67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899

General

Target

67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe
Size

4.8MB
MD5

4b3a879252b506e5e00e6c55213ad68e
SHA1

c069c6d519cbf34643fd3bdbd168372ce5158bfb
SHA256

67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899
SHA512

13975a184718beecdef603fd6c91eb4c28dbf8807e01767427fdc91a8fde662e08306f73e2765addaa5cd96f9cd43fc657de08160c6c70c93f1569dfb3ee573a

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

._cache_67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exeSynaptics.exe

pid process

1772 ._cache_67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe
2624 Synaptics.exe

pid	process
1772	._cache_67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe
2624	Synaptics.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe

description	pid	process	target process
PID 3904 wrote to memory of 1772	3904	67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe	._cache_67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe
PID 3904 wrote to memory of 1772	3904	67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe	._cache_67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe
PID 3904 wrote to memory of 1772	3904	67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe	._cache_67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe
PID 3904 wrote to memory of 2624	3904	67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe	Synaptics.exe
PID 3904 wrote to memory of 2624	3904	67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe	Synaptics.exe
PID 3904 wrote to memory of 2624	3904	67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe	Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe
"C:\Users\Admin\AppData\Local\Temp\67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Users\Admin\AppData\Local\Temp\._cache_67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe"
  2⤵
  - Executes dropped EXE
  PID:1772
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  PID:2624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

MD5
85c4062ca855443ba02c2b83503ddc14

SHA1
5fa7451b7808c19a3d28dbbd4f662d0a584b6c77

SHA256
9770a6476b607f28077320caa244bbdde08611769338485faa64ad3bee4616cf

SHA512
851b48968e44604db4d02ec29744e6e2ca006e20bfb8883152860984dd4a648684e20b97b83a0b76afd21a922b3ac1afa9b2d54d9e3125b2e9b6958a8a7f5c7e

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

MD5
85c4062ca855443ba02c2b83503ddc14

SHA1
5fa7451b7808c19a3d28dbbd4f662d0a584b6c77

SHA256
9770a6476b607f28077320caa244bbdde08611769338485faa64ad3bee4616cf

SHA512
851b48968e44604db4d02ec29744e6e2ca006e20bfb8883152860984dd4a648684e20b97b83a0b76afd21a922b3ac1afa9b2d54d9e3125b2e9b6958a8a7f5c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe

MD5
85343760d1c1526003559c74fc291b91

SHA1
d70031338a63bca3745e0fcac00c6719f4144f12

SHA256
c347da5bb6522de36bef498f438737100ad24a7c29894806be14cc829d38f9e8

SHA512
9db4e9264731c349c93451bb68535b932f034ba448563a021c2ace5d39f0587922dc0f5a647524e6189c23bd8eb131f8a50bf5172ad4470744a442a9ebe63e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_67a900d2d57f1e6a224009c00579b2d5bdf0d0b74d71c8bc4944da906a9e7899.exe

MD5
85343760d1c1526003559c74fc291b91

SHA1
d70031338a63bca3745e0fcac00c6719f4144f12

SHA256
c347da5bb6522de36bef498f438737100ad24a7c29894806be14cc829d38f9e8

SHA512
9db4e9264731c349c93451bb68535b932f034ba448563a021c2ace5d39f0587922dc0f5a647524e6189c23bd8eb131f8a50bf5172ad4470744a442a9ebe63e0d

Download Submit
memory/1772-115-0x0000000000000000-mapping.dmp

Download
memory/2624-118-0x0000000000000000-mapping.dmp

Download
memory/2624-121-0x00000000005F0000-0x000000000073A000-memory.dmp

Filesize
1.3MB

Download
memory/3904-114-0x0000000000A10000-0x0000000000B5A000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads