Analysis

  • max time kernel
    91s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 19:16

General

  • Target

    3ec2471a7a0a060ca5c60549ec70370c708f692baa76d13049e9022252e387e0.exe

  • Size

    910KB

  • MD5

    4242ae7b111169ba16b56f3cabfb2bfd

  • SHA1

    ff65a7b8b5ccb534587dbc960b7ada6caa793b60

  • SHA256

    3ec2471a7a0a060ca5c60549ec70370c708f692baa76d13049e9022252e387e0

  • SHA512

    ee4b881edfa71cf1b38b359cabd7d045896b71178997882713ddd508e8b43a4594e2a1119a7e8b329069fa8acd1dcebf20d90f3014960d27cbf3f54698e6b038

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    Caveat: this is the sandbox's canned description of the signature. The process tree below does not attribute it to a specific PID, and nothing else in the report (the only file writes listed are the two dropped executables; no ransom note or encrypted files appear) supports ransomware. Enumerating drives is equally consistent with a file infector or worm looking for targets, so treat the ransomware label as unconfirmed.

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ec2471a7a0a060ca5c60549ec70370c708f692baa76d13049e9022252e387e0.exe
    "C:\Users\Admin\AppData\Local\Temp\3ec2471a7a0a060ca5c60549ec70370c708f692baa76d13049e9022252e387e0.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3996
    • C:\Users\Admin\AppData\Local\Temp\._cache_3ec2471a7a0a060ca5c60549ec70370c708f692baa76d13049e9022252e387e0.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_3ec2471a7a0a060ca5c60549ec70370c708f692baa76d13049e9022252e387e0.exe"
      2⤵
      • Executes dropped EXE
      PID:1020
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      PID:1808
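The process tree above is the most actionable part of the report: the submitted executable (PID 3996) writes and runs two files, a 152KB copy of itself prefixed with ._cache_ (PID 1020) and a 757KB Synaptics.exe in C:\ProgramData\Synaptics started with the argument InjUpdate (PID 1808), while the parent itself sets a Run key. The two dropped sizes add up to 909KB against the original's 910KB, which is consistent with the original carrying both as embedded payloads. The Python below is an added example written for this page, not sandbox output or code from the sample. It turns the chain into hunting rules that run over constructed process-creation and registry events mirroring the tree (the event field names pid, ppid, image, cmdline, key, value, data are an assumed generic schema; map them to your EDR or Sysmon fields) and matches file-sweep results against the SHA256 values from the Downloads section.

```python
"""Hunting rules for the behaviour chain in this sandbox report.

Added example for this page; not part of the report or of the sample.
All events below are constructed to mirror the report's process tree
(PIDs 3996, 1020, 1808) and its Run-key signature. The event schema
(pid, ppid, image, cmdline, key, value, data) is an assumption.
"""
import ntpath
import re

# SHA256 values copied from the report's Downloads section.
KNOWN_SHA256 = {
    "89f29f519ee9380319d9ae5512192ce557059c9c364d092e740a4dd89b057d41":
        "dropped C:\\ProgramData\\Synaptics\\Synaptics.exe",
    "689cb526d4f8c2f38703b8e87833d4b390510d93bd53fb9d8e6012bb6262a8aa":
        "dropped ._cache_ copy of the original executable",
}

ORIG = (r"C:\Users\Admin\AppData\Local\Temp"
        r"\3ec2471a7a0a060ca5c60549ec70370c708f692baa76d13049e9022252e387e0.exe")
CACHE = (r"C:\Users\Admin\AppData\Local\Temp"
         r"\._cache_3ec2471a7a0a060ca5c60549ec70370c708f692baa76d13049e9022252e387e0.exe")
SYN = r"C:\ProgramData\Synaptics\Synaptics.exe"

# Constructed process-creation events; ppid 4 for the root is a placeholder.
PROCESS_EVENTS = [
    {"pid": 3996, "ppid": 4, "image": ORIG, "cmdline": f'"{ORIG}"'},
    {"pid": 1020, "ppid": 3996, "image": CACHE, "cmdline": f'"{CACHE}"'},
    {"pid": 1808, "ppid": 3996, "image": SYN, "cmdline": f'"{SYN}" InjUpdate'},
]

# Constructed registry-set event. The report says PID 3996 added a Run key
# but does not print the value name or data, so both are placeholders.
REGISTRY_EVENTS = [
    {"pid": 3996, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "<unknown>", "data": "<unknown>"},
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.IGNORECASE)
INJUPDATE_RE = re.compile(r"(^|\s)InjUpdate(\s|$)")


def is_synaptics_injupdate(ev):
    """Synaptics.exe run from <drive>:\\ProgramData\\Synaptics with the InjUpdate argument."""
    head, tail = ntpath.split(ev["image"])
    if tail.lower() != "synaptics.exe":
        return False
    if not head.lower().endswith(r"\programdata\synaptics"):
        return False
    return INJUPDATE_RE.search(ev["cmdline"]) is not None


def is_cache_sibling(child, parent):
    """A '._cache_<parent file name>' executable started from the parent's own directory."""
    cdir, cname = ntpath.split(child["image"])
    pdir, pname = ntpath.split(parent["image"])
    return cdir.lower() == pdir.lower() and cname.lower() == "._cache_" + pname.lower()


def hunt(process_events, registry_events):
    """Return (finding, pid) tuples for the three behaviours the report ties to this tree."""
    by_pid = {ev["pid"]: ev for ev in process_events}
    findings = []
    for ev in process_events:
        if is_synaptics_injupdate(ev):
            findings.append(("synaptics_injupdate", ev["pid"]))
        parent = by_pid.get(ev["ppid"])
        if parent is not None and is_cache_sibling(ev, parent):
            findings.append(("cache_sibling_exec", ev["pid"]))
    flagged = {pid for _, pid in findings}
    # Persistence: a Run/RunOnce write by a flagged process or by the parent
    # that spawned one (the report attributes the Run key to the parent).
    parents = {by_pid[p]["ppid"] for p in flagged if p in by_pid}
    for ev in registry_events:
        if RUN_KEY_RE.search(ev["key"]) and ev["pid"] in flagged | parents:
            findings.append(("run_key_persistence", ev["pid"]))
    return findings


def match_hashes(inventory):
    """Map (path, sha256) pairs from a file sweep onto the report's dropped-file hashes."""
    return [(path, KNOWN_SHA256[h.lower()])
            for path, h in inventory if h.lower() in KNOWN_SHA256]


if __name__ == "__main__":
    for finding in hunt(PROCESS_EVENTS, REGISTRY_EVENTS):
        print(*finding)
    print(match_hashes([(SYN, next(iter(KNOWN_SHA256)))]))
```

The sibling rule deliberately keys on the ._cache_ prefix plus the parent's own file name rather than on the hash, because the report shows the ._cache_ file is a per-victim artefact named after whatever host executable was run; the hash list in match_hashes is only useful for this exact sample, while the two path-and-argument rules survive a rebuild.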

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Registry Run Keys / Startup Folder (1) T1060
  • Defense Evasion: Modify Registry (1) T1112
  • Discovery: Query Registry (1) T1012
  • Discovery: System Information Discovery (2) T1082

The IDs above are ATT&CK v6. T1060 was retired in later ATT&CK versions and now corresponds to T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder); T1112, T1012 and T1082 keep their IDs.

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize

    757KB

    MD5

    d9a0a07d2d33a9412fedac99a191149a

    SHA1

    f82e116919332eb0fcd8fb71b99faba75d661dce

    SHA256

    89f29f519ee9380319d9ae5512192ce557059c9c364d092e740a4dd89b057d41

    SHA512

    33ac8dd81109927069877a990040acfee6df8e56ce4a624521d1fa20094509abb4f9aa2bff89b4318c57368a2fc4d607b3f39dcbda8154252ed634fd256ae9d2

  • C:\Users\Admin\AppData\Local\Temp\._cache_3ec2471a7a0a060ca5c60549ec70370c708f692baa76d13049e9022252e387e0.exe
    Filesize

    152KB

    MD5

    326a586ea96de9b380e6c19c526e0b12

    SHA1

    9690058d99b88a9f1b602c2f06c9474640ebf2b3

    SHA256

    689cb526d4f8c2f38703b8e87833d4b390510d93bd53fb9d8e6012bb6262a8aa

    SHA512

    b698190dd301d3b9a3230d459398c702f5055d66ced4295a38dae8d9950f0228a46c72781aabe7c1ed9b69b36a6160d826a5c138f47c2d90fa3cb79b75858a4e

  • memory/1020-130-0x0000000000000000-mapping.dmp
  • memory/1020-136-0x0000000000FC0000-0x0000000000FEC000-memory.dmp
    Filesize

    176KB

  • memory/1020-137-0x0000000005940000-0x00000000059DC000-memory.dmp
    Filesize

    624KB

  • memory/1020-138-0x0000000005FF0000-0x0000000006594000-memory.dmp
    Filesize

    5.6MB

  • memory/1020-139-0x0000000005AE0000-0x0000000005B72000-memory.dmp
    Filesize

    584KB

  • memory/1020-140-0x0000000005A20000-0x0000000005A2A000-memory.dmp
    Filesize

    40KB

  • memory/1020-141-0x0000000005CD0000-0x0000000005D26000-memory.dmp
    Filesize

    344KB

  • memory/1808-133-0x0000000000000000-mapping.dmp