ea087c479b0f47c8ec7026eb3ff2b6d1cf939f63715b3a7519ddc403bf6b513b

Analysis

max time kernel
150s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2023, 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8afc905c264a7e00b89e1f29d2e30d44.exe
Size

17.1MB
MD5

8afc905c264a7e00b89e1f29d2e30d44
SHA1

70b57a174fd6210c3a5241f20af43cf079e2e245
SHA256

ea087c479b0f47c8ec7026eb3ff2b6d1cf939f63715b3a7519ddc403bf6b513b
SHA512

279b399fa98691f560621abf975d8846e948fd780ea5e1ac53bc5e5faa13b193d24f0ed08775c5c58ea89a8c0ddb4658b768e9921ce96269b4ba893c696075a1
SSDEEP

393216:0V0Q4oIqRsl/c38/EV7w7GQTExdsjbqfnkgzObnzRb6:QSEq/q8cGK6EPNnlzOb0

Score

7^/10

bootkit persistence vmprotect

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4836	._cache_8afc905c264a7e00b89e1f29d2e30d44.exe
1524	Synaptics.exe
4688	._cache_Synaptics.exe

VMProtect packed file 11 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x000700000002320b-138.dat	vmprotect
behavioral2/files/0x000700000002320b-192.dat	vmprotect
behavioral2/files/0x000700000002320b-193.dat	vmprotect
behavioral2/files/0x0009000000023211-323.dat	vmprotect
behavioral2/files/0x0009000000023211-324.dat	vmprotect
behavioral2/memory/4836-331-0x0000000000400000-0x00000000025B8000-memory.dmp	vmprotect
behavioral2/memory/4836-333-0x0000000000400000-0x00000000025B8000-memory.dmp	vmprotect
behavioral2/memory/4688-344-0x0000000000400000-0x00000000025B8000-memory.dmp	vmprotect
behavioral2/memory/4836-357-0x0000000000400000-0x00000000025B8000-memory.dmp	vmprotect
behavioral2/memory/4688-359-0x0000000000400000-0x00000000025B8000-memory.dmp	vmprotect
behavioral2/memory/4836-360-0x0000000000400000-0x00000000025B8000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	8afc905c264a7e00b89e1f29d2e30d44.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	._cache_8afc905c264a7e00b89e1f29d2e30d44.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	8afc905c264a7e00b89e1f29d2e30d44.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4836	._cache_8afc905c264a7e00b89e1f29d2e30d44.exe
4836	._cache_8afc905c264a7e00b89e1f29d2e30d44.exe
4836	._cache_8afc905c264a7e00b89e1f29d2e30d44.exe
4836	._cache_8afc905c264a7e00b89e1f29d2e30d44.exe
4688	._cache_Synaptics.exe
4688	._cache_Synaptics.exe
4836	._cache_8afc905c264a7e00b89e1f29d2e30d44.exe
4836	._cache_8afc905c264a7e00b89e1f29d2e30d44.exe
4836	._cache_8afc905c264a7e00b89e1f29d2e30d44.exe
4836	._cache_8afc905c264a7e00b89e1f29d2e30d44.exe
4688	._cache_Synaptics.exe
4688	._cache_Synaptics.exe
4836	._cache_8afc905c264a7e00b89e1f29d2e30d44.exe
4836	._cache_8afc905c264a7e00b89e1f29d2e30d44.exe
4836	._cache_8afc905c264a7e00b89e1f29d2e30d44.exe
4836	._cache_8afc905c264a7e00b89e1f29d2e30d44.exe
4688	._cache_Synaptics.exe
4688	._cache_Synaptics.exe
4688	._cache_Synaptics.exe
4688	._cache_Synaptics.exe
4688	._cache_Synaptics.exe
4688	._cache_Synaptics.exe
4688	._cache_Synaptics.exe
4688	._cache_Synaptics.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4836	._cache_8afc905c264a7e00b89e1f29d2e30d44.exe
4688	._cache_Synaptics.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4836	._cache_8afc905c264a7e00b89e1f29d2e30d44.exe
4688	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4836	._cache_8afc905c264a7e00b89e1f29d2e30d44.exe
4836	._cache_8afc905c264a7e00b89e1f29d2e30d44.exe
4688	._cache_Synaptics.exe
4688	._cache_Synaptics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 4836	5028	8afc905c264a7e00b89e1f29d2e30d44.exe	85
PID 5028 wrote to memory of 4836	5028	8afc905c264a7e00b89e1f29d2e30d44.exe	85
PID 5028 wrote to memory of 4836	5028	8afc905c264a7e00b89e1f29d2e30d44.exe	85
PID 5028 wrote to memory of 1524	5028	8afc905c264a7e00b89e1f29d2e30d44.exe	86
PID 5028 wrote to memory of 1524	5028	8afc905c264a7e00b89e1f29d2e30d44.exe	86
PID 5028 wrote to memory of 1524	5028	8afc905c264a7e00b89e1f29d2e30d44.exe	86
PID 1524 wrote to memory of 4688	1524	Synaptics.exe	88
PID 1524 wrote to memory of 4688	1524	Synaptics.exe	88
PID 1524 wrote to memory of 4688	1524	Synaptics.exe	88

C:\Users\Admin\AppData\Local\Temp\8afc905c264a7e00b89e1f29d2e30d44.exe
"C:\Users\Admin\AppData\Local\Temp\8afc905c264a7e00b89e1f29d2e30d44.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Users\Admin\AppData\Local\Temp\._cache_8afc905c264a7e00b89e1f29d2e30d44.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_8afc905c264a7e00b89e1f29d2e30d44.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4836
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:4688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
17.1MB

MD5
8afc905c264a7e00b89e1f29d2e30d44

SHA1
70b57a174fd6210c3a5241f20af43cf079e2e245

SHA256
ea087c479b0f47c8ec7026eb3ff2b6d1cf939f63715b3a7519ddc403bf6b513b

SHA512
279b399fa98691f560621abf975d8846e948fd780ea5e1ac53bc5e5faa13b193d24f0ed08775c5c58ea89a8c0ddb4658b768e9921ce96269b4ba893c696075a1

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
17.1MB

MD5
8afc905c264a7e00b89e1f29d2e30d44

SHA1
70b57a174fd6210c3a5241f20af43cf079e2e245

SHA256
ea087c479b0f47c8ec7026eb3ff2b6d1cf939f63715b3a7519ddc403bf6b513b

SHA512
279b399fa98691f560621abf975d8846e948fd780ea5e1ac53bc5e5faa13b193d24f0ed08775c5c58ea89a8c0ddb4658b768e9921ce96269b4ba893c696075a1

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
17.1MB

MD5
8afc905c264a7e00b89e1f29d2e30d44

SHA1
70b57a174fd6210c3a5241f20af43cf079e2e245

SHA256
ea087c479b0f47c8ec7026eb3ff2b6d1cf939f63715b3a7519ddc403bf6b513b

SHA512
279b399fa98691f560621abf975d8846e948fd780ea5e1ac53bc5e5faa13b193d24f0ed08775c5c58ea89a8c0ddb4658b768e9921ce96269b4ba893c696075a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_8afc905c264a7e00b89e1f29d2e30d44.exe

Filesize
16.3MB

MD5
0ea6a399a2e431b805a03c4b5f2d338c

SHA1
558eb8d58f1b287dff7dff4177f7ee128539dbb8

SHA256
dce7ed370cbb4c6010d317d7fd99209f66a27f026673316beac0326e4fd4c10f

SHA512
74112698d910527d4b8a71cb7baea515c919689f7303e27e7aeb42c89800132749b83c99d548c289c6d5af97cccee52415cf5b8d6e9beaa23009c562a8f5b7fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_8afc905c264a7e00b89e1f29d2e30d44.exe

Filesize
16.3MB

MD5
0ea6a399a2e431b805a03c4b5f2d338c

SHA1
558eb8d58f1b287dff7dff4177f7ee128539dbb8

SHA256
dce7ed370cbb4c6010d317d7fd99209f66a27f026673316beac0326e4fd4c10f

SHA512
74112698d910527d4b8a71cb7baea515c919689f7303e27e7aeb42c89800132749b83c99d548c289c6d5af97cccee52415cf5b8d6e9beaa23009c562a8f5b7fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_8afc905c264a7e00b89e1f29d2e30d44.exe

Filesize
16.3MB

MD5
0ea6a399a2e431b805a03c4b5f2d338c

SHA1
558eb8d58f1b287dff7dff4177f7ee128539dbb8

SHA256
dce7ed370cbb4c6010d317d7fd99209f66a27f026673316beac0326e4fd4c10f

SHA512
74112698d910527d4b8a71cb7baea515c919689f7303e27e7aeb42c89800132749b83c99d548c289c6d5af97cccee52415cf5b8d6e9beaa23009c562a8f5b7fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
16.3MB

MD5
0ea6a399a2e431b805a03c4b5f2d338c

SHA1
558eb8d58f1b287dff7dff4177f7ee128539dbb8

SHA256
dce7ed370cbb4c6010d317d7fd99209f66a27f026673316beac0326e4fd4c10f

SHA512
74112698d910527d4b8a71cb7baea515c919689f7303e27e7aeb42c89800132749b83c99d548c289c6d5af97cccee52415cf5b8d6e9beaa23009c562a8f5b7fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
16.3MB

MD5
0ea6a399a2e431b805a03c4b5f2d338c

SHA1
558eb8d58f1b287dff7dff4177f7ee128539dbb8

SHA256
dce7ed370cbb4c6010d317d7fd99209f66a27f026673316beac0326e4fd4c10f

SHA512
74112698d910527d4b8a71cb7baea515c919689f7303e27e7aeb42c89800132749b83c99d548c289c6d5af97cccee52415cf5b8d6e9beaa23009c562a8f5b7fe

Download Submit
C:\Users\Admin\Desktop\ÁúÖ®¹ú-»ð·ï.lnk

Filesize
1KB

MD5
f4f53a0f1a2d01d6452199517276991f

SHA1
7308bb8206a4cb18bc924c084e126417a8c6d3a8

SHA256
3024ab0d24acd49ad05672c906ba1944d96a8237b3f1e9b8aa15a50fb74c2776

SHA512
255588a478d95a27325f158970f9f9407c51c6306a047e28fb76a01307427c4477c8506733095c0dd85de944721bff632801d06139e5defebddda3681ce19fb0

Download Submit
memory/1524-358-0x0000000000400000-0x000000000151B000-memory.dmp

Filesize
17.1MB

Download
memory/1524-356-0x00000000016D0000-0x00000000016D1000-memory.dmp

Filesize
4KB

Download
memory/1524-264-0x00000000016D0000-0x00000000016D1000-memory.dmp

Filesize
4KB

Download
memory/1524-345-0x0000000000400000-0x000000000151B000-memory.dmp

Filesize
17.1MB

Download
memory/1524-387-0x0000000000400000-0x000000000151B000-memory.dmp

Filesize
17.1MB

Download
memory/4688-338-0x0000000004310000-0x0000000004311000-memory.dmp

Filesize
4KB

Download
memory/4688-336-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/4688-359-0x0000000000400000-0x00000000025B8000-memory.dmp

Filesize
33.7MB

Download
memory/4688-344-0x0000000000400000-0x00000000025B8000-memory.dmp

Filesize
33.7MB

Download
memory/4688-342-0x0000000004370000-0x0000000004371000-memory.dmp

Filesize
4KB

Download
memory/4688-341-0x0000000004360000-0x0000000004361000-memory.dmp

Filesize
4KB

Download
memory/4688-340-0x0000000004350000-0x0000000004351000-memory.dmp

Filesize
4KB

Download
memory/4688-339-0x0000000004340000-0x0000000004341000-memory.dmp

Filesize
4KB

Download
memory/4688-337-0x0000000004300000-0x0000000004301000-memory.dmp

Filesize
4KB

Download
memory/4836-349-0x0000000006330000-0x0000000006430000-memory.dmp

Filesize
1024KB

Download
memory/4836-354-0x0000000006330000-0x0000000006430000-memory.dmp

Filesize
1024KB

Download
memory/4836-333-0x0000000000400000-0x00000000025B8000-memory.dmp

Filesize
33.7MB

Download
memory/4836-332-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/4836-331-0x0000000000400000-0x00000000025B8000-memory.dmp

Filesize
33.7MB

Download
memory/4836-329-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/4836-330-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/4836-325-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/4836-327-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/4836-350-0x0000000006330000-0x0000000006430000-memory.dmp

Filesize
1024KB

Download
memory/4836-351-0x0000000006330000-0x0000000006430000-memory.dmp

Filesize
1024KB

Download
memory/4836-352-0x0000000006330000-0x0000000006430000-memory.dmp

Filesize
1024KB

Download
memory/4836-353-0x0000000006330000-0x0000000006430000-memory.dmp

Filesize
1024KB

Download
memory/4836-367-0x0000000004370000-0x0000000004371000-memory.dmp

Filesize
4KB

Download
memory/4836-326-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/4836-365-0x0000000006330000-0x0000000006430000-memory.dmp

Filesize
1024KB

Download
memory/4836-357-0x0000000000400000-0x00000000025B8000-memory.dmp

Filesize
33.7MB

Download
memory/4836-364-0x0000000006330000-0x0000000006430000-memory.dmp

Filesize
1024KB

Download
memory/4836-328-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/4836-360-0x0000000000400000-0x00000000025B8000-memory.dmp

Filesize
33.7MB

Download
memory/4836-361-0x0000000004370000-0x0000000004371000-memory.dmp

Filesize
4KB

Download
memory/4836-362-0x0000000006330000-0x0000000006430000-memory.dmp

Filesize
1024KB

Download
memory/4836-363-0x0000000006330000-0x0000000006430000-memory.dmp

Filesize
1024KB

Download
memory/5028-204-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/5028-263-0x0000000000400000-0x000000000151B000-memory.dmp

Filesize
17.1MB

Download
memory/5028-133-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/5028-203-0x0000000000400000-0x000000000151B000-memory.dmp

Filesize
17.1MB

Download