bd0869ad342f66aaa662d47013c80351546f89ac243c021eb358a07fe7628769

Analysis

max time kernel
147s
max time network
151s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
04/08/2023, 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd0869ad342f66aaa662d47013c80351546f89ac243c021eb358a07fe7628769.exe
Size

4.0MB
MD5

d5f474152567f74e982ba7462fec87ed
SHA1

c0950ed8fcf05fec8dc9d82430bf8362868d49d3
SHA256

bd0869ad342f66aaa662d47013c80351546f89ac243c021eb358a07fe7628769
SHA512

80622f0ad4d9114b10b22d49d645e71c00f5ac1e40d05e758bf08bba1d691170dac30c07811f55b7d1c088a44b143b24a8e8ff973853399c334d3853663052ac
SSDEEP

98304:Wnsmtk2a/qdyX8n0f9FGIt/GoJfXFLs1AEDPCiMuWGBTIqHyFIYBF+oViRoq:ILCqdK3Z/5dnsHWGBvSIcF+odq

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2604	._cache_bd0869ad342f66aaa662d47013c80351546f89ac243c021eb358a07fe7628769.exe

Executes dropped EXE 2 IoCs

pid	Process
2604	._cache_bd0869ad342f66aaa662d47013c80351546f89ac243c021eb358a07fe7628769.exe
2092	Synaptics.exe

Loads dropped DLL 4 IoCs

pid	Process
1924	bd0869ad342f66aaa662d47013c80351546f89ac243c021eb358a07fe7628769.exe
1924	bd0869ad342f66aaa662d47013c80351546f89ac243c021eb358a07fe7628769.exe
1924	bd0869ad342f66aaa662d47013c80351546f89ac243c021eb358a07fe7628769.exe
2092	Synaptics.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000012107-58.dat	upx
behavioral1/files/0x0007000000012107-71.dat	upx
behavioral1/memory/2604-72-0x0000000000400000-0x00000000007E0000-memory.dmp	upx
behavioral1/files/0x0007000000012107-60.dat	upx
behavioral1/files/0x000300000000b3e1-85.dat	upx
behavioral1/memory/2604-109-0x0000000000400000-0x00000000007E0000-memory.dmp	upx
behavioral1/memory/2604-116-0x0000000000400000-0x00000000007E0000-memory.dmp	upx
behavioral1/memory/2604-120-0x0000000000400000-0x00000000007E0000-memory.dmp	upx
behavioral1/memory/2604-147-0x0000000000400000-0x00000000007E0000-memory.dmp	upx
behavioral1/memory/2604-151-0x0000000000400000-0x00000000007E0000-memory.dmp	upx
behavioral1/memory/2604-153-0x0000000000400000-0x00000000007E0000-memory.dmp	upx
behavioral1/memory/2604-156-0x0000000000400000-0x00000000007E0000-memory.dmp	upx
behavioral1/memory/2604-158-0x0000000000400000-0x00000000007E0000-memory.dmp	upx
behavioral1/memory/2604-160-0x0000000000400000-0x00000000007E0000-memory.dmp	upx
behavioral1/memory/2604-162-0x0000000000400000-0x00000000007E0000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	bd0869ad342f66aaa662d47013c80351546f89ac243c021eb358a07fe7628769.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2908	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2604	._cache_bd0869ad342f66aaa662d47013c80351546f89ac243c021eb358a07fe7628769.exe
2604	._cache_bd0869ad342f66aaa662d47013c80351546f89ac243c021eb358a07fe7628769.exe
2908	EXCEL.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2604	1924	bd0869ad342f66aaa662d47013c80351546f89ac243c021eb358a07fe7628769.exe	28
PID 1924 wrote to memory of 2604	1924	bd0869ad342f66aaa662d47013c80351546f89ac243c021eb358a07fe7628769.exe	28
PID 1924 wrote to memory of 2604	1924	bd0869ad342f66aaa662d47013c80351546f89ac243c021eb358a07fe7628769.exe	28
PID 1924 wrote to memory of 2604	1924	bd0869ad342f66aaa662d47013c80351546f89ac243c021eb358a07fe7628769.exe	28
PID 1924 wrote to memory of 2092	1924	bd0869ad342f66aaa662d47013c80351546f89ac243c021eb358a07fe7628769.exe	29
PID 1924 wrote to memory of 2092	1924	bd0869ad342f66aaa662d47013c80351546f89ac243c021eb358a07fe7628769.exe	29
PID 1924 wrote to memory of 2092	1924	bd0869ad342f66aaa662d47013c80351546f89ac243c021eb358a07fe7628769.exe	29
PID 1924 wrote to memory of 2092	1924	bd0869ad342f66aaa662d47013c80351546f89ac243c021eb358a07fe7628769.exe	29

C:\Users\Admin\AppData\Local\Temp\bd0869ad342f66aaa662d47013c80351546f89ac243c021eb358a07fe7628769.exe
"C:\Users\Admin\AppData\Local\Temp\bd0869ad342f66aaa662d47013c80351546f89ac243c021eb358a07fe7628769.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Local\Temp\._cache_bd0869ad342f66aaa662d47013c80351546f89ac243c021eb358a07fe7628769.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_bd0869ad342f66aaa662d47013c80351546f89ac243c021eb358a07fe7628769.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2604
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2092

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
4.0MB

MD5
d5f474152567f74e982ba7462fec87ed

SHA1
c0950ed8fcf05fec8dc9d82430bf8362868d49d3

SHA256
bd0869ad342f66aaa662d47013c80351546f89ac243c021eb358a07fe7628769

SHA512
80622f0ad4d9114b10b22d49d645e71c00f5ac1e40d05e758bf08bba1d691170dac30c07811f55b7d1c088a44b143b24a8e8ff973853399c334d3853663052ac

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
4.0MB

MD5
d5f474152567f74e982ba7462fec87ed

SHA1
c0950ed8fcf05fec8dc9d82430bf8362868d49d3

SHA256
bd0869ad342f66aaa662d47013c80351546f89ac243c021eb358a07fe7628769

SHA512
80622f0ad4d9114b10b22d49d645e71c00f5ac1e40d05e758bf08bba1d691170dac30c07811f55b7d1c088a44b143b24a8e8ff973853399c334d3853663052ac

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
4.0MB

MD5
d5f474152567f74e982ba7462fec87ed

SHA1
c0950ed8fcf05fec8dc9d82430bf8362868d49d3

SHA256
bd0869ad342f66aaa662d47013c80351546f89ac243c021eb358a07fe7628769

SHA512
80622f0ad4d9114b10b22d49d645e71c00f5ac1e40d05e758bf08bba1d691170dac30c07811f55b7d1c088a44b143b24a8e8ff973853399c334d3853663052ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
3.3MB

MD5
75af9f2eb945f6f1a1517e8806102d15

SHA1
5148e7b2da2231498a1ba67ed73f9f8d71d40066

SHA256
bb08e426c08f7f5b36e2714aeb5607fe457cc2fa824024ff470662c715021c55

SHA512
06034a5ba61699d6c10f84cb89ac0541206918fba133917bf1d7cf98c48ab3f1267353297d19ed4ec341af7a4e752121cfa43cdad0d7c951d0cb145bf45c4020

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_bd0869ad342f66aaa662d47013c80351546f89ac243c021eb358a07fe7628769.exe

Filesize
3.3MB

MD5
75af9f2eb945f6f1a1517e8806102d15

SHA1
5148e7b2da2231498a1ba67ed73f9f8d71d40066

SHA256
bb08e426c08f7f5b36e2714aeb5607fe457cc2fa824024ff470662c715021c55

SHA512
06034a5ba61699d6c10f84cb89ac0541206918fba133917bf1d7cf98c48ab3f1267353297d19ed4ec341af7a4e752121cfa43cdad0d7c951d0cb145bf45c4020

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_bd0869ad342f66aaa662d47013c80351546f89ac243c021eb358a07fe7628769.exe

Filesize
3.3MB

MD5
75af9f2eb945f6f1a1517e8806102d15

SHA1
5148e7b2da2231498a1ba67ed73f9f8d71d40066

SHA256
bb08e426c08f7f5b36e2714aeb5607fe457cc2fa824024ff470662c715021c55

SHA512
06034a5ba61699d6c10f84cb89ac0541206918fba133917bf1d7cf98c48ab3f1267353297d19ed4ec341af7a4e752121cfa43cdad0d7c951d0cb145bf45c4020

Download Submit
C:\Users\Admin\AppData\Local\Temp\O3sg8h6v.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
4.0MB

MD5
d5f474152567f74e982ba7462fec87ed

SHA1
c0950ed8fcf05fec8dc9d82430bf8362868d49d3

SHA256
bd0869ad342f66aaa662d47013c80351546f89ac243c021eb358a07fe7628769

SHA512
80622f0ad4d9114b10b22d49d645e71c00f5ac1e40d05e758bf08bba1d691170dac30c07811f55b7d1c088a44b143b24a8e8ff973853399c334d3853663052ac

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
4.0MB

MD5
d5f474152567f74e982ba7462fec87ed

SHA1
c0950ed8fcf05fec8dc9d82430bf8362868d49d3

SHA256
bd0869ad342f66aaa662d47013c80351546f89ac243c021eb358a07fe7628769

SHA512
80622f0ad4d9114b10b22d49d645e71c00f5ac1e40d05e758bf08bba1d691170dac30c07811f55b7d1c088a44b143b24a8e8ff973853399c334d3853663052ac

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
4.0MB

MD5
d5f474152567f74e982ba7462fec87ed

SHA1
c0950ed8fcf05fec8dc9d82430bf8362868d49d3

SHA256
bd0869ad342f66aaa662d47013c80351546f89ac243c021eb358a07fe7628769

SHA512
80622f0ad4d9114b10b22d49d645e71c00f5ac1e40d05e758bf08bba1d691170dac30c07811f55b7d1c088a44b143b24a8e8ff973853399c334d3853663052ac

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_bd0869ad342f66aaa662d47013c80351546f89ac243c021eb358a07fe7628769.exe

Filesize
3.3MB

MD5
75af9f2eb945f6f1a1517e8806102d15

SHA1
5148e7b2da2231498a1ba67ed73f9f8d71d40066

SHA256
bb08e426c08f7f5b36e2714aeb5607fe457cc2fa824024ff470662c715021c55

SHA512
06034a5ba61699d6c10f84cb89ac0541206918fba133917bf1d7cf98c48ab3f1267353297d19ed4ec341af7a4e752121cfa43cdad0d7c951d0cb145bf45c4020

Download Submit
memory/1924-70-0x0000000005370000-0x0000000005750000-memory.dmp

Filesize
3.9MB

Download
memory/1924-81-0x0000000000400000-0x0000000000805000-memory.dmp

Filesize
4.0MB

Download
memory/1924-54-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2092-111-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2092-82-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2092-115-0x0000000000400000-0x0000000000805000-memory.dmp

Filesize
4.0MB

Download
memory/2092-148-0x0000000000400000-0x0000000000805000-memory.dmp

Filesize
4.0MB

Download
memory/2092-112-0x0000000000400000-0x0000000000805000-memory.dmp

Filesize
4.0MB

Download
memory/2604-120-0x0000000000400000-0x00000000007E0000-memory.dmp

Filesize
3.9MB

Download
memory/2604-72-0x0000000000400000-0x00000000007E0000-memory.dmp

Filesize
3.9MB

Download
memory/2604-162-0x0000000000400000-0x00000000007E0000-memory.dmp

Filesize
3.9MB

Download
memory/2604-160-0x0000000000400000-0x00000000007E0000-memory.dmp

Filesize
3.9MB

Download
memory/2604-116-0x0000000000400000-0x00000000007E0000-memory.dmp

Filesize
3.9MB

Download
memory/2604-158-0x0000000000400000-0x00000000007E0000-memory.dmp

Filesize
3.9MB

Download
memory/2604-147-0x0000000000400000-0x00000000007E0000-memory.dmp

Filesize
3.9MB

Download
memory/2604-109-0x0000000000400000-0x00000000007E0000-memory.dmp

Filesize
3.9MB

Download
memory/2604-151-0x0000000000400000-0x00000000007E0000-memory.dmp

Filesize
3.9MB

Download
memory/2604-153-0x0000000000400000-0x00000000007E0000-memory.dmp

Filesize
3.9MB

Download
memory/2604-156-0x0000000000400000-0x00000000007E0000-memory.dmp

Filesize
3.9MB

Download
memory/2908-88-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2908-89-0x0000000073F4D000-0x0000000073F58000-memory.dmp

Filesize
44KB

Download
memory/2908-113-0x0000000073F4D000-0x0000000073F58000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads