93fc4441b3648a74d3bc72cc5f34ced564ceca74a5e560961178b42a6c8416b0

Analysis

max time kernel
80s
max time network
70s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2022, 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Synapse Launcher.exe
Size

787KB
MD5

154e1239c1bb0e04b18f27aabffcd6e7
SHA1

0c72c4db91b8ae7e10271aece8db7efb5271f8ec
SHA256

93fc4441b3648a74d3bc72cc5f34ced564ceca74a5e560961178b42a6c8416b0
SHA512

52d4b91f4610a53ad41e0c73d129b218551ebb70e2162e1c268d84030dc77bc5411926a15fa44ba62f1a93e1c757287c842a217ea25602fac0db157742ee2a05
SSDEEP

6144:ARv5ZcPe5q67ue+MNhH0X4wz2HA/z0OqysLAilL2hJO5Hp2y9z89S49htWZ1BXtx:ARv5OIbhH0IwzyE8LyspL9z89x+zHFi

Score

9^/10

evasion trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	kbhRA41Nczhx.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1508	A5wh9eC.bin
3100	kbhRA41Nczhx.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	kbhRA41Nczhx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	kbhRA41Nczhx.exe

Loads dropped DLL 1 IoCs

pid	Process
3100	kbhRA41Nczhx.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	kbhRA41Nczhx.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	kbhRA41Nczhx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	kbhRA41Nczhx.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	kbhRA41Nczhx.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	kbhRA41Nczhx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	kbhRA41Nczhx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	kbhRA41Nczhx.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	kbhRA41Nczhx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor	kbhRA41Nczhx.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
880	Synapse Launcher.exe
1508	A5wh9eC.bin
3100	kbhRA41Nczhx.exe
3100	kbhRA41Nczhx.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	880	Synapse Launcher.exe
Token: SeDebugPrivilege	1508	A5wh9eC.bin
Token: SeDebugPrivilege	3100	kbhRA41Nczhx.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 1508	880	Synapse Launcher.exe	82
PID 880 wrote to memory of 1508	880	Synapse Launcher.exe	82
PID 880 wrote to memory of 1508	880	Synapse Launcher.exe	82
PID 1508 wrote to memory of 3100	1508	A5wh9eC.bin	84
PID 1508 wrote to memory of 3100	1508	A5wh9eC.bin	84
PID 1508 wrote to memory of 3100	1508	A5wh9eC.bin	84

C:\Users\Admin\AppData\Local\Temp\Synapse Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Synapse Launcher.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880
- C:\Users\Admin\AppData\Local\Temp\bin\A5wh9eC.bin
  "bin\A5wh9eC.bin"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Users\Admin\AppData\Local\Temp\bin\kbhRA41Nczhx.exe
    "bin\kbhRA41Nczhx.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bin\A5wh9eC.bin

Filesize
2.1MB

MD5
ab7ab99485c5fc2bceaae1050613761b

SHA1
0a28b44687d71f4d1caaf430b6b31b6f799d21c8

SHA256
e82f550c965fdbb7429804008461311b53baf9b0bf2436c0b391665ea2bc4ad4

SHA512
4061996c11e22fafa4d4be7b47aedc28f38fc410c84c274b24d5170f42a99240043ee4aa58d12ac4894ed1ef72a4f5eea539aac3e0875170de01b51b09ba4972

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\A5wh9eC.bin

Filesize
2.1MB

MD5
ab7ab99485c5fc2bceaae1050613761b

SHA1
0a28b44687d71f4d1caaf430b6b31b6f799d21c8

SHA256
e82f550c965fdbb7429804008461311b53baf9b0bf2436c0b391665ea2bc4ad4

SHA512
4061996c11e22fafa4d4be7b47aedc28f38fc410c84c274b24d5170f42a99240043ee4aa58d12ac4894ed1ef72a4f5eea539aac3e0875170de01b51b09ba4972

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\SLAgent.dll

Filesize
6.0MB

MD5
9b248dfff1d2b73fd639324741fe2e08

SHA1
e82684cd6858a6712eff69ace1707b3bcd464105

SHA256
39943c30732988289ca346902f007a72124bd98b82e08b0b9739241cdab4018e

SHA512
56784a895f113088e3c92ccd96f354473e5d849fb9d0798868ff5e9477f60854e8bc7c9759c63417c9298f8702abab266722439b445977c6e940da393b8b696c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\SLAgent.dll

Filesize
6.0MB

MD5
9b248dfff1d2b73fd639324741fe2e08

SHA1
e82684cd6858a6712eff69ace1707b3bcd464105

SHA256
39943c30732988289ca346902f007a72124bd98b82e08b0b9739241cdab4018e

SHA512
56784a895f113088e3c92ccd96f354473e5d849fb9d0798868ff5e9477f60854e8bc7c9759c63417c9298f8702abab266722439b445977c6e940da393b8b696c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\SynapseInjector.dll

Filesize
6.0MB

MD5
9b248dfff1d2b73fd639324741fe2e08

SHA1
e82684cd6858a6712eff69ace1707b3bcd464105

SHA256
39943c30732988289ca346902f007a72124bd98b82e08b0b9739241cdab4018e

SHA512
56784a895f113088e3c92ccd96f354473e5d849fb9d0798868ff5e9477f60854e8bc7c9759c63417c9298f8702abab266722439b445977c6e940da393b8b696c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\kbhRA41Nczhx.exe

Filesize
2.1MB

MD5
ab7ab99485c5fc2bceaae1050613761b

SHA1
0a28b44687d71f4d1caaf430b6b31b6f799d21c8

SHA256
e82f550c965fdbb7429804008461311b53baf9b0bf2436c0b391665ea2bc4ad4

SHA512
4061996c11e22fafa4d4be7b47aedc28f38fc410c84c274b24d5170f42a99240043ee4aa58d12ac4894ed1ef72a4f5eea539aac3e0875170de01b51b09ba4972

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\kbhRA41Nczhx.exe

Filesize
2.1MB

MD5
ab7ab99485c5fc2bceaae1050613761b

SHA1
0a28b44687d71f4d1caaf430b6b31b6f799d21c8

SHA256
e82f550c965fdbb7429804008461311b53baf9b0bf2436c0b391665ea2bc4ad4

SHA512
4061996c11e22fafa4d4be7b47aedc28f38fc410c84c274b24d5170f42a99240043ee4aa58d12ac4894ed1ef72a4f5eea539aac3e0875170de01b51b09ba4972

Download Submit
memory/880-133-0x0000000005DE0000-0x0000000006384000-memory.dmp

Filesize
5.6MB

Download
memory/880-135-0x0000000008C60000-0x0000000008C82000-memory.dmp

Filesize
136KB

Download
memory/880-134-0x00000000056B0000-0x0000000005742000-memory.dmp

Filesize
584KB

Download
memory/880-132-0x0000000000BB0000-0x0000000000C7A000-memory.dmp

Filesize
808KB

Download
memory/1508-139-0x0000000000C90000-0x0000000000EA8000-memory.dmp

Filesize
2.1MB

Download
memory/3100-169-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-178-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-147-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-148-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-150-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-151-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-152-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-153-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-154-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-155-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-156-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-157-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-158-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-160-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-161-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-162-0x0000000006810000-0x0000000006818000-memory.dmp

Filesize
32KB

Download
memory/3100-163-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-164-0x000000000AC90000-0x000000000ACC8000-memory.dmp

Filesize
224KB

Download
memory/3100-165-0x000000000AC60000-0x000000000AC6E000-memory.dmp

Filesize
56KB

Download
memory/3100-167-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-168-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-170-0x0000000005AA0000-0x0000000005AF0000-memory.dmp

Filesize
320KB

Download
memory/3100-171-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-173-0x000000000AC70000-0x000000000AC82000-memory.dmp

Filesize
72KB

Download
memory/3100-172-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-174-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-176-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-177-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-146-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-179-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-181-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-180-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-183-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-182-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-184-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-185-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-186-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-188-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-187-0x000000000C630000-0x000000000CB5C000-memory.dmp

Filesize
5.2MB

Download
memory/3100-189-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-190-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-191-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-192-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-193-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-194-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-195-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-196-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-197-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-198-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-199-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-200-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-201-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-202-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-203-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-204-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download
memory/3100-205-0x000000006D0F0000-0x000000006E016000-memory.dmp

Filesize
15.1MB

Download