dd303e2aa332c790d1cc46d7bcd169b3d6cd5e05592e1ea7484a622cca669c85

Analysis

max time kernel
119s
max time network
140s
platform
windows7_x64
resource
win7v20201028
submitted
31-10-2020 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Syn3Updater_1.0.1.1.exe
Size

1.2MB
MD5

0dcc0a775ee770e59a21861e344f54b3
SHA1

0cb0f4d011111114a0f0994337e5a1b15a734a22
SHA256

dd303e2aa332c790d1cc46d7bcd169b3d6cd5e05592e1ea7484a622cca669c85
SHA512

4681f72f28c644af61ebfacac3eb231b5d952fffc363af2746f02ae3489a09abe0cee9fa17036651db32f0723f0dbdb43bead1c18002d70031eb0da960ee4df8

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Syn3Updater.exe

pid process

1616 Syn3Updater.exe

pid	process
1616	Syn3Updater.exe

Loads dropped DLL 10 IoCs

Processes:

Syn3Updater_1.0.1.1.exeSyn3Updater.exe

pid	process
2024	Syn3Updater_1.0.1.1.exe
2024	Syn3Updater_1.0.1.1.exe
2024	Syn3Updater_1.0.1.1.exe
2024	Syn3Updater_1.0.1.1.exe
2024	Syn3Updater_1.0.1.1.exe
2024	Syn3Updater_1.0.1.1.exe
1616	Syn3Updater.exe
1616	Syn3Updater.exe
1616	Syn3Updater.exe
1616	Syn3Updater.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 15 IoCs

Processes:

Syn3Updater_1.0.1.1.exe

description	ioc	process
File created	C:\Program Files (x86)\CyanLabs\Syn3Updater\Syn3Updater.exe.config	Syn3Updater_1.0.1.1.exe
File created	C:\Program Files (x86)\CyanLabs\Syn3Updater\de\Syn3Updater.resources.dll	Syn3Updater_1.0.1.1.exe
File created	C:\Program Files (x86)\CyanLabs\Syn3Updater\fr\Syn3Updater.resources.dll	Syn3Updater_1.0.1.1.exe
File created	C:\Program Files (x86)\CyanLabs\Syn3Updater\zh\Syn3Updater.resources.dll	Syn3Updater_1.0.1.1.exe
File created	C:\Program Files (x86)\CyanLabs\Syn3Updater\AutoUpdater.NET.dll	Syn3Updater_1.0.1.1.exe
File created	C:\Program Files (x86)\CyanLabs\Syn3Updater\Newtonsoft.Json.dll	Syn3Updater_1.0.1.1.exe
File created	C:\Program Files (x86)\CyanLabs\Syn3Updater\Syn3Updater.exe	Syn3Updater_1.0.1.1.exe
File created	C:\Program Files (x86)\CyanLabs\Syn3Updater\Microsoft.WindowsAPICodePack.Shell.dll	Syn3Updater_1.0.1.1.exe
File created	C:\Program Files (x86)\CyanLabs\Syn3Updater\Microsoft.WindowsAPICodePack.dll	Syn3Updater_1.0.1.1.exe
File created	C:\Program Files (x86)\CyanLabs\Syn3Updater\en-gb\Syn3Updater.resources.dll	Syn3Updater_1.0.1.1.exe
File created	C:\Program Files (x86)\CyanLabs\Syn3Updater\es\Syn3Updater.resources.dll	Syn3Updater_1.0.1.1.exe
File created	C:\Program Files (x86)\CyanLabs\Syn3Updater\uninst.exe	Syn3Updater_1.0.1.1.exe
File created	C:\Program Files (x86)\CyanLabs\Syn3Updater\en\Syn3Updater.resources.dll	Syn3Updater_1.0.1.1.exe
File created	C:\Program Files (x86)\CyanLabs\Syn3Updater\it\Syn3Updater.resources.dll	Syn3Updater_1.0.1.1.exe
File created	C:\Program Files (x86)\CyanLabs\Syn3Updater\ru\Syn3Updater.resources.dll	Syn3Updater_1.0.1.1.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
\Program Files (x86)\CyanLabs\Syn3Updater\uninst.exe	nsis_installer_1
\Program Files (x86)\CyanLabs\Syn3Updater\uninst.exe	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

Syn3Updater.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	Syn3Updater.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Syn3Updater.exe

description pid process

Token: SeDebugPrivilege 1616 Syn3Updater.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Syn3Updater.exe

pid process

1616 Syn3Updater.exe
1616 Syn3Updater.exe

description	pid	process
Token: SeDebugPrivilege	1616	Syn3Updater.exe

pid	process
1616	Syn3Updater.exe
1616	Syn3Updater.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Syn3Updater_1.0.1.1.exe

description	pid	process	target process
PID 2024 wrote to memory of 1616	2024	Syn3Updater_1.0.1.1.exe	Syn3Updater.exe
PID 2024 wrote to memory of 1616	2024	Syn3Updater_1.0.1.1.exe	Syn3Updater.exe
PID 2024 wrote to memory of 1616	2024	Syn3Updater_1.0.1.1.exe	Syn3Updater.exe
PID 2024 wrote to memory of 1616	2024	Syn3Updater_1.0.1.1.exe	Syn3Updater.exe
PID 2024 wrote to memory of 1616	2024	Syn3Updater_1.0.1.1.exe	Syn3Updater.exe
PID 2024 wrote to memory of 1616	2024	Syn3Updater_1.0.1.1.exe	Syn3Updater.exe
PID 2024 wrote to memory of 1616	2024	Syn3Updater_1.0.1.1.exe	Syn3Updater.exe

C:\Users\Admin\AppData\Local\Temp\Syn3Updater_1.0.1.1.exe
"C:\Users\Admin\AppData\Local\Temp\Syn3Updater_1.0.1.1.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2024

C:\Program Files (x86)\CyanLabs\Syn3Updater\Syn3Updater.exe
"C:\Program Files (x86)\CyanLabs\Syn3Updater\Syn3Updater.exe" /updated
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\CyanLabs\Syn3Updater\AutoUpdater.NET.dll

MD5
4919c59e98c927eb902a9370a45e71b8

SHA1
4c08f77658d33e5aec0c8873f02779a87ed09334

SHA256
0f2b1c726e47166cfe30f0edbd0939b3723bf3e63fc4dd9d8d178d85a4bcc72f

SHA512
99af63dcce2b058e425fe6eb5d1a3480aabb18a6db9a98d001e81624b492b176a3cd9355c4ad30877adba5a5a65a9a400a3df206500f3c8b76a06cdf492b03ea

Download Submit
C:\Program Files (x86)\CyanLabs\Syn3Updater\Syn3Updater.exe

MD5
bf9bc3cb8183838343f21b0010ec55ab

SHA1
df373c177fb8a75ca1658a851849d3d34b51ab03

SHA256
c2987dce934ef2633686ef752c9a614bc82780095b6bd650a6d579df7e212bce

SHA512
b48176a1d9b85779fa0d790acc108ecd6bd97195ae0dd18f7f5ce4eb52c134393b99920609c56c1bb0496cf49734a70d955deaf9af65151ccc48da120a765884

Download Submit
C:\Program Files (x86)\CyanLabs\Syn3Updater\Syn3Updater.exe

MD5
bf9bc3cb8183838343f21b0010ec55ab

SHA1
df373c177fb8a75ca1658a851849d3d34b51ab03

SHA256
c2987dce934ef2633686ef752c9a614bc82780095b6bd650a6d579df7e212bce

SHA512
b48176a1d9b85779fa0d790acc108ecd6bd97195ae0dd18f7f5ce4eb52c134393b99920609c56c1bb0496cf49734a70d955deaf9af65151ccc48da120a765884

Download Submit
C:\Program Files (x86)\CyanLabs\Syn3Updater\Syn3Updater.exe.config

MD5
55995cccdf32be905a5ed5c7917ceb47

SHA1
6af482131e6b348e65d898f9261f99316c7c04ba

SHA256
2b5567d2b347821bebfc0f2a45bc932bd705acc17f1ce5cdbba2a6b823d05b05

SHA512
c8e7c7486257d62e25d4a26d6157cf0ac00918f7a1a404df9f9dc025792887951324327aff57bdd069ae5e7bf53341f68b8a2b07aa64a815a320aadb719a560a

Download Submit
C:\Program Files (x86)\CyanLabs\Syn3Updater\en\Syn3Updater.resources.dll

MD5
fdb329b60a236727c471bcb6ef97b9d5

SHA1
317a2d7c242d84bfd9132a757dbe4847d4e97233

SHA256
d05013384456025653011c31d1c913609e87a2f12a8bb369d8cb5d04b1bb7bde

SHA512
64d033cc2e8c8f8238115175ff997dc494e390a3abdf2125858d742a9db00669b74a75ea77ae7edc0bab91ac73e93ab7f9b108c18f211f562711c941ecbc5d92

Download Submit
\Program Files (x86)\CyanLabs\Syn3Updater\AutoUpdater.NET.dll

MD5
4919c59e98c927eb902a9370a45e71b8

SHA1
4c08f77658d33e5aec0c8873f02779a87ed09334

SHA256
0f2b1c726e47166cfe30f0edbd0939b3723bf3e63fc4dd9d8d178d85a4bcc72f

SHA512
99af63dcce2b058e425fe6eb5d1a3480aabb18a6db9a98d001e81624b492b176a3cd9355c4ad30877adba5a5a65a9a400a3df206500f3c8b76a06cdf492b03ea

Download Submit
\Program Files (x86)\CyanLabs\Syn3Updater\AutoUpdater.NET.dll

MD5
4919c59e98c927eb902a9370a45e71b8

SHA1
4c08f77658d33e5aec0c8873f02779a87ed09334

SHA256
0f2b1c726e47166cfe30f0edbd0939b3723bf3e63fc4dd9d8d178d85a4bcc72f

SHA512
99af63dcce2b058e425fe6eb5d1a3480aabb18a6db9a98d001e81624b492b176a3cd9355c4ad30877adba5a5a65a9a400a3df206500f3c8b76a06cdf492b03ea

Download Submit
\Program Files (x86)\CyanLabs\Syn3Updater\Syn3Updater.exe

MD5
bf9bc3cb8183838343f21b0010ec55ab

SHA1
df373c177fb8a75ca1658a851849d3d34b51ab03

SHA256
c2987dce934ef2633686ef752c9a614bc82780095b6bd650a6d579df7e212bce

SHA512
b48176a1d9b85779fa0d790acc108ecd6bd97195ae0dd18f7f5ce4eb52c134393b99920609c56c1bb0496cf49734a70d955deaf9af65151ccc48da120a765884

Download Submit
\Program Files (x86)\CyanLabs\Syn3Updater\Syn3Updater.exe

MD5
bf9bc3cb8183838343f21b0010ec55ab

SHA1
df373c177fb8a75ca1658a851849d3d34b51ab03

SHA256
c2987dce934ef2633686ef752c9a614bc82780095b6bd650a6d579df7e212bce

SHA512
b48176a1d9b85779fa0d790acc108ecd6bd97195ae0dd18f7f5ce4eb52c134393b99920609c56c1bb0496cf49734a70d955deaf9af65151ccc48da120a765884

Download Submit
\Program Files (x86)\CyanLabs\Syn3Updater\Syn3Updater.exe

MD5
bf9bc3cb8183838343f21b0010ec55ab

SHA1
df373c177fb8a75ca1658a851849d3d34b51ab03

SHA256
c2987dce934ef2633686ef752c9a614bc82780095b6bd650a6d579df7e212bce

SHA512
b48176a1d9b85779fa0d790acc108ecd6bd97195ae0dd18f7f5ce4eb52c134393b99920609c56c1bb0496cf49734a70d955deaf9af65151ccc48da120a765884

Download Submit
\Program Files (x86)\CyanLabs\Syn3Updater\en\Syn3Updater.resources.dll

MD5
fdb329b60a236727c471bcb6ef97b9d5

SHA1
317a2d7c242d84bfd9132a757dbe4847d4e97233

SHA256
d05013384456025653011c31d1c913609e87a2f12a8bb369d8cb5d04b1bb7bde

SHA512
64d033cc2e8c8f8238115175ff997dc494e390a3abdf2125858d742a9db00669b74a75ea77ae7edc0bab91ac73e93ab7f9b108c18f211f562711c941ecbc5d92

Download Submit
\Program Files (x86)\CyanLabs\Syn3Updater\en\Syn3Updater.resources.dll

MD5
fdb329b60a236727c471bcb6ef97b9d5

SHA1
317a2d7c242d84bfd9132a757dbe4847d4e97233

SHA256
d05013384456025653011c31d1c913609e87a2f12a8bb369d8cb5d04b1bb7bde

SHA512
64d033cc2e8c8f8238115175ff997dc494e390a3abdf2125858d742a9db00669b74a75ea77ae7edc0bab91ac73e93ab7f9b108c18f211f562711c941ecbc5d92

Download Submit
\Program Files (x86)\CyanLabs\Syn3Updater\uninst.exe

MD5
645cd8b8e31c00b6a4570ddb9fb1c5b3

SHA1
4108643670eb5b8c97912ce0f70d64d44be7ab73

SHA256
9821c8308ee052ceb9780554081076c5346075dcc0faf64200b4deda5c829267

SHA512
56c5da0f736d9ab50d727cdd4cb7bcb57763f01c75ecee84ca396efe6e6ed7a4a0a0bdae36f15e20f2a515fc525cf0848b64f38ec4869e70d88c0c6000f4c61c

Download Submit
\Users\Admin\AppData\Local\Temp\nsi10F3.tmp\System.dll

MD5
0063d48afe5a0cdc02833145667b6641

SHA1
e7eb614805d183ecb1127c62decb1a6be1b4f7a8

SHA256
ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

SHA512
71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

Download Submit
\Users\Admin\AppData\Local\Temp\nsi10F3.tmp\nsDialogs.dll

MD5
6e64e5d5f9498058a300b26b8741d9d5

SHA1
837ce28e5e02788da63a7f1d8f20207d2b0bf523

SHA256
8d4b1c275fd1cd0782a265080b56d1aec8d1c93edca5ef3b050d1d20d7b61f33

SHA512
f53514d36021d79f85df2494d403f03589b3ad848889b9224f962cc932ef740f127131a914c7171ad8136ca1ef631285ea1c80576db18ccf8ea56940eb00ea1e

Download Submit
memory/544-22-0x000007FEF6510000-0x000007FEF678A000-memory.dmp

Filesize
2.5MB

Download
memory/1616-8-0x0000000074230000-0x000000007491E000-memory.dmp

Filesize
6.9MB

Download
memory/1616-11-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/1616-3-0x0000000000000000-mapping.dmp

Download
memory/1616-16-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/1616-21-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/1616-23-0x000000000C830000-0x000000000C831000-memory.dmp

Filesize
4KB

Download