Analysis

  • max time kernel
    149s
  • max time network
    164s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 22:58

General

  • Target
    43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
  • Size
    2.4MB
  • MD5
    35da338f4f436aea22b6eb70a1a4f4da
  • SHA1
    7a680d40094954c586afbbc091157023913cee25
  • SHA256
    43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d
  • SHA512
    d9094284f53b5e940c05604588ab5963712c844a8a7213d3948373a3efeb5187b4193c25957517ffe95724263f914b3993681383d9489da071187102bbb01e53

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
    "C:\Users\Admin\AppData\Local\Temp\43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1840
    • C:\Users\Admin\AppData\Local\Temp\._cache_43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Writes to the Master Boot Record (MBR)
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1832
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      PID:1588
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1664
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1812
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1812 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1092

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    T1060 Registry Run Keys / Startup Folder (1)
    T1067 Bootkit (1)
  • Defense Evasion
    T1112 Modify Registry (2)
  • Discovery
    T1012 Query Registry (2)
    T1082 System Information Discovery (4)

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize 753KB
    MD5 3d2541eae8ef24d9fa7fd7c6444e17fe
    SHA1 e3f98ed8af37cd2f12cddaecf2f60c3366e376e0
    SHA256 18ad52826f035d87cc4b3a7175b956badd0de25beec2cc1fdeeb85982dcb6723
    SHA512 b2be4ded000fb5cc91b522011d5cd3f681be9269dd65fbe96f438ba8005f51c612b37602c9bafab1f27c0b43a942623801e31e47fae9a1c6aa075bca01b8dd22

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
    Filesize 1KB
    MD5 0338c19fcfa9a53c2d9b4680f0b77238
    SHA1 9430f91d2a3f8194035c091f76d77cb0ca531036
    SHA256 7c90f93e8bce4f6256f523fcc1a6f88e27fdc46dbc5a23149f04b39e9c8147d4
    SHA512 fba0039ed089f6fd698a7437b921d2789296515f64d8029918afe4d09135cf93f9ca8920f766814ebe01ae33b30467308ee388b8a57fefd7f31eed1bbc43cb60

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize 1KB
    MD5 a266bb7dcc38a562631361bbf61dd11b
    SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
    SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
    SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize 344B
    MD5 6a8285b454f1e42c466afd545acdf204
    SHA1 dd71c31797fae81d208be64d6bbd4296439f9727
    SHA256 b7f45c538c0160cf05bc1b8024c57d9463da513dc421cfe1661f10feeab07abc
    SHA512 cab79a786ee3767131fc8607dbf5e4a12a07f7b2db5f45f3ed2a0ad7d5f261303d863f96e9de3f2f5d45b3a74d07053cbebdc85946a1c3c8f66ad7a3037b5d4a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
    Filesize 492B
    MD5 999343078a167e47f1fca0f071805dd2
    SHA1 1dc60f86631fd152e0572656344aad933032c1ef
    SHA256 c869d21fee0e8dfa1e06cb38ea802b07f180f0e2852e052d0f33c7bcbd5ce00b
    SHA512 2c236b0e37ac314ba18dd1cc8a9679e9d6ccb35a5ae54bfc3d27ce9395f57d6209861022ddc4d8ce9bb70477bde1fd4c79e92c87ca08844395fa32792526eef6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize 242B
    MD5 5e33885e18870b82d3d9770d331e7618
    SHA1 d5997423d6d4e8e425f2d9b1b1bd1bc2beb8cdea
    SHA256 97da192faa6b1adae322dfba89bfdc12b50200329d2d94aff10365aa93f343fd
    SHA512 7f86964fe1d3a01e5b79429b608311edd4d71bb4b81d7e5db6262417780f0cc0dc7a853a4fca80dcd7a6d7503c9538496297db0ca1c7937dc0a262575a4588ee

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\k007hrg\imagestore.dat
    Filesize 5KB
    MD5 948dfab2a1f679a1e8d657690ec0aee0
    SHA1 6a7b9d95955012c0c9bdef285e48de97a1cea21c
    SHA256 c8a2d3a297d30f91575d761bdbaaf74eeb6596a053705bb03d3efa020fb1c0bd
    SHA512 b05da841217d0175e501e4c4359e3b8b32435982a7d97a4506d7c96133c5406b0f9e1ca5045a475705aa2297c8b28b789b844a5c0f591512196fb674c393eeea

  • C:\Users\Admin\AppData\Local\Temp\._cache_43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
    Filesize 1.6MB
    MD5 123a2ca40f5a1f14c54398da04db1f0a
    SHA1 5e146627897798aec20423cb8457948585599cbd
    SHA256 afbfacf8989342b12d39a17566fdc777e73da743dae733f71c02c46f17bc37f5
    SHA512 ed1b983b2822874a4f9422f1932f4c2e9a6f97d1e5337bb51468f00e294b0acad482ef94738766ac50083064afec3edc72a2312235c03202f000a23c48fbb7f3

  • C:\Users\Admin\AppData\Local\Temp\MOIGcrdT.xlsm
    Filesize 17KB
    MD5 e566fc53051035e1e6fd0ed1823de0f9
    SHA1 00bc96c48b98676ecd67e81a6f1d7754e4156044
    SHA256 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
    SHA512 a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\A0MI3B8Y.txt
    Filesize 600B
    MD5 bdce61cebbd7322af01d9048347d7a5f
    SHA1 6aef6e5191f622f258f8a34b1b263cfbbcffcf6d
    SHA256 3fab3b08f9531cacdcd382b345f652b50e42c70ebde56fbd3843322c700527bd
    SHA512 444a2719dfc4a1c0f0e8e814bf090001e196f8de0dcccf59fc2967c9b8934361c096f0d77b96a76872eb591a9b275054e18fa17e7afd7f999e9b9ed8587cdf43

  • \ProgramData\Synaptics\Synaptics.exe
    Filesize 753KB
    MD5 3d2541eae8ef24d9fa7fd7c6444e17fe
    SHA1 e3f98ed8af37cd2f12cddaecf2f60c3366e376e0
    SHA256 18ad52826f035d87cc4b3a7175b956badd0de25beec2cc1fdeeb85982dcb6723
    SHA512 b2be4ded000fb5cc91b522011d5cd3f681be9269dd65fbe96f438ba8005f51c612b37602c9bafab1f27c0b43a942623801e31e47fae9a1c6aa075bca01b8dd22

  • \Users\Admin\AppData\Local\Temp\._cache_43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
    Filesize 1.6MB
    MD5 123a2ca40f5a1f14c54398da04db1f0a
    SHA1 5e146627897798aec20423cb8457948585599cbd
    SHA256 afbfacf8989342b12d39a17566fdc777e73da743dae733f71c02c46f17bc37f5
    SHA512 ed1b983b2822874a4f9422f1932f4c2e9a6f97d1e5337bb51468f00e294b0acad482ef94738766ac50083064afec3edc72a2312235c03202f000a23c48fbb7f3

  • memory/1588-61-0x0000000000000000-mapping.dmp
  • memory/1664-81-0x0000000000613000-0x0000000000619000-memory.dmp
    Filesize 24KB
  • memory/1664-91-0x000000007051D000-0x0000000070528000-memory.dmp
    Filesize 44KB
  • memory/1664-84-0x0000000000613000-0x0000000000619000-memory.dmp
    Filesize 24KB
  • memory/1664-85-0x0000000000613000-0x0000000000619000-memory.dmp
    Filesize 24KB
  • memory/1664-86-0x0000000000613000-0x0000000000619000-memory.dmp
    Filesize 24KB
  • memory/1664-87-0x0000000000613000-0x0000000000619000-memory.dmp
    Filesize 24KB
  • memory/1664-88-0x0000000000613000-0x0000000000619000-memory.dmp
    Filesize 24KB
  • memory/1664-89-0x0000000000613000-0x0000000000619000-memory.dmp
    Filesize 24KB
  • memory/1664-90-0x0000000000613000-0x0000000000619000-memory.dmp
    Filesize 24KB
  • memory/1664-83-0x0000000000613000-0x0000000000619000-memory.dmp
    Filesize 24KB
  • memory/1664-64-0x000000002FCC1000-0x000000002FCC4000-memory.dmp
    Filesize 12KB
  • memory/1664-82-0x0000000000613000-0x0000000000619000-memory.dmp
    Filesize 24KB
  • memory/1664-80-0x0000000000613000-0x0000000000619000-memory.dmp
    Filesize 24KB
  • memory/1664-79-0x0000000000613000-0x0000000000619000-memory.dmp
    Filesize 24KB
  • memory/1664-66-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize 64KB
  • memory/1664-65-0x000000006F531000-0x000000006F533000-memory.dmp
    Filesize 8KB
  • memory/1832-56-0x0000000000000000-mapping.dmp
  • memory/1840-54-0x00000000751C1000-0x00000000751C3000-memory.dmp
    Filesize 8KB