ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4

General

Target

ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe
Size

904KB
MD5

174dd7939ab780f7cf8118f9a8967afe
SHA1

4fb8476faa85c3ba287c170ebd749331488be2f1
SHA256

ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4
SHA512

918b267890e2befea1abc78643338acd9edbf0c40bc3edcba293278425c41cf3f80eaa4c507bf7802b3c69afa64e9e411842bf9848877a235d2b70fb3e1f4958

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe

pid process

1360 ._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe

pid	process
1360	._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe

Loads dropped DLL 2 IoCs

Processes:

ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe

pid	process
1640	ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe
1640	ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run	._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe"	._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe

description ioc process

File opened for modification \??\PhysicalDrive0 ._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

952 schtasks.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe

pid	process
952	schtasks.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe

description	pid	process	target process
PID 1640 wrote to memory of 1360	1640	ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe	._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe
PID 1640 wrote to memory of 1360	1640	ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe	._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe
PID 1640 wrote to memory of 1360	1640	ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe	._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe
PID 1640 wrote to memory of 1360	1640	ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe	._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe
PID 1360 wrote to memory of 952	1360	._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe	schtasks.exe
PID 1360 wrote to memory of 952	1360	._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe	schtasks.exe
PID 1360 wrote to memory of 952	1360	._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe	schtasks.exe
PID 1360 wrote to memory of 952	1360	._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe
"C:\Users\Admin\AppData\Local\Temp\ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Local\Temp\._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe"
3⤵
- Creates scheduled task(s)
PID:952

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Bootkit

1

T1067

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe
Filesize
150KB

MD5
b22a39290f8d3bfa63521368b32b1004

SHA1
99c2f942b56d1c8fd180d1464f3218bb66cc2016

SHA256
1c9c800d28964e7672d59e733c8eba0a262fe1d80cdee042f376927ee296c560

SHA512
b9d8cb98028ed01b58e7f7715372e31c647a9e6506119d497668b55f1ab56854b842a7b4f82c9cdff35ccab1ba168d5afe6f161beabdff903c499b27599da7f4

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe
Filesize
150KB

MD5
b22a39290f8d3bfa63521368b32b1004

SHA1
99c2f942b56d1c8fd180d1464f3218bb66cc2016

SHA256
1c9c800d28964e7672d59e733c8eba0a262fe1d80cdee042f376927ee296c560

SHA512
b9d8cb98028ed01b58e7f7715372e31c647a9e6506119d497668b55f1ab56854b842a7b4f82c9cdff35ccab1ba168d5afe6f161beabdff903c499b27599da7f4

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe
Filesize
150KB

MD5
b22a39290f8d3bfa63521368b32b1004

SHA1
99c2f942b56d1c8fd180d1464f3218bb66cc2016

SHA256
1c9c800d28964e7672d59e733c8eba0a262fe1d80cdee042f376927ee296c560

SHA512
b9d8cb98028ed01b58e7f7715372e31c647a9e6506119d497668b55f1ab56854b842a7b4f82c9cdff35ccab1ba168d5afe6f161beabdff903c499b27599da7f4

Download Submit
memory/952-60-0x0000000000000000-mapping.dmp

Download
memory/1360-57-0x0000000000000000-mapping.dmp

Download
memory/1640-54-0x0000000076241000-0x0000000076243000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads