Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

sync-installer.exe

windows7-x64

8

sync-installer.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    140s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/06/2023, 14:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sync-installer.exe

  • Size

    47.2MB

  • MD5

    3ec6f06cebbf559143794f86ded8fdea

  • SHA1

    77e2f0e0a59b72093bb65a26aa59ce061f3d5e3e

  • SHA256

    726e1acc63fcc6859f0d26d341a2a61cffcafb9eafdb39a27729103e7225d05b

  • SHA512

    53aea781de8230535f8c80ff2426d8092ea85ae79bc33532ccd7946ab5eb17faad98294939e34ec8955bd28dc557ccbf1c7a5c39e6583e1bc357dd8c34982917

  • SSDEEP

    786432:OaTrHQ8Vzeo30F+IJStJM5EIyFGGGGGGdfDn4s07xRFC3Mc9LSROtv06f0el3v:OaTrw8VeWQBJ+uAMsYRFC3FLSROG6f06

Score
8/10
persistence

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Registers COM server for autorun 1 TTPs 24 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\sync-installer.exe
    "C:\Users\Admin\AppData\Local\Temp\sync-installer.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2580
    • C:\Windows\SysWOW64\msiexec.exe
      msiexec.exe /lv C:\Users\Admin\Sync-1685890099.msi.log /passive /norestart /package C:\Users\Admin\Sync-1685890099.msi
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:808
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\System32\explorer.exe" C:\PROGRA~2\Sync\startfresh.vbs
      2⤵
        PID:1720
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Blocklisted process makes network request
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Registers COM server for autorun
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3012
      • C:\Windows\system32\srtasks.exe
        C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
        2⤵
          PID:2036
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Checks SCSI registry key(s)
        • Suspicious use of AdjustPrivilegeToken
        PID:3876
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
        1⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3136
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Sync\startfresh.vbs"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4304
          • C:\Program Files (x86)\Sync\sync-taskbar.exe
            "C:\Program Files (x86)\Sync\sync-taskbar.exe" --forcefreshconfig=1
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            PID:1884

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Config.Msi\e5705fd.rbs
        Filesize

        32KB

        MD5

        df1fec05cefcf553d0e502b1e5b014ca

        SHA1

        600653c08d1cc6bb739dbebb60f63b26e307447a

        SHA256

        478094b6d1c00fe0ea5a5b41946d1226836a6756f4847c99e7a04713171a4ffc

        SHA512

        369fec59fc9e4ffd6e37494ca3685133ae442643ae6374e0ef2916775638237505fc7df1a3adc40c74de9a23a11d6e98f3300d779f681d13276e536172505221

        Download Submit

      • C:\PROGRA~2\Sync\CrashSender1403.exe
        Filesize

        1.7MB

        MD5

        f1de8fec9f440a8fc647f578b9dfc4da

        SHA1

        e41acf9bd0808e60b17c130a4f7f93d335fef80a

        SHA256

        d7fe62a679d83e6ddb02ca52d27b73a106f32b66f8769269f7273562c2387922

        SHA512

        7a1d81f5e1c78816c9b1a21a808e9343dcba7ecb0f05bd47d28529ab4c1820c312ac6f546def92aaefe22c36f396de4c4042035c5133b16de6d3d8e02bfdcfe7

        Download Submit

      • C:\PROGRA~2\Sync\crashrpt_lang.ini
        Filesize

        8KB

        MD5

        771da39b527e886a247a0c0a33ffb715

        SHA1

        cb762abe50294a08a7823c246e02cd9347555b49

        SHA256

        763f0fe5af80055827fb2563af696bd1452c39be080720ab483d0ce6ac36ee92

        SHA512

        628382cf8a6035275b48d6ff3cf0dc17c2b61f65e4ef0f138990a09fd0cf09a4f821e2cb5780a3fddb49a01e3f6af1f379ed44bef290d39b0d04d5e110b7d9a5

        Download Submit

      • C:\Program Files (x86)\Sync\FreeImage.dll
        Filesize

        6.6MB

        MD5

        557ae816ce660e89b181536d9165d1c8

        SHA1

        db0c717c1e8517f657415254f10dba06dbc9cae4

        SHA256

        4594bd0538f7f6b05148b00996ff36ddfedef8d66910e931503dcfebf8efe1db

        SHA512

        fd5e544bbb5799545b2ca660fcd7970a3ddd93ffb557250811c7e54100760bc0c4f823eb3708ab5b1071c5e2fb5204b0946163c0bf25bb1c0124e5ea63efbe1c

        Download Submit

      • C:\Program Files (x86)\Sync\FreeImage.dll
        Filesize

        6.6MB

        MD5

        557ae816ce660e89b181536d9165d1c8

        SHA1

        db0c717c1e8517f657415254f10dba06dbc9cae4

        SHA256

        4594bd0538f7f6b05148b00996ff36ddfedef8d66910e931503dcfebf8efe1db

        SHA512

        fd5e544bbb5799545b2ca660fcd7970a3ddd93ffb557250811c7e54100760bc0c4f823eb3708ab5b1071c5e2fb5204b0946163c0bf25bb1c0124e5ea63efbe1c

        Download Submit

      • C:\Program Files (x86)\Sync\VCOMP140.DLL
        Filesize

        180KB

        MD5

        52204dfe5d83d5a7ce94deded15cac1e

        SHA1

        266537394a717e94cf22863b2f42d44ecb799c1d

        SHA256

        5fc1d087402556529319e412d599ae445845cca97d620fd4efc762632cb3dd28

        SHA512

        9021adaeffb376dd76416254ec1b5a28074cbb468debf7ae9fe9ae6f7b19d50d3178761e1be5b7471e5ced3658e0fe153e18f84273653f741a01a3e8814d64f0

        Download Submit

      • C:\Program Files (x86)\Sync\cacert.pem
        Filesize

        251KB

        MD5

        0a9b490a379c3e7e030ebc4e67a4efd6

        SHA1

        66f130a9b35f9c7c223ebaad19f904a648a07c50

        SHA256

        d471b34e5589ea22ac12958d21784608c35b64074dbc3f332d6bf0321e31ba71

        SHA512

        5e547d63132563f16deedaeb812694f54d3fdfef219278a8e23edb5a910c34bb645b46875b9b64d7c44da85c9e530f5eecc90dd93a0c48e2e314f5cf3bc192cc

        Download Submit

      • C:\Program Files (x86)\Sync\cfg.db
        Filesize

        84KB

        MD5

        563110bb9f0b8d5ba97748fb8edc0207

        SHA1

        44b29160cf7dfedcf38e65f7e33e7f3d55119f42

        SHA256

        e705eeda788187eac69fc4a05595d738298577f529f7ea83d861f57cf7760263

        SHA512

        13ae172ab039886a337ee2c5c4400dc686270b80734b1043eea3149c5c49608d246818167bfcc619003c5ad6233eee49f3aa1026127c351aa68fd92348034c18

        Download Submit

      • C:\Program Files (x86)\Sync\startfresh.vbs
        Filesize

        232B

        MD5

        028a36ca013d185fec4ca9adf7bd9efe

        SHA1

        c5c73378ec5b41403f32b02eb56aaef0a1c104fa

        SHA256

        e6ecf152a2948b7412536e8dd1a1205b39d4a80b969c951c5304895dfa7230db

        SHA512

        a3a04308261a365756d2ce1c4d0a014b45a6373774823a0a327c7e8489782c48b956dc1a946a25f16f198842f819a6cf155587546b863b92836e402886b0286c

        Download Submit

      • C:\Program Files (x86)\Sync\state.db
        Filesize

        208KB

        MD5

        9c3ccc7b8ed61067fd895739a2acd448

        SHA1

        43eb0e823bb03d2e45164ae972670e7ff4f6a5d5

        SHA256

        5287e023769a40e1805ac778fe2974c55ebdc3beccded4caa390af2d06d48327

        SHA512

        8cf9fd3501b909f6faefdf5c91dfd6fd06ca334dcbf6fdd08dd922f464ab3cbe061295b876e65cfbea694360985095f94283cec268e578eb9eb57c71367a14d9

        Download Submit

      • C:\Program Files (x86)\Sync\stats.db
        Filesize

        24KB

        MD5

        fa6a5ad48d04c1895df842ea805bd488

        SHA1

        ff86f6538c73d9571f21cabe933789cb26944793

        SHA256

        ac800ac27a3a13cc7ed0bfa2026ba0f26f23aec6fffa3ab3c7bff48c7ab4d4c3

        SHA512

        7af2178341b12e53fec7a4a874a294ae8a433a33caa8d91e704103df6a855c21730fae757e350a516b8010c3a3e952dee3c35a62a23feb1006e53260937937b2

        Download Submit

      • C:\Program Files (x86)\Sync\sync-taskbar.exe
        Filesize

        12.9MB

        MD5

        aa74c0143fd4bf3aaa25943814eed1c6

        SHA1

        20e47cdd75772ce6f5111b1fc5a9a527c895e16b

        SHA256

        6995cfa9b108f8fe96ba45a6bf56ff087275341544e10a9dbaf8d23d77fead31

        SHA512

        529fb02873478d5077ed9d844ead3e770f2baf82448743338d4e7fd5f084b11af2862fdeed658aee550c6822eea6869b14bc342b0e6b6145165a8c63040996fb

        Download Submit

      • C:\Program Files (x86)\Sync\sync-taskbar.exe
        Filesize

        12.9MB

        MD5

        aa74c0143fd4bf3aaa25943814eed1c6

        SHA1

        20e47cdd75772ce6f5111b1fc5a9a527c895e16b

        SHA256

        6995cfa9b108f8fe96ba45a6bf56ff087275341544e10a9dbaf8d23d77fead31

        SHA512

        529fb02873478d5077ed9d844ead3e770f2baf82448743338d4e7fd5f084b11af2862fdeed658aee550c6822eea6869b14bc342b0e6b6145165a8c63040996fb

        Download Submit

      • C:\Program Files (x86)\Sync\vcomp140.dll
        Filesize

        180KB

        MD5

        52204dfe5d83d5a7ce94deded15cac1e

        SHA1

        266537394a717e94cf22863b2f42d44ecb799c1d

        SHA256

        5fc1d087402556529319e412d599ae445845cca97d620fd4efc762632cb3dd28

        SHA512

        9021adaeffb376dd76416254ec1b5a28074cbb468debf7ae9fe9ae6f7b19d50d3178761e1be5b7471e5ced3658e0fe153e18f84273653f741a01a3e8814d64f0

        Download Submit

      • C:\Users\Admin\Sync-1685890099.msi
        Filesize

        21.5MB

        MD5

        6298e16bae84d78f98a29c1c09934717

        SHA1

        4c237363a4cfa386608780e05ee3a221c974ab7f

        SHA256

        2df785de004f9f2703f4f3c54e27b722b57695bb2a21b87fac97680b4f6b3fc2

        SHA512

        3d589ddffb77587895531beb343ca07dafc59c492e7b4a50b51b18a792e4f8add005222ca9bd9111aae3773f1fd3cf6ba5ae1b39971af20ee8266738b728b3d4

        Download Submit

      • C:\Users\Admin\Sync-1685890099.msi.log
        Filesize

        2KB

        MD5

        b8f20c4127492e8df8a1c813a9a9d621

        SHA1

        333cfa6b682e5657e053c3e3529b79f8d3e8264b

        SHA256

        40ac2465665668fd7a108476a22812ff8c4cbc91f667938892f86b084dd566eb

        SHA512

        03dd407cc27320750535efbcbcdea8a7b42f07282588a2a8e58cb4f24a54bc3d15c7207428835dd5e2521e4c1e66ad5cd02b53f13a05b10b50933e5bf786a1fa

        Download Submit

      • C:\Users\Admin\Sync-1685890099.msi.log
        Filesize

        283KB

        MD5

        99850e918c82ca323e17bbde15fe2c5e

        SHA1

        24827871bf5fd6c610e5e6c2b327eaf121035e64

        SHA256

        9eee42608453ea7d96cf6ed11d3ed6dae2c52caa726d30b04b0f3a75dd97a04f

        SHA512

        374e47110a230819c2d9455e5c5c94eca93c990f6efb9b042b17bcc88773d9127a6b9e2a489d31cba9a17b20c36e78c8bf4a859af5f7331a147e8b6c0d9262ce

        Download Submit

      • C:\Windows\Installer\e5705fe.msi
        Filesize

        21.5MB

        MD5

        6298e16bae84d78f98a29c1c09934717

        SHA1

        4c237363a4cfa386608780e05ee3a221c974ab7f

        SHA256

        2df785de004f9f2703f4f3c54e27b722b57695bb2a21b87fac97680b4f6b3fc2

        SHA512

        3d589ddffb77587895531beb343ca07dafc59c492e7b4a50b51b18a792e4f8add005222ca9bd9111aae3773f1fd3cf6ba5ae1b39971af20ee8266738b728b3d4

        Download Submit

      • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
        Filesize

        23.0MB

        MD5

        afd1eddb6fe12b84a259797ac337a876

        SHA1

        3b71833dd208c4cf83b9f6affe68222324314805

        SHA256

        bf0ec2f643713d82cf215f0a2629fb2b327dc19184f50803bc7ce60b8cf98804

        SHA512

        41f0c6aa4177e843f48771c2c22b706b797ef76913b90b64ca7a7bb4493a76ff45402b2648270006397af716d0fe1e034edbe3cfe81d271619507bd75718c7f1

        Download Submit

      • \??\Volume{af0fc727-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{fa7479b5-bccd-4ce5-8c81-2d4b7cd6d1d7}_OnDiskSnapshotProp
        Filesize

        5KB

        MD5

        58fc97ae9523ed8ad66c5ffd8bbf9639

        SHA1

        0c524c2408056113613f00f20d518d66d452a5a6

        SHA256

        a94ed269eaea08a45de9d8139d28b7b87416a68ceb46d3e596ef505879b2289f

        SHA512

        a133664882407630699089ebf230a63fbf736536dc62aa924cbeeb7d5a944742487e73ab03c4f643d94d887534190ef64ad001b70b964d8c4875b61f53aaed60

        Download Submit