys.icn.exe
2736	._cache_Synaptics.exe
2736	._cache_Synaptics.exe
2784	explorer.exe
2784	explorer.exe
3052	spoolsv.exe
3052	spoolsv.exe
2484	icsys.icn.exe
2484	icsys.icn.exe
1880	svchost.exe
1880	svchost.exe
2152	spoolsv.exe
2152	spoolsv.exe
404	EXCEL.EXE

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 1280	1704	026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe	30
PID 1704 wrote to memory of 1280	1704	026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe	30
PID 1704 wrote to memory of 1280	1704	026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe	30
PID 1704 wrote to memory of 1280	1704	026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe	30
PID 1704 wrote to memory of 2396	1704	026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe	31
PID 1704 wrote to memory of 2396	1704	026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe	31
PID 1704 wrote to memory of 2396	1704	026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe	31
PID 1704 wrote to memory of 2396	1704	026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe	31
PID 1280 wrote to memory of 2852	1280	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe	32
PID 1280 wrote to memory of 2852	1280	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe	32
PID 1280 wrote to memory of 2852	1280	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe	32
PID 1280 wrote to memory of 2852	1280	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe	32
PID 1280 wrote to memory of 2620	1280	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe	33
PID 1280 wrote to memory of 2620	1280	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe	33
PID 1280 wrote to memory of 2620	1280	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe	33
PID 1280 wrote to memory of 2620	1280	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe	33
PID 2396 wrote to memory of 2736	2396	Synaptics.exe	34
PID 2396 wrote to memory of 2736	2396	Synaptics.exe	34
PID 2396 wrote to memory of 2736	2396	Synaptics.exe	34
PID 2396 wrote to memory of 2736	2396	Synaptics.exe	34
PID 2620 wrote to memory of 2784	2620	icsys.icn.exe	35
PID 2620 wrote to memory of 2784	2620	icsys.icn.exe	35
PID 2620 wrote to memory of 2784	2620	icsys.icn.exe	35
PID 2620 wrote to memory of 2784	2620	icsys.icn.exe	35
PID 2736 wrote to memory of 2624	2736	._cache_Synaptics.exe	36
PID 2736 wrote to memory of 2624	2736	._cache_Synaptics.exe	36
PID 2736 wrote to memory of 2624	2736	._cache_Synaptics.exe	36
PID 2736 wrote to memory of 2624	2736	._cache_Synaptics.exe	36
PID 2784 wrote to memory of 3052	2784	explorer.exe	37
PID 2784 wrote to memory of 3052	2784	explorer.exe	37
PID 2784 wrote to memory of 3052	2784	explorer.exe	37
PID 2784 wrote to memory of 3052	2784	explorer.exe	37
PID 2736 wrote to memory of 2484	2736	._cache_Synaptics.exe	38
PID 2736 wrote to memory of 2484	2736	._cache_Synaptics.exe	38
PID 2736 wrote to memory of 2484	2736	._cache_Synaptics.exe	38
PID 2736 wrote to memory of 2484	2736	._cache_Synaptics.exe	38
PID 3052 wrote to memory of 1880	3052	spoolsv.exe	39
PID 3052 wrote to memory of 1880	3052	spoolsv.exe	39
PID 3052 wrote to memory of 1880	3052	spoolsv.exe	39
PID 3052 wrote to memory of 1880	3052	spoolsv.exe	39
PID 1880 wrote to memory of 2152	1880	svchost.exe	40
PID 1880 wrote to memory of 2152	1880	svchost.exe	40
PID 1880 wrote to memory of 2152	1880	svchost.exe	40
PID 1880 wrote to memory of 2152	1880	svchost.exe	40
PID 2784 wrote to memory of 2720	2784	explorer.exe	41
PID 2784 wrote to memory of 2720	2784	explorer.exe	41
PID 2784 wrote to memory of 2720	2784	explorer.exe	41
PID 2784 wrote to memory of 2720	2784	explorer.exe	41
PID 1880 wrote to memory of 2280	1880	svchost.exe	42
PID 1880 wrote to memory of 2280	1880	svchost.exe	42
PID 1880 wrote to memory of 2280	1880	svchost.exe	42
PID 1880 wrote to memory of 2280	1880	svchost.exe	42
PID 1880 wrote to memory of 2684	1880	svchost.exe	49
PID 1880 wrote to memory of 2684	1880	svchost.exe	49
PID 1880 wrote to memory of 2684	1880	svchost.exe	49
PID 1880 wrote to memory of 2684	1880	svchost.exe	49
PID 1880 wrote to memory of 2116	1880	svchost.exe	51
PID 1880 wrote to memory of 2116	1880	svchost.exe	51
PID 1880 wrote to memory of 2116	1880	svchost.exe	51
PID 1880 wrote to memory of 2116	1880	svchost.exe	51

C:\Users\Admin\AppData\Local\Temp\026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
"C:\Users\Admin\AppData\Local\Temp\026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\Temp\._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1280
- - \??\c:\users\admin\appdata\local\temp\._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
    c:\users\admin\appdata\local\temp\._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2852
- - C:\Windows\Resources\Themes\icsys.icn.exe
    C:\Windows\Resources\Themes\icsys.icn.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2784
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3052
      - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        6⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2152
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:14 /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2280
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:15 /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2684
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 19:16 /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2116
    - - C:\Windows\Explorer.exe
        
        C:\Windows\Explorer.exe
        5⤵
        
        PID:2720
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
      c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2624
  - - C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2484

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.0MB

MD5
bed8e067a2554b876daa76c61af143bd

SHA1
eb17ee360e17beee03c10b09f774a478bafb49fa

SHA256
026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd

SHA512
cd8b16aee1d375f6ebc1c8c1f77830ec6e7b8d2fae168da6938b64791a81750c533a4ca5138c05a42a47144e7f2141a2adbd37276bb5fe6b8b567ef21830fc98

Download Submit
C:\Users\Admin\AppData\Local\Temp\i3W4hneF.xlsm

Filesize
21KB

MD5
1d26012ccace605655ba32bc9300a2b5

SHA1
86f0267cd53604a4d95e142b24db2f5a250d220e

SHA256
e2a02fc408f0283e9c8c51a510ed80daf6b8ae825409668d7c8030d9fb48718f

SHA512
023293b5d2163ac4ef997a8a4a5e1a3e4efcedc80d61813dc8f37ddef6846dffd218db360e7542154e67b6ee052a05b5017ead605eeb8108e3b310062150f339

Download Submit
C:\Users\Admin\AppData\Local\Temp\i3W4hneF.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\i3W4hneF.xlsm

Filesize
25KB

MD5
000c3840bcfd70b893ff5227675496d5

SHA1
968f4c4578c18e4b712f56e78cbe424abcc1223e

SHA256
e9eee5c38420c1a7b50d7d800db33cf0d45fc9dde34978438bb9b34ae3d88a64

SHA512
bd6608cf75a373060580641a4bc0262e330a627bef5f4aedbe64068bed5593bc1ef4c90059a78233359efa8e6329c40f851208a5592fe7bc7903e300c531c736

Download Submit
C:\Users\Admin\AppData\Local\Temp\i3W4hneF.xlsm

Filesize
23KB

MD5
2774307dd14f13302225259e66caa42a

SHA1
993e08c3f08a0822fc55ceb334f09bb01fe4c146

SHA256
876aa01dca0fad4a94977b8519d04be92e8c544c5db116f4ff7efba409e1c727

SHA512
8fb25970289266170edf6582596e216d6a9cf219008d7905d9695e58ac7ad3a6b0f7b69455a5387907f99cf35a67fd40630dad96e4db4fa049b684970f47448a

Download Submit
C:\Users\Admin\AppData\Local\Temp\i3W4hneF.xlsm

Filesize
21KB

MD5
274b5b60332866bc4935a7f405e85bb0

SHA1
3d0f6baddd7b0c251a0d293ad5eac589c86c21bd

SHA256
5e7b76880fc99c19c9128c9c26d1cbe493c4a150f852ea325410fc3e1912aa63

SHA512
84bfe8636541a8f182b5bc46ec3a072291096584814e16a98435305d3363b32ad8f5a39fade065572b21ee4e1db96517fbf4d4792ea67a7f9144edfe6fe43318

Download Submit
C:\Users\Admin\AppData\Local\Temp\i3W4hneF.xlsm

Filesize
26KB

MD5
6c8e6bd12324e387a55651266655bcc8

SHA1
07718701054a2d40a994234d57c9bc9473fb2175

SHA256
423f90c732cb7654be00919822e49ae7e63c1641264d7387b0c26c45a9220e29

SHA512
2e32d3fb6d925ff080b4b8b3524d309349f6a5d77ef6c6643b192f078de0e655f79e265d2fdba9e5d8d7aaecdf7bbe29ca50c9c169b0d2c2a9bf1501fccc3bca

Download Submit
C:\Users\Admin\Desktop\~$OpenBackup.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
6d56a3e47fe8d70244a97dab42962423

SHA1
cddc05c01a90cbd11cd4574936b0fe3c97151300

SHA256
00afb3d1379a31f2d8cef9d322f5c6a3c00d23038ef9ef6a08e3aeb033c54257

SHA512
50a057f6b128c6ea9c3454cd61d1742b888a94992f45a722b4a4681203b5feb61401d4eeb9a1c35620133849000c374b930b6c6b5e97a6ed0d3d39b400942df2

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe

Filesize
283KB

MD5
6e825f028af5e0e83ef8bc8a95263ea4

SHA1
703851f68eb8cbd301089cb1f1cfcc9dd0b24881

SHA256
3cebb99d2422d6efd579e4db9d11e9572a3380b8ecd6a73529d6f21a593b6b05

SHA512
82d9c62602080f6e8b836b333552df9acd5b8f2e0db2e3304d90fc91b5939202e631a24c34740f4f86a9312c452e5ba2c7ce8c0a4a09c61375f0ae59793b5526

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe

Filesize
148KB

MD5
8e84aa749ac62d5dceb600cec8d86c96

SHA1
3a224340c4e361b2383e96ad86f2d515f40f7d8f

SHA256
fcfaa10af53eebef4a986b002006a7acf7af9c2465caed7e37edab9626bcfc4d

SHA512
8cda75b9954ffc3df9f0b9f00b943372a6be5637603ef392959439f0509662832b7ff73aea5cac1afaa2d76281b23f85c5d2a99d6e92f8c1fe9253598a8dbf1a

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
4921c43d4cd81beca47f03baa94a2133

SHA1
3c7bf9f8e382e32ef4cf6a53ad9b5e80e0985c18

SHA256
246d895ebcc640affd36f8e2cbbebc273994a461eb81c2e9da995cf8af4c27d4

SHA512
a5baa727fe03bf11aac6d90d341b3d5c4b1c64afd3b8c5af0a454d573058ec0489943874c32eb668e04f0f03ffb8437932fc399ce36600435e353771f3080542

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
c02392bdce91c5970f84ad5a6f714b3e

SHA1
d8abb98800a97a763fe2c3ae614297a4b638e3d4

SHA256
2cfda771e4acccd6043058fbc8ea0b42d912b87c58fa8777dc6980794b732a88

SHA512
7a1d54a982c47793c4cbf0b13b7694dfc66e0370002fd102ec158dee54174968843410568af70eceb133a437f4685af3a4863824b6ac0ab656065ad98ca4ac82

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
3a96deceff2df5e3afbfb7b623603b7d

SHA1
229df7772fb4cf96362ec97cfff1b5822e7728b9

SHA256
36be6acf1134863274ff09a778ce1df442744fb8e226f0fb8a8a90bed5935f38

SHA512
09ebc50489a74fc7da4b13ffa046acaf5469be50ef708e744789c826244381d73f0340cb5b12125a2f278352b50d2818c80efd34d31945e578061b8198a1e0e3

Download Submit
memory/404-203-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/404-116-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1280-18-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1280-113-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1704-29-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download
memory/1704-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1704-6-0x0000000003F00000-0x0000000003F1F000-memory.dmp

Filesize
124KB

Download
memory/1880-106-0x0000000000370000-0x000000000038F000-memory.dmp

Filesize
124KB

Download
memory/1880-238-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2152-111-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2396-115-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download
memory/2396-49-0x0000000004030000-0x000000000404F000-memory.dmp

Filesize
124KB

Download
memory/2396-204-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download
memory/2396-205-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download
memory/2396-239-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download
memory/2484-101-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2620-114-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2620-66-0x00000000025E0000-0x00000000025FF000-memory.dmp

Filesize
124KB

Download
memory/2736-102-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2784-82-0x00000000002A0000-0x00000000002BF000-memory.dmp

Filesize
124KB

Download
memory/2784-211-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3052-112-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download