c3d08da4de1efa0d5aeda92e1a6a414f5a1b6155a15487c6a14e3eead20a3e41

Resubmissions

29-11-2024 09:09

241129-k4l62sxkax 10

31-12-2023 13:14

231231-qgt62aghen 7

Analysis

max time kernel
161s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

378934719d9eaaccb26897d7ec92828b.exe
Size

1.5MB
MD5

378934719d9eaaccb26897d7ec92828b
SHA1

90b1c3843c3c52d745009742b8b11155482aad26
SHA256

c3d08da4de1efa0d5aeda92e1a6a414f5a1b6155a15487c6a14e3eead20a3e41
SHA512

fd8c1cc2c866224947cf1b9d662eb36884790a33cd23e5843b700c3b71df44af55b76cde0ad66f3834c7129a8cc47770ce88b84f62d755a791981953e8774fec
SSDEEP

24576:ensJ39LyjbJkQFMhmC+6GD9cwTwVsCAIr8Blu/GdbsmPLWRP9GVbDGghUeEMl:ensHyjtk2MYC5GDhqAIr8/ZAlP9GVn5l

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	378934719d9eaaccb26897d7ec92828b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 3 IoCs

pid	Process
4264	._cache_378934719d9eaaccb26897d7ec92828b.exe
3760	Synaptics.exe
5060	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	378934719d9eaaccb26897d7ec92828b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	378934719d9eaaccb26897d7ec92828b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2716	EXCEL.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2716	EXCEL.EXE
2716	EXCEL.EXE
2716	EXCEL.EXE
2716	EXCEL.EXE
2716	EXCEL.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 4264	2448	378934719d9eaaccb26897d7ec92828b.exe	91
PID 2448 wrote to memory of 4264	2448	378934719d9eaaccb26897d7ec92828b.exe	91
PID 2448 wrote to memory of 4264	2448	378934719d9eaaccb26897d7ec92828b.exe	91
PID 2448 wrote to memory of 3760	2448	378934719d9eaaccb26897d7ec92828b.exe	93
PID 2448 wrote to memory of 3760	2448	378934719d9eaaccb26897d7ec92828b.exe	93
PID 2448 wrote to memory of 3760	2448	378934719d9eaaccb26897d7ec92828b.exe	93
PID 3760 wrote to memory of 5060	3760	Synaptics.exe	94
PID 3760 wrote to memory of 5060	3760	Synaptics.exe	94
PID 3760 wrote to memory of 5060	3760	Synaptics.exe	94

C:\Users\Admin\AppData\Local\Temp\378934719d9eaaccb26897d7ec92828b.exe
"C:\Users\Admin\AppData\Local\Temp\378934719d9eaaccb26897d7ec92828b.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Users\Admin\AppData\Local\Temp\._cache_378934719d9eaaccb26897d7ec92828b.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_378934719d9eaaccb26897d7ec92828b.exe"
  2⤵
  - Executes dropped EXE
  PID:4264
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3760
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:5060

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.0MB

MD5
7dd54b09ec822a04ed399623265175f1

SHA1
6c6151c5f8212da0af5cf3ceff0a9a7685f8899f

SHA256
8d4d053bf537d8aea93c0dd88d2c20e53535b08831b1ec97622aba2547c2f0fa

SHA512
d143e3fd7239559347730fc65f8a97610e1b7b0005f794d6b18ac796d787ff6f88b8d5f3bc61447ec6c9c865ab665f2621228d03ea44258679101aa66d0b8510

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.2MB

MD5
91fbfaaedbb5b9fede6dd50e76f00abe

SHA1
fda7e0bf814cbc1e4939c51b86cdc71e9578b245

SHA256
53fbd7d62d7e477ff6373a19049c9aaef0be7b0069053323dffb3d6b77a9a595

SHA512
8e3bac133f99e651d31064e799de5ef196b4922e4f0968555847bd7fa946d6aae9fae23fc030dc4bf2bca1e88aa72f3784967dc18bdf4117715febcf5f11e8d5

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
628KB

MD5
912447f44205d0d724316890d2ad3374

SHA1
c99fa4cd027ef0f30d6c0b6555e448f58ef11786

SHA256
bd6255599e6fb0dd3ec3d9f2f53bed60b4e5e79f3c2dc1cc14f7594616fe5117

SHA512
7bc1e9a8f1db072636ed61389577286fda9db1ec95d8a44836fab13fed8a7c079835bc4eef45b6c819d4232e9ed7611da1dea2b6ef673caf10ee84be9856489e

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_378934719d9eaaccb26897d7ec92828b.exe

Filesize
773KB

MD5
b75ec941384801dbf33e2fe5433929d7

SHA1
dbb874aa5878debb406178f88fc75c473eeaf76b

SHA256
5f94bd3c5a705883e93c2a8fa527e8ad88e3c32525b3cf98f01aef094c301137

SHA512
5c886d2dfdc73aecbdf8496921d9f05df22045c6573f769fff029d6f410c02490a50060f48479267f1044a1c9070e2af299e9300d31eec5c20bd61e035ddb600

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_378934719d9eaaccb26897d7ec92828b.exe

Filesize
140KB

MD5
0eb1eb66dc2336ae18005aa3e18b1c25

SHA1
4fac1d33d1404bdbe6214c27e7297d824a1c661d

SHA256
a5cb7f7e1903a5a6f74be8bf41148db90f5810d77398c9cd5331346b06ca0cf5

SHA512
460cafc6d2893387d3467b61dff35d5fba37a5de231b0d35baf913226d4d1aa4f5cbc65b1d04f1a38bbe6ed9dc44220ca1ac90dd516bbe93bef782ebbedf4b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_378934719d9eaaccb26897d7ec92828b.exe

Filesize
442KB

MD5
3b5c2198d3abe764d4a5f8a1b7a0538a

SHA1
8ea8a98b0e81c221754b57b88840a5af515e39b6

SHA256
6e00991335dadee0d7bc84d05a21322f5587576cebef2897f0c85700b397ca67

SHA512
a8234562c08deef470c2afead536c0799e1ae7ae3140444017f6726ba6c7fcea8b0c16130434a2ba025543c455445aba19b9c2806333e253b9141acc5cd9562c

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
121KB

MD5
ccd921a6a8b2479cd9fd5e1ba908fe8b

SHA1
b768b37a664fecd74e787dbfd4c1f1819ce0e175

SHA256
ff9996d95b608167c66d4bfda40bda27ee2bdf810512a4d1b6bd41a2ef07a78a

SHA512
0c8c20b2ea731328e951c30738e69d291c68dc078454ba6bcabad451d3ffa1befa7b64266ccd9c0b70b12094ebe06308bda50045db0bc944de8610e2e35d65b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
84KB

MD5
3a01fb7cd2386be698f1995faeba9356

SHA1
532b8ba507868a5c4ba4166cabf0007687528fc4

SHA256
50d45539005509985de8874d2af0967d8ad49fe3d680ee67949116572ac2ec92

SHA512
304b704240704e521bee1b7384e2f8f67c58c78cdb5fbd2675a02c478674cd1cb32bc90ee1afaf785a36428ff52d36e6aaa31ebc7ba8e1b8b272b0d49af478dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYw2Tymb.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
memory/2448-0-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/2448-101-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2716-147-0x00007FF9C78F0000-0x00007FF9C7AE5000-memory.dmp

Filesize
2.0MB

Download
memory/2716-148-0x00007FF9C78F0000-0x00007FF9C7AE5000-memory.dmp

Filesize
2.0MB

Download
memory/2716-141-0x00007FF9C78F0000-0x00007FF9C7AE5000-memory.dmp

Filesize
2.0MB

Download
memory/2716-140-0x00007FF987970000-0x00007FF987980000-memory.dmp

Filesize
64KB

Download
memory/2716-143-0x00007FF9C78F0000-0x00007FF9C7AE5000-memory.dmp

Filesize
2.0MB

Download
memory/2716-136-0x00007FF987970000-0x00007FF987980000-memory.dmp

Filesize
64KB

Download
memory/2716-146-0x00007FF9C78F0000-0x00007FF9C7AE5000-memory.dmp

Filesize
2.0MB

Download
memory/2716-145-0x00007FF9C78F0000-0x00007FF9C7AE5000-memory.dmp

Filesize
2.0MB

Download
memory/2716-144-0x00007FF987970000-0x00007FF987980000-memory.dmp

Filesize
64KB

Download
memory/2716-149-0x00007FF9C78F0000-0x00007FF9C7AE5000-memory.dmp

Filesize
2.0MB

Download
memory/2716-150-0x00007FF985520000-0x00007FF985530000-memory.dmp

Filesize
64KB

Download
memory/2716-139-0x00007FF9C78F0000-0x00007FF9C7AE5000-memory.dmp

Filesize
2.0MB

Download
memory/2716-142-0x00007FF987970000-0x00007FF987980000-memory.dmp

Filesize
64KB

Download
memory/2716-138-0x00007FF987970000-0x00007FF987980000-memory.dmp

Filesize
64KB

Download
memory/2716-137-0x00007FF9C78F0000-0x00007FF9C7AE5000-memory.dmp

Filesize
2.0MB

Download
memory/2716-151-0x00007FF985520000-0x00007FF985530000-memory.dmp

Filesize
64KB

Download
memory/2716-173-0x00007FF9C78F0000-0x00007FF9C7AE5000-memory.dmp

Filesize
2.0MB

Download
memory/2716-172-0x00007FF9C78F0000-0x00007FF9C7AE5000-memory.dmp

Filesize
2.0MB

Download
memory/3760-171-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/3760-166-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/3760-102-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/3760-195-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads