5b3d4395b0f5acd40bc20f4bf3930cbd14da3d240ad67f7ab9a65de0681e8742

General

Target

2d2f0c7af61867cd84f2e419a62cef16.exe
Size

117KB
MD5

2d2f0c7af61867cd84f2e419a62cef16
SHA1

e734bb114c2f47dc900d3a5a526db94f0b752ba0
SHA256

5b3d4395b0f5acd40bc20f4bf3930cbd14da3d240ad67f7ab9a65de0681e8742
SHA512

82a56fd148157c9957daa001b2dc0a31720e5a452a800e38fff2fae3661abab11f3cef04bdf4575bfb29d3a925e0b57bf65d809f6c8421721bad763dfd8eebd9

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

synic.exe

pid process

1716 synic.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

880 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

2d2f0c7af61867cd84f2e419a62cef16.exe

pid process

1048 2d2f0c7af61867cd84f2e419a62cef16.exe

pid	process
880	cmd.exe

pid	process
1048	2d2f0c7af61867cd84f2e419a62cef16.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

synic.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\Currentversion\Run	synic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\{8C10AF90-152A-D061-B84E-08DA70A7AFC9} = "C:\\Users\\Admin\\AppData\\Roaming\\Noetfo\\synic.exe"	synic.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2d2f0c7af61867cd84f2e419a62cef16.exe

description pid process target process

PID 1048 set thread context of 880 1048 2d2f0c7af61867cd84f2e419a62cef16.exe cmd.exe

description	pid	process	target process
PID 1048 set thread context of 880	1048	2d2f0c7af61867cd84f2e419a62cef16.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

2d2f0c7af61867cd84f2e419a62cef16.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Privacy	2d2f0c7af61867cd84f2e419a62cef16.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	2d2f0c7af61867cd84f2e419a62cef16.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

synic.exe

pid	process
1716	synic.exe
1716	synic.exe
1716	synic.exe
1716	synic.exe
1716	synic.exe
1716	synic.exe
1716	synic.exe
1716	synic.exe
1716	synic.exe
1716	synic.exe
1716	synic.exe
1716	synic.exe
1716	synic.exe
1716	synic.exe
1716	synic.exe
1716	synic.exe
1716	synic.exe
1716	synic.exe
1716	synic.exe
1716	synic.exe
1716	synic.exe
1716	synic.exe
1716	synic.exe
1716	synic.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

2d2f0c7af61867cd84f2e419a62cef16.exe

description	pid	process
Token: SeSecurityPrivilege	1048	2d2f0c7af61867cd84f2e419a62cef16.exe
Token: SeSecurityPrivilege	1048	2d2f0c7af61867cd84f2e419a62cef16.exe
Token: SeSecurityPrivilege	1048	2d2f0c7af61867cd84f2e419a62cef16.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

2d2f0c7af61867cd84f2e419a62cef16.exesynic.exe

pid process

1048 2d2f0c7af61867cd84f2e419a62cef16.exe
1716 synic.exe

pid	process
1048	2d2f0c7af61867cd84f2e419a62cef16.exe
1716	synic.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

2d2f0c7af61867cd84f2e419a62cef16.exesynic.exe

description	pid	process	target process
PID 1048 wrote to memory of 1716	1048	2d2f0c7af61867cd84f2e419a62cef16.exe	synic.exe
PID 1048 wrote to memory of 1716	1048	2d2f0c7af61867cd84f2e419a62cef16.exe	synic.exe
PID 1048 wrote to memory of 1716	1048	2d2f0c7af61867cd84f2e419a62cef16.exe	synic.exe
PID 1048 wrote to memory of 1716	1048	2d2f0c7af61867cd84f2e419a62cef16.exe	synic.exe
PID 1716 wrote to memory of 1116	1716	synic.exe	taskhost.exe
PID 1716 wrote to memory of 1116	1716	synic.exe	taskhost.exe
PID 1716 wrote to memory of 1116	1716	synic.exe	taskhost.exe
PID 1716 wrote to memory of 1116	1716	synic.exe	taskhost.exe
PID 1716 wrote to memory of 1116	1716	synic.exe	taskhost.exe
PID 1716 wrote to memory of 1200	1716	synic.exe	Dwm.exe
PID 1716 wrote to memory of 1200	1716	synic.exe	Dwm.exe
PID 1716 wrote to memory of 1200	1716	synic.exe	Dwm.exe
PID 1716 wrote to memory of 1200	1716	synic.exe	Dwm.exe
PID 1716 wrote to memory of 1200	1716	synic.exe	Dwm.exe
PID 1716 wrote to memory of 1232	1716	synic.exe	Explorer.EXE
PID 1716 wrote to memory of 1232	1716	synic.exe	Explorer.EXE
PID 1716 wrote to memory of 1232	1716	synic.exe	Explorer.EXE
PID 1716 wrote to memory of 1232	1716	synic.exe	Explorer.EXE
PID 1716 wrote to memory of 1232	1716	synic.exe	Explorer.EXE
PID 1716 wrote to memory of 1048	1716	synic.exe	2d2f0c7af61867cd84f2e419a62cef16.exe
PID 1716 wrote to memory of 1048	1716	synic.exe	2d2f0c7af61867cd84f2e419a62cef16.exe
PID 1716 wrote to memory of 1048	1716	synic.exe	2d2f0c7af61867cd84f2e419a62cef16.exe
PID 1716 wrote to memory of 1048	1716	synic.exe	2d2f0c7af61867cd84f2e419a62cef16.exe
PID 1716 wrote to memory of 1048	1716	synic.exe	2d2f0c7af61867cd84f2e419a62cef16.exe
PID 1048 wrote to memory of 880	1048	2d2f0c7af61867cd84f2e419a62cef16.exe	cmd.exe
PID 1048 wrote to memory of 880	1048	2d2f0c7af61867cd84f2e419a62cef16.exe	cmd.exe
PID 1048 wrote to memory of 880	1048	2d2f0c7af61867cd84f2e419a62cef16.exe	cmd.exe
PID 1048 wrote to memory of 880	1048	2d2f0c7af61867cd84f2e419a62cef16.exe	cmd.exe
PID 1048 wrote to memory of 880	1048	2d2f0c7af61867cd84f2e419a62cef16.exe	cmd.exe
PID 1048 wrote to memory of 880	1048	2d2f0c7af61867cd84f2e419a62cef16.exe	cmd.exe
PID 1048 wrote to memory of 880	1048	2d2f0c7af61867cd84f2e419a62cef16.exe	cmd.exe
PID 1048 wrote to memory of 880	1048	2d2f0c7af61867cd84f2e419a62cef16.exe	cmd.exe
PID 1048 wrote to memory of 880	1048	2d2f0c7af61867cd84f2e419a62cef16.exe	cmd.exe
PID 1716 wrote to memory of 568	1716	synic.exe	DllHost.exe
PID 1716 wrote to memory of 568	1716	synic.exe	DllHost.exe
PID 1716 wrote to memory of 568	1716	synic.exe	DllHost.exe
PID 1716 wrote to memory of 568	1716	synic.exe	DllHost.exe
PID 1716 wrote to memory of 568	1716	synic.exe	DllHost.exe
PID 1716 wrote to memory of 1528	1716	synic.exe	DllHost.exe
PID 1716 wrote to memory of 1528	1716	synic.exe	DllHost.exe
PID 1716 wrote to memory of 1528	1716	synic.exe	DllHost.exe
PID 1716 wrote to memory of 1528	1716	synic.exe	DllHost.exe
PID 1716 wrote to memory of 1528	1716	synic.exe	DllHost.exe
PID 1716 wrote to memory of 1588	1716	synic.exe	DllHost.exe
PID 1716 wrote to memory of 1588	1716	synic.exe	DllHost.exe
PID 1716 wrote to memory of 1588	1716	synic.exe	DllHost.exe
PID 1716 wrote to memory of 1588	1716	synic.exe	DllHost.exe
PID 1716 wrote to memory of 1588	1716	synic.exe	DllHost.exe
PID 1716 wrote to memory of 2032	1716	synic.exe	DllHost.exe
PID 1716 wrote to memory of 2032	1716	synic.exe	DllHost.exe
PID 1716 wrote to memory of 2032	1716	synic.exe	DllHost.exe
PID 1716 wrote to memory of 2032	1716	synic.exe	DllHost.exe
PID 1716 wrote to memory of 2032	1716	synic.exe	DllHost.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1232

C:\Users\Admin\AppData\Local\Temp\2d2f0c7af61867cd84f2e419a62cef16.exe
"C:\Users\Admin\AppData\Local\Temp\2d2f0c7af61867cd84f2e419a62cef16.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1048

C:\Users\Admin\AppData\Roaming\Noetfo\synic.exe
"C:\Users\Admin\AppData\Roaming\Noetfo\synic.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpbbaed002.bat"
3⤵
- Deletes itself
PID:880

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1200

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:568

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1528

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1588

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpbbaed002.bat
Filesize
243B

MD5
dc09c0d7848216a4df2f4ec579e72422

SHA1
85809704932824573247217845c01c6d164603e5

SHA256
516f8b1a962d0e7c935c0eb511957dbdf53b871af8ac967ffb239c8345ed73af

SHA512
38ca7006100bb9815de740b2b55cecf31649a6b50c17ea06ccbea4be86e0398894b70400d424152c005bed538af3d43a41ca05e4fb8c3d8737adfac9e48bd644

Download Submit
C:\Users\Admin\AppData\Roaming\Ecrala\leun.igl
Filesize
366B

MD5
e0981eba8eaadc172735324cf732d2cd

SHA1
5fb80ef71db2889766b66339506a6b4b6224e6c5

SHA256
6f82d0866ba97d723cd9b8501fd8954ead59f6d6b1d5b050993a6cad1357fd90

SHA512
cd9de9c51a8e0ba7cec6fe982faea112c7e5b4157b34ff48c17e25f25392a454bfa85b955633aec991fe2a46c50c7b174613ee6beb98673d74e4099cee0da48e

Download Submit
C:\Users\Admin\AppData\Roaming\Noetfo\synic.exe
Filesize
117KB

MD5
44ccaaff09eed1ff3de6c1debab07ab5

SHA1
bba3b3205f3ea6c76913a1dda4ab2127a829d51b

SHA256
365432f33823fc40f4066825613a0569b6d802225e22b6ef9260618cbb6bd7f6

SHA512
7ad66d1412d05965f7d1b99e945876f9c7ca22faf2b25c7184ee0bec11f56ae951c32a82bdb7e0c18b4581ab340cac3cc314a00da01749b6692c8774307bd0af

Download Submit
C:\Users\Admin\AppData\Roaming\Noetfo\synic.exe
Filesize
117KB

MD5
44ccaaff09eed1ff3de6c1debab07ab5

SHA1
bba3b3205f3ea6c76913a1dda4ab2127a829d51b

SHA256
365432f33823fc40f4066825613a0569b6d802225e22b6ef9260618cbb6bd7f6

SHA512
7ad66d1412d05965f7d1b99e945876f9c7ca22faf2b25c7184ee0bec11f56ae951c32a82bdb7e0c18b4581ab340cac3cc314a00da01749b6692c8774307bd0af

Download Submit
\Users\Admin\AppData\Roaming\Noetfo\synic.exe
Filesize
117KB

MD5
44ccaaff09eed1ff3de6c1debab07ab5

SHA1
bba3b3205f3ea6c76913a1dda4ab2127a829d51b

SHA256
365432f33823fc40f4066825613a0569b6d802225e22b6ef9260618cbb6bd7f6

SHA512
7ad66d1412d05965f7d1b99e945876f9c7ca22faf2b25c7184ee0bec11f56ae951c32a82bdb7e0c18b4581ab340cac3cc314a00da01749b6692c8774307bd0af

Download Submit
memory/568-108-0x0000000000230000-0x0000000000255000-memory.dmp

Filesize
148KB

Download
memory/568-107-0x0000000000230000-0x0000000000255000-memory.dmp

Filesize
148KB

Download
memory/568-109-0x0000000000230000-0x0000000000255000-memory.dmp

Filesize
148KB

Download
memory/568-110-0x0000000000230000-0x0000000000255000-memory.dmp

Filesize
148KB

Download
memory/880-93-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/880-104-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/880-99-0x000000000006A5AD-mapping.dmp

Download
memory/880-95-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/880-96-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/880-97-0x0000000000050000-0x0000000000075000-memory.dmp

Filesize
148KB

Download
memory/1048-90-0x0000000000530000-0x0000000000556000-memory.dmp

Filesize
152KB

Download
memory/1048-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1048-55-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1048-101-0x0000000000530000-0x0000000000555000-memory.dmp

Filesize
148KB

Download
memory/1048-100-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1048-57-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1048-83-0x0000000000530000-0x0000000000555000-memory.dmp

Filesize
148KB

Download
memory/1048-84-0x0000000000530000-0x0000000000555000-memory.dmp

Filesize
148KB

Download
memory/1048-85-0x0000000000530000-0x0000000000555000-memory.dmp

Filesize
148KB

Download
memory/1048-86-0x0000000000530000-0x0000000000555000-memory.dmp

Filesize
148KB

Download
memory/1048-87-0x0000000000530000-0x0000000000556000-memory.dmp

Filesize
152KB

Download
memory/1048-56-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1116-68-0x0000000001BC0000-0x0000000001BE5000-memory.dmp

Filesize
148KB

Download
memory/1116-63-0x0000000001BC0000-0x0000000001BE5000-memory.dmp

Filesize
148KB

Download
memory/1116-65-0x0000000001BC0000-0x0000000001BE5000-memory.dmp

Filesize
148KB

Download
memory/1116-66-0x0000000001BC0000-0x0000000001BE5000-memory.dmp

Filesize
148KB

Download
memory/1116-67-0x0000000001BC0000-0x0000000001BE5000-memory.dmp

Filesize
148KB

Download
memory/1200-72-0x00000000001A0000-0x00000000001C5000-memory.dmp

Filesize
148KB

Download
memory/1200-71-0x00000000001A0000-0x00000000001C5000-memory.dmp

Filesize
148KB

Download
memory/1200-74-0x00000000001A0000-0x00000000001C5000-memory.dmp

Filesize
148KB

Download
memory/1200-73-0x00000000001A0000-0x00000000001C5000-memory.dmp

Filesize
148KB

Download
memory/1232-79-0x00000000029D0000-0x00000000029F5000-memory.dmp

Filesize
148KB

Download
memory/1232-78-0x00000000029D0000-0x00000000029F5000-memory.dmp

Filesize
148KB

Download
memory/1232-80-0x00000000029D0000-0x00000000029F5000-memory.dmp

Filesize
148KB

Download
memory/1232-77-0x00000000029D0000-0x00000000029F5000-memory.dmp

Filesize
148KB

Download
memory/1528-116-0x0000000003A50000-0x0000000003A75000-memory.dmp

Filesize
148KB

Download
memory/1528-115-0x0000000003A50000-0x0000000003A75000-memory.dmp

Filesize
148KB

Download
memory/1528-118-0x0000000003A50000-0x0000000003A75000-memory.dmp

Filesize
148KB

Download
memory/1528-117-0x0000000003A50000-0x0000000003A75000-memory.dmp

Filesize
148KB

Download
memory/1588-121-0x0000000000210000-0x0000000000235000-memory.dmp

Filesize
148KB

Download
memory/1588-122-0x0000000000210000-0x0000000000235000-memory.dmp

Filesize
148KB

Download
memory/1588-123-0x0000000000210000-0x0000000000235000-memory.dmp

Filesize
148KB

Download
memory/1588-124-0x0000000000210000-0x0000000000235000-memory.dmp

Filesize
148KB

Download
memory/1716-113-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1716-88-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1716-111-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1716-89-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1716-59-0x0000000000000000-mapping.dmp

Download
memory/2032-127-0x0000000000310000-0x0000000000335000-memory.dmp

Filesize
148KB

Download
memory/2032-128-0x0000000000310000-0x0000000000335000-memory.dmp

Filesize
148KB

Download
memory/2032-129-0x0000000000310000-0x0000000000335000-memory.dmp

Filesize
148KB

Download
memory/2032-130-0x0000000000310000-0x0000000000335000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads