1f17b0bc9b27bdab616b3bba647daed7981ccb8a0017d34bd8abf3de0fa87172

General

Target

0a903623fe398009bfffb64a6a00f950N.exe
Size

758KB
MD5

0a903623fe398009bfffb64a6a00f950
SHA1

ab719aaf30cefaa53724be01da4478bd9d489401
SHA256

1f17b0bc9b27bdab616b3bba647daed7981ccb8a0017d34bd8abf3de0fa87172
SHA512

39ac8961650e329a262c24c2f67c0f6cec0dbd95bd3f1f1fe1175e21680321751006c8ff643b033f5f781c0b3f1011f3ebb766a1e822c86a9c13d1f267d2b009
SSDEEP

12288:yMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V98kj:ynsJ39LyjbJkQFMhmC+6GD93

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2348	._cache_0a903623fe398009bfffb64a6a00f950N.exe
1648	Synaptics.exe
2608	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
2504	0a903623fe398009bfffb64a6a00f950N.exe
2504	0a903623fe398009bfffb64a6a00f950N.exe
2504	0a903623fe398009bfffb64a6a00f950N.exe
1648	Synaptics.exe
1648	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	0a903623fe398009bfffb64a6a00f950N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a903623fe398009bfffb64a6a00f950N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_0a903623fe398009bfffb64a6a00f950N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
544	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
544	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2348	2504	0a903623fe398009bfffb64a6a00f950N.exe	31
PID 2504 wrote to memory of 2348	2504	0a903623fe398009bfffb64a6a00f950N.exe	31
PID 2504 wrote to memory of 2348	2504	0a903623fe398009bfffb64a6a00f950N.exe	31
PID 2504 wrote to memory of 2348	2504	0a903623fe398009bfffb64a6a00f950N.exe	31
PID 2504 wrote to memory of 1648	2504	0a903623fe398009bfffb64a6a00f950N.exe	33
PID 2504 wrote to memory of 1648	2504	0a903623fe398009bfffb64a6a00f950N.exe	33
PID 2504 wrote to memory of 1648	2504	0a903623fe398009bfffb64a6a00f950N.exe	33
PID 2504 wrote to memory of 1648	2504	0a903623fe398009bfffb64a6a00f950N.exe	33
PID 1648 wrote to memory of 2608	1648	Synaptics.exe	34
PID 1648 wrote to memory of 2608	1648	Synaptics.exe	34
PID 1648 wrote to memory of 2608	1648	Synaptics.exe	34
PID 1648 wrote to memory of 2608	1648	Synaptics.exe	34

C:\Users\Admin\AppData\Local\Temp\0a903623fe398009bfffb64a6a00f950N.exe
"C:\Users\Admin\AppData\Local\Temp\0a903623fe398009bfffb64a6a00f950N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Local\Temp\._cache_0a903623fe398009bfffb64a6a00f950N.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_0a903623fe398009bfffb64a6a00f950N.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2348
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2608

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
758KB

MD5
0a903623fe398009bfffb64a6a00f950

SHA1
ab719aaf30cefaa53724be01da4478bd9d489401

SHA256
1f17b0bc9b27bdab616b3bba647daed7981ccb8a0017d34bd8abf3de0fa87172

SHA512
39ac8961650e329a262c24c2f67c0f6cec0dbd95bd3f1f1fe1175e21680321751006c8ff643b033f5f781c0b3f1011f3ebb766a1e822c86a9c13d1f267d2b009

Download Submit
C:\Users\Admin\AppData\Local\Temp\ERhMFC8H.xlsm

Filesize
24KB

MD5
42b4ff2382f512eca5f078d04a690514

SHA1
9e14d1a6f026e15b4bb4caf6a9eedf0b3a73745d

SHA256
688490b0bf7f6632129585d371b20f2f9f87c6bef6ebde36d652f12b2e0f1a2c

SHA512
27e838d68819c110d5a6ae6d09806cce4099b09399c892362f76786bd2f5ec4f795558050a0b58513bde513e13915503c135b4cd841f18b17e1b9ce95f582fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ERhMFC8H.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_0a903623fe398009bfffb64a6a00f950N.exe

Filesize
4KB

MD5
99b79aa4ded90d1b7e4c2489d31d484f

SHA1
298b74b1ab408379a3b2108733dff07dc604bbaa

SHA256
3ffec1abd8a6ef0f5077f53bfcf72c679bc5ab513cab3e9d8a1bd36401a2bf4a

SHA512
55f1437696f838be3527ed27fafe247b5ab3ce30c98fd9d9333e1100980cead19d181640ee69f53f1e948b53b82efc33b1e1e96fba9df8de578ebf98f05b61e1

Download Submit
memory/544-40-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1648-39-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1648-83-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1648-84-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1648-106-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1648-117-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2348-29-0x0000000000960000-0x0000000000968000-memory.dmp

Filesize
32KB

Download
memory/2504-2-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2504-26-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2608-38-0x0000000000B20000-0x0000000000B28000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads