7b35b77b3a955e72ffb5beadec92e06345aa719661cd2e3fe9ab283594fd5951

Resubmissions

29-11-2024 09:09

241129-k4hhvsxjh1 10

31-12-2023 13:32

231231-qs5rxaceer 7

Analysis

max time kernel
146s
max time network
141s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81351025614fa49877fe720b29232748.exe
Size

1.0MB
MD5

81351025614fa49877fe720b29232748
SHA1

562d461be71f9a6174b4aa4ea6b7ea11cc7882b4
SHA256

7b35b77b3a955e72ffb5beadec92e06345aa719661cd2e3fe9ab283594fd5951
SHA512

8e4e42352ff3e07db7cfdd7b80ed428b3cbd649d756f6e6565d5bcb6a3c2d2f0b5b72280e0c6800463cb4d7b1789362b497ff5307d0af254cdba0e9ec47cad75
SSDEEP

12288:GMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9BL+AUbA1w/6xZZUD0X4k+:GnsJ39LyjbJkQFMhmC+6GD9ReSfZUAX8

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2148	._cache_81351025614fa49877fe720b29232748.exe
2764	Synaptics.exe
2564	._cache_Synaptics.exe

Loads dropped DLL 14 IoCs

pid	Process
1864	81351025614fa49877fe720b29232748.exe
1864	81351025614fa49877fe720b29232748.exe
1864	81351025614fa49877fe720b29232748.exe
1864	81351025614fa49877fe720b29232748.exe
2764	Synaptics.exe
2764	Synaptics.exe
2764	Synaptics.exe
1552	WerFault.exe
1552	WerFault.exe
1552	WerFault.exe
1552	WerFault.exe
1552	WerFault.exe
1552	WerFault.exe
1552	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	81351025614fa49877fe720b29232748.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1552	2564	WerFault.exe	30

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 2148	1864	81351025614fa49877fe720b29232748.exe	28
PID 1864 wrote to memory of 2148	1864	81351025614fa49877fe720b29232748.exe	28
PID 1864 wrote to memory of 2148	1864	81351025614fa49877fe720b29232748.exe	28
PID 1864 wrote to memory of 2148	1864	81351025614fa49877fe720b29232748.exe	28
PID 1864 wrote to memory of 2764	1864	81351025614fa49877fe720b29232748.exe	29
PID 1864 wrote to memory of 2764	1864	81351025614fa49877fe720b29232748.exe	29
PID 1864 wrote to memory of 2764	1864	81351025614fa49877fe720b29232748.exe	29
PID 1864 wrote to memory of 2764	1864	81351025614fa49877fe720b29232748.exe	29
PID 2764 wrote to memory of 2564	2764	Synaptics.exe	30
PID 2764 wrote to memory of 2564	2764	Synaptics.exe	30
PID 2764 wrote to memory of 2564	2764	Synaptics.exe	30
PID 2764 wrote to memory of 2564	2764	Synaptics.exe	30
PID 2564 wrote to memory of 1552	2564	._cache_Synaptics.exe	35
PID 2564 wrote to memory of 1552	2564	._cache_Synaptics.exe	35
PID 2564 wrote to memory of 1552	2564	._cache_Synaptics.exe	35
PID 2564 wrote to memory of 1552	2564	._cache_Synaptics.exe	35

C:\Users\Admin\AppData\Local\Temp\81351025614fa49877fe720b29232748.exe
"C:\Users\Admin\AppData\Local\Temp\81351025614fa49877fe720b29232748.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Users\Admin\AppData\Local\Temp\._cache_81351025614fa49877fe720b29232748.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_81351025614fa49877fe720b29232748.exe"
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 356
      4⤵
      Loads dropped DLL
      Program crash
      PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
121KB

MD5
8c150da6d3f7dd9c5bc2a020865192c4

SHA1
3c382a2a631264ae586e93f16d907680a15f9dd1

SHA256
55583e7ea02ad9f7fa6c2c5bfcc532b4644aa71a120a47beb71a7dfe23e2bbe8

SHA512
ffe07887648c6426afcdac7d648ee6c56cd3d214edad5e1c937e18118e5e40e7e43556f0b71c5a8abe6bd0d0df1288903e88ad34b53b29c04c53c35e5f12a92a

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
15KB

MD5
138bbaa2c07c252b877e50b9ec8874f1

SHA1
167ddf5cdd0d6d1acf9bff8c68cd4bf3a05a1501

SHA256
ae5d0742253f8003a1cd372e16ea6854aae6cefa35ca5984e110b45fabadaf71

SHA512
9c416a7a26e6ad8167fcaf3e5a3444fa6d23413ba4b5dd0fc4ea5ba260a80da77f53a8c4d0e5dbd9ae30f15e42a1ecd74655a4f01a996c431dc6bfe014810c3f

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
79KB

MD5
5939106129b2fbcc7c2d94cf2b8a905f

SHA1
b9b8ba962c02866ff0b5c2ff529980efe403ff7f

SHA256
9594fd0e1fd84ccf9cef200c6ff578e015fdd16c1e8442c604fe39b14422ce7d

SHA512
c0dcbf4dc44055516a8aef00182641b6e358ab6b8e8d1ceebf007f4eab05756d9f3e0c99b26eb4cacca5ccc382cee04ae9c9fd39ff65276eda90775373882bd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_81351025614fa49877fe720b29232748.exe

Filesize
81KB

MD5
c132a266d9bfb3e8da7339ea82168d71

SHA1
95dcdb41acf85574f7fb3a24eeb3ad1f5ad2a3d1

SHA256
b86d4b7e88ac9b1fa7eb65216b37197d52c7737cbd8b42aabe28f5ae931652e4

SHA512
be2e50773718315e2aaa1b5af2b7826f2ce3cf235d7e8ad728e1b3da78742743203c79ec1f7ec652999da5c88cc936c039f62ed1eb5aef0179dd79e4ce525b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_81351025614fa49877fe720b29232748.exe

Filesize
91KB

MD5
dfbbdbdfc332fdc90066afd8a1a42740

SHA1
5254296f0fb48bdc9a53041bdbefe727330c4f13

SHA256
e8882e40e375a30fb0185c92863264e65f67acccc54c80d3866aa5e4ded8143c

SHA512
99eb5cdb61133429f31be509a06d9c7f11dc70201f60d68a13b4d72e90da1cc3bac59d2be5d6be7218f5602c9470179864da3761f10854b0daa5874660e94935

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
45KB

MD5
36c97cb264ecf65c45055545ad0e876f

SHA1
3992f95898230155bf1af4b9c75407a6f47e86f4

SHA256
b794aa5c5cff288780d7b4ac8f3854a13ca43a8912519a9bee6c3b70c30f53ca

SHA512
7004828859d9365cf820b63c968006e0d260034451489a6e507ebaa81f5dac9853fee30e31632c4ee65b58d1f960ba31f0fba6207537c8f67e2029e66890b25b

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
9KB

MD5
62f650eaf5737b6b40aad7697c333de9

SHA1
cbdb8e8e71d2fb4f0a4db04f901c11c83bc4da56

SHA256
ddd319fe44188ab007bff1e0bee0af59e8ba4860fb8ae903593a4bbb27644f27

SHA512
d0d1b53e8fc71813f510253c13dafb45e3873d05d669c5da1595060204db019d1ad42b76bb5d35d3cff4c11234f4b1d670e6f86e932a41fdd5bec937f8c7bc2e

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
42KB

MD5
5d2f5fa8d8d79963192aba75e7cad566

SHA1
ef4bb72aebab0732d7df76ca83dc6e189a5f4746

SHA256
8a73ebc194ce098fcfb8bbab8de3d5ab71776b5833601882053171431a17af99

SHA512
ea05b00526a5e95d2957ef68696bfb1ed824ca62d95b220aebfdd48870251fa76f2603ece08b1e3da70bdb9f20276add8670dec824468e45312a75da0e340331

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
72KB

MD5
f88684b0356017094f8a676e6050fc77

SHA1
b54ce3c074a22ecb3b8e981e91e22577795dfedb

SHA256
2b96b5e9dbe2feca77f7d3f921db9088ddafc44063e2f64d40e9ecad6bd41ec9

SHA512
27755e081411b3e046fc4b4f42f0c501ba9ee7bfe70b7cf4de69f0ee15ff3e5860d3c1b11759034f92455e60e28128f13d9b60e3ccaa03cbc20365a365000f20

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_81351025614fa49877fe720b29232748.exe

Filesize
61KB

MD5
ccfd0ecc3139aa9c879c1328380e5321

SHA1
8f984b05b30726952632e6068355adaf839e11df

SHA256
17225a2946120a7e5a76b3234ac58f41c00f1346e6b197dddb47139019ec2011

SHA512
98b4528e527165a54808c0e8e77e6d2284bb64e80de3816670f5f24251aa31e0421cb759f08e7fe691514d3c1f6f4f9021b1eabcef2ba90a4920d5c3e167141a

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_81351025614fa49877fe720b29232748.exe

Filesize
111KB

MD5
6605296f5a870a66b2c273f7c6cadf5c

SHA1
7e2aaa958146954cded6b22c3adf6cd884e475f3

SHA256
292018cba5bc60f08e231a34991259e779775c21adef226aef1ff8ccb358f5ee

SHA512
8e78707be31177f3c50c8d07c051d522786add605de227ffff8d0b96e41f3d770f7a3bc5134588efac71f5f43dae0c5c667e148541442af073f8baa61bd51fd8

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
86KB

MD5
239dae7f08f8ae2754550f11285ad6d3

SHA1
a9ed3120711d4ba3b4b7a0faa3ee88a66ffec22b

SHA256
af6e2dd3c859da8841e1ae8936a51d66c0c0fbea700a319ba70c107ea767ba42

SHA512
593cff1d1afdc19cb451417010a67607aa7d991043d69308084a638c8176e016585cdbc937fdad4ce9bed960ca4809926fba89de71805affc9e782a194aa92c6

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
57KB

MD5
d38960979cb6f77a030b2886201ccc8d

SHA1
e9f46dc30b779622e256d0c507c403277b32980e

SHA256
bf7e26bc97c7c488aa451a2e827b8e2b633c993af96cb90385a6cea79e49afeb

SHA512
81e22881b714d9a336ab334b8ab11039f463c5b959f832c85af8c9199c479e6eff1dda69c50da424e4b7267845767883d9d973e3ef32e14cb7822003d2734858

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
301KB

MD5
c8d0166f0514b28771d173bfa7f0a5b5

SHA1
a665d8586b00b924159a9cada82cfd48a4dead31

SHA256
132317183d6356e3d4a9d8c7f237d60ca0356587f03a18fdb7178a11e7c24de8

SHA512
59d4ad9c5758d23afdad48314a2f62017eb582e2a892611fc65c2d074880c93bdfa95f38af4e21258dff4c664faa0b5943e81edcf2fbcc1278eca294688b2bb8

Download Submit
memory/1864-28-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1864-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2764-42-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2764-43-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2764-44-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2764-45-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2764-49-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2764-75-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2764-29-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads