ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4

General

Target

ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe
Size

904KB
MD5

174dd7939ab780f7cf8118f9a8967afe
SHA1

4fb8476faa85c3ba287c170ebd749331488be2f1
SHA256

ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4
SHA512

918b267890e2befea1abc78643338acd9edbf0c40bc3edcba293278425c41cf3f80eaa4c507bf7802b3c69afa64e9e411842bf9848877a235d2b70fb3e1f4958

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exeSynaptics.exe

pid process

4504 ._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe
2116 Synaptics.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run	._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe"	._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe

description ioc process

File opened for modification \??\PhysicalDrive0 ._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2552 4504 WerFault.exe ._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4996 schtasks.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe

pid	pid_target	process	target process
2552	4504	WerFault.exe	._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe

pid	process
4996	schtasks.exe

Modifies registry class 1 IoCs

Processes:

ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe

pid	process
4504	._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe
4504	._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe
4504	._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe
4504	._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe
4504	._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe
4504	._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe

description pid process

Token: SeDebugPrivilege 4504 ._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe

description	pid	process
Token: SeDebugPrivilege	4504	._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe

description	pid	process	target process
PID 2360 wrote to memory of 4504	2360	ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe	._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe
PID 2360 wrote to memory of 4504	2360	ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe	._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe
PID 2360 wrote to memory of 4504	2360	ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe	._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe
PID 4504 wrote to memory of 4996	4504	._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe	schtasks.exe
PID 4504 wrote to memory of 4996	4504	._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe	schtasks.exe
PID 4504 wrote to memory of 4996	4504	._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe	schtasks.exe
PID 2360 wrote to memory of 2116	2360	ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe	Synaptics.exe
PID 2360 wrote to memory of 2116	2360	ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe	Synaptics.exe
PID 2360 wrote to memory of 2116	2360	ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe	Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe
"C:\Users\Admin\AppData\Local\Temp\ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2360

C:\Users\Admin\AppData\Local\Temp\._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe"
3⤵
- Creates scheduled task(s)
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 508
3⤵
- Program crash
PID:2552

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
2⤵
- Executes dropped EXE
PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4504 -ip 4504
1⤵
PID:2320

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Bootkit

1

T1067

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe
Filesize
753KB

MD5
d39c83fa94398010bc7a281fcd781369

SHA1
cf0352fe8bd177507456f65c54c806fe1ca85507

SHA256
e173266e3d9af60add936ab2b0de936d1e35fa85556ea5c60bad7c75e818c4e3

SHA512
5688c1d2a02fa4d2da2d3711a3cea12e6f8585eb9d7d28df0fc5f835be075e371e5ac1f991352beb9a71b9fcd1f32f744e7af7b8068095f1bffceebdb711daa4

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
Filesize
753KB

MD5
d39c83fa94398010bc7a281fcd781369

SHA1
cf0352fe8bd177507456f65c54c806fe1ca85507

SHA256
e173266e3d9af60add936ab2b0de936d1e35fa85556ea5c60bad7c75e818c4e3

SHA512
5688c1d2a02fa4d2da2d3711a3cea12e6f8585eb9d7d28df0fc5f835be075e371e5ac1f991352beb9a71b9fcd1f32f744e7af7b8068095f1bffceebdb711daa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe
Filesize
150KB

MD5
b22a39290f8d3bfa63521368b32b1004

SHA1
99c2f942b56d1c8fd180d1464f3218bb66cc2016

SHA256
1c9c800d28964e7672d59e733c8eba0a262fe1d80cdee042f376927ee296c560

SHA512
b9d8cb98028ed01b58e7f7715372e31c647a9e6506119d497668b55f1ab56854b842a7b4f82c9cdff35ccab1ba168d5afe6f161beabdff903c499b27599da7f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe
Filesize
150KB

MD5
b22a39290f8d3bfa63521368b32b1004

SHA1
99c2f942b56d1c8fd180d1464f3218bb66cc2016

SHA256
1c9c800d28964e7672d59e733c8eba0a262fe1d80cdee042f376927ee296c560

SHA512
b9d8cb98028ed01b58e7f7715372e31c647a9e6506119d497668b55f1ab56854b842a7b4f82c9cdff35ccab1ba168d5afe6f161beabdff903c499b27599da7f4

Download Submit
memory/2116-134-0x0000000000000000-mapping.dmp

Download
memory/4504-130-0x0000000000000000-mapping.dmp

Download
memory/4996-133-0x0000000000000000-mapping.dmp

Download

pid	process
4504	._cache_ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4.exe
2116	Synaptics.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads