4cf43fb3fd0c9512573a0f601f74101816706cc5e71470ab84e106cf29cbf589

Analysis

max time kernel
18s
max time network
81s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2023, 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SynapseFromWish/release-v2.exe
Size

6.1MB
MD5

f7acd0852bb12402618146b0d16f354e
SHA1

211e1174154435cf731ffd70c69cc9050f924174
SHA256

02131c1bff27d6b1d89013f963095a425a32f8506e69799e7087554461bbbd9d
SHA512

6dee8dcc59d0ac59728c7750cba5c570797e91cd39755c4b910c95ee0dfb3b0e1c69d954970a3638ded9ec411927226c2468adc39471671ea7f96ebe402298cc
SSDEEP

196608:pNsMnreFZyDr0jUSCYKdY0ZVeQ+KMm6XOeRJpyrMS0kRkZ0YezmEse7IBWc7pH9K:pyc7/Zd31VC7WcVHdPa4c15D

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 3652 created 2748	3652	release-v2.exe	55
PID 3652 created 2748	3652	release-v2.exe	55
PID 3652 created 2748	3652	release-v2.exe	55
PID 3652 created 2748	3652	release-v2.exe	55

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	release-v2.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3652 set thread context of 1556	3652	release-v2.exe	99

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1620	616	WerFault.exe	5
1532	668	WerFault.exe	3

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
3652	release-v2.exe
3652	release-v2.exe
2476	powershell.exe
2476	powershell.exe
2476	powershell.exe
3652	release-v2.exe
3652	release-v2.exe
3652	release-v2.exe
3652	release-v2.exe
3652	release-v2.exe
3652	release-v2.exe
1556	dialer.exe
1556	dialer.exe
3516	powershell.exe
3516	powershell.exe
1556	dialer.exe
1556	dialer.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	1556	dialer.exe
Token: SeDebugPrivilege	3516	powershell.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 1556	3652	release-v2.exe	99
PID 1556 wrote to memory of 616	1556	dialer.exe	5
PID 936 wrote to memory of 3244	936	cmd.exe	102
PID 936 wrote to memory of 3244	936	cmd.exe	102
PID 1556 wrote to memory of 668	1556	dialer.exe	3
PID 1556 wrote to memory of 964	1556	dialer.exe	10
PID 668 wrote to memory of 2608	668	lsass.exe	60

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:668
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 668 -s 4260
  2⤵
  - Program crash
  PID:1532

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 616 -s 864
  2⤵
  - Program crash
  PID:1620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:964

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2748
- C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe
  "C:\Users\Admin\AppData\Local\Temp\SynapseFromWish\release-v2.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2476
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:3244
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:3452
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:3000
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:4168
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#eszkltr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3516

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2608

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 616 -ip 616
1⤵
PID:4996

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 472 -p 668 -ip 668
1⤵
PID:4948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mxioahv0.qnx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/384-52-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp

Filesize
64KB

Download
memory/384-61-0x0000020CF4160000-0x0000020CF4187000-memory.dmp

Filesize
156KB

Download
memory/384-48-0x0000020CF4160000-0x0000020CF4187000-memory.dmp

Filesize
156KB

Download
memory/540-58-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp

Filesize
64KB

Download
memory/540-56-0x00000298C6980000-0x00000298C69A7000-memory.dmp

Filesize
156KB

Download
memory/540-63-0x00000298C6980000-0x00000298C69A7000-memory.dmp

Filesize
156KB

Download
memory/616-98-0x0000020EE5AB0000-0x0000020EE5AD7000-memory.dmp

Filesize
156KB

Download
memory/616-42-0x00007FFF3136D000-0x00007FFF3136E000-memory.dmp

Filesize
4KB

Download
memory/616-39-0x0000020EE5AB0000-0x0000020EE5AD7000-memory.dmp

Filesize
156KB

Download
memory/616-27-0x0000020EE5A80000-0x0000020EE5AA1000-memory.dmp

Filesize
132KB

Download
memory/668-53-0x00007FFF3136D000-0x00007FFF3136E000-memory.dmp

Filesize
4KB

Download
memory/668-57-0x00007FFF3136F000-0x00007FFF31370000-memory.dmp

Filesize
4KB

Download
memory/668-114-0x00000288696A0000-0x00000288696C7000-memory.dmp

Filesize
156KB

Download
memory/668-40-0x00000288696A0000-0x00000288696C7000-memory.dmp

Filesize
156KB

Download
memory/668-43-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp

Filesize
64KB

Download
memory/668-45-0x00000288696A0000-0x00000288696C7000-memory.dmp

Filesize
156KB

Download
memory/700-68-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp

Filesize
64KB

Download
memory/700-67-0x00000174C17C0000-0x00000174C17E7000-memory.dmp

Filesize
156KB

Download
memory/700-150-0x00000174C17C0000-0x00000174C17E7000-memory.dmp

Filesize
156KB

Download
memory/964-62-0x00007FFF3136C000-0x00007FFF3136D000-memory.dmp

Filesize
4KB

Download
memory/964-47-0x000001B66BDD0000-0x000001B66BDF7000-memory.dmp

Filesize
156KB

Download
memory/964-51-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp

Filesize
64KB

Download
memory/964-59-0x000001B66BDD0000-0x000001B66BDF7000-memory.dmp

Filesize
156KB

Download
memory/1040-74-0x000001BDB7F40000-0x000001BDB7F67000-memory.dmp

Filesize
156KB

Download
memory/1040-78-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp

Filesize
64KB

Download
memory/1040-82-0x000001BDB7F40000-0x000001BDB7F67000-memory.dmp

Filesize
156KB

Download
memory/1040-187-0x000001BDB7F40000-0x000001BDB7F67000-memory.dmp

Filesize
156KB

Download
memory/1052-75-0x000001B9EAFD0000-0x000001B9EAFF7000-memory.dmp

Filesize
156KB

Download
memory/1052-87-0x000001B9EAFD0000-0x000001B9EAFF7000-memory.dmp

Filesize
156KB

Download
memory/1052-80-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp

Filesize
64KB

Download
memory/1120-79-0x000001D469FD0000-0x000001D469FF7000-memory.dmp

Filesize
156KB

Download
memory/1120-83-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp

Filesize
64KB

Download
memory/1120-91-0x000001D469FD0000-0x000001D469FF7000-memory.dmp

Filesize
156KB

Download
memory/1192-85-0x0000016D3F190000-0x0000016D3F1B7000-memory.dmp

Filesize
156KB

Download
memory/1192-89-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp

Filesize
64KB

Download
memory/1192-94-0x0000016D3F190000-0x0000016D3F1B7000-memory.dmp

Filesize
156KB

Download
memory/1216-96-0x000001AA21E60000-0x000001AA21E87000-memory.dmp

Filesize
156KB

Download
memory/1216-92-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp

Filesize
64KB

Download
memory/1216-90-0x000001AA21E60000-0x000001AA21E87000-memory.dmp

Filesize
156KB

Download
memory/1252-105-0x0000024C9E160000-0x0000024C9E187000-memory.dmp

Filesize
156KB

Download
memory/1252-131-0x0000024C9E160000-0x0000024C9E187000-memory.dmp

Filesize
156KB

Download
memory/1252-108-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp

Filesize
64KB

Download
memory/1372-140-0x0000025AAA2C0000-0x0000025AAA2E7000-memory.dmp

Filesize
156KB

Download
memory/1372-106-0x0000025AAA2C0000-0x0000025AAA2E7000-memory.dmp

Filesize
156KB

Download
memory/1372-111-0x00007FFEF1350000-0x00007FFEF1360000-memory.dmp

Filesize
64KB

Download
memory/1388-109-0x000001AB3CDB0000-0x000001AB3CDD7000-memory.dmp

Filesize
156KB

Download
memory/1388-142-0x000001AB3CDB0000-0x000001AB3CDD7000-memory.dmp

Filesize
156KB

Download
memory/1452-143-0x000001A706040000-0x000001A706067000-memory.dmp

Filesize
156KB

Download
memory/1460-127-0x000001CD86290000-0x000001CD862B7000-memory.dmp

Filesize
156KB

Download
memory/1556-77-0x00007FF72C450000-0x00007FF72C479000-memory.dmp

Filesize
164KB

Download
memory/1556-21-0x00007FFF312D0000-0x00007FFF314C5000-memory.dmp

Filesize
2.0MB

Download
memory/1556-22-0x00007FFF2F380000-0x00007FFF2F43E000-memory.dmp

Filesize
760KB

Download
memory/1568-145-0x000002278F590000-0x000002278F5B7000-memory.dmp

Filesize
156KB

Download
memory/1604-144-0x0000019FB1740000-0x0000019FB1767000-memory.dmp

Filesize
156KB

Download
memory/1648-154-0x000001F149ED0000-0x000001F149EF7000-memory.dmp

Filesize
156KB

Download
memory/1688-163-0x00000209F7A90000-0x00000209F7AB7000-memory.dmp

Filesize
156KB

Download
memory/1784-159-0x000002510DB40000-0x000002510DB67000-memory.dmp

Filesize
156KB

Download
memory/1800-181-0x000001EA6B170000-0x000001EA6B197000-memory.dmp

Filesize
156KB

Download
memory/1896-169-0x000002AE98CB0000-0x000002AE98CD7000-memory.dmp

Filesize
156KB

Download
memory/1908-174-0x0000012919B30000-0x0000012919B57000-memory.dmp

Filesize
156KB

Download
memory/1952-178-0x0000023418960000-0x0000023418987000-memory.dmp

Filesize
156KB

Download
memory/1964-184-0x000001C89C090000-0x000001C89C0B7000-memory.dmp

Filesize
156KB

Download
memory/2476-13-0x000001B6C8730000-0x000001B6C8740000-memory.dmp

Filesize
64KB

Download
memory/2476-14-0x000001B6C8730000-0x000001B6C8740000-memory.dmp

Filesize
64KB

Download
memory/2476-18-0x00007FFF11CB0000-0x00007FFF12771000-memory.dmp

Filesize
10.8MB

Download
memory/2476-8-0x000001B6C8730000-0x000001B6C8740000-memory.dmp

Filesize
64KB

Download
memory/2476-6-0x000001B6C8700000-0x000001B6C8722000-memory.dmp

Filesize
136KB

Download
memory/2476-15-0x000001B6C8730000-0x000001B6C8740000-memory.dmp

Filesize
64KB

Download
memory/2476-7-0x00007FFF11CB0000-0x00007FFF12771000-memory.dmp

Filesize
10.8MB

Download
memory/3516-115-0x0000022D3AD70000-0x0000022D3AD80000-memory.dmp

Filesize
64KB

Download
memory/3516-70-0x0000022D3AD70000-0x0000022D3AD80000-memory.dmp

Filesize
64KB

Download
memory/3516-25-0x0000022D3AD70000-0x0000022D3AD80000-memory.dmp

Filesize
64KB

Download
memory/3516-120-0x0000022D3AD70000-0x0000022D3AD80000-memory.dmp

Filesize
64KB

Download
memory/3516-24-0x00007FFF11CB0000-0x00007FFF12771000-memory.dmp

Filesize
10.8MB

Download
memory/3516-26-0x0000022D3AD70000-0x0000022D3AD80000-memory.dmp

Filesize
64KB

Download
memory/3516-110-0x00007FFF11CB0000-0x00007FFF12771000-memory.dmp

Filesize
10.8MB

Download
memory/3516-188-0x0000022D3AD70000-0x0000022D3AD80000-memory.dmp

Filesize
64KB

Download
memory/3652-0-0x00007FF7F14C0000-0x00007FF7F1AD7000-memory.dmp

Filesize
6.1MB

Download
memory/3652-50-0x00007FF7F14C0000-0x00007FF7F1AD7000-memory.dmp

Filesize
6.1MB

Download