0e43ffb6610189ff1231a937304148dd659eb719326f42df12e6e9955bd29a6f

Analysis

max time kernel
258s
max time network
272s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SourceTreeSetup-3.3.9.exe
Size

24.8MB
MD5

66f304ccde7c9d9fbad90b19a52a2a0a
SHA1

c457f59a80ba1761a0b0b5cb3dc0d1d349c80395
SHA256

0e43ffb6610189ff1231a937304148dd659eb719326f42df12e6e9955bd29a6f
SHA512

e0d3b2cac83ccc028ebf8f1c6895b9fee022793da2dd245122abaad61bdc22f007a438ace5d9477fb28e9f95fdede7410e8dbc075d08fcb70e6756b9dc2fb814
SSDEEP

393216:EyvPkkSDcyERxMyMfEhE3gY6L1UNSBMFI7wYerTSKiwj4lR5Sd4M0vncjCM:BkkQgssS3X6L1UJFgkf4lRwOT6

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	SourceTreeSetup-3.3.9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 5 IoCs

pid	Process
1088	._cache_SourceTreeSetup-3.3.9.exe
544	Update.exe
524	Synaptics.exe
4256	._cache_Synaptics.exe
4088	Update.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	SourceTreeSetup-3.3.9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	SourceTreeSetup-3.3.9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 1088	2548	SourceTreeSetup-3.3.9.exe	83
PID 2548 wrote to memory of 1088	2548	SourceTreeSetup-3.3.9.exe	83
PID 2548 wrote to memory of 1088	2548	SourceTreeSetup-3.3.9.exe	83
PID 1088 wrote to memory of 544	1088	._cache_SourceTreeSetup-3.3.9.exe	85
PID 1088 wrote to memory of 544	1088	._cache_SourceTreeSetup-3.3.9.exe	85
PID 2548 wrote to memory of 524	2548	SourceTreeSetup-3.3.9.exe	88
PID 2548 wrote to memory of 524	2548	SourceTreeSetup-3.3.9.exe	88
PID 2548 wrote to memory of 524	2548	SourceTreeSetup-3.3.9.exe	88
PID 524 wrote to memory of 4256	524	Synaptics.exe	92
PID 524 wrote to memory of 4256	524	Synaptics.exe	92
PID 524 wrote to memory of 4256	524	Synaptics.exe	92
PID 4256 wrote to memory of 4088	4256	._cache_Synaptics.exe	93
PID 4256 wrote to memory of 4088	4256	._cache_Synaptics.exe	93

C:\Users\Admin\AppData\Local\Temp\SourceTreeSetup-3.3.9.exe
"C:\Users\Admin\AppData\Local\Temp\SourceTreeSetup-3.3.9.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\._cache_SourceTreeSetup-3.3.9.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_SourceTreeSetup-3.3.9.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
    3⤵
    - Executes dropped EXE
    PID:544
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:524
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4256
  - - C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
      "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install . InjUpdate
      4⤵
      Executes dropped EXE
      PID:4088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
24.8MB

MD5
66f304ccde7c9d9fbad90b19a52a2a0a

SHA1
c457f59a80ba1761a0b0b5cb3dc0d1d349c80395

SHA256
0e43ffb6610189ff1231a937304148dd659eb719326f42df12e6e9955bd29a6f

SHA512
e0d3b2cac83ccc028ebf8f1c6895b9fee022793da2dd245122abaad61bdc22f007a438ace5d9477fb28e9f95fdede7410e8dbc075d08fcb70e6756b9dc2fb814

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
24.8MB

MD5
66f304ccde7c9d9fbad90b19a52a2a0a

SHA1
c457f59a80ba1761a0b0b5cb3dc0d1d349c80395

SHA256
0e43ffb6610189ff1231a937304148dd659eb719326f42df12e6e9955bd29a6f

SHA512
e0d3b2cac83ccc028ebf8f1c6895b9fee022793da2dd245122abaad61bdc22f007a438ace5d9477fb28e9f95fdede7410e8dbc075d08fcb70e6756b9dc2fb814

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
24.8MB

MD5
66f304ccde7c9d9fbad90b19a52a2a0a

SHA1
c457f59a80ba1761a0b0b5cb3dc0d1d349c80395

SHA256
0e43ffb6610189ff1231a937304148dd659eb719326f42df12e6e9955bd29a6f

SHA512
e0d3b2cac83ccc028ebf8f1c6895b9fee022793da2dd245122abaad61bdc22f007a438ace5d9477fb28e9f95fdede7410e8dbc075d08fcb70e6756b9dc2fb814

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
80B

MD5
c9a09c9728e430f323605e1971f22726

SHA1
f1b67e5c7f63258964be72b1982801bfbd948467

SHA256
9023b65a8dee768138afb96378f278d2dc97783d9ea64bee1b7398d39b244e7b

SHA512
987d5cc87d7cfade01125cb2b33ae2954221a5e30379c9031b464640c268bb4ec3ceb79de111e063895594c8412c607aacf5060167589bb929d03e29e9f20d58

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\SourceTree-3.3.9-full.nupkg

Filesize
23.3MB

MD5
349d6b5d0aaf53153ccd870d0f096095

SHA1
c2369dfceb2e39ee84cb70a77c905ec144ecc8a6

SHA256
868d1b4e302397baa24c23f69eeb9cbd6340d8cf373c62029fa55d7894d0de42

SHA512
ef0a2e0a0c46aa26982dc3e2fd2e653d0c5c875871ee76064a91e1975a2c7919f7b5e83bf93caefd6b64f6ef5280c519b16271095164075f9647ced81121d080

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.8MB

MD5
597856ac1657d8c94e59e68e43eb2a38

SHA1
5b47a0f1b01ed0df6e562bdeadd6203bd74ff19c

SHA256
0c0e17dddaa1ff0cf4ea6ed8dd62207b4a2f4f36a5fe494843ec6596e39b21f1

SHA512
3d09158b2dc69577f541d694568b55e925fd191359b3c9ec3ac70364c0adcfa3799536fd2ea254d99030546974f1bcc6ce3877dc4345e8260f6880044706bd16

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.8MB

MD5
597856ac1657d8c94e59e68e43eb2a38

SHA1
5b47a0f1b01ed0df6e562bdeadd6203bd74ff19c

SHA256
0c0e17dddaa1ff0cf4ea6ed8dd62207b4a2f4f36a5fe494843ec6596e39b21f1

SHA512
3d09158b2dc69577f541d694568b55e925fd191359b3c9ec3ac70364c0adcfa3799536fd2ea254d99030546974f1bcc6ce3877dc4345e8260f6880044706bd16

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.8MB

MD5
597856ac1657d8c94e59e68e43eb2a38

SHA1
5b47a0f1b01ed0df6e562bdeadd6203bd74ff19c

SHA256
0c0e17dddaa1ff0cf4ea6ed8dd62207b4a2f4f36a5fe494843ec6596e39b21f1

SHA512
3d09158b2dc69577f541d694568b55e925fd191359b3c9ec3ac70364c0adcfa3799536fd2ea254d99030546974f1bcc6ce3877dc4345e8260f6880044706bd16

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\background.gif

Filesize
4KB

MD5
0dfd25b120d2617e38b96f501bcdb7e9

SHA1
62a620cd5c4bf23dd2d68b410a7a47557fbbbe35

SHA256
e3dc5a573764c9960fe992286d6628f82ccb7d26dceaa5d2d457a9b3ca18c691

SHA512
06a4a02368c66e9a1d7b1f3d425aaf62eebd71a668b1d1968af078acc67d04de464a6379702581190e4e26c8213c4e3e9cb6f33b70e469e3956154165296824c

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_SourceTreeSetup-3.3.9.exe

Filesize
24.1MB

MD5
12ad58ccaf4b2eff9a9e76d1b77ea9c9

SHA1
bc0a887f1e7c0ffe1cac18a8c117bd27e73bee40

SHA256
ffaef30ad57ab28aefb4dec307af0bdccdb81a99d1e345f2a7f4030dcc48f874

SHA512
2413cc74fb608f24a921cc067d42572dae14cd5f8f640f573a975fceb401018ea62dae64faa747324b17ea7434113124d7b1ffcea23980b263dadb5fb2865aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_SourceTreeSetup-3.3.9.exe

Filesize
24.1MB

MD5
12ad58ccaf4b2eff9a9e76d1b77ea9c9

SHA1
bc0a887f1e7c0ffe1cac18a8c117bd27e73bee40

SHA256
ffaef30ad57ab28aefb4dec307af0bdccdb81a99d1e345f2a7f4030dcc48f874

SHA512
2413cc74fb608f24a921cc067d42572dae14cd5f8f640f573a975fceb401018ea62dae64faa747324b17ea7434113124d7b1ffcea23980b263dadb5fb2865aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_SourceTreeSetup-3.3.9.exe

Filesize
24.1MB

MD5
12ad58ccaf4b2eff9a9e76d1b77ea9c9

SHA1
bc0a887f1e7c0ffe1cac18a8c117bd27e73bee40

SHA256
ffaef30ad57ab28aefb4dec307af0bdccdb81a99d1e345f2a7f4030dcc48f874

SHA512
2413cc74fb608f24a921cc067d42572dae14cd5f8f640f573a975fceb401018ea62dae64faa747324b17ea7434113124d7b1ffcea23980b263dadb5fb2865aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
24.1MB

MD5
12ad58ccaf4b2eff9a9e76d1b77ea9c9

SHA1
bc0a887f1e7c0ffe1cac18a8c117bd27e73bee40

SHA256
ffaef30ad57ab28aefb4dec307af0bdccdb81a99d1e345f2a7f4030dcc48f874

SHA512
2413cc74fb608f24a921cc067d42572dae14cd5f8f640f573a975fceb401018ea62dae64faa747324b17ea7434113124d7b1ffcea23980b263dadb5fb2865aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
24.1MB

MD5
12ad58ccaf4b2eff9a9e76d1b77ea9c9

SHA1
bc0a887f1e7c0ffe1cac18a8c117bd27e73bee40

SHA256
ffaef30ad57ab28aefb4dec307af0bdccdb81a99d1e345f2a7f4030dcc48f874

SHA512
2413cc74fb608f24a921cc067d42572dae14cd5f8f640f573a975fceb401018ea62dae64faa747324b17ea7434113124d7b1ffcea23980b263dadb5fb2865aad

Download Submit
memory/524-384-0x0000000000400000-0x0000000001CD9000-memory.dmp

Filesize
24.8MB

Download
memory/524-159-0x0000000003B50000-0x0000000003B51000-memory.dmp

Filesize
4KB

Download
memory/524-367-0x0000000000400000-0x0000000001CD9000-memory.dmp

Filesize
24.8MB

Download
memory/524-354-0x0000000000400000-0x0000000001CD9000-memory.dmp

Filesize
24.8MB

Download
memory/544-355-0x00007FFCBD760000-0x00007FFCBE221000-memory.dmp

Filesize
10.8MB

Download
memory/544-134-0x00007FFCBD760000-0x00007FFCBE221000-memory.dmp

Filesize
10.8MB

Download
memory/544-86-0x00000000001E0000-0x00000000003AE000-memory.dmp

Filesize
1.8MB

Download
memory/544-160-0x000000001B1E0000-0x000000001B1F0000-memory.dmp

Filesize
64KB

Download
memory/544-356-0x000000001B1E0000-0x000000001B1F0000-memory.dmp

Filesize
64KB

Download
memory/2548-0-0x0000000003B60000-0x0000000003B61000-memory.dmp

Filesize
4KB

Download
memory/2548-142-0x0000000000400000-0x0000000001CD9000-memory.dmp

Filesize
24.8MB

Download
memory/2548-54-0x0000000003B60000-0x0000000003B61000-memory.dmp

Filesize
4KB

Download
memory/2548-3-0x0000000000400000-0x0000000001CD9000-memory.dmp

Filesize
24.8MB

Download
memory/2548-79-0x0000000000400000-0x0000000001CD9000-memory.dmp

Filesize
24.8MB

Download
memory/2548-149-0x0000000000400000-0x0000000001CD9000-memory.dmp

Filesize
24.8MB

Download
memory/4088-370-0x00007FFCBD760000-0x00007FFCBE221000-memory.dmp

Filesize
10.8MB

Download
memory/4088-371-0x000000001B3C0000-0x000000001B3D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads