f860040b23f5087b90d364e20926219479ff3cf63fff6d21a05dcdf1a2752fbb

General

Target

f860040b23f5087b90d364e20926219479ff3cf63fff6d21a05dcdf1a2752fbbN.exe
Size

820KB
MD5

2f629ee1ae60e54bf73c7de3699d5ec0
SHA1

4dfc6ed6fabde0ad7b0151e5d89e64c35e92fbbf
SHA256

f860040b23f5087b90d364e20926219479ff3cf63fff6d21a05dcdf1a2752fbb
SHA512

0d472f14f2c6bf1a449bd327323645378b1eba352375bf09e53c0141bf9c613a1b65947bb3219b9cdecfe113eccfc9abbaf4fdda4bab648f2f6b226b6e87437c
SSDEEP

12288:UMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9N3Z:UnsJ39LyjbJkQFMhmC+6GD9T

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2788	Synaptics.exe

Loads dropped DLL 2 IoCs

pid	Process
2640	f860040b23f5087b90d364e20926219479ff3cf63fff6d21a05dcdf1a2752fbbN.exe
2640	f860040b23f5087b90d364e20926219479ff3cf63fff6d21a05dcdf1a2752fbbN.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	f860040b23f5087b90d364e20926219479ff3cf63fff6d21a05dcdf1a2752fbbN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f860040b23f5087b90d364e20926219479ff3cf63fff6d21a05dcdf1a2752fbbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1844	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1844	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2788	2640	f860040b23f5087b90d364e20926219479ff3cf63fff6d21a05dcdf1a2752fbbN.exe	30
PID 2640 wrote to memory of 2788	2640	f860040b23f5087b90d364e20926219479ff3cf63fff6d21a05dcdf1a2752fbbN.exe	30
PID 2640 wrote to memory of 2788	2640	f860040b23f5087b90d364e20926219479ff3cf63fff6d21a05dcdf1a2752fbbN.exe	30
PID 2640 wrote to memory of 2788	2640	f860040b23f5087b90d364e20926219479ff3cf63fff6d21a05dcdf1a2752fbbN.exe	30

C:\Users\Admin\AppData\Local\Temp\f860040b23f5087b90d364e20926219479ff3cf63fff6d21a05dcdf1a2752fbbN.exe
"C:\Users\Admin\AppData\Local\Temp\f860040b23f5087b90d364e20926219479ff3cf63fff6d21a05dcdf1a2752fbbN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2640
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2788

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
820KB

MD5
2f629ee1ae60e54bf73c7de3699d5ec0

SHA1
4dfc6ed6fabde0ad7b0151e5d89e64c35e92fbbf

SHA256
f860040b23f5087b90d364e20926219479ff3cf63fff6d21a05dcdf1a2752fbb

SHA512
0d472f14f2c6bf1a449bd327323645378b1eba352375bf09e53c0141bf9c613a1b65947bb3219b9cdecfe113eccfc9abbaf4fdda4bab648f2f6b226b6e87437c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsb8Ib9m.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsb8Ib9m.xlsm

Filesize
24KB

MD5
a2f8a8a701e20185c55ec24cd99149d0

SHA1
c21c55901251480ed1dd94859dc14da25d0d3f9a

SHA256
dc8b2b8cb2172a3c96fbcecb59790abc1d5f62ce1c345949f1e457a11275f28b

SHA512
df0f544563392b544082ff79e0531cc93eba0c6354cfe31844f9286f77db1380a362dfed80b41b5b8a6c7dd1e67801a8f219a4d18c6632ca46ed434626da51e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsb8Ib9m.xlsm

Filesize
31KB

MD5
85bd5652cdfeda78d8402ee2b4f8af14

SHA1
61fee1313014b8c4ec33872be8359075b763f43e

SHA256
52be8ce44c486b4c2799caa86e8b76ed3ab37f96738c66b55d976f76198276e1

SHA512
68f5560683b8bf0dcee0fdeaf510b280daa5c3bd96d5261ce16f6bf3e1a8fb82f3f5ef8c712837bfa3c8ebab656e32f17f4731e03d4290621f72dbbe091544cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsb8Ib9m.xlsm

Filesize
28KB

MD5
2303e29ceb9909127db6985d2b6f26e8

SHA1
e568583e51e65273e86f26cd23806b42276dffff

SHA256
70e9c49da892b30dbbaf0af624fc1a4290c82acb19823f59d7b8df2e4a596af1

SHA512
4a70f6a9fd2a230eebaaf6f6486c44aab392525afb24db64066f117e03cd6c8058928f444760202927d625f5a170620a74cb0416c5dda911999db0b5f779ea36

Download Submit
memory/1844-80-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1844-16-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2640-14-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2640-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2788-15-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2788-82-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2788-81-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2788-83-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2788-116-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads