971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd

Analysis

max time kernel
148s
max time network
145s
platform
windows7_x64
resource
win7v20210410
submitted
09-05-2021 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe
Size

13.2MB
MD5

9632b1f804ec7e7e67f16d6395574ede
SHA1

5b3747e53335523cdc2305f83a7fa803d969f72b
SHA256

971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd
SHA512

21cbd99c9b727824dc855a3198826c828300b2d36409b8ed0c9a52c2a11ea7b3fdcad37c4244f4e6957fd0d269f40566e218e982d4ea8fb4f88d03e3845c8ba0

Score

8^/10

macro persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

Processes:

._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts.ics	._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe

Executes dropped EXE 2 IoCs

Processes:

._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exeSynaptics.exe

pid process

1812 ._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe
1752 Synaptics.exe

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\11wGwYKA.xlsm	office_macros

Loads dropped DLL 3 IoCs

Processes:

971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe

pid	process
368	971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe
368	971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe
368	971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe

pid process

1812 ._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEiexplore.exeiexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3111B8E1-B0F6-11EB-9117-4E8833708825} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{3111B8E3-B0F6-11EB-9117-4E8833708825}.dat = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5069a4080345d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327350675"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051618adbbbd0f84eb34ff59fe7045e8f00000000020000000000106600000001000020000000adb4b517573a4235bb6c1c1b3333a8bddc998a27b20d8be330d7cc479f5f3b13000000000e8000000002000020000000e01b458029ad6fd8f8f563b3f14c3133559fb8bfafb06f6ac0491bca5aee4bf7200000008298d72d3abeea6072b0cc70b003ee2b14fa341dfcca558832fd1a1fc6584c8640000000bfd57c16e4c59525deb82b5563e8c75a1b8bdaa486ec922cc8a07524140263a747c691f26702871274ec0ac9abc8dc3a9f4bd280be882e715b3a64c5e0641f79	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{311B3E61-B0F6-11EB-9117-4E8833708825} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051618adbbbd0f84eb34ff59fe7045e8f000000000200000000001066000000010000200000000b71c191f3920eca2e9ca4b02e24b471dd9d615b6fb33f4c6718c1ceeb7ed6a1000000000e8000000002000020000000d3ebec25aefecce59b45e3a956889b0d2854f5744a07ed38de0e87e049f13204900000006c7b50d81f0db426511197aa400ec0034a57806eae6f8bf7d3272ae8d2a7c93983c9d3217714e5cebf3087024f5de9de76e920ed3aff9c9265c5753988f4fe506ac52f9927d3dcb0a03a238265c8b5f84185bd4c51a6320753e02fa226267ca093804c44ee51f44ff50cdaeb171819db297a7db9e5986755eaf01f23bda14b1837777217588d03ad923a7f7e1c88aabe40000000bb9b65382de35707b1d5665b1947e9fb7348ec6b88ec4da04d3c17914f7c5f09ea0ca7b175aff4aa20a0c115a61f00d0234066b0386aa9d93b0bfc5533cb581d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE

Modifies registry class 7 IoCs

Processes:

._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\r2e9edf139dc9325579be4dcd89a4951\shell\Open\Command	._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\r2e9edf139dc9325579be4dcd89a4951\shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe\"\"%1\""	._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\r2e9edf139dc9325579be4dcd89a4951	._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\r2e9edf139dc9325579be4dcd89a4951\ = "URL:r2e9edf139dc9325579be4dcd89a4951 Protocol"	._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\r2e9edf139dc9325579be4dcd89a4951\URL Protocol	._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\r2e9edf139dc9325579be4dcd89a4951\shell	._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\r2e9edf139dc9325579be4dcd89a4951\shell\Open	._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Synaptics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exeEXCEL.EXE

pid process

1812 ._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe
896 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe

pid	process
1812	._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe
1812	._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

960 iexplore.exe

pid	process
960	iexplore.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exeEXCEL.EXEiexplore.exeiexplore.exeIEXPLORE.EXE

pid	process
1812	._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe
1812	._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe
1812	._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe
896	EXCEL.EXE
1812	._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe
1812	._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe
1812	._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe
1176	iexplore.exe
1176	iexplore.exe
960	iexplore.exe
960	iexplore.exe
1732	IEXPLORE.EXE
1732	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 368 wrote to memory of 1812	368	971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe	._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe
PID 368 wrote to memory of 1812	368	971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe	._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe
PID 368 wrote to memory of 1812	368	971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe	._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe
PID 368 wrote to memory of 1812	368	971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe	._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe
PID 368 wrote to memory of 1752	368	971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe	Synaptics.exe
PID 368 wrote to memory of 1752	368	971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe	Synaptics.exe
PID 368 wrote to memory of 1752	368	971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe	Synaptics.exe
PID 368 wrote to memory of 1752	368	971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe	Synaptics.exe
PID 1812 wrote to memory of 1176	1812	._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe	iexplore.exe
PID 1812 wrote to memory of 1176	1812	._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe	iexplore.exe
PID 1812 wrote to memory of 1176	1812	._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe	iexplore.exe
PID 1812 wrote to memory of 1176	1812	._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe	iexplore.exe
PID 1812 wrote to memory of 960	1812	._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe	iexplore.exe
PID 1812 wrote to memory of 960	1812	._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe	iexplore.exe
PID 1812 wrote to memory of 960	1812	._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe	iexplore.exe
PID 1812 wrote to memory of 960	1812	._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe	iexplore.exe
PID 1176 wrote to memory of 1808	1176	iexplore.exe	IEXPLORE.EXE
PID 1176 wrote to memory of 1808	1176	iexplore.exe	IEXPLORE.EXE
PID 1176 wrote to memory of 1808	1176	iexplore.exe	IEXPLORE.EXE
PID 1176 wrote to memory of 1808	1176	iexplore.exe	IEXPLORE.EXE
PID 960 wrote to memory of 1732	960	iexplore.exe	IEXPLORE.EXE
PID 960 wrote to memory of 1732	960	iexplore.exe	IEXPLORE.EXE
PID 960 wrote to memory of 1732	960	iexplore.exe	IEXPLORE.EXE
PID 960 wrote to memory of 1732	960	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe
"C:\Users\Admin\AppData\Local\Temp\971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:368

C:\Users\Admin\AppData\Local\Temp\._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1812

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://memoryhackers.org/
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1176

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1176 CREDAT:275457 /prefetch:2
4⤵
PID:1808

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://memoryhackers.org/konular/memoryhackers-loader-guncellemesi-indirme-linkleri-loader-updated.56267/
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:960

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:960 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1732

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:1752

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe
MD5
af4f848c5d2fd90c5e0d81d7672497b9

SHA1
153669eb359603d17b1872422057a2cb4c0934d6

SHA256
6c7dee509814ac1779f7bd29cc3f504b7b4e50cdc136324add91e748ce971530

SHA512
cb672b273a6594ec75730ea6e1cf3105781cb8fffcde8b2dbd77d79e04ae0a0a6ba971cdbe8dc47a5b552fe0dbb58557346f751808eae9f5d7edd2acbf3c28b4

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
MD5
af4f848c5d2fd90c5e0d81d7672497b9

SHA1
153669eb359603d17b1872422057a2cb4c0934d6

SHA256
6c7dee509814ac1779f7bd29cc3f504b7b4e50cdc136324add91e748ce971530

SHA512
cb672b273a6594ec75730ea6e1cf3105781cb8fffcde8b2dbd77d79e04ae0a0a6ba971cdbe8dc47a5b552fe0dbb58557346f751808eae9f5d7edd2acbf3c28b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
15775d95513782f99cdfb17e65dfceb1

SHA1
6c11f8bee799b093f9ff4841e31041b081b23388

SHA256
477a9559194edf48848fce59e05105168745a46bdc0871ea742a2588ca9fbe00

SHA512
ac09ce01122d7a837bd70277badd58ff71d8c5335f8fc599d5e3ed42c8fee2108dd043bce562c82ba12a81b9b08bd24b961c0961bf8fd3a0b8341c87483cd1e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
a7650b24df52b0bbe2da6a470b779309

SHA1
c5aa5141f978a46b5b8ddff1c50cf5f47dfaf0f8

SHA256
df9c92491c0a2f3b4da344fcbe87c4fcefb15089ddf0422daa1656bb86d8b550

SHA512
1a8712bf2a60d105542117c5fe37c1176bcc80d81f8c798f778b20873b5bd39910f2ca31145aed24c056cedd79bdf68e543bfd325d0fcb1f415674e9ef456787

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
a7650b24df52b0bbe2da6a470b779309

SHA1
c5aa5141f978a46b5b8ddff1c50cf5f47dfaf0f8

SHA256
df9c92491c0a2f3b4da344fcbe87c4fcefb15089ddf0422daa1656bb86d8b550

SHA512
1a8712bf2a60d105542117c5fe37c1176bcc80d81f8c798f778b20873b5bd39910f2ca31145aed24c056cedd79bdf68e543bfd325d0fcb1f415674e9ef456787

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
MD5
3da465cc4fafcaf001a2fcfc2171eae8

SHA1
c8103200f4eb684d4874d3e32ccbe1bc6e9c1c98

SHA256
1c2e544b27086f55770b82ea9050b0291d6d129f469195be886b593d8b7b84e3

SHA512
062c12676570248bbc1de8b22e9c250cf72ca7e50803cb081e695c6475fb5c48ca4e17d6d5d88aca6b29adddbb3378d6b0a33286b992d389d5bd2cf70380c72e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3111B8E1-B0F6-11EB-9117-4E8833708825}.dat
MD5
969e7e64fab55fe688baedfad1bd21ca

SHA1
3457836c85f9a179d622d28f60a4d89d35f134d0

SHA256
ee855d9c63d8e31005e491a2aee20e66b943673c24726a26d608a3fbeabddae1

SHA512
d29f9d4143cf6c9a693432a777cc51601d1463c00ade43bd998c34448af01de06cd9e976be60487b0bf96a81f8ef4cb49821b9d0286cf20d43a30beb20b8c014

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{311B3E61-B0F6-11EB-9117-4E8833708825}.dat
MD5
7574df1fcdd62a6e2f9d85c2957d3b9e

SHA1
e90fd9e4e029ca923619926a3a5bd1269f0dfe9b

SHA256
2955916cf9383cb9fc8aed8364dcbc2be5ef13c0513212eaecf13eb537f29d9c

SHA512
3008323448bc9d6fe1f2beef1cab990893793e05386a8e592e15b81b321ab24a12693c8634fdfa1bbdc8d268f353835014118d08bd2a4da3b96e776563788085

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe
MD5
88cd3369ceb3a4e22fd54a852fd4258d

SHA1
18a7e0eb41eb6dbf9314a7f472d4d60210142e5f

SHA256
f0fd284e05d346eebec8c3aa8640edf2e1e7e1f45d7a28af23719b1a8b925c85

SHA512
eec7aed2168ca929e8455e76a64082bb545145e37d84dd173eb5500f16ab8cd29724f27344d6cf49f6fcc0e0428a6936af55603f34ca8f4f46c693415cc8d63a

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe
MD5
88cd3369ceb3a4e22fd54a852fd4258d

SHA1
18a7e0eb41eb6dbf9314a7f472d4d60210142e5f

SHA256
f0fd284e05d346eebec8c3aa8640edf2e1e7e1f45d7a28af23719b1a8b925c85

SHA512
eec7aed2168ca929e8455e76a64082bb545145e37d84dd173eb5500f16ab8cd29724f27344d6cf49f6fcc0e0428a6936af55603f34ca8f4f46c693415cc8d63a

Download Submit
C:\Users\Admin\AppData\Local\Temp\11wGwYKA.xlsm
MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2M71UJE6.txt
MD5
cfefb9371ea43df872bdbed9e94a7a9e

SHA1
bfdf931091e68b7cce79b9807e7fcff3fe439806

SHA256
b25c9fee09386eae18c5afadaee0222a5432149369b2032a2a710e25367ea228

SHA512
e3d3e4a1e9b5833c208e9e329957611595adb2e853c64f8298c3f5e581fde6467b4dc899b213fd5bd73ecdfce106ea4d8515e7da844c1e49ae5d720fca20850f

Download Submit
\ProgramData\Synaptics\Synaptics.exe
MD5
af4f848c5d2fd90c5e0d81d7672497b9

SHA1
153669eb359603d17b1872422057a2cb4c0934d6

SHA256
6c7dee509814ac1779f7bd29cc3f504b7b4e50cdc136324add91e748ce971530

SHA512
cb672b273a6594ec75730ea6e1cf3105781cb8fffcde8b2dbd77d79e04ae0a0a6ba971cdbe8dc47a5b552fe0dbb58557346f751808eae9f5d7edd2acbf3c28b4

Download Submit
\ProgramData\Synaptics\Synaptics.exe
MD5
af4f848c5d2fd90c5e0d81d7672497b9

SHA1
153669eb359603d17b1872422057a2cb4c0934d6

SHA256
6c7dee509814ac1779f7bd29cc3f504b7b4e50cdc136324add91e748ce971530

SHA512
cb672b273a6594ec75730ea6e1cf3105781cb8fffcde8b2dbd77d79e04ae0a0a6ba971cdbe8dc47a5b552fe0dbb58557346f751808eae9f5d7edd2acbf3c28b4

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe
MD5
88cd3369ceb3a4e22fd54a852fd4258d

SHA1
18a7e0eb41eb6dbf9314a7f472d4d60210142e5f

SHA256
f0fd284e05d346eebec8c3aa8640edf2e1e7e1f45d7a28af23719b1a8b925c85

SHA512
eec7aed2168ca929e8455e76a64082bb545145e37d84dd173eb5500f16ab8cd29724f27344d6cf49f6fcc0e0428a6936af55603f34ca8f4f46c693415cc8d63a

Download Submit
memory/368-61-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/368-60-0x0000000076661000-0x0000000076663000-memory.dmp

Filesize
8KB

Download
memory/896-79-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/896-73-0x000000002F261000-0x000000002F264000-memory.dmp

Filesize
12KB

Download
memory/896-77-0x0000000071671000-0x0000000071673000-memory.dmp

Filesize
8KB

Download
memory/960-84-0x000007FEFBDC1000-0x000007FEFBDC3000-memory.dmp

Filesize
8KB

Download
memory/960-83-0x0000000000000000-mapping.dmp

Download
memory/1176-82-0x0000000000000000-mapping.dmp

Download
memory/1732-86-0x0000000000000000-mapping.dmp

Download
memory/1752-69-0x0000000000000000-mapping.dmp

Download
memory/1752-72-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1808-85-0x0000000000000000-mapping.dmp

Download
memory/1808-88-0x0000000000D90000-0x0000000000D92000-memory.dmp

Filesize
8KB

Download
memory/1812-76-0x0000000000400000-0x0000000001EDE000-memory.dmp

Filesize
26.9MB

Download
memory/1812-74-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1812-75-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1812-63-0x0000000000000000-mapping.dmp

Download

pid	process
1812	._cache_971b5e84c8f1244ecee167dbce3b0007fb988c5676d6fae10c2dd2d1b85454bd.exe
1752	Synaptics.exe