Analysis
Max time kernel: 53s
Max time network: 82s
Platform: windows7_x64
Resource: win7v20210410
Submitted: 08-07-2021 08:45
Static task: static1
Behavioral task: behavioral1 (Sample: sample.exe, Resource: win7v20210410)
Behavioral task: behavioral2 (Sample: sample.exe, Resource: win10v20210408)
General
Target: sample.exe
Size: 4.6MB
MD5: 97a2004028b9687561993ed9cabc0ee4
SHA1: 3d35d423479b1b8a755144c30a4b347d4f915175
SHA256: 5ceca4728f509e3b8b58f71296472de6572c63db934b2e9c2530cae561ae608a
SHA512: e0c196fd1e70d01910ea2a944ad46d7aeb87a34efc305a904ec2dde2848ce76e744beb638611c45d292c2733b7a4bcf93e76297fda80ddd2b8c9e103c35c1de0
Malware Config
Signatures

Executes dropped EXE (3 IoCs)
Processes (pid, process):
  612  ._cache_sample.exe
  1964 Synaptics.exe
  772  yykymu.exe

Loads dropped DLL (3 IoCs)
Processes (pid, process):
  1724 sample.exe (3 entries)

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description, ioc, process):
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"  (sample.exe)

Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes (description, ioc, process):
  File opened for modification  \??\PHYSICALDRIVE0  (yykymu.exe)

Drops file in System32 directory (2 IoCs)
Processes (description, ioc, process):
  File created  C:\Windows\SysWOW64\yykymu.exe  (._cache_sample.exe)
  File opened for modification  C:\Windows\SysWOW64\yykymu.exe  (._cache_sample.exe)

Suspicious use of NtSetInformationThreadHideFromDebugger (64 IoCs)
Processes (pid, process):
  612 ._cache_sample.exe and 772 yykymu.exe (all 64 entries come from these two processes)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  (yykymu.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  (yykymu.exe)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
  Token: SeIncBasePriorityPrivilege  612  ._cache_sample.exe
  Token: SeShutdownPrivilege  772  yykymu.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description, pid, process, target process):
  PID 1724 wrote to memory of 612   sample.exe -> ._cache_sample.exe (4 entries)
  PID 1724 wrote to memory of 1964  sample.exe -> Synaptics.exe (4 entries)
  PID 612 wrote to memory of 816    ._cache_sample.exe -> cmd.exe (4 entries)
Processes
(Indentation shows the process tree; the number in brackets is the nesting depth reported by the sandbox.)

[1] C:\Users\Admin\AppData\Local\Temp\sample.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\._cache_sample.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_sample.exe"
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\_CACHE~1.EXE > nul

    [2] C:\ProgramData\Synaptics\Synaptics.exe
        Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        - Executes dropped EXE

[1] C:\Windows\SysWOW64\yykymu.exe
    Command line: C:\Windows\SysWOW64\yykymu.exe
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\LogonUI.exe
    Command line: "LogonUI.exe" /flags:0x0
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
(Dropped files. The report lists several of these more than once, under both "C:\..." and "\..." paths; duplicate entries with identical hashes are consolidated here.)

C:\ProgramData\Synaptics\Synaptics.exe (also listed as \ProgramData\Synaptics\Synaptics.exe)
MD5: e1230466283011778b5ddb2c622a9beb
SHA1: a6e476c1821d6ee42ead730843331e0661e3bad2
SHA256: bf3cccf8a6099b0f5788d11d7c26532e89d03eb22f019dff9f17803508e071f1
SHA512: 23449bb0a1fc8d6fc1db86554b07771e95a816d6299fcffbb35dd229769d261f820d0fb27b5536235b1de7364cf4701de6245b9cc47ea53ef96c42aaa0724449

C:\Users\Admin\AppData\Local\Temp\._cache_sample.exe (also listed as \Users\Admin\AppData\Local\Temp\._cache_sample.exe)
MD5: 0c77a192f14fbf587e4f7fbf7abe03f6
SHA1: 21373d839c4392046254d9afee6bcd4bed344db6
SHA256: 9a3802de337c11336c8b40a7cdbbe4668eec13d86f7db7c4a8e20bd20932496d
SHA512: abbf7585ae9c97b40200c777ca58b9df87d0591debdacebe56f9ccc49d1cf8a56644a9771b1e719eeab285456dbabeb8963df95ee25693860006b09e8cb89c20

C:\Windows\SysWOW64\yykymu.exe (same hashes as ._cache_sample.exe above, i.e. a byte-identical copy)
MD5: 0c77a192f14fbf587e4f7fbf7abe03f6
SHA1: 21373d839c4392046254d9afee6bcd4bed344db6
SHA256: 9a3802de337c11336c8b40a7cdbbe4668eec13d86f7db7c4a8e20bd20932496d
SHA512: abbf7585ae9c97b40200c777ca58b9df87d0591debdacebe56f9ccc49d1cf8a56644a9771b1e719eeab285456dbabeb8963df95ee25693860006b09e8cb89c20
Memory dumps (one line per dump; filesize in brackets where the report gives one):
memory/612-80-0x0000000002930000-0x0000000002A41000-memory.dmp (1.1MB)
memory/612-81-0x0000000002A50000-0x0000000002B51000-memory.dmp (1.0MB)
memory/612-73-0x0000000075FB0000-0x0000000075FF7000-memory.dmp (284KB)
memory/612-76-0x00000000760A0000-0x0000000076140000-memory.dmp (640KB)
memory/612-77-0x0000000002440000-0x0000000002489000-memory.dmp (292KB)
memory/612-62-0x0000000000000000-mapping.dmp
memory/612-82-0x0000000010000000-0x000000001002B000-memory.dmp (172KB)
memory/612-78-0x0000000002600000-0x0000000002781000-memory.dmp (1.5MB)
memory/772-95-0x00000000028F0000-0x0000000002A01000-memory.dmp (1.1MB)
memory/772-88-0x0000000075FB0000-0x0000000075FF7000-memory.dmp (284KB)
memory/772-91-0x00000000760A0000-0x0000000076140000-memory.dmp (640KB)
memory/772-92-0x0000000002430000-0x0000000002479000-memory.dmp (292KB)
memory/772-93-0x0000000002640000-0x00000000027C1000-memory.dmp (1.5MB)
memory/772-96-0x0000000002A10000-0x0000000002B11000-memory.dmp (1.0MB)
memory/816-100-0x0000000000000000-mapping.dmp
memory/1724-60-0x0000000075161000-0x0000000075163000-memory.dmp (8KB)
memory/1724-65-0x0000000000230000-0x0000000000231000-memory.dmp (4KB)
memory/1880-101-0x000007FEFB571000-0x000007FEFB573000-memory.dmp (8KB)
memory/1880-102-0x00000000027C0000-0x00000000027C1000-memory.dmp (4KB)
memory/1964-68-0x0000000000000000-mapping.dmp
memory/1964-71-0x0000000000220000-0x0000000000221000-memory.dmp (4KB)