Analysis

  • max time kernel
    136s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-06-2023 22:31

General

  • Target

    https://github.com/SynapseCracked/SynapseX/blob/main/SynapseX%20Cracked/SynapseX.exe

Malware Config

Extracted

Family

mercurialgrabber

C2

https://discord.com/api/webhooks/873343890944573471/I1S2G6R_cNiuB_s5CHOhENiNydaR9xR_r88ljvdOtVPXkOC2CYj4BVOXuzk4qVJbdSZz

Signatures

  • Mercurial Grabber Stealer

    Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

  • Looks for VirtualBox Guest Additions in registry (2 TTPs, 2 IoCs)
  • Downloads MZ/PE file
  • Looks for VMWare Tools registry key (2 TTPs, 2 IoCs)
  • Checks BIOS information in registry (2 TTPs, 2 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  • Looks up external IP address via web service (7 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry (3 TTPs, 4 IoCs)

    Disk information is often read in order to detect sandboxing environments.

  • Program crash (2 IoCs)
  • Checks SCSI registry key(s) (3 TTPs, 2 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry (2 TTPs, 4 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 8 IoCs)
  • Modifies Internet Explorer Phishing Filter (1 TTP, 2 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 41 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (3 IoCs)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (7 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/SynapseCracked/SynapseX/blob/main/SynapseX%20Cracked/SynapseX.exe
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4752
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4752 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1948
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RP56V4OA\SynapseX.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RP56V4OA\SynapseX.exe"
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Maps connected drives based on registry
      • Checks SCSI registry key(s)
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:1280
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 1280 -s 2060
        3⤵
        • Program crash
        PID:1620
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GPVLIKPI\SynapseX.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GPVLIKPI\SynapseX.exe"
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Maps connected drives based on registry
      • Checks SCSI registry key(s)
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:4736
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 4736 -s 2044
        3⤵
        • Program crash
        PID:4788
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 456 -p 1280 -ip 1280
    1⤵
    PID:2076
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 476 -p 4736 -ip 4736
    1⤵
    PID:4464

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 471B
    MD5: 0a18c4e5d48519f11d47e21d48beb4c1
    SHA1: ef72edf3da93c8438e33829542296d86b9608d48
    SHA256: 572990d6df4be97a68222158083b64bc4391b26347069435b00407b3fd1d0e0e
    SHA512: d6b78a5a080d0339a58a490122c80165dd3cce9ef1aad17e6363814859116c91a05142a5b8a7de4cbae658c9cc754dbbc1c99f96f139a17303db3f749ab6b7d8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 404B
    MD5: 1bfe3c6159ba707c2b4a1e06972ce3d9
    SHA1: e1673e063dfd0c082977326b6056c8cc00c334f1
    SHA256: 99295dc924b44ab0093dce498b668d11c016341c3fd9655072f478f9fe2efc97
    SHA512: 8a9f570b762fa1b44c3258d6c7739bf4a0b25c1018a9ffdc698c1f8783fce200957dc60ff6e109efa5bc9919862e4b736bbca574f8a2a8176d684197562348a7

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1
    Filesize: 17KB
    MD5: 5a34cb996293fde2cb7a4ac89587393a
    SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
    SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
    SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\cz9baam\imagestore.dat
    Filesize: 1KB
    MD5: b20d5c0b284624e12a5d14609d873b4d
    SHA1: a8a8f7cc0c3ab3139326ea5c3d0178432d2aaefb
    SHA256: 5376ebdc891dc8583f62c8df978ef051dc7d334f84a4773d8b62c8220a8fee09
    SHA512: 328f97abe964c561ec15d222a80e6dd6d21f143a305080b791c9450149a0136a5fec88f90f47b760713b7eb0654fdb7b2a9a2a929f68bb6e46fb3d5c3efe9868

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GPVLIKPI\SynapseX.exe
    (identical content, same hashes, also at:)
    C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GPVLIKPI\SynapseX.exe.k9tq9i0.partial
    C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GPVLIKPI\SynapseX[1].exe
    C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RP56V4OA\SynapseX.exe
    C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RP56V4OA\SynapseX.exe.04k2xp1.partial
    Filesize: 56KB
    MD5: 7b8392fe4399d3e4b2675d9874ad86cb
    SHA1: cc63374f42e25331c9531baa2934f8a97b1a6fd4
    SHA256: 3a33033cd9ddf012b6532f69d3d39e576cbe3429b89dd56f6f6dab1679799b4b
    SHA512: a500acf4154ccc3598d981063c560f9b9fa0ba85c2b0ed4ca39a1608106e0554bc3fff9d044bd8cdfcb637875926de01fa6a828fc7dcff9bb349985b676ae42d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GPVLIKPI\favicon[1].png
    Filesize: 958B
    MD5: 346e09471362f2907510a31812129cd2
    SHA1: 323b99430dd424604ae57a19a91f25376e209759
    SHA256: 74cf90ac2fe6624ab1056cacea11cf7ed4f8bef54bbb0e869638013bba45bc08
    SHA512: a62b0fcc02e671d6037725cf67935f8ca1c875f764ce39fed267420935c0b7bad69ab50d3f9f8c628e9b3cff439885ee416989e31ceaa5d32ae596dd7e5fedbd

  • memory/1280-311-0x0000000003200000-0x0000000003210000-memory.dmp
    Filesize: 64KB

  • memory/1280-310-0x0000000000F70000-0x0000000000F84000-memory.dmp
    Filesize: 80KB

  • memory/4736-343-0x000000001B410000-0x000000001B420000-memory.dmp
    Filesize: 64KB