Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 08-07-2021 08:45
- Static task: static1
- Behavioral task: behavioral1 (sample: sample.exe, resource: win7v20210410)
- Behavioral task: behavioral2 (sample: sample.exe, resource: win10v20210408)
General
- Target: sample.exe
- Size: 4.6MB
- MD5: 97a2004028b9687561993ed9cabc0ee4
- SHA1: 3d35d423479b1b8a755144c30a4b347d4f915175
- SHA256: 5ceca4728f509e3b8b58f71296472de6572c63db934b2e9c2530cae561ae608a
- SHA512: e0c196fd1e70d01910ea2a944ad46d7aeb87a34efc305a904ec2dde2848ce76e744beb638611c45d292c2733b7a4bcf93e76297fda80ddd2b8c9e103c35c1de0
Malware Config
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
- WerFault.exe (PID 4548) created tgzvuy.exe (PID 4364)
Executes dropped EXE 3 IoCs
Processes:
- 3692 ._cache_sample.exe
- 736 Synaptics.exe
- 4364 tgzvuy.exe
Processes:
- yara_rule office_macros matched resource C:\Users\Admin\AppData\Local\Temp\V53WnWoU.xlsm
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- sample.exe: Key value queried \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- sample.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"
Drops file in System32 directory 2 IoCs
Processes:
- ._cache_sample.exe: File created C:\Windows\SysWOW64\tgzvuy.exe
- ._cache_sample.exe: File opened for modification C:\Windows\SysWOW64\tgzvuy.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
Processes (64 calls in total):
- 3692 ._cache_sample.exe (51 calls)
- 4364 tgzvuy.exe (13 calls)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
Processes:
- 2384 WerFault.exe, target 4364 tgzvuy.exe
- 4548 WerFault.exe, target 4364 tgzvuy.exe
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- tgzvuy.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- tgzvuy.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- EXCEL.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
- EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
- EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
- EXCEL.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
- EXCEL.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
Modifies registry class 1 IoCs
Processes:
- sample.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
- 4220 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes:
- 2384 WerFault.exe (15 calls)
- 4548 WerFault.exe (15 calls)
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
- Token: SeIncBasePriorityPrivilege, 3692 ._cache_sample.exe
- Token: SeRestorePrivilege, 2384 WerFault.exe
- Token: SeBackupPrivilege, 2384 WerFault.exe
- Token: SeDebugPrivilege, 2384 WerFault.exe
- Token: SeDebugPrivilege, 4548 WerFault.exe
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
- 4220 EXCEL.EXE (5 calls)
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
- PID 4648 sample.exe wrote to memory of 3692 ._cache_sample.exe (3 calls)
- PID 4648 sample.exe wrote to memory of 736 Synaptics.exe (3 calls)
- PID 3692 ._cache_sample.exe wrote to memory of 4532 cmd.exe (3 calls)
Processes (PIDs taken from the signature tables above)
- C:\Users\Admin\AppData\Local\Temp\sample.exe (PID 4648)
  command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\._cache_sample.exe (PID 3692)
    command line: "C:\Users\Admin\AppData\Local\Temp\._cache_sample.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 4532)
      command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\_CACHE~1.EXE > nul
  - C:\ProgramData\Synaptics\Synaptics.exe (PID 736)
    command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    - Executes dropped EXE
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 4220)
  command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\tgzvuy.exe (PID 4364)
  command line: C:\Windows\SysWOW64\tgzvuy.exe
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - C:\Windows\SysWOW64\WerFault.exe (PID 2384)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 1112
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (PID 4548)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 1020
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
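Three of the behaviours recorded above are cheap to detect from endpoint telemetry: the Run key whose value points under C:\ProgramData, the executable dropped into C:\Windows\SysWOW64 by a process running from the user's Temp directory, and the child cmd.exe that deletes its parent's own image through the 8.3 short name _CACHE~1.EXE. The following is an added example of that detection logic, written for this page and not the sandbox vendor's code. The event records are constructed Sysmon-style dictionaries modelled on the report's IoCs plus two benign controls, not telemetry from this run; the Sysmon event IDs (1, 11, 13) are real, the field names and the benign file names are assumptions.

```python
"""Detection logic for the three host behaviours recorded in the signatures
and process tree above: a Run key whose target lives under a user-writable
directory, a file dropped into SysWOW64 by a process running outside
C:\\Windows, and a child cmd.exe deleting its parent's own image (here via
the 8.3 short name _CACHE~1.EXE). Added example, not the sandbox's code.
EVENTS is constructed: Sysmon-like dictionaries modelled on the report's
IoCs plus two benign control events, not real telemetry."""
import re

# Sysmon event IDs used by the constructed events below.
REGISTRY_SET, FILE_CREATE, PROCESS_CREATE = 13, 11, 1

RUN_KEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run\\", re.I)
SYSTEM_DIR_RE = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.I)
CMD_DEL_RE = re.compile(r"/c\s+del\s+(?P<target>\S+)", re.I)
# Autostart targets under these roots are writable without admin rights
# (ProgramData) or sit in a user profile; real drivers rarely live there.
USER_WRITABLE_ROOTS = ("c:\\programdata\\", "c:\\users\\")

EVENTS = [
    {"id": REGISTRY_SET, "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver",
     "details": r"C:\ProgramData\Synaptics\Synaptics.exe"},
    {"id": FILE_CREATE, "image": r"C:\Users\Admin\AppData\Local\Temp\._cache_sample.exe",
     "target": r"C:\Windows\SysWOW64\tgzvuy.exe"},
    {"id": PROCESS_CREATE, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\._cache_sample.exe",
     "command_line": r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\_CACHE~1.EXE > nul"},
    # Benign controls (constructed): an installer registering a Program Files
    # autostart, and a Windows service writing into SysWOW64.
    {"id": REGISTRY_SET, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"id": FILE_CREATE, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\SysWOW64\driverstore.tmp"},
]


def norm(path: str) -> str:
    return path.strip('"').lower()


def short_name_key(filename: str) -> tuple:
    """Approximate the 8.3 short name Windows derives from a long name, so that
    '_CACHE~1.EXE' and '._cache_sample.exe' compare equal: all dots but the
    last are dropped, the stem is cut to 6 characters (the '~N' suffix is
    ignored because N depends on directory contents) and the extension to 3."""
    name = filename.lower()
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""
    stem = stem.split("~")[0]
    stem = re.sub(r"[^a-z0-9_$&\-]", "", stem)  # removes remaining dots and spaces
    return stem[:6], ext[:3]


def deletes_parent_image(command_line: str, parent_image: str) -> bool:
    """True when a 'cmd /c del <file>' targets the parent's image, by exact
    name or by its 8.3 short name, in the parent's own directory."""
    m = CMD_DEL_RE.search(command_line)
    if not m:
        return False
    tdir, _, tname = norm(m.group("target")).rpartition("\\")
    pdir, _, pname = norm(parent_image).rpartition("\\")
    return tdir == pdir and (tname == pname or short_name_key(tname) == short_name_key(pname))


def detect(events) -> list:
    """Return (rule, image, detail) tuples for every event that matches a rule."""
    findings = []
    for ev in events:
        if ev["id"] == REGISTRY_SET and RUN_KEY_RE.search(ev["target"]):
            if norm(ev["details"]).startswith(USER_WRITABLE_ROOTS):
                findings.append(("run_key_to_user_writable_path", ev["image"], ev["details"]))
        elif ev["id"] == FILE_CREATE and SYSTEM_DIR_RE.match(norm(ev["target"])):
            if not norm(ev["image"]).startswith("c:\\windows\\"):
                findings.append(("system_dir_drop_by_non_windows_image", ev["image"], ev["target"]))
        elif ev["id"] == PROCESS_CREATE and norm(ev["image"]).endswith("\\cmd.exe"):
            if deletes_parent_image(ev["command_line"], ev.get("parent_image", "")):
                findings.append(("self_deletion_via_cmd_del", ev.get("parent_image", ""), ev["command_line"]))
    return findings


if __name__ == "__main__":
    for rule, image, detail in detect(EVENTS):
        print(f"{rule}: {image} -> {detail}")
```

The short-name comparison matters because the report's cmd.exe line names `_CACHE~1.EXE` while the parent image is `._cache_sample.exe`; a rule that compares the two paths literally misses the self-deletion.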
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Synaptics\Synaptics.exe
  MD5 e1230466283011778b5ddb2c622a9beb
  SHA1 a6e476c1821d6ee42ead730843331e0661e3bad2
  SHA256 bf3cccf8a6099b0f5788d11d7c26532e89d03eb22f019dff9f17803508e071f1
  SHA512 23449bb0a1fc8d6fc1db86554b07771e95a816d6299fcffbb35dd229769d261f820d0fb27b5536235b1de7364cf4701de6245b9cc47ea53ef96c42aaa0724449
- C:\Users\Admin\AppData\Local\Temp\._cache_sample.exe
  MD5 0c77a192f14fbf587e4f7fbf7abe03f6
  SHA1 21373d839c4392046254d9afee6bcd4bed344db6
  SHA256 9a3802de337c11336c8b40a7cdbbe4668eec13d86f7db7c4a8e20bd20932496d
  SHA512 abbf7585ae9c97b40200c777ca58b9df87d0591debdacebe56f9ccc49d1cf8a56644a9771b1e719eeab285456dbabeb8963df95ee25693860006b09e8cb89c20
- C:\Users\Admin\AppData\Local\Temp\V53WnWoU.xlsm
  MD5 e566fc53051035e1e6fd0ed1823de0f9
  SHA1 00bc96c48b98676ecd67e81a6f1d7754e4156044
  SHA256 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
  SHA512 a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
- C:\Windows\SysWOW64\tgzvuy.exe (same digests as ._cache_sample.exe)
  MD5 0c77a192f14fbf587e4f7fbf7abe03f6
  SHA1 21373d839c4392046254d9afee6bcd4bed344db6
  SHA256 9a3802de337c11336c8b40a7cdbbe4668eec13d86f7db7c4a8e20bd20932496d
  SHA512 abbf7585ae9c97b40200c777ca58b9df87d0591debdacebe56f9ccc49d1cf8a56644a9771b1e719eeab285456dbabeb8963df95ee25693860006b09e8cb89c20
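The dropped-file list repeats entries and lists one set of digests under two paths (._cache_sample.exe and tgzvuy.exe), so a hunt list built by copying paths overstates the number of distinct binaries. The following added example (written for this page, not the sandbox vendor's code) parses the list in the flattened form it was exported in, deduplicates it and groups paths by SHA256 so each distinct payload is reported once with every name it was written under. RAW_EXPORT is constructed from the report's own entries (a subset, with one duplicate kept on purpose to exercise the deduplication).

```python
"""Parse a sandbox 'Downloads' export in the flattened form the page was
extracted in (path line with 'MD5' glued to it, then the MD5, then
'SHA1<digest>', 'SHA256<digest>', 'SHA512<digest>', entries separated by
'-' and possibly repeated), deduplicate it and group paths by SHA256 so a
payload written under several names is reported once. Added example; the
RAW_EXPORT text is constructed from the report's own entries (a subset, one
duplicate kept on purpose) and the code is not the sandbox vendor's."""
import re

RAW_EXPORT = r"""
C:\ProgramData\Synaptics\Synaptics.exeMD5
e1230466283011778b5ddb2c622a9beb
SHA1a6e476c1821d6ee42ead730843331e0661e3bad2
SHA256bf3cccf8a6099b0f5788d11d7c26532e89d03eb22f019dff9f17803508e071f1
SHA51223449bb0a1fc8d6fc1db86554b07771e95a816d6299fcffbb35dd229769d261f820d0fb27b5536235b1de7364cf4701de6245b9cc47ea53ef96c42aaa0724449
-
C:\ProgramData\Synaptics\Synaptics.exeMD5
e1230466283011778b5ddb2c622a9beb
SHA1a6e476c1821d6ee42ead730843331e0661e3bad2
SHA256bf3cccf8a6099b0f5788d11d7c26532e89d03eb22f019dff9f17803508e071f1
SHA51223449bb0a1fc8d6fc1db86554b07771e95a816d6299fcffbb35dd229769d261f820d0fb27b5536235b1de7364cf4701de6245b9cc47ea53ef96c42aaa0724449
-
C:\Users\Admin\AppData\Local\Temp\._cache_sample.exeMD5
0c77a192f14fbf587e4f7fbf7abe03f6
SHA121373d839c4392046254d9afee6bcd4bed344db6
SHA2569a3802de337c11336c8b40a7cdbbe4668eec13d86f7db7c4a8e20bd20932496d
SHA512abbf7585ae9c97b40200c777ca58b9df87d0591debdacebe56f9ccc49d1cf8a56644a9771b1e719eeab285456dbabeb8963df95ee25693860006b09e8cb89c20
-
C:\Users\Admin\AppData\Local\Temp\V53WnWoU.xlsmMD5
e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
C:\Windows\SysWOW64\tgzvuy.exeMD5
0c77a192f14fbf587e4f7fbf7abe03f6
SHA121373d839c4392046254d9afee6bcd4bed344db6
SHA2569a3802de337c11336c8b40a7cdbbe4668eec13d86f7db7c4a8e20bd20932496d
SHA512abbf7585ae9c97b40200c777ca58b9df87d0591debdacebe56f9ccc49d1cf8a56644a9771b1e719eeab285456dbabeb8963df95ee25693860006b09e8cb89c20
"""

# One entry: path + glued 'MD5', then four digest lines. Fixed hex lengths
# double as a sanity check that the export was not truncated mid-digest.
ENTRY_RE = re.compile(
    r"^(?P<path>[^\n]+?)MD5\n(?P<md5>[0-9a-f]{32})\n"
    r"SHA1(?P<sha1>[0-9a-f]{40})\nSHA256(?P<sha256>[0-9a-f]{64})\n"
    r"SHA512(?P<sha512>[0-9a-f]{128})$",
    re.MULTILINE,
)


def parse_dropped_files(text: str) -> list:
    """Return one dict per entry, duplicates included (path, md5, sha1, sha256, sha512)."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]


def unique_artifacts(records: list) -> dict:
    """Group records by SHA256. Each artifact keeps every distinct path it was
    written to; differing MD5/SHA1 under one SHA256 would mean a corrupt
    export, so that is raised rather than silently merged."""
    artifacts = {}
    for rec in records:
        art = artifacts.setdefault(rec["sha256"], {"md5": rec["md5"], "sha1": rec["sha1"], "paths": []})
        if (art["md5"], art["sha1"]) != (rec["md5"], rec["sha1"]):
            raise ValueError(f"inconsistent digests for {rec['sha256']}")
        if rec["path"] not in art["paths"]:
            art["paths"].append(rec["path"])
    return artifacts


def hunt_lines(artifacts: dict) -> list:
    """One line per distinct binary: sha256, then every path it appeared under."""
    return [f"{sha256}  {' ; '.join(art['paths'])}" for sha256, art in sorted(artifacts.items())]


if __name__ == "__main__":
    print("\n".join(hunt_lines(unique_artifacts(parse_dropped_files(RAW_EXPORT)))))
```

On this report the five parsed entries collapse to three artifacts; the line for 9a3802de… carries both the Temp path and the SysWOW64 path, which is the fact a host-based hunt needs (search for the hash, not for tgzvuy.exe by name).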
Memory dumps:
- memory/736-118-0x0000000000000000-mapping.dmp
- memory/736-123-0x0000000000540000-0x0000000000541000-memory.dmp (4KB)
- memory/3692-115-0x0000000000000000-mapping.dmp
- memory/3692-122-0x0000000077580000-0x000000007770E000-memory.dmp (1.6MB)
- memory/3692-124-0x0000000074390000-0x0000000074552000-memory.dmp (1.8MB)
- memory/3692-126-0x0000000074220000-0x000000007435C000-memory.dmp (1.2MB)
- memory/3692-127-0x00000000767A0000-0x0000000076817000-memory.dmp (476KB)
- memory/3692-128-0x00000000031E1000-0x00000000033A4000-memory.dmp (1.8MB)
- memory/3692-129-0x0000000002E7C000-0x000000000300B000-memory.dmp (1.6MB)
- memory/3692-130-0x0000000002B51000-0x0000000002C22000-memory.dmp (836KB)
- memory/3692-131-0x0000000002CDD000-0x0000000002E1A000-memory.dmp (1.2MB)
- memory/4220-121-0x00007FF683630000-0x00007FF686BE6000-memory.dmp (53.7MB)
- memory/4220-132-0x00007FFA38500000-0x00007FFA38510000-memory.dmp (64KB)
- memory/4220-133-0x00007FFA38500000-0x00007FFA38510000-memory.dmp (64KB)
- memory/4220-134-0x00007FFA38500000-0x00007FFA38510000-memory.dmp (64KB)
- memory/4220-135-0x00007FFA38500000-0x00007FFA38510000-memory.dmp (64KB)
- memory/4220-138-0x00007FFA38500000-0x00007FFA38510000-memory.dmp (64KB)
- memory/4220-139-0x00007FFA59470000-0x00007FFA5A55E000-memory.dmp (16.9MB)
- memory/4220-140-0x0000016B5B560000-0x0000016B5D455000-memory.dmp (31.0MB)
- memory/4364-194-0x0000000001A77000-0x0000000001C3A000-memory.dmp (1.8MB)
- memory/4364-195-0x0000000001707000-0x0000000001896000-memory.dmp (1.6MB)
- memory/4364-196-0x0000000001600000-0x00000000016D1000-memory.dmp (836KB)
- memory/4364-197-0x0000000001C44000-0x0000000001D81000-memory.dmp (1.2MB)
- memory/4532-198-0x0000000000000000-mapping.dmp
- memory/4648-114-0x0000000000950000-0x00000000009FE000-memory.dmp (696KB)