Analysis
- max time kernel: 91s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 19:16

Static task: static1

Behavioral task: behavioral1
- Sample: 3ec2471a7a0a060ca5c60549ec70370c708f692baa76d13049e9022252e387e0.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 3ec2471a7a0a060ca5c60549ec70370c708f692baa76d13049e9022252e387e0.exe
- Resource: win10v2004-20220414-en
General
- Target: 3ec2471a7a0a060ca5c60549ec70370c708f692baa76d13049e9022252e387e0.exe
- Size: 910KB
- MD5: 4242ae7b111169ba16b56f3cabfb2bfd
- SHA1: ff65a7b8b5ccb534587dbc960b7ada6caa793b60
- SHA256: 3ec2471a7a0a060ca5c60549ec70370c708f692baa76d13049e9022252e387e0
- SHA512: ee4b881edfa71cf1b38b359cabd7d045896b71178997882713ddd508e8b43a4594e2a1119a7e8b329069fa8acd1dcebf20d90f3014960d27cbf3f54698e6b038
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  PID 1020  ._cache_3ec2471a7a0a060ca5c60549ec70370c708f692baa76d13049e9022252e387e0.exe
  PID 1808  Synaptics.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation
  Process: 3ec2471a7a0a060ca5c60549ec70370c708f692baa76d13049e9022252e387e0.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"
  Process: 3ec2471a7a0a060ca5c60549ec70370c708f692baa76d13049e9022252e387e0.exe
The value name borrows the product name of the legitimate Synaptics touchpad driver, but the data points at a freshly dropped executable under C:\ProgramData rather than an installed driver. The WOW6432Node path shows the write came from a 32-bit process and was redirected by the registry redirector on the x64 host; a hunt for this value should check both the redirected and the native Run key.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description rates this as likely ransomware behaviour, but volume enumeration is equally ordinary for installers and droppers, no file-encryption or ransom-note signature fires anywhere in this report, and no process is attributed to this signature; treat it as weak evidence on its own.

Modifies registry class (1 IoC)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
  Process: 3ec2471a7a0a060ca5c60549ec70370c708f692baa76d13049e9022252e387e0.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3996 wrote to memory of PID 1020: 3ec2471a7a0a060ca5c60549ec70370c708f692baa76d13049e9022252e387e0.exe -> ._cache_3ec2471a7a0a060ca5c60549ec70370c708f692baa76d13049e9022252e387e0.exe
  PID 3996 wrote to memory of PID 1020: 3ec2471a7a0a060ca5c60549ec70370c708f692baa76d13049e9022252e387e0.exe -> ._cache_3ec2471a7a0a060ca5c60549ec70370c708f692baa76d13049e9022252e387e0.exe
  PID 3996 wrote to memory of PID 1020: 3ec2471a7a0a060ca5c60549ec70370c708f692baa76d13049e9022252e387e0.exe -> ._cache_3ec2471a7a0a060ca5c60549ec70370c708f692baa76d13049e9022252e387e0.exe
  PID 3996 wrote to memory of PID 1808: 3ec2471a7a0a060ca5c60549ec70370c708f692baa76d13049e9022252e387e0.exe -> Synaptics.exe
  PID 3996 wrote to memory of PID 1808: 3ec2471a7a0a060ca5c60549ec70370c708f692baa76d13049e9022252e387e0.exe -> Synaptics.exe
  PID 3996 wrote to memory of PID 1808: 3ec2471a7a0a060ca5c60549ec70370c708f692baa76d13049e9022252e387e0.exe -> Synaptics.exe
All six writes go from the parent into the two children it has just created. A parent writing into a newly spawned child is part of normal process creation, so this signature fires for almost any dropper and does not by itself indicate code injection into a foreign process.
Processes
- C:\Users\Admin\AppData\Local\Temp\3ec2471a7a0a060ca5c60549ec70370c708f692baa76d13049e9022252e387e0.exe (PID 3996)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3ec2471a7a0a060ca5c60549ec70370c708f692baa76d13049e9022252e387e0.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\._cache_3ec2471a7a0a060ca5c60549ec70370c708f692baa76d13049e9022252e387e0.exe (PID 1020, child of 3996)
    Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_3ec2471a7a0a060ca5c60549ec70370c708f692baa76d13049e9022252e387e0.exe"
    - Executes dropped EXE
  - C:\ProgramData\Synaptics\Synaptics.exe (PID 1808, child of 3996)
    Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Synaptics\Synaptics.exe
  Filesize: 757KB
  MD5: d9a0a07d2d33a9412fedac99a191149a
  SHA1: f82e116919332eb0fcd8fb71b99faba75d661dce
  SHA256: 89f29f519ee9380319d9ae5512192ce557059c9c364d092e740a4dd89b057d41
  SHA512: 33ac8dd81109927069877a990040acfee6df8e56ce4a624521d1fa20094509abb4f9aa2bff89b4318c57368a2fc4d607b3f39dcbda8154252ed634fd256ae9d2
- C:\Users\Admin\AppData\Local\Temp\._cache_3ec2471a7a0a060ca5c60549ec70370c708f692baa76d13049e9022252e387e0.exe
  Filesize: 152KB
  MD5: 326a586ea96de9b380e6c19c526e0b12
  SHA1: 9690058d99b88a9f1b602c2f06c9474640ebf2b3
  SHA256: 689cb526d4f8c2f38703b8e87833d4b390510d93bd53fb9d8e6012bb6262a8aa
  SHA512: b698190dd301d3b9a3230d459398c702f5055d66ced4295a38dae8d9950f0228a46c72781aabe7c1ed9b69b36a6160d826a5c138f47c2d90fa3cb79b75858a4e

The two dropped files account for the submission: 757KB + 152KB is within a kilobyte of the 910KB sample, consistent with the sample being these two components packaged together. The parent writes the 152KB program out as ._cache_<original name>.exe and runs it, and writes the 757KB Synaptics.exe to C:\ProgramData, registers it in the Run key, and starts it with the InjUpdate argument. The ._cache_ copy is therefore the file to examine when asking what the sample was pretending to be; Synaptics.exe is the persistent component.
Memory dumps (PID 1020 is the ._cache_ process, PID 1808 is Synaptics.exe):
- memory/1020-130-0x0000000000000000-mapping.dmp
- memory/1020-136-0x0000000000FC0000-0x0000000000FEC000-memory.dmp (Filesize: 176KB)
- memory/1020-137-0x0000000005940000-0x00000000059DC000-memory.dmp (Filesize: 624KB)
- memory/1020-138-0x0000000005FF0000-0x0000000006594000-memory.dmp (Filesize: 5.6MB)
- memory/1020-139-0x0000000005AE0000-0x0000000005B72000-memory.dmp (Filesize: 584KB)
- memory/1020-140-0x0000000005A20000-0x0000000005A2A000-memory.dmp (Filesize: 40KB)
- memory/1020-141-0x0000000005CD0000-0x0000000005D26000-memory.dmp (Filesize: 344KB)
- memory/1808-133-0x0000000000000000-mapping.dmp
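The indicators above (the Run value, the ProgramData drop path, the ._cache_ naming, the InjUpdate argument and the dropped-file hashes) translate directly into host-hunting rules. The script below is an added example, not part of the sandbox report or of any vendor tooling. It assumes Sysmon-style telemetry with Sysmon's real field names (EventID 1 ProcessCreate with Image/CommandLine, 11 FileCreate with TargetFilename, 13 RegistryEvent with TargetObject/Details) and a file-inventory export of (path, sha256) rows such as an EDR hash sweep produces; the events and inventory rows are constructed for illustration, while the hashes, paths and names come from the report. Sysmon writes hive roots as HKLM rather than \REGISTRY\MACHINE, so the Run-value rule matches on the key suffix and works for either spelling, with or without WOW6432Node.

```python
r"""Hunt for the indicators recorded in this report (added example, not sandbox output).

Check 1 runs behavioural rules over Sysmon-style events; check 2 matches a
(path, sha256) inventory export against the dropped-file hashes. Inputs at the
bottom are constructed; hashes, paths and names are taken from the report.
"""
from __future__ import annotations

import re

SAMPLE = "3ec2471a7a0a060ca5c60549ec70370c708f692baa76d13049e9022252e387e0.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TMP + "\\" + SAMPLE
CACHE_PATH = TMP + "\\._cache_" + SAMPLE
DROP_PATH = r"C:\ProgramData\Synaptics\Synaptics.exe"

# SHA256 values from the General and Downloads sections.
KNOWN_BAD_SHA256 = {
    "3ec2471a7a0a060ca5c60549ec70370c708f692baa76d13049e9022252e387e0": "submitted sample (910KB)",
    "89f29f519ee9380319d9ae5512192ce557059c9c364d092e740a4dd89b057d41": "dropped Synaptics.exe (757KB)",
    "689cb526d4f8c2f38703b8e87833d4b390510d93bd53fb9d8e6012bb6262a8aa": "dropped ._cache_ host program (152KB)",
}

# Run value the parent sets; matched as a suffix so HKLM\... and \REGISTRY\MACHINE\...
# spellings both hit, with or without the WOW6432Node redirection.
RUN_VALUE_SUFFIX = r"\microsoft\windows\currentversion\run\synaptics pointing device driver"
# A ._cache_<name>.exe basename, the report's naming for the extracted host program.
CACHE_RE = re.compile(r"\\\._cache_[^\\]+\.exe$", re.IGNORECASE)


def check_event(ev: dict) -> list[str]:
    """Return the rule names one Sysmon-style event matches (empty for benign events)."""
    hits: list[str] = []
    eid = ev.get("EventID")
    image = ev.get("Image", "").lower()
    if eid == 13:  # RegistryEvent (Value Set): Run value pointing at the ProgramData drop
        target = ev.get("TargetObject", "").lower()
        details = ev.get("Details", "").lower().replace('"', "")
        if target.endswith(RUN_VALUE_SUFFIX) and DROP_PATH.lower() in details:
            hits.append("run_key_synaptics")
    elif eid == 11:  # FileCreate: Synaptics.exe written under C:\ProgramData
        if ev.get("TargetFilename", "").lower() == DROP_PATH.lower():
            hits.append("synaptics_dropped")
    elif eid == 1:  # ProcessCreate: the ._cache_ copy, or Synaptics.exe started with InjUpdate
        if CACHE_RE.search(image):
            hits.append("cache_copy_executed")
        if image == DROP_PATH.lower() and "injupdate" in ev.get("CommandLine", "").lower():
            hits.append("synaptics_injupdate")
    return hits


def scan_events(events: list[dict]) -> list[tuple[str, str]]:
    """Run every event through check_event; return (rule, Image) pairs in event order."""
    return [(rule, ev.get("Image", "")) for ev in events for rule in check_event(ev)]


def match_inventory(rows: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Match (path, sha256) rows against KNOWN_BAD_SHA256 case-insensitively; return (path, label)."""
    return [(path, KNOWN_BAD_SHA256[h.lower()]) for path, h in rows if h.lower() in KNOWN_BAD_SHA256]


# Constructed events modelled on the report's process tree, plus two benign decoys:
# a genuine Run value, and the real Synaptics touchpad software, which installs
# under Program Files rather than ProgramData and must not match.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": SAMPLE_PATH, "CommandLine": f'"{SAMPLE_PATH}"'},
    {"EventID": 11, "Image": SAMPLE_PATH, "TargetFilename": DROP_PATH},
    {"EventID": 13, "Image": SAMPLE_PATH,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver",
     "Details": DROP_PATH},
    {"EventID": 1, "Image": CACHE_PATH, "CommandLine": f'"{CACHE_PATH}"'},
    {"EventID": 1, "Image": DROP_PATH, "CommandLine": f'"{DROP_PATH}" InjUpdate'},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe",
     "CommandLine": r'"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"'},
]

# Constructed hash-sweep export: the dropped file, a benign file with a placeholder
# hash, and the submitted sample found elsewhere with its hash in upper case.
SAMPLE_INVENTORY = [
    (DROP_PATH, "89f29f519ee9380319d9ae5512192ce557059c9c364d092e740a4dd89b057d41"),
    (r"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe", "0" * 64),
    (r"D:\share\update.exe", "3EC2471A7A0A060CA5C60549EC70370C708F692BAA76D13049E9022252E387E0"),
]

if __name__ == "__main__":
    for rule, image in scan_events(SAMPLE_EVENTS):
        print(f"{rule:22} {image}")
    for path, label in match_inventory(SAMPLE_INVENTORY):
        print(f"hash match: {path} -> {label}")
```

Run against the constructed input, the four malicious events each produce one hit and the two decoys none; the inventory check flags the dropped Synaptics.exe and the upper-case copy of the sample hash. The rules deliberately key on the drop location and the InjUpdate argument rather than on the filename Synaptics.exe alone, because a hit on the bare name would also fire on hosts with the genuine touchpad driver installed.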