xred | adcb154a472177f99055a2c7cc2b203737a9a63807782de66154d85d2921cd43

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
15-02-2025 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

grannycc.exe
Size

3.1MB
MD5

93bba25a98254755eaf3afdb7826bd31
SHA1

d9a2cc89eb523886710e485b5be703d9c7c1e53d
SHA256

adcb154a472177f99055a2c7cc2b203737a9a63807782de66154d85d2921cd43
SHA512

9e2142bf39d3b90ff3e170876b00e591c7473dd9462428932bb26ecfb213a5435a332ac8ce601367c8ef8872aaf66100f6523803593e541f48d5a027e41ef264
SSDEEP

49152:5nsHyjtk2MYC5GDSKOR8wgkLCEUMi1M8PPQg8N6ToOTCTDey7/t7+dxwYSQH:5nsmtk2aRtuwncM8UNla0T0SQ

Score

10^/10

xred xworm backdoor discovery persistence rat trojan

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

xworm

Version

5.0

noipedd.ddns.net:1193

Mutex

8V29vmvrMp98QQ8X

Attributes

Install_directory
%AppData%
install_file
qqwgjfggjd.exe

aes.plain

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral2/memory/5088-348-0x0000000000400000-0x00000000004DF000-memory.dmp	family_xworm
behavioral2/memory/5088-350-0x0000000000400000-0x00000000004DF000-memory.dmp	family_xworm
behavioral2/files/0x0007000000023e38-358.dat	family_xworm
behavioral2/memory/2884-416-0x0000000000C10000-0x0000000000C20000-memory.dmp	family_xworm

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Downloads MZ/PE file 1 IoCs

flow	pid	Process
78	4584	Process not Found

.NET Reactor proctector 5 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/files/0x0007000000023e2f-215.dat	net_reactor
behavioral2/files/0x0007000000023e32-228.dat	net_reactor
behavioral2/memory/1840-304-0x0000000000400000-0x000000000074D000-memory.dmp	net_reactor
behavioral2/memory/448-306-0x0000000000650000-0x00000000008CE000-memory.dmp	net_reactor
behavioral2/memory/1328-352-0x0000000000400000-0x000000000074D000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Control Panel\International\Geo\Nation	persistence.exe
Key value queried	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Control Panel\International\Geo\Nation	persistence.exe
Key value queried	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Control Panel\International\Geo\Nation	grannycc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Control Panel\International\Geo\Nation	._cache_grannycc.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	._cache_persistence.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	._cache_persistence.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qqwgjfggjd.lnk	._cache_MSBuild.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qqwgjfggjd.lnk	._cache_MSBuild.exe

Executes dropped EXE 11 IoCs

pid	Process
2884	._cache_grannycc.exe
5064	Synaptics.exe
2984	._cache_Synaptics.exe
1364	GrannyEscapeTogether.exe
1840	persistence.exe
448	._cache_persistence.exe
2216	GrannyEscapeTogether.exe
1328	persistence.exe
1956	._cache_persistence.exe
2884	._cache_MSBuild.exe
4656	._cache_MSBuild.exe

Loads dropped DLL 4 IoCs

pid	Process
1328	persistence.exe
1328	persistence.exe
1540	MSBuild.exe
1540	MSBuild.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	grannycc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 448 set thread context of 5088	448	._cache_persistence.exe	102
PID 1956 set thread context of 1540	1956	._cache_persistence.exe	105

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	persistence.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_persistence.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	persistence.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_persistence.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grannycc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4304	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2552	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	persistence.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	persistence.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MSBuild.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MSBuild.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	grannycc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1356	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	._cache_MSBuild.exe
Token: SeDebugPrivilege	4656	._cache_MSBuild.exe
Token: SeDebugPrivilege	2884	._cache_MSBuild.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1356	EXCEL.EXE
1356	EXCEL.EXE
1356	EXCEL.EXE
1356	EXCEL.EXE
1356	EXCEL.EXE
1356	EXCEL.EXE

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 2884	1456	grannycc.exe	87
PID 1456 wrote to memory of 2884	1456	grannycc.exe	87
PID 1456 wrote to memory of 5064	1456	grannycc.exe	88
PID 1456 wrote to memory of 5064	1456	grannycc.exe	88
PID 1456 wrote to memory of 5064	1456	grannycc.exe	88
PID 5064 wrote to memory of 2984	5064	Synaptics.exe	92
PID 5064 wrote to memory of 2984	5064	Synaptics.exe	92
PID 2884 wrote to memory of 1364	2884	._cache_grannycc.exe	95
PID 2884 wrote to memory of 1364	2884	._cache_grannycc.exe	95
PID 2884 wrote to memory of 1840	2884	._cache_grannycc.exe	96
PID 2884 wrote to memory of 1840	2884	._cache_grannycc.exe	96
PID 2884 wrote to memory of 1840	2884	._cache_grannycc.exe	96
PID 1840 wrote to memory of 448	1840	persistence.exe	99
PID 1840 wrote to memory of 448	1840	persistence.exe	99
PID 1840 wrote to memory of 448	1840	persistence.exe	99
PID 2984 wrote to memory of 2216	2984	._cache_Synaptics.exe	100
PID 2984 wrote to memory of 2216	2984	._cache_Synaptics.exe	100
PID 2984 wrote to memory of 1328	2984	._cache_Synaptics.exe	101
PID 2984 wrote to memory of 1328	2984	._cache_Synaptics.exe	101
PID 2984 wrote to memory of 1328	2984	._cache_Synaptics.exe	101
PID 448 wrote to memory of 5088	448	._cache_persistence.exe	102
PID 448 wrote to memory of 5088	448	._cache_persistence.exe	102
PID 448 wrote to memory of 5088	448	._cache_persistence.exe	102
PID 448 wrote to memory of 5088	448	._cache_persistence.exe	102
PID 448 wrote to memory of 5088	448	._cache_persistence.exe	102
PID 448 wrote to memory of 5088	448	._cache_persistence.exe	102
PID 448 wrote to memory of 5088	448	._cache_persistence.exe	102
PID 448 wrote to memory of 5088	448	._cache_persistence.exe	102
PID 448 wrote to memory of 5088	448	._cache_persistence.exe	102
PID 448 wrote to memory of 5088	448	._cache_persistence.exe	102
PID 448 wrote to memory of 5088	448	._cache_persistence.exe	102
PID 1328 wrote to memory of 1956	1328	persistence.exe	103
PID 1328 wrote to memory of 1956	1328	persistence.exe	103
PID 1328 wrote to memory of 1956	1328	persistence.exe	103
PID 5088 wrote to memory of 2884	5088	MSBuild.exe	104
PID 5088 wrote to memory of 2884	5088	MSBuild.exe	104
PID 1956 wrote to memory of 1540	1956	._cache_persistence.exe	105
PID 1956 wrote to memory of 1540	1956	._cache_persistence.exe	105
PID 1956 wrote to memory of 1540	1956	._cache_persistence.exe	105
PID 1956 wrote to memory of 1540	1956	._cache_persistence.exe	105
PID 1956 wrote to memory of 1540	1956	._cache_persistence.exe	105
PID 1956 wrote to memory of 1540	1956	._cache_persistence.exe	105
PID 1956 wrote to memory of 1540	1956	._cache_persistence.exe	105
PID 1956 wrote to memory of 1540	1956	._cache_persistence.exe	105
PID 1956 wrote to memory of 1540	1956	._cache_persistence.exe	105
PID 1956 wrote to memory of 1540	1956	._cache_persistence.exe	105
PID 1956 wrote to memory of 1540	1956	._cache_persistence.exe	105
PID 1540 wrote to memory of 4656	1540	MSBuild.exe	106
PID 1540 wrote to memory of 4656	1540	MSBuild.exe	106
PID 2884 wrote to memory of 2752	2884	._cache_MSBuild.exe	124
PID 2884 wrote to memory of 2752	2884	._cache_MSBuild.exe	124
PID 2752 wrote to memory of 2552	2752	cmd.exe	126
PID 2752 wrote to memory of 2552	2752	cmd.exe	126

C:\Users\Admin\AppData\Local\Temp\grannycc.exe
"C:\Users\Admin\AppData\Local\Temp\grannycc.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Users\Admin\AppData\Local\Temp\._cache_grannycc.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_grannycc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Users\Admin\AppData\Local\Temp\GrannyEscapeTogether.exe
    "C:\Users\Admin\AppData\Local\Temp\GrannyEscapeTogether.exe"
    3⤵
    - Executes dropped EXE
    PID:1364
- - C:\Users\Admin\AppData\Local\Temp\persistence.exe
    "C:\Users\Admin\AppData\Local\Temp\persistence.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Users\Admin\AppData\Local\Temp\._cache_persistence.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_persistence.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:448
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5088
      - C:\Users\Admin\AppData\Local\Temp\._cache_MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_MSBuild.exe"
        6⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp33EC.tmp.bat""
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        8⤵
        Delays execution with timeout.exe
        
        PID:2552
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Users\Admin\AppData\Local\Temp\GrannyEscapeTogether.exe
      "C:\Users\Admin\AppData\Local\Temp\GrannyEscapeTogether.exe"
      4⤵
      Executes dropped EXE
      PID:2216
  - - C:\Users\Admin\AppData\Local\Temp\persistence.exe
      "C:\Users\Admin\AppData\Local\Temp\persistence.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1328
    - - C:\Users\Admin\AppData\Local\Temp\._cache_persistence.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_persistence.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1956
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\._cache_MSBuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_MSBuild.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4656

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1356

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTE2MDVEM0MtRjRDMy00RUIxLUI1NjItNDM5OTA5MUVCMThEfSIgdXNlcmlkPSJ7N0UyRDcyMEUtMDcxNS00Q0E4LUE4MEYtQkI4RTc2RTVDNDA3fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NUM2RUQ4NEUtRTI4RC00MzdCLUIwNDYtMzZGQkM3RjgyMzczfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI3IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5MjEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODE5ODA3NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjI5NDMwNTM1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
3.1MB

MD5
93bba25a98254755eaf3afdb7826bd31

SHA1
d9a2cc89eb523886710e485b5be703d9c7c1e53d

SHA256
adcb154a472177f99055a2c7cc2b203737a9a63807782de66154d85d2921cd43

SHA512
9e2142bf39d3b90ff3e170876b00e591c7473dd9462428932bb26ecfb213a5435a332ac8ce601367c8ef8872aaf66100f6523803593e541f48d5a027e41ef264

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\._cache_MSBuild.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\._cache_persistence.exe.log

Filesize
617B

MD5
47504b42411e2c23666d08795adae488

SHA1
92ba780125e2fcedc6223478504aa501adf95c06

SHA256
4b2747d4a45ae359c415f11d2a2d9e09e6a036aad39b40e284850603b64bbc98

SHA512
a2d33cb21ec121b9f857c81df3992da216859f5df69cc8da9edbd91eeb21f45b7ac79459d0c6bc08f09bc33684dfff62a20feddd13d5367ad717095ac85fe9c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_MSBuild.exe

Filesize
35KB

MD5
023819bcc9e82d78de2da9cf54f6ed47

SHA1
706b6eda1e781904a153e8c4adc763ea7584b542

SHA256
c3b5245831f0d76db25b7497eefcc29ff59903ddc401524b3b8c49af982d2691

SHA512
857ec3b461b08c603288f90a18ba0b6b9b13069c4b4533b787edd5b3021a2e967c85e9d4001d7c263b69b7134aff68ab8b77d9cd2f1d06c36d686ea370f9254d

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_grannycc.exe

Filesize
2.3MB

MD5
92d66ee187b0065843621d7c5062ab9c

SHA1
9e5172b7584a6a227c44202f65a78059bee69cf5

SHA256
fa6629cf86bd23eaaf918dd1d527aff025cfb805be31456c644520c7f164486e

SHA512
96bb8769536fd3713e646238a31b96c9a2147cd5f818d115fd84fc0fb2a603fb39bbf62a4deef3406d3328db154306996b2e0702a5d3119420dea92ef9588cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_persistence.exe

Filesize
2.5MB

MD5
ae3d97bf016cebe68109d6c58ad59642

SHA1
1cb02cf2837af1e499c4306988344b12eb192312

SHA256
4fc1eeb5bfa1e22dbbe049cf40ebfae1b986593413f657e50d5956c500e8ef80

SHA512
656ed8de685d7525d76d0dbb47fa3326773f5233141106f66955b7459372cc0c442a6d7319afe5e2dee33043a589b2b0f5f55a287306301e0eea177d34d4e30e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EA75E00

Filesize
23KB

MD5
ffd475f0abb36b0b2e268e8fc71fd0bc

SHA1
9cf97b8709461403c2a7d485c62361bc56c314b3

SHA256
9bdb2b380d8a1073ad02ba3305870a1b6523b07454cc9619d3ef1ad57174e6b7

SHA512
61e565c7f7ed4092beddb271a2bd8a2b39becdb4094e5a162ec72afe89aabd4843e86e7bd48c5104384f3f8eb80bcc747d0bcdc760eac5cf5d532368b9321182

Download Submit
C:\Users\Admin\AppData\Local\Temp\GrannyEscapeTogether.exe

Filesize
255KB

MD5
ab9ec0a0554187a55c49912026cf5b03

SHA1
f13fdcd81621a189917ce30fee700d95988a73a6

SHA256
676a4cbbdcd5327cc004ae2ae1b45aa4dace193968a579532646a92ad3874a64

SHA512
65637dc804c3d9f050df0ad764280332ed9fc55084aea985e954bdb8450070ac5342bd30e222553d67524a40d508da1fb7fb112ada9479dc14899edd9a71372e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HiJUKODn.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\persistence.exe

Filesize
3.3MB

MD5
0cd8e614a8cfc0f571fd20db5b5913fe

SHA1
4fc13da917124435dd6b9413fbf553e9357023e8

SHA256
8d181ee22219a3ccc077679d2651ee64cf10f8fc315b5f0a42418d114f37b94e

SHA512
244968545242abb2d1cadaf8d56bb321a39040402dacbefaebaccb5f647103d2d77288fa3785cb6ec69f6c1760b8034a63a480caee8db66527385a8592c4db85

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp33EC.tmp.bat

Filesize
167B

MD5
80799bbc9c9cccab45590696b89d71ab

SHA1
4af20275cc700f6d29a4bdb152283872d2e86bff

SHA256
0f6aaa9ce8575997a4d53aa08553c7835e69e61232666f836c64dbe73444da3b

SHA512
bd3ec52f0448539ad7873fb4a87d50967ffbc8094da217d815b985dea2539e1851c880c9b6863b1d7328fd62bc5006f80dc21a59e0888bbb792469782d166674

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk

Filesize
1KB

MD5
e31d3ff0a24aa85e911c1041582fd424

SHA1
b1ed1399a5e1c22b6c61c5e21d4d0d7379c65583

SHA256
08ad4c32e69f6957631f3a34852254e1919ffeabcc4354b04a34d4dd0f4ed89d

SHA512
b77ff973a564bbdf8125e31b80016082ececd624398b1cada0c54cc5df90abf509b371caee92c736cc808a443e854047c895056d8153db56a2f8b2274770491d

Download Submit
memory/448-347-0x0000000005A00000-0x0000000005AB6000-memory.dmp

Filesize
728KB

Download
memory/448-342-0x0000000005FB0000-0x0000000006554000-memory.dmp

Filesize
5.6MB

Download
memory/448-338-0x00000000051B0000-0x000000000524C000-memory.dmp

Filesize
624KB

Download
memory/448-306-0x0000000000650000-0x00000000008CE000-memory.dmp

Filesize
2.5MB

Download
memory/1328-352-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/1356-195-0x00007FF7D8B50000-0x00007FF7D8B60000-memory.dmp

Filesize
64KB

Download
memory/1356-194-0x00007FF7D8B50000-0x00007FF7D8B60000-memory.dmp

Filesize
64KB

Download
memory/1356-198-0x00007FF7D6620000-0x00007FF7D6630000-memory.dmp

Filesize
64KB

Download
memory/1356-197-0x00007FF7D6620000-0x00007FF7D6630000-memory.dmp

Filesize
64KB

Download
memory/1356-193-0x00007FF7D8B50000-0x00007FF7D8B60000-memory.dmp

Filesize
64KB

Download
memory/1356-196-0x00007FF7D8B50000-0x00007FF7D8B60000-memory.dmp

Filesize
64KB

Download
memory/1356-192-0x00007FF7D8B50000-0x00007FF7D8B60000-memory.dmp

Filesize
64KB

Download
memory/1456-0-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/1456-130-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/1840-304-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/2884-416-0x0000000000C10000-0x0000000000C20000-memory.dmp

Filesize
64KB

Download
memory/2884-119-0x0000000000700000-0x000000000094A000-memory.dmp

Filesize
2.3MB

Download
memory/2884-71-0x00007FFFFA763000-0x00007FFFFA765000-memory.dmp

Filesize
8KB

Download
memory/5064-131-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/5064-427-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/5064-428-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/5064-465-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/5088-348-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/5088-350-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads