041efa3f3ef6a59bcc3f3646e9a272daa8e9676eed4a6b4e2142105c867371a8

Resubmissions

29-11-2024 09:15

241129-k761maxlgw 10

29-12-2023 20:41

231229-zgm76ahgc4 7

Analysis

max time kernel
142s
max time network
144s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-12-2023 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mwVGb4WU.exe
Size

753KB
MD5

555fbf1135687a8cf1d630baaa6e171b
SHA1

5bc6237d0e04747b593ef279e198a48b2dc1f763
SHA256

83201d85f85f870c65c3e40e712313fb3764cab64691fcd60a2a466019b2c4fa
SHA512

ffffc24d789b6656a8cdf892369cc5534d4cd7df4dc41d52c9e57f643082b97cef89f95d919bfcc53568b6805e184f02ee9da227861791c1de632e3869c516c0
SSDEEP

12288:aMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Ilr:ansJ39LyjbJkQFMhmC+6GD9K

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Synaptics.exe

pid	Process
2308	Synaptics.exe

Loads dropped DLL 2 IoCs

Processes:

mwVGb4WU.exe

pid	Process
1584	mwVGb4WU.exe
1584	mwVGb4WU.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

mwVGb4WU.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	mwVGb4WU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

mwVGb4WU.exe

description	pid	Process	procid_target
PID 1584 wrote to memory of 2308	1584	mwVGb4WU.exe	28
PID 1584 wrote to memory of 2308	1584	mwVGb4WU.exe	28
PID 1584 wrote to memory of 2308	1584	mwVGb4WU.exe	28
PID 1584 wrote to memory of 2308	1584	mwVGb4WU.exe	28

C:\Users\Admin\AppData\Local\Temp\mwVGb4WU.exe
"C:\Users\Admin\AppData\Local\Temp\mwVGb4WU.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1584
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
80KB

MD5
346adb9e02ed5b26155696794bde73b7

SHA1
b05b9e7d0d4817058fcf0cbc37b3423eeb264aba

SHA256
74a0e4b668c5905d92dd625e9b138515603d49e25d16f9da8b31b451d46f6259

SHA512
1e6630248b7abc379bc066c17c7aa94d56fa4b2e9254bec86580477b09f5706d4c2b05e6612d6b69e7135aeb740196161dea034fc6273d7c6fdd67aaf700aac9

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
753KB

MD5
555fbf1135687a8cf1d630baaa6e171b

SHA1
5bc6237d0e04747b593ef279e198a48b2dc1f763

SHA256
83201d85f85f870c65c3e40e712313fb3764cab64691fcd60a2a466019b2c4fa

SHA512
ffffc24d789b6656a8cdf892369cc5534d4cd7df4dc41d52c9e57f643082b97cef89f95d919bfcc53568b6805e184f02ee9da227861791c1de632e3869c516c0

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
680KB

MD5
0aa98b6193bde4920370900e232e29d2

SHA1
fe2ba32d4c1bee2f2e45898d04f9deedae7c058a

SHA256
c6830cb8b605747eef2373bca6a0cfb3b3403dedad1be33186cbf766c7095274

SHA512
1685748373efdba7d0ffac693ef4d82621cdbcd9bc20894091bca7e373977ac363764bd90588a115885ec805562ee3b3c149684e67815c1bf24b9b37f85a759a

Download Submit
memory/1584-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1584-14-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2308-15-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2308-16-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2308-18-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2308-22-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2308-47-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download