e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44

Analysis

max time kernel
149s
max time network
153s
platform
windows10_x64
resource
win10v20210410
submitted
09-05-2021 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe
Size

1.6MB
MD5

9b7eac5bd1fee50966a3b444ee80b342
SHA1

620bf8b1391c05126a59f9b04f54fb4fbe5d6036
SHA256

e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44
SHA512

cdf632ed79ee1ad15c1c13d357596b8008fe7cb5b2b295237af6f4f3033ebabacc97973a447ce246f44430b6b8b5adff1a95905ec9f322e91d47b2ba92e1c3fe

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 6 IoCs

Processes:

._cache_e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exeSynaptics.exeTempSetup.exeTempSetup.exe~TSP_Dork_generator_v_15_0.exesvchost.exe

pid	process
5020	._cache_e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe
5060	Synaptics.exe
3304	TempSetup.exe
3940	TempSetup.exe
3116	~TSP_Dork_generator_v_15_0.exe
4184	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

TempSetup.exee03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exeTempSetup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Intel(R) Common Networking System = "C:\\Users\\Admin\\AppData\\Roaming\\Intel Corporation\\Intel(R) Common User Interface\\8.1.1.7900\\svchost.exe"	TempSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Intel(R) Common Networking System = "C:\\Users\\Admin\\AppData\\Roaming\\Intel Corporation\\Intel(R) Common User Interface\\8.1.1.7900\\svchost.exe"	TempSetup.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

TempSetup.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	TempSetup.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	TempSetup.exe

Drops file in Windows directory 3 IoCs

Processes:

TempSetup.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	TempSetup.exe
File created	C:\Windows\assembly\Desktop.ini	TempSetup.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	TempSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Synaptics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Synaptics.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

TempSetup.exeTempSetup.exesvchost.exe

description pid process

Token: SeDebugPrivilege 3940 TempSetup.exe
Token: SeDebugPrivilege 3304 TempSetup.exe
Token: SeDebugPrivilege 4184 svchost.exe

description	pid	process
Token: SeDebugPrivilege	3940	TempSetup.exe
Token: SeDebugPrivilege	3304	TempSetup.exe
Token: SeDebugPrivilege	4184	svchost.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe._cache_e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exeTempSetup.exe

description	pid	process	target process
PID 4432 wrote to memory of 5020	4432	e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe	._cache_e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe
PID 4432 wrote to memory of 5020	4432	e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe	._cache_e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe
PID 4432 wrote to memory of 5060	4432	e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe	Synaptics.exe
PID 4432 wrote to memory of 5060	4432	e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe	Synaptics.exe
PID 4432 wrote to memory of 5060	4432	e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe	Synaptics.exe
PID 5020 wrote to memory of 3304	5020	._cache_e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe	TempSetup.exe
PID 5020 wrote to memory of 3304	5020	._cache_e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe	TempSetup.exe
PID 5020 wrote to memory of 3940	5020	._cache_e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe	TempSetup.exe
PID 5020 wrote to memory of 3940	5020	._cache_e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe	TempSetup.exe
PID 5020 wrote to memory of 3116	5020	._cache_e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe	~TSP_Dork_generator_v_15_0.exe
PID 5020 wrote to memory of 3116	5020	._cache_e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe	~TSP_Dork_generator_v_15_0.exe
PID 3304 wrote to memory of 4184	3304	TempSetup.exe	svchost.exe
PID 3304 wrote to memory of 4184	3304	TempSetup.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe
"C:\Users\Admin\AppData\Local\Temp\e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4432

C:\Users\Admin\AppData\Local\Temp\._cache_e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020

C:\Users\Admin\AppData\Local\TempSetup.exe
"C:\Users\Admin\AppData\Local\TempSetup.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3304

C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\svchost.exe
"C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\svchost.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Users\Admin\AppData\Local\TempSetup.exe
"C:\Users\Admin\AppData\Local\TempSetup.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Users\Admin\AppData\Local\Temp\~TSP_Dork_generator_v_15_0.exe
"C:\Users\Admin\AppData\Local\Temp\~TSP_Dork_generator_v_15_0.exe"
3⤵
- Executes dropped EXE
PID:3116

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:5060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe
MD5
15c37b29b6170fb154d18749115b94ec

SHA1
a7c1a1dcababa9fdc88c14cbdbbac1b7f33d4d3e

SHA256
86c9fd53c68f00b586fdc12c37596d427a06b2ac36081e5132486b3a5ae3bb54

SHA512
2b88231b43510700118d7a648e67df80bd87baf1b0432fafdaa517f271032ae4baf3b463ef52c950eff2e160840a43bb1a1df7bcc54313c64fb4e4dc97138622

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
MD5
15c37b29b6170fb154d18749115b94ec

SHA1
a7c1a1dcababa9fdc88c14cbdbbac1b7f33d4d3e

SHA256
86c9fd53c68f00b586fdc12c37596d427a06b2ac36081e5132486b3a5ae3bb54

SHA512
2b88231b43510700118d7a648e67df80bd87baf1b0432fafdaa517f271032ae4baf3b463ef52c950eff2e160840a43bb1a1df7bcc54313c64fb4e4dc97138622

Download Submit
C:\Users\Admin\AppData\Local\TempSetup.exe
MD5
1d26acfd119d4f1122588a421765ff3c

SHA1
2bc59f88356862633afaa75b26eb9d5febd9f9e9

SHA256
b999d0bde7c191f8897a9f5657c0c171320845669a2483e52df8ab09cf2d5421

SHA512
4da04e0cd1266c0a975319fadd16442093d01b72a074819913a398c0f85f8a4b54191c225455759cfa5d6ff5e133ebd415611c975b9af019eda15beff2c33dac

Download Submit
C:\Users\Admin\AppData\Local\TempSetup.exe
MD5
1d26acfd119d4f1122588a421765ff3c

SHA1
2bc59f88356862633afaa75b26eb9d5febd9f9e9

SHA256
b999d0bde7c191f8897a9f5657c0c171320845669a2483e52df8ab09cf2d5421

SHA512
4da04e0cd1266c0a975319fadd16442093d01b72a074819913a398c0f85f8a4b54191c225455759cfa5d6ff5e133ebd415611c975b9af019eda15beff2c33dac

Download Submit
C:\Users\Admin\AppData\Local\TempSetup.exe
MD5
1d26acfd119d4f1122588a421765ff3c

SHA1
2bc59f88356862633afaa75b26eb9d5febd9f9e9

SHA256
b999d0bde7c191f8897a9f5657c0c171320845669a2483e52df8ab09cf2d5421

SHA512
4da04e0cd1266c0a975319fadd16442093d01b72a074819913a398c0f85f8a4b54191c225455759cfa5d6ff5e133ebd415611c975b9af019eda15beff2c33dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe
MD5
1e492acc3fada41dbade170550fa827f

SHA1
475f04705b725d445382988d6443a6490af93c17

SHA256
fb1e10eff8178b1fed9c14a4a76c3dd5736ba2879fd7f0160e485d931925c6d1

SHA512
475180ebd1057622f446b32e2a64541d2fec46897fd14a74cc27037f0102fe130418afd968929d7cf724ff7c109617c01080099f457eb6ec962fe2aa69a07dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe
MD5
1e492acc3fada41dbade170550fa827f

SHA1
475f04705b725d445382988d6443a6490af93c17

SHA256
fb1e10eff8178b1fed9c14a4a76c3dd5736ba2879fd7f0160e485d931925c6d1

SHA512
475180ebd1057622f446b32e2a64541d2fec46897fd14a74cc27037f0102fe130418afd968929d7cf724ff7c109617c01080099f457eb6ec962fe2aa69a07dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\~TSP_Dork_generator_v_15_0.exe
MD5
59e02b754902f1d61d67e386db256590

SHA1
0acf056d3a4ed2a02e4769914eb6bef050f6b7f1

SHA256
a97419010956d614699f565b4f8a78c34c184638a8ed03d83017c6db76da2806

SHA512
d356cc5e360ad0dfb0f39d5459209d60ce38102fbae2fd2fbed037b89af211b90dabe29087c2d5990a0ed40773c8ce2f6c1f8fff9d81349eecdbf775e29d3b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\~TSP_Dork_generator_v_15_0.exe
MD5
59e02b754902f1d61d67e386db256590

SHA1
0acf056d3a4ed2a02e4769914eb6bef050f6b7f1

SHA256
a97419010956d614699f565b4f8a78c34c184638a8ed03d83017c6db76da2806

SHA512
d356cc5e360ad0dfb0f39d5459209d60ce38102fbae2fd2fbed037b89af211b90dabe29087c2d5990a0ed40773c8ce2f6c1f8fff9d81349eecdbf775e29d3b88

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\server.zip
MD5
d03d2f9693d89efc80c6e8117149e140

SHA1
df3651d494e8f51ff802a047b86ece929c1bd4d1

SHA256
208b8c399265533130e67ffb9a2daa6970ff5f94375c9cbad6e3bf1cb6c224a4

SHA512
98218447f9ecc985ba494540cd38003d6a5bc14b141676d86b762e0e35faa7373aa711811a430117a385b01f561e3ce26e64ecbcce86dbf832c7d0ed03db79f6

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\svchost.exe
MD5
248b2767cad501ee9927da00c80f3c26

SHA1
c948475d1b44a737370d9068312b0ee7c323ecb2

SHA256
5de29b1fd0d3452ede3264c156342c18115eb076138330eae8ab2b984c8e75fd

SHA512
e25341c8aedda93525cd79f6c52e45c4060e378bf42ac6ce3aefe15417daa081f410ac0f9f818edcbd95e1d555bef9472be37e7d73f30de05025990fd1850cb8

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\svchost.exe
MD5
248b2767cad501ee9927da00c80f3c26

SHA1
c948475d1b44a737370d9068312b0ee7c323ecb2

SHA256
5de29b1fd0d3452ede3264c156342c18115eb076138330eae8ab2b984c8e75fd

SHA512
e25341c8aedda93525cd79f6c52e45c4060e378bf42ac6ce3aefe15417daa081f410ac0f9f818edcbd95e1d555bef9472be37e7d73f30de05025990fd1850cb8

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\svchost.exe
MD5
248b2767cad501ee9927da00c80f3c26

SHA1
c948475d1b44a737370d9068312b0ee7c323ecb2

SHA256
5de29b1fd0d3452ede3264c156342c18115eb076138330eae8ab2b984c8e75fd

SHA512
e25341c8aedda93525cd79f6c52e45c4060e378bf42ac6ce3aefe15417daa081f410ac0f9f818edcbd95e1d555bef9472be37e7d73f30de05025990fd1850cb8

Download Submit
memory/3116-135-0x000001EC53E70000-0x000001EC53E72000-memory.dmp

Filesize
8KB

Download
memory/3116-137-0x000001EC53E72000-0x000001EC53E74000-memory.dmp

Filesize
8KB

Download
memory/3116-130-0x0000000000000000-mapping.dmp

Download
memory/3116-133-0x000001EC39880000-0x000001EC39881000-memory.dmp

Filesize
4KB

Download
memory/3304-121-0x0000000000000000-mapping.dmp

Download
memory/3304-138-0x0000000000FA2000-0x0000000000FA4000-memory.dmp

Filesize
8KB

Download
memory/3304-129-0x0000000000FA0000-0x0000000000FA2000-memory.dmp

Filesize
8KB

Download
memory/3940-128-0x0000000000C30000-0x0000000000C32000-memory.dmp

Filesize
8KB

Download
memory/3940-136-0x0000000000C32000-0x0000000000C34000-memory.dmp

Filesize
8KB

Download
memory/3940-124-0x0000000000000000-mapping.dmp

Download
memory/4184-142-0x0000000000000000-mapping.dmp

Download
memory/4184-144-0x0000000002802000-0x0000000002803000-memory.dmp

Filesize
4KB

Download
memory/4432-114-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/5020-125-0x0000000001020000-0x0000000001022000-memory.dmp

Filesize
8KB

Download
memory/5020-115-0x0000000000000000-mapping.dmp

Download
memory/5060-126-0x0000000000540000-0x000000000068A000-memory.dmp

Filesize
1.3MB

Download
memory/5060-118-0x0000000000000000-mapping.dmp

Download