86d898556a024baa92bfdcda6207a77495f7ff19853e75724197eab7c1b5bd9b

Resubmissions

29-11-2024 09:17

241129-k9a1zasnfk 10

28-12-2023 10:00

231228-l1yw4shdbr 7

Analysis

max time kernel
146s
max time network
178s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-12-2023 10:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

delsort.exe
Size

2.5MB
MD5

a5e6c1e3a8eb38dfbf17567b56689595
SHA1

62899e6b169f18d6fd5183865f77ca6ae9fc0b30
SHA256

9dc49c1a95ee34f3f01069e96484e4d153d1ca9685c8232b15d1ded396c346d6
SHA512

3dcf9f899bcadb90ea0a61b6cda206b0ee5aba77a748155f26d2ae5b8095d32d2f3dfdc477776e3b9f9e17a984fe984431e11766b722575a5234a89bdbe1c476
SSDEEP

12288:xMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9IkBiQOBiD8422EagzVd:xnsJ39LyjbJkQFMhmC+6GD9l5U

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1724	._cache_delsort.exe
2732	Synaptics.exe
2888	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
2212	delsort.exe
2212	delsort.exe
2212	delsort.exe
2732	Synaptics.exe
2732	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	delsort.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 1724	2212	delsort.exe	28
PID 2212 wrote to memory of 1724	2212	delsort.exe	28
PID 2212 wrote to memory of 1724	2212	delsort.exe	28
PID 2212 wrote to memory of 1724	2212	delsort.exe	28
PID 2212 wrote to memory of 2732	2212	delsort.exe	30
PID 2212 wrote to memory of 2732	2212	delsort.exe	30
PID 2212 wrote to memory of 2732	2212	delsort.exe	30
PID 2212 wrote to memory of 2732	2212	delsort.exe	30
PID 2732 wrote to memory of 2888	2732	Synaptics.exe	32
PID 2732 wrote to memory of 2888	2732	Synaptics.exe	32
PID 2732 wrote to memory of 2888	2732	Synaptics.exe	32
PID 2732 wrote to memory of 2888	2732	Synaptics.exe	32

C:\Users\Admin\AppData\Local\Temp\delsort.exe
"C:\Users\Admin\AppData\Local\Temp\delsort.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\._cache_delsort.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_delsort.exe"
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
385KB

MD5
f2514eba0ab4f398b34a8eb9371a9031

SHA1
08143e62c3ea90679180995b259442dcf49f2460

SHA256
1cf74832884761ddb5aa5205276a49c7558f0623c0d1172ec7df12594c4189ea

SHA512
9ec39246ed9bc6c6ee9ffcfde54118f4693b90e95f30b7e064351406becd4f36788c52463d606017a5923a480f063ac90be67d7ff77e4fd6b4fd4539903e8df4

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
348KB

MD5
dbaf73437924dcef35198562c11e3a9f

SHA1
682e4ca90eaa384dc9de3934661b9c31ee38a50b

SHA256
9a2014646de52db1326de2177d720be5e33f08a1c2b8e54bbe6a137d21fbdcf1

SHA512
582698a78597bde15f37f86322748384426772a80dc05875c7085ac1feffefee2813f39c039bf6bba4a8dec98ffc8dfe857f0c995ff69d21dfedc31335c8a76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_delsort.exe

Filesize
93KB

MD5
f44efe981449973bdc41fc5c28e3e530

SHA1
002f775a97604ef0668efee5009d978d43e47c5c

SHA256
b7b4706f7e4dcd86c6156e20e00abcce03ab7d960dbb61741e0ee97b8f1c0ad6

SHA512
1eb84cb0731fa242cb8771c3daad67fcd2636f66b3fe75691d815b03a0dffc381258e9ba2341446bfb8dc929da3bfe227dbf870415e821d23072bd36eafaaff5

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
349KB

MD5
ebaeed9ee8fc3c0c99728b6b9ff5b02b

SHA1
fb7252cad2650a1fa80a0773cb397dde9b25e605

SHA256
28dd4498c75876c54fbe30d0f109dfc59fee8a08d8b501bfe83934792e1752d9

SHA512
d0ba5a419a53c2c30d223ddbf80a5f4fb624299df2ae4ec9d450395e6d11558d8c81b28a69d8a50b9487625dd406e3ccd3c92c1c483ec90f75e0933e58367335

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
65KB

MD5
1dbf8c90e7db09aa88d1d9a3ff0c9db9

SHA1
43203f0672472c86434672174fe155edfb2abd23

SHA256
676c270ecf7c8e949c11c8d81af9c6ebf3e73d8d0243cbd733c5f2dbd46a4248

SHA512
87c30cd7f6cee8f5ba5b1e7171148044d3f66897a60e776057c530444af88d60760237a78f2fb2d5bf57a9d3f445de2d75386e0ba49dbb5eb1b1b2a897f2cd7c

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_delsort.exe

Filesize
338KB

MD5
5a8cb08673d9afee6f439a3174ba390b

SHA1
ba80f81105d732c5bc836fb6a400bc5f7e6b4f10

SHA256
174cd39a74eb5f67a5b84b2a7ecb28d05a0028b5d435a0f1545aabfd5c0e5a1d

SHA512
9db9441f4a36be770c85862806cd51d502abddaa55bd104ab70b9cf5863198ea798a401b83d67389c11d751377aab5bcf3a382cbedac691d7689850ca073c1ea

Download Submit
memory/2212-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2212-28-0x0000000000400000-0x0000000000693000-memory.dmp

Filesize
2.6MB

Download
memory/2732-25-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2732-36-0x0000000000400000-0x0000000000693000-memory.dmp

Filesize
2.6MB

Download
memory/2732-37-0x0000000000400000-0x0000000000693000-memory.dmp

Filesize
2.6MB

Download
memory/2732-38-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2732-39-0x0000000000400000-0x0000000000693000-memory.dmp

Filesize
2.6MB

Download
memory/2732-44-0x0000000000400000-0x0000000000693000-memory.dmp

Filesize
2.6MB

Download
memory/2732-70-0x0000000000400000-0x0000000000693000-memory.dmp

Filesize
2.6MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads