xred | 63b2109d651e58bdceb6dcd68821e723f4a5ce45875405cf395ff04937ea26b8

Analysis

max time kernel
130s
max time network
160s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe
Size

11.1MB
MD5

a22ee5e739a2ac8369547f4fce22b08a
SHA1

8e4a30c3f03682b057307548e83af8b3a5ff12f6
SHA256

9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0
SHA512

aa0a9be779940a26d2adb13f3380d1556d4de6a1f2b6eb7e5bf05e02342cb9fbc6b5417b903fd49382d1d0508af4189aca1f528c496e7c111e93ccdca50669fd
SSDEEP

196608:INsg4AMgAyNsg4AMgAINsg4AMgAFNsg4AMgAINsg4AMgAENsg4AMgAiNsg4AMgA8:IGg4adGg4a3Gg4aqGg4ajGg4aDGg4a1f

Score

10^/10

xred backdoor collection discovery execution macro persistence spyware stealer

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3000	powershell.exe
2660	powershell.exe
1004	powershell.exe
2164	powershell.exe

Suspicious Office macro 3 IoCs

Office document equipped with macros.

macro

resource
behavioral31/files/0x000500000001945c-139.dat
behavioral31/files/0x000600000001946b-152.dat
behavioral31/files/0x000700000001945c-163.dat

Executes dropped EXE 5 IoCs

pid	Process
1276	._cache_9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe
1260	Synaptics.exe
1272	Synaptics.exe
1728	Synaptics.exe
2624	._cache_Synaptics.exe

Loads dropped DLL 4 IoCs

pid	Process
2564	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe
2564	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe
1272	Synaptics.exe
1272	Synaptics.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	reallyfreegeoip.org
4	checkip.dyndns.org
8	reallyfreegeoip.org
9	reallyfreegeoip.org

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2324 set thread context of 2564	2324	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe	37
PID 1260 set thread context of 1272	1260	Synaptics.exe	47

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2856	schtasks.exe
1136	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1704	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2324	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe
2324	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe
2324	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe
2324	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe
2324	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe
2324	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe
2324	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe
2324	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe
3000	powershell.exe
2660	powershell.exe
2324	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe
1260	Synaptics.exe
1260	Synaptics.exe
1260	Synaptics.exe
1276	._cache_9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe
1260	Synaptics.exe
1260	Synaptics.exe
1260	Synaptics.exe
1260	Synaptics.exe
1260	Synaptics.exe
1004	powershell.exe
2164	powershell.exe
1260	Synaptics.exe
1260	Synaptics.exe
1260	Synaptics.exe
2624	._cache_Synaptics.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	1276	._cache_9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe
Token: SeDebugPrivilege	1260	Synaptics.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	2624	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1704	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 3000	2324	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe	31
PID 2324 wrote to memory of 3000	2324	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe	31
PID 2324 wrote to memory of 3000	2324	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe	31
PID 2324 wrote to memory of 3000	2324	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe	31
PID 2324 wrote to memory of 2660	2324	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe	33
PID 2324 wrote to memory of 2660	2324	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe	33
PID 2324 wrote to memory of 2660	2324	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe	33
PID 2324 wrote to memory of 2660	2324	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe	33
PID 2324 wrote to memory of 2856	2324	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe	35
PID 2324 wrote to memory of 2856	2324	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe	35
PID 2324 wrote to memory of 2856	2324	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe	35
PID 2324 wrote to memory of 2856	2324	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe	35
PID 2324 wrote to memory of 2564	2324	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe	37
PID 2324 wrote to memory of 2564	2324	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe	37
PID 2324 wrote to memory of 2564	2324	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe	37
PID 2324 wrote to memory of 2564	2324	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe	37
PID 2324 wrote to memory of 2564	2324	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe	37
PID 2324 wrote to memory of 2564	2324	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe	37
PID 2324 wrote to memory of 2564	2324	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe	37
PID 2324 wrote to memory of 2564	2324	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe	37
PID 2324 wrote to memory of 2564	2324	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe	37
PID 2324 wrote to memory of 2564	2324	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe	37
PID 2324 wrote to memory of 2564	2324	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe	37
PID 2324 wrote to memory of 2564	2324	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe	37
PID 2564 wrote to memory of 1276	2564	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe	38
PID 2564 wrote to memory of 1276	2564	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe	38
PID 2564 wrote to memory of 1276	2564	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe	38
PID 2564 wrote to memory of 1276	2564	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe	38
PID 2564 wrote to memory of 1260	2564	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe	39
PID 2564 wrote to memory of 1260	2564	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe	39
PID 2564 wrote to memory of 1260	2564	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe	39
PID 2564 wrote to memory of 1260	2564	9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe	39
PID 1260 wrote to memory of 1004	1260	Synaptics.exe	40
PID 1260 wrote to memory of 1004	1260	Synaptics.exe	40
PID 1260 wrote to memory of 1004	1260	Synaptics.exe	40
PID 1260 wrote to memory of 1004	1260	Synaptics.exe	40
PID 1260 wrote to memory of 2164	1260	Synaptics.exe	42
PID 1260 wrote to memory of 2164	1260	Synaptics.exe	42
PID 1260 wrote to memory of 2164	1260	Synaptics.exe	42
PID 1260 wrote to memory of 2164	1260	Synaptics.exe	42
PID 1260 wrote to memory of 1136	1260	Synaptics.exe	44
PID 1260 wrote to memory of 1136	1260	Synaptics.exe	44
PID 1260 wrote to memory of 1136	1260	Synaptics.exe	44
PID 1260 wrote to memory of 1136	1260	Synaptics.exe	44
PID 1260 wrote to memory of 1728	1260	Synaptics.exe	46
PID 1260 wrote to memory of 1728	1260	Synaptics.exe	46
PID 1260 wrote to memory of 1728	1260	Synaptics.exe	46
PID 1260 wrote to memory of 1728	1260	Synaptics.exe	46
PID 1260 wrote to memory of 1272	1260	Synaptics.exe	47
PID 1260 wrote to memory of 1272	1260	Synaptics.exe	47
PID 1260 wrote to memory of 1272	1260	Synaptics.exe	47
PID 1260 wrote to memory of 1272	1260	Synaptics.exe	47
PID 1260 wrote to memory of 1272	1260	Synaptics.exe	47
PID 1260 wrote to memory of 1272	1260	Synaptics.exe	47
PID 1260 wrote to memory of 1272	1260	Synaptics.exe	47
PID 1260 wrote to memory of 1272	1260	Synaptics.exe	47
PID 1260 wrote to memory of 1272	1260	Synaptics.exe	47
PID 1260 wrote to memory of 1272	1260	Synaptics.exe	47
PID 1260 wrote to memory of 1272	1260	Synaptics.exe	47
PID 1260 wrote to memory of 1272	1260	Synaptics.exe	47
PID 1272 wrote to memory of 2624	1272	Synaptics.exe	48
PID 1272 wrote to memory of 2624	1272	Synaptics.exe	48
PID 1272 wrote to memory of 2624	1272	Synaptics.exe	48
PID 1272 wrote to memory of 2624	1272	Synaptics.exe	48

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	._cache_Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe
"C:\Users\Admin\AppData\Local\Temp\9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sXLAWJKdeDZVj.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2660
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sXLAWJKdeDZVj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp71F5.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2856
- C:\Users\Admin\AppData\Local\Temp\9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe
  "C:\Users\Admin\AppData\Local\Temp\9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Users\Admin\AppData\Local\Temp\._cache_9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1276
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1260
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1004
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sXLAWJKdeDZVj.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2164
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sXLAWJKdeDZVj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEB68.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1136
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Executes dropped EXE
      PID:1728
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1272
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:2624

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
11.1MB

MD5
a22ee5e739a2ac8369547f4fce22b08a

SHA1
8e4a30c3f03682b057307548e83af8b3a5ff12f6

SHA256
9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0

SHA512
aa0a9be779940a26d2adb13f3380d1556d4de6a1f2b6eb7e5bf05e02342cb9fbc6b5417b903fd49382d1d0508af4189aca1f528c496e7c111e93ccdca50669fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_9ff5970462c67be2a3276d50e2caaccef892d83239ae7ab8c9e634995796bee0.exe

Filesize
91KB

MD5
b45e3c4c10da3da0c69e2f90dc3dfb10

SHA1
61a36473ced38978793a9af1aea1fc528eebe457

SHA256
b6fe518ed8ca7ee32f79bb5dd52ab8250cc595d1aa8daec123cef383c6b0bdb6

SHA512
44d0c2e0904702dd22c92004415ef3c821bf63de0fb0cc6d7cca41eab36f32531530dd5fdb48017fc5405c7554ae6387514ef3f4e74eea4b36a14d587742e15b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jyCH38d3.xlsm

Filesize
25KB

MD5
85c5bd4aa371d940d286aa719b7a66ce

SHA1
7ffdc06e3fe539acac135b5218e5468f98e37fee

SHA256
eed32ca88cf512c2cbf51c2c4bb1ea89754b3f53bf6e4e0fc6b2af6fc929d966

SHA512
03d25ab385a84701532d82e1cb7ce7699422b2806f6d22050ecafcc8db8b69c94cdc1f286ca82d2dab842ebc6c98c912f038973ced53bf79b4887c0731feaf2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jyCH38d3.xlsm

Filesize
27KB

MD5
45c52029801b229d5c7859c192e9fd41

SHA1
2434da2572c5888504a0f0dbf9d81d7fe980d8ce

SHA256
2c6b7b03d8789888992466faa4073a0ffc6eb065eff3f2cd4df87f99ff97102b

SHA512
0a2d559b074f269b9e1106457dd64556c3721bf80a615715584898b6c449305a639615eb4ee1c0ec9b78c9801f18f6442191ddd4d59cf6cec0416c3e7a027ce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jyCH38d3.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\jyCH38d3.xlsm

Filesize
32KB

MD5
21aba3ce031b8967f86c6c9b04c554ef

SHA1
aa71b6588904e0e55b0a03d22d3761237942430b

SHA256
d07f0dd0d2af76bbdad20579c60a0d4d666ae70fa0ec1d34ca208a02649cfc41

SHA512
ef90feab33a862d55bbb8844ded9b53cfa70061603c80b9f83c3327e3c29d0ef4bd1d2a2a987225f444556f74305a8065e546402eb37cb77e21b4e4b7b9d7c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp71F5.tmp

Filesize
1KB

MD5
1a6f091575e68f2f425396e53a9effc9

SHA1
24b391e2e075a4ab0e587ecc098d9750486a220a

SHA256
0366be5662d005ef118b923e5eebdadc839beeb6e3af6b6c78e856963015eb7d

SHA512
a876c85a51459376f3d68f55741ed4d503760d9949aa7eada0ff5e12f4a688b378f01c1e2f3d252e58fb0a638c3206e788c18e6431bcf13e976da557cb3e81df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J3MGPW91LCMHCKPT56IU.temp

Filesize
7KB

MD5
ab6748433311fa38294fb6d56b3d5dca

SHA1
7ea42648465d12246f4083bc4cf5e7b253bb56f3

SHA256
5df43188dad0ce725d0b17ca1dc5fe36d59e70104092b43b52b96cf4d20958f0

SHA512
5281bea59810ed2f9bc65ea7fe8c0b97ee64ec5c8258fb7ae5b7968f13af01b5c25512dfed6573705d2cc90b753dac5c841c339b3f4307d3359fce5b33e5962d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
6cb65d611c54bdb8f7b68232db8e0d60

SHA1
375420accc50db86e1097b3db525fa368acaf548

SHA256
019613801382eb8a0681dbaca90dd42497b547f7ff409448cfb09d5a921c79d5

SHA512
42e2bc36b90dcb54ab6cd7ea7ea23894bb79b40ed055a276d632f6d9f20397158e58f5b73eee56c8fdd7dba92446b161e93cabdac1879378fa79d290da422e91

Download Submit
memory/1260-62-0x0000000000F70000-0x0000000001A86000-memory.dmp

Filesize
11.1MB

Download
memory/1272-170-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1272-172-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1272-169-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1272-89-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1272-200-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1272-92-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1276-55-0x0000000000B40000-0x0000000000B5E000-memory.dmp

Filesize
120KB

Download
memory/1704-104-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1704-171-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2324-6-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Filesize
6.9MB

Download
memory/2324-5-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

Filesize
4KB

Download
memory/2324-4-0x00000000005B0000-0x00000000005CE000-memory.dmp

Filesize
120KB

Download
memory/2324-7-0x0000000006530000-0x000000000664E000-memory.dmp

Filesize
1.1MB

Download
memory/2324-3-0x00000000059B0000-0x0000000005B0C000-memory.dmp

Filesize
1.4MB

Download
memory/2324-2-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Filesize
6.9MB

Download
memory/2324-1-0x0000000000970000-0x0000000001486000-memory.dmp

Filesize
11.1MB

Download
memory/2324-0-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

Filesize
4KB

Download
memory/2324-39-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Filesize
6.9MB

Download
memory/2564-35-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2564-20-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2564-22-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2564-24-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2564-26-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2564-28-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2564-30-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2564-32-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2564-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2564-36-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2624-103-0x00000000001E0000-0x00000000001FE000-memory.dmp

Filesize
120KB

Download