67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899

General

Target

67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe
Size

4.8MB
MD5

4b3a879252b506e5e00e6c55213ad68e
SHA1

c069c6d519cbf34643fd3bdbd168372ce5158bfb
SHA256

67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899
SHA512

13975a184718beecdef603fd6c91eb4c28dbf8807e01767427fdc91a8fde662e08306f73e2765addaa5cd96f9cd43fc657de08160c6c70c93f1569dfb3ee573a

Score

8^/10

macro persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

._cache_67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exeSynaptics.exe

pid process

1956 ._cache_67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe
1740 Synaptics.exe

pid	process
1956	._cache_67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe
1740	Synaptics.exe

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\y8hAsqoZ.xlsm	office_macros

Loads dropped DLL 4 IoCs

Processes:

67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe

pid	process
1688	67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe
1688	67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe
1688	67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe
1688	67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

592 EXCEL.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid process

592 EXCEL.EXE

pid	process
592	EXCEL.EXE

pid	process
592	EXCEL.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe

description	pid	process	target process
PID 1688 wrote to memory of 1956	1688	67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe	._cache_67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe
PID 1688 wrote to memory of 1956	1688	67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe	._cache_67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe
PID 1688 wrote to memory of 1956	1688	67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe	._cache_67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe
PID 1688 wrote to memory of 1956	1688	67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe	._cache_67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe
PID 1688 wrote to memory of 1740	1688	67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe	Synaptics.exe
PID 1688 wrote to memory of 1740	1688	67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe	Synaptics.exe
PID 1688 wrote to memory of 1740	1688	67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe	Synaptics.exe
PID 1688 wrote to memory of 1740	1688	67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe	Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe
"C:\Users\Admin\AppData\Local\Temp\67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Local\Temp\._cache_67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe"
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  PID:1740

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

MD5
85c4062ca855443ba02c2b83503ddc14

SHA1
5fa7451b7808c19a3d28dbbd4f662d0a584b6c77

SHA256
9770a6476b607f28077320caa244bbdde08611769338485faa64ad3bee4616cf

SHA512
851b48968e44604db4d02ec29744e6e2ca006e20bfb8883152860984dd4a648684e20b97b83a0b76afd21a922b3ac1afa9b2d54d9e3125b2e9b6958a8a7f5c7e

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

MD5
85c4062ca855443ba02c2b83503ddc14

SHA1
5fa7451b7808c19a3d28dbbd4f662d0a584b6c77

SHA256
9770a6476b607f28077320caa244bbdde08611769338485faa64ad3bee4616cf

SHA512
851b48968e44604db4d02ec29744e6e2ca006e20bfb8883152860984dd4a648684e20b97b83a0b76afd21a922b3ac1afa9b2d54d9e3125b2e9b6958a8a7f5c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe

MD5
85343760d1c1526003559c74fc291b91

SHA1
d70031338a63bca3745e0fcac00c6719f4144f12

SHA256
c347da5bb6522de36bef498f438737100ad24a7c29894806be14cc829d38f9e8

SHA512
9db4e9264731c349c93451bb68535b932f034ba448563a021c2ace5d39f0587922dc0f5a647524e6189c23bd8eb131f8a50bf5172ad4470744a442a9ebe63e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\y8hAsqoZ.xlsm

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
\ProgramData\Synaptics\Synaptics.exe

MD5
85c4062ca855443ba02c2b83503ddc14

SHA1
5fa7451b7808c19a3d28dbbd4f662d0a584b6c77

SHA256
9770a6476b607f28077320caa244bbdde08611769338485faa64ad3bee4616cf

SHA512
851b48968e44604db4d02ec29744e6e2ca006e20bfb8883152860984dd4a648684e20b97b83a0b76afd21a922b3ac1afa9b2d54d9e3125b2e9b6958a8a7f5c7e

Download Submit
\ProgramData\Synaptics\Synaptics.exe

MD5
85c4062ca855443ba02c2b83503ddc14

SHA1
5fa7451b7808c19a3d28dbbd4f662d0a584b6c77

SHA256
9770a6476b607f28077320caa244bbdde08611769338485faa64ad3bee4616cf

SHA512
851b48968e44604db4d02ec29744e6e2ca006e20bfb8883152860984dd4a648684e20b97b83a0b76afd21a922b3ac1afa9b2d54d9e3125b2e9b6958a8a7f5c7e

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe

MD5
85343760d1c1526003559c74fc291b91

SHA1
d70031338a63bca3745e0fcac00c6719f4144f12

SHA256
c347da5bb6522de36bef498f438737100ad24a7c29894806be14cc829d38f9e8

SHA512
9db4e9264731c349c93451bb68535b932f034ba448563a021c2ace5d39f0587922dc0f5a647524e6189c23bd8eb131f8a50bf5172ad4470744a442a9ebe63e0d

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe

MD5
85343760d1c1526003559c74fc291b91

SHA1
d70031338a63bca3745e0fcac00c6719f4144f12

SHA256
c347da5bb6522de36bef498f438737100ad24a7c29894806be14cc829d38f9e8

SHA512
9db4e9264731c349c93451bb68535b932f034ba448563a021c2ace5d39f0587922dc0f5a647524e6189c23bd8eb131f8a50bf5172ad4470744a442a9ebe63e0d

Download Submit
memory/592-73-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/592-71-0x000000002FE31000-0x000000002FE34000-memory.dmp

Filesize
12KB

Download
memory/592-72-0x0000000071361000-0x0000000071363000-memory.dmp

Filesize
8KB

Download
memory/1688-61-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1688-59-0x0000000075011000-0x0000000075013000-memory.dmp

Filesize
8KB

Download
memory/1740-67-0x0000000000000000-mapping.dmp

Download
memory/1740-70-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1956-63-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads