xred | 5d9f409feaadc0e3b7d36aa8c3987ca70104e172b65faf8ab252d57a7d3dc273

Analysis

max time kernel
141s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2025 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe
Size

760KB
MD5

79549e64dc118988e997a209ef99567d
SHA1

48948a955e0266ac2d5fb7c61e3f48aca97a829c
SHA256

adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43
SHA512

3c58de1340c4a68509cc5c72b6eddc91ffca7d0d0038363632bd6abd51a165452e0a1d2bf0ecbffa0a1ec4e0e9a2f421deaae681f81373917d9dee72c283e4ea
SSDEEP

12288:WMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9KmKj:WnsJ39LyjbJkQFMhmC+6GD9c

Score

10^/10

xred backdoor defense_evasion discovery execution persistence privilege_escalation

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Modifies Windows Firewall 2 TTPs 8 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2860	netsh.exe
3576	netsh.exe
1476	netsh.exe
5104	netsh.exe
4276	netsh.exe
684	netsh.exe
1124	netsh.exe
3664	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 3 IoCs

pid	Process
1324	._cache_adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe
1976	Synaptics.exe
1580	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4296	powershell.exe
2600	powershell.exe
4212	powershell.exe
5092	powershell.exe
4492	powershell.exe
1712	powershell.exe
3532	powershell.exe
5060	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 24 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1804	PING.EXE
3412	PING.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1804	PING.EXE
3412	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2084	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3532	powershell.exe
3532	powershell.exe
5060	powershell.exe
5060	powershell.exe
4296	powershell.exe
4296	powershell.exe
2600	powershell.exe
2600	powershell.exe
4212	powershell.exe
4212	powershell.exe
5092	powershell.exe
5092	powershell.exe
4492	powershell.exe
4492	powershell.exe
1712	powershell.exe
1712	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3532	powershell.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	4296	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	4212	powershell.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2084	EXCEL.EXE
2084	EXCEL.EXE
2084	EXCEL.EXE
2084	EXCEL.EXE
2084	EXCEL.EXE
2084	EXCEL.EXE
2084	EXCEL.EXE
2084	EXCEL.EXE

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 1324	5004	adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe	86
PID 5004 wrote to memory of 1324	5004	adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe	86
PID 1324 wrote to memory of 3532	1324	._cache_adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe	87
PID 1324 wrote to memory of 3532	1324	._cache_adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe	87
PID 5004 wrote to memory of 1976	5004	adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe	89
PID 5004 wrote to memory of 1976	5004	adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe	89
PID 5004 wrote to memory of 1976	5004	adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe	89
PID 3532 wrote to memory of 3576	3532	powershell.exe	90
PID 3532 wrote to memory of 3576	3532	powershell.exe	90
PID 1976 wrote to memory of 1580	1976	Synaptics.exe	91
PID 1976 wrote to memory of 1580	1976	Synaptics.exe	91
PID 1580 wrote to memory of 5060	1580	._cache_Synaptics.exe	92
PID 1580 wrote to memory of 5060	1580	._cache_Synaptics.exe	92
PID 5060 wrote to memory of 1476	5060	powershell.exe	95
PID 5060 wrote to memory of 1476	5060	powershell.exe	95
PID 1324 wrote to memory of 4296	1324	._cache_adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe	97
PID 1324 wrote to memory of 4296	1324	._cache_adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe	97
PID 1580 wrote to memory of 2600	1580	._cache_Synaptics.exe	99
PID 1580 wrote to memory of 2600	1580	._cache_Synaptics.exe	99
PID 4296 wrote to memory of 5104	4296	powershell.exe	101
PID 4296 wrote to memory of 5104	4296	powershell.exe	101
PID 2600 wrote to memory of 4276	2600	powershell.exe	102
PID 2600 wrote to memory of 4276	2600	powershell.exe	102
PID 1580 wrote to memory of 4212	1580	._cache_Synaptics.exe	103
PID 1580 wrote to memory of 4212	1580	._cache_Synaptics.exe	103
PID 4212 wrote to memory of 684	4212	powershell.exe	105
PID 4212 wrote to memory of 684	4212	powershell.exe	105
PID 1324 wrote to memory of 5092	1324	._cache_adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe	106
PID 1324 wrote to memory of 5092	1324	._cache_adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe	106
PID 5092 wrote to memory of 1124	5092	powershell.exe	108
PID 5092 wrote to memory of 1124	5092	powershell.exe	108
PID 1580 wrote to memory of 4492	1580	._cache_Synaptics.exe	109
PID 1580 wrote to memory of 4492	1580	._cache_Synaptics.exe	109
PID 4492 wrote to memory of 3664	4492	powershell.exe	111
PID 4492 wrote to memory of 3664	4492	powershell.exe	111
PID 1580 wrote to memory of 1048	1580	._cache_Synaptics.exe	112
PID 1580 wrote to memory of 1048	1580	._cache_Synaptics.exe	112
PID 1324 wrote to memory of 1712	1324	._cache_adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe	114
PID 1324 wrote to memory of 1712	1324	._cache_adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe	114
PID 1048 wrote to memory of 1804	1048	cmd.exe	116
PID 1048 wrote to memory of 1804	1048	cmd.exe	116
PID 1712 wrote to memory of 2860	1712	powershell.exe	117
PID 1712 wrote to memory of 2860	1712	powershell.exe	117
PID 1324 wrote to memory of 1784	1324	._cache_adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe	118
PID 1324 wrote to memory of 1784	1324	._cache_adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe	118
PID 1784 wrote to memory of 3412	1784	cmd.exe	120
PID 1784 wrote to memory of 3412	1784	cmd.exe	120

C:\Users\Admin\AppData\Local\Temp\adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe
"C:\Users\Admin\AppData\Local\Temp\adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Users\Admin\AppData\Local\Temp\._cache_adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=in program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3532
  - - C:\Windows\system32\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=in "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=out program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4296
  - - C:\Windows\system32\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=out "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:5104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='SSTP(Secure Socket Trade Protocol)(SSTF-IN) Inbound' dir=in action=allow program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe' enable=yes profile=private,public"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5092
  - - C:\Windows\system32\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=SSTP(Secure Socket Trade Protocol)(SSTF-IN) Inbound" dir=in action=allow "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe" enable=yes profile=private,public
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1124
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='SSTP(Secure Socket Trade Protocol)(SSTF-IN) Outbound' dir=out action=allow program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe' enable=yes profile=private,public"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Windows\system32\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=SSTP(Secure Socket Trade Protocol)(SSTF-IN) Outbound" dir=out action=allow "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe" enable=yes profile=private,public
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC4B7.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3412
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=in program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5060
    - - C:\Windows\system32\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=in "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1476
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=out program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\system32\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=out "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4276
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='SSTP(Secure Socket Trade Protocol)(SSTF-IN) Inbound' dir=in action=allow program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe' enable=yes profile=private,public"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4212
    - - C:\Windows\system32\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=SSTP(Secure Socket Trade Protocol)(SSTF-IN) Inbound" dir=in action=allow "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe" enable=yes profile=private,public
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:684
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='SSTP(Secure Socket Trade Protocol)(SSTF-IN) Outbound' dir=out action=allow program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe' enable=yes profile=private,public"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4492
    - - C:\Windows\system32\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=SSTP(Secure Socket Trade Protocol)(SSTF-IN) Outbound" dir=out action=allow "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe" enable=yes profile=private,public
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC17B.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1048
    - - C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 2
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1804

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
760KB

MD5
79549e64dc118988e997a209ef99567d

SHA1
48948a955e0266ac2d5fb7c61e3f48aca97a829c

SHA256
adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43

SHA512
3c58de1340c4a68509cc5c72b6eddc91ffca7d0d0038363632bd6abd51a165452e0a1d2bf0ecbffa0a1ec4e0e9a2f421deaae681f81373917d9dee72c283e4ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43.exe

Filesize
7KB

MD5
4f335528745cc617396c5c7107e84dff

SHA1
e90b4e0e888c43dde82662df49c7c054207a2961

SHA256
50e64c6fb2a0fb6898a792d192c35b3f43996c6dea24d5f94c0e90e2be238671

SHA512
0bb11a0577108a13ebd98323ea094d05205a07686ab355e9c6bf8976398be0a327306206c64a4d41109fbf2f47f8af0925a605023ea308109d7c80540129138c

Download Submit
C:\Users\Admin\AppData\Local\Temp\31C75E00

Filesize
22KB

MD5
6152b47e5501dd1357481894bc2d1da1

SHA1
5bf1e527d349a79974c54bc683325d0a7ed4a7c8

SHA256
3a4499f3e4cb1599419835f86787925fdae3aedf4b45c427f2d398a6b1fa35a7

SHA512
78ab63758d68e54f471682edd424a3bc445a8a3edd287029ebdaa48d92e3b1cf5d95c182a52f3bceb216706b6f6b670c92453c06a6ba15916c5e194f2a2a163d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KdvL4GDe.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yz4zoy1m.fyl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC17B.tmp.bat

Filesize
158B

MD5
93a258860ad58d74639f510fa834ff3b

SHA1
407cb368545e99a26ce1604688bae11cabca28d2

SHA256
95daa6841c0e02f7992f82be69d0eb5bd25de7c8e1afa140ae685df96c19947f

SHA512
7f34f91fd82a67b52c1c7cee5492b7a6c55c7ced73f47ee24837967d8d092211c658499eab5a69ee203631bded74d085e1358f4a2a5d8a6a141b63483bdbebb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC4B7.tmp.bat

Filesize
213B

MD5
b151802383ad40aee21c464cbb782f04

SHA1
035bdbb2a4d366afd447b3b93eb8f1fb8fbdbceb

SHA256
c486cdb287e43d4fe95f0171e29cd305fa849c3f300224e9b8b9463cb4af8f7f

SHA512
a2547923424ce50ffa9fcdc9edcf4c095de36c141e6345caced72152b883c063aefc1f7dfc3ad50658e6ea525f9c2e25af23c503257ff11730f55c14c961a3cb

Download Submit
memory/1324-71-0x000001E76EF70000-0x000001E76EF78000-memory.dmp

Filesize
32KB

Download
memory/1324-72-0x00007FFA24813000-0x00007FFA24815000-memory.dmp

Filesize
8KB

Download
memory/1976-346-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1976-374-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2084-206-0x00007FFA028D0000-0x00007FFA028E0000-memory.dmp

Filesize
64KB

Download
memory/2084-217-0x00007FFA00180000-0x00007FFA00190000-memory.dmp

Filesize
64KB

Download
memory/2084-216-0x00007FFA00180000-0x00007FFA00190000-memory.dmp

Filesize
64KB

Download
memory/2084-205-0x00007FFA028D0000-0x00007FFA028E0000-memory.dmp

Filesize
64KB

Download
memory/2084-202-0x00007FFA028D0000-0x00007FFA028E0000-memory.dmp

Filesize
64KB

Download
memory/2084-203-0x00007FFA028D0000-0x00007FFA028E0000-memory.dmp

Filesize
64KB

Download
memory/2084-204-0x00007FFA028D0000-0x00007FFA028E0000-memory.dmp

Filesize
64KB

Download
memory/3532-220-0x00007FFA24810000-0x00007FFA252D1000-memory.dmp

Filesize
10.8MB

Download
memory/3532-139-0x0000027CA9780000-0x0000027CA97A2000-memory.dmp

Filesize
136KB

Download
memory/3532-133-0x00007FFA24810000-0x00007FFA252D1000-memory.dmp

Filesize
10.8MB

Download
memory/5004-0-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/5004-130-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download