dd303e2aa332c790d1cc46d7bcd169b3d6cd5e05592e1ea7484a622cca669c85

Analysis

max time kernel
123s
max time network
125s
platform
windows10_x64
resource
win10v20201028
submitted
31-10-2020 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Syn3Updater_1.0.1.1.exe
Size

1.2MB
MD5

0dcc0a775ee770e59a21861e344f54b3
SHA1

0cb0f4d011111114a0f0994337e5a1b15a734a22
SHA256

dd303e2aa332c790d1cc46d7bcd169b3d6cd5e05592e1ea7484a622cca669c85
SHA512

4681f72f28c644af61ebfacac3eb231b5d952fffc363af2746f02ae3489a09abe0cee9fa17036651db32f0723f0dbdb43bead1c18002d70031eb0da960ee4df8

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Syn3Updater.exe

pid process

200 Syn3Updater.exe
Loads dropped DLL 6 IoCs

Processes:

Syn3Updater_1.0.1.1.exeSyn3Updater.exe

pid process

3944 Syn3Updater_1.0.1.1.exe
3944 Syn3Updater_1.0.1.1.exe
200 Syn3Updater.exe
200 Syn3Updater.exe
200 Syn3Updater.exe
200 Syn3Updater.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
200	Syn3Updater.exe

pid	process
3944	Syn3Updater_1.0.1.1.exe
3944	Syn3Updater_1.0.1.1.exe
200	Syn3Updater.exe
200	Syn3Updater.exe
200	Syn3Updater.exe
200	Syn3Updater.exe

Drops file in Program Files directory 15 IoCs

Processes:

Syn3Updater_1.0.1.1.exe

description	ioc	process
File created	C:\Program Files (x86)\CyanLabs\Syn3Updater\Microsoft.WindowsAPICodePack.Shell.dll	Syn3Updater_1.0.1.1.exe
File created	C:\Program Files (x86)\CyanLabs\Syn3Updater\Syn3Updater.exe	Syn3Updater_1.0.1.1.exe
File created	C:\Program Files (x86)\CyanLabs\Syn3Updater\es\Syn3Updater.resources.dll	Syn3Updater_1.0.1.1.exe
File created	C:\Program Files (x86)\CyanLabs\Syn3Updater\fr\Syn3Updater.resources.dll	Syn3Updater_1.0.1.1.exe
File created	C:\Program Files (x86)\CyanLabs\Syn3Updater\Syn3Updater.exe.config	Syn3Updater_1.0.1.1.exe
File created	C:\Program Files (x86)\CyanLabs\Syn3Updater\en\Syn3Updater.resources.dll	Syn3Updater_1.0.1.1.exe
File created	C:\Program Files (x86)\CyanLabs\Syn3Updater\uninst.exe	Syn3Updater_1.0.1.1.exe
File created	C:\Program Files (x86)\CyanLabs\Syn3Updater\de\Syn3Updater.resources.dll	Syn3Updater_1.0.1.1.exe
File created	C:\Program Files (x86)\CyanLabs\Syn3Updater\ru\Syn3Updater.resources.dll	Syn3Updater_1.0.1.1.exe
File created	C:\Program Files (x86)\CyanLabs\Syn3Updater\zh\Syn3Updater.resources.dll	Syn3Updater_1.0.1.1.exe
File created	C:\Program Files (x86)\CyanLabs\Syn3Updater\AutoUpdater.NET.dll	Syn3Updater_1.0.1.1.exe
File created	C:\Program Files (x86)\CyanLabs\Syn3Updater\Microsoft.WindowsAPICodePack.dll	Syn3Updater_1.0.1.1.exe
File created	C:\Program Files (x86)\CyanLabs\Syn3Updater\Newtonsoft.Json.dll	Syn3Updater_1.0.1.1.exe
File created	C:\Program Files (x86)\CyanLabs\Syn3Updater\en-gb\Syn3Updater.resources.dll	Syn3Updater_1.0.1.1.exe
File created	C:\Program Files (x86)\CyanLabs\Syn3Updater\it\Syn3Updater.resources.dll	Syn3Updater_1.0.1.1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Syn3Updater.exe

description pid process

Token: SeDebugPrivilege 200 Syn3Updater.exe

description	pid	process
Token: SeDebugPrivilege	200	Syn3Updater.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Syn3Updater_1.0.1.1.exe

description	pid	process	target process
PID 3944 wrote to memory of 200	3944	Syn3Updater_1.0.1.1.exe	Syn3Updater.exe
PID 3944 wrote to memory of 200	3944	Syn3Updater_1.0.1.1.exe	Syn3Updater.exe
PID 3944 wrote to memory of 200	3944	Syn3Updater_1.0.1.1.exe	Syn3Updater.exe

C:\Users\Admin\AppData\Local\Temp\Syn3Updater_1.0.1.1.exe
"C:\Users\Admin\AppData\Local\Temp\Syn3Updater_1.0.1.1.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3944

C:\Program Files (x86)\CyanLabs\Syn3Updater\Syn3Updater.exe
"C:\Program Files (x86)\CyanLabs\Syn3Updater\Syn3Updater.exe" /updated
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:200

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\CyanLabs\Syn3Updater\AutoUpdater.NET.dll
MD5
4919c59e98c927eb902a9370a45e71b8

SHA1
4c08f77658d33e5aec0c8873f02779a87ed09334

SHA256
0f2b1c726e47166cfe30f0edbd0939b3723bf3e63fc4dd9d8d178d85a4bcc72f

SHA512
99af63dcce2b058e425fe6eb5d1a3480aabb18a6db9a98d001e81624b492b176a3cd9355c4ad30877adba5a5a65a9a400a3df206500f3c8b76a06cdf492b03ea

Download Submit
C:\Program Files (x86)\CyanLabs\Syn3Updater\Syn3Updater.exe
MD5
bf9bc3cb8183838343f21b0010ec55ab

SHA1
df373c177fb8a75ca1658a851849d3d34b51ab03

SHA256
c2987dce934ef2633686ef752c9a614bc82780095b6bd650a6d579df7e212bce

SHA512
b48176a1d9b85779fa0d790acc108ecd6bd97195ae0dd18f7f5ce4eb52c134393b99920609c56c1bb0496cf49734a70d955deaf9af65151ccc48da120a765884

Download Submit
C:\Program Files (x86)\CyanLabs\Syn3Updater\Syn3Updater.exe
MD5
bf9bc3cb8183838343f21b0010ec55ab

SHA1
df373c177fb8a75ca1658a851849d3d34b51ab03

SHA256
c2987dce934ef2633686ef752c9a614bc82780095b6bd650a6d579df7e212bce

SHA512
b48176a1d9b85779fa0d790acc108ecd6bd97195ae0dd18f7f5ce4eb52c134393b99920609c56c1bb0496cf49734a70d955deaf9af65151ccc48da120a765884

Download Submit
C:\Program Files (x86)\CyanLabs\Syn3Updater\Syn3Updater.exe.config
MD5
55995cccdf32be905a5ed5c7917ceb47

SHA1
6af482131e6b348e65d898f9261f99316c7c04ba

SHA256
2b5567d2b347821bebfc0f2a45bc932bd705acc17f1ce5cdbba2a6b823d05b05

SHA512
c8e7c7486257d62e25d4a26d6157cf0ac00918f7a1a404df9f9dc025792887951324327aff57bdd069ae5e7bf53341f68b8a2b07aa64a815a320aadb719a560a

Download Submit
C:\Program Files (x86)\CyanLabs\Syn3Updater\en\Syn3Updater.resources.dll
MD5
fdb329b60a236727c471bcb6ef97b9d5

SHA1
317a2d7c242d84bfd9132a757dbe4847d4e97233

SHA256
d05013384456025653011c31d1c913609e87a2f12a8bb369d8cb5d04b1bb7bde

SHA512
64d033cc2e8c8f8238115175ff997dc494e390a3abdf2125858d742a9db00669b74a75ea77ae7edc0bab91ac73e93ab7f9b108c18f211f562711c941ecbc5d92

Download Submit
\Program Files (x86)\CyanLabs\Syn3Updater\AutoUpdater.NET.dll
MD5
4919c59e98c927eb902a9370a45e71b8

SHA1
4c08f77658d33e5aec0c8873f02779a87ed09334

SHA256
0f2b1c726e47166cfe30f0edbd0939b3723bf3e63fc4dd9d8d178d85a4bcc72f

SHA512
99af63dcce2b058e425fe6eb5d1a3480aabb18a6db9a98d001e81624b492b176a3cd9355c4ad30877adba5a5a65a9a400a3df206500f3c8b76a06cdf492b03ea

Download Submit
\Program Files (x86)\CyanLabs\Syn3Updater\AutoUpdater.NET.dll
MD5
4919c59e98c927eb902a9370a45e71b8

SHA1
4c08f77658d33e5aec0c8873f02779a87ed09334

SHA256
0f2b1c726e47166cfe30f0edbd0939b3723bf3e63fc4dd9d8d178d85a4bcc72f

SHA512
99af63dcce2b058e425fe6eb5d1a3480aabb18a6db9a98d001e81624b492b176a3cd9355c4ad30877adba5a5a65a9a400a3df206500f3c8b76a06cdf492b03ea

Download Submit
\Program Files (x86)\CyanLabs\Syn3Updater\en\Syn3Updater.resources.dll
MD5
fdb329b60a236727c471bcb6ef97b9d5

SHA1
317a2d7c242d84bfd9132a757dbe4847d4e97233

SHA256
d05013384456025653011c31d1c913609e87a2f12a8bb369d8cb5d04b1bb7bde

SHA512
64d033cc2e8c8f8238115175ff997dc494e390a3abdf2125858d742a9db00669b74a75ea77ae7edc0bab91ac73e93ab7f9b108c18f211f562711c941ecbc5d92

Download Submit
\Program Files (x86)\CyanLabs\Syn3Updater\en\Syn3Updater.resources.dll
MD5
fdb329b60a236727c471bcb6ef97b9d5

SHA1
317a2d7c242d84bfd9132a757dbe4847d4e97233

SHA256
d05013384456025653011c31d1c913609e87a2f12a8bb369d8cb5d04b1bb7bde

SHA512
64d033cc2e8c8f8238115175ff997dc494e390a3abdf2125858d742a9db00669b74a75ea77ae7edc0bab91ac73e93ab7f9b108c18f211f562711c941ecbc5d92

Download Submit
\Users\Admin\AppData\Local\Temp\nsf2D60.tmp\System.dll
MD5
0063d48afe5a0cdc02833145667b6641

SHA1
e7eb614805d183ecb1127c62decb1a6be1b4f7a8

SHA256
ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

SHA512
71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

Download Submit
\Users\Admin\AppData\Local\Temp\nsf2D60.tmp\nsDialogs.dll
MD5
6e64e5d5f9498058a300b26b8741d9d5

SHA1
837ce28e5e02788da63a7f1d8f20207d2b0bf523

SHA256
8d4b1c275fd1cd0782a265080b56d1aec8d1c93edca5ef3b050d1d20d7b61f33

SHA512
f53514d36021d79f85df2494d403f03589b3ad848889b9224f962cc932ef740f127131a914c7171ad8136ca1ef631285ea1c80576db18ccf8ea56940eb00ea1e

Download Submit
memory/200-5-0x0000000072FF0000-0x00000000736DE000-memory.dmp

Filesize
6.9MB

Download
memory/200-11-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/200-10-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/200-15-0x0000000008C20000-0x0000000008C21000-memory.dmp

Filesize
4KB

Download
memory/200-9-0x00000000059D0000-0x00000000059D1000-memory.dmp

Filesize
4KB

Download
memory/200-7-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/200-2-0x0000000000000000-mapping.dmp

Download
memory/200-20-0x00000000093A0000-0x00000000093A1000-memory.dmp

Filesize
4KB

Download
memory/200-21-0x000000000A640000-0x000000000A641000-memory.dmp

Filesize
4KB

Download