Analysis
max time kernel: 120s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/09/2024, 06:43
Static task: static1
Behavioral task: behavioral1
  Sample: 049ccb277f6c9e2816347b2d51df7ba0N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 049ccb277f6c9e2816347b2d51df7ba0N.exe
  Resource: win10v2004-20240802-en
General
Target: 049ccb277f6c9e2816347b2d51df7ba0N.exe
Size: 4.3MB
MD5: 049ccb277f6c9e2816347b2d51df7ba0
SHA1: b78da518b845bacca6ecd4595f751a8e6c41c4d6
SHA256: dbd90ffa51b2ec9e716642d651d5740f2a9e376db28b217dbc31ab89b5362409
SHA512: 4250cf0ca6815f97265eb7924095c84a8fe41e463bcf172802e72ba5c045f999f23411a994a21d73cab270fe22287e44b33d5314f5b120ab5fad79c53e8a4559
SSDEEP: 98304:gC11IMjItWMFAetMtXjxhmZrC11IMjItWMFAetMtXjxhmZY4T:ghSMFjO7mZrhSMFjO7mZY
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
1184 | powershell.exe
3456 | powershell.exe

Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | 049ccb277f6c9e2816347b2d51df7ba0N.exe
Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | 049ccb277f6c9e2816347b2d51df7ba0N.exe
Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | Synaptics.exe
Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | Synaptics.exe

Executes dropped EXE (6 IoCs)
pid | Process
1644 | ._cache_049ccb277f6c9e2816347b2d51df7ba0N.exe
404 | Synaptics.exe
1548 | Synaptics.exe
3100 | Synaptics.exe
4992 | Synaptics.exe
1932 | ._cache_Synaptics.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | 049ccb277f6c9e2816347b2d51df7ba0N.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 3020 set thread context of 672 | 3020 | 049ccb277f6c9e2816347b2d51df7ba0N.exe | 97
PID 404 set thread context of 4992 | 404 | Synaptics.exe | 106

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Synaptics.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_Synaptics.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 049ccb277f6c9e2816347b2d51df7ba0N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 049ccb277f6c9e2816347b2d51df7ba0N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_049ccb277f6c9e2816347b2d51df7ba0N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Synaptics.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE

Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 049ccb277f6c9e2816347b2d51df7ba0N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Synaptics.exe

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid | Process
2252 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (24 IoCs; identical rows collapsed, count in parentheses)
pid | Process
3020 | 049ccb277f6c9e2816347b2d51df7ba0N.exe (9 entries)
1184 | powershell.exe (2 entries)
404 | Synaptics.exe (11 entries)
3456 | powershell.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3020 | 049ccb277f6c9e2816347b2d51df7ba0N.exe
Token: SeDebugPrivilege | 1184 | powershell.exe
Token: SeDebugPrivilege | 404 | Synaptics.exe
Token: SeDebugPrivilege | 3456 | powershell.exe

Suspicious use of SetWindowsHookEx (5 IoCs; identical rows collapsed, count in parentheses)
pid | Process
1644 | ._cache_049ccb277f6c9e2816347b2d51df7ba0N.exe (1 entry)
2252 | EXCEL.EXE (4 entries)

Suspicious use of WriteProcessMemory (46 IoCs; identical rows collapsed, count in parentheses)
description | pid | Process | procid_target
PID 3020 wrote to memory of 1184 | 3020 | 049ccb277f6c9e2816347b2d51df7ba0N.exe | 94 (3 entries)
PID 3020 wrote to memory of 4416 | 3020 | 049ccb277f6c9e2816347b2d51df7ba0N.exe | 96 (3 entries)
PID 3020 wrote to memory of 672 | 3020 | 049ccb277f6c9e2816347b2d51df7ba0N.exe | 97 (11 entries)
PID 672 wrote to memory of 1644 | 672 | 049ccb277f6c9e2816347b2d51df7ba0N.exe | 98 (3 entries)
PID 672 wrote to memory of 404 | 672 | 049ccb277f6c9e2816347b2d51df7ba0N.exe | 99 (3 entries)
PID 404 wrote to memory of 3456 | 404 | Synaptics.exe | 102 (3 entries)
PID 404 wrote to memory of 1548 | 404 | Synaptics.exe | 104 (3 entries)
PID 404 wrote to memory of 3100 | 404 | Synaptics.exe | 105 (3 entries)
PID 404 wrote to memory of 4992 | 404 | Synaptics.exe | 106 (11 entries)
PID 4992 wrote to memory of 1932 | 4992 | Synaptics.exe | 107 (3 entries)
Processes
(Indentation shows the parent/child relationship; the number in parentheses is the depth in the process tree.)

C:\Users\Admin\AppData\Local\Temp\049ccb277f6c9e2816347b2d51df7ba0N.exe (1) PID:3020
  Command line: "C:\Users\Admin\AppData\Local\Temp\049ccb277f6c9e2816347b2d51df7ba0N.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (2) PID:1184
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\049ccb277f6c9e2816347b2d51df7ba0N.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\049ccb277f6c9e2816347b2d51df7ba0N.exe (2) PID:4416
    Command line: "C:\Users\Admin\AppData\Local\Temp\049ccb277f6c9e2816347b2d51df7ba0N.exe"

  C:\Users\Admin\AppData\Local\Temp\049ccb277f6c9e2816347b2d51df7ba0N.exe (2) PID:672
    Command line: "C:\Users\Admin\AppData\Local\Temp\049ccb277f6c9e2816347b2d51df7ba0N.exe"
    - Checks computer location settings
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\._cache_049ccb277f6c9e2816347b2d51df7ba0N.exe (3) PID:1644
      Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_049ccb277f6c9e2816347b2d51df7ba0N.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

    C:\ProgramData\Synaptics\Synaptics.exe (3) PID:404
      Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4) PID:3456
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Synaptics\Synaptics.exe"
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\ProgramData\Synaptics\Synaptics.exe (4) PID:1548
        Command line: "C:\ProgramData\Synaptics\Synaptics.exe"
        - Executes dropped EXE

      C:\ProgramData\Synaptics\Synaptics.exe (4) PID:3100
        Command line: "C:\ProgramData\Synaptics\Synaptics.exe"
        - Executes dropped EXE

      C:\ProgramData\Synaptics\Synaptics.exe (4) PID:4992
        Command line: "C:\ProgramData\Synaptics\Synaptics.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe (5) PID:1932
          Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (1) PID:2252
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 4.3MB
MD5: 049ccb277f6c9e2816347b2d51df7ba0
SHA1: b78da518b845bacca6ecd4595f751a8e6c41c4d6
SHA256: dbd90ffa51b2ec9e716642d651d5740f2a9e376db28b217dbc31ab89b5362409
SHA512: 4250cf0ca6815f97265eb7924095c84a8fe41e463bcf172802e72ba5c045f999f23411a994a21d73cab270fe22287e44b33d5314f5b120ab5fad79c53e8a4559

Filesize: 144B
MD5: 5e874202887e447e03c5e8cba47107e5
SHA1: 9bb6276a74dd5f580a9078ec746d93d1539f1acc
SHA256: 667c06df0a1ea6d57a545b34292e05b6b4e19455266049b4bdbd9500e167a55a
SHA512: c87541a0a26603545efbc8e062b962aafe4689a32eb0461a24e7c3fa82406e9725886aeba838c21f2c01f014c9786f270d06d104cf54c841e77f9ac523e74450

Filesize: 2KB
MD5: 968cb9309758126772781b83adb8a28f
SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Filesize: 18KB
MD5: 6ffdec7a8f2587c83ed1571e4bf4be74
SHA1: f67226d7eab0750d8d0b430d9c6bc9d00d526849
SHA256: e976bf080b3606fa6a8cb7089e1cb42412194663842442f568408757ab1d5d00
SHA512: 7e1619d4d81e1231f9583caaffbc170bc577f34fbee3e9a7597ede4c7753f61e09881db5d719666018785bba47627ae7b5ff153fd1d56ad2f6479938656161e9

Filesize: 483KB
MD5: 87705ce8d428c8701a1efa3669cb5135
SHA1: 3d2022f4950b549bf238bf285aa6ac0dc0c075e3
SHA256: 543001345cedb9f6962494aafd531be8c1427876b07f339365fd7b20c18fcdce
SHA512: 374bd7e76c0341ad3cba5b1f4d949b246b584f227c8c6461cc4798781fe6b8e8e6b64556d3c6bf94cac2aa4b06ccf10bc0b373a7594bbf117a50b5113f75c9d4

Filesize: 17KB
MD5: e566fc53051035e1e6fd0ed1823de0f9
SHA1: 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256: 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512: a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82