Analysis
max time kernel: 149s
max time network: 164s
platform: windows7_x64
resource: win7-20220414-en
submitted: 20-05-2022 22:58
Static task: static1
Behavioral task: behavioral1
  Sample: 43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
  Resource: win10v2004-20220414-en
General
Target: 43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
Size: 2.4MB
MD5: 35da338f4f436aea22b6eb70a1a4f4da
SHA1: 7a680d40094954c586afbbc091157023913cee25
SHA256: 43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d
SHA512: d9094284f53b5e940c05604588ab5963712c844a8a7213d3948373a3efeb5187b4193c25957517ffe95724263f914b3993681383d9489da071187102bbb01e53
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
Processes:
  pid 1832 | ._cache_43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
  pid 1588 | Synaptics.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ._cache_43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | ._cache_43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
Loads dropped DLL (3 IoCs)
Processes:
  pid 1840 | 43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
  pid 1840 | 43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
  pid 1840 | 43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | 43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
Checks whether UAC is enabled (1 IoCs)
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ._cache_43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  description | ioc | process
  File opened for modification | \??\PhysicalDrive0 | ._cache_43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | ._cache_43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
Modifies Internet Explorer settings (64 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000358f16e0538341458b70f68dad1eafd400000000020000000000106600000001000020000000b5577a20926b838d8e48485673bc01ff364af5d64b05695f05a0721168c32009000000000e8000000002000020000000ada2e6899870a08c6b790e0099e1e16965b3160156b91fdd0408ad3c68c45f6a20000000eb6ba92ac42d3b42d240b3a9a27f554deba7e42eab1372325256360c3c68faaf40000000664466676b9a58224ac64629b28fa1fd9f940e2c557ebb3d698af3a44c361ccc53588a63edc1d74a55099506a10b4fc7046c996e5282ff7babda6c86142ac328 | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.virtualhardwares.com\ = "63" | ._cache_43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\virtualhardwares.com | ._cache_43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage | ._cache_43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "359860239" | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | ._cache_43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main | ._cache_43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | EXCEL.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6B4C41C1-D8A2-11EC-939C-6AE7990DC39D} = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\virtualhardwares.com\NumberOfSubdomains = "1" | ._cache_43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63" | ._cache_43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\virtualhardwares.com\Total = "63" | ._cache_43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50dd2e35af6cd801 | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | ._cache_43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.virtualhardwares.com | ._cache_43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | ._cache_43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Modifies registry class (64 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command | EXCEL.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList | EXCEL.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | EXCEL.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile | EXCEL.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version | EXCEL.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | EXCEL.EXE
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell | EXCEL.EXE
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe | EXCEL.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | EXCEL.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes:
  pid 1664 | EXCEL.EXE
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid 1832 | ._cache_43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
  pid 1832 | ._cache_43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1832 | ._cache_43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
  pid 1812 | iexplore.exe
Suspicious use of SetWindowsHookEx (9 IoCs)
Processes:
  pid 1832 | ._cache_43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
  pid 1832 | ._cache_43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
  pid 1664 | EXCEL.EXE
  pid 1812 | iexplore.exe
  pid 1812 | iexplore.exe
  pid 1092 | IEXPLORE.EXE
  pid 1092 | IEXPLORE.EXE
  pid 1092 | IEXPLORE.EXE
  pid 1092 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description | pid | process | target process
  PID 1840 wrote to memory of 1832 | 1840 | 43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe | ._cache_43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
  PID 1840 wrote to memory of 1832 | 1840 | 43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe | ._cache_43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
  PID 1840 wrote to memory of 1832 | 1840 | 43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe | ._cache_43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
  PID 1840 wrote to memory of 1832 | 1840 | 43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe | ._cache_43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
  PID 1840 wrote to memory of 1588 | 1840 | 43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe | Synaptics.exe
  PID 1840 wrote to memory of 1588 | 1840 | 43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe | Synaptics.exe
  PID 1840 wrote to memory of 1588 | 1840 | 43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe | Synaptics.exe
  PID 1840 wrote to memory of 1588 | 1840 | 43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe | Synaptics.exe
  PID 1812 wrote to memory of 1092 | 1812 | iexplore.exe | IEXPLORE.EXE
  PID 1812 wrote to memory of 1092 | 1812 | iexplore.exe | IEXPLORE.EXE
  PID 1812 wrote to memory of 1092 | 1812 | iexplore.exe | IEXPLORE.EXE
  PID 1812 wrote to memory of 1092 | 1812 | iexplore.exe | IEXPLORE.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   1.1 C:\Users\Admin\AppData\Local\Temp\._cache_43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
       Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe"
       - Executes dropped EXE
       - Checks BIOS information in registry
       - Checks whether UAC is enabled
       - Writes to the Master Boot Record (MBR)
       - Enumerates system info in registry
       - Modifies Internet Explorer settings
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of SetWindowsHookEx
   1.2 C:\ProgramData\Synaptics\Synaptics.exe
       Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
       - Executes dropped EXE
2. C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
   Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
   - Enumerates system info in registry
   - Modifies Internet Explorer settings
   - Modifies registry class
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
3. C:\Program Files\Internet Explorer\iexplore.exe
   Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -Embedding
   - Modifies Internet Explorer settings
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   3.1 C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
       Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1812 CREDAT:275457 /prefetch:2
       - Modifies Internet Explorer settings
       - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\ProgramData\Synaptics\Synaptics.exe
  Filesize: 753KB
  MD5: 3d2541eae8ef24d9fa7fd7c6444e17fe
  SHA1: e3f98ed8af37cd2f12cddaecf2f60c3366e376e0
  SHA256: 18ad52826f035d87cc4b3a7175b956badd0de25beec2cc1fdeeb85982dcb6723
  SHA512: b2be4ded000fb5cc91b522011d5cd3f681be9269dd65fbe96f438ba8005f51c612b37602c9bafab1f27c0b43a942623801e31e47fae9a1c6aa075bca01b8dd22

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
  Filesize: 1KB
  MD5: 0338c19fcfa9a53c2d9b4680f0b77238
  SHA1: 9430f91d2a3f8194035c091f76d77cb0ca531036
  SHA256: 7c90f93e8bce4f6256f523fcc1a6f88e27fdc46dbc5a23149f04b39e9c8147d4
  SHA512: fba0039ed089f6fd698a7437b921d2789296515f64d8029918afe4d09135cf93f9ca8920f766814ebe01ae33b30467308ee388b8a57fefd7f31eed1bbc43cb60

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
  Filesize: 1KB
  MD5: a266bb7dcc38a562631361bbf61dd11b
  SHA1: 3b1efd3a66ea28b16697394703a72ca340a05bd5
  SHA256: df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
  SHA512: 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 6a8285b454f1e42c466afd545acdf204
  SHA1: dd71c31797fae81d208be64d6bbd4296439f9727
  SHA256: b7f45c538c0160cf05bc1b8024c57d9463da513dc421cfe1661f10feeab07abc
  SHA512: cab79a786ee3767131fc8607dbf5e4a12a07f7b2db5f45f3ed2a0ad7d5f261303d863f96e9de3f2f5d45b3a74d07053cbebdc85946a1c3c8f66ad7a3037b5d4a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
  Filesize: 492B
  MD5: 999343078a167e47f1fca0f071805dd2
  SHA1: 1dc60f86631fd152e0572656344aad933032c1ef
  SHA256: c869d21fee0e8dfa1e06cb38ea802b07f180f0e2852e052d0f33c7bcbd5ce00b
  SHA512: 2c236b0e37ac314ba18dd1cc8a9679e9d6ccb35a5ae54bfc3d27ce9395f57d6209861022ddc4d8ce9bb70477bde1fd4c79e92c87ca08844395fa32792526eef6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
  Filesize: 242B
  MD5: 5e33885e18870b82d3d9770d331e7618
  SHA1: d5997423d6d4e8e425f2d9b1b1bd1bc2beb8cdea
  SHA256: 97da192faa6b1adae322dfba89bfdc12b50200329d2d94aff10365aa93f343fd
  SHA512: 7f86964fe1d3a01e5b79429b608311edd4d71bb4b81d7e5db6262417780f0cc0dc7a853a4fca80dcd7a6d7503c9538496297db0ca1c7937dc0a262575a4588ee

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\k007hrg\imagestore.dat
  Filesize: 5KB
  MD5: 948dfab2a1f679a1e8d657690ec0aee0
  SHA1: 6a7b9d95955012c0c9bdef285e48de97a1cea21c
  SHA256: c8a2d3a297d30f91575d761bdbaaf74eeb6596a053705bb03d3efa020fb1c0bd
  SHA512: b05da841217d0175e501e4c4359e3b8b32435982a7d97a4506d7c96133c5406b0f9e1ca5045a475705aa2297c8b28b789b844a5c0f591512196fb674c393eeea

C:\Users\Admin\AppData\Local\Temp\._cache_43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
  Filesize: 1.6MB
  MD5: 123a2ca40f5a1f14c54398da04db1f0a
  SHA1: 5e146627897798aec20423cb8457948585599cbd
  SHA256: afbfacf8989342b12d39a17566fdc777e73da743dae733f71c02c46f17bc37f5
  SHA512: ed1b983b2822874a4f9422f1932f4c2e9a6f97d1e5337bb51468f00e294b0acad482ef94738766ac50083064afec3edc72a2312235c03202f000a23c48fbb7f3

C:\Users\Admin\AppData\Local\Temp\MOIGcrdT.xlsm
  Filesize: 17KB
  MD5: e566fc53051035e1e6fd0ed1823de0f9
  SHA1: 00bc96c48b98676ecd67e81a6f1d7754e4156044
  SHA256: 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
  SHA512: a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\A0MI3B8Y.txt
  Filesize: 600B
  MD5: bdce61cebbd7322af01d9048347d7a5f
  SHA1: 6aef6e5191f622f258f8a34b1b263cfbbcffcf6d
  SHA256: 3fab3b08f9531cacdcd382b345f652b50e42c70ebde56fbd3843322c700527bd
  SHA512: 444a2719dfc4a1c0f0e8e814bf090001e196f8de0dcccf59fc2967c9b8934361c096f0d77b96a76872eb591a9b275054e18fa17e7afd7f999e9b9ed8587cdf43

\ProgramData\Synaptics\Synaptics.exe
  Filesize: 753KB
  MD5: 3d2541eae8ef24d9fa7fd7c6444e17fe
  SHA1: e3f98ed8af37cd2f12cddaecf2f60c3366e376e0
  SHA256: 18ad52826f035d87cc4b3a7175b956badd0de25beec2cc1fdeeb85982dcb6723
  SHA512: b2be4ded000fb5cc91b522011d5cd3f681be9269dd65fbe96f438ba8005f51c612b37602c9bafab1f27c0b43a942623801e31e47fae9a1c6aa075bca01b8dd22

\Users\Admin\AppData\Local\Temp\._cache_43da221f252d3e0e7c06aa2f21854fed1f01344f81be704e4f0b648f6085527d.exe
  Filesize: 1.6MB
  MD5: 123a2ca40f5a1f14c54398da04db1f0a
  SHA1: 5e146627897798aec20423cb8457948585599cbd
  SHA256: afbfacf8989342b12d39a17566fdc777e73da743dae733f71c02c46f17bc37f5
  SHA512: ed1b983b2822874a4f9422f1932f4c2e9a6f97d1e5337bb51468f00e294b0acad482ef94738766ac50083064afec3edc72a2312235c03202f000a23c48fbb7f3

Memory dumps
memory/1588-61-0x0000000000000000-mapping.dmp
memory/1664-81-0x0000000000613000-0x0000000000619000-memory.dmp | Filesize: 24KB
memory/1664-91-0x000000007051D000-0x0000000070528000-memory.dmp | Filesize: 44KB
memory/1664-84-0x0000000000613000-0x0000000000619000-memory.dmp | Filesize: 24KB
memory/1664-85-0x0000000000613000-0x0000000000619000-memory.dmp | Filesize: 24KB
memory/1664-86-0x0000000000613000-0x0000000000619000-memory.dmp | Filesize: 24KB
memory/1664-87-0x0000000000613000-0x0000000000619000-memory.dmp | Filesize: 24KB
memory/1664-88-0x0000000000613000-0x0000000000619000-memory.dmp | Filesize: 24KB
memory/1664-89-0x0000000000613000-0x0000000000619000-memory.dmp | Filesize: 24KB
memory/1664-90-0x0000000000613000-0x0000000000619000-memory.dmp | Filesize: 24KB
memory/1664-83-0x0000000000613000-0x0000000000619000-memory.dmp | Filesize: 24KB
memory/1664-64-0x000000002FCC1000-0x000000002FCC4000-memory.dmp | Filesize: 12KB
memory/1664-82-0x0000000000613000-0x0000000000619000-memory.dmp | Filesize: 24KB
memory/1664-80-0x0000000000613000-0x0000000000619000-memory.dmp | Filesize: 24KB
memory/1664-79-0x0000000000613000-0x0000000000619000-memory.dmp | Filesize: 24KB
memory/1664-66-0x000000005FFF0000-0x0000000060000000-memory.dmp | Filesize: 64KB
memory/1664-65-0x000000006F531000-0x000000006F533000-memory.dmp | Filesize: 8KB
memory/1832-56-0x0000000000000000-mapping.dmp
memory/1840-54-0x00000000751C1000-0x00000000751C3000-memory.dmp | Filesize: 8KB