27d3c4f58b48471511fd2597f39987384f76b3113ea5df3a94c55ffe340ea257

General

Target

27d3c4f58b48471511fd2597f39987384f76b3113ea5df3a94c55ffe340ea257.exe
Size

3.8MB
MD5

bb822e95e45231a03a063a791d66df2b
SHA1

4a6d37d130631be7e24a28d618d30de48d7aa042
SHA256

27d3c4f58b48471511fd2597f39987384f76b3113ea5df3a94c55ffe340ea257
SHA512

8fb86d9b49db91e26678084c266e95039f1dfe0c9ff0d5dff5f4fd7baeb09e9cf4ef8c46d407cdb6fb1ce409d35f0fac252c8ab70cdd4f46d9b6732531b395e1
SSDEEP

98304:mnsmtk2anG8nAiYW1xjfAVXCnXrDgInJBNV/:YLcggoVXiXtJBNV/

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	27d3c4f58b48471511fd2597f39987384f76b3113ea5df3a94c55ffe340ea257.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 3 IoCs

pid	Process
3164	._cache_27d3c4f58b48471511fd2597f39987384f76b3113ea5df3a94c55ffe340ea257.exe
3948	Synaptics.exe
3344	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	27d3c4f58b48471511fd2597f39987384f76b3113ea5df3a94c55ffe340ea257.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	27d3c4f58b48471511fd2597f39987384f76b3113ea5df3a94c55ffe340ea257.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 3164	1288	27d3c4f58b48471511fd2597f39987384f76b3113ea5df3a94c55ffe340ea257.exe	86
PID 1288 wrote to memory of 3164	1288	27d3c4f58b48471511fd2597f39987384f76b3113ea5df3a94c55ffe340ea257.exe	86
PID 1288 wrote to memory of 3164	1288	27d3c4f58b48471511fd2597f39987384f76b3113ea5df3a94c55ffe340ea257.exe	86
PID 1288 wrote to memory of 3948	1288	27d3c4f58b48471511fd2597f39987384f76b3113ea5df3a94c55ffe340ea257.exe	87
PID 1288 wrote to memory of 3948	1288	27d3c4f58b48471511fd2597f39987384f76b3113ea5df3a94c55ffe340ea257.exe	87
PID 1288 wrote to memory of 3948	1288	27d3c4f58b48471511fd2597f39987384f76b3113ea5df3a94c55ffe340ea257.exe	87
PID 3948 wrote to memory of 3344	3948	Synaptics.exe	88
PID 3948 wrote to memory of 3344	3948	Synaptics.exe	88
PID 3948 wrote to memory of 3344	3948	Synaptics.exe	88

C:\Users\Admin\AppData\Local\Temp\27d3c4f58b48471511fd2597f39987384f76b3113ea5df3a94c55ffe340ea257.exe
"C:\Users\Admin\AppData\Local\Temp\27d3c4f58b48471511fd2597f39987384f76b3113ea5df3a94c55ffe340ea257.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Users\Admin\AppData\Local\Temp\._cache_27d3c4f58b48471511fd2597f39987384f76b3113ea5df3a94c55ffe340ea257.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_27d3c4f58b48471511fd2597f39987384f76b3113ea5df3a94c55ffe340ea257.exe"
  2⤵
  - Executes dropped EXE
  PID:3164
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:3344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
3.8MB

MD5
bb822e95e45231a03a063a791d66df2b

SHA1
4a6d37d130631be7e24a28d618d30de48d7aa042

SHA256
27d3c4f58b48471511fd2597f39987384f76b3113ea5df3a94c55ffe340ea257

SHA512
8fb86d9b49db91e26678084c266e95039f1dfe0c9ff0d5dff5f4fd7baeb09e9cf4ef8c46d407cdb6fb1ce409d35f0fac252c8ab70cdd4f46d9b6732531b395e1

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
3.8MB

MD5
bb822e95e45231a03a063a791d66df2b

SHA1
4a6d37d130631be7e24a28d618d30de48d7aa042

SHA256
27d3c4f58b48471511fd2597f39987384f76b3113ea5df3a94c55ffe340ea257

SHA512
8fb86d9b49db91e26678084c266e95039f1dfe0c9ff0d5dff5f4fd7baeb09e9cf4ef8c46d407cdb6fb1ce409d35f0fac252c8ab70cdd4f46d9b6732531b395e1

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
3.8MB

MD5
bb822e95e45231a03a063a791d66df2b

SHA1
4a6d37d130631be7e24a28d618d30de48d7aa042

SHA256
27d3c4f58b48471511fd2597f39987384f76b3113ea5df3a94c55ffe340ea257

SHA512
8fb86d9b49db91e26678084c266e95039f1dfe0c9ff0d5dff5f4fd7baeb09e9cf4ef8c46d407cdb6fb1ce409d35f0fac252c8ab70cdd4f46d9b6732531b395e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_27d3c4f58b48471511fd2597f39987384f76b3113ea5df3a94c55ffe340ea257.exe

Filesize
3.0MB

MD5
674c64a7e4fa94893123da22f8ea30af

SHA1
2456068eae785cd2cd70990b61a36c3f999ca0a2

SHA256
252f7ce9ebbeb17218d390a322720c04a41c4f4186982472e4885a26dfeef709

SHA512
6033ec982c889106d2d765a7227610b478e28620228afeadd3b965724e5e8e87af86de2ab3ab219a98b32ad25fb34f72edcb6b87e4ef06d4a86d1cd823bb190c

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_27d3c4f58b48471511fd2597f39987384f76b3113ea5df3a94c55ffe340ea257.exe

Filesize
3.0MB

MD5
674c64a7e4fa94893123da22f8ea30af

SHA1
2456068eae785cd2cd70990b61a36c3f999ca0a2

SHA256
252f7ce9ebbeb17218d390a322720c04a41c4f4186982472e4885a26dfeef709

SHA512
6033ec982c889106d2d765a7227610b478e28620228afeadd3b965724e5e8e87af86de2ab3ab219a98b32ad25fb34f72edcb6b87e4ef06d4a86d1cd823bb190c

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_27d3c4f58b48471511fd2597f39987384f76b3113ea5df3a94c55ffe340ea257.exe

Filesize
3.0MB

MD5
674c64a7e4fa94893123da22f8ea30af

SHA1
2456068eae785cd2cd70990b61a36c3f999ca0a2

SHA256
252f7ce9ebbeb17218d390a322720c04a41c4f4186982472e4885a26dfeef709

SHA512
6033ec982c889106d2d765a7227610b478e28620228afeadd3b965724e5e8e87af86de2ab3ab219a98b32ad25fb34f72edcb6b87e4ef06d4a86d1cd823bb190c

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
3.0MB

MD5
674c64a7e4fa94893123da22f8ea30af

SHA1
2456068eae785cd2cd70990b61a36c3f999ca0a2

SHA256
252f7ce9ebbeb17218d390a322720c04a41c4f4186982472e4885a26dfeef709

SHA512
6033ec982c889106d2d765a7227610b478e28620228afeadd3b965724e5e8e87af86de2ab3ab219a98b32ad25fb34f72edcb6b87e4ef06d4a86d1cd823bb190c

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
3.0MB

MD5
674c64a7e4fa94893123da22f8ea30af

SHA1
2456068eae785cd2cd70990b61a36c3f999ca0a2

SHA256
252f7ce9ebbeb17218d390a322720c04a41c4f4186982472e4885a26dfeef709

SHA512
6033ec982c889106d2d765a7227610b478e28620228afeadd3b965724e5e8e87af86de2ab3ab219a98b32ad25fb34f72edcb6b87e4ef06d4a86d1cd823bb190c

Download Submit
memory/1288-234-0x0000000000400000-0x00000000007C7000-memory.dmp

Filesize
3.8MB

Download
memory/1288-133-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/3164-4170-0x00000000771A0000-0x0000000077340000-memory.dmp

Filesize
1.6MB

Download
memory/3164-4176-0x0000000000400000-0x000000000087F000-memory.dmp

Filesize
4.5MB

Download
memory/3164-6185-0x0000000075DB0000-0x0000000075E2A000-memory.dmp

Filesize
488KB

Download
memory/3164-271-0x0000000076F80000-0x0000000077195000-memory.dmp

Filesize
2.1MB

Download
memory/3164-238-0x0000000000400000-0x000000000087F000-memory.dmp

Filesize
4.5MB

Download
memory/3344-4185-0x00000000771A0000-0x0000000077340000-memory.dmp

Filesize
1.6MB

Download
memory/3344-284-0x0000000076F80000-0x0000000077195000-memory.dmp

Filesize
2.1MB

Download
memory/3344-4216-0x0000000000400000-0x000000000087F000-memory.dmp

Filesize
4.5MB

Download
memory/3344-270-0x0000000000400000-0x000000000087F000-memory.dmp

Filesize
4.5MB

Download
memory/3344-6199-0x0000000075DB0000-0x0000000075E2A000-memory.dmp

Filesize
488KB

Download
memory/3948-672-0x0000000000400000-0x00000000007C7000-memory.dmp

Filesize
3.8MB

Download
memory/3948-3516-0x0000000000400000-0x00000000007C7000-memory.dmp

Filesize
3.8MB

Download
memory/3948-235-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/3948-675-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing