831a04ea1dae4d5fb42743fdc5321e532c17fed2cf6dc130467bcc025842252a

General

Target

NEAS.8277147e808fdccd8cb3cb8299e82e30.exe
Size

1.3MB
MD5

8277147e808fdccd8cb3cb8299e82e30
SHA1

17d3cd78f197e6cb3c17f2570f9d40543bba9ecb
SHA256

831a04ea1dae4d5fb42743fdc5321e532c17fed2cf6dc130467bcc025842252a
SHA512

2228623cb39199f2d6cc6ef287ab21331ec88aeb149c6a5ef6468aabc25366d1cc733efdfa05c512c2f7f5e10e3478749c445c1a33f82bbb4ee1513391863e12
SSDEEP

12288:iMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9NiXIigo+qwl6:insJ39LyjbJkQFMhmC+6GD94Xt1+qw8

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	NEAS.8277147e808fdccd8cb3cb8299e82e30.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 3 IoCs

pid	Process
4948	._cache_NEAS.8277147e808fdccd8cb3cb8299e82e30.exe
1500	Synaptics.exe
2456	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	NEAS.8277147e808fdccd8cb3cb8299e82e30.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	NEAS.8277147e808fdccd8cb3cb8299e82e30.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 4948	1424	NEAS.8277147e808fdccd8cb3cb8299e82e30.exe	89
PID 1424 wrote to memory of 4948	1424	NEAS.8277147e808fdccd8cb3cb8299e82e30.exe	89
PID 1424 wrote to memory of 1500	1424	NEAS.8277147e808fdccd8cb3cb8299e82e30.exe	91
PID 1424 wrote to memory of 1500	1424	NEAS.8277147e808fdccd8cb3cb8299e82e30.exe	91
PID 1424 wrote to memory of 1500	1424	NEAS.8277147e808fdccd8cb3cb8299e82e30.exe	91
PID 1500 wrote to memory of 2456	1500	Synaptics.exe	92
PID 1500 wrote to memory of 2456	1500	Synaptics.exe	92

C:\Users\Admin\AppData\Local\Temp\NEAS.8277147e808fdccd8cb3cb8299e82e30.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.8277147e808fdccd8cb3cb8299e82e30.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Users\Admin\AppData\Local\Temp\._cache_NEAS.8277147e808fdccd8cb3cb8299e82e30.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_NEAS.8277147e808fdccd8cb3cb8299e82e30.exe"
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.3MB

MD5
8277147e808fdccd8cb3cb8299e82e30

SHA1
17d3cd78f197e6cb3c17f2570f9d40543bba9ecb

SHA256
831a04ea1dae4d5fb42743fdc5321e532c17fed2cf6dc130467bcc025842252a

SHA512
2228623cb39199f2d6cc6ef287ab21331ec88aeb149c6a5ef6468aabc25366d1cc733efdfa05c512c2f7f5e10e3478749c445c1a33f82bbb4ee1513391863e12

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.3MB

MD5
8277147e808fdccd8cb3cb8299e82e30

SHA1
17d3cd78f197e6cb3c17f2570f9d40543bba9ecb

SHA256
831a04ea1dae4d5fb42743fdc5321e532c17fed2cf6dc130467bcc025842252a

SHA512
2228623cb39199f2d6cc6ef287ab21331ec88aeb149c6a5ef6468aabc25366d1cc733efdfa05c512c2f7f5e10e3478749c445c1a33f82bbb4ee1513391863e12

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.3MB

MD5
8277147e808fdccd8cb3cb8299e82e30

SHA1
17d3cd78f197e6cb3c17f2570f9d40543bba9ecb

SHA256
831a04ea1dae4d5fb42743fdc5321e532c17fed2cf6dc130467bcc025842252a

SHA512
2228623cb39199f2d6cc6ef287ab21331ec88aeb149c6a5ef6468aabc25366d1cc733efdfa05c512c2f7f5e10e3478749c445c1a33f82bbb4ee1513391863e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_NEAS.8277147e808fdccd8cb3cb8299e82e30.exe

Filesize
557KB

MD5
c766853e9158449855b5d9cc0925904b

SHA1
9cd986cbca432e46d2a34ea54ce69a7066fcb342

SHA256
956314ce4abf95cb91ff32bca737a615dc38bcb1fb349a96e4e4fa5fd64252ca

SHA512
06c5de1113f5ff7f718a11b927dfd59d0538c88807809d700a342f589bba274d233fd83c0fd86c588ae2ea54e7c0b45179ee0c0da1ddd85d9e430734fb6dc504

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_NEAS.8277147e808fdccd8cb3cb8299e82e30.exe

Filesize
557KB

MD5
c766853e9158449855b5d9cc0925904b

SHA1
9cd986cbca432e46d2a34ea54ce69a7066fcb342

SHA256
956314ce4abf95cb91ff32bca737a615dc38bcb1fb349a96e4e4fa5fd64252ca

SHA512
06c5de1113f5ff7f718a11b927dfd59d0538c88807809d700a342f589bba274d233fd83c0fd86c588ae2ea54e7c0b45179ee0c0da1ddd85d9e430734fb6dc504

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_NEAS.8277147e808fdccd8cb3cb8299e82e30.exe

Filesize
557KB

MD5
c766853e9158449855b5d9cc0925904b

SHA1
9cd986cbca432e46d2a34ea54ce69a7066fcb342

SHA256
956314ce4abf95cb91ff32bca737a615dc38bcb1fb349a96e4e4fa5fd64252ca

SHA512
06c5de1113f5ff7f718a11b927dfd59d0538c88807809d700a342f589bba274d233fd83c0fd86c588ae2ea54e7c0b45179ee0c0da1ddd85d9e430734fb6dc504

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
557KB

MD5
c766853e9158449855b5d9cc0925904b

SHA1
9cd986cbca432e46d2a34ea54ce69a7066fcb342

SHA256
956314ce4abf95cb91ff32bca737a615dc38bcb1fb349a96e4e4fa5fd64252ca

SHA512
06c5de1113f5ff7f718a11b927dfd59d0538c88807809d700a342f589bba274d233fd83c0fd86c588ae2ea54e7c0b45179ee0c0da1ddd85d9e430734fb6dc504

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
557KB

MD5
c766853e9158449855b5d9cc0925904b

SHA1
9cd986cbca432e46d2a34ea54ce69a7066fcb342

SHA256
956314ce4abf95cb91ff32bca737a615dc38bcb1fb349a96e4e4fa5fd64252ca

SHA512
06c5de1113f5ff7f718a11b927dfd59d0538c88807809d700a342f589bba274d233fd83c0fd86c588ae2ea54e7c0b45179ee0c0da1ddd85d9e430734fb6dc504

Download Submit
memory/1424-131-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/1424-1-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1424-0-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/1500-204-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/1500-201-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/1500-210-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/1500-134-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/1500-135-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/1500-203-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/1500-226-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/1500-202-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/2456-200-0x00007FFE8CB00000-0x00007FFE8D5C1000-memory.dmp

Filesize
10.8MB

Download
memory/2456-198-0x00007FFE8CB00000-0x00007FFE8D5C1000-memory.dmp

Filesize
10.8MB

Download
memory/4948-139-0x00007FFE8CA50000-0x00007FFE8D511000-memory.dmp

Filesize
10.8MB

Download
memory/4948-129-0x000001E14B360000-0x000001E14B370000-memory.dmp

Filesize
64KB

Download
memory/4948-72-0x000001E149590000-0x000001E14961E000-memory.dmp

Filesize
568KB

Download
memory/4948-71-0x00007FFE8CA50000-0x00007FFE8D511000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads