Analysis

max time kernel: 145s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-10-2024 23:25

Behavioral task: behavioral1
Sample: 5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe
Resource: win7-20240903-en

General

Target: 5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe
Size: 868KB
MD5: 31ce659e1e8cb2bdd2b634332b2195ec
SHA1: a2201f5e636d03091950c4e585420227b501ce3f
SHA256: 5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9
SHA512: c5ce587d67f3e1880835061d61b0dc3fe8f6091a2a6038fc966d50995acbe9e9869c71f3f5cdaa4fd6b260a91c6500e0fc5ced90905684abf0510f2f81547839
SSDEEP: 12288:BpJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V91dNDXBl2CUMS9:nJ39LyjbJkQFMhmC+6GD95DRYn9
Malware Config
Signatures
Detect Neshta payload 6 IoCs
resource | yara_rule
behavioral2/files/0x000600000002021e-205.dat | family_neshta
behavioral2/files/0x00010000000228e4-339.dat | family_neshta
behavioral2/memory/3940-340-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/3940-348-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/3940-352-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/3940-357-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
Neshta
Malware from the Neshta family infects other executable files on the host in order to spread itself and cause damage.
Neshta family
Checks computer location settings 2 TTPs 3 IoCs
Looks up the country code configured in the registry, likely as a geofencing check.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | 5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | 5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | Synaptics.exe
Executes dropped EXE 4 IoCs
pid | Process
1412 | 5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe
3164 | ._cache_5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe
4196 | Synaptics.exe
4412 | ._cache_Synaptics.exe
Modifies system executable filetype association 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" | 5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe
resource | yara_rule
behavioral2/files/0x000a000000023b5e-17.dat | upx
behavioral2/memory/3164-73-0x0000000000400000-0x0000000000431000-memory.dmp | upx
behavioral2/memory/4412-207-0x0000000000400000-0x0000000000431000-memory.dmp | upx
behavioral2/memory/3164-341-0x0000000000400000-0x0000000000431000-memory.dmp | upx
behavioral2/memory/4412-344-0x0000000000400000-0x0000000000431000-memory.dmp | upx
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\svchost.com | 5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Synaptics.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ._cache_Synaptics.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\TypedURLs | ._cache_5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\TypedURLs | ._cache_Synaptics.exe
Modifies registry class 34 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
728 | EXCEL.EXE
Suspicious use of SetWindowsHookEx 10 IoCs
pid | Process
728 | EXCEL.EXE
728 | EXCEL.EXE
728 | EXCEL.EXE
728 | EXCEL.EXE
728 | EXCEL.EXE
728 | EXCEL.EXE
728 | EXCEL.EXE
728 | EXCEL.EXE
3164 | ._cache_5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe
4412 | ._cache_Synaptics.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 3940 wrote to memory of 1412 | 3940 | 5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe | 84
PID 3940 wrote to memory of 1412 | 3940 | 5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe | 84
PID 3940 wrote to memory of 1412 | 3940 | 5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe | 84
PID 1412 wrote to memory of 3164 | 1412 | 5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe | 86
PID 1412 wrote to memory of 3164 | 1412 | 5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe | 86
PID 1412 wrote to memory of 3164 | 1412 | 5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe | 86
PID 1412 wrote to memory of 4196 | 1412 | 5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe | 87
PID 1412 wrote to memory of 4196 | 1412 | 5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe | 87
PID 1412 wrote to memory of 4196 | 1412 | 5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe | 87
PID 4196 wrote to memory of 4412 | 4196 | Synaptics.exe | 88
PID 4196 wrote to memory of 4412 | 4196 | Synaptics.exe | 88
PID 4196 wrote to memory of 4412 | 4196 | Synaptics.exe | 88
Processes

C:\Users\Admin\AppData\Local\Temp\5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe"
    PID: 3940
    - Checks computer location settings
    - Modifies system executable filetype association
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\3582-490\5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe"
        PID: 1412
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\._cache_5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe"
            PID: 3164
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Modifies Internet Explorer settings
            - Modifies registry class
            - Suspicious use of SetWindowsHookEx

        C:\ProgramData\Synaptics\Synaptics.exe
            Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
            PID: 4196
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Modifies registry class
            - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
                PID: 4412
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Modifies Internet Explorer settings
                - Modifies registry class
                - Suspicious use of SetWindowsHookEx

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    PID: 728
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

Persistence
    Boot or Logon Autostart Execution (1)
        Registry Run Keys / Startup Folder (1)
    Event Triggered Execution (1)
        Change Default File Association (1)
Privilege Escalation
    Boot or Logon Autostart Execution (1)
        Registry Run Keys / Startup Folder (1)
    Event Triggered Execution (1)
        Change Default File Association (1)
Credential Access
    Credentials from Password Stores (1)
        Credentials from Web Browsers (1)
    Unsecured Credentials (1)
        Credentials In Files (1)
Downloads

Filesize: 86KB
MD5: 3b73078a714bf61d1c19ebc3afc0e454
SHA1: 9abeabd74613a2f533e2244c9ee6f967188e4e7e
SHA256: ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29
SHA512: 75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

Filesize: 1.6MB
MD5: 3a3a71a5df2d162555fcda9bc0993d74
SHA1: 95c7400f85325eba9b0a92abd80ea64b76917a1a
SHA256: 0a023355d1cc0a2348475d63aaf6aa0521d11e12a5c70102d7b3ebde092849e8
SHA512: 9ad76ccce76ccfe8292bca8def5bc7255e7ea0ba6d92130c4350da49a3d7faef2d46b08aaef1955f3f4ea0a2e22451562b5e08783a79f794724584e409cf7837

C:\Users\Admin\AppData\Local\Temp\._cache_5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe
Filesize: 74KB
MD5: 50fa0999fdcb73093fd97baeb588da63
SHA1: aee58afbdb9728b7229d68face88d22f0c489b71
SHA256: eefdef80e5a5fdfe4fede76fb38f389e43aaea2029f76867951c1cb309fd0089
SHA512: 4fcca37d3c566a3c81d0ac9d25942f85813b553f55acea3d70ebe7e3d6ba98fd5540edcd35eca72dccb700142b50477c6ec0021702c72c7569e17a0887b76e21

C:\Users\Admin\AppData\Local\Temp\3582-490\5cba7c1d08dcf2912a5abb0d0dc2bfec46138a7a628df9e025ba9a4eaf1eb5a9.exe
Filesize: 828KB
MD5: 7d5724acae0035a43ce2e1dbd26ad922
SHA1: 983f2ad2a4ba4a583642d60fd38037037a11145f
SHA256: 1c64ef3803d7117182aa028dcae107a4f37af2662df8b7935ecf5cd99b75b948
SHA512: 04d524c750d9d54ca1336361fab53c33ebcd1a625363546e1d0e1603db43c9854ca7325ac1e00da81a4e5853aae4c98d0caf148752411ab0663990b5eb6cc695

Filesize: 21KB
MD5: 5d7d9806a28c36c0014e5b67e519c425
SHA1: 1370a6ef562de305a1100041cbccc24ee6a340cb
SHA256: 6b9c87f43cc20ce193913cf35e1dd0eb964841a943bb6925b577a053bb3d3e3e
SHA512: 05498087a512577172ac3c8bc9ed3dbcfa9467e972fa601ced412405037c6c4ece1296099cd0464aa4c935793e383e43df3a34f575e99393cdef3f8a8130de7b

Filesize: 17KB
MD5: e566fc53051035e1e6fd0ed1823de0f9
SHA1: 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256: 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512: a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04