xred | 026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2025 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
Size

1.0MB
MD5

bed8e067a2554b876daa76c61af143bd
SHA1

eb17ee360e17beee03c10b09f774a478bafb49fa
SHA256

026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd
SHA512

cd8b16aee1d375f6ebc1c8c1f77830ec6e7b8d2fae168da6938b64791a81750c533a4ca5138c05a42a47144e7f2141a2adbd37276bb5fe6b8b567ef21830fc98
SSDEEP

24576:6nsJ39LyjbJkQFMhmC+6GD9GFOasRUjXfYr:6nsHyjtk2MYC5GDMaqXAr

Score

10^/10

xred backdoor defense_evasion discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 12 IoCs

pid	Process
4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
4592	Synaptics.exe
3152	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
3468	icsys.icn.exe
4844	explorer.exe
1056	._cache_Synaptics.exe
2860	spoolsv.exe
1760	svchost.exe
2880	spoolsv.exe
1112	._cache_synaptics.exe
4872	icsys.icn.exe
1384	explorer.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3288	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
3468	icsys.icn.exe
3468	icsys.icn.exe
3468	icsys.icn.exe
3468	icsys.icn.exe
3468	icsys.icn.exe
3468	icsys.icn.exe
3468	icsys.icn.exe
3468	icsys.icn.exe
3468	icsys.icn.exe
3468	icsys.icn.exe
3468	icsys.icn.exe
3468	icsys.icn.exe
3468	icsys.icn.exe
3468	icsys.icn.exe
3468	icsys.icn.exe
3468	icsys.icn.exe
3468	icsys.icn.exe
3468	icsys.icn.exe
3468	icsys.icn.exe
3468	icsys.icn.exe
3468	icsys.icn.exe
3468	icsys.icn.exe
3468	icsys.icn.exe
3468	icsys.icn.exe
3468	icsys.icn.exe
3468	icsys.icn.exe
3468	icsys.icn.exe
3468	icsys.icn.exe
3468	icsys.icn.exe
3468	icsys.icn.exe
3468	icsys.icn.exe
3468	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4844	explorer.exe
1760	svchost.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
3468	icsys.icn.exe
3468	icsys.icn.exe
4844	explorer.exe
4844	explorer.exe
1056	._cache_Synaptics.exe
2860	spoolsv.exe
1056	._cache_Synaptics.exe
2860	spoolsv.exe
1760	svchost.exe
1760	svchost.exe
2880	spoolsv.exe
2880	spoolsv.exe
3288	EXCEL.EXE
3288	EXCEL.EXE
4872	icsys.icn.exe
4872	icsys.icn.exe
1384	explorer.exe
1384	explorer.exe
3288	EXCEL.EXE
3288	EXCEL.EXE
3288	EXCEL.EXE
3288	EXCEL.EXE
3288	EXCEL.EXE
3288	EXCEL.EXE

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 4292	3996	026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe	82
PID 3996 wrote to memory of 4292	3996	026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe	82
PID 3996 wrote to memory of 4292	3996	026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe	82
PID 3996 wrote to memory of 4592	3996	026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe	83
PID 3996 wrote to memory of 4592	3996	026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe	83
PID 3996 wrote to memory of 4592	3996	026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe	83
PID 4292 wrote to memory of 3152	4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe	84
PID 4292 wrote to memory of 3152	4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe	84
PID 4292 wrote to memory of 3152	4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe	84
PID 4292 wrote to memory of 3468	4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe	85
PID 4292 wrote to memory of 3468	4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe	85
PID 4292 wrote to memory of 3468	4292	._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe	85
PID 3468 wrote to memory of 4844	3468	icsys.icn.exe	86
PID 3468 wrote to memory of 4844	3468	icsys.icn.exe	86
PID 3468 wrote to memory of 4844	3468	icsys.icn.exe	86
PID 4592 wrote to memory of 1056	4592	Synaptics.exe	87
PID 4592 wrote to memory of 1056	4592	Synaptics.exe	87
PID 4592 wrote to memory of 1056	4592	Synaptics.exe	87
PID 4844 wrote to memory of 2860	4844	explorer.exe	88
PID 4844 wrote to memory of 2860	4844	explorer.exe	88
PID 4844 wrote to memory of 2860	4844	explorer.exe	88
PID 2860 wrote to memory of 1760	2860	spoolsv.exe	90
PID 2860 wrote to memory of 1760	2860	spoolsv.exe	90
PID 2860 wrote to memory of 1760	2860	spoolsv.exe	90
PID 1760 wrote to memory of 2880	1760	svchost.exe	91
PID 1760 wrote to memory of 2880	1760	svchost.exe	91
PID 1760 wrote to memory of 2880	1760	svchost.exe	91
PID 1056 wrote to memory of 1112	1056	._cache_Synaptics.exe	92
PID 1056 wrote to memory of 1112	1056	._cache_Synaptics.exe	92
PID 1056 wrote to memory of 1112	1056	._cache_Synaptics.exe	92
PID 1056 wrote to memory of 4872	1056	._cache_Synaptics.exe	93
PID 1056 wrote to memory of 4872	1056	._cache_Synaptics.exe	93
PID 1056 wrote to memory of 4872	1056	._cache_Synaptics.exe	93
PID 4872 wrote to memory of 1384	4872	icsys.icn.exe	95
PID 4872 wrote to memory of 1384	4872	icsys.icn.exe	95
PID 4872 wrote to memory of 1384	4872	icsys.icn.exe	95

C:\Users\Admin\AppData\Local\Temp\026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
"C:\Users\Admin\AppData\Local\Temp\026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Users\Admin\AppData\Local\Temp\._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4292
- - \??\c:\users\admin\appdata\local\temp\._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
    c:\users\admin\appdata\local\temp\._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3152
- - C:\Windows\Resources\Themes\icsys.icn.exe
    C:\Windows\Resources\Themes\icsys.icn.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3468
  - - \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4844
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2860
      - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        6⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2880
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1056
  - - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
      c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1112
  - - C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4872
    - - \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1384

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.0MB

MD5
bed8e067a2554b876daa76c61af143bd

SHA1
eb17ee360e17beee03c10b09f774a478bafb49fa

SHA256
026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd

SHA512
cd8b16aee1d375f6ebc1c8c1f77830ec6e7b8d2fae168da6938b64791a81750c533a4ca5138c05a42a47144e7f2141a2adbd37276bb5fe6b8b567ef21830fc98

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe

Filesize
283KB

MD5
6e825f028af5e0e83ef8bc8a95263ea4

SHA1
703851f68eb8cbd301089cb1f1cfcc9dd0b24881

SHA256
3cebb99d2422d6efd579e4db9d11e9572a3380b8ecd6a73529d6f21a593b6b05

SHA512
82d9c62602080f6e8b836b333552df9acd5b8f2e0db2e3304d90fc91b5939202e631a24c34740f4f86a9312c452e5ba2c7ce8c0a4a09c61375f0ae59793b5526

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_026d9e117eabe72d021e7696a453b3da4bc68d255f70468e79c8cb9de73875dd.exe

Filesize
148KB

MD5
8e84aa749ac62d5dceb600cec8d86c96

SHA1
3a224340c4e361b2383e96ad86f2d515f40f7d8f

SHA256
fcfaa10af53eebef4a986b002006a7acf7af9c2465caed7e37edab9626bcfc4d

SHA512
8cda75b9954ffc3df9f0b9f00b943372a6be5637603ef392959439f0509662832b7ff73aea5cac1afaa2d76281b23f85c5d2a99d6e92f8c1fe9253598a8dbf1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8yUmANWG.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\C5A75E00

Filesize
26KB

MD5
53f334a83c90aaa0f111819c4a9c2123

SHA1
b3de05232f4aada804cff39688b08dd3f1a18750

SHA256
4c018d14a911bac779f56bfe658db9b2cba08c4b630d4a8670f9120f5a91f5cd

SHA512
2dc086bec086bdbc0e19ebbf1772d3d2cbde02579c1bfe3aec859699979284ae0a62b69f4bbddada9d805fe8812acf2460d63d2e67f04e221bc323dd1552406f

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
4921c43d4cd81beca47f03baa94a2133

SHA1
3c7bf9f8e382e32ef4cf6a53ad9b5e80e0985c18

SHA256
246d895ebcc640affd36f8e2cbbebc273994a461eb81c2e9da995cf8af4c27d4

SHA512
a5baa727fe03bf11aac6d90d341b3d5c4b1c64afd3b8c5af0a454d573058ec0489943874c32eb668e04f0f03ffb8437932fc399ce36600435e353771f3080542

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
eba7be3c0b7c0223fc8d3acfb6bd6969

SHA1
fe643cdf74859648995614b37e4c4f667448cce8

SHA256
ba902294f2946d7172b7e5ec95b0cf7cfc30b6b7df330fc90b506c2efdc2c907

SHA512
730f078a3b77c79302de1fb050cd8f4ccd0a0e6821892d562dcabef0f4a21c529083316e526456064b6960985ce013402bd9c86be6a37c48a91651adb65c5c14

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
135KB

MD5
2e84863bfa202540c19f5540965c1e96

SHA1
6a8169431251c44646274e98f89b33158e11f823

SHA256
5fb6d7f54ca7b28c6d86b994a01c94e519f26335907567edd8c2ade5da11272e

SHA512
d1f38802eaec61566abea06bb3f5d56ec335640c193733f98a1a5c65d321528b95cba8c814d8b0fc236f6b11d3ebe69858dbf6c055d270372e206e2aec8e3b5d

Download Submit
\??\c:\windows\resources\themes\explorer.exe

Filesize
135KB

MD5
6a303371afca36174b5617fe0598717b

SHA1
aad25d1e8b9c5144b380fdbf0c958e60c471d51f

SHA256
6cdafa0ea785c0faadf10a3abd9ccb037facac52e0c365b65f96688db86c05ae

SHA512
0a93c1d0d8bd780e81fb04418a84b7893aa8bd121be1a242b3cc36ceadb6c45644fb2e9c0f43d97005d466643a75e47b9cf8f08c9d4fc1c5e6313df0c53e5b7c

Download Submit
memory/1056-262-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1384-260-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1760-343-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2860-247-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2880-242-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2880-244-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3288-237-0x00007FFAE8730000-0x00007FFAE8740000-memory.dmp

Filesize
64KB

Download
memory/3288-232-0x00007FFAE8730000-0x00007FFAE8740000-memory.dmp

Filesize
64KB

Download
memory/3288-236-0x00007FFAE8730000-0x00007FFAE8740000-memory.dmp

Filesize
64KB

Download
memory/3288-234-0x00007FFAE8730000-0x00007FFAE8740000-memory.dmp

Filesize
64KB

Download
memory/3288-243-0x00007FFAE6360000-0x00007FFAE6370000-memory.dmp

Filesize
64KB

Download
memory/3288-233-0x00007FFAE8730000-0x00007FFAE8740000-memory.dmp

Filesize
64KB

Download
memory/3288-251-0x00007FFAE6360000-0x00007FFAE6370000-memory.dmp

Filesize
64KB

Download
memory/3468-249-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3468-192-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3996-0-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/3996-132-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download
memory/4292-250-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4292-60-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4592-137-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/4592-309-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/4592-310-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download
memory/4592-341-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download
memory/4844-342-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4872-261-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download