Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

sync-installer.exe

windows7-x64

8

sync-installer.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    98s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    04/06/2023, 14:47 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sync-installer.exe

  • Size

    47.2MB

  • MD5

    3ec6f06cebbf559143794f86ded8fdea

  • SHA1

    77e2f0e0a59b72093bb65a26aa59ce061f3d5e3e

  • SHA256

    726e1acc63fcc6859f0d26d341a2a61cffcafb9eafdb39a27729103e7225d05b

  • SHA512

    53aea781de8230535f8c80ff2426d8092ea85ae79bc33532ccd7946ab5eb17faad98294939e34ec8955bd28dc557ccbf1c7a5c39e6583e1bc357dd8c34982917

  • SSDEEP

    786432:OaTrHQ8Vzeo30F+IJStJM5EIyFGGGGGGdfDn4s07xRFC3Mc9LSROtv06f0el3v:OaTrw8VeWQBJ+uAMsYRFC3FLSROG6f06

Score
8/10
persistence

Malware Config

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Registers COM server for autorun 1 TTPs 24 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\sync-installer.exe
    "C:\Users\Admin\AppData\Local\Temp\sync-installer.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1352
    • C:\Windows\SysWOW64\msiexec.exe
      msiexec.exe /lv C:\Users\Admin\Sync-1685890098.msi.log /passive /norestart /package C:\Users\Admin\Sync-1685890098.msi
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1804
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\System32\explorer.exe" C:\PROGRA~2\Sync\startfresh.vbs
      2⤵
        PID:748
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Blocklisted process makes network request
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Loads dropped DLL
      • Registers COM server for autorun
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:1208
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:268
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000049C" "0000000000000578"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:1388
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1308
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Sync\startfresh.vbs"
        2⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:452
        • C:\Program Files (x86)\Sync\sync-taskbar.exe
          "C:\Program Files (x86)\Sync\sync-taskbar.exe" --forcefreshconfig=1
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          PID:1396

    Network

    • flag-us
      DNS
      secure20.sync.com
      sync-taskbar.exe
      Remote address:
      8.8.8.8:53
      Request
      secure20.sync.com
      IN A
      Response
      secure20.sync.com
      IN A
      54.243.226.218
      secure20.sync.com
      IN A
      52.1.179.207
    • flag-us
      DNS
      secure10.sync.com
      sync-taskbar.exe
      Remote address:
      8.8.8.8:53
      Request
      secure10.sync.com
      IN A
      Response
      secure10.sync.com
      IN A
      52.1.179.207
      secure10.sync.com
      IN A
      54.243.226.218
    • 54.243.226.218:443
      secure20.sync.com
      tls
      sync-taskbar.exe
      1.0kB
       4.1kB
       11
      14
    • 52.1.179.207:443
      secure10.sync.com
      tls
      sync-taskbar.exe
      1.1kB
       4.1kB
       12
      14
    • 8.8.8.8:53
      secure20.sync.com
      dns
      sync-taskbar.exe
      63 B
       95 B
       1
      1

      DNS Request

      secure20.sync.com

      DNS Response

      54.243.226.218
      52.1.179.207

    • 8.8.8.8:53
      secure10.sync.com
      dns
      sync-taskbar.exe
      63 B
       95 B
       1
      1

      DNS Request

      secure10.sync.com

      DNS Response

      52.1.179.207
      54.243.226.218

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\6c7312.rbs
      Filesize

      30KB

      MD5

      8393247ee78c9c267c474bbf164720c3

      SHA1

      67607230fa85e7c15700487d6320ff9d407e282e

      SHA256

      845f3535028ce2cbe80bccc257dfaaf7c63a2e395e220f068313dc8efe6d39d2

      SHA512

      c0ffc74858f76fc59d1c66b9989ececb0a4fd70a41b2f970fb8c1693d16438ba0157500966cac846cfe65af82d7e6a6ae6b9fb5f0fe7ece42f06ca42048ea7e8

      Download Submit

    • C:\PROGRA~2\Sync\CrashSender1403.exe
      Filesize

      1.7MB

      MD5

      f1de8fec9f440a8fc647f578b9dfc4da

      SHA1

      e41acf9bd0808e60b17c130a4f7f93d335fef80a

      SHA256

      d7fe62a679d83e6ddb02ca52d27b73a106f32b66f8769269f7273562c2387922

      SHA512

      7a1d81f5e1c78816c9b1a21a808e9343dcba7ecb0f05bd47d28529ab4c1820c312ac6f546def92aaefe22c36f396de4c4042035c5133b16de6d3d8e02bfdcfe7

      Download Submit

    • C:\PROGRA~2\Sync\crashrpt_lang.ini
      Filesize

      8KB

      MD5

      771da39b527e886a247a0c0a33ffb715

      SHA1

      cb762abe50294a08a7823c246e02cd9347555b49

      SHA256

      763f0fe5af80055827fb2563af696bd1452c39be080720ab483d0ce6ac36ee92

      SHA512

      628382cf8a6035275b48d6ff3cf0dc17c2b61f65e4ef0f138990a09fd0cf09a4f821e2cb5780a3fddb49a01e3f6af1f379ed44bef290d39b0d04d5e110b7d9a5

      Download Submit

    • C:\Program Files (x86)\Sync\FreeImage.dll
      Filesize

      6.6MB

      MD5

      557ae816ce660e89b181536d9165d1c8

      SHA1

      db0c717c1e8517f657415254f10dba06dbc9cae4

      SHA256

      4594bd0538f7f6b05148b00996ff36ddfedef8d66910e931503dcfebf8efe1db

      SHA512

      fd5e544bbb5799545b2ca660fcd7970a3ddd93ffb557250811c7e54100760bc0c4f823eb3708ab5b1071c5e2fb5204b0946163c0bf25bb1c0124e5ea63efbe1c

      Download Submit

    • C:\Program Files (x86)\Sync\VCOMP140.DLL
      Filesize

      180KB

      MD5

      52204dfe5d83d5a7ce94deded15cac1e

      SHA1

      266537394a717e94cf22863b2f42d44ecb799c1d

      SHA256

      5fc1d087402556529319e412d599ae445845cca97d620fd4efc762632cb3dd28

      SHA512

      9021adaeffb376dd76416254ec1b5a28074cbb468debf7ae9fe9ae6f7b19d50d3178761e1be5b7471e5ced3658e0fe153e18f84273653f741a01a3e8814d64f0

      Download Submit

    • C:\Program Files (x86)\Sync\cacert.pem
      Filesize

      251KB

      MD5

      0a9b490a379c3e7e030ebc4e67a4efd6

      SHA1

      66f130a9b35f9c7c223ebaad19f904a648a07c50

      SHA256

      d471b34e5589ea22ac12958d21784608c35b64074dbc3f332d6bf0321e31ba71

      SHA512

      5e547d63132563f16deedaeb812694f54d3fdfef219278a8e23edb5a910c34bb645b46875b9b64d7c44da85c9e530f5eecc90dd93a0c48e2e314f5cf3bc192cc

      Download Submit

    • C:\Program Files (x86)\Sync\cfg.db
      Filesize

      84KB

      MD5

      563110bb9f0b8d5ba97748fb8edc0207

      SHA1

      44b29160cf7dfedcf38e65f7e33e7f3d55119f42

      SHA256

      e705eeda788187eac69fc4a05595d738298577f529f7ea83d861f57cf7760263

      SHA512

      13ae172ab039886a337ee2c5c4400dc686270b80734b1043eea3149c5c49608d246818167bfcc619003c5ad6233eee49f3aa1026127c351aa68fd92348034c18

      Download Submit

    • C:\Program Files (x86)\Sync\startfresh.vbs
      Filesize

      232B

      MD5

      028a36ca013d185fec4ca9adf7bd9efe

      SHA1

      c5c73378ec5b41403f32b02eb56aaef0a1c104fa

      SHA256

      e6ecf152a2948b7412536e8dd1a1205b39d4a80b969c951c5304895dfa7230db

      SHA512

      a3a04308261a365756d2ce1c4d0a014b45a6373774823a0a327c7e8489782c48b956dc1a946a25f16f198842f819a6cf155587546b863b92836e402886b0286c

      Download Submit

    • C:\Program Files (x86)\Sync\state.db
      Filesize

      208KB

      MD5

      9c3ccc7b8ed61067fd895739a2acd448

      SHA1

      43eb0e823bb03d2e45164ae972670e7ff4f6a5d5

      SHA256

      5287e023769a40e1805ac778fe2974c55ebdc3beccded4caa390af2d06d48327

      SHA512

      8cf9fd3501b909f6faefdf5c91dfd6fd06ca334dcbf6fdd08dd922f464ab3cbe061295b876e65cfbea694360985095f94283cec268e578eb9eb57c71367a14d9

      Download Submit

    • C:\Program Files (x86)\Sync\stats.db
      Filesize

      24KB

      MD5

      fa6a5ad48d04c1895df842ea805bd488

      SHA1

      ff86f6538c73d9571f21cabe933789cb26944793

      SHA256

      ac800ac27a3a13cc7ed0bfa2026ba0f26f23aec6fffa3ab3c7bff48c7ab4d4c3

      SHA512

      7af2178341b12e53fec7a4a874a294ae8a433a33caa8d91e704103df6a855c21730fae757e350a516b8010c3a3e952dee3c35a62a23feb1006e53260937937b2

      Download Submit

    • C:\Program Files (x86)\Sync\sync-taskbar.exe
      Filesize

      12.9MB

      MD5

      aa74c0143fd4bf3aaa25943814eed1c6

      SHA1

      20e47cdd75772ce6f5111b1fc5a9a527c895e16b

      SHA256

      6995cfa9b108f8fe96ba45a6bf56ff087275341544e10a9dbaf8d23d77fead31

      SHA512

      529fb02873478d5077ed9d844ead3e770f2baf82448743338d4e7fd5f084b11af2862fdeed658aee550c6822eea6869b14bc342b0e6b6145165a8c63040996fb

      Download Submit

    • C:\Program Files (x86)\Sync\sync-taskbar.exe
      Filesize

      12.9MB

      MD5

      aa74c0143fd4bf3aaa25943814eed1c6

      SHA1

      20e47cdd75772ce6f5111b1fc5a9a527c895e16b

      SHA256

      6995cfa9b108f8fe96ba45a6bf56ff087275341544e10a9dbaf8d23d77fead31

      SHA512

      529fb02873478d5077ed9d844ead3e770f2baf82448743338d4e7fd5f084b11af2862fdeed658aee550c6822eea6869b14bc342b0e6b6145165a8c63040996fb

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      62KB

      MD5

      3ac860860707baaf32469fa7cc7c0192

      SHA1

      c33c2acdaba0e6fa41fd2f00f186804722477639

      SHA256

      d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

      SHA512

      d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

      Download Submit

    • C:\Users\Admin\AppData\Local\Sync.Config\1.1\cfg.db
      Filesize

      84KB

      MD5

      899de0fd2174430fa4677ed64835a829

      SHA1

      e78f843cae7c01ad415a21b5dc04fda8da940ff5

      SHA256

      b3097f020d3bd32356e933bf45f2813e5f33107c4182432a706505cc0c59ca4b

      SHA512

      d4edc18c7bbe775d977ed5bdc8f9b1fe6839d0ba53951260910dde0ee4daba11c126024a0b3218a90f9315c576c657764dda89749394061589ec4f34db6c89f5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab7533.tmp
      Filesize

      61KB

      MD5

      fc4666cbca561e864e7fdf883a9e6661

      SHA1

      2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

      SHA256

      10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

      SHA512

      c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar7555.tmp
      Filesize

      161KB

      MD5

      73b4b714b42fc9a6aaefd0ae59adb009

      SHA1

      efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

      SHA256

      c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

      SHA512

      73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar78E4.tmp
      Filesize

      164KB

      MD5

      4ff65ad929cd9a367680e0e5b1c08166

      SHA1

      c0af0d4396bd1f15c45f39d3b849ba444233b3a2

      SHA256

      c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

      SHA512

      f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

      Download Submit

    • C:\Users\Admin\Sync-1685890098.msi
      Filesize

      21.5MB

      MD5

      6298e16bae84d78f98a29c1c09934717

      SHA1

      4c237363a4cfa386608780e05ee3a221c974ab7f

      SHA256

      2df785de004f9f2703f4f3c54e27b722b57695bb2a21b87fac97680b4f6b3fc2

      SHA512

      3d589ddffb77587895531beb343ca07dafc59c492e7b4a50b51b18a792e4f8add005222ca9bd9111aae3773f1fd3cf6ba5ae1b39971af20ee8266738b728b3d4

      Download Submit

    • C:\Users\Admin\Sync-1685890098.msi.log
      Filesize

      280KB

      MD5

      b78c1a4c706917b5fa550cb0d57c94d3

      SHA1

      0c50be404feb53f8b905af3bbe71a49dc39a63cd

      SHA256

      24fe0e0b6a334e1e4d970dd0dcdd3719b802f4d48c162daf78e196e209a495b7

      SHA512

      6303b698309a9d04adf015becd6d4e31fb37a34144e25ada5f530614cbfd3274ed65f6f05df3dda1ad6ff660464f966a19474f94e815d8a9c7b318893e1c91f3

      Download Submit

    • C:\Users\Admin\Sync-1685890098.msi.log
      Filesize

      2KB

      MD5

      f37b2cf8614a7827e4e385b9e26f0526

      SHA1

      60d5900c28e7e1ed49e9ae83240c008056fd13b5

      SHA256

      09d6482b89638823cdcf17a7d080ba5ff50e82283f48eea0c98f17fb1ab8b335

      SHA512

      490f9f9e514091bfe442bb87a6601899520fecb7e0fbabaa29a885a346a521df64fe7bcac9110a4dce7db406a449db1c5ea0ec15abfe0452b1a9471a249f300c

      Download Submit

    • C:\Windows\Installer\6c7313.msi
      Filesize

      21.5MB

      MD5

      6298e16bae84d78f98a29c1c09934717

      SHA1

      4c237363a4cfa386608780e05ee3a221c974ab7f

      SHA256

      2df785de004f9f2703f4f3c54e27b722b57695bb2a21b87fac97680b4f6b3fc2

      SHA512

      3d589ddffb77587895531beb343ca07dafc59c492e7b4a50b51b18a792e4f8add005222ca9bd9111aae3773f1fd3cf6ba5ae1b39971af20ee8266738b728b3d4

      Download Submit

    • \Program Files (x86)\Sync\FreeImage.dll
      Filesize

      6.6MB

      MD5

      557ae816ce660e89b181536d9165d1c8

      SHA1

      db0c717c1e8517f657415254f10dba06dbc9cae4

      SHA256

      4594bd0538f7f6b05148b00996ff36ddfedef8d66910e931503dcfebf8efe1db

      SHA512

      fd5e544bbb5799545b2ca660fcd7970a3ddd93ffb557250811c7e54100760bc0c4f823eb3708ab5b1071c5e2fb5204b0946163c0bf25bb1c0124e5ea63efbe1c

      Download Submit

    • \Program Files (x86)\Sync\sync-taskbar.exe
      Filesize

      12.9MB

      MD5

      aa74c0143fd4bf3aaa25943814eed1c6

      SHA1

      20e47cdd75772ce6f5111b1fc5a9a527c895e16b

      SHA256

      6995cfa9b108f8fe96ba45a6bf56ff087275341544e10a9dbaf8d23d77fead31

      SHA512

      529fb02873478d5077ed9d844ead3e770f2baf82448743338d4e7fd5f084b11af2862fdeed658aee550c6822eea6869b14bc342b0e6b6145165a8c63040996fb

      Download Submit

    • \Program Files (x86)\Sync\sync-taskbar.exe
      Filesize

      12.9MB

      MD5

      aa74c0143fd4bf3aaa25943814eed1c6

      SHA1

      20e47cdd75772ce6f5111b1fc5a9a527c895e16b

      SHA256

      6995cfa9b108f8fe96ba45a6bf56ff087275341544e10a9dbaf8d23d77fead31

      SHA512

      529fb02873478d5077ed9d844ead3e770f2baf82448743338d4e7fd5f084b11af2862fdeed658aee550c6822eea6869b14bc342b0e6b6145165a8c63040996fb

      Download Submit

    • \Program Files (x86)\Sync\sync-taskbar.exe
      Filesize

      12.9MB

      MD5

      aa74c0143fd4bf3aaa25943814eed1c6

      SHA1

      20e47cdd75772ce6f5111b1fc5a9a527c895e16b

      SHA256

      6995cfa9b108f8fe96ba45a6bf56ff087275341544e10a9dbaf8d23d77fead31

      SHA512

      529fb02873478d5077ed9d844ead3e770f2baf82448743338d4e7fd5f084b11af2862fdeed658aee550c6822eea6869b14bc342b0e6b6145165a8c63040996fb

      Download Submit

    • \Program Files (x86)\Sync\sync-taskbar.exe
      Filesize

      12.9MB

      MD5

      aa74c0143fd4bf3aaa25943814eed1c6

      SHA1

      20e47cdd75772ce6f5111b1fc5a9a527c895e16b

      SHA256

      6995cfa9b108f8fe96ba45a6bf56ff087275341544e10a9dbaf8d23d77fead31

      SHA512

      529fb02873478d5077ed9d844ead3e770f2baf82448743338d4e7fd5f084b11af2862fdeed658aee550c6822eea6869b14bc342b0e6b6145165a8c63040996fb

      Download Submit

    • \Program Files (x86)\Sync\sync-taskbar.exe
      Filesize

      12.9MB

      MD5

      aa74c0143fd4bf3aaa25943814eed1c6

      SHA1

      20e47cdd75772ce6f5111b1fc5a9a527c895e16b

      SHA256

      6995cfa9b108f8fe96ba45a6bf56ff087275341544e10a9dbaf8d23d77fead31

      SHA512

      529fb02873478d5077ed9d844ead3e770f2baf82448743338d4e7fd5f084b11af2862fdeed658aee550c6822eea6869b14bc342b0e6b6145165a8c63040996fb

      Download Submit

    • \Program Files (x86)\Sync\vcomp140.dll
      Filesize

      180KB

      MD5

      52204dfe5d83d5a7ce94deded15cac1e

      SHA1

      266537394a717e94cf22863b2f42d44ecb799c1d

      SHA256

      5fc1d087402556529319e412d599ae445845cca97d620fd4efc762632cb3dd28

      SHA512

      9021adaeffb376dd76416254ec1b5a28074cbb468debf7ae9fe9ae6f7b19d50d3178761e1be5b7471e5ced3658e0fe153e18f84273653f741a01a3e8814d64f0

      Download Submit

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.