8cce2bf81d0b937fb5256b69b497435b05ea9a4cf34f570592267897782d2d2b

General

Target

winer/Winner_Free.exe
Size

6.3MB
MD5

babd90df8276efdedb7a0510d6d6e8aa
SHA1

9a43619fea06385a32a8bda7f125c834b7824f0a
SHA256

925840c7fa54b3bd5f8df5ed843d6872e30c95b423b10dedf6c6f56ec92dec7a
SHA512

7b703f1006f0a67184e95072eb14f5c24161e45ad134e690fc4b25640798e6ecd966d14c736f5782e5efd4d604a34bc89805257250cd80ba9bae30715df9e159
SSDEEP

98304:xnsmtk2aPV6s5YTnGUIcNAYDtYsvs6zqVXoQW07XlOVZ+dHXn8RXHhxBh7ZM5DBW:NLiV6s5XUxNAotvsjoQhLGQHuXrEBW

Score

7^/10

persistence vmprotect

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	Winner_Free.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 3 IoCs

pid	Process
3420	._cache_Winner_Free.exe
4476	Synaptics.exe
2356	._cache_Synaptics.exe

VMProtect packed file 10 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x00060000000231fe-8.dat	vmprotect
behavioral2/files/0x00060000000231fe-35.dat	vmprotect
behavioral2/memory/3420-132-0x0000000000B50000-0x0000000001451000-memory.dmp	vmprotect
behavioral2/memory/3420-134-0x0000000000B50000-0x0000000001451000-memory.dmp	vmprotect
behavioral2/memory/3420-136-0x0000000000B50000-0x0000000001451000-memory.dmp	vmprotect
behavioral2/memory/2356-145-0x0000000000BB0000-0x00000000014B1000-memory.dmp	vmprotect
behavioral2/memory/2356-149-0x0000000000BB0000-0x00000000014B1000-memory.dmp	vmprotect
behavioral2/memory/2356-148-0x0000000000BB0000-0x00000000014B1000-memory.dmp	vmprotect
behavioral2/memory/2356-164-0x0000000000BB0000-0x00000000014B1000-memory.dmp	vmprotect
behavioral2/memory/3420-163-0x0000000000B50000-0x0000000001451000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Process not Found

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3420	._cache_Winner_Free.exe
2356	._cache_Synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Winner_Free.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\Local Settings	._cache_Winner_Free.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\Local Settings	._cache_Synaptics.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3420	._cache_Winner_Free.exe
3420	._cache_Winner_Free.exe
3420	._cache_Winner_Free.exe
3420	._cache_Winner_Free.exe
3420	._cache_Winner_Free.exe
3420	._cache_Winner_Free.exe
2356	._cache_Synaptics.exe
2356	._cache_Synaptics.exe
2356	._cache_Synaptics.exe
2356	._cache_Synaptics.exe
2356	._cache_Synaptics.exe
2356	._cache_Synaptics.exe
3420	._cache_Winner_Free.exe
3420	._cache_Winner_Free.exe
2356	._cache_Synaptics.exe
2356	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1224	OpenWith.exe
404	OpenWith.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 3420	1060	Process not Found	93
PID 1060 wrote to memory of 3420	1060	Process not Found	93
PID 1060 wrote to memory of 3420	1060	Process not Found	93
PID 1060 wrote to memory of 4476	1060	Process not Found	95
PID 1060 wrote to memory of 4476	1060	Process not Found	95
PID 1060 wrote to memory of 4476	1060	Process not Found	95
PID 3420 wrote to memory of 2536	3420	._cache_Winner_Free.exe	97
PID 3420 wrote to memory of 2536	3420	._cache_Winner_Free.exe	97
PID 3420 wrote to memory of 2536	3420	._cache_Winner_Free.exe	97
PID 4476 wrote to memory of 2356	4476	Synaptics.exe	98
PID 4476 wrote to memory of 2356	4476	Synaptics.exe	98
PID 4476 wrote to memory of 2356	4476	Synaptics.exe	98
PID 2356 wrote to memory of 1588	2356	._cache_Synaptics.exe	100
PID 2356 wrote to memory of 1588	2356	._cache_Synaptics.exe	100
PID 2356 wrote to memory of 1588	2356	._cache_Synaptics.exe	100

C:\Users\Admin\AppData\Local\Temp\winer\Winner_Free.exe
"C:\Users\Admin\AppData\Local\Temp\winer\Winner_Free.exe"
1⤵
- Checks computer location settings
- Modifies registry class
PID:1060
- C:\Users\Admin\AppData\Local\Temp\winer\._cache_Winner_Free.exe
  "C:\Users\Admin\AppData\Local\Temp\winer\._cache_Winner_Free.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c title 20w76030r3llW7912xOqi8xpkJV04vKvbot8m2P8WEYG8oJ9F12M884Vv2rV
    3⤵
    PID:2536
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Users\Admin\AppData\Local\Temp\winer\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\winer\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c title hN65Q4Ib1x07yb01902oGd53HBVF0E8nEE7QjA59qvoaGDQXF4UjinQ7AtU0
      4⤵
      PID:1588

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1224

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
5.9MB

MD5
e6573205dcd566d5b237ee338ffca7ac

SHA1
cf03e35e6f00cbe4d3ce486f02a1b02f2fb452cb

SHA256
1ab2a474ffe834014724c03897d21671960dbb605b2aaae66a6d8255f0bd2efa

SHA512
55d5ddd111c948a35a3fb266024ff893a1eb9e65005ced4129be86fa92f23faba85246973d1c2addbd8f8884e0f1d21b904e0a5a88969bfad0a8cede87782fdb

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
6.3MB

MD5
babd90df8276efdedb7a0510d6d6e8aa

SHA1
9a43619fea06385a32a8bda7f125c834b7824f0a

SHA256
925840c7fa54b3bd5f8df5ed843d6872e30c95b423b10dedf6c6f56ec92dec7a

SHA512
7b703f1006f0a67184e95072eb14f5c24161e45ad134e690fc4b25640798e6ecd966d14c736f5782e5efd4d604a34bc89805257250cd80ba9bae30715df9e159

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5AA3E3031017589228632D3AF69D1A61

Filesize
503B

MD5
6beea5dd50cd1571a4a40185aec8ecb3

SHA1
7caa8db3160870a20851b1528439d7f45bf78cc2

SHA256
68678e8affbaf8a0649996bce081ce3c583f3f480afd407c78e1aa739cffba50

SHA512
516a232aeebc1fba652fbde256d041d2e810c0c9e6380a4e59951957565bab415332d3157b4b7a8a0a07440dc3f390b7a6f14e6b128349fadc9b857792265857

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
d7639dac6b130a6c433c7d1bad896dae

SHA1
f0cdceaa6db132500b0d6fd9484325e48ec74386

SHA256
6f088c014e9dd2a239f9a06b76c6121a92fa13ab4f79c4d3d90a1ce4b1645439

SHA512
556151957496be67b479587486951db767bcdfa5b86b763f94670f8520fd9adeba66de76be17a63d7d433b153061a7b7491b1e2976a3b5d43e88ef2b19fc490a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5AA3E3031017589228632D3AF69D1A61

Filesize
548B

MD5
ea935865bdbc8e0edd551f2d3d0590ac

SHA1
d7e0d73ba4431425cdb2fd786b1bcc9359b5f8e2

SHA256
7b59ad1ab64c4bd056ab798eb862af24107f13f1cefd38e221c0b1a1f6987ff8

SHA512
dbda38f79ca99a26c87db505214fa4de7f32b9d7727ecef91d6ff27f9d17295fbd5d4a4bccf81ec3a49e0b7f68fa67d7106c0e86a90ea3e0df9deeaffda7029e

Download Submit
C:\Users\Admin\AppData\Local\Temp\winer\._cache_Winner_Free.exe

Filesize
5.0MB

MD5
f39708e1ca3d6c99cb134e04c93e0253

SHA1
98352b665ff3f8f1d23fe18344e6a8c701c0bf88

SHA256
8d4d04b5a75242bd2ad2133a51a9c76cb26ef39291b8510ed062fd651ee8fc2d

SHA512
405132fedae46b910fccb96c7726c576ce3b33c50809573040bda6064429e1ca56efb624149cee0ce46d86c3f620de8d33d8e5347b734715a5d0ea49f33ea9da

Download Submit
C:\Users\Admin\AppData\Local\Temp\winer\._cache_Winner_Free.exe

Filesize
5.6MB

MD5
a8133b3fdf3ec104c0f0d503ef6a7ec7

SHA1
d875876bd027a59b9157a45df00a24ccd505ed20

SHA256
c3429972cc6d611fa4f940f89624658e3aadc85a681bdcd5adce9bdc6c6d3072

SHA512
2734304de246490ff8d3ab0487838afc6cc2abb7cfbc0404860cbb395ba69887c33b802a08d32f8ccd2c6e341e4b5062c3aa27b3de2f4bba3c542d984e4721b1

Download Submit
memory/1060-0-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/1060-1-0x0000000000400000-0x0000000000A51000-memory.dmp

Filesize
6.3MB

Download
memory/1060-103-0x0000000000400000-0x0000000000A51000-memory.dmp

Filesize
6.3MB

Download
memory/2356-146-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/2356-164-0x0000000000BB0000-0x00000000014B1000-memory.dmp

Filesize
9.0MB

Download
memory/2356-145-0x0000000000BB0000-0x00000000014B1000-memory.dmp

Filesize
9.0MB

Download
memory/2356-148-0x0000000000BB0000-0x00000000014B1000-memory.dmp

Filesize
9.0MB

Download
memory/2356-147-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/2356-149-0x0000000000BB0000-0x00000000014B1000-memory.dmp

Filesize
9.0MB

Download
memory/3420-134-0x0000000000B50000-0x0000000001451000-memory.dmp

Filesize
9.0MB

Download
memory/3420-135-0x0000000001820000-0x0000000001821000-memory.dmp

Filesize
4KB

Download
memory/3420-133-0x0000000001810000-0x0000000001811000-memory.dmp

Filesize
4KB

Download
memory/3420-132-0x0000000000B50000-0x0000000001451000-memory.dmp

Filesize
9.0MB

Download
memory/3420-136-0x0000000000B50000-0x0000000001451000-memory.dmp

Filesize
9.0MB

Download
memory/3420-163-0x0000000000B50000-0x0000000001451000-memory.dmp

Filesize
9.0MB

Download
memory/4476-151-0x0000000000400000-0x0000000000A51000-memory.dmp

Filesize
6.3MB

Download
memory/4476-105-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/4476-162-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/4476-165-0x0000000000400000-0x0000000000A51000-memory.dmp

Filesize
6.3MB

Download
memory/4476-174-0x0000000000400000-0x0000000000A51000-memory.dmp

Filesize
6.3MB

Download
memory/4476-187-0x0000000000400000-0x0000000000A51000-memory.dmp

Filesize
6.3MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads