ebf8c70201f3fa543de8bc8a93f96f04d39b09f99e39a30729eafb033d2cf14b

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-10-2024 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SupplierRFQID365242213q___________________________pdf.exe
Size

763KB
MD5

f063df845a7bfb23a59cb8c8e5fa28eb
SHA1

a80bf8e2cc122c95a145a34d96da39ad9224bd40
SHA256

ebf8c70201f3fa543de8bc8a93f96f04d39b09f99e39a30729eafb033d2cf14b
SHA512

94de5c5137edebd31b8d048fb87a8682e4d3a7f37ead13c8e50ff5ca05c1a174625138ac4edb794e0a82ad6e30d3955299612de10a6010e2730f1b0b824f864e
SSDEEP

12288:CMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9IiKt9j:CnsJ39LyjbJkQFMhmC+6GD9lm

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2804	._cache_SupplierRFQID365242213q___________________________pdf.exe
2400	Synaptics.exe
2880	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
1016	SupplierRFQID365242213q___________________________pdf.exe
1016	SupplierRFQID365242213q___________________________pdf.exe
1016	SupplierRFQID365242213q___________________________pdf.exe
2400	Synaptics.exe
2400	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	SupplierRFQID365242213q___________________________pdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SupplierRFQID365242213q___________________________pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_SupplierRFQID365242213q___________________________pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2420	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	._cache_SupplierRFQID365242213q___________________________pdf.exe
Token: SeDebugPrivilege	2880	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2420	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 2804	1016	SupplierRFQID365242213q___________________________pdf.exe	30
PID 1016 wrote to memory of 2804	1016	SupplierRFQID365242213q___________________________pdf.exe	30
PID 1016 wrote to memory of 2804	1016	SupplierRFQID365242213q___________________________pdf.exe	30
PID 1016 wrote to memory of 2804	1016	SupplierRFQID365242213q___________________________pdf.exe	30
PID 1016 wrote to memory of 2400	1016	SupplierRFQID365242213q___________________________pdf.exe	31
PID 1016 wrote to memory of 2400	1016	SupplierRFQID365242213q___________________________pdf.exe	31
PID 1016 wrote to memory of 2400	1016	SupplierRFQID365242213q___________________________pdf.exe	31
PID 1016 wrote to memory of 2400	1016	SupplierRFQID365242213q___________________________pdf.exe	31
PID 2400 wrote to memory of 2880	2400	Synaptics.exe	32
PID 2400 wrote to memory of 2880	2400	Synaptics.exe	32
PID 2400 wrote to memory of 2880	2400	Synaptics.exe	32
PID 2400 wrote to memory of 2880	2400	Synaptics.exe	32

C:\Users\Admin\AppData\Local\Temp\SupplierRFQID365242213q___________________________pdf.exe
"C:\Users\Admin\AppData\Local\Temp\SupplierRFQID365242213q___________________________pdf.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Users\Admin\AppData\Local\Temp\._cache_SupplierRFQID365242213q___________________________pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_SupplierRFQID365242213q___________________________pdf.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2880

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
763KB

MD5
f063df845a7bfb23a59cb8c8e5fa28eb

SHA1
a80bf8e2cc122c95a145a34d96da39ad9224bd40

SHA256
ebf8c70201f3fa543de8bc8a93f96f04d39b09f99e39a30729eafb033d2cf14b

SHA512
94de5c5137edebd31b8d048fb87a8682e4d3a7f37ead13c8e50ff5ca05c1a174625138ac4edb794e0a82ad6e30d3955299612de10a6010e2730f1b0b824f864e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xLyqRdMm.xlsm

Filesize
23KB

MD5
525b3f8bad70e424873a769a9def2e42

SHA1
8a9374fa5e1bab6c4ef73aa448dc11fbca77c7f5

SHA256
884e44ebe795a9390f56b2f9494530cadc93eef541e9e587aa20276889b5611e

SHA512
e0393e915f71c57d5fb3a8d27b499d14aa92eba998cdf779fead4584dbd707243d1f3844f9973af033846c93d48f0ff7e86339ed200dbe0e267c6c2baa75b58b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xLyqRdMm.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\xLyqRdMm.xlsm

Filesize
24KB

MD5
786a298f501ea549af43e673d631c19b

SHA1
f67fe91488d58b6fb8fdd443f16f921e2b48b8ea

SHA256
66c1ffb90ad54f5c0b26c4e4a7f5a47e3ef3cb483bdd62c8a28ac60e3a966351

SHA512
7018632835607fb96ab2079ab776ac52d36ab32248fc2a125b96e3ff9eefa849511e82e7f0bc0002a604ebd0290662228e6a5cf19431796146a9082649fa5fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\xLyqRdMm.xlsm

Filesize
27KB

MD5
075d715fab70e729ccbfb8ef1f2fc53a

SHA1
b137556085a6049778c48cd81449f85606e897d4

SHA256
eb0be061d254737ac0c6e62032ad0dd22f10484f3406a81b724f107152c9f93a

SHA512
09b9682aef709885ab603a393a7548fb953046f65587b61b9c88cf818499398f16b7a587947275e60a9195a31ec889859eba53119e2b7914edc749d264b3f095

Download Submit
C:\Users\Admin\AppData\Local\Temp\xLyqRdMm.xlsm

Filesize
25KB

MD5
eb705f7b3b5250a189c5e5276ad6ad5d

SHA1
c476cf471e23a03938a9123d878b6a66f6b28fa1

SHA256
2a7dd19d390578a0f5e27d1c4f8b1ee742804d1b97d0f661dd7feb8bd0772a61

SHA512
cecd59c4b63ca3dd609b543b2d5a0cf5f44fd20595dd36f23bea06eb76e9a5e2f0c009900d61a9c2f10ce136411537c031497fb6cb7777949ebde1b6d0f59d6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xLyqRdMm.xlsm

Filesize
28KB

MD5
13aa2044e3e280620b7ae802a8efb8b9

SHA1
3219b842552196e3e8e17f6cae15e049c402bdce

SHA256
c4e9ed7ce3b0f92ce183b2fef36851304f1abbae146a5d79c9fbec1c6a9235c3

SHA512
fa8379107102bc9abb7e18c954a4530aadb4974d26463ad580d142f918f08041904bd62b125dd1b25da0dd51b51dfc8a469407bf4d30254c2ae355ceb3ba7b20

Download Submit
C:\Users\Admin\Desktop\~$StepInitialize.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_SupplierRFQID365242213q___________________________pdf.exe

Filesize
9KB

MD5
f90ea0a295f1f19131fd81e0494df731

SHA1
51d5a58045de6d06e2a5eea3c5f823caa18695b6

SHA256
905d6410a4f44915a21dcbf57b1709b35959f858ee2cecd773ee40cec5465510

SHA512
797b19355a1693c68a24453b0df01ade47253e0f90fe1c1cb1f23b73a4233c6181fb746a6bf41ae0d3add011e0e3cdb656c0715f3879b68a6d7fc4f442e9e1af

Download Submit
memory/1016-26-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1016-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2400-130-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2400-131-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2400-163-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2420-39-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2804-29-0x0000000000F90000-0x0000000000F98000-memory.dmp

Filesize
32KB

Download
memory/2880-38-0x0000000000020000-0x0000000000028000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads