a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7v20210410
submitted
11-05-2021 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe
Size

15.5MB
MD5

a6be4e2fbf011eec327a6394b72af75c
SHA1

9b5ed8b2a72aeb978019b2bdf105e083c11be184
SHA256

a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec
SHA512

4f3c9fdd96f877fae22ec31ab6ac7163c9b77eb26f7b1c1829d58f077e9e00b6b164dba3eef67432f049682ca01df5048acfb406049d18a72a769c02feb2185c

Score

8^/10

macro persistence vmprotect

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exeSynaptics.exeLogin Menu.exe

pid process

1960 ._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe
1712 Synaptics.exe
300 Login Menu.exe

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\YTxJrFsv.xlsm	office_macros

VMProtect packed file 7 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe	vmprotect
behavioral1/memory/1960-66-0x00000000012A0000-0x00000000012A1000-memory.dmp	vmprotect
C:\Windows\Fonts\Login Menu.exe	vmprotect
C:\Windows\Fonts\Login Menu.exe	vmprotect
behavioral1/memory/300-88-0x0000000000950000-0x0000000000951000-memory.dmp	vmprotect

Loads dropped DLL 3 IoCs

Processes:

a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe

pid	process
1268	a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe
1268	a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe
1268	a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe

Drops file in Windows directory 2 IoCs

Processes:

._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe

description	ioc	process
File created	C:\Windows\Fonts\Bunifu_UI_v1.4.dll	._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe
File created	C:\Windows\Fonts\Login Menu.exe	._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1192 EXCEL.EXE

pid	process
1192	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exeLogin Menu.exe

pid	process
1960	._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe
1960	._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe
1960	._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe
300	Login Menu.exe
300	Login Menu.exe
300	Login Menu.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exeLogin Menu.exe

description	pid	process
Token: SeDebugPrivilege	1960	._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe
Token: SeDebugPrivilege	300	Login Menu.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid process

1192 EXCEL.EXE

pid	process
1192	EXCEL.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe

description	pid	process	target process
PID 1268 wrote to memory of 1960	1268	a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe	._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe
PID 1268 wrote to memory of 1960	1268	a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe	._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe
PID 1268 wrote to memory of 1960	1268	a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe	._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe
PID 1268 wrote to memory of 1960	1268	a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe	._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe
PID 1268 wrote to memory of 1712	1268	a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe	Synaptics.exe
PID 1268 wrote to memory of 1712	1268	a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe	Synaptics.exe
PID 1268 wrote to memory of 1712	1268	a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe	Synaptics.exe
PID 1268 wrote to memory of 1712	1268	a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe	Synaptics.exe
PID 1960 wrote to memory of 300	1960	._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe	Login Menu.exe
PID 1960 wrote to memory of 300	1960	._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe	Login Menu.exe
PID 1960 wrote to memory of 300	1960	._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe	Login Menu.exe

C:\Users\Admin\AppData\Local\Temp\a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe
"C:\Users\Admin\AppData\Local\Temp\a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\Fonts\Login Menu.exe
"C:\Windows\Fonts\Login Menu.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:300

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
2⤵
- Executes dropped EXE
PID:1712

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe
MD5
5b2fb0659bfda91df53b4e1ac14a087d

SHA1
df04fb68c0cb775da8fe9c8a43d561f2932aaa2f

SHA256
ba305f580b127a449688ef03d63e6bcee58e60500036280398456bbfb5f41059

SHA512
0741dd076dcd946c043fec5c730cd7d49551b35e9eb4d0704b152d8aa834f096bb3e012dab17109b17de1d6aae3311c0a1e9ab6c56d45ef59e73326dc4d44e5a

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
MD5
5b2fb0659bfda91df53b4e1ac14a087d

SHA1
df04fb68c0cb775da8fe9c8a43d561f2932aaa2f

SHA256
ba305f580b127a449688ef03d63e6bcee58e60500036280398456bbfb5f41059

SHA512
0741dd076dcd946c043fec5c730cd7d49551b35e9eb4d0704b152d8aa834f096bb3e012dab17109b17de1d6aae3311c0a1e9ab6c56d45ef59e73326dc4d44e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe
MD5
45271eb8bd0a6c1ff17bc95c7f5db7d9

SHA1
172434d42d9fbc9e7a7f7e06df36c8e674daf472

SHA256
8af889771de321daf952327fdc173b68ed9560ddc25747894ee2c4596dcf336c

SHA512
2f9d8ac0bec09bc9f388a51eb89a535fade2ff24f767715afe85f1c28d8df3e2445b8e776f67352ba07aba99356b47a2af8ee9d46be7b3a4942389cf09a77761

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe
MD5
45271eb8bd0a6c1ff17bc95c7f5db7d9

SHA1
172434d42d9fbc9e7a7f7e06df36c8e674daf472

SHA256
8af889771de321daf952327fdc173b68ed9560ddc25747894ee2c4596dcf336c

SHA512
2f9d8ac0bec09bc9f388a51eb89a535fade2ff24f767715afe85f1c28d8df3e2445b8e776f67352ba07aba99356b47a2af8ee9d46be7b3a4942389cf09a77761

Download Submit
C:\Users\Admin\AppData\Local\Temp\YTxJrFsv.xlsm
MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Windows\Fonts\Bunifu_UI_v1.4.dll
MD5
44897233a89b82c11fa5339bd0c4d4bb

SHA1
6517d2868494ac883a421f2bbbc90900544f789c

SHA256
1328161c84ff5e739b610b43051a5eb7fd8f2a6f643c9b3163f2ea6f35fced79

SHA512
6790da1f3b7add625442ed666403f32ee1c39766ed40f191cfecaa1c1503dfc45f5480944277b8ee64241959394296ab93a676f00e89d68721b0e0d932031c85

Download Submit
C:\Windows\Fonts\Login Menu.exe
MD5
643946384a1da7ff4a44b931ffbd6d2a

SHA1
7e43c3e7ca7230cf903e05d7a2079ea8698399ad

SHA256
3661d39d75fdd38085b983d48d38ceff64dbe5f771630926e91a8fee6c915792

SHA512
7242aecf09470e0d7b680327cbf02f5d017c9246287f2feeef4207985479171027578796afe161a3d0dac82934d02862c96f0757df62decda2e2dbc0f4012fc2

Download Submit
C:\Windows\Fonts\Login Menu.exe
MD5
643946384a1da7ff4a44b931ffbd6d2a

SHA1
7e43c3e7ca7230cf903e05d7a2079ea8698399ad

SHA256
3661d39d75fdd38085b983d48d38ceff64dbe5f771630926e91a8fee6c915792

SHA512
7242aecf09470e0d7b680327cbf02f5d017c9246287f2feeef4207985479171027578796afe161a3d0dac82934d02862c96f0757df62decda2e2dbc0f4012fc2

Download Submit
\ProgramData\Synaptics\Synaptics.exe
MD5
5b2fb0659bfda91df53b4e1ac14a087d

SHA1
df04fb68c0cb775da8fe9c8a43d561f2932aaa2f

SHA256
ba305f580b127a449688ef03d63e6bcee58e60500036280398456bbfb5f41059

SHA512
0741dd076dcd946c043fec5c730cd7d49551b35e9eb4d0704b152d8aa834f096bb3e012dab17109b17de1d6aae3311c0a1e9ab6c56d45ef59e73326dc4d44e5a

Download Submit
\ProgramData\Synaptics\Synaptics.exe
MD5
5b2fb0659bfda91df53b4e1ac14a087d

SHA1
df04fb68c0cb775da8fe9c8a43d561f2932aaa2f

SHA256
ba305f580b127a449688ef03d63e6bcee58e60500036280398456bbfb5f41059

SHA512
0741dd076dcd946c043fec5c730cd7d49551b35e9eb4d0704b152d8aa834f096bb3e012dab17109b17de1d6aae3311c0a1e9ab6c56d45ef59e73326dc4d44e5a

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe
MD5
45271eb8bd0a6c1ff17bc95c7f5db7d9

SHA1
172434d42d9fbc9e7a7f7e06df36c8e674daf472

SHA256
8af889771de321daf952327fdc173b68ed9560ddc25747894ee2c4596dcf336c

SHA512
2f9d8ac0bec09bc9f388a51eb89a535fade2ff24f767715afe85f1c28d8df3e2445b8e776f67352ba07aba99356b47a2af8ee9d46be7b3a4942389cf09a77761

Download Submit
memory/300-98-0x000000001B116000-0x000000001B135000-memory.dmp

Filesize
124KB

Download
memory/300-88-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/300-99-0x000000001B135000-0x000000001B136000-memory.dmp

Filesize
4KB

Download
memory/300-94-0x000000001B110000-0x000000001B112000-memory.dmp

Filesize
8KB

Download
memory/300-85-0x0000000000000000-mapping.dmp

Download
memory/300-92-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1192-80-0x0000000071191000-0x0000000071193000-memory.dmp

Filesize
8KB

Download
memory/1192-81-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1192-79-0x000000002F631000-0x000000002F634000-memory.dmp

Filesize
12KB

Download
memory/1268-61-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1268-60-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/1712-73-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1712-70-0x0000000000000000-mapping.dmp

Download
memory/1960-76-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1960-84-0x000000001FD60000-0x00000000204DC000-memory.dmp

Filesize
7.5MB

Download
memory/1960-63-0x0000000000000000-mapping.dmp

Download
memory/1960-75-0x000000001CA50000-0x000000001CA52000-memory.dmp

Filesize
8KB

Download
memory/1960-66-0x00000000012A0000-0x00000000012A1000-memory.dmp

Filesize
4KB

Download

pid	process
1960	._cache_a1ee406d1c88cbb3f4ceabd527b2b8fce144d4187a3b0cf100db8f06dfa533ec.exe
1712	Synaptics.exe
300	Login Menu.exe