Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

sync-installer.exe

windows7-x64

8

sync-installer.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    98s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    04/06/2023, 14:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sync-installer.exe

  • Size

    47.2MB

  • MD5

    3ec6f06cebbf559143794f86ded8fdea

  • SHA1

    77e2f0e0a59b72093bb65a26aa59ce061f3d5e3e

  • SHA256

    726e1acc63fcc6859f0d26d341a2a61cffcafb9eafdb39a27729103e7225d05b

  • SHA512

    53aea781de8230535f8c80ff2426d8092ea85ae79bc33532ccd7946ab5eb17faad98294939e34ec8955bd28dc557ccbf1c7a5c39e6583e1bc357dd8c34982917

  • SSDEEP

    786432:OaTrHQ8Vzeo30F+IJStJM5EIyFGGGGGGdfDn4s07xRFC3Mc9LSROtv06f0el3v:OaTrw8VeWQBJ+uAMsYRFC3FLSROG6f06

Score
8/10
persistence

Malware Config

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Registers COM server for autorun 1 TTPs 24 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\sync-installer.exe
    "C:\Users\Admin\AppData\Local\Temp\sync-installer.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1352
    • C:\Windows\SysWOW64\msiexec.exe
      msiexec.exe /lv C:\Users\Admin\Sync-1685890098.msi.log /passive /norestart /package C:\Users\Admin\Sync-1685890098.msi
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1804
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\System32\explorer.exe" C:\PROGRA~2\Sync\startfresh.vbs
      2⤵
        PID:748
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Blocklisted process makes network request
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Loads dropped DLL
      • Registers COM server for autorun
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:1208
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:268
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000049C" "0000000000000578"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:1388
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1308
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Sync\startfresh.vbs"
        2⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:452
        • C:\Program Files (x86)\Sync\sync-taskbar.exe
          "C:\Program Files (x86)\Sync\sync-taskbar.exe" --forcefreshconfig=1
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          PID:1396

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\6c7312.rbs
      Filesize

      30KB

      MD5

      8393247ee78c9c267c474bbf164720c3

      SHA1

      67607230fa85e7c15700487d6320ff9d407e282e

      SHA256

      845f3535028ce2cbe80bccc257dfaaf7c63a2e395e220f068313dc8efe6d39d2

      SHA512

      c0ffc74858f76fc59d1c66b9989ececb0a4fd70a41b2f970fb8c1693d16438ba0157500966cac846cfe65af82d7e6a6ae6b9fb5f0fe7ece42f06ca42048ea7e8

      Download Submit

    • C:\PROGRA~2\Sync\CrashSender1403.exe
      Filesize

      1.7MB

      MD5

      f1de8fec9f440a8fc647f578b9dfc4da

      SHA1

      e41acf9bd0808e60b17c130a4f7f93d335fef80a

      SHA256

      d7fe62a679d83e6ddb02ca52d27b73a106f32b66f8769269f7273562c2387922

      SHA512

      7a1d81f5e1c78816c9b1a21a808e9343dcba7ecb0f05bd47d28529ab4c1820c312ac6f546def92aaefe22c36f396de4c4042035c5133b16de6d3d8e02bfdcfe7

      Download Submit

    • C:\PROGRA~2\Sync\crashrpt_lang.ini
      Filesize

      8KB

      MD5

      771da39b527e886a247a0c0a33ffb715

      SHA1

      cb762abe50294a08a7823c246e02cd9347555b49

      SHA256

      763f0fe5af80055827fb2563af696bd1452c39be080720ab483d0ce6ac36ee92

      SHA512

      628382cf8a6035275b48d6ff3cf0dc17c2b61f65e4ef0f138990a09fd0cf09a4f821e2cb5780a3fddb49a01e3f6af1f379ed44bef290d39b0d04d5e110b7d9a5

      Download Submit

    • C:\Program Files (x86)\Sync\FreeImage.dll
      Filesize

      6.6MB

      MD5

      557ae816ce660e89b181536d9165d1c8

      SHA1

      db0c717c1e8517f657415254f10dba06dbc9cae4

      SHA256

      4594bd0538f7f6b05148b00996ff36ddfedef8d66910e931503dcfebf8efe1db

      SHA512

      fd5e544bbb5799545b2ca660fcd7970a3ddd93ffb557250811c7e54100760bc0c4f823eb3708ab5b1071c5e2fb5204b0946163c0bf25bb1c0124e5ea63efbe1c

      Download Submit

    • C:\Program Files (x86)\Sync\VCOMP140.DLL
      Filesize

      180KB

      MD5

      52204dfe5d83d5a7ce94deded15cac1e

      SHA1

      266537394a717e94cf22863b2f42d44ecb799c1d

      SHA256

      5fc1d087402556529319e412d599ae445845cca97d620fd4efc762632cb3dd28

      SHA512

      9021adaeffb376dd76416254ec1b5a28074cbb468debf7ae9fe9ae6f7b19d50d3178761e1be5b7471e5ced3658e0fe153e18f84273653f741a01a3e8814d64f0

      Download Submit

    • C:\Program Files (x86)\Sync\cacert.pem
      Filesize

      251KB

      MD5

      0a9b490a379c3e7e030ebc4e67a4efd6

      SHA1

      66f130a9b35f9c7c223ebaad19f904a648a07c50

      SHA256

      d471b34e5589ea22ac12958d21784608c35b64074dbc3f332d6bf0321e31ba71

      SHA512

      5e547d63132563f16deedaeb812694f54d3fdfef219278a8e23edb5a910c34bb645b46875b9b64d7c44da85c9e530f5eecc90dd93a0c48e2e314f5cf3bc192cc

      Download Submit

    • C:\Program Files (x86)\Sync\cfg.db
      Filesize

      84KB

      MD5

      563110bb9f0b8d5ba97748fb8edc0207

      SHA1

      44b29160cf7dfedcf38e65f7e33e7f3d55119f42

      SHA256

      e705eeda788187eac69fc4a05595d738298577f529f7ea83d861f57cf7760263

      SHA512

      13ae172ab039886a337ee2c5c4400dc686270b80734b1043eea3149c5c49608d246818167bfcc619003c5ad6233eee49f3aa1026127c351aa68fd92348034c18

      Download Submit

    • C:\Program Files (x86)\Sync\startfresh.vbs
      Filesize

      232B

      MD5

      028a36ca013d185fec4ca9adf7bd9efe

      SHA1

      c5c73378ec5b41403f32b02eb56aaef0a1c104fa

      SHA256

      e6ecf152a2948b7412536e8dd1a1205b39d4a80b969c951c5304895dfa7230db

      SHA512

      a3a04308261a365756d2ce1c4d0a014b45a6373774823a0a327c7e8489782c48b956dc1a946a25f16f198842f819a6cf155587546b863b92836e402886b0286c

      Download Submit

    • C:\Program Files (x86)\Sync\state.db
      Filesize

      208KB

      MD5

      9c3ccc7b8ed61067fd895739a2acd448

      SHA1

      43eb0e823bb03d2e45164ae972670e7ff4f6a5d5

      SHA256

      5287e023769a40e1805ac778fe2974c55ebdc3beccded4caa390af2d06d48327

      SHA512

      8cf9fd3501b909f6faefdf5c91dfd6fd06ca334dcbf6fdd08dd922f464ab3cbe061295b876e65cfbea694360985095f94283cec268e578eb9eb57c71367a14d9

      Download Submit

    • C:\Program Files (x86)\Sync\stats.db
      Filesize

      24KB

      MD5

      fa6a5ad48d04c1895df842ea805bd488

      SHA1

      ff86f6538c73d9571f21cabe933789cb26944793

      SHA256

      ac800ac27a3a13cc7ed0bfa2026ba0f26f23aec6fffa3ab3c7bff48c7ab4d4c3

      SHA512

      7af2178341b12e53fec7a4a874a294ae8a433a33caa8d91e704103df6a855c21730fae757e350a516b8010c3a3e952dee3c35a62a23feb1006e53260937937b2

      Download Submit

    • C:\Program Files (x86)\Sync\sync-taskbar.exe
      Filesize

      12.9MB

      MD5

      aa74c0143fd4bf3aaa25943814eed1c6

      SHA1

      20e47cdd75772ce6f5111b1fc5a9a527c895e16b

      SHA256

      6995cfa9b108f8fe96ba45a6bf56ff087275341544e10a9dbaf8d23d77fead31

      SHA512

      529fb02873478d5077ed9d844ead3e770f2baf82448743338d4e7fd5f084b11af2862fdeed658aee550c6822eea6869b14bc342b0e6b6145165a8c63040996fb

      Download Submit

    • C:\Program Files (x86)\Sync\sync-taskbar.exe
      Filesize

      12.9MB

      MD5

      aa74c0143fd4bf3aaa25943814eed1c6

      SHA1

      20e47cdd75772ce6f5111b1fc5a9a527c895e16b

      SHA256

      6995cfa9b108f8fe96ba45a6bf56ff087275341544e10a9dbaf8d23d77fead31

      SHA512

      529fb02873478d5077ed9d844ead3e770f2baf82448743338d4e7fd5f084b11af2862fdeed658aee550c6822eea6869b14bc342b0e6b6145165a8c63040996fb

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      62KB

      MD5

      3ac860860707baaf32469fa7cc7c0192

      SHA1

      c33c2acdaba0e6fa41fd2f00f186804722477639

      SHA256

      d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

      SHA512

      d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

      Download Submit

    • C:\Users\Admin\AppData\Local\Sync.Config\1.1\cfg.db
      Filesize

      84KB

      MD5

      899de0fd2174430fa4677ed64835a829

      SHA1

      e78f843cae7c01ad415a21b5dc04fda8da940ff5

      SHA256

      b3097f020d3bd32356e933bf45f2813e5f33107c4182432a706505cc0c59ca4b

      SHA512

      d4edc18c7bbe775d977ed5bdc8f9b1fe6839d0ba53951260910dde0ee4daba11c126024a0b3218a90f9315c576c657764dda89749394061589ec4f34db6c89f5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab7533.tmp
      Filesize

      61KB

      MD5

      fc4666cbca561e864e7fdf883a9e6661

      SHA1

      2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

      SHA256

      10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

      SHA512

      c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar7555.tmp
      Filesize

      161KB

      MD5

      73b4b714b42fc9a6aaefd0ae59adb009

      SHA1

      efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

      SHA256

      c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

      SHA512

      73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar78E4.tmp
      Filesize

      164KB

      MD5

      4ff65ad929cd9a367680e0e5b1c08166

      SHA1

      c0af0d4396bd1f15c45f39d3b849ba444233b3a2

      SHA256

      c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

      SHA512

      f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

      Download Submit

    • C:\Users\Admin\Sync-1685890098.msi
      Filesize

      21.5MB

      MD5

      6298e16bae84d78f98a29c1c09934717

      SHA1

      4c237363a4cfa386608780e05ee3a221c974ab7f

      SHA256

      2df785de004f9f2703f4f3c54e27b722b57695bb2a21b87fac97680b4f6b3fc2

      SHA512

      3d589ddffb77587895531beb343ca07dafc59c492e7b4a50b51b18a792e4f8add005222ca9bd9111aae3773f1fd3cf6ba5ae1b39971af20ee8266738b728b3d4

      Download Submit

    • C:\Users\Admin\Sync-1685890098.msi.log
      Filesize

      280KB

      MD5

      b78c1a4c706917b5fa550cb0d57c94d3

      SHA1

      0c50be404feb53f8b905af3bbe71a49dc39a63cd

      SHA256

      24fe0e0b6a334e1e4d970dd0dcdd3719b802f4d48c162daf78e196e209a495b7

      SHA512

      6303b698309a9d04adf015becd6d4e31fb37a34144e25ada5f530614cbfd3274ed65f6f05df3dda1ad6ff660464f966a19474f94e815d8a9c7b318893e1c91f3

      Download Submit

    • C:\Users\Admin\Sync-1685890098.msi.log
      Filesize

      2KB

      MD5

      f37b2cf8614a7827e4e385b9e26f0526

      SHA1

      60d5900c28e7e1ed49e9ae83240c008056fd13b5

      SHA256

      09d6482b89638823cdcf17a7d080ba5ff50e82283f48eea0c98f17fb1ab8b335

      SHA512

      490f9f9e514091bfe442bb87a6601899520fecb7e0fbabaa29a885a346a521df64fe7bcac9110a4dce7db406a449db1c5ea0ec15abfe0452b1a9471a249f300c

      Download Submit

    • C:\Windows\Installer\6c7313.msi
      Filesize

      21.5MB

      MD5

      6298e16bae84d78f98a29c1c09934717

      SHA1

      4c237363a4cfa386608780e05ee3a221c974ab7f

      SHA256

      2df785de004f9f2703f4f3c54e27b722b57695bb2a21b87fac97680b4f6b3fc2

      SHA512

      3d589ddffb77587895531beb343ca07dafc59c492e7b4a50b51b18a792e4f8add005222ca9bd9111aae3773f1fd3cf6ba5ae1b39971af20ee8266738b728b3d4

      Download Submit

    • \Program Files (x86)\Sync\FreeImage.dll
      Filesize

      6.6MB

      MD5

      557ae816ce660e89b181536d9165d1c8

      SHA1

      db0c717c1e8517f657415254f10dba06dbc9cae4

      SHA256

      4594bd0538f7f6b05148b00996ff36ddfedef8d66910e931503dcfebf8efe1db

      SHA512

      fd5e544bbb5799545b2ca660fcd7970a3ddd93ffb557250811c7e54100760bc0c4f823eb3708ab5b1071c5e2fb5204b0946163c0bf25bb1c0124e5ea63efbe1c

      Download Submit

    • \Program Files (x86)\Sync\sync-taskbar.exe
      Filesize

      12.9MB

      MD5

      aa74c0143fd4bf3aaa25943814eed1c6

      SHA1

      20e47cdd75772ce6f5111b1fc5a9a527c895e16b

      SHA256

      6995cfa9b108f8fe96ba45a6bf56ff087275341544e10a9dbaf8d23d77fead31

      SHA512

      529fb02873478d5077ed9d844ead3e770f2baf82448743338d4e7fd5f084b11af2862fdeed658aee550c6822eea6869b14bc342b0e6b6145165a8c63040996fb

      Download Submit

    • \Program Files (x86)\Sync\sync-taskbar.exe
      Filesize

      12.9MB

      MD5

      aa74c0143fd4bf3aaa25943814eed1c6

      SHA1

      20e47cdd75772ce6f5111b1fc5a9a527c895e16b

      SHA256

      6995cfa9b108f8fe96ba45a6bf56ff087275341544e10a9dbaf8d23d77fead31

      SHA512

      529fb02873478d5077ed9d844ead3e770f2baf82448743338d4e7fd5f084b11af2862fdeed658aee550c6822eea6869b14bc342b0e6b6145165a8c63040996fb

      Download Submit

    • \Program Files (x86)\Sync\sync-taskbar.exe
      Filesize

      12.9MB

      MD5

      aa74c0143fd4bf3aaa25943814eed1c6

      SHA1

      20e47cdd75772ce6f5111b1fc5a9a527c895e16b

      SHA256

      6995cfa9b108f8fe96ba45a6bf56ff087275341544e10a9dbaf8d23d77fead31

      SHA512

      529fb02873478d5077ed9d844ead3e770f2baf82448743338d4e7fd5f084b11af2862fdeed658aee550c6822eea6869b14bc342b0e6b6145165a8c63040996fb

      Download Submit

    • \Program Files (x86)\Sync\sync-taskbar.exe
      Filesize

      12.9MB

      MD5

      aa74c0143fd4bf3aaa25943814eed1c6

      SHA1

      20e47cdd75772ce6f5111b1fc5a9a527c895e16b

      SHA256

      6995cfa9b108f8fe96ba45a6bf56ff087275341544e10a9dbaf8d23d77fead31

      SHA512

      529fb02873478d5077ed9d844ead3e770f2baf82448743338d4e7fd5f084b11af2862fdeed658aee550c6822eea6869b14bc342b0e6b6145165a8c63040996fb

      Download Submit

    • \Program Files (x86)\Sync\sync-taskbar.exe
      Filesize

      12.9MB

      MD5

      aa74c0143fd4bf3aaa25943814eed1c6

      SHA1

      20e47cdd75772ce6f5111b1fc5a9a527c895e16b

      SHA256

      6995cfa9b108f8fe96ba45a6bf56ff087275341544e10a9dbaf8d23d77fead31

      SHA512

      529fb02873478d5077ed9d844ead3e770f2baf82448743338d4e7fd5f084b11af2862fdeed658aee550c6822eea6869b14bc342b0e6b6145165a8c63040996fb

      Download Submit

    • \Program Files (x86)\Sync\vcomp140.dll
      Filesize

      180KB

      MD5

      52204dfe5d83d5a7ce94deded15cac1e

      SHA1

      266537394a717e94cf22863b2f42d44ecb799c1d

      SHA256

      5fc1d087402556529319e412d599ae445845cca97d620fd4efc762632cb3dd28

      SHA512

      9021adaeffb376dd76416254ec1b5a28074cbb468debf7ae9fe9ae6f7b19d50d3178761e1be5b7471e5ced3658e0fe153e18f84273653f741a01a3e8814d64f0

      Download Submit