njrat | 277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7v20201028
submitted
28-02-2021 07:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe
Size

1.2MB
MD5

6382e1ba0bdcd1a586f97e1e20f77868
SHA1

2cc4ae531be8b82dccf3c4c14e326307e2926658
SHA256

277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2
SHA512

c87b8082c6e4e58772fc189f64c64c89ced21cee1530dbf785e3e540163821f30fe9113671e5ddab3922468713f21c0a0784de869c2863ba362e09c9a1765ad3

Score

10^/10

njrat hnz-shop evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HNZ-SHOP

*TI3LjAu*C4x:5552

Mutex

316cc8fdf2ba11b55349f6a002cabe83

Attributes

reg_key
316cc8fdf2ba11b55349f6a002cabe83
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 5 IoCs

Processes:

._cache_277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exeSynaptics.exeSynaptics.exe._cache_Synaptics.exeServer.exe

pid	process
1756	._cache_277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe
1736	Synaptics.exe
1136	Synaptics.exe
1584	._cache_Synaptics.exe
1576	Server.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 2 IoCs

Processes:

Server.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\316cc8fdf2ba11b55349f6a002cabe83.exe	Server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\316cc8fdf2ba11b55349f6a002cabe83.exe	Server.exe

Loads dropped DLL 6 IoCs

Processes:

277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exeSynaptics.exeSynaptics.exe._cache_277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe

pid	process
1984	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe
1984	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe
1736	Synaptics.exe
1136	Synaptics.exe
1136	Synaptics.exe
1756	._cache_277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exeServer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\XaMRHtkAYM = "C:\\Users\\Admin\\AppData\\Roaming\\ZyXeWNHWdo\\NpYKCcBqCA.exe"	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\316cc8fdf2ba11b55349f6a002cabe83 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .."	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\316cc8fdf2ba11b55349f6a002cabe83 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .."	Server.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exeSynaptics.exe

description	pid	process	target process
PID 776 set thread context of 1984	776	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe
PID 1736 set thread context of 1136	1736	Synaptics.exe	Synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Synaptics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Synaptics.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

Server.exe

description	pid	process
Token: SeDebugPrivilege	1576	Server.exe
Token: 33	1576	Server.exe
Token: SeIncBasePriorityPrivilege	1576	Server.exe
Token: 33	1576	Server.exe
Token: SeIncBasePriorityPrivilege	1576	Server.exe
Token: 33	1576	Server.exe
Token: SeIncBasePriorityPrivilege	1576	Server.exe
Token: 33	1576	Server.exe
Token: SeIncBasePriorityPrivilege	1576	Server.exe
Token: 33	1576	Server.exe
Token: SeIncBasePriorityPrivilege	1576	Server.exe
Token: 33	1576	Server.exe
Token: SeIncBasePriorityPrivilege	1576	Server.exe
Token: 33	1576	Server.exe
Token: SeIncBasePriorityPrivilege	1576	Server.exe
Token: 33	1576	Server.exe
Token: SeIncBasePriorityPrivilege	1576	Server.exe
Token: 33	1576	Server.exe
Token: SeIncBasePriorityPrivilege	1576	Server.exe
Token: 33	1576	Server.exe
Token: SeIncBasePriorityPrivilege	1576	Server.exe
Token: 33	1576	Server.exe
Token: SeIncBasePriorityPrivilege	1576	Server.exe
Token: 33	1576	Server.exe
Token: SeIncBasePriorityPrivilege	1576	Server.exe
Token: 33	1576	Server.exe
Token: SeIncBasePriorityPrivilege	1576	Server.exe
Token: 33	1576	Server.exe
Token: SeIncBasePriorityPrivilege	1576	Server.exe
Token: 33	1576	Server.exe
Token: SeIncBasePriorityPrivilege	1576	Server.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exeSynaptics.exeSynaptics.exe._cache_277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exeServer.exe

description	pid	process	target process
PID 776 wrote to memory of 1984	776	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe
PID 776 wrote to memory of 1984	776	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe
PID 776 wrote to memory of 1984	776	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe
PID 776 wrote to memory of 1984	776	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe
PID 776 wrote to memory of 1984	776	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe
PID 776 wrote to memory of 1984	776	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe
PID 776 wrote to memory of 1984	776	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe
PID 776 wrote to memory of 1984	776	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe
PID 776 wrote to memory of 1984	776	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe
PID 776 wrote to memory of 1984	776	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe
PID 776 wrote to memory of 1984	776	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe
PID 776 wrote to memory of 1984	776	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe
PID 1984 wrote to memory of 1756	1984	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe	._cache_277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe
PID 1984 wrote to memory of 1756	1984	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe	._cache_277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe
PID 1984 wrote to memory of 1756	1984	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe	._cache_277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe
PID 1984 wrote to memory of 1756	1984	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe	._cache_277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe
PID 1984 wrote to memory of 1736	1984	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe	Synaptics.exe
PID 1984 wrote to memory of 1736	1984	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe	Synaptics.exe
PID 1984 wrote to memory of 1736	1984	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe	Synaptics.exe
PID 1984 wrote to memory of 1736	1984	277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe	Synaptics.exe
PID 1736 wrote to memory of 1136	1736	Synaptics.exe	Synaptics.exe
PID 1736 wrote to memory of 1136	1736	Synaptics.exe	Synaptics.exe
PID 1736 wrote to memory of 1136	1736	Synaptics.exe	Synaptics.exe
PID 1736 wrote to memory of 1136	1736	Synaptics.exe	Synaptics.exe
PID 1736 wrote to memory of 1136	1736	Synaptics.exe	Synaptics.exe
PID 1736 wrote to memory of 1136	1736	Synaptics.exe	Synaptics.exe
PID 1736 wrote to memory of 1136	1736	Synaptics.exe	Synaptics.exe
PID 1736 wrote to memory of 1136	1736	Synaptics.exe	Synaptics.exe
PID 1736 wrote to memory of 1136	1736	Synaptics.exe	Synaptics.exe
PID 1736 wrote to memory of 1136	1736	Synaptics.exe	Synaptics.exe
PID 1736 wrote to memory of 1136	1736	Synaptics.exe	Synaptics.exe
PID 1736 wrote to memory of 1136	1736	Synaptics.exe	Synaptics.exe
PID 1136 wrote to memory of 1584	1136	Synaptics.exe	._cache_Synaptics.exe
PID 1136 wrote to memory of 1584	1136	Synaptics.exe	._cache_Synaptics.exe
PID 1136 wrote to memory of 1584	1136	Synaptics.exe	._cache_Synaptics.exe
PID 1136 wrote to memory of 1584	1136	Synaptics.exe	._cache_Synaptics.exe
PID 1756 wrote to memory of 1576	1756	._cache_277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe	Server.exe
PID 1756 wrote to memory of 1576	1756	._cache_277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe	Server.exe
PID 1756 wrote to memory of 1576	1756	._cache_277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe	Server.exe
PID 1756 wrote to memory of 1576	1756	._cache_277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe	Server.exe
PID 1576 wrote to memory of 896	1576	Server.exe	netsh.exe
PID 1576 wrote to memory of 896	1576	Server.exe	netsh.exe
PID 1576 wrote to memory of 896	1576	Server.exe	netsh.exe
PID 1576 wrote to memory of 896	1576	Server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe
"C:\Users\Admin\AppData\Local\Temp\277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:776

C:\Users\Admin\AppData\Local\Temp\277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe
"C:\Users\Admin\AppData\Local\Temp\277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\._cache_277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
5⤵
PID:896

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1736

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1136

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
5⤵
- Executes dropped EXE
PID:1584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe
MD5
8f8c7dcde2d43feb843d321584f091eb

SHA1
322bf412068ce42bf377c896227afcc4ee633bc1

SHA256
c622c9ef2fb3ef6249753165d6991a0dc4f03862cdada6c52ed6f603614da667

SHA512
f2f73a7d18ee61413fc05a62793ea161fcf200486b2d9d4da0c4b11e3f6d92b4af7e8209f967a446e5be327027bc433c7c00a29240f6b59bd4c4945de9a785f3

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
MD5
8f8c7dcde2d43feb843d321584f091eb

SHA1
322bf412068ce42bf377c896227afcc4ee633bc1

SHA256
c622c9ef2fb3ef6249753165d6991a0dc4f03862cdada6c52ed6f603614da667

SHA512
f2f73a7d18ee61413fc05a62793ea161fcf200486b2d9d4da0c4b11e3f6d92b4af7e8209f967a446e5be327027bc433c7c00a29240f6b59bd4c4945de9a785f3

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
MD5
8f8c7dcde2d43feb843d321584f091eb

SHA1
322bf412068ce42bf377c896227afcc4ee633bc1

SHA256
c622c9ef2fb3ef6249753165d6991a0dc4f03862cdada6c52ed6f603614da667

SHA512
f2f73a7d18ee61413fc05a62793ea161fcf200486b2d9d4da0c4b11e3f6d92b4af7e8209f967a446e5be327027bc433c7c00a29240f6b59bd4c4945de9a785f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe
MD5
7b1c629c3fba23c2f0da5b89818c1731

SHA1
10df1ce94976452ac3fc8736f41b3031d948c530

SHA256
956a1bd3a13f1421099325462c6b1c7a4f1ba4dafa94c8ea07bbcb2ef3994d01

SHA512
f225d96a3f8f464d4169525bf2ea28ff73c77031928bdaa4e8b1885a0a3db3ea6a91eac20ff7dbeb774c73d101c32d4d8bb5fa53b0e7585d43076d681369473b

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe
MD5
7b1c629c3fba23c2f0da5b89818c1731

SHA1
10df1ce94976452ac3fc8736f41b3031d948c530

SHA256
956a1bd3a13f1421099325462c6b1c7a4f1ba4dafa94c8ea07bbcb2ef3994d01

SHA512
f225d96a3f8f464d4169525bf2ea28ff73c77031928bdaa4e8b1885a0a3db3ea6a91eac20ff7dbeb774c73d101c32d4d8bb5fa53b0e7585d43076d681369473b

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
MD5
7b1c629c3fba23c2f0da5b89818c1731

SHA1
10df1ce94976452ac3fc8736f41b3031d948c530

SHA256
956a1bd3a13f1421099325462c6b1c7a4f1ba4dafa94c8ea07bbcb2ef3994d01

SHA512
f225d96a3f8f464d4169525bf2ea28ff73c77031928bdaa4e8b1885a0a3db3ea6a91eac20ff7dbeb774c73d101c32d4d8bb5fa53b0e7585d43076d681369473b

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
MD5
7b1c629c3fba23c2f0da5b89818c1731

SHA1
10df1ce94976452ac3fc8736f41b3031d948c530

SHA256
956a1bd3a13f1421099325462c6b1c7a4f1ba4dafa94c8ea07bbcb2ef3994d01

SHA512
f225d96a3f8f464d4169525bf2ea28ff73c77031928bdaa4e8b1885a0a3db3ea6a91eac20ff7dbeb774c73d101c32d4d8bb5fa53b0e7585d43076d681369473b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
MD5
7b1c629c3fba23c2f0da5b89818c1731

SHA1
10df1ce94976452ac3fc8736f41b3031d948c530

SHA256
956a1bd3a13f1421099325462c6b1c7a4f1ba4dafa94c8ea07bbcb2ef3994d01

SHA512
f225d96a3f8f464d4169525bf2ea28ff73c77031928bdaa4e8b1885a0a3db3ea6a91eac20ff7dbeb774c73d101c32d4d8bb5fa53b0e7585d43076d681369473b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
MD5
7b1c629c3fba23c2f0da5b89818c1731

SHA1
10df1ce94976452ac3fc8736f41b3031d948c530

SHA256
956a1bd3a13f1421099325462c6b1c7a4f1ba4dafa94c8ea07bbcb2ef3994d01

SHA512
f225d96a3f8f464d4169525bf2ea28ff73c77031928bdaa4e8b1885a0a3db3ea6a91eac20ff7dbeb774c73d101c32d4d8bb5fa53b0e7585d43076d681369473b

Download Submit
\ProgramData\Synaptics\Synaptics.exe
MD5
8f8c7dcde2d43feb843d321584f091eb

SHA1
322bf412068ce42bf377c896227afcc4ee633bc1

SHA256
c622c9ef2fb3ef6249753165d6991a0dc4f03862cdada6c52ed6f603614da667

SHA512
f2f73a7d18ee61413fc05a62793ea161fcf200486b2d9d4da0c4b11e3f6d92b4af7e8209f967a446e5be327027bc433c7c00a29240f6b59bd4c4945de9a785f3

Download Submit
\ProgramData\Synaptics\Synaptics.exe
MD5
8f8c7dcde2d43feb843d321584f091eb

SHA1
322bf412068ce42bf377c896227afcc4ee633bc1

SHA256
c622c9ef2fb3ef6249753165d6991a0dc4f03862cdada6c52ed6f603614da667

SHA512
f2f73a7d18ee61413fc05a62793ea161fcf200486b2d9d4da0c4b11e3f6d92b4af7e8209f967a446e5be327027bc433c7c00a29240f6b59bd4c4945de9a785f3

Download Submit
\ProgramData\Synaptics\Synaptics.exe
MD5
8f8c7dcde2d43feb843d321584f091eb

SHA1
322bf412068ce42bf377c896227afcc4ee633bc1

SHA256
c622c9ef2fb3ef6249753165d6991a0dc4f03862cdada6c52ed6f603614da667

SHA512
f2f73a7d18ee61413fc05a62793ea161fcf200486b2d9d4da0c4b11e3f6d92b4af7e8209f967a446e5be327027bc433c7c00a29240f6b59bd4c4945de9a785f3

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2.exe
MD5
7b1c629c3fba23c2f0da5b89818c1731

SHA1
10df1ce94976452ac3fc8736f41b3031d948c530

SHA256
956a1bd3a13f1421099325462c6b1c7a4f1ba4dafa94c8ea07bbcb2ef3994d01

SHA512
f225d96a3f8f464d4169525bf2ea28ff73c77031928bdaa4e8b1885a0a3db3ea6a91eac20ff7dbeb774c73d101c32d4d8bb5fa53b0e7585d43076d681369473b

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
MD5
7b1c629c3fba23c2f0da5b89818c1731

SHA1
10df1ce94976452ac3fc8736f41b3031d948c530

SHA256
956a1bd3a13f1421099325462c6b1c7a4f1ba4dafa94c8ea07bbcb2ef3994d01

SHA512
f225d96a3f8f464d4169525bf2ea28ff73c77031928bdaa4e8b1885a0a3db3ea6a91eac20ff7dbeb774c73d101c32d4d8bb5fa53b0e7585d43076d681369473b

Download Submit
\Users\Admin\AppData\Local\Temp\Server.exe
MD5
7b1c629c3fba23c2f0da5b89818c1731

SHA1
10df1ce94976452ac3fc8736f41b3031d948c530

SHA256
956a1bd3a13f1421099325462c6b1c7a4f1ba4dafa94c8ea07bbcb2ef3994d01

SHA512
f225d96a3f8f464d4169525bf2ea28ff73c77031928bdaa4e8b1885a0a3db3ea6a91eac20ff7dbeb774c73d101c32d4d8bb5fa53b0e7585d43076d681369473b

Download Submit
memory/776-5-0x0000000000250000-0x0000000000253000-memory.dmp

Filesize
12KB

Download
memory/776-3-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/776-2-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/896-46-0x0000000000000000-mapping.dmp

Download
memory/1136-26-0x000000000049AB80-mapping.dmp

Download
memory/1136-30-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1136-31-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1576-40-0x0000000000000000-mapping.dmp

Download
memory/1576-44-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/1584-38-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1584-34-0x0000000000000000-mapping.dmp

Download
memory/1736-21-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/1736-20-0x0000000072C50000-0x000000007333E000-memory.dmp

Filesize
6.9MB

Download
memory/1736-16-0x0000000000000000-mapping.dmp

Download
memory/1756-28-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/1756-12-0x0000000000000000-mapping.dmp

Download
memory/1816-45-0x000007FEF6200000-0x000007FEF647A000-memory.dmp

Filesize
2.5MB

Download
memory/1984-6-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1984-7-0x000000000049AB80-mapping.dmp

Download
memory/1984-8-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/1984-9-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1984-10-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download