9af327b367b69a023c5269d7da2f73dbf7cb56580f6ac9a108c4bcb3a622842d

General

Target

9af327b367b69a023c5269d7da2f73dbf7cb56580f6ac9a108c4bcb3a622842d.exe
Size

1.6MB
MD5

c326b83a1c289944a918f0dc22f7c003
SHA1

b835f673d18e44631d5e138e8d20243829ae93a7
SHA256

9af327b367b69a023c5269d7da2f73dbf7cb56580f6ac9a108c4bcb3a622842d
SHA512

8188fea4ebd3da84a752779a57b43e6f3cc573772dc305aff3f7173e7fc6c5be8f3f9629ab609a89603ee9ef5b27e31f79615f10dcecacb150866986cc6b3975
SSDEEP

24576:lnsJ39LyjbJkQFMhmC+6GD9BkzIs5pR9sgyRpYmGmYnUOPiWGIkq:lnsHyjtk2MYC5GDyiei+oId

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	9af327b367b69a023c5269d7da2f73dbf7cb56580f6ac9a108c4bcb3a622842d.exe

Executes dropped EXE 2 IoCs

pid	Process
3660	._cache_9af327b367b69a023c5269d7da2f73dbf7cb56580f6ac9a108c4bcb3a622842d.exe
3552	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	9af327b367b69a023c5269d7da2f73dbf7cb56580f6ac9a108c4bcb3a622842d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
220	3660	WerFault.exe	82

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	9af327b367b69a023c5269d7da2f73dbf7cb56580f6ac9a108c4bcb3a622842d.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4168	EXCEL.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4168	EXCEL.EXE
4168	EXCEL.EXE
4168	EXCEL.EXE
4168	EXCEL.EXE
4168	EXCEL.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3488 wrote to memory of 3660	3488	9af327b367b69a023c5269d7da2f73dbf7cb56580f6ac9a108c4bcb3a622842d.exe	82
PID 3488 wrote to memory of 3660	3488	9af327b367b69a023c5269d7da2f73dbf7cb56580f6ac9a108c4bcb3a622842d.exe	82
PID 3488 wrote to memory of 3660	3488	9af327b367b69a023c5269d7da2f73dbf7cb56580f6ac9a108c4bcb3a622842d.exe	82
PID 3488 wrote to memory of 3552	3488	9af327b367b69a023c5269d7da2f73dbf7cb56580f6ac9a108c4bcb3a622842d.exe	83
PID 3488 wrote to memory of 3552	3488	9af327b367b69a023c5269d7da2f73dbf7cb56580f6ac9a108c4bcb3a622842d.exe	83
PID 3488 wrote to memory of 3552	3488	9af327b367b69a023c5269d7da2f73dbf7cb56580f6ac9a108c4bcb3a622842d.exe	83

C:\Users\Admin\AppData\Local\Temp\9af327b367b69a023c5269d7da2f73dbf7cb56580f6ac9a108c4bcb3a622842d.exe
"C:\Users\Admin\AppData\Local\Temp\9af327b367b69a023c5269d7da2f73dbf7cb56580f6ac9a108c4bcb3a622842d.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Users\Admin\AppData\Local\Temp\._cache_9af327b367b69a023c5269d7da2f73dbf7cb56580f6ac9a108c4bcb3a622842d.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_9af327b367b69a023c5269d7da2f73dbf7cb56580f6ac9a108c4bcb3a622842d.exe"
  2⤵
  - Executes dropped EXE
  PID:3660
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 472
    3⤵
    - Program crash
    PID:220
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  PID:3552

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3660 -ip 3660
1⤵
PID:4268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
754KB

MD5
9053a0cbd2ae2350d9fa43468d6e96dd

SHA1
5c905ea1c7a6a52c3385dd68e11c45cfcc73cd63

SHA256
cc8f6c5a99dd8b667c8a32ff4f5aa2d3aee292b3a531493d74a65e3cbc12bf69

SHA512
3b1f01950bcd0e8973e47dee703f8e43046083c63abe9363ddbe973bb3f37a17829efae9a4ded360c1c40f65bcedaa9de14a4e3f1e487f8596ee8f53c54445c6

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
754KB

MD5
9053a0cbd2ae2350d9fa43468d6e96dd

SHA1
5c905ea1c7a6a52c3385dd68e11c45cfcc73cd63

SHA256
cc8f6c5a99dd8b667c8a32ff4f5aa2d3aee292b3a531493d74a65e3cbc12bf69

SHA512
3b1f01950bcd0e8973e47dee703f8e43046083c63abe9363ddbe973bb3f37a17829efae9a4ded360c1c40f65bcedaa9de14a4e3f1e487f8596ee8f53c54445c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_9af327b367b69a023c5269d7da2f73dbf7cb56580f6ac9a108c4bcb3a622842d.exe

Filesize
865KB

MD5
84336e3d11c2715b850e1029aff93803

SHA1
26c9e96ce4263bb599e3b92b6d52bf006d829ccb

SHA256
c5717a66a3b087ffcf68b53018bef0881d179922b7654eeab0075da195b5054a

SHA512
fbe5ade00745a2b287d63b3a3363f3ef6c14d274de61e7afafcbc646a98395bb7994da65429f1cc827e1ea2748f1b81c782ee98501611a46fc75410862198f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_9af327b367b69a023c5269d7da2f73dbf7cb56580f6ac9a108c4bcb3a622842d.exe

Filesize
865KB

MD5
84336e3d11c2715b850e1029aff93803

SHA1
26c9e96ce4263bb599e3b92b6d52bf006d829ccb

SHA256
c5717a66a3b087ffcf68b53018bef0881d179922b7654eeab0075da195b5054a

SHA512
fbe5ade00745a2b287d63b3a3363f3ef6c14d274de61e7afafcbc646a98395bb7994da65429f1cc827e1ea2748f1b81c782ee98501611a46fc75410862198f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\s3qX9NnD.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
memory/3660-140-0x00000000769A0000-0x0000000076BB5000-memory.dmp

Filesize
2.1MB

Download
memory/3660-139-0x0000000077400000-0x00000000775A3000-memory.dmp

Filesize
1.6MB

Download
memory/3660-138-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/3660-147-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/4168-142-0x00007FFA76DF0000-0x00007FFA76E00000-memory.dmp

Filesize
64KB

Download
memory/4168-143-0x00007FFA76DF0000-0x00007FFA76E00000-memory.dmp

Filesize
64KB

Download
memory/4168-144-0x00007FFA76DF0000-0x00007FFA76E00000-memory.dmp

Filesize
64KB

Download
memory/4168-145-0x00007FFA76DF0000-0x00007FFA76E00000-memory.dmp

Filesize
64KB

Download
memory/4168-146-0x00007FFA76DF0000-0x00007FFA76E00000-memory.dmp

Filesize
64KB

Download
memory/4168-148-0x00007FFA74A00000-0x00007FFA74A10000-memory.dmp

Filesize
64KB

Download
memory/4168-149-0x00007FFA74A00000-0x00007FFA74A10000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads