Overview

overview

10

Static

static

10

SynapseX.r...ed.rar

windows11-21h2-x64

Analysis

  • max time kernel
    55s
  • max time network
    62s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    13-05-2024 13:57

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    SynapseX.revamaped.rar

  • Size

    160.0MB

  • MD5

    3812a5893a2abdea718831baa062b718

  • SHA1

    d92570b364fbb1632630f97d459833f76ec65807

  • SHA256

    272aa33a3e9ff89993ba531faad69af778271e13cab169c863545fdef2a6e4f7

  • SHA512

    9d2a64c840fb4f9e6053b5692fb792c5a9c822f1d46ca6a6317b4a77c6ae7539d3bd3c55593b06aba6ccf319697984f2467cdba2f8d2ec7851f9a59dea4b6f80

  • SSDEEP

    3145728:mpzMB+crhy8Vm/7kNm6kUhA9DxSs8FpSHNnBBnPmKuLTtvfOw2T:mpQB+cD0/7DUh8LBBnPgXtZ2T

Score
10/10
quasarwindows updatespywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Windows Update

C2

espinyskibidi-29823.portmap.host:29823

Mutex

a94ba996-69af-4720-85e6-f4929c5eb0f8

Attributes
  • encryption_key

    6F721445F7E0B1CF58980D84A9D49F4458D4EFD9

  • install_name

    Update.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Update Startup

  • subdirectory

    Windows Update

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\SynapseX.revamaped.rar
    1⤵
    • Modifies registry class
    PID:1476
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:844
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4660
    • C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\SynapseX.revamaped\" -spe -an -ai#7zMap17622:94:7zEvent18126
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2280
    • C:\Users\Admin\Desktop\SynapseX.revamaped\SynapseX revamaped\Synapse X Launcher.exe
      "C:\Users\Admin\Desktop\SynapseX.revamaped\SynapseX revamaped\Synapse X Launcher.exe"
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1488
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Windows Update Startup" /sc ONLOGON /tr "C:\Windows\system32\Windows Update\Update.exe" /rl HIGHEST /f
        2⤵
        • Creates scheduled task(s)
        PID:904
      • C:\Windows\system32\Windows Update\Update.exe
        "C:\Windows\system32\Windows Update\Update.exe"
        2⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4964
        • C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /create /tn "Windows Update Startup" /sc ONLOGON /tr "C:\Windows\system32\Windows Update\Update.exe" /rl HIGHEST /f
          3⤵
          • Creates scheduled task(s)
          PID:3424
        • C:\Windows\System32\shutdown.exe
          "C:\Windows\System32\shutdown.exe" /s /t 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4864
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x4 /state0:0xa3a14055 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:2196

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\Desktop\SynapseX.revamaped\SynapseX revamaped\Synapse X Launcher.exe
      Filesize

      3.2MB

      MD5

      3854a6572a9a5a25bccbd13664713915

      SHA1

      b7c3ca681c1dcb328113c5966bbd96aed541ae64

      SHA256

      6c4367e763852b7afe852905e9d7baba18ac33c1e4eaf8370350824fb3ffce86

      SHA512

      80fb1425c57d7984da87349efdc0c4508296b58548e62ee4743215edd1058818154cb1207b95ec74299c7b61953f19f71c6ab0d325126efd21d8c5749ad69452

      Download Submit

    • memory/1488-40-0x0000000000200000-0x0000000000542000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4964-47-0x000000001C900000-0x000000001C950000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4964-48-0x000000001CA10000-0x000000001CAC2000-memory.dmp

      Filesize

      712KB

      Download

    • memory/4964-51-0x000000001C970000-0x000000001C982000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4964-52-0x000000001C9D0000-0x000000001CA0C000-memory.dmp

      Filesize

      240KB

      Download