9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39

General

Target

9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe
Size

3.9MB
MD5

e1709314a69ea7f52ccdf4a88ac8e8bd
SHA1

56730e2f89bec0ab17fc37c4aa2b53ac49049728
SHA256

9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39
SHA512

8e499137d5c71769bfd04ef5c4affc8c4b5f41298e0f188274d968ab00073483b7cc409644f819a49b7630aab9945be9fe06a23da26a85f1f931a531c72b6368

Score

8^/10

macro persistence upx

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

._cache_9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exeSynaptics.exe

pid process

1384 ._cache_9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe
1364 Synaptics.exe

pid	process
1384	._cache_9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe
1364	Synaptics.exe

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Y2ymNpFC.xlsm	office_macros

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\._cache_9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe	upx
C:\Users\Admin\AppData\Local\Temp\._cache_9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe	upx
C:\Users\Admin\AppData\Local\Temp\._cache_9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe	upx
behavioral1/memory/1384-73-0x00000000003E0000-0x0000000000AA0000-memory.dmp	upx

Loads dropped DLL 3 IoCs

Processes:

9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe

pid	process
484	9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe
484	9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe
484	9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SS CRACK RETRIX = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

._cache_9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe

pid process

1384 ._cache_9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

pid	process
1384	._cache_9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1636 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

._cache_9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe

pid process

1384 ._cache_9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid process

1636 EXCEL.EXE

pid	process
1636	EXCEL.EXE

pid	process
1384	._cache_9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe

pid	process
1636	EXCEL.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe

description	pid	process	target process
PID 484 wrote to memory of 1384	484	9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe	._cache_9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe
PID 484 wrote to memory of 1384	484	9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe	._cache_9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe
PID 484 wrote to memory of 1384	484	9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe	._cache_9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe
PID 484 wrote to memory of 1384	484	9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe	._cache_9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe
PID 484 wrote to memory of 1364	484	9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe	Synaptics.exe
PID 484 wrote to memory of 1364	484	9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe	Synaptics.exe
PID 484 wrote to memory of 1364	484	9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe	Synaptics.exe
PID 484 wrote to memory of 1364	484	9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe	Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe
"C:\Users\Admin\AppData\Local\Temp\9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:484

C:\Users\Admin\AppData\Local\Temp\._cache_9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1384

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
2⤵
- Executes dropped EXE
PID:1364

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe
MD5
2bae0e67ed715358e25efdbc69c56507

SHA1
f5426b9fca39a1d7904ca59d3d83dce1c54d9eb1

SHA256
a2edeb8e3e1cd7e9847cf189f521a8d22422f91fe0add3d2c3e6f5d4f206adc6

SHA512
0632a0164be78d6c97a572eb4aaa9b46df41e1f42e10bf6fb8b9705877dede98d11fa34a9e5855ecb2024e59c6ccde74c97c06b07d2c88fafc469d61d555ccdf

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
MD5
2bae0e67ed715358e25efdbc69c56507

SHA1
f5426b9fca39a1d7904ca59d3d83dce1c54d9eb1

SHA256
a2edeb8e3e1cd7e9847cf189f521a8d22422f91fe0add3d2c3e6f5d4f206adc6

SHA512
0632a0164be78d6c97a572eb4aaa9b46df41e1f42e10bf6fb8b9705877dede98d11fa34a9e5855ecb2024e59c6ccde74c97c06b07d2c88fafc469d61d555ccdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe
MD5
1b67d03d66fbd0be5278b726cc7c3fc4

SHA1
7d2771174786f2c950c1b278bd6f5e809b3401da

SHA256
1ea69ef631748d6e17fed5c3d101e4e45a7a0e6abeb5bb99ddd8e4ceeab31c9a

SHA512
1d0348beffbcf6f6f8e96bfe4cdb069a54c255ff185e805b94fc50bff2be8a9c4ebea112dae1bd991f74ef2d503a0987461daabed81ee6c5e2129e21475a83c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe
MD5
1b67d03d66fbd0be5278b726cc7c3fc4

SHA1
7d2771174786f2c950c1b278bd6f5e809b3401da

SHA256
1ea69ef631748d6e17fed5c3d101e4e45a7a0e6abeb5bb99ddd8e4ceeab31c9a

SHA512
1d0348beffbcf6f6f8e96bfe4cdb069a54c255ff185e805b94fc50bff2be8a9c4ebea112dae1bd991f74ef2d503a0987461daabed81ee6c5e2129e21475a83c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y2ymNpFC.xlsm
MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
\ProgramData\Synaptics\Synaptics.exe
MD5
2bae0e67ed715358e25efdbc69c56507

SHA1
f5426b9fca39a1d7904ca59d3d83dce1c54d9eb1

SHA256
a2edeb8e3e1cd7e9847cf189f521a8d22422f91fe0add3d2c3e6f5d4f206adc6

SHA512
0632a0164be78d6c97a572eb4aaa9b46df41e1f42e10bf6fb8b9705877dede98d11fa34a9e5855ecb2024e59c6ccde74c97c06b07d2c88fafc469d61d555ccdf

Download Submit
\ProgramData\Synaptics\Synaptics.exe
MD5
2bae0e67ed715358e25efdbc69c56507

SHA1
f5426b9fca39a1d7904ca59d3d83dce1c54d9eb1

SHA256
a2edeb8e3e1cd7e9847cf189f521a8d22422f91fe0add3d2c3e6f5d4f206adc6

SHA512
0632a0164be78d6c97a572eb4aaa9b46df41e1f42e10bf6fb8b9705877dede98d11fa34a9e5855ecb2024e59c6ccde74c97c06b07d2c88fafc469d61d555ccdf

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_9a91bf3b61e3d56dc937350267be50e1d325204b2ebee287dfbfa92f71db1a39.exe
MD5
1b67d03d66fbd0be5278b726cc7c3fc4

SHA1
7d2771174786f2c950c1b278bd6f5e809b3401da

SHA256
1ea69ef631748d6e17fed5c3d101e4e45a7a0e6abeb5bb99ddd8e4ceeab31c9a

SHA512
1d0348beffbcf6f6f8e96bfe4cdb069a54c255ff185e805b94fc50bff2be8a9c4ebea112dae1bd991f74ef2d503a0987461daabed81ee6c5e2129e21475a83c3

Download Submit
memory/484-59-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/484-60-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1364-67-0x0000000000000000-mapping.dmp

Download
memory/1364-70-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1384-71-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1384-73-0x00000000003E0000-0x0000000000AA0000-memory.dmp

Filesize
6.8MB

Download
memory/1384-72-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1384-62-0x0000000000000000-mapping.dmp

Download
memory/1636-75-0x000000002F681000-0x000000002F684000-memory.dmp

Filesize
12KB

Download
memory/1636-76-0x0000000071981000-0x0000000071983000-memory.dmp

Filesize
8KB

Download
memory/1636-77-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads