Analysis (sandbox score: 10)
-
max time kernel
124s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
22/03/2025, 06:10
Behavioral task
behavioral1
Sample
4b5d342b8c5a5b19fac86b1315802786.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
4b5d342b8c5a5b19fac86b1315802786.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral3
Sample
4bb452a3de5825053bceee8fd5ee6db144ef8c4615a71a8408ee7de4df789fa3.exe
Resource
win7-20240729-en
Behavioral task
behavioral4
Sample
4bb452a3de5825053bceee8fd5ee6db144ef8c4615a71a8408ee7de4df789fa3.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral5
Sample
4bbf1f33d0196e9a4ffae1877690bd000c7f728d546252ced45e60ecfe25e04d.exe
Resource
win7-20241010-en
Behavioral task
behavioral6
Sample
4bbf1f33d0196e9a4ffae1877690bd000c7f728d546252ced45e60ecfe25e04d.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral7
Sample
4bc17871c10bb28c4e2b5e2f1d9e4664.exe
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
4bc17871c10bb28c4e2b5e2f1d9e4664.exe
Resource
win10v2004-20250313-en
Behavioral task
behavioral9
Sample
4be84836f68985fd15cbf992a7b0e782d1bab4439960e27c6e252e76a89ce2c8.exe
Resource
win7-20250207-en
Behavioral task
behavioral10
Sample
4be84836f68985fd15cbf992a7b0e782d1bab4439960e27c6e252e76a89ce2c8.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral11
Sample
4c2f38b99403c4aaca4e0a524b094c17b8d7b462af1041dee9e7562c512af4d5.exe
Resource
win7-20241010-en
Behavioral task
behavioral12
Sample
4c2f38b99403c4aaca4e0a524b094c17b8d7b462af1041dee9e7562c512af4d5.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral13
Sample
4c948e42267877c379b01be5faa66926.exe
Resource
win7-20240729-en
Behavioral task
behavioral14
Sample
4c948e42267877c379b01be5faa66926.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral15
Sample
4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral17
Sample
4cc3e6fe699a661d5a6ea786a93cfacd887570860b351476e5f5a1d3616bf922.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
4cc3e6fe699a661d5a6ea786a93cfacd887570860b351476e5f5a1d3616bf922.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral19
Sample
4cf97069999c57b9ff02fc34f4efbe8e.exe
Resource
win7-20241010-en
Behavioral task
behavioral20
Sample
4cf97069999c57b9ff02fc34f4efbe8e.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral21
Sample
4d8cd82fa6662df02eb5af2abbf815d5.exe
Resource
win7-20241023-en
Behavioral task
behavioral22
Sample
4d8cd82fa6662df02eb5af2abbf815d5.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral23
Sample
4d947659fef83a302fd6b7451b980b19.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
4d947659fef83a302fd6b7451b980b19.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral25
Sample
4dac62ad007ffed0e0d4b738af6da8ec.exe
Resource
win7-20250207-en
Behavioral task
behavioral26
Sample
4dac62ad007ffed0e0d4b738af6da8ec.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral27
Sample
4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral29
Sample
4e1fdde317913d69f35aa03397b5ded3.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
4e1fdde317913d69f35aa03397b5ded3.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral31
Sample
4e248cce2fb9b5f155ca62d21c6e9da7.exe
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
4e248cce2fb9b5f155ca62d21c6e9da7.exe
Resource
win10v2004-20250314-en
General
-
Target
4d8cd82fa6662df02eb5af2abbf815d5.exe
-
Size
14.3MB
-
MD5
4d8cd82fa6662df02eb5af2abbf815d5
-
SHA1
9a204dbafb47d5b1e40908011bac6201c4699abc
-
SHA256
1c96153b02b612f06efaea43f046bc0e3e8d9f2248faf8e4d19026d87a0ce8ba
-
SHA512
dbd290b3e39f1ab3f8d99241e4d0cdb9645762ca7ca6436f5fc2ebea6db9caff1de5a6788ec0f83ad75e2b4d9af25f72048550b2e1da9b24ea21c7c90aa19fb5
-
SSDEEP
393216:SGg4a7Gg4anGg4aDGg4aDGg4anGg4aOGg4aS:AbXzzXMS
Malware Config
Extracted
xred (family)
xred.mooo.com (extracted host; presumably the dynamic-DNS C2 name — consistent with the freedns.afraid.org getdyndns lookup listed under payload_url, but the config key name is not shown)
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Xred family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Runs PowerShell (Add-MpPreference) to modify Windows Defender settings by adding exclusions. In this run every invocation adds an -ExclusionPath: the dropper in Temp, the copy at C:\ProgramData\Synaptics\Synaptics.exe, and C:\Users\Admin\AppData\Roaming\sXLAWJKdeDZVj.exe (see the process tree); no extension or process exclusions are visible here. Whether the cmdlet actually takes effect on this Windows 7 image is not shown in the report.
pid Process 2984 powershell.exe 2940 powershell.exe 1640 powershell.exe 2260 powershell.exe -
resource behavioral21/files/0x0005000000019627-139.dat behavioral21/files/0x0007000000019627-163.dat behavioral21/files/0x0008000000019629-174.dat behavioral21/files/0x000600000001962b-187.dat behavioral21/files/0x000a000000019629-198.dat -
Executes dropped EXE 4 IoCs
pid Process 2364 ._cache_4d8cd82fa6662df02eb5af2abbf815d5.exe 1704 Synaptics.exe 984 Synaptics.exe 1556 ._cache_Synaptics.exe -
Loads dropped DLL 4 IoCs
pid Process 2696 4d8cd82fa6662df02eb5af2abbf815d5.exe 2696 4d8cd82fa6662df02eb5af2abbf815d5.exe 984 Synaptics.exe 984 Synaptics.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data (profiles, credentials, messages) on disk, and infostealers commonly read it. The concrete IoCs for this run are the Outlook profile registry keys opened by the two ._cache_ executables (listed under "Accesses Microsoft Outlook profiles" below).
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and history. No concrete file or registry IoC is listed for this signature, so treat it as a TTP-level indication only.
-
Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ._cache_4d8cd82fa6662df02eb5af2abbf815d5.exe Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ._cache_4d8cd82fa6662df02eb5af2abbf815d5.exe Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ._cache_4d8cd82fa6662df02eb5af2abbf815d5.exe Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ._cache_Synaptics.exe Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ._cache_Synaptics.exe Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ._cache_Synaptics.exe -
Adds Run key to start application 2 TTPs 1 IoCs
The value is written under HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run as "Synaptics Pointing Device Driver", pointing at C:\ProgramData\Synaptics\Synaptics.exe — a name chosen to resemble a legitimate touchpad driver. Writing under HKLM needs elevated rights; the sandbox session runs as a user named Admin, so this step may fail on a non-admin victim.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" 4d8cd82fa6662df02eb5af2abbf815d5.exe -
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP. The flows below go to checkip.dyndns.org and reallyfreegeoip.org; both are legitimate services, so detection should key on the requesting process rather than on the domain alone.
flow ioc 9 reallyfreegeoip.org 18 reallyfreegeoip.org 4 checkip.dyndns.org 8 reallyfreegeoip.org -
Suspicious use of SetThreadContext 2 IoCs
In both cases the parent spawns a second copy of its own image, writes to its memory (see "Suspicious use of WriteProcessMemory") and then sets its thread context (2604→2696 for the dropper, 1704→984 for Synaptics.exe) — a pattern consistent with self-injection / process hollowing. The injected payload is not identified in this report.
description pid Process procid_target PID 2604 set thread context of 2696 2604 4d8cd82fa6662df02eb5af2abbf815d5.exe 37 PID 1704 set thread context of 984 1704 Synaptics.exe 46 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempts to gather information about the victim's system language in order to infer the geographical location of the host. Note that the NLS\Language key is also opened here by powershell.exe, schtasks.exe and EXCEL.EXE, which are ordinary Windows/Office binaries; on its own this signature is weak evidence.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4d8cd82fa6662df02eb5af2abbf815d5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXCEL.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4d8cd82fa6662df02eb5af2abbf815d5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_4d8cd82fa6662df02eb5af2abbf815d5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here both invocations create a task named Updates\sXLAWJKdeDZVj from an XML file in the user's Temp directory (tmp1E1B.tmp and tmp97BD.tmp); the task definition itself is not included in the report, so its trigger and action are unknown.
pid Process 2252 schtasks.exe 1448 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 848 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 24 IoCs
pid Process 2604 4d8cd82fa6662df02eb5af2abbf815d5.exe 2604 4d8cd82fa6662df02eb5af2abbf815d5.exe 2604 4d8cd82fa6662df02eb5af2abbf815d5.exe 2604 4d8cd82fa6662df02eb5af2abbf815d5.exe 2604 4d8cd82fa6662df02eb5af2abbf815d5.exe 2604 4d8cd82fa6662df02eb5af2abbf815d5.exe 2604 4d8cd82fa6662df02eb5af2abbf815d5.exe 2604 4d8cd82fa6662df02eb5af2abbf815d5.exe 2604 4d8cd82fa6662df02eb5af2abbf815d5.exe 2940 powershell.exe 2984 powershell.exe 2364 ._cache_4d8cd82fa6662df02eb5af2abbf815d5.exe 1704 Synaptics.exe 1704 Synaptics.exe 1704 Synaptics.exe 1704 Synaptics.exe 1704 Synaptics.exe 1704 Synaptics.exe 1704 Synaptics.exe 1704 Synaptics.exe 2260 powershell.exe 1640 powershell.exe 1704 Synaptics.exe 1556 ._cache_Synaptics.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 2604 4d8cd82fa6662df02eb5af2abbf815d5.exe Token: SeDebugPrivilege 2940 powershell.exe Token: SeDebugPrivilege 2984 powershell.exe Token: SeDebugPrivilege 2364 ._cache_4d8cd82fa6662df02eb5af2abbf815d5.exe Token: SeDebugPrivilege 1704 Synaptics.exe Token: SeDebugPrivilege 2260 powershell.exe Token: SeDebugPrivilege 1640 powershell.exe Token: SeDebugPrivilege 1556 ._cache_Synaptics.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 848 EXCEL.EXE -
Suspicious use of WriteProcessMemory 60 IoCs
description pid Process procid_target PID 2604 wrote to memory of 2940 2604 4d8cd82fa6662df02eb5af2abbf815d5.exe 31 PID 2604 wrote to memory of 2940 2604 4d8cd82fa6662df02eb5af2abbf815d5.exe 31 PID 2604 wrote to memory of 2940 2604 4d8cd82fa6662df02eb5af2abbf815d5.exe 31 PID 2604 wrote to memory of 2940 2604 4d8cd82fa6662df02eb5af2abbf815d5.exe 31 PID 2604 wrote to memory of 2984 2604 4d8cd82fa6662df02eb5af2abbf815d5.exe 33 PID 2604 wrote to memory of 2984 2604 4d8cd82fa6662df02eb5af2abbf815d5.exe 33 PID 2604 wrote to memory of 2984 2604 4d8cd82fa6662df02eb5af2abbf815d5.exe 33 PID 2604 wrote to memory of 2984 2604 4d8cd82fa6662df02eb5af2abbf815d5.exe 33 PID 2604 wrote to memory of 2252 2604 4d8cd82fa6662df02eb5af2abbf815d5.exe 35 PID 2604 wrote to memory of 2252 2604 4d8cd82fa6662df02eb5af2abbf815d5.exe 35 PID 2604 wrote to memory of 2252 2604 4d8cd82fa6662df02eb5af2abbf815d5.exe 35 PID 2604 wrote to memory of 2252 2604 4d8cd82fa6662df02eb5af2abbf815d5.exe 35 PID 2604 wrote to memory of 2696 2604 4d8cd82fa6662df02eb5af2abbf815d5.exe 37 PID 2604 wrote to memory of 2696 2604 4d8cd82fa6662df02eb5af2abbf815d5.exe 37 PID 2604 wrote to memory of 2696 2604 4d8cd82fa6662df02eb5af2abbf815d5.exe 37 PID 2604 wrote to memory of 2696 2604 4d8cd82fa6662df02eb5af2abbf815d5.exe 37 PID 2604 wrote to memory of 2696 2604 4d8cd82fa6662df02eb5af2abbf815d5.exe 37 PID 2604 wrote to memory of 2696 2604 4d8cd82fa6662df02eb5af2abbf815d5.exe 37 PID 2604 wrote to memory of 2696 2604 4d8cd82fa6662df02eb5af2abbf815d5.exe 37 PID 2604 wrote to memory of 2696 2604 4d8cd82fa6662df02eb5af2abbf815d5.exe 37 PID 2604 wrote to memory of 2696 2604 4d8cd82fa6662df02eb5af2abbf815d5.exe 37 PID 2604 wrote to memory of 2696 2604 4d8cd82fa6662df02eb5af2abbf815d5.exe 37 PID 2604 wrote to memory of 2696 2604 4d8cd82fa6662df02eb5af2abbf815d5.exe 37 PID 2604 wrote to memory of 2696 2604 4d8cd82fa6662df02eb5af2abbf815d5.exe 37 PID 2696 wrote to memory of 2364 2696 4d8cd82fa6662df02eb5af2abbf815d5.exe 38 PID 2696 
wrote to memory of 2364 2696 4d8cd82fa6662df02eb5af2abbf815d5.exe 38 PID 2696 wrote to memory of 2364 2696 4d8cd82fa6662df02eb5af2abbf815d5.exe 38 PID 2696 wrote to memory of 2364 2696 4d8cd82fa6662df02eb5af2abbf815d5.exe 38 PID 2696 wrote to memory of 1704 2696 4d8cd82fa6662df02eb5af2abbf815d5.exe 39 PID 2696 wrote to memory of 1704 2696 4d8cd82fa6662df02eb5af2abbf815d5.exe 39 PID 2696 wrote to memory of 1704 2696 4d8cd82fa6662df02eb5af2abbf815d5.exe 39 PID 2696 wrote to memory of 1704 2696 4d8cd82fa6662df02eb5af2abbf815d5.exe 39 PID 1704 wrote to memory of 2260 1704 Synaptics.exe 40 PID 1704 wrote to memory of 2260 1704 Synaptics.exe 40 PID 1704 wrote to memory of 2260 1704 Synaptics.exe 40 PID 1704 wrote to memory of 2260 1704 Synaptics.exe 40 PID 1704 wrote to memory of 1640 1704 Synaptics.exe 42 PID 1704 wrote to memory of 1640 1704 Synaptics.exe 42 PID 1704 wrote to memory of 1640 1704 Synaptics.exe 42 PID 1704 wrote to memory of 1640 1704 Synaptics.exe 42 PID 1704 wrote to memory of 1448 1704 Synaptics.exe 44 PID 1704 wrote to memory of 1448 1704 Synaptics.exe 44 PID 1704 wrote to memory of 1448 1704 Synaptics.exe 44 PID 1704 wrote to memory of 1448 1704 Synaptics.exe 44 PID 1704 wrote to memory of 984 1704 Synaptics.exe 46 PID 1704 wrote to memory of 984 1704 Synaptics.exe 46 PID 1704 wrote to memory of 984 1704 Synaptics.exe 46 PID 1704 wrote to memory of 984 1704 Synaptics.exe 46 PID 1704 wrote to memory of 984 1704 Synaptics.exe 46 PID 1704 wrote to memory of 984 1704 Synaptics.exe 46 PID 1704 wrote to memory of 984 1704 Synaptics.exe 46 PID 1704 wrote to memory of 984 1704 Synaptics.exe 46 PID 1704 wrote to memory of 984 1704 Synaptics.exe 46 PID 1704 wrote to memory of 984 1704 Synaptics.exe 46 PID 1704 wrote to memory of 984 1704 Synaptics.exe 46 PID 1704 wrote to memory of 984 1704 Synaptics.exe 46 PID 984 wrote to memory of 1556 984 Synaptics.exe 47 PID 984 wrote to memory of 1556 984 Synaptics.exe 47 PID 984 wrote to memory of 1556 984 
Synaptics.exe 47 PID 984 wrote to memory of 1556 984 Synaptics.exe 47 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ._cache_Synaptics.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ._cache_Synaptics.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4d8cd82fa6662df02eb5af2abbf815d5.exe"C:\Users\Admin\AppData\Local\Temp\4d8cd82fa6662df02eb5af2abbf815d5.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\4d8cd82fa6662df02eb5af2abbf815d5.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2940
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sXLAWJKdeDZVj.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2984
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sXLAWJKdeDZVj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1E1B.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2252
-
-
C:\Users\Admin\AppData\Local\Temp\4d8cd82fa6662df02eb5af2abbf815d5.exe"C:\Users\Admin\AppData\Local\Temp\4d8cd82fa6662df02eb5af2abbf815d5.exe"2⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Users\Admin\AppData\Local\Temp\._cache_4d8cd82fa6662df02eb5af2abbf815d5.exe"C:\Users\Admin\AppData\Local\Temp\._cache_4d8cd82fa6662df02eb5af2abbf815d5.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2364
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Synaptics\Synaptics.exe"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2260
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sXLAWJKdeDZVj.exe"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1640
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sXLAWJKdeDZVj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp97BD.tmp"4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1448
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:984 -
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"5⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1556
-
-
-
-
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:848
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter (1)
PowerShell (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Persistence
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Credential Access
Credentials from Password Stores (1)
Credentials from Web Browsers (1)
Unsecured Credentials (2)
Credentials In Files (2)
Downloads
-
Filesize
14.3MB
MD54d8cd82fa6662df02eb5af2abbf815d5
SHA19a204dbafb47d5b1e40908011bac6201c4699abc
SHA2561c96153b02b612f06efaea43f046bc0e3e8d9f2248faf8e4d19026d87a0ce8ba
SHA512dbd290b3e39f1ab3f8d99241e4d0cdb9645762ca7ca6436f5fc2ebea6db9caff1de5a6788ec0f83ad75e2b4d9af25f72048550b2e1da9b24ea21c7c90aa19fb5
-
Filesize
91KB
MD5b45e3c4c10da3da0c69e2f90dc3dfb10
SHA161a36473ced38978793a9af1aea1fc528eebe457
SHA256b6fe518ed8ca7ee32f79bb5dd52ab8250cc595d1aa8daec123cef383c6b0bdb6
SHA51244d0c2e0904702dd22c92004415ef3c821bf63de0fb0cc6d7cca41eab36f32531530dd5fdb48017fc5405c7554ae6387514ef3f4e74eea4b36a14d587742e15b
-
Filesize
21KB
MD522f4907b583c2771aeb79ac5dd475dfd
SHA1ff3858bea918d2c7ae95568a946e35266a7e0247
SHA2561be6d333f7743909914b8c9ebcf360ae379b2a0fedcb08a332fe00ad3543f9f6
SHA512c827a4a266fd7cd819bccbaa61f0a12aa0b11313dbf50289f500394227df90ba5a9068c98b0a94ba65d67e45a79036d7bba7a65b2349b73ebc0bd17b419fb9fd
-
Filesize
22KB
MD5eb3ee18db21f684f0720dbebbf4d3860
SHA1defce84e2475d16d631fe995254fe4d33b4a1c90
SHA25674fd6592ee2ddbb1473a9ea0e08e2cdd6a96a8f11275a23b7c76e111cce2ed85
SHA512b628021ac899cbefcbc2156a544f79733e6017a38320d209cb4b38c37f89afa8abbadefa0c1df23d38ec84de6ea99e987ecc71673ab5277cb928ace11b92b573
-
Filesize
22KB
MD52348fc086762d3e930299cc05b225129
SHA1f86d381b3a8852cf6e15b46f96e2611cab7e4bd5
SHA25691a6ccc1532ef5451bd40afc972f5ce2adee49ce2dbfba02cc8a2591af409e05
SHA512b029717885b029c3ab06ff15e996be8bd66343cb16903aeb1cd097b7db152948232d10b82811f07cea7d32e353314d9c8955197af9ba0c6a3752ea2c7b7f4328
-
Filesize
17KB
MD5e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
Filesize
23KB
MD5c2911f0cf087d8d17ff985d8c503a0a2
SHA10a97e011901c3f02d9bbb30b43e3552104148f18
SHA256eb4a9e31394eee37a7c5ba83730ff200b031a0ad81f747bbb17afad9652d8508
SHA5120712d740b025629640d916964b50de4b4d60505f287c163c126179e22088febcab76c66e32aa3a06d997417a053d71e83527d2b516e11486cc85e12deca9c8e0
-
Filesize
24KB
MD5b465f1d11b2b5ac74cfd0c2ae4342a28
SHA1aef51047528d093aa1427ec9183160eafdd3ee94
SHA2563c05dd21bcd379ef18c2414b3ba27dd85af5a9af344ddd18c55f5bf7c9d7697e
SHA51229eb67c56308bc1ef3378194fc54d070c6b20256b4b38e0a1f47e9e5ad31b8cc08d94b3ad1a9e98bf704ac94e4ade8a1dbd4b0b5f6ede1d988e3580e04112fe5
-
Filesize
25KB
MD59a7697effaf89f768f71d5d6f1533649
SHA1e00630164ef2baa99e30c9ab40cf9ba8b902b52e
SHA2565ec1be913847017c6ef156fbc189454451fe17851eb08be57c4316d88eb92508
SHA5120b1ef8174b07b168f8a32722c1bbe5bbdda0da846c6109a4bed15c7ea35bedfd710f8a1603c24eb5d6515255310fbbb234a0f391cf8447149e50a29fd6eaccf6
-
Filesize
1KB
MD5291fd49b659a743a35a07ecd6cc41339
SHA193e38e28ac3a0e7f0ed33ccebeee46c001d58633
SHA256b7cd96f0e91293f82c301c50f4c2b4178251b9bdd9379eb65619720504924705
SHA5120a9f8928c9092404cdf639724510183b3023c78b9880832c82dac26a3991e6d613c1f0ca15dc835c2a8d0f81d43446263abf53d6d7a576c6de33841f992f3b9e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1R4ECGTXBUWLQ5WAT21O.temp
Filesize7KB
MD5c8843efa93b59bb18509f0b0707699f3
SHA190f2f42a44b70c8d879b0eb6bcf1f1225f0bf93b
SHA2564ff1af889e636cad74dcd78baa66c7b0cfe5fc8a3b2dd454320fdc222ac0d18c
SHA51271ad725f16455899831f7684b8328bb4904c82d858fcacd3cfb0559b66e4d0a0c1fb65dda27a02aba6a77b073ed0a27760be849e2542e6567df4b2b676c68f81
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\85C84F6J8G6BX2B35A0C.temp
Filesize7KB
MD5fd2551c0f17f0dff4bd51406e3152bde
SHA1489179d67e2ba8db87f4286a0b51574fe0716da2
SHA256a1af113c814ae0e69ffd5fa437291317ad887fa6fa96d4abc658b3d0d1a95c45
SHA51205a6252d26e7f49e868fb6601b406e17e30b4b79f5cf6e10a4f59c1fd17fc8d598391d32e7ad1621ad9eca62e0ce0388c4b388a69db27c61d947664357460fbf
-
Filesize
165B
MD5ff09371174f7c701e75f357a187c06e8
SHA157f9a638fd652922d7eb23236c80055a91724503
SHA256e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8
SHA512e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882