9d834e675f206e961bcf9ace6507b2b6bf2a3b7b1b5a03fd6b771046e603a4d7

General

Target

faedf8bcd08ab56558cb4bfd32d8d47e_JC.exe
Size

873KB
MD5

faedf8bcd08ab56558cb4bfd32d8d47e
SHA1

b1599ed21234519b9d0ccc3a54075cda700b92bd
SHA256

9d834e675f206e961bcf9ace6507b2b6bf2a3b7b1b5a03fd6b771046e603a4d7
SHA512

d231e1fe656e54c89afa6944788839f541f51f6e515df8b6d69e9bffba63245fa953fa0215454ff5da3327f01c069d7aad1b472a771b2560544da5d647e22623
SSDEEP

12288:EMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9YPYYV/nT5V/GSL7j:EnsJ39LyjbJkQFMhmC+6GD9GVVPT7h

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	faedf8bcd08ab56558cb4bfd32d8d47e_JC.exe

Executes dropped EXE 3 IoCs

pid	Process
3324	._cache_faedf8bcd08ab56558cb4bfd32d8d47e_JC.exe
4320	Synaptics.exe
4704	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	faedf8bcd08ab56558cb4bfd32d8d47e_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	faedf8bcd08ab56558cb4bfd32d8d47e_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3804 wrote to memory of 3324	3804	faedf8bcd08ab56558cb4bfd32d8d47e_JC.exe	90
PID 3804 wrote to memory of 3324	3804	faedf8bcd08ab56558cb4bfd32d8d47e_JC.exe	90
PID 3804 wrote to memory of 3324	3804	faedf8bcd08ab56558cb4bfd32d8d47e_JC.exe	90
PID 3804 wrote to memory of 4320	3804	faedf8bcd08ab56558cb4bfd32d8d47e_JC.exe	92
PID 3804 wrote to memory of 4320	3804	faedf8bcd08ab56558cb4bfd32d8d47e_JC.exe	92
PID 3804 wrote to memory of 4320	3804	faedf8bcd08ab56558cb4bfd32d8d47e_JC.exe	92
PID 4320 wrote to memory of 4704	4320	Synaptics.exe	93
PID 4320 wrote to memory of 4704	4320	Synaptics.exe	93
PID 4320 wrote to memory of 4704	4320	Synaptics.exe	93

C:\Users\Admin\AppData\Local\Temp\faedf8bcd08ab56558cb4bfd32d8d47e_JC.exe
"C:\Users\Admin\AppData\Local\Temp\faedf8bcd08ab56558cb4bfd32d8d47e_JC.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3804
- C:\Users\Admin\AppData\Local\Temp\._cache_faedf8bcd08ab56558cb4bfd32d8d47e_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_faedf8bcd08ab56558cb4bfd32d8d47e_JC.exe"
  2⤵
  - Executes dropped EXE
  PID:3324
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4320
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:4704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
873KB

MD5
faedf8bcd08ab56558cb4bfd32d8d47e

SHA1
b1599ed21234519b9d0ccc3a54075cda700b92bd

SHA256
9d834e675f206e961bcf9ace6507b2b6bf2a3b7b1b5a03fd6b771046e603a4d7

SHA512
d231e1fe656e54c89afa6944788839f541f51f6e515df8b6d69e9bffba63245fa953fa0215454ff5da3327f01c069d7aad1b472a771b2560544da5d647e22623

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
873KB

MD5
faedf8bcd08ab56558cb4bfd32d8d47e

SHA1
b1599ed21234519b9d0ccc3a54075cda700b92bd

SHA256
9d834e675f206e961bcf9ace6507b2b6bf2a3b7b1b5a03fd6b771046e603a4d7

SHA512
d231e1fe656e54c89afa6944788839f541f51f6e515df8b6d69e9bffba63245fa953fa0215454ff5da3327f01c069d7aad1b472a771b2560544da5d647e22623

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
873KB

MD5
faedf8bcd08ab56558cb4bfd32d8d47e

SHA1
b1599ed21234519b9d0ccc3a54075cda700b92bd

SHA256
9d834e675f206e961bcf9ace6507b2b6bf2a3b7b1b5a03fd6b771046e603a4d7

SHA512
d231e1fe656e54c89afa6944788839f541f51f6e515df8b6d69e9bffba63245fa953fa0215454ff5da3327f01c069d7aad1b472a771b2560544da5d647e22623

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
120KB

MD5
629e2583dd120d61366d7519a2d65b72

SHA1
d53a9d7be907b43e355acd0b96840a6dca21fc64

SHA256
819eeeb77e5d23d17e115b514366fdcd3ee98e4fe454136136f39db4a4daa257

SHA512
f8ecb3ff7e02464d6a345f4b2cf0d44d72b0cb042214f56304a0946397d4e9279281eeacb7c3f50c3b317f29859a4e5a900ebe21c0970d2d5532a73e731c7a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
120KB

MD5
629e2583dd120d61366d7519a2d65b72

SHA1
d53a9d7be907b43e355acd0b96840a6dca21fc64

SHA256
819eeeb77e5d23d17e115b514366fdcd3ee98e4fe454136136f39db4a4daa257

SHA512
f8ecb3ff7e02464d6a345f4b2cf0d44d72b0cb042214f56304a0946397d4e9279281eeacb7c3f50c3b317f29859a4e5a900ebe21c0970d2d5532a73e731c7a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_faedf8bcd08ab56558cb4bfd32d8d47e_JC.exe

Filesize
120KB

MD5
629e2583dd120d61366d7519a2d65b72

SHA1
d53a9d7be907b43e355acd0b96840a6dca21fc64

SHA256
819eeeb77e5d23d17e115b514366fdcd3ee98e4fe454136136f39db4a4daa257

SHA512
f8ecb3ff7e02464d6a345f4b2cf0d44d72b0cb042214f56304a0946397d4e9279281eeacb7c3f50c3b317f29859a4e5a900ebe21c0970d2d5532a73e731c7a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_faedf8bcd08ab56558cb4bfd32d8d47e_JC.exe

Filesize
120KB

MD5
629e2583dd120d61366d7519a2d65b72

SHA1
d53a9d7be907b43e355acd0b96840a6dca21fc64

SHA256
819eeeb77e5d23d17e115b514366fdcd3ee98e4fe454136136f39db4a4daa257

SHA512
f8ecb3ff7e02464d6a345f4b2cf0d44d72b0cb042214f56304a0946397d4e9279281eeacb7c3f50c3b317f29859a4e5a900ebe21c0970d2d5532a73e731c7a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_faedf8bcd08ab56558cb4bfd32d8d47e_JC.exe

Filesize
120KB

MD5
629e2583dd120d61366d7519a2d65b72

SHA1
d53a9d7be907b43e355acd0b96840a6dca21fc64

SHA256
819eeeb77e5d23d17e115b514366fdcd3ee98e4fe454136136f39db4a4daa257

SHA512
f8ecb3ff7e02464d6a345f4b2cf0d44d72b0cb042214f56304a0946397d4e9279281eeacb7c3f50c3b317f29859a4e5a900ebe21c0970d2d5532a73e731c7a38

Download Submit
memory/3804-28-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/3804-107-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/3804-3-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/3804-0-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/4320-104-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/4320-139-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/4320-140-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/4320-146-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/4320-162-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads