df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04

General

Target

df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe
Size

1.0MB
MD5

5fc659c5d2949cc28b50d27fc49e21b2
SHA1

2e95bce936bd5d56c3a4e4bb30046df44a76348c
SHA256

df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04
SHA512

63d5eba1083626e2f1968867284a554dbb69f04548a107419d5a4654a7a7cc00dfa04374780c5da3929b57e633fb66bf86f13801b16189fc852ec375f1e73140

Score

8^/10

evasion persistence trojan

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

._cache_df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exeSynaptics.exe

pid process

1668 ._cache_df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe
908 Synaptics.exe

pid	process
1668	._cache_df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe
908	Synaptics.exe

Loads dropped DLL 3 IoCs

Processes:

df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe

pid	process
2020	df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe
2020	df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe
2020	df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

._cache_df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	._cache_df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe

description	pid	process	target process
PID 2020 wrote to memory of 1668	2020	df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe	._cache_df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe
PID 2020 wrote to memory of 1668	2020	df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe	._cache_df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe
PID 2020 wrote to memory of 1668	2020	df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe	._cache_df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe
PID 2020 wrote to memory of 1668	2020	df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe	._cache_df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe
PID 2020 wrote to memory of 908	2020	df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe	Synaptics.exe
PID 2020 wrote to memory of 908	2020	df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe	Synaptics.exe
PID 2020 wrote to memory of 908	2020	df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe	Synaptics.exe
PID 2020 wrote to memory of 908	2020	df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe	Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe
"C:\Users\Admin\AppData\Local\Temp\df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\._cache_df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:1668

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
2⤵
- Executes dropped EXE
PID:908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe
Filesize
753KB

MD5
4c15a7014eeed3bb63348cb35edc8bf3

SHA1
3ad24399138f24d0eb1b19c96354df21aa5064cb

SHA256
be239988be3a59db556f7a1248807d895ab4e622b5af487897c740cc80db5cab

SHA512
19e1a143e41369a91ded7f375fc2b37ca10b530fd2c52a09f8976e6811e8cebd3822f77f68df678335fc3fc7dd5439ba8c05b527d45d0553ba252d089e628f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe
Filesize
319KB

MD5
40cf9b8371664331a2d0c09ddbe23a41

SHA1
ab503eda30aac6105e3c76186bd0a43301f588f7

SHA256
2f50ea4dd2b4a90622d1ba9d9b68dd40f1941f3a913b5d449100055a21552bf4

SHA512
826c78dca660506ff0a5f73443d15a39635e98e04e1eea6dcbd6983f6e8a52bcece1667a572b42cabaa961008a6446d52a695fa5d7461471f1509a2df9426e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe
Filesize
319KB

MD5
40cf9b8371664331a2d0c09ddbe23a41

SHA1
ab503eda30aac6105e3c76186bd0a43301f588f7

SHA256
2f50ea4dd2b4a90622d1ba9d9b68dd40f1941f3a913b5d449100055a21552bf4

SHA512
826c78dca660506ff0a5f73443d15a39635e98e04e1eea6dcbd6983f6e8a52bcece1667a572b42cabaa961008a6446d52a695fa5d7461471f1509a2df9426e62

Download Submit
\ProgramData\Synaptics\Synaptics.exe
Filesize
753KB

MD5
4c15a7014eeed3bb63348cb35edc8bf3

SHA1
3ad24399138f24d0eb1b19c96354df21aa5064cb

SHA256
be239988be3a59db556f7a1248807d895ab4e622b5af487897c740cc80db5cab

SHA512
19e1a143e41369a91ded7f375fc2b37ca10b530fd2c52a09f8976e6811e8cebd3822f77f68df678335fc3fc7dd5439ba8c05b527d45d0553ba252d089e628f18

Download Submit
\ProgramData\Synaptics\Synaptics.exe
Filesize
753KB

MD5
4c15a7014eeed3bb63348cb35edc8bf3

SHA1
3ad24399138f24d0eb1b19c96354df21aa5064cb

SHA256
be239988be3a59db556f7a1248807d895ab4e622b5af487897c740cc80db5cab

SHA512
19e1a143e41369a91ded7f375fc2b37ca10b530fd2c52a09f8976e6811e8cebd3822f77f68df678335fc3fc7dd5439ba8c05b527d45d0553ba252d089e628f18

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_df7d3501766c1caf1cea04b8765b785fd33b72fa152490e4d0f0dc62dc8fdd04.exe
Filesize
319KB

MD5
40cf9b8371664331a2d0c09ddbe23a41

SHA1
ab503eda30aac6105e3c76186bd0a43301f588f7

SHA256
2f50ea4dd2b4a90622d1ba9d9b68dd40f1941f3a913b5d449100055a21552bf4

SHA512
826c78dca660506ff0a5f73443d15a39635e98e04e1eea6dcbd6983f6e8a52bcece1667a572b42cabaa961008a6446d52a695fa5d7461471f1509a2df9426e62

Download Submit
memory/908-61-0x0000000000000000-mapping.dmp

Download
memory/1668-56-0x0000000000000000-mapping.dmp

Download
memory/1668-64-0x0000000000E40000-0x0000000000E96000-memory.dmp

Filesize
344KB

Download
memory/1668-65-0x000007FEFBCB1000-0x000007FEFBCB3000-memory.dmp

Filesize
8KB

Download
memory/1668-66-0x000000001B466000-0x000000001B485000-memory.dmp

Filesize
124KB

Download
memory/2020-54-0x00000000755C1000-0x00000000755C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads