cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7v20210408
submitted
08-05-2021 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
Size

3.3MB
MD5

ff36e55c32797704f09e344148c66cf2
SHA1

f3ee023dbfc31ed8881932b25511155ade5ab633
SHA256

cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b
SHA512

987fc3b7a46ef9ac6643c16173af0f81d6bc15887de695c794b0a1d133a50d00a914814423c5cd69ba1019c5c3fcb2c5626c1561cec295e028a5eb871ba4ddab

Score

8^/10

macro persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exeSynaptics.exe

pid process

2000 ._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
1960 Synaptics.exe

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\WNvY5v5z.xlsm	office_macros

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe	upx
\Users\Admin\AppData\Local\Temp\._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe	upx
C:\Users\Admin\AppData\Local\Temp\._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe	upx
C:\Users\Admin\AppData\Local\Temp\._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe	upx
behavioral1/memory/2000-84-0x0000000000400000-0x0000000000848000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe	upx
\Users\Admin\AppData\Local\Temp\._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe	upx
\Users\Admin\AppData\Local\Temp\._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe	upx
\Users\Admin\AppData\Local\Temp\._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe	upx
\Users\Admin\AppData\Local\Temp\._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe	upx
\Users\Admin\AppData\Local\Temp\._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe	upx
\Users\Admin\AppData\Local\Temp\._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe	upx

Loads dropped DLL 11 IoCs

Processes:

cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exeWerFault.exe

pid	process
1684	cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
1684	cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
1684	cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
1684	cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
588	WerFault.exe
588	WerFault.exe
588	WerFault.exe
588	WerFault.exe
588	WerFault.exe
588	WerFault.exe
588	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SS CRACK RETRIX = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

Processes:

._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe

pid	process
2000	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
2000	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
2000	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
2000	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
2000	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
2000	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
2000	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
2000	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
2000	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
2000	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
2000	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
2000	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
2000	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

588 2000 WerFault.exe ._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe

pid	pid_target	process	target process
588	2000	WerFault.exe	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exeEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeEXCEL.EXEIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327288207"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BD9B2351-B064-11EB-83FC-FEBA24881352} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Synaptics.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1316 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

588 WerFault.exe
588 WerFault.exe
588 WerFault.exe
588 WerFault.exe
588 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

588 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 588 WerFault.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1576 iexplore.exe

pid	process
1316	EXCEL.EXE

pid	process
588	WerFault.exe
588	WerFault.exe
588	WerFault.exe
588	WerFault.exe
588	WerFault.exe

pid	process
588	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	588	WerFault.exe

pid	process
1576	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exeiexplore.exeIEXPLORE.EXEEXCEL.EXE

pid	process
2000	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
2000	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
1576	iexplore.exe
1576	iexplore.exe
1676	IEXPLORE.EXE
1676	IEXPLORE.EXE
1316	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exeiexplore.exe

description	pid	process	target process
PID 1684 wrote to memory of 2000	1684	cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
PID 1684 wrote to memory of 2000	1684	cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
PID 1684 wrote to memory of 2000	1684	cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
PID 1684 wrote to memory of 2000	1684	cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
PID 1684 wrote to memory of 1960	1684	cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe	Synaptics.exe
PID 1684 wrote to memory of 1960	1684	cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe	Synaptics.exe
PID 1684 wrote to memory of 1960	1684	cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe	Synaptics.exe
PID 1684 wrote to memory of 1960	1684	cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe	Synaptics.exe
PID 2000 wrote to memory of 1576	2000	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe	iexplore.exe
PID 2000 wrote to memory of 1576	2000	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe	iexplore.exe
PID 2000 wrote to memory of 1576	2000	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe	iexplore.exe
PID 2000 wrote to memory of 1576	2000	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe	iexplore.exe
PID 1576 wrote to memory of 1676	1576	iexplore.exe	IEXPLORE.EXE
PID 1576 wrote to memory of 1676	1576	iexplore.exe	IEXPLORE.EXE
PID 1576 wrote to memory of 1676	1576	iexplore.exe	IEXPLORE.EXE
PID 1576 wrote to memory of 1676	1576	iexplore.exe	IEXPLORE.EXE
PID 2000 wrote to memory of 588	2000	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe	WerFault.exe
PID 2000 wrote to memory of 588	2000	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe	WerFault.exe
PID 2000 wrote to memory of 588	2000	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe	WerFault.exe
PID 2000 wrote to memory of 588	2000	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
"C:\Users\Admin\AppData\Local\Temp\cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Local\Temp\._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.52xsu.com/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1576 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 320
    3⤵
    - Loads dropped DLL
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:588
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:1960

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

MD5
6e163085114a0f35940c93f0d3760f5a

SHA1
3ba820bdab95cd6455a741da830f82809155fe39

SHA256
84acaf5d2eb4a13e1f13386026b1372e1633a3d2bc069062eaddf1aa9d227586

SHA512
e2270070b6bb1f25b2a016237e1691c42ff66cb2a00d3a2407957a812a953c69ca0c0c15c241f17ae83c8c668f7fdc983098f69ada467301f2d8029dd10cb836

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

MD5
6e163085114a0f35940c93f0d3760f5a

SHA1
3ba820bdab95cd6455a741da830f82809155fe39

SHA256
84acaf5d2eb4a13e1f13386026b1372e1633a3d2bc069062eaddf1aa9d227586

SHA512
e2270070b6bb1f25b2a016237e1691c42ff66cb2a00d3a2407957a812a953c69ca0c0c15c241f17ae83c8c668f7fdc983098f69ada467301f2d8029dd10cb836

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5
15775d95513782f99cdfb17e65dfceb1

SHA1
6c11f8bee799b093f9ff4841e31041b081b23388

SHA256
477a9559194edf48848fce59e05105168745a46bdc0871ea742a2588ca9fbe00

SHA512
ac09ce01122d7a837bd70277badd58ff71d8c5335f8fc599d5e3ed42c8fee2108dd043bce562c82ba12a81b9b08bd24b961c0961bf8fd3a0b8341c87483cd1e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
46b306c64309144ded9655577263702b

SHA1
f8f73f671c547eda82c0ac8481dd92f98fe14b95

SHA256
f4215ca8069c39716d27f5d812a08e0c7f35f063d6fffc22d8f738d9e81f7041

SHA512
7e0fd4cf9c1851100c24e6898198438d473eb2d3feb730b11c781cbf1ae86e01c2dd75f478f3bee5b750845a87c7e0cbe2be80274cfc0974f3087ba76739a857

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
7c050118df1fa4edbac3942c6e1e1d2d

SHA1
120d6cb63f984901106927ab0d6e3243308ef6b4

SHA256
1475c1978cc47e40d916d844f98b0a70e7c89c69bc5b9395a9e00aea1210bc9b

SHA512
653432e4605c13cba519483a26a53135394313e946b5ba3a8076187f298e90c3c26031571ff4781da11b4bd464621090df91b0c0009a58982dfa7854e8c8d9c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5
c6320a24eddf5f9acc297bb099f5f0ea

SHA1
320a7e38130615cc37c2e93d5bea5b211c24191a

SHA256
02d9bbc9b67bf232a088266f16c0b15fc3b238aae6d6af2207f29ba90cbc7ab3

SHA512
e5e2b378b632b9a5eef4fa71f587a8323db581abd937e6d8eb3feb9b69267c6c88191b984305ea5190795de221f10c8b5b5f256fc8d1abdf1a6c161b93fcc6f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe

MD5
44c56c84ffceeb978c8fb5a782086ec4

SHA1
e3d4f0eda5fd7ebe455b9f55c00768c281b7416c

SHA256
5e75ad26b452c9801f09c6c87424faf28af9814749430331021dd1de8fcbe90d

SHA512
25286ac53e1468206619105baca4c0dfbb49737fac45c1c0cc814ab6182514caeafbcb7dacf3d61248d06abc4a0d3f5d23bab372d6fb69f084a5c18d990165a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe

MD5
44c56c84ffceeb978c8fb5a782086ec4

SHA1
e3d4f0eda5fd7ebe455b9f55c00768c281b7416c

SHA256
5e75ad26b452c9801f09c6c87424faf28af9814749430331021dd1de8fcbe90d

SHA512
25286ac53e1468206619105baca4c0dfbb49737fac45c1c0cc814ab6182514caeafbcb7dacf3d61248d06abc4a0d3f5d23bab372d6fb69f084a5c18d990165a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WNvY5v5z.xlsm

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YFVLLSV1.txt

MD5
2f0eb66b447c7952fcfc1f77f729afc6

SHA1
93618e936921c48e7ad4c3b9e7c5d679a319cd98

SHA256
2b59b5fc8d07cc477f34b4d74a22dcd8ee2d6bf9998e1b6d8f55294139a17518

SHA512
28b7aef6dce38e19c957208e4bb4a14a2f1a405379fad1157bd422b3c4977335a177c373aefb6d63d4ac640950c68f1808ed18da7480f1bfa6786ff988c4ef0d

Download Submit
\ProgramData\Synaptics\Synaptics.exe

MD5
6e163085114a0f35940c93f0d3760f5a

SHA1
3ba820bdab95cd6455a741da830f82809155fe39

SHA256
84acaf5d2eb4a13e1f13386026b1372e1633a3d2bc069062eaddf1aa9d227586

SHA512
e2270070b6bb1f25b2a016237e1691c42ff66cb2a00d3a2407957a812a953c69ca0c0c15c241f17ae83c8c668f7fdc983098f69ada467301f2d8029dd10cb836

Download Submit
\ProgramData\Synaptics\Synaptics.exe

MD5
6e163085114a0f35940c93f0d3760f5a

SHA1
3ba820bdab95cd6455a741da830f82809155fe39

SHA256
84acaf5d2eb4a13e1f13386026b1372e1633a3d2bc069062eaddf1aa9d227586

SHA512
e2270070b6bb1f25b2a016237e1691c42ff66cb2a00d3a2407957a812a953c69ca0c0c15c241f17ae83c8c668f7fdc983098f69ada467301f2d8029dd10cb836

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe

MD5
44c56c84ffceeb978c8fb5a782086ec4

SHA1
e3d4f0eda5fd7ebe455b9f55c00768c281b7416c

SHA256
5e75ad26b452c9801f09c6c87424faf28af9814749430331021dd1de8fcbe90d

SHA512
25286ac53e1468206619105baca4c0dfbb49737fac45c1c0cc814ab6182514caeafbcb7dacf3d61248d06abc4a0d3f5d23bab372d6fb69f084a5c18d990165a7

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe

MD5
44c56c84ffceeb978c8fb5a782086ec4

SHA1
e3d4f0eda5fd7ebe455b9f55c00768c281b7416c

SHA256
5e75ad26b452c9801f09c6c87424faf28af9814749430331021dd1de8fcbe90d

SHA512
25286ac53e1468206619105baca4c0dfbb49737fac45c1c0cc814ab6182514caeafbcb7dacf3d61248d06abc4a0d3f5d23bab372d6fb69f084a5c18d990165a7

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe

MD5
44c56c84ffceeb978c8fb5a782086ec4

SHA1
e3d4f0eda5fd7ebe455b9f55c00768c281b7416c

SHA256
5e75ad26b452c9801f09c6c87424faf28af9814749430331021dd1de8fcbe90d

SHA512
25286ac53e1468206619105baca4c0dfbb49737fac45c1c0cc814ab6182514caeafbcb7dacf3d61248d06abc4a0d3f5d23bab372d6fb69f084a5c18d990165a7

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe

MD5
44c56c84ffceeb978c8fb5a782086ec4

SHA1
e3d4f0eda5fd7ebe455b9f55c00768c281b7416c

SHA256
5e75ad26b452c9801f09c6c87424faf28af9814749430331021dd1de8fcbe90d

SHA512
25286ac53e1468206619105baca4c0dfbb49737fac45c1c0cc814ab6182514caeafbcb7dacf3d61248d06abc4a0d3f5d23bab372d6fb69f084a5c18d990165a7

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe

MD5
44c56c84ffceeb978c8fb5a782086ec4

SHA1
e3d4f0eda5fd7ebe455b9f55c00768c281b7416c

SHA256
5e75ad26b452c9801f09c6c87424faf28af9814749430331021dd1de8fcbe90d

SHA512
25286ac53e1468206619105baca4c0dfbb49737fac45c1c0cc814ab6182514caeafbcb7dacf3d61248d06abc4a0d3f5d23bab372d6fb69f084a5c18d990165a7

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe

MD5
44c56c84ffceeb978c8fb5a782086ec4

SHA1
e3d4f0eda5fd7ebe455b9f55c00768c281b7416c

SHA256
5e75ad26b452c9801f09c6c87424faf28af9814749430331021dd1de8fcbe90d

SHA512
25286ac53e1468206619105baca4c0dfbb49737fac45c1c0cc814ab6182514caeafbcb7dacf3d61248d06abc4a0d3f5d23bab372d6fb69f084a5c18d990165a7

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe

MD5
44c56c84ffceeb978c8fb5a782086ec4

SHA1
e3d4f0eda5fd7ebe455b9f55c00768c281b7416c

SHA256
5e75ad26b452c9801f09c6c87424faf28af9814749430331021dd1de8fcbe90d

SHA512
25286ac53e1468206619105baca4c0dfbb49737fac45c1c0cc814ab6182514caeafbcb7dacf3d61248d06abc4a0d3f5d23bab372d6fb69f084a5c18d990165a7

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe

MD5
44c56c84ffceeb978c8fb5a782086ec4

SHA1
e3d4f0eda5fd7ebe455b9f55c00768c281b7416c

SHA256
5e75ad26b452c9801f09c6c87424faf28af9814749430331021dd1de8fcbe90d

SHA512
25286ac53e1468206619105baca4c0dfbb49737fac45c1c0cc814ab6182514caeafbcb7dacf3d61248d06abc4a0d3f5d23bab372d6fb69f084a5c18d990165a7

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe

MD5
44c56c84ffceeb978c8fb5a782086ec4

SHA1
e3d4f0eda5fd7ebe455b9f55c00768c281b7416c

SHA256
5e75ad26b452c9801f09c6c87424faf28af9814749430331021dd1de8fcbe90d

SHA512
25286ac53e1468206619105baca4c0dfbb49737fac45c1c0cc814ab6182514caeafbcb7dacf3d61248d06abc4a0d3f5d23bab372d6fb69f084a5c18d990165a7

Download Submit
memory/588-90-0x0000000000000000-mapping.dmp

Download
memory/588-101-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1316-85-0x000000002F381000-0x000000002F384000-memory.dmp

Filesize
12KB

Download
memory/1316-87-0x0000000071931000-0x0000000071933000-memory.dmp

Filesize
8KB

Download
memory/1316-97-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1576-86-0x0000000000000000-mapping.dmp

Download
memory/1676-88-0x0000000000000000-mapping.dmp

Download
memory/1684-60-0x0000000075B31000-0x0000000075B33000-memory.dmp

Filesize
8KB

Download
memory/1684-61-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1960-74-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1960-69-0x0000000000000000-mapping.dmp

Download
memory/2000-84-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2000-81-0x0000000002340000-0x0000000002451000-memory.dmp

Filesize
1.1MB

Download
memory/2000-80-0x0000000002480000-0x0000000002601000-memory.dmp

Filesize
1.5MB

Download
memory/2000-77-0x0000000075730000-0x00000000757D0000-memory.dmp

Filesize
640KB

Download
memory/2000-78-0x0000000000300000-0x0000000000349000-memory.dmp

Filesize
292KB

Download
memory/2000-73-0x0000000075890000-0x00000000758D7000-memory.dmp

Filesize
284KB

Download
memory/2000-83-0x0000000002130000-0x00000000021D1000-memory.dmp

Filesize
644KB

Download
memory/2000-64-0x0000000000000000-mapping.dmp

Download
memory/2000-82-0x0000000002610000-0x0000000002711000-memory.dmp

Filesize
1.0MB

Download

pid	process
2000	._cache_cfce93d80c442194d4750ff22eab13e2a37e545caff4d448ba93760590f63f3b.exe
1960	Synaptics.exe