Analysis
-
max time kernel
108s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
20-05-2022 22:59
Static task
static1
Behavioral task
behavioral1
Sample
df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe
Resource
win10v2004-20220414-en
General
-
Target
df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe
-
Size
1.0MB
-
MD5
5fc659c5d2949cc28b50d27fc49e21b2
-
SHA1
2e95bce936bd5d56c3a4e4bb30046df44a76348c
-
SHA256
df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04
-
SHA512
63d5eba1083626e2f1968867284a554dbb69f04548a107419d5a4654a7a7cc00dfa04374780c5da3929b57e633fb66bf86f13801b16189fc852ec375f1e73140
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
._cache_df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exeSynaptics.exepid process 1668 ._cache_df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe 908 Synaptics.exe -
Loads dropped DLL 3 IoCs
Processes:
df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exepid process 2020 df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe 2020 df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe 2020 df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe -
Processes:
._cache_df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ._cache_df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exedescription pid process target process PID 2020 wrote to memory of 1668 2020 df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe ._cache_df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe PID 2020 wrote to memory of 1668 2020 df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe ._cache_df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe PID 2020 wrote to memory of 1668 2020 df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe ._cache_df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe PID 2020 wrote to memory of 1668 2020 df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe ._cache_df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe PID 2020 wrote to memory of 908 2020 df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe Synaptics.exe PID 2020 wrote to memory of 908 2020 df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe Synaptics.exe PID 2020 wrote to memory of 908 2020 df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe Synaptics.exe PID 2020 wrote to memory of 908 2020 df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe Synaptics.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe"C:\Users\Admin\AppData\Local\Temp\df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe"C:\Users\Admin\AppData\Local\Temp\._cache_df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe"2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Synaptics\Synaptics.exeFilesize
753KB
MD54c15a7014eeed3bb63348cb35edc8bf3
SHA13ad24399138f24d0eb1b19c96354df21aa5064cb
SHA256be239988be3a59db556f7a1248807d895ab4e622b5af487897c740cc80db5cab
SHA51219e1a143e41369a91ded7f375fc2b37ca10b530fd2c52a09f8976e6811e8cebd3822f77f68df678335fc3fc7dd5439ba8c05b527d45d0553ba252d089e628f18
-
C:\Users\Admin\AppData\Local\Temp\._cache_df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exeFilesize
319KB
MD540cf9b8371664331a2d0c09ddbe23a41
SHA1ab503eda30aac6105e3c76186bd0a43301f588f7
SHA2562f50ea4dd2b4a90622d1ba9d9b68dd40f1941f3a913b5d449100055a21552bf4
SHA512826c78dca660506ff0a5f73443d15a39635e98e04e1eea6dcbd6983f6e8a52bcece1667a572b42cabaa961008a6446d52a695fa5d7461471f1509a2df9426e62
-
C:\Users\Admin\AppData\Local\Temp\._cache_df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exeFilesize
319KB
MD540cf9b8371664331a2d0c09ddbe23a41
SHA1ab503eda30aac6105e3c76186bd0a43301f588f7
SHA2562f50ea4dd2b4a90622d1ba9d9b68dd40f1941f3a913b5d449100055a21552bf4
SHA512826c78dca660506ff0a5f73443d15a39635e98e04e1eea6dcbd6983f6e8a52bcece1667a572b42cabaa961008a6446d52a695fa5d7461471f1509a2df9426e62
-
\ProgramData\Synaptics\Synaptics.exeFilesize
753KB
MD54c15a7014eeed3bb63348cb35edc8bf3
SHA13ad24399138f24d0eb1b19c96354df21aa5064cb
SHA256be239988be3a59db556f7a1248807d895ab4e622b5af487897c740cc80db5cab
SHA51219e1a143e41369a91ded7f375fc2b37ca10b530fd2c52a09f8976e6811e8cebd3822f77f68df678335fc3fc7dd5439ba8c05b527d45d0553ba252d089e628f18
-
\ProgramData\Synaptics\Synaptics.exeFilesize
753KB
MD54c15a7014eeed3bb63348cb35edc8bf3
SHA13ad24399138f24d0eb1b19c96354df21aa5064cb
SHA256be239988be3a59db556f7a1248807d895ab4e622b5af487897c740cc80db5cab
SHA51219e1a143e41369a91ded7f375fc2b37ca10b530fd2c52a09f8976e6811e8cebd3822f77f68df678335fc3fc7dd5439ba8c05b527d45d0553ba252d089e628f18
-
\Users\Admin\AppData\Local\Temp\._cache_df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exeFilesize
319KB
MD540cf9b8371664331a2d0c09ddbe23a41
SHA1ab503eda30aac6105e3c76186bd0a43301f588f7
SHA2562f50ea4dd2b4a90622d1ba9d9b68dd40f1941f3a913b5d449100055a21552bf4
SHA512826c78dca660506ff0a5f73443d15a39635e98e04e1eea6dcbd6983f6e8a52bcece1667a572b42cabaa961008a6446d52a695fa5d7461471f1509a2df9426e62
-
memory/908-61-0x0000000000000000-mapping.dmp
-
memory/1668-56-0x0000000000000000-mapping.dmp
-
memory/1668-64-0x0000000000E40000-0x0000000000E96000-memory.dmpFilesize
344KB
-
memory/1668-65-0x000007FEFBCB1000-0x000007FEFBCB3000-memory.dmpFilesize
8KB
-
memory/1668-66-0x000000001B466000-0x000000001B485000-memory.dmpFilesize
124KB
-
memory/2020-54-0x00000000755C1000-0x00000000755C3000-memory.dmpFilesize
8KB