c3d08da4de1efa0d5aeda92e1a6a414f5a1b6155a15487c6a14e3eead20a3e41

General

Target

378934719d9eaaccb26897d7ec92828b.exe
Size

1.5MB
MD5

378934719d9eaaccb26897d7ec92828b
SHA1

90b1c3843c3c52d745009742b8b11155482aad26
SHA256

c3d08da4de1efa0d5aeda92e1a6a414f5a1b6155a15487c6a14e3eead20a3e41
SHA512

fd8c1cc2c866224947cf1b9d662eb36884790a33cd23e5843b700c3b71df44af55b76cde0ad66f3834c7129a8cc47770ce88b84f62d755a791981953e8774fec
SSDEEP

24576:ensJ39LyjbJkQFMhmC+6GD9cwTwVsCAIr8Blu/GdbsmPLWRP9GVbDGghUeEMl:ensHyjtk2MYC5GDhqAIr8/ZAlP9GVn5l

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3004	._cache_378934719d9eaaccb26897d7ec92828b.exe
2812	Synaptics.exe
2724	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
2560	378934719d9eaaccb26897d7ec92828b.exe
2560	378934719d9eaaccb26897d7ec92828b.exe
2560	378934719d9eaaccb26897d7ec92828b.exe
2812	Synaptics.exe
2812	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	378934719d9eaaccb26897d7ec92828b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 3004	2560	378934719d9eaaccb26897d7ec92828b.exe	28
PID 2560 wrote to memory of 3004	2560	378934719d9eaaccb26897d7ec92828b.exe	28
PID 2560 wrote to memory of 3004	2560	378934719d9eaaccb26897d7ec92828b.exe	28
PID 2560 wrote to memory of 3004	2560	378934719d9eaaccb26897d7ec92828b.exe	28
PID 2560 wrote to memory of 2812	2560	378934719d9eaaccb26897d7ec92828b.exe	30
PID 2560 wrote to memory of 2812	2560	378934719d9eaaccb26897d7ec92828b.exe	30
PID 2560 wrote to memory of 2812	2560	378934719d9eaaccb26897d7ec92828b.exe	30
PID 2560 wrote to memory of 2812	2560	378934719d9eaaccb26897d7ec92828b.exe	30
PID 2812 wrote to memory of 2724	2812	Synaptics.exe	31
PID 2812 wrote to memory of 2724	2812	Synaptics.exe	31
PID 2812 wrote to memory of 2724	2812	Synaptics.exe	31
PID 2812 wrote to memory of 2724	2812	Synaptics.exe	31

C:\Users\Admin\AppData\Local\Temp\378934719d9eaaccb26897d7ec92828b.exe
"C:\Users\Admin\AppData\Local\Temp\378934719d9eaaccb26897d7ec92828b.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Users\Admin\AppData\Local\Temp\._cache_378934719d9eaaccb26897d7ec92828b.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_378934719d9eaaccb26897d7ec92828b.exe"
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
836KB

MD5
6c573f9a96f1af314d22bd973b2f6f2d

SHA1
2fe0344f9ea19aa27275251fda082092de9cfbe5

SHA256
c36f667b3e7406f4425317aed68d24d33750e7d38e280f318563d522e6bbe256

SHA512
2be8d09419f46464c5d203fc47bc77f0a1b2ec0abc2f9d992bf3a81097a5e16d312ff7305c56f16f0420150089ebf19528e2232ea323da4b466f55ead9c5bbcb

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
697KB

MD5
2e910f1b38fcc3ab371d1c968f89e28e

SHA1
cee3fb821c7615a53eecbad114d990e2efaff538

SHA256
acab6e0fe9def1d8ac9f17c8ceb9b96973ba6f65d639d37fcacdd04ffb9a86df

SHA512
2f19edfa04dee612e037a5c69a38d95161839206b627bb3c00d976d26a331d42fa85e5472e12e3711e8cd993e8b861e3994538b52a7b09b605b4c33802514158

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1011KB

MD5
f6b418c34f0b8cf91bf635f573239df4

SHA1
3e2d3b5b63ed224cecb7d75af5c814519415f856

SHA256
40f0f2c85453f9039265e462dc7fa24b40d6b129f3922667386e99980a4dd2b2

SHA512
b643da164c489db90e94792eb0781e1ccd78c16e14e7a2b41ddbcf4ee6dc85e98756aa08718f965380a5f6f3efa733e8e7aa72fc4f9e3d6b31f7098124a8f38f

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
626KB

MD5
bc2ab3b1768e04118ec8da31e6f21f0a

SHA1
de614701e71469e6c870e61217713569a6253659

SHA256
25017c1a332d974e38c878a7cc235f551bc90ba26fa550e579d393ae803954d6

SHA512
e61e52869c94ec20a472496c9eaa68a9b077f45d17b778335d1026017a3d9285c76390f0397d79e6e69761d73a11dff93b3d820a89a506f76d31e9d9b8ddcd30

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
686KB

MD5
f825c0bfd3361ff417b0f6b16636c6c3

SHA1
896b8943f8adf3d40bbf50c77cbdb72e1aaff0c1

SHA256
412e3890a235344d62de2b2cef5554e5356ae9375b3f42bf9569df9ccc824ae3

SHA512
a46574ecf5391129920c4e000aef73e78bffe3b5b6f0dd10f4ffdb6d451ebcbe46837483ab55f9923bebd787af991894d0ca2bbcb833d7ae52cb521cadbb2f2e

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
619KB

MD5
e8442910470e26506f81bd1d39292e42

SHA1
5adc738981c2e1230bca59a7e4b75ac48e5565d3

SHA256
49605bd3f85913355740b75c04d780ab75b2cae230b313cbd16fb997e712a7f0

SHA512
f4c7dce3ac844c86471ca55107fcdc5ca6e09512f7f2adc64c3f9d306f664b9d9a38e5419620ccad66b4551d3337caa555ff0a5842a850f70620a54037806003

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_378934719d9eaaccb26897d7ec92828b.exe

Filesize
773KB

MD5
b75ec941384801dbf33e2fe5433929d7

SHA1
dbb874aa5878debb406178f88fc75c473eeaf76b

SHA256
5f94bd3c5a705883e93c2a8fa527e8ad88e3c32525b3cf98f01aef094c301137

SHA512
5c886d2dfdc73aecbdf8496921d9f05df22045c6573f769fff029d6f410c02490a50060f48479267f1044a1c9070e2af299e9300d31eec5c20bd61e035ddb600

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
693KB

MD5
ecc065272c586e5c2c61639921d14f62

SHA1
0ed8ae0fc34ee5a93f73da10ed01b85f6404bd13

SHA256
2d622150ed56ee01970f23c97d9b2602f406d43bb112b5193f56f98aa8aab2e6

SHA512
2807f9309f2886864f4fa2628a8bd58eede31799c76c49698cd310644627eae04277c85e9aa1e3956e010ca8b80572791513aed48782f6bafaa39bfe66832870

Download Submit
memory/2560-25-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2560-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2812-28-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2812-36-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2812-38-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2812-43-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2812-68-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads