041efa3f3ef6a59bcc3f3646e9a272daa8e9676eed4a6b4e2142105c867371a8

Resubmissions

29-11-2024 09:15

241129-k761maxlgw 10

29-12-2023 20:41

231229-zgm76ahgc4 7

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mwVGb4WU.exe
Size

753KB
MD5

555fbf1135687a8cf1d630baaa6e171b
SHA1

5bc6237d0e04747b593ef279e198a48b2dc1f763
SHA256

83201d85f85f870c65c3e40e712313fb3764cab64691fcd60a2a466019b2c4fa
SHA512

ffffc24d789b6656a8cdf892369cc5534d4cd7df4dc41d52c9e57f643082b97cef89f95d919bfcc53568b6805e184f02ee9da227861791c1de632e3869c516c0
SSDEEP

12288:aMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Ilr:ansJ39LyjbJkQFMhmC+6GD9K

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	mwVGb4WU.exe

Executes dropped EXE 1 IoCs

pid	Process
1228	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	mwVGb4WU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	mwVGb4WU.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 1228	408	mwVGb4WU.exe	91
PID 408 wrote to memory of 1228	408	mwVGb4WU.exe	91
PID 408 wrote to memory of 1228	408	mwVGb4WU.exe	91

C:\Users\Admin\AppData\Local\Temp\mwVGb4WU.exe
"C:\Users\Admin\AppData\Local\Temp\mwVGb4WU.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:408
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  PID:1228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
753KB

MD5
555fbf1135687a8cf1d630baaa6e171b

SHA1
5bc6237d0e04747b593ef279e198a48b2dc1f763

SHA256
83201d85f85f870c65c3e40e712313fb3764cab64691fcd60a2a466019b2c4fa

SHA512
ffffc24d789b6656a8cdf892369cc5534d4cd7df4dc41d52c9e57f643082b97cef89f95d919bfcc53568b6805e184f02ee9da227861791c1de632e3869c516c0

Download Submit
memory/408-0-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/408-64-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1228-65-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/1228-66-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1228-68-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/1228-72-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1228-88-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads