978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fba

Resubmissions

29-11-2024 08:36

241129-khsfya1ldq 10

01-10-2024 11:04

241001-m6jvtazeqg 7

Analysis

max time kernel
119s
max time network
106s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fbaN.exe
Size

1.9MB
MD5

c4e7360de90c311c8ee74feb603c4e40
SHA1

8c5eef4ba7ea32966655294a07462b366fee6c2f
SHA256

978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fba
SHA512

8b2d2727673e284ec7b71542722ed86bdfb907b7f864d9cc840c37361142d70bd45059dd5842f036ef8160468251265fae71042c31813b0787477565a4a0ec04
SSDEEP

49152:wnsHyjtk2MYC5GD6/+6X/4mqCGdhaD8sLu3ChsFl2U8t:wnsmtk2a52G9D8cZsJI

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2284	._cache_978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fbaN.exe
2768	Synaptics.exe
2848	._cache_Synaptics.exe

Loads dropped DLL 10 IoCs

pid	Process
1812	978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fbaN.exe
2284	._cache_978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fbaN.exe
2284	._cache_978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fbaN.exe
2284	._cache_978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fbaN.exe
2284	._cache_978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fbaN.exe
1812	978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fbaN.exe
1812	978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fbaN.exe
2768	Synaptics.exe
2768	Synaptics.exe
2848	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fbaN.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Npcap\install.log	._cache_978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fbaN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fbaN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fbaN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2928	EXCEL.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2284	._cache_978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fbaN.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1796	WMIC.exe
Token: SeSecurityPrivilege	1796	WMIC.exe
Token: SeTakeOwnershipPrivilege	1796	WMIC.exe
Token: SeLoadDriverPrivilege	1796	WMIC.exe
Token: SeSystemProfilePrivilege	1796	WMIC.exe
Token: SeSystemtimePrivilege	1796	WMIC.exe
Token: SeProfSingleProcessPrivilege	1796	WMIC.exe
Token: SeIncBasePriorityPrivilege	1796	WMIC.exe
Token: SeCreatePagefilePrivilege	1796	WMIC.exe
Token: SeBackupPrivilege	1796	WMIC.exe
Token: SeRestorePrivilege	1796	WMIC.exe
Token: SeShutdownPrivilege	1796	WMIC.exe
Token: SeDebugPrivilege	1796	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1796	WMIC.exe
Token: SeRemoteShutdownPrivilege	1796	WMIC.exe
Token: SeUndockPrivilege	1796	WMIC.exe
Token: SeManageVolumePrivilege	1796	WMIC.exe
Token: 33	1796	WMIC.exe
Token: 34	1796	WMIC.exe
Token: 35	1796	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1796	WMIC.exe
Token: SeSecurityPrivilege	1796	WMIC.exe
Token: SeTakeOwnershipPrivilege	1796	WMIC.exe
Token: SeLoadDriverPrivilege	1796	WMIC.exe
Token: SeSystemProfilePrivilege	1796	WMIC.exe
Token: SeSystemtimePrivilege	1796	WMIC.exe
Token: SeProfSingleProcessPrivilege	1796	WMIC.exe
Token: SeIncBasePriorityPrivilege	1796	WMIC.exe
Token: SeCreatePagefilePrivilege	1796	WMIC.exe
Token: SeBackupPrivilege	1796	WMIC.exe
Token: SeRestorePrivilege	1796	WMIC.exe
Token: SeShutdownPrivilege	1796	WMIC.exe
Token: SeDebugPrivilege	1796	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1796	WMIC.exe
Token: SeRemoteShutdownPrivilege	1796	WMIC.exe
Token: SeUndockPrivilege	1796	WMIC.exe
Token: SeManageVolumePrivilege	1796	WMIC.exe
Token: 33	1796	WMIC.exe
Token: 34	1796	WMIC.exe
Token: 35	1796	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2928	EXCEL.EXE

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 2284	1812	978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fbaN.exe	30
PID 1812 wrote to memory of 2284	1812	978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fbaN.exe	30
PID 1812 wrote to memory of 2284	1812	978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fbaN.exe	30
PID 1812 wrote to memory of 2284	1812	978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fbaN.exe	30
PID 1812 wrote to memory of 2284	1812	978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fbaN.exe	30
PID 1812 wrote to memory of 2284	1812	978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fbaN.exe	30
PID 1812 wrote to memory of 2284	1812	978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fbaN.exe	30
PID 2284 wrote to memory of 1904	2284	._cache_978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fbaN.exe	31
PID 2284 wrote to memory of 1904	2284	._cache_978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fbaN.exe	31
PID 2284 wrote to memory of 1904	2284	._cache_978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fbaN.exe	31
PID 2284 wrote to memory of 1904	2284	._cache_978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fbaN.exe	31
PID 1904 wrote to memory of 1796	1904	cmd.exe	33
PID 1904 wrote to memory of 1796	1904	cmd.exe	33
PID 1904 wrote to memory of 1796	1904	cmd.exe	33
PID 1904 wrote to memory of 1796	1904	cmd.exe	33
PID 1904 wrote to memory of 2720	1904	cmd.exe	34
PID 1904 wrote to memory of 2720	1904	cmd.exe	34
PID 1904 wrote to memory of 2720	1904	cmd.exe	34
PID 1904 wrote to memory of 2720	1904	cmd.exe	34
PID 1812 wrote to memory of 2768	1812	978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fbaN.exe	35
PID 1812 wrote to memory of 2768	1812	978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fbaN.exe	35
PID 1812 wrote to memory of 2768	1812	978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fbaN.exe	35
PID 1812 wrote to memory of 2768	1812	978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fbaN.exe	35
PID 2768 wrote to memory of 2848	2768	Synaptics.exe	37
PID 2768 wrote to memory of 2848	2768	Synaptics.exe	37
PID 2768 wrote to memory of 2848	2768	Synaptics.exe	37
PID 2768 wrote to memory of 2848	2768	Synaptics.exe	37
PID 2768 wrote to memory of 2848	2768	Synaptics.exe	37
PID 2768 wrote to memory of 2848	2768	Synaptics.exe	37
PID 2768 wrote to memory of 2848	2768	Synaptics.exe	37

C:\Users\Admin\AppData\Local\Temp\978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fbaN.exe
"C:\Users\Admin\AppData\Local\Temp\978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fbaN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Users\Admin\AppData\Local\Temp\._cache_978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fbaN.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fbaN.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\SysWOW64\cmd.exe
    cmd /Q /C "%SYSTEMROOT%\System32\wbem\wmic.exe qfe get hotfixid | %SYSTEMROOT%\System32\findstr.exe "^KB4474419""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1904
  - - C:\Windows\SysWOW64\wbem\WMIC.exe
      C:\Windows\System32\wbem\wmic.exe qfe get hotfixid
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1796
  - - C:\Windows\SysWOW64\findstr.exe
      C:\Windows\System32\findstr.exe "^KB4474419"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2720
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2848

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.9MB

MD5
c4e7360de90c311c8ee74feb603c4e40

SHA1
8c5eef4ba7ea32966655294a07462b366fee6c2f

SHA256
978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fba

SHA512
8b2d2727673e284ec7b71542722ed86bdfb907b7f864d9cc840c37361142d70bd45059dd5842f036ef8160468251265fae71042c31813b0787477565a4a0ec04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nvNVAuqr.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nvNVAuqr.xlsm

Filesize
24KB

MD5
c48bc550b482faa71d494488625b4464

SHA1
c8dfc806d63b249575ae46ab50926d6666d34bba

SHA256
e6b258e789fdae134a5cc954e1eb6901e85e2635b8a9a24d466376409cb631a9

SHA512
73b674cdc925c9484e317d68839db9c74484976c6926c240337a97031d2af4b42f26a137ca08ee27da6cd5b5be504db0c18cedd5365d0b84f69c51164c0836d4

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_978bf35000aec54e08e7572607d05773da746d7b98ed58447c2900f5206e2fbaN.exe

Filesize
1.1MB

MD5
ba04898d2ff0674cdf73164530e917a4

SHA1
bbc1525419b343df6dd669104d2ea724cd428661

SHA256
ac4f26d7d9f994d6f04141b2266f02682def51af63c09c96a7268552c94a6535

SHA512
b1734a3c7b97c95313322bbdd3c7168da456111490e0324861b36367a027d8d5b2a46fbced8273931de16325521f6979e47becc3251daf4ef3cf328777efd65c

Download Submit
\Users\Admin\AppData\Local\Temp\nsjC535.tmp\InstallOptions.dll

Filesize
15KB

MD5
d1eefb07abc2577dfb92eb2e95a975e4

SHA1
0584c2b1807bc3bd10d4b60d2d23eeb0e6832ca2

SHA256
89dd7d646278d8bfc41d5446bdc348b9a9afaa832abf02c1396272bb7ac7262a

SHA512
eaffd9940b1df59e95e2adb79b3b6415fff5bf196ebea5fe625a6c52e552a00b44d985a36a8dd9eb33eba2425ffea4244ed07a75d87284ff51ec9f9a5e1ac65e

Download Submit
\Users\Admin\AppData\Local\Temp\nsjC535.tmp\System.dll

Filesize
12KB

MD5
192639861e3dc2dc5c08bb8f8c7260d5

SHA1
58d30e460609e22fa0098bc27d928b689ef9af78

SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

Download Submit
\Users\Admin\AppData\Local\Temp\nsjC535.tmp\nsExec.dll

Filesize
7KB

MD5
11092c1d3fbb449a60695c44f9f3d183

SHA1
b89d614755f2e943df4d510d87a7fc1a3bcf5a33

SHA256
2cd3a2d4053954db1196e2526545c36dfc138c6de9b81f6264632f3132843c77

SHA512
c182e0a1f0044b67b4b9fb66cef9c4955629f6811d98bbffa99225b03c43c33b1e85cacabb39f2c45ead81cd85e98b201d5f9da4ee0038423b1ad947270c134a

Download Submit
memory/1812-53-0x0000000000400000-0x00000000005E8000-memory.dmp

Filesize
1.9MB

Download
memory/1812-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2768-69-0x0000000000400000-0x00000000005E8000-memory.dmp

Filesize
1.9MB

Download
memory/2768-116-0x0000000000400000-0x00000000005E8000-memory.dmp

Filesize
1.9MB

Download
memory/2768-119-0x0000000000400000-0x00000000005E8000-memory.dmp

Filesize
1.9MB

Download
memory/2768-151-0x0000000000400000-0x00000000005E8000-memory.dmp

Filesize
1.9MB

Download
memory/2928-70-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads