4cf43fb3fd0c9512573a0f601f74101816706cc5e71470ab84e106cf29cbf589

Analysis

max time kernel
18s
max time network
81s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
12-09-2023 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SynapseFromWish/release-v2.exe
Size

6.1MB
MD5

f7acd0852bb12402618146b0d16f354e
SHA1

211e1174154435cf731ffd70c69cc9050f924174
SHA256

02131c1bff27d6b1d89013f963095a425a32f8506e69799e7087554461bbbd9d
SHA512

6dee8dcc59d0ac59728c7750cba5c570797e91cd39755c4b910c95ee0dfb3b0e1c69d954970a3638ded9ec411927226c2468adc39471671ea7f96ebe402298cc
SSDEEP

196608:pNsMnreFZyDr0jUSCYKdY0ZVeQ+KMm6XOeRJpyrMS0kRkZ0YezmEse7IBWc7pH9K:pyc7/Zd31VC7WcVHdPa4c15D

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

release-v2.exe

description	pid	process	target process
PID 3652 created 2748	3652	release-v2.exe	Explorer.EXE
PID 3652 created 2748	3652	release-v2.exe	Explorer.EXE
PID 3652 created 2748	3652	release-v2.exe	Explorer.EXE
PID 3652 created 2748	3652	release-v2.exe	Explorer.EXE

Drops file in Drivers directory 1 IoCs

Processes:

release-v2.exe

description ioc process

File created C:\Windows\System32\drivers\etc\hosts release-v2.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

release-v2.exe

description pid process target process

PID 3652 set thread context of 1556 3652 release-v2.exe dialer.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1620 616 WerFault.exe winlogon.exe
1532 668 WerFault.exe lsass.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	release-v2.exe

description	pid	process	target process
PID 3652 set thread context of 1556	3652	release-v2.exe	dialer.exe

pid	pid_target	process	target process
1620	616	WerFault.exe	winlogon.exe
1532	668	WerFault.exe	lsass.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

release-v2.exepowershell.exedialer.exepowershell.exe

pid	process
3652	release-v2.exe
3652	release-v2.exe
2476	powershell.exe
2476	powershell.exe
2476	powershell.exe
3652	release-v2.exe
3652	release-v2.exe
3652	release-v2.exe
3652	release-v2.exe
3652	release-v2.exe
3652	release-v2.exe
1556	dialer.exe
1556	dialer.exe
3516	powershell.exe
3516	powershell.exe
1556	dialer.exe
1556	dialer.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exedialer.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2476 powershell.exe
Token: SeDebugPrivilege 1556 dialer.exe
Token: SeDebugPrivilege 3516 powershell.exe

description	pid	process
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	1556	dialer.exe
Token: SeDebugPrivilege	3516	powershell.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

release-v2.exedialer.execmd.exelsass.exe

description	pid	process	target process
PID 3652 wrote to memory of 1556	3652	release-v2.exe	dialer.exe
PID 1556 wrote to memory of 616	1556	dialer.exe	winlogon.exe
PID 936 wrote to memory of 3244	936	cmd.exe	powercfg.exe
PID 936 wrote to memory of 3244	936	cmd.exe	powercfg.exe
PID 1556 wrote to memory of 668	1556	dialer.exe	lsass.exe
PID 1556 wrote to memory of 964	1556	dialer.exe	svchost.exe
PID 668 wrote to memory of 2608	668	lsass.exe	sysmon.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 668 -s 4260
2⤵
- Program crash
PID:1532

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 616 -s 864
2⤵
- Program crash
PID:1620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:964

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2748

C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe
"C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:3244

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:3452

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:3000

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:4168

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#eszkltr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2608

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 616 -ip 616
1⤵
PID:4996

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 472 -p 668 -ip 668
1⤵
PID:4948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mxioahv0.qnx.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/384-52-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp

Filesize
64KB

Download
memory/384-61-0x0000020CF4160000-0x0000020CF4187000-memory.dmp

Filesize
156KB

Download
memory/384-48-0x0000020CF4160000-0x0000020CF4187000-memory.dmp

Filesize
156KB

Download
memory/540-58-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp

Filesize
64KB

Download
memory/540-56-0x00000298C6980000-0x00000298C69A7000-memory.dmp

Filesize
156KB

Download
memory/540-63-0x00000298C6980000-0x00000298C69A7000-memory.dmp

Filesize
156KB

Download
memory/616-98-0x0000020EE5AB0000-0x0000020EE5AD7000-memory.dmp

Filesize
156KB

Download
memory/616-42-0x00007FFF3136D000-0x00007FFF3136E000-memory.dmp

Filesize
4KB

Download
memory/616-39-0x0000020EE5AB0000-0x0000020EE5AD7000-memory.dmp

Filesize
156KB

Download
memory/616-27-0x0000020EE5A80000-0x0000020EE5AA1000-memory.dmp

Filesize
132KB

Download
memory/668-53-0x00007FFF3136D000-0x00007FFF3136E000-memory.dmp

Filesize
4KB

Download
memory/668-57-0x00007FFF3136F000-0x00007FFF31370000-memory.dmp

Filesize
4KB

Download
memory/668-114-0x00000288696A0000-0x00000288696C7000-memory.dmp

Filesize
156KB

Download
memory/668-40-0x00000288696A0000-0x00000288696C7000-memory.dmp

Filesize
156KB

Download
memory/668-43-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp

Filesize
64KB

Download
memory/668-45-0x00000288696A0000-0x00000288696C7000-memory.dmp

Filesize
156KB

Download
memory/700-68-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp

Filesize
64KB

Download
memory/700-67-0x00000174C17C0000-0x00000174C17E7000-memory.dmp

Filesize
156KB

Download
memory/700-150-0x00000174C17C0000-0x00000174C17E7000-memory.dmp

Filesize
156KB

Download
memory/964-62-0x00007FFF3136C000-0x00007FFF3136D000-memory.dmp

Filesize
4KB

Download
memory/964-47-0x000001B66BDD0000-0x000001B66BDF7000-memory.dmp

Filesize
156KB

Download
memory/964-51-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp

Filesize
64KB

Download
memory/964-59-0x000001B66BDD0000-0x000001B66BDF7000-memory.dmp

Filesize
156KB

Download
memory/1040-74-0x000001BDB7F40000-0x000001BDB7F67000-memory.dmp

Filesize
156KB

Download
memory/1040-78-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp

Filesize
64KB

Download
memory/1040-82-0x000001BDB7F40000-0x000001BDB7F67000-memory.dmp

Filesize
156KB

Download
memory/1040-187-0x000001BDB7F40000-0x000001BDB7F67000-memory.dmp

Filesize
156KB

Download
memory/1052-75-0x000001B9EAFD0000-0x000001B9EAFF7000-memory.dmp

Filesize
156KB

Download
memory/1052-87-0x000001B9EAFD0000-0x000001B9EAFF7000-memory.dmp

Filesize
156KB

Download
memory/1052-80-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp

Filesize
64KB

Download
memory/1120-79-0x000001D469FD0000-0x000001D469FF7000-memory.dmp

Filesize
156KB

Download
memory/1120-83-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp

Filesize
64KB

Download
memory/1120-91-0x000001D469FD0000-0x000001D469FF7000-memory.dmp

Filesize
156KB

Download
memory/1192-85-0x0000016D3F190000-0x0000016D3F1B7000-memory.dmp

Filesize
156KB

Download
memory/1192-89-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp

Filesize
64KB

Download
memory/1192-94-0x0000016D3F190000-0x0000016D3F1B7000-memory.dmp

Filesize
156KB

Download
memory/1216-96-0x000001AA21E60000-0x000001AA21E87000-memory.dmp

Filesize
156KB

Download
memory/1216-92-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp

Filesize
64KB

Download
memory/1216-90-0x000001AA21E60000-0x000001AA21E87000-memory.dmp

Filesize
156KB

Download
memory/1252-105-0x0000024C9E160000-0x0000024C9E187000-memory.dmp

Filesize
156KB

Download
memory/1252-131-0x0000024C9E160000-0x0000024C9E187000-memory.dmp

Filesize
156KB

Download
memory/1252-108-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp

Filesize
64KB

Download
memory/1372-140-0x0000025AAA2C0000-0x0000025AAA2E7000-memory.dmp

Filesize
156KB

Download
memory/1372-106-0x0000025AAA2C0000-0x0000025AAA2E7000-memory.dmp

Filesize
156KB

Download
memory/1372-111-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp

Filesize
64KB

Download
memory/1388-109-0x000001AB3CDB0000-0x000001AB3CDD7000-memory.dmp

Filesize
156KB

Download
memory/1388-142-0x000001AB3CDB0000-0x000001AB3CDD7000-memory.dmp

Filesize
156KB

Download
memory/1452-143-0x000001A706040000-0x000001A706067000-memory.dmp

Filesize
156KB

Download
memory/1460-127-0x000001CD86290000-0x000001CD862B7000-memory.dmp

Filesize
156KB

Download
memory/1556-77-0x00007FF72C450000-0x00007FF72C479000-memory.dmp

Filesize
164KB

Download
memory/1556-21-0x00007FFF312D0000-0x00007FFF314C5000-memory.dmp

Filesize
2.0MB

Download
memory/1556-22-0x00007FFF2F380000-0x00007FFF2F43E000-memory.dmp

Filesize
760KB

Download
memory/1568-145-0x000002278F590000-0x000002278F5B7000-memory.dmp

Filesize
156KB

Download
memory/1604-144-0x0000019FB1740000-0x0000019FB1767000-memory.dmp

Filesize
156KB

Download
memory/1648-154-0x000001F149ED0000-0x000001F149EF7000-memory.dmp

Filesize
156KB

Download
memory/1688-163-0x00000209F7A90000-0x00000209F7AB7000-memory.dmp

Filesize
156KB

Download
memory/1784-159-0x000002510DB40000-0x000002510DB67000-memory.dmp

Filesize
156KB

Download
memory/1800-181-0x000001EA6B170000-0x000001EA6B197000-memory.dmp

Filesize
156KB

Download
memory/1896-169-0x000002AE98CB0000-0x000002AE98CD7000-memory.dmp

Filesize
156KB

Download
memory/1908-174-0x0000012919B30000-0x0000012919B57000-memory.dmp

Filesize
156KB

Download
memory/1952-178-0x0000023418960000-0x0000023418987000-memory.dmp

Filesize
156KB

Download
memory/1964-184-0x000001C89C090000-0x000001C89C0B7000-memory.dmp

Filesize
156KB

Download
memory/2476-13-0x000001B6C8730000-0x000001B6C8740000-memory.dmp

Filesize
64KB

Download
memory/2476-14-0x000001B6C8730000-0x000001B6C8740000-memory.dmp

Filesize
64KB

Download
memory/2476-18-0x00007FFF11CB0000-0x00007FFF12771000-memory.dmp

Filesize
10.8MB

Download
memory/2476-8-0x000001B6C8730000-0x000001B6C8740000-memory.dmp

Filesize
64KB

Download
memory/2476-6-0x000001B6C8700000-0x000001B6C8722000-memory.dmp

Filesize
136KB

Download
memory/2476-15-0x000001B6C8730000-0x000001B6C8740000-memory.dmp

Filesize
64KB

Download
memory/2476-7-0x00007FFF11CB0000-0x00007FFF12771000-memory.dmp

Filesize
10.8MB

Download
memory/3516-115-0x0000022D3AD70000-0x0000022D3AD80000-memory.dmp

Filesize
64KB

Download
memory/3516-70-0x0000022D3AD70000-0x0000022D3AD80000-memory.dmp

Filesize
64KB

Download
memory/3516-25-0x0000022D3AD70000-0x0000022D3AD80000-memory.dmp

Filesize
64KB

Download
memory/3516-120-0x0000022D3AD70000-0x0000022D3AD80000-memory.dmp

Filesize
64KB

Download
memory/3516-24-0x00007FFF11CB0000-0x00007FFF12771000-memory.dmp

Filesize
10.8MB

Download
memory/3516-26-0x0000022D3AD70000-0x0000022D3AD80000-memory.dmp

Filesize
64KB

Download
memory/3516-110-0x00007FFF11CB0000-0x00007FFF12771000-memory.dmp

Filesize
10.8MB

Download
memory/3516-188-0x0000022D3AD70000-0x0000022D3AD80000-memory.dmp

Filesize
64KB

Download
memory/3652-0-0x00007FF7F14C0000-0x00007FF7F1AD7000-memory.dmp

Filesize
6.1MB

Download
memory/3652-50-0x00007FF7F14C0000-0x00007FF7F1AD7000-memory.dmp

Filesize
6.1MB

Download