a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d

System Information Discovery

Processes:

a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies registry class 1 IoCs

Processes:

a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Synaptics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1340 EXCEL.EXE

pid	process
1340	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe

pid	process
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

616
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe

pid process

2612 ._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe

pid	process
616

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exeEXCEL.EXE

pid	process
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
1340	EXCEL.EXE
1340	EXCEL.EXE
1340	EXCEL.EXE
1340	EXCEL.EXE
1340	EXCEL.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.execmd.exe

description	pid	process	target process
PID 3680 wrote to memory of 2612	3680	a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
PID 3680 wrote to memory of 2612	3680	a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
PID 3680 wrote to memory of 2612	3680	a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
PID 3680 wrote to memory of 3932	3680	a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe	Synaptics.exe
PID 3680 wrote to memory of 3932	3680	a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe	Synaptics.exe
PID 3680 wrote to memory of 3932	3680	a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe	Synaptics.exe
PID 2612 wrote to memory of 1600	2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe	cmd.exe
PID 2612 wrote to memory of 1600	2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe	cmd.exe
PID 2612 wrote to memory of 1600	2612	._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe	cmd.exe
PID 1600 wrote to memory of 1308	1600	cmd.exe	sc.exe
PID 1600 wrote to memory of 1308	1600	cmd.exe	sc.exe
PID 1600 wrote to memory of 1308	1600	cmd.exe	sc.exe
PID 1600 wrote to memory of 3348	1600	cmd.exe	sc.exe
PID 1600 wrote to memory of 3348	1600	cmd.exe	sc.exe
PID 1600 wrote to memory of 3348	1600	cmd.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
"C:\Users\Admin\AppData\Local\Temp\a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3680

C:\Users\Admin\AppData\Local\Temp\._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_a9dcd6d87c80da090a059e31bcd02cb21107fd09e8ade76f38dfbcbcf8bfc99d.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc create zillut binpath= C:\Windows\KodeMonL.sys type= kernel & sc start zillut
3⤵
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\SysWOW64\sc.exe
sc create zillut binpath= C:\Windows\KodeMonL.sys type= kernel
4⤵
PID:1308

C:\Windows\SysWOW64\sc.exe
sc start zillut
4⤵
PID:3348

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:3932

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1340

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

3

System Information Discovery

4