5e171a8f1339b1d3ea649df73606f70f8fd6e1821b160471822011a1719d4b59

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/04/2024, 13:25

Sharing

Reason

Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-25T13:25:43Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win7-20240221-en/instance_29-dirty.qcow2\"}"

Report Analysis Logs

General

Target

SyntaxPlayerLauncher.exe
Size

2.0MB
MD5

729d8e93628f2a42a69733012ee8b486
SHA1

0bbc4af1e89e5d37d3530e134525cbd323d04d1c
SHA256

5e171a8f1339b1d3ea649df73606f70f8fd6e1821b160471822011a1719d4b59
SHA512

89fc40ebf24bfb844f6c351b51175eafe6b448258231d89b12120b5c373b3511b08c153007da4afccb2c2c1e1175b770780cff21ffd7bd4cbd0ce9e213bffdc5
SSDEEP

49152:Rzsw2YTKoHnPZFBasug0uWcTk6/N4zc3wFWD77kdBoVjvyA:Rgw2cjHnRFBasu3uWcTk6/N4zcA3ivy

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
3000	SyntaxPlayerLauncher.exe

Loads dropped DLL 2 IoCs

pid	Process
2844	SyntaxPlayerLauncher.exe
2844	SyntaxPlayerLauncher.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 1652	2844	SyntaxPlayerLauncher.exe	29
PID 2844 wrote to memory of 1652	2844	SyntaxPlayerLauncher.exe	29
PID 2844 wrote to memory of 1652	2844	SyntaxPlayerLauncher.exe	29
PID 2844 wrote to memory of 1652	2844	SyntaxPlayerLauncher.exe	29
PID 2844 wrote to memory of 1652	2844	SyntaxPlayerLauncher.exe	29
PID 2844 wrote to memory of 1652	2844	SyntaxPlayerLauncher.exe	29
PID 2844 wrote to memory of 1652	2844	SyntaxPlayerLauncher.exe	29
PID 2844 wrote to memory of 3000	2844	SyntaxPlayerLauncher.exe	30
PID 2844 wrote to memory of 3000	2844	SyntaxPlayerLauncher.exe	30
PID 2844 wrote to memory of 3000	2844	SyntaxPlayerLauncher.exe	30
PID 2844 wrote to memory of 3000	2844	SyntaxPlayerLauncher.exe	30
PID 2844 wrote to memory of 3000	2844	SyntaxPlayerLauncher.exe	30
PID 2844 wrote to memory of 3000	2844	SyntaxPlayerLauncher.exe	30
PID 2844 wrote to memory of 3000	2844	SyntaxPlayerLauncher.exe	30
PID 3000 wrote to memory of 2644	3000	SyntaxPlayerLauncher.exe	31
PID 3000 wrote to memory of 2644	3000	SyntaxPlayerLauncher.exe	31
PID 3000 wrote to memory of 2644	3000	SyntaxPlayerLauncher.exe	31
PID 3000 wrote to memory of 2644	3000	SyntaxPlayerLauncher.exe	31
PID 3000 wrote to memory of 2644	3000	SyntaxPlayerLauncher.exe	31
PID 3000 wrote to memory of 2644	3000	SyntaxPlayerLauncher.exe	31
PID 3000 wrote to memory of 2644	3000	SyntaxPlayerLauncher.exe	31

C:\Users\Admin\AppData\Local\Temp\SyntaxPlayerLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\SyntaxPlayerLauncher.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c cls
  2⤵
  PID:1652
- C:\Users\Admin\AppData\Local\Syntax\Versions\version-6f28acd84197b6cd\SyntaxPlayerLauncher.exe
  "C:\Users\Admin\AppData\Local\Syntax\Versions\version-6f28acd84197b6cd\SyntaxPlayerLauncher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c cls
    3⤵
    PID:2644

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2724

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:108

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Syntax\Versions\version-6f28acd84197b6cd\SyntaxPlayerLauncher.exe

Filesize
2.0MB

MD5
858ef57b0d3a3373b6ef8001004dbff8

SHA1
46b64f351f00d4243005aa1cbbfd98d803f38113

SHA256
799a2d09610ba6592a6ba4608f1c4adee4028bdf2eecab1564ce88c67d20b905

SHA512
50300fd7536ed86614c01d21346e65c78ecf4c37df17304ac3f965399b1c30195b06a110473ea1cceb79e36bfe405cf6d7ec9bace3949ba812b464ace61bdf0e

Download Submit
memory/108-14-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/2724-13-0x0000000002E10000-0x0000000002E11000-memory.dmp

Filesize
4KB

Download