a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d

General

Target

a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
Size

834KB
MD5

63d23949144c09b33cd549e2fbd692da
SHA1

c2090ce4c360783151a34b89fe6c17470a73bf21
SHA256

a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d
SHA512

c4735fef33fc054ffd73ffed9df93893dda125229cc17cfcbf1cd968abf6e3a7746f2c9752d4c5b971824627b950907a2916cf9d20839a03ea0a7545ee20f5c1

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exeSynaptics.exe

pid process

1984 ._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
532 Synaptics.exe

pid	process
1984	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
532	Synaptics.exe

Loads dropped DLL 4 IoCs

Processes:

a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe

pid	process
980	a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
980	a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
980	a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
980	a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Synaptics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Synaptics.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe

pid process

1984 ._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe

pid	process
1984	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe

description	pid	process	target process
PID 980 wrote to memory of 1984	980	a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
PID 980 wrote to memory of 1984	980	a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
PID 980 wrote to memory of 1984	980	a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
PID 980 wrote to memory of 1984	980	a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
PID 980 wrote to memory of 532	980	a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe	Synaptics.exe
PID 980 wrote to memory of 532	980	a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe	Synaptics.exe
PID 980 wrote to memory of 532	980	a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe	Synaptics.exe
PID 980 wrote to memory of 532	980	a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe	Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
"C:\Users\Admin\AppData\Local\Temp\a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:980

C:\Users\Admin\AppData\Local\Temp\._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1984

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe
MD5
d1be37912cb77d7c99b6eedcc490c274

SHA1
969f26b526b8d961581710f51991601cc3506e71

SHA256
7af850627b2fc57ea8302d1606785d2c29f693e558fe6be5f51326e51434e412

SHA512
a4b06c9a669ce7cf0804669be3af504323aeffe1914d4d2b22994d1bf37b41c579ec575bda57bf28fbbe7818aeb26d8786b520e2e8d2231dcc2585f7c35c26e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
MD5
df8fd99187d89cbfb5c30766cf37ffe5

SHA1
32405616f7c291b44b844b4ccbd3667cc596a622

SHA256
d70a79d4bbb7d32cc4e71f7bd245faaa46581fa2fcd5724fd96a9ad171c9e3cb

SHA512
e510d2483d2e1b7db73e0cc8a46cb321a75a9ba94a964feaaebc485ae1729e8d1c911ff4d3618f54ecf8104548fbd9be3ba4e2e1aedd6fcfca4c89cde7758cf9

Download Submit
\ProgramData\Synaptics\Synaptics.exe
MD5
d1be37912cb77d7c99b6eedcc490c274

SHA1
969f26b526b8d961581710f51991601cc3506e71

SHA256
7af850627b2fc57ea8302d1606785d2c29f693e558fe6be5f51326e51434e412

SHA512
a4b06c9a669ce7cf0804669be3af504323aeffe1914d4d2b22994d1bf37b41c579ec575bda57bf28fbbe7818aeb26d8786b520e2e8d2231dcc2585f7c35c26e4

Download Submit
\ProgramData\Synaptics\Synaptics.exe
MD5
d1be37912cb77d7c99b6eedcc490c274

SHA1
969f26b526b8d961581710f51991601cc3506e71

SHA256
7af850627b2fc57ea8302d1606785d2c29f693e558fe6be5f51326e51434e412

SHA512
a4b06c9a669ce7cf0804669be3af504323aeffe1914d4d2b22994d1bf37b41c579ec575bda57bf28fbbe7818aeb26d8786b520e2e8d2231dcc2585f7c35c26e4

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
MD5
df8fd99187d89cbfb5c30766cf37ffe5

SHA1
32405616f7c291b44b844b4ccbd3667cc596a622

SHA256
d70a79d4bbb7d32cc4e71f7bd245faaa46581fa2fcd5724fd96a9ad171c9e3cb

SHA512
e510d2483d2e1b7db73e0cc8a46cb321a75a9ba94a964feaaebc485ae1729e8d1c911ff4d3618f54ecf8104548fbd9be3ba4e2e1aedd6fcfca4c89cde7758cf9

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
MD5
df8fd99187d89cbfb5c30766cf37ffe5

SHA1
32405616f7c291b44b844b4ccbd3667cc596a622

SHA256
d70a79d4bbb7d32cc4e71f7bd245faaa46581fa2fcd5724fd96a9ad171c9e3cb

SHA512
e510d2483d2e1b7db73e0cc8a46cb321a75a9ba94a964feaaebc485ae1729e8d1c911ff4d3618f54ecf8104548fbd9be3ba4e2e1aedd6fcfca4c89cde7758cf9

Download Submit
memory/532-70-0x0000000000000000-mapping.dmp

Download
memory/532-73-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/980-60-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/980-61-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1984-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads