1094975fe621...cd.exe
windows7-x64
1094975fe621...cd.exe
windows10-2004-x64
1094c020786b...1d.exe
windows7-x64
1094c020786b...1d.exe
windows10-2004-x64
1094c7c87a82...20.exe
windows7-x64
194c7c87a82...20.exe
windows10-2004-x64
194dd618932...a1.exe
windows7-x64
394dd618932...a1.exe
windows10-2004-x64
394e2ada20e...f6.exe
windows7-x64
1094e2ada20e...f6.exe
windows10-2004-x64
7952e0a7f82...33.exe
windows7-x64
7952e0a7f82...33.exe
windows10-2004-x64
7953e99960b...40.exe
windows7-x64
10953e99960b...40.exe
windows10-2004-x64
109576cc7c1d...3f.exe
windows7-x64
109576cc7c1d...3f.exe
windows10-2004-x64
10959c2d37a1...19.exe
windows7-x64
10959c2d37a1...19.exe
windows10-2004-x64
1095cc71e95c...eb.exe
windows7-x64
1095cc71e95c...eb.exe
windows10-2004-x64
1095fc2287fc...2c.exe
windows7-x64
1095fc2287fc...2c.exe
windows10-2004-x64
10960c033d30...04.exe
windows7-x64
1960c033d30...04.exe
windows10-2004-x64
196591b5749...ff.exe
windows7-x64
196591b5749...ff.exe
windows10-2004-x64
19695505ced...e7.exe
windows7-x64
19695505ced...e7.exe
windows10-2004-x64
196959cb142...76.exe
windows7-x64
1096959cb142...76.exe
windows10-2004-x64
1096985d97b0...da.exe
windows7-x64
1096985d97b0...da.exe
windows10-2004-x64
10Analysis
-
max time kernel
135s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250314-en locale:en-us os:windows10-2004-x64 system -
submitted
22/03/2025, 06:14
Behavioral task
behavioral1
Sample
94975fe621437bc551de379ca5db04f88554915fa00e95a8595116a5e91d35cd.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
94975fe621437bc551de379ca5db04f88554915fa00e95a8595116a5e91d35cd.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral3
Sample
94c020786bf74ea45e95666a68b1d21d.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
94c020786bf74ea45e95666a68b1d21d.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral5
Sample
94c7c87a82c5b86f793f2553cc5a6c20.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
94c7c87a82c5b86f793f2553cc5a6c20.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral7
Sample
94dd6189328a24ea86b9726e0ff01aba18c8b2d13cdd59dcdedf9ae19b9700a1.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
94dd6189328a24ea86b9726e0ff01aba18c8b2d13cdd59dcdedf9ae19b9700a1.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral9
Sample
94e2ada20e21670b71abcc87c81ea0f6.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
94e2ada20e21670b71abcc87c81ea0f6.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral11
Sample
952e0a7f82d06cd737223c4fe0c0d133.exe
Resource
win7-20240729-en
Behavioral task
behavioral12
Sample
952e0a7f82d06cd737223c4fe0c0d133.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral13
Sample
953e99960b6bb27c1953eb4c62949b32b63482f7f5613bf53ae7751bb9678140.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
953e99960b6bb27c1953eb4c62949b32b63482f7f5613bf53ae7751bb9678140.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral15
Sample
9576cc7c1d016017905b260b127b983f.exe
Resource
win7-20250207-en
Behavioral task
behavioral16
Sample
9576cc7c1d016017905b260b127b983f.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral17
Sample
959c2d37a1e94337957c5323aab9bf19.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
959c2d37a1e94337957c5323aab9bf19.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral19
Sample
95cc71e95ccf96ee404de6261589d09ec40cc8e5536356806e23b2b8ba21fdeb.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
95cc71e95ccf96ee404de6261589d09ec40cc8e5536356806e23b2b8ba21fdeb.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral21
Sample
95fc2287fc4fea75666b56cfd668d72c.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
95fc2287fc4fea75666b56cfd668d72c.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral23
Sample
960c033d3033f9058766fe5f229e94401874404c1df50c73856346dc7141a104.exe
Resource
win7-20240729-en
Behavioral task
behavioral24
Sample
960c033d3033f9058766fe5f229e94401874404c1df50c73856346dc7141a104.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral25
Sample
96591b574924a1846cfccfedd4cfd584f84e920dc06b5ce05a581a8a067c79ff.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
96591b574924a1846cfccfedd4cfd584f84e920dc06b5ce05a581a8a067c79ff.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral27
Sample
9695505ced3961f59e27022cd01b53f6a05fd1dc98c77f3f4d4b1c16aa72b8e7.exe
Resource
win7-20241023-en
Behavioral task
behavioral28
Sample
9695505ced3961f59e27022cd01b53f6a05fd1dc98c77f3f4d4b1c16aa72b8e7.exe
Resource
win10v2004-20250313-en
Behavioral task
behavioral29
Sample
96959cb1423fd801a2e3d718868a3776.exe
Resource
win7-20241010-en
Behavioral task
behavioral30
Sample
96959cb1423fd801a2e3d718868a3776.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral31
Sample
96985d97b017d4c59db75bdbab49f82d464e90407987be456b1b0ba7f1b748da.exe
Resource
win7-20241010-en
Behavioral task
behavioral32
Sample
96985d97b017d4c59db75bdbab49f82d464e90407987be456b1b0ba7f1b748da.exe
Resource
win10v2004-20250314-en
General
-
Target
95fc2287fc4fea75666b56cfd668d72c.exe
-
Size
9.7MB
-
MD5
95fc2287fc4fea75666b56cfd668d72c
-
SHA1
9de58712ca97a8b052b21f8ce7afa9708b671c2b
-
SHA256
16e39062569dd0ef3936b52c974370c6ef11b58149eae4f9d42b7f1079765091
-
SHA512
96371451474490e42cf2444eee70a1a1be4f0a32888f348e1d3ea004bc71621dce799b1190fd9388d2bde36a5d3c57ad9d79c602a798dad5ec626a161032bf70
-
SSDEEP
196608:2Nsg4AMgAINsg4AMgAFNsg4AMgAINsg4AMgAENsg4AMgAiNsg4AMgAANsg4AMgAu:2Gg4a3Gg4aqGg4ajGg4aDGg4a1Gg4aP9
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Xred family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4336 powershell.exe 5804 powershell.exe 6092 powershell.exe 2364 powershell.exe -
resource behavioral22/files/0x00030000000229c2-376.dat -
Checks computer location settings 2 TTPs 4 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation 95fc2287fc4fea75666b56cfd668d72c.exe Key value queried \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation 95fc2287fc4fea75666b56cfd668d72c.exe Key value queried \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation Synaptics.exe Key value queried \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation Synaptics.exe -
Executes dropped EXE 4 IoCs
pid Process 5708 ._cache_95fc2287fc4fea75666b56cfd668d72c.exe 3452 Synaptics.exe 4500 Synaptics.exe 3200 ._cache_Synaptics.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk, where infostealers often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ._cache_95fc2287fc4fea75666b56cfd668d72c.exe Key opened \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ._cache_95fc2287fc4fea75666b56cfd668d72c.exe Key opened \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ._cache_95fc2287fc4fea75666b56cfd668d72c.exe Key opened \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ._cache_Synaptics.exe Key opened \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ._cache_Synaptics.exe Key opened \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ._cache_Synaptics.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" 95fc2287fc4fea75666b56cfd668d72c.exe -
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 72 reallyfreegeoip.org 52 checkip.dyndns.org 54 reallyfreegeoip.org 55 reallyfreegeoip.org 66 checkip.dyndns.org -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 3032 set thread context of 2352 3032 95fc2287fc4fea75666b56cfd668d72c.exe 109 PID 3452 set thread context of 4500 3452 Synaptics.exe 120 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 95fc2287fc4fea75666b56cfd668d72c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_95fc2287fc4fea75666b56cfd668d72c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 95fc2287fc4fea75666b56cfd668d72c.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 95fc2287fc4fea75666b56cfd668d72c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Synaptics.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4280 schtasks.exe 2200 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 5212 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 36 IoCs
pid Process 3032 95fc2287fc4fea75666b56cfd668d72c.exe 3032 95fc2287fc4fea75666b56cfd668d72c.exe 3032 95fc2287fc4fea75666b56cfd668d72c.exe 3032 95fc2287fc4fea75666b56cfd668d72c.exe 3032 95fc2287fc4fea75666b56cfd668d72c.exe 3032 95fc2287fc4fea75666b56cfd668d72c.exe 3032 95fc2287fc4fea75666b56cfd668d72c.exe 3032 95fc2287fc4fea75666b56cfd668d72c.exe 4336 powershell.exe 4336 powershell.exe 2364 powershell.exe 2364 powershell.exe 3032 95fc2287fc4fea75666b56cfd668d72c.exe 3032 95fc2287fc4fea75666b56cfd668d72c.exe 4336 powershell.exe 2364 powershell.exe 5708 ._cache_95fc2287fc4fea75666b56cfd668d72c.exe 5708 ._cache_95fc2287fc4fea75666b56cfd668d72c.exe 3452 Synaptics.exe 3452 Synaptics.exe 3452 Synaptics.exe 3452 Synaptics.exe 3452 Synaptics.exe 3452 Synaptics.exe 3452 Synaptics.exe 3452 Synaptics.exe 6092 powershell.exe 5804 powershell.exe 5804 powershell.exe 6092 powershell.exe 3452 Synaptics.exe 3452 Synaptics.exe 6092 powershell.exe 5804 powershell.exe 3200 ._cache_Synaptics.exe 3200 ._cache_Synaptics.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 3032 95fc2287fc4fea75666b56cfd668d72c.exe Token: SeDebugPrivilege 4336 powershell.exe Token: SeDebugPrivilege 2364 powershell.exe Token: SeDebugPrivilege 5708 ._cache_95fc2287fc4fea75666b56cfd668d72c.exe Token: SeDebugPrivilege 3452 Synaptics.exe Token: SeDebugPrivilege 6092 powershell.exe Token: SeDebugPrivilege 5804 powershell.exe Token: SeDebugPrivilege 3200 ._cache_Synaptics.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 5212 EXCEL.EXE 5212 EXCEL.EXE 5212 EXCEL.EXE 5212 EXCEL.EXE 5212 EXCEL.EXE 5212 EXCEL.EXE -
Suspicious use of WriteProcessMemory 49 IoCs
description pid Process procid_target PID 3032 wrote to memory of 4336 3032 95fc2287fc4fea75666b56cfd668d72c.exe 103 PID 3032 wrote to memory of 4336 3032 95fc2287fc4fea75666b56cfd668d72c.exe 103 PID 3032 wrote to memory of 4336 3032 95fc2287fc4fea75666b56cfd668d72c.exe 103 PID 3032 wrote to memory of 2364 3032 95fc2287fc4fea75666b56cfd668d72c.exe 105 PID 3032 wrote to memory of 2364 3032 95fc2287fc4fea75666b56cfd668d72c.exe 105 PID 3032 wrote to memory of 2364 3032 95fc2287fc4fea75666b56cfd668d72c.exe 105 PID 3032 wrote to memory of 4280 3032 95fc2287fc4fea75666b56cfd668d72c.exe 106 PID 3032 wrote to memory of 4280 3032 95fc2287fc4fea75666b56cfd668d72c.exe 106 PID 3032 wrote to memory of 4280 3032 95fc2287fc4fea75666b56cfd668d72c.exe 106 PID 3032 wrote to memory of 2352 3032 95fc2287fc4fea75666b56cfd668d72c.exe 109 PID 3032 wrote to memory of 2352 3032 95fc2287fc4fea75666b56cfd668d72c.exe 109 PID 3032 wrote to memory of 2352 3032 95fc2287fc4fea75666b56cfd668d72c.exe 109 PID 3032 wrote to memory of 2352 3032 95fc2287fc4fea75666b56cfd668d72c.exe 109 PID 3032 wrote to memory of 2352 3032 95fc2287fc4fea75666b56cfd668d72c.exe 109 PID 3032 wrote to memory of 2352 3032 95fc2287fc4fea75666b56cfd668d72c.exe 109 PID 3032 wrote to memory of 2352 3032 95fc2287fc4fea75666b56cfd668d72c.exe 109 PID 3032 wrote to memory of 2352 3032 95fc2287fc4fea75666b56cfd668d72c.exe 109 PID 3032 wrote to memory of 2352 3032 95fc2287fc4fea75666b56cfd668d72c.exe 109 PID 3032 wrote to memory of 2352 3032 95fc2287fc4fea75666b56cfd668d72c.exe 109 PID 3032 wrote to memory of 2352 3032 95fc2287fc4fea75666b56cfd668d72c.exe 109 PID 2352 wrote to memory of 5708 2352 95fc2287fc4fea75666b56cfd668d72c.exe 110 PID 2352 wrote to memory of 5708 2352 95fc2287fc4fea75666b56cfd668d72c.exe 110 PID 2352 wrote to memory of 5708 2352 95fc2287fc4fea75666b56cfd668d72c.exe 110 PID 2352 wrote to memory of 3452 2352 95fc2287fc4fea75666b56cfd668d72c.exe 111 PID 2352 wrote to memory of 3452 2352 
95fc2287fc4fea75666b56cfd668d72c.exe 111 PID 2352 wrote to memory of 3452 2352 95fc2287fc4fea75666b56cfd668d72c.exe 111 PID 3452 wrote to memory of 6092 3452 Synaptics.exe 114 PID 3452 wrote to memory of 6092 3452 Synaptics.exe 114 PID 3452 wrote to memory of 6092 3452 Synaptics.exe 114 PID 3452 wrote to memory of 5804 3452 Synaptics.exe 116 PID 3452 wrote to memory of 5804 3452 Synaptics.exe 116 PID 3452 wrote to memory of 5804 3452 Synaptics.exe 116 PID 3452 wrote to memory of 2200 3452 Synaptics.exe 118 PID 3452 wrote to memory of 2200 3452 Synaptics.exe 118 PID 3452 wrote to memory of 2200 3452 Synaptics.exe 118 PID 3452 wrote to memory of 4500 3452 Synaptics.exe 120 PID 3452 wrote to memory of 4500 3452 Synaptics.exe 120 PID 3452 wrote to memory of 4500 3452 Synaptics.exe 120 PID 3452 wrote to memory of 4500 3452 Synaptics.exe 120 PID 3452 wrote to memory of 4500 3452 Synaptics.exe 120 PID 3452 wrote to memory of 4500 3452 Synaptics.exe 120 PID 3452 wrote to memory of 4500 3452 Synaptics.exe 120 PID 3452 wrote to memory of 4500 3452 Synaptics.exe 120 PID 3452 wrote to memory of 4500 3452 Synaptics.exe 120 PID 3452 wrote to memory of 4500 3452 Synaptics.exe 120 PID 3452 wrote to memory of 4500 3452 Synaptics.exe 120 PID 4500 wrote to memory of 3200 4500 Synaptics.exe 121 PID 4500 wrote to memory of 3200 4500 Synaptics.exe 121 PID 4500 wrote to memory of 3200 4500 Synaptics.exe 121 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ._cache_Synaptics.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ._cache_Synaptics.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\95fc2287fc4fea75666b56cfd668d72c.exe"C:\Users\Admin\AppData\Local\Temp\95fc2287fc4fea75666b56cfd668d72c.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\95fc2287fc4fea75666b56cfd668d72c.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4336
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sXLAWJKdeDZVj.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2364
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sXLAWJKdeDZVj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD84F.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4280
-
-
C:\Users\Admin\AppData\Local\Temp\95fc2287fc4fea75666b56cfd668d72c.exe"C:\Users\Admin\AppData\Local\Temp\95fc2287fc4fea75666b56cfd668d72c.exe"2⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Users\Admin\AppData\Local\Temp\._cache_95fc2287fc4fea75666b56cfd668d72c.exe"C:\Users\Admin\AppData\Local\Temp\._cache_95fc2287fc4fea75666b56cfd668d72c.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5708
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3452 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Synaptics\Synaptics.exe"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6092
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sXLAWJKdeDZVj.exe"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5804
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sXLAWJKdeDZVj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp59A4.tmp"4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2200
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4500 -
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"5⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3200
-
-
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5212
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Downloads
-
Filesize
9.7MB
MD5 95fc2287fc4fea75666b56cfd668d72c
SHA1 9de58712ca97a8b052b21f8ce7afa9708b671c2b
SHA256 16e39062569dd0ef3936b52c974370c6ef11b58149eae4f9d42b7f1079765091
SHA512 96371451474490e42cf2444eee70a1a1be4f0a32888f348e1d3ea004bc71621dce799b1190fd9388d2bde36a5d3c57ad9d79c602a798dad5ec626a161032bf70
-
Filesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
Filesize
18KB
MD5fbb533e5215874eb566970b975a0613b
SHA1a45dd34ca6725ee0e3d83a3f9ba3cbb984c32d75
SHA256e9c69b4027d0896e07e584a1c0cbfa26e55790c459609e2329ff95cd8c7764b3
SHA5126a75d18a6fa47ec08d92d297c90e35752c182af4f76dfd4bc78bb2665605cda18d112549cab8119a16f3fa12e26cacbc9ec19523b269a0641a5e0b7d77ca4297
-
Filesize
18KB
MD5e0b2f9bf8c069da3ad1a75fa99e6dd3d
SHA1f7e01ddd2f2d9b70b5d4dcd983e5de51f0122db1
SHA256064ab815dc908924a8476d325487f46201d2825c489db9444bdc9780789c1bcb
SHA51244f02c07e68bb1ee2327d7c9cc054a125df6b24567ec2929ce6ff44628bbf55da09a4ee2d606874fedf0dd5afde6ce038bbf8bfcd23e55efe86b673555355c6c
-
Filesize
91KB
MD5b45e3c4c10da3da0c69e2f90dc3dfb10
SHA161a36473ced38978793a9af1aea1fc528eebe457
SHA256b6fe518ed8ca7ee32f79bb5dd52ab8250cc595d1aa8daec123cef383c6b0bdb6
SHA51244d0c2e0904702dd22c92004415ef3c821bf63de0fb0cc6d7cca41eab36f32531530dd5fdb48017fc5405c7554ae6387514ef3f4e74eea4b36a14d587742e15b
-
Filesize
23KB
MD5242927cd20c90961672475247f971560
SHA1af95d6684f1d389319ca2ebbc88ab4dfb7c27bdb
SHA256707dbe8e7475d9922ec237609633b1f0659f8b539d9c18e82ce4064b1c49b813
SHA512f88cb9e66a2f867a78219b147bcf523476b06a2817bc36655091db13a2683fa927d2f8d20a5344bc7f1bb65162420728f15ec1cf1462b9f8d43975627129d583
-
Filesize
17KB
MD5e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD577eae26d27c39f4aa256905fcaab2f7b
SHA107ea96f702fc193cbf8a26b54666ba4a6b511610
SHA256401a9948039416657ac3dadca4406930e421c98c2b7f97bdfb68e944201eddd0
SHA512b17fbc2f8a272723d241d9b9f72013d61bdc9051c53ee3f12c99b82d3d30bf38de9a815bbb33fda9cbdae9b25c887f857a163d63d447981ec9cf8577e09ce321