Overview

overview

8

Static

static

8862174f75...61.exe

windows7_x64

8

8862174f75...61.exe

windows10_x64

8

Analysis

  • max time kernel
    131s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    11-05-2021 17:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8862174f75144241ed94e5b40d2985c74a4d7d3c708b6820d89c957893c31a61.exe

  • Size

    1.3MB

  • MD5

    3a3559db7757ea0b902c221e89741319

  • SHA1

    13b015396f281c059c2d8def984e75f81bc656fe

  • SHA256

    8862174f75144241ed94e5b40d2985c74a4d7d3c708b6820d89c957893c31a61

  • SHA512

    529ffc076c2a9a47e124fd1fcf82633539e860df2a347acbd358d6ad82319236d6b0107704ee0bd404b018774248c04d4140867c649adaddbf76419718e8644c

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8862174f75144241ed94e5b40d2985c74a4d7d3c708b6820d89c957893c31a61.exe
    "C:\Users\Admin\AppData\Local\Temp\8862174f75144241ed94e5b40d2985c74a4d7d3c708b6820d89c957893c31a61.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:980
    • C:\Users\Admin\AppData\Local\Temp\._cache_8862174f75144241ed94e5b40d2985c74a4d7d3c708b6820d89c957893c31a61.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_8862174f75144241ed94e5b40d2985c74a4d7d3c708b6820d89c957893c31a61.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1776
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      PID:1408

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    MD5

    cf164330da0dde9201f74ebe2b580d3f

    SHA1

    2299e06512e6a849cc1765964e7c0cc26f6b188c

    SHA256

    3235b73709f9eae9b2ea5044a0e11f64a4612a02efb9e618eaf390c2a3edecbc

    SHA512

    ddd150ba9eb719fac7db15845b35686cff38b2f095fc20d0d48e74f67910ecaf5f36d6a89330efcf59b8e2e42c0c6abdf9b61baf7a52c3892e407baf189a7757

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\._cache_8862174f75144241ed94e5b40d2985c74a4d7d3c708b6820d89c957893c31a61.exe
    MD5

    123fb96f78d1c56b99821ecc9e7e8ad2

    SHA1

    83b3c4cdb302564b2c327da7ea03f1af749cc329

    SHA256

    fb9dd1a4ead9f943cf09820c74a6919d0f405e3defe6500142cb7ab8a799e862

    SHA512

    2d77fedb1fb41ebb2dbb3aead46742d59794521c54412923a80ad8dbacdde19dcda518c554f17c455f6db93bebeae707eb291169f48a051eb32b80d35ce86693

    Download Submit
  • \ProgramData\Synaptics\Synaptics.exe
    MD5

    cf164330da0dde9201f74ebe2b580d3f

    SHA1

    2299e06512e6a849cc1765964e7c0cc26f6b188c

    SHA256

    3235b73709f9eae9b2ea5044a0e11f64a4612a02efb9e618eaf390c2a3edecbc

    SHA512

    ddd150ba9eb719fac7db15845b35686cff38b2f095fc20d0d48e74f67910ecaf5f36d6a89330efcf59b8e2e42c0c6abdf9b61baf7a52c3892e407baf189a7757

    Download Submit
  • \ProgramData\Synaptics\Synaptics.exe
    MD5

    cf164330da0dde9201f74ebe2b580d3f

    SHA1

    2299e06512e6a849cc1765964e7c0cc26f6b188c

    SHA256

    3235b73709f9eae9b2ea5044a0e11f64a4612a02efb9e618eaf390c2a3edecbc

    SHA512

    ddd150ba9eb719fac7db15845b35686cff38b2f095fc20d0d48e74f67910ecaf5f36d6a89330efcf59b8e2e42c0c6abdf9b61baf7a52c3892e407baf189a7757

    Download Submit
  • \Users\Admin\AppData\Local\Temp\._cache_8862174f75144241ed94e5b40d2985c74a4d7d3c708b6820d89c957893c31a61.exe
    MD5

    123fb96f78d1c56b99821ecc9e7e8ad2

    SHA1

    83b3c4cdb302564b2c327da7ea03f1af749cc329

    SHA256

    fb9dd1a4ead9f943cf09820c74a6919d0f405e3defe6500142cb7ab8a799e862

    SHA512

    2d77fedb1fb41ebb2dbb3aead46742d59794521c54412923a80ad8dbacdde19dcda518c554f17c455f6db93bebeae707eb291169f48a051eb32b80d35ce86693

    Download Submit
  • \Users\Admin\AppData\Local\Temp\._cache_8862174f75144241ed94e5b40d2985c74a4d7d3c708b6820d89c957893c31a61.exe
    MD5

    123fb96f78d1c56b99821ecc9e7e8ad2

    SHA1

    83b3c4cdb302564b2c327da7ea03f1af749cc329

    SHA256

    fb9dd1a4ead9f943cf09820c74a6919d0f405e3defe6500142cb7ab8a799e862

    SHA512

    2d77fedb1fb41ebb2dbb3aead46742d59794521c54412923a80ad8dbacdde19dcda518c554f17c455f6db93bebeae707eb291169f48a051eb32b80d35ce86693

    Download Submit
  • memory/980-61-0x0000000000220000-0x0000000000221000-memory.dmp
    Filesize

    4KB

    Download
  • memory/980-60-0x0000000075FF1000-0x0000000075FF3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1408-68-0x0000000000000000-mapping.dmp
    Download
  • memory/1408-71-0x0000000000220000-0x0000000000221000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1776-64-0x0000000000000000-mapping.dmp
    Download
  • memory/1776-72-0x0000000001F50000-0x0000000001FC0000-memory.dmp
    Filesize

    448KB

    Download
  • memory/1776-75-0x0000000002182000-0x0000000002183000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1776-74-0x0000000002181000-0x0000000002182000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1776-76-0x0000000002184000-0x0000000002185000-memory.dmp
    Filesize

    4KB

    Download