d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be

Analysis

max time kernel
144s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe
Size

9.7MB
MD5

3572ee7941ba7a5768248935d6c66400
SHA1

4dd2d29a658672cfd8b266c9d1f83d86e0763e48
SHA256

d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be
SHA512

6e71442a3c5fe1743242b4261dd0b3b088c0a8b3676dd017da9679e1e5825a30d568bdb02a95d49c738fce9ab0941eab5ccf7fe5d93dd79dd69662a411932053
SSDEEP

196608:+LRYE0SCI4rbECIwBbiL4c7uXIYaK+GutOHpDRw0nptlVOmpLEMSUsY:+NYn/8ChUvnGutMpDDnpnVVpQfUsY

Score

9^/10

discovery evasion persistence

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Runner.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Runner.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Runner.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Runner.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Runner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Runner.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exeSynaptics.exe._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe

Executes dropped EXE 5 IoCs

Processes:

._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exeSynaptics.exe._cache_Synaptics.exeRunner.exebinding.exe

pid	process
1956	._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe
3156	Synaptics.exe
1196	._cache_Synaptics.exe
1400	Runner.exe
4672	binding.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Runner.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Wine Runner.exe
Loads dropped DLL 3 IoCs

Processes:

Runner.exe

pid process

1400 Runner.exe
1400 Runner.exe
1400 Runner.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Wine	Runner.exe

pid	process
1400	Runner.exe
1400	Runner.exe
1400	Runner.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

PING.EXEbinding.exed5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe._cache_Synaptics.exeRunner.exeSynaptics.exePING.EXEPING.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	binding.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXEPING.EXEPING.EXE

pid process

2244 PING.EXE
4092 PING.EXE
4396 PING.EXE

pid	process
2244	PING.EXE
4092	PING.EXE
4396	PING.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Ver = "d32f69e2"	._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe

Modifies registry class 38 IoCs

Processes:

Runner.exed5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exeSynaptics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InprocServer32	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ThreadingModel = "Apartment"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ThreadingModel = "Apartment"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID\ = "{241D7F03-9232-4024-8373-149860BE27C0}"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID\ = "QMDispatch.QMVBSRoutine"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID\ = "{C07DB6A3-34FC-4084-BE2E-76BB9203B049}"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ = "QMDispatch.QMVBSRoutine"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InprocServer32	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\ = "QMDispatch.QMLibrary"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InprocServer32	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID\ = "{EBEB87A6-E151-4054-AB45-A6E094C5334B}"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\ = "QMDispatch.QMRoutine"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ThreadingModel = "Apartment"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\ = "QMDispatch.QMVBSRoutine"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ = "QMDispatch.QMRoutine"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID\ = "QMDispatch.QMLibrary"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID\ = "QMDispatch.QMRoutine"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ = "QMDispatch.QMLibrary"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32	Runner.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

4396 PING.EXE
2244 PING.EXE
4092 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1580 EXCEL.EXE

pid	process
4396	PING.EXE
2244	PING.EXE
4092	PING.EXE

pid	process
1580	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe

pid	process
1956	._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe
1956	._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe

pid process

1956 ._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe

pid process

1956 ._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe

Suspicious use of SetWindowsHookEx 33 IoCs

Processes:

._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe._cache_Synaptics.exeEXCEL.EXERunner.exebinding.exe

pid	process
1956	._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe
1956	._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe
1956	._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe
1956	._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe
1956	._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe
1956	._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe
1956	._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe
1956	._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe
1956	._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe
1956	._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe
1196	._cache_Synaptics.exe
1580	EXCEL.EXE
1400	Runner.exe
1580	EXCEL.EXE
1400	Runner.exe
1400	Runner.exe
1400	Runner.exe
1400	Runner.exe
1400	Runner.exe
1400	Runner.exe
1400	Runner.exe
1580	EXCEL.EXE
1580	EXCEL.EXE
1400	Runner.exe
1400	Runner.exe
1400	Runner.exe
1400	Runner.exe
1956	._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe
1956	._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe
4672	binding.exe
4672	binding.exe
4672	binding.exe
1580	EXCEL.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exeSynaptics.exe

description	pid	process	target process
PID 4828 wrote to memory of 1956	4828	d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe	._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe
PID 4828 wrote to memory of 1956	4828	d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe	._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe
PID 4828 wrote to memory of 1956	4828	d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe	._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe
PID 4828 wrote to memory of 3156	4828	d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe	Synaptics.exe
PID 4828 wrote to memory of 3156	4828	d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe	Synaptics.exe
PID 4828 wrote to memory of 3156	4828	d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe	Synaptics.exe
PID 1956 wrote to memory of 4396	1956	._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe	PING.EXE
PID 1956 wrote to memory of 4396	1956	._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe	PING.EXE
PID 1956 wrote to memory of 4396	1956	._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe	PING.EXE
PID 3156 wrote to memory of 1196	3156	Synaptics.exe	._cache_Synaptics.exe
PID 3156 wrote to memory of 1196	3156	Synaptics.exe	._cache_Synaptics.exe
PID 3156 wrote to memory of 1196	3156	Synaptics.exe	._cache_Synaptics.exe
PID 1956 wrote to memory of 1400	1956	._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe	Runner.exe
PID 1956 wrote to memory of 1400	1956	._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe	Runner.exe
PID 1956 wrote to memory of 1400	1956	._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe	Runner.exe
PID 1956 wrote to memory of 2244	1956	._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe	PING.EXE
PID 1956 wrote to memory of 2244	1956	._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe	PING.EXE
PID 1956 wrote to memory of 2244	1956	._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe	PING.EXE
PID 1956 wrote to memory of 4092	1956	._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe	PING.EXE
PID 1956 wrote to memory of 4092	1956	._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe	PING.EXE
PID 1956 wrote to memory of 4092	1956	._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe	PING.EXE
PID 1956 wrote to memory of 4672	1956	._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe	binding.exe
PID 1956 wrote to memory of 4672	1956	._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe	binding.exe
PID 1956 wrote to memory of 4672	1956	._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe	binding.exe

C:\Users\Admin\AppData\Local\Temp\d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe
"C:\Users\Admin\AppData\Local\Temp\d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4828

C:\Users\Admin\AppData\Local\Temp\._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" www.baidu.com -n 2
3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4396

C:\Users\Admin\AppData\Roaming\MyMacro\Runner.exe
--host_id 3 --verify_key A1L3wL038_Xg --product "C:\Users\Admin\AppData\Local\Temp\._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe" --version 2014.05.17762
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1400

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" www.baidu.com -n 2
3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2244

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE" www.baidu.com -n 2
3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4092

C:\Users\Admin\AppData\Roaming\MyMacro\binding.exe
C:\Users\Admin\AppData\Roaming\MyMacro\binding.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4672

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3156

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1196

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
9.7MB

MD5
3572ee7941ba7a5768248935d6c66400

SHA1
4dd2d29a658672cfd8b266c9d1f83d86e0763e48

SHA256
d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be

SHA512
6e71442a3c5fe1743242b4261dd0b3b088c0a8b3676dd017da9679e1e5825a30d568bdb02a95d49c738fce9ab0941eab5ccf7fe5d93dd79dd69662a411932053

Download Submit
C:\ProgramData\boost_interprocess\GW_1RshA7SkE

Filesize
256KB

MD5
0ff11bc67236374cd9fad53c7eb51ce9

SHA1
3568d8e4c95151b77d1b5f878e5dfcced9585a60

SHA256
3922573ca3ad718c055fee5dcabe2cadeaf5ba5fda43766549c6cfde305797b6

SHA512
dcecff49d298972c314ef814a6d7eff6a90c494d4646fb6851c3b0df45e4ca10b299f9a03716de369cfb16e54b1263464d640ed7efc919c727cdb185695b13b4

Download Submit
C:\ProgramData\boost_interprocess\QLo_lxan6GoI

Filesize
2KB

MD5
8b7aeb144c3c1954534f2dc2f04a4d35

SHA1
ee5c68edbdaf4f324286113405f6d9d75979f4ec

SHA256
1ba371866bacc11ff71ce6e132475928fbc2447eb1dc4cfd89fc6dec597485a4

SHA512
ac8749928a22c54231d2a3cd9ba5267a168ee130172db257f2ae153790bba6180f371edb5664c92b94c8d47fcb2ceb6ed317eed9a7bd6eb9231a42fc4d4f3a81

Download Submit
C:\ProgramData\boost_interprocess\fcU0PEd1Hgz

Filesize
258B

MD5
b6433eea04160907b0904b0c1c499521

SHA1
b6d022194c60615d4870eb26e7d4f138cdd26db2

SHA256
681a8e8de701be1ba1b95491dcc55534f1c64e8c9640389fc9d6f652ef2de086

SHA512
91ad2c81697a239a21012b203b4a828131ab7f0901777f6905770d2bd9187aff712bb1253a79f8ae57242e0867fd146704fb93995cf8b0129edad1fb9b94ad0d

Download Submit
C:\ProgramData\boost_interprocess\fcU0PEd1Hgzi

Filesize
256KB

MD5
0ab9a5b1474257dd1045b666ca601b03

SHA1
b297d2c584fa3b909af7a05f8670bcf5470eb03f

SHA256
1bce5b498520efafe90fc08ee7878ac895bc36b7b78445f244a4e09573f9494d

SHA512
fed17dad3d4e79022ebae6009933de6cd2a49acd339b431131accf3192526cbe051cf3fb07616a578a0fbf4e6a6c8295f312cad3b6b809213d3bd5fbfb282198

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_d5942ce0cd067d5d8ef5ef6c9ceeb3fff2e26c57c2855f42d8076d2bcd3788be.exe

Filesize
8.9MB

MD5
52990450bdf46daf49c310a41588eb34

SHA1
2542708f7f0cd280a6b7745a0173c60e3bdf7f75

SHA256
b56aa1e916797ad350fd25d22c123bfef351095829fddc5382c39064f2550ecd

SHA512
91497e287ee089ecdea9ee3c013f4b59f9f617dbde95f655cc24a1c16c7b94d40b5f3342be6541ad14b39f8496261dac012ed2acddf90f2a80fae9041252cece

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMLog\20240726.log

Filesize
324B

MD5
bab8f778295f2df72d835dc3aa1995c6

SHA1
524d26cd12acf881ef9103194c5763b010e8399d

SHA256
0c137e6702796939f015ae5ce372f28e745ed9cf7bf2f7a013f9e09a91b8a43a

SHA512
f9b53e432190cd8dabc5bdff2df70aa29be212c198e7d396843155066979d92610e7d7ff550bbeaed158fe1cb807f8068b46918a669c9f0c27a8d1cc757ec5cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwOvwhmP.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\macAAC7.tmp

Filesize
330B

MD5
91b7cfbd9d4bbed71914d1d87443aa6a

SHA1
c11ce7a2e3e3d78347db5deeae5fc4553202f367

SHA256
99b26b57becd90b31c04dbf467a6dd4e4c77ab2a6b488bcc91f7c5be0e0c1980

SHA512
9b8342888b2ff77b752f16b8dad1833908550b2852758b592f99c0510849cd852dbe29ad3e8de1e622b1c4677fbd5033a82094d6b6c834482b7556cce95054fd

Download Submit
C:\Users\Admin\AppData\Roaming\MyMacro\Runner.exe

Filesize
7.2MB

MD5
bf194c1f69ea179613a00c300a537fd6

SHA1
d88ca448d3cb748f0bb8488cf2779adafb19170c

SHA256
774dd36da750db779d107b39e7f6f6f4c6f0766b2722d8d234971639d6e16fbf

SHA512
59e2ef379bafe0a4bc62bcf299776f1a837e0e86ef42651cd8c309a13e4a3d434a7cd4f844bb7346669a84a8d905b44e5ab9da9de557d11ef6e74210306039c4

Download Submit
C:\Users\Admin\AppData\Roaming\MyMacro\binding.exe

Filesize
1.7MB

MD5
6abd36f782e36bcf9e90a3230d6ca97f

SHA1
3c3d5760a8db6c66f4c5b8c31cbf2613a8a7d6b9

SHA256
13652dae4ec58de8a20da51c7455f34144554b91d25ac1c72bec9cbe361ca752

SHA512
05463e3c0028e8e39787465e4529ad22c9c64c2a29701c4673f983b50852573aa3c197c2307fdf58d9ab514cca06f058cc17a8b53d28e76957792be7ac1acce6

Download Submit
C:\Users\Admin\AppData\Roaming\MyMacro\cfgdll.dll

Filesize
59KB

MD5
b35416c2b3e818894df95608b76934f7

SHA1
bbdd1c0f49e9ce54e9312f5edfead76d343c21cf

SHA256
8147481d1c93da5ce5de7ff7a72a45756d45ea1f27d27bb8c9944642f42549a3

SHA512
92382562761b36b4ed2ec0bba832c66c8f720e190630596ff830a047a498889e7a0f3628d1a3ffac066b06ccd8c2d3840e82b4304b636e1b1ee434910c6f0bdf

Download Submit
C:\Users\Admin\AppData\Roaming\MyMacro\qdisp.dll

Filesize
303KB

MD5
014c01cd6522778e1e15be0e696dfe0c

SHA1
c908376fcc4525ec5c4b35d289ef1361ea5cb2d9

SHA256
259eaf1ddc9bf610d11a22413853b3d4386fc5a8412c6e602c74eb43f1a32d46

SHA512
3b8d040b4a6e879ecf3bafba336b2fc8d793d4f6931902faf87e8f64faf6eca7f1f21485794cffe16c7d0ea907b9f6db93df0b4bae8cb3684733e95608523fd9

Download Submit
memory/1400-307-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/1400-329-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/1400-344-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/1400-342-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/1400-340-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/1400-338-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/1400-336-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/1400-333-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/1400-241-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/1400-331-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/1400-287-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/1400-293-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/1400-294-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/1400-296-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/1400-298-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/1400-303-0x0000000000400000-0x0000000000B31000-memory.dmp

Filesize
7.2MB

Download
memory/1580-248-0x00007FFBD9B80000-0x00007FFBD9B90000-memory.dmp

Filesize
64KB

Download
memory/1580-246-0x00007FFBDBE90000-0x00007FFBDBEA0000-memory.dmp

Filesize
64KB

Download
memory/1580-245-0x00007FFBDBE90000-0x00007FFBDBEA0000-memory.dmp

Filesize
64KB

Download
memory/1580-244-0x00007FFBDBE90000-0x00007FFBDBEA0000-memory.dmp

Filesize
64KB

Download
memory/1580-243-0x00007FFBDBE90000-0x00007FFBDBEA0000-memory.dmp

Filesize
64KB

Download
memory/1580-242-0x00007FFBDBE90000-0x00007FFBDBEA0000-memory.dmp

Filesize
64KB

Download
memory/1580-247-0x00007FFBD9B80000-0x00007FFBD9B90000-memory.dmp

Filesize
64KB

Download
memory/3156-328-0x0000000000400000-0x0000000000DAE000-memory.dmp

Filesize
9.7MB

Download
memory/3156-286-0x0000000000400000-0x0000000000DAE000-memory.dmp

Filesize
9.7MB

Download
memory/4828-144-0x0000000000400000-0x0000000000DAE000-memory.dmp

Filesize
9.7MB

Download
memory/4828-0-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download