102695e9c340...f2.exe
windows7-x64
102695e9c340...f2.exe
windows10-2004-x64
1026988aa536...1a.exe
windows7-x64
1026988aa536...1a.exe
windows10-2004-x64
1026c11dac9d...ae.exe
windows7-x64
726c11dac9d...ae.exe
windows10-2004-x64
726cf08ffef...d4.exe
windows7-x64
1026cf08ffef...d4.exe
windows10-2004-x64
102731468d18...e0.exe
windows7-x64
102731468d18...e0.exe
windows10-2004-x64
102743ade13f...5f.exe
windows7-x64
102743ade13f...5f.exe
windows10-2004-x64
10275ed71ebe...da.exe
windows7-x64
7275ed71ebe...da.exe
windows10-2004-x64
1027603eafb6...aa.exe
windows7-x64
1027603eafb6...aa.exe
windows10-2004-x64
102774cc3c00...0f.exe
windows7-x64
102774cc3c00...0f.exe
windows10-2004-x64
10277de6643c...86.exe
windows7-x64
10277de6643c...86.exe
windows10-2004-x64
10279ceeb4db...19.exe
windows7-x64
10279ceeb4db...19.exe
windows10-2004-x64
10279dab20ac...0d.exe
windows7-x64
10279dab20ac...0d.exe
windows10-2004-x64
1027aa584234...04.exe
windows7-x64
1027aa584234...04.exe
windows10-2004-x64
1027b356f4e4...60.exe
windows7-x64
1027b356f4e4...60.exe
windows10-2004-x64
1027f2cdcc8e...20.exe
windows7-x64
1027f2cdcc8e...20.exe
windows10-2004-x64
1027f9837794...54.exe
windows7-x64
727f9837794...54.exe
windows10-2004-x64
10Analysis
-
max time kernel
148s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250314-en locale:en-us os:windows10-2004-x64 system -
submitted
22/03/2025, 06:09
Static task
static1
Behavioral task
behavioral1
Sample
2695e9c3407b633d957cf77bb878f5f2.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2695e9c3407b633d957cf77bb878f5f2.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral3
Sample
26988aa536baefc2f8043cdb0d2e49e800d009b362f5cbd38692511fc5198f1a.exe
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
26988aa536baefc2f8043cdb0d2e49e800d009b362f5cbd38692511fc5198f1a.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral5
Sample
26c11dac9dc4d37ddb0c44f4fba7be9fe1bf84f46cc3f369c46b099fbef02bae.exe
Resource
win7-20241010-en
Behavioral task
behavioral6
Sample
26c11dac9dc4d37ddb0c44f4fba7be9fe1bf84f46cc3f369c46b099fbef02bae.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral7
Sample
26cf08ffef5a40b6849f2afec99ac8d4.exe
Resource
win7-20250207-en
Behavioral task
behavioral8
Sample
26cf08ffef5a40b6849f2afec99ac8d4.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral9
Sample
2731468d18a92b65fce6a2c8a04538e0.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
2731468d18a92b65fce6a2c8a04538e0.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral11
Sample
2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral13
Sample
275ed71ebe32729141c2916b8abcca8763d60d2a4af82de387b9979a37495ada.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
275ed71ebe32729141c2916b8abcca8763d60d2a4af82de387b9979a37495ada.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral15
Sample
27603eafb6dd5000efc17b4d67e142aa.exe
Resource
win7-20241010-en
Behavioral task
behavioral16
Sample
27603eafb6dd5000efc17b4d67e142aa.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral17
Sample
2774cc3c0042f6c83a21daa4b7ea0d0f.exe
Resource
win7-20240729-en
Behavioral task
behavioral18
Sample
2774cc3c0042f6c83a21daa4b7ea0d0f.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral19
Sample
277de6643cae0dcc918de5342ba5f386.exe
Resource
win7-20250207-en
Behavioral task
behavioral20
Sample
277de6643cae0dcc918de5342ba5f386.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral21
Sample
279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral23
Sample
279dab20ac900bec30b0f1793b059f0d.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
279dab20ac900bec30b0f1793b059f0d.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral25
Sample
27aa584234053a57f89d2e393478ef04.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
27aa584234053a57f89d2e393478ef04.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral27
Sample
27b356f4e4551c76a9bd9011156ba560.exe
Resource
win7-20250207-en
Behavioral task
behavioral28
Sample
27b356f4e4551c76a9bd9011156ba560.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral29
Sample
27f2cdcc8ecc897dfe40d5af2b4122fc9a40843d60a0506a4a2d5044650a5f20.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
27f2cdcc8ecc897dfe40d5af2b4122fc9a40843d60a0506a4a2d5044650a5f20.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral31
Sample
27f98377943c5b084728d381bf46e854.exe
Resource
win7-20241023-en
Behavioral task
behavioral32
Sample
27f98377943c5b084728d381bf46e854.exe
Resource
win10v2004-20250314-en
General
-
Target
2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe
-
Size
15.2MB
-
MD5
6d2849c0ff4b4cf3ef02f4fde0d92351
-
SHA1
1173bd4bd5c3c107ac9cb9b6b92379b85d0ace71
-
SHA256
2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f
-
SHA512
553b31e4c338239be5aca5b58722432c7e9cb7dfa96950952035a5f316f44127c4cec3978db80312b80196be319f0ca920a687204de3367a0a10d82728266743
-
SSDEEP
393216:LGg4aQGg4aDGg4aRGg4aTGg4akGg4auGg4awGg4aDGg4a1Gg4aPGg4at:r+zZDSsezdPt
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Xred family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 1640 powershell.exe 4532 powershell.exe 4116 powershell.exe 2944 powershell.exe -
Checks computer location settings 2 TTPs 4 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation Synaptics.exe Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation Synaptics.exe Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe -
Executes dropped EXE 4 IoCs
pid Process 2360 ._cache_2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 3336 Synaptics.exe 4016 Synaptics.exe 3660 ._cache_Synaptics.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk, where infostealers often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ._cache_2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe Key opened \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ._cache_2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe Key opened \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ._cache_2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe Key opened \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ._cache_Synaptics.exe Key opened \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ._cache_Synaptics.exe Key opened \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ._cache_Synaptics.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe -
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 49 reallyfreegeoip.org 73 reallyfreegeoip.org 44 checkip.dyndns.org 48 reallyfreegeoip.org -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4152 set thread context of 1880 4152 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 101 PID 3336 set thread context of 4016 3336 Synaptics.exe 116 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Synaptics.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 316 schtasks.exe 3524 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4356 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 34 IoCs
pid Process 4152 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 4152 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 4152 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 4152 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 4152 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 4152 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 4152 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 4152 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 4116 powershell.exe 2944 powershell.exe 4152 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 4152 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 4116 powershell.exe 4152 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 2944 powershell.exe 2360 ._cache_2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 3336 Synaptics.exe 3336 Synaptics.exe 3336 Synaptics.exe 3336 Synaptics.exe 3336 Synaptics.exe 3336 Synaptics.exe 3336 Synaptics.exe 3336 Synaptics.exe 1640 powershell.exe 1640 powershell.exe 4532 powershell.exe 4532 powershell.exe 3336 Synaptics.exe 3336 Synaptics.exe 1640 powershell.exe 4532 powershell.exe 3660 ._cache_Synaptics.exe 3660 ._cache_Synaptics.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 4152 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe Token: SeDebugPrivilege 4116 powershell.exe Token: SeDebugPrivilege 2944 powershell.exe Token: SeDebugPrivilege 2360 ._cache_2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe Token: SeDebugPrivilege 3336 Synaptics.exe Token: SeDebugPrivilege 1640 powershell.exe Token: SeDebugPrivilege 4532 powershell.exe Token: SeDebugPrivilege 3660 ._cache_Synaptics.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 4356 EXCEL.EXE 4356 EXCEL.EXE 4356 EXCEL.EXE 4356 EXCEL.EXE -
Suspicious use of WriteProcessMemory 49 IoCs
description pid Process procid_target PID 4152 wrote to memory of 4116 4152 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 95 PID 4152 wrote to memory of 4116 4152 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 95 PID 4152 wrote to memory of 4116 4152 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 95 PID 4152 wrote to memory of 2944 4152 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 97 PID 4152 wrote to memory of 2944 4152 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 97 PID 4152 wrote to memory of 2944 4152 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 97 PID 4152 wrote to memory of 316 4152 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 99 PID 4152 wrote to memory of 316 4152 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 99 PID 4152 wrote to memory of 316 4152 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 99 PID 4152 wrote to memory of 1880 4152 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 101 PID 4152 wrote to memory of 1880 4152 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 101 PID 4152 wrote to memory of 1880 4152 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 101 PID 4152 wrote to memory of 1880 4152 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 101 PID 4152 wrote to memory of 1880 4152 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 101 PID 4152 wrote to memory of 1880 4152 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 101 PID 4152 wrote to memory of 1880 4152 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 101 PID 4152 wrote to memory of 1880 4152 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 101 PID 4152 wrote to memory of 1880 4152 
2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 101 PID 4152 wrote to memory of 1880 4152 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 101 PID 4152 wrote to memory of 1880 4152 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 101 PID 1880 wrote to memory of 2360 1880 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 102 PID 1880 wrote to memory of 2360 1880 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 102 PID 1880 wrote to memory of 2360 1880 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 102 PID 1880 wrote to memory of 3336 1880 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 103 PID 1880 wrote to memory of 3336 1880 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 103 PID 1880 wrote to memory of 3336 1880 2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe 103 PID 3336 wrote to memory of 1640 3336 Synaptics.exe 110 PID 3336 wrote to memory of 1640 3336 Synaptics.exe 110 PID 3336 wrote to memory of 1640 3336 Synaptics.exe 110 PID 3336 wrote to memory of 4532 3336 Synaptics.exe 112 PID 3336 wrote to memory of 4532 3336 Synaptics.exe 112 PID 3336 wrote to memory of 4532 3336 Synaptics.exe 112 PID 3336 wrote to memory of 3524 3336 Synaptics.exe 113 PID 3336 wrote to memory of 3524 3336 Synaptics.exe 113 PID 3336 wrote to memory of 3524 3336 Synaptics.exe 113 PID 3336 wrote to memory of 4016 3336 Synaptics.exe 116 PID 3336 wrote to memory of 4016 3336 Synaptics.exe 116 PID 3336 wrote to memory of 4016 3336 Synaptics.exe 116 PID 3336 wrote to memory of 4016 3336 Synaptics.exe 116 PID 3336 wrote to memory of 4016 3336 Synaptics.exe 116 PID 3336 wrote to memory of 4016 3336 Synaptics.exe 116 PID 3336 wrote to memory of 4016 3336 Synaptics.exe 116 PID 3336 wrote to memory of 4016 3336 Synaptics.exe 116 PID 3336 wrote to memory of 4016 3336 Synaptics.exe 116 PID 3336 wrote to memory of 
4016 3336 Synaptics.exe 116 PID 3336 wrote to memory of 4016 3336 Synaptics.exe 116 PID 4016 wrote to memory of 3660 4016 Synaptics.exe 117 PID 4016 wrote to memory of 3660 4016 Synaptics.exe 117 PID 4016 wrote to memory of 3660 4016 Synaptics.exe 117 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ._cache_Synaptics.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ._cache_Synaptics.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe"C:\Users\Admin\AppData\Local\Temp\2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4152 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4116
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sXLAWJKdeDZVj.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2944
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sXLAWJKdeDZVj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDE3A.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:316
-
-
C:\Users\Admin\AppData\Local\Temp\2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe"C:\Users\Admin\AppData\Local\Temp\2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe"2⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Users\Admin\AppData\Local\Temp\._cache_2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe"C:\Users\Admin\AppData\Local\Temp\._cache_2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2360
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3336 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Synaptics\Synaptics.exe"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1640
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sXLAWJKdeDZVj.exe"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4532
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sXLAWJKdeDZVj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp657B.tmp"4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3524
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"5⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3660
-
-
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4356
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
Downloads
-
Filesize
15.2MB
MD56d2849c0ff4b4cf3ef02f4fde0d92351
SHA11173bd4bd5c3c107ac9cb9b6b92379b85d0ace71
SHA2562743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f
SHA512553b31e4c338239be5aca5b58722432c7e9cb7dfa96950952035a5f316f44127c4cec3978db80312b80196be319f0ca920a687204de3367a0a10d82728266743
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
18KB
MD5837fbaf921476a7359d58f3d69da6aeb
SHA14f5b3f4c0eb6673305847424401681932b208c9b
SHA256626d9139e9716ffc7b6ec2ef9edbae18cc520b254117adf7d4afcc9fde9034c6
SHA5124e62269a3bfaeadfcb556abe73edab083e45d7f2a91e8b0c4a1d337bee5fb4f6b83eb95e3734a630dc6706fcc8c85f72d7451488412fc9b97a611c161f6e2cf4
-
Filesize
18KB
MD5ba555e415fa687933c170d13caf5548f
SHA1f8f8e7060eaee0fb67db5d6a08c55e8e57cd2ba6
SHA2564af9ae3aafdf7e546537c2306cefa1d6bb6c994b9a9c6ae5d173b9e44b5dfeac
SHA51285c36ff8dc654671aff4f6ef94fab475e0e6ce9bfaa45fc5b00457a99e32cf10997cce282bd27826e5ac11264e77c3357f9bf4314c50d8a3015b34d066387379
-
C:\Users\Admin\AppData\Local\Temp\._cache_2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe
Filesize91KB
MD5b45e3c4c10da3da0c69e2f90dc3dfb10
SHA161a36473ced38978793a9af1aea1fc528eebe457
SHA256b6fe518ed8ca7ee32f79bb5dd52ab8250cc595d1aa8daec123cef383c6b0bdb6
SHA51244d0c2e0904702dd22c92004415ef3c821bf63de0fb0cc6d7cca41eab36f32531530dd5fdb48017fc5405c7554ae6387514ef3f4e74eea4b36a14d587742e15b
-
Filesize
17KB
MD5e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD5c6219afb8359ad58e1d48a9f55b6898c
SHA1fc1638c0b8b371ffd049fda4855d1c08338b8342
SHA256aa3b4a572e2a109cbf6f9aee84bba4c910988b573e292a4c67a58bc70a135b57
SHA51265a2b8fa59e34ee43000fc0f9a9807a1f78a8185e4e8dc49b9c576ec3252716e5910eaa1d1d0f51a72f33af7a85cc252123c94a285b6ca56b4898db814ce62b9