Analysis
-
max time kernel: 43s
max time network: 39s
platform: windows11-21h2_x64
resource: win11-20241023-en
resource tags: arch:x64, arch:x86, image:win11-20241023-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 02-02-2025 18:17
Behavioral task
behavioral1
Sample
adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe
Resource
win11-20241023-en
General
-
Target
adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe
-
Size
760KB
-
MD5
79549e64dc118988e997a209ef99567d
-
SHA1
48948a955e0266ac2d5fb7c61e3f48aca97a829c
-
SHA256
adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43
-
SHA512
3c58de1340c4a68509cc5c72b6eddc91ffca7d0d0038363632bd6abd51a165452e0a1d2bf0ecbffa0a1ec4e0e9a2f421deaae681f81373917d9dee72c283e4ea
-
SSDEEP
12288:WMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9KmKj:WnsJ39LyjbJkQFMhmC+6GD9c
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Xred family
-
Modifies Windows Firewall 2 TTPs 8 IoCs
pid | Process
4468 | netsh.exe
2156 | netsh.exe
2628 | netsh.exe
4128 | netsh.exe
5032 | netsh.exe
3408 | netsh.exe
1576 | netsh.exe
3220 | netsh.exe
-
Executes dropped EXE 3 IoCs
pid | Process
3840 | ._cache_adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe
3240 | Synaptics.exe
3808 | ._cache_Synaptics.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe
-
Command and Scripting Interpreter: PowerShell 8 IoCs
pid | Process
4204 | powershell.exe
3084 | powershell.exe
2672 | powershell.exe
3608 | powershell.exe
3788 | powershell.exe
2260 | powershell.exe
1100 | powershell.exe
1976 | powershell.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 24 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Synaptics.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DllHost.exe
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
1564 | PING.EXE
3360 | PING.EXE
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
-
Modifies Internet Explorer settings 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Toolbar | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | explorer.exe
-
Modifies registry class 43 IoCs
description | ioc | Process
Set value (data) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | taskmgr.exe
Key created | \Registry\User\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\NotificationData | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | taskmgr.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings | control.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f706806ee260aa0d7449371beb064c986830000 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\ShowCmd = "1" | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings | taskmgr.exe
Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | taskmgr.exe
Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 | taskmgr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Synaptics.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | taskmgr.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "287309825" | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 1e00718000000000000000000000e1a40ed25739d211a40b0c50205241530000 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0" | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 0c0001008421de39050000000000 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | taskmgr.exe
-
Runs ping.exe 1 TTPs 2 IoCs
pid | Process
1564 | PING.EXE
3360 | PING.EXE
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
968 | EXCEL.EXE
384 | explorer.exe
-
Suspicious behavior: EnumeratesProcesses 58 IoCs
pid | Process | entries
3788 | powershell.exe | ×2
2260 | powershell.exe | ×2
1100 | powershell.exe | ×2
1976 | powershell.exe | ×2
4204 | powershell.exe | ×3
3084 | powershell.exe | ×3
2672 | powershell.exe | ×3
3608 | powershell.exe | ×3
2628 | taskmgr.exe | ×38
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3788 | powershell.exe
Token: SeDebugPrivilege | 2260 | powershell.exe
Token: SeDebugPrivilege | 1100 | powershell.exe
Token: SeDebugPrivilege | 1976 | powershell.exe
Token: SeDebugPrivilege | 4204 | powershell.exe
Token: SeDebugPrivilege | 3084 | powershell.exe
Token: SeDebugPrivilege | 2672 | powershell.exe
Token: SeDebugPrivilege | 3608 | powershell.exe
Token: SeShutdownPrivilege | 5084 | control.exe
Token: SeCreatePagefilePrivilege | 5084 | control.exe
Token: SeDebugPrivilege | 2628 | taskmgr.exe
Token: SeSystemProfilePrivilege | 2628 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 2628 | taskmgr.exe
-
Suspicious use of FindShellTrayWindow 51 IoCs
pid | Process | entries
384 | explorer.exe | ×1
2628 | taskmgr.exe | ×50
-
Suspicious use of SendNotifyMessage 50 IoCs
pid | Process | entries
2628 | taskmgr.exe | ×50
-
Suspicious use of SetWindowsHookEx 8 IoCs
pid | Process | entries
968 | EXCEL.EXE | ×8
-
Suspicious use of WriteProcessMemory 49 IoCs
description | pid | Process | procid_target | entries
PID 2916 wrote to memory of 3840 | 2916 | adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe | 77 | ×2
PID 3840 wrote to memory of 3788 | 3840 | ._cache_adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe | 78 | ×2
PID 2916 wrote to memory of 3240 | 2916 | adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe | 80 | ×3
PID 3788 wrote to memory of 2628 | 3788 | powershell.exe | 81 | ×2
PID 3240 wrote to memory of 3808 | 3240 | Synaptics.exe | 82 | ×2
PID 3808 wrote to memory of 2260 | 3808 | ._cache_Synaptics.exe | 101 | ×2
PID 2260 wrote to memory of 4128 | 2260 | powershell.exe | 87 | ×2
PID 3840 wrote to memory of 1100 | 3840 | ._cache_adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe | 110 | ×2
PID 3808 wrote to memory of 1976 | 3808 | ._cache_Synaptics.exe | 90 | ×2
PID 1100 wrote to memory of 5032 | 1100 | powershell.exe | 92 | ×2
PID 1976 wrote to memory of 3408 | 1976 | powershell.exe | 93 | ×2
PID 3808 wrote to memory of 4204 | 3808 | ._cache_Synaptics.exe | 94 | ×2
PID 3840 wrote to memory of 3084 | 3840 | ._cache_adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe | 96 | ×2
PID 4204 wrote to memory of 1576 | 4204 | powershell.exe | 98 | ×2
PID 3084 wrote to memory of 3220 | 3084 | powershell.exe | 99 | ×2
PID 3840 wrote to memory of 2672 | 3840 | ._cache_adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe | 100 | ×2
PID 2672 wrote to memory of 4468 | 2672 | powershell.exe | 102 | ×2
PID 3840 wrote to memory of 4108 | 3840 | ._cache_adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe | 103 | ×2
PID 3808 wrote to memory of 3608 | 3808 | ._cache_Synaptics.exe | 105 | ×2
PID 4108 wrote to memory of 1564 | 4108 | cmd.exe | 107 | ×2
PID 3608 wrote to memory of 2156 | 3608 | powershell.exe | 108 | ×2
PID 3808 wrote to memory of 2244 | 3808 | ._cache_Synaptics.exe | 112 | ×2
PID 2244 wrote to memory of 3360 | 2244 | cmd.exe | 114 | ×2
PID 384 wrote to memory of 2628 | 384 | explorer.exe | 117 | ×2
Processes
-
C:\Users\Admin\AppData\Local\Temp\adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe (tree level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Users\Admin\AppData\Local\Temp\._cache_adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe (tree level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3840 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 3)
Command line: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=in program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe'"
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3788 -
C:\Windows\system32\netsh.exe (tree level 4)
Command line: "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=in "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe"
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2628
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 3)
Command line: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=out program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe'"
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\system32\netsh.exe (tree level 4)
Command line: "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=out "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe"
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5032
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 3)
Command line: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='SSTP(Secure Socket Trade Protocol)(SSTF-IN) Inbound' dir=in action=allow program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe' enable=yes profile=private,public"
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3084 -
C:\Windows\system32\netsh.exe (tree level 4)
Command line: "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=SSTP(Secure Socket Trade Protocol)(SSTF-IN) Inbound" dir=in action=allow "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe" enable=yes profile=private,public
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3220
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 3)
Command line: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='SSTP(Secure Socket Trade Protocol)(SSTF-IN) Outbound' dir=out action=allow program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe' enable=yes profile=private,public"
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\System32\Conhost.exe (tree level 4)
Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
PID:2260
-
-
C:\Windows\system32\netsh.exe (tree level 4)
Command line: "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=SSTP(Secure Socket Trade Protocol)(SSTF-IN) Outbound" dir=out action=allow "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe" enable=yes profile=private,public
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4468
-
-
-
C:\Windows\system32\cmd.exe (tree level 3)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp84FF.tmp.bat""
- Suspicious use of WriteProcessMemory
PID:4108 -
C:\Windows\system32\PING.EXE (tree level 4)
Command line: ping 127.0.0.1 -n 2
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1564
-
-
-
-
C:\ProgramData\Synaptics\Synaptics.exe (tree level 2)
Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3240 -
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe (tree level 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3808 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 4)
Command line: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=in program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe'"
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\system32\netsh.exe (tree level 5)
Command line: "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=in "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe"
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4128
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 4)
Command line: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=out program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe'"
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\system32\netsh.exe (tree level 5)
Command line: "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=out "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe"
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3408
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 4)
Command line: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='SSTP(Secure Socket Trade Protocol)(SSTF-IN) Inbound' dir=in action=allow program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe' enable=yes profile=private,public"
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4204 -
C:\Windows\system32\netsh.exe (tree level 5)
Command line: "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=SSTP(Secure Socket Trade Protocol)(SSTF-IN) Inbound" dir=in action=allow "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe" enable=yes profile=private,public
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1576
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (tree level 4)
Command line: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='SSTP(Secure Socket Trade Protocol)(SSTF-IN) Outbound' dir=out action=allow program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe' enable=yes profile=private,public"
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3608 -
C:\Windows\system32\netsh.exe (tree level 5)
Command line: "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=SSTP(Secure Socket Trade Protocol)(SSTF-IN) Outbound" dir=out action=allow "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe" enable=yes profile=private,public
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2156
-
-
-
C:\Windows\system32\cmd.exe (tree level 4)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp87FC.tmp.bat""
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\system32\PING.EXE (tree level 5)
Command line: ping 127.0.0.1 -n 2
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3360
-
-
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (tree level 1)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:968
-
C:\Windows\system32\control.exe (tree level 1)
Command line: "C:\Windows\system32\control.exe" /name Microsoft.AdministrativeTools
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5084
-
C:\Windows\SysWOW64\DllHost.exe (tree level 1)
Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
- System Location Discovery: System Language Discovery
PID:1100
-
C:\Windows\explorer.exe (tree level 1)
Command line: C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:384 -
C:\Windows\system32\taskmgr.exe (tree level 2)
Command line: "C:\Windows\system32\taskmgr.exe" /7
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2628
-
-
C:\Windows\System32\rundll32.exe (tree level 1)
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:4268
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (2)
Downloads
-
Filesize: 760KB
MD5: 79549e64dc118988e997a209ef99567d
SHA1: 48948a955e0266ac2d5fb7c61e3f48aca97a829c
SHA256: adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43
SHA512: 3c58de1340c4a68509cc5c72b6eddc91ffca7d0d0038363632bd6abd51a165452e0a1d2bf0ecbffa0a1ec4e0e9a2f421deaae681f81373917d9dee72c283e4ea
-
Filesize: 2KB
MD5: 627073ee3ca9676911bee35548eff2b8
SHA1: 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
Filesize: 64B
MD5: 0384058137c9cab33ce6ceb677fd200c
SHA1: b33f68bc26ba8b74c8c8b43cefdba3776f9e3c95
SHA256: 961f8955d148572052738e9eaca16b818dc43d971446c6e70bf554f91ce5d034
SHA512: ef2b43e095a5d18ba1b0d034a8038ead8c371a65c3a92e03fd714cefa05f9a4978ec1bdad0a10389d79934ac441ce06202846276ff47ac3412333f2ea205755d
-
Filesize: 64B
MD5: 446dd1cf97eaba21cf14d03aebc79f27
SHA1: 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256: a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512: a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
C:\Users\Admin\AppData\Local\Temp\._cache_adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe
Filesize: 7KB
MD5: 4f335528745cc617396c5c7107e84dff
SHA1: e90b4e0e888c43dde82662df49c7c054207a2961
SHA256: 50e64c6fb2a0fb6898a792d192c35b3f43996c6dea24d5f94c0e90e2be238671
SHA512: 0bb11a0577108a13ebd98323ea094d05205a07686ab355e9c6bf8976398be0a327306206c64a4d41109fbf2f47f8af0925a605023ea308109d7c80540129138c
-
Filesize: 21KB
MD5: c37874b2232541a896d57e02b9a8c984
SHA1: 95a259bc122bc25886e63b138caa28eecdbf00a1
SHA256: 4faf85aff5ff77fbfbcf957ceadb6da9a45023e46bc4f5558d09bf09872cfccc
SHA512: 2dc4fe94df5197b95f0185587d568c6157061f69de3b99a67eab113da08cae102d421584f5bd21a6ed6c624ef38c6df23670e04795f7106915f28e64afd5da1a
-
Filesize: 17KB
MD5: e566fc53051035e1e6fd0ed1823de0f9
SHA1: 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256: 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512: a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 213B
MD5: a5adee0e51dca1359bb4013e967cbcda
SHA1: 1b6316ceceb3e5db574984bc42cca03ab1bd13b2
SHA256: 08fc38691fe411b468d0df5f289ee88a62129eb3d82dbd17a29cce901b5c48eb
SHA512: b70f5b60f5d341593dd4238ae5141cf6de47b159b6b82144a012d9af5cc84e87baeec8786ed872b77f5b8317942e640cb163273b4226ad846ac3b3c7e2d17d08
-
Filesize: 158B
MD5: f5b7d73f09d210ec9a00c6a92807fb31
SHA1: a7de5a3f5189103d94072b333e5c2076d2c9c4ac
SHA256: c2d463b7aea30c6691ee3d207cbe81c77ea414ab527f1b1016bac46cf69dccee
SHA512: e55958ed63c5ec7a35a5f758fafe09afed32f21a2becae1dbc71e7930062f04bfe52700e977c9c9a13ee4a804afb49be7620ecd6a22a025fac64a051248066bd