Analysis
Max time kernel: 70s
Max time network: 71s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 20-05-2024 14:47
Behavioral tasks
behavioral1  Sample: SynapseX.revamaped.V1.3.rar                                 Resource: win7-20240221-en
behavioral2  Sample: SynapseX.revamaped.V1.3.rar                                 Resource: win10v2004-20240508-en
behavioral3  Sample: SynapseX revamaped V1.3/Synapse X Installer.exe             Resource: win7-20231129-en
behavioral4  Sample: SynapseX revamaped V1.3/Synapse X Installer.exe             Resource: win10v2004-20240508-en
behavioral5  Sample: SynapseX revamaped V1.3/auth/internal/3132e54eb7c.bin       Resource: win7-20240508-en
behavioral6  Sample: SynapseX revamaped V1.3/auth/internal/3132e54eb7c.bin       Resource: win10v2004-20240426-en
behavioral7  Sample: SynapseX revamaped V1.3/bin/OoxIi8qtt.exe                   Resource: win7-20240508-en
behavioral8  Sample: SynapseX revamaped V1.3/bin/OoxIi8qtt.exe                   Resource: win10v2004-20240426-en
General
Target: SynapseX.revamaped.V1.3.rar
Size: 659KB
MD5: 25e767f22f576a1187ca297428a909b3
SHA1: a6ad4d278d09e0ecab07d095e996c91e9afb3b18
SHA256: 13f63c65ac270ce6d8f462791b1bb0ca64b8f7000f230b1c2ade64db617c5eac
SHA512: 37e4e4dd2d0c03d00f7afb024406f7445142b82f24648da287ef9008805af6b083223e9d0a34fa343bf5dc0300c701f71151eebe9be459157daf10d0d5275689
SSDEEP: 12288:aPSH3BnY7Y78MKc1yLt6OX2CqsfcTJalg7BBU0g+6qBeS02xdJXWhd3cEx5sCB94:ASH3qcqc1yRxtqW4alg7vgpj2zJmhdMx
Malware Config
Extracted: xenorat
192.168.1.219
131313131323
delay: 1000
install_path: temp
port: 1234
startup_name: Windows Client

Note that 192.168.1.219, the only address in the extracted config, is an RFC 1918 private address: this build can only reach a controller on the victim's own LAN (or was built for testing), so there is no routable C2 indicator to block at the perimeter. The usable host indicators are the install_path (%TEMP%) and the startup_name "Windows Client", which reappears below as the scheduled task name.
Signatures

Executes dropped EXE (5 IoCs)
  PID   Process
  2380  Synapse X Installer.exe
  2928  Synapse X Installer.exe
  2792  Synapse X Installer.exe
  1440  OoxIi8qtt.exe
  1708  Synapse X Installer.exe

Loads dropped DLL (1 IoC)
  PID   Process
  2380  Synapse X Installer.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID   Process
  2764  schtasks.exe
  308   schtasks.exe
  692   schtasks.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID   Process
  2688  7zFM.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Description                 PID   Process
  Token: SeRestorePrivilege   2688  7zFM.exe
  Token: 35                   2688  7zFM.exe
  Token: SeSecurityPrivilege  2688  7zFM.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  PID   Process
  2688  7zFM.exe
  2688  7zFM.exe

  The three signatures attributed to PID 2688 belong to the sandbox's own 7-Zip GUI (7zFM.exe) opening the .rar; token adjustment and tray-window lookups are normal for 7-Zip and are not behaviour of the sample.

Suspicious use of WriteProcessMemory (22 IoCs; identical rows collapsed, count in parentheses)
  Description                        PID   Process                   procid_target
  PID 2124 wrote to memory of 2688   2124  cmd.exe                   29  (x3)
  PID 2380 wrote to memory of 2928   2380  Synapse X Installer.exe   32  (x7)
  PID 2928 wrote to memory of 2764   2928  Synapse X Installer.exe   33  (x4)
  PID 2792 wrote to memory of 308    2792  Synapse X Installer.exe   36  (x4)
  PID 1708 wrote to memory of 692    1708  Synapse X Installer.exe   43  (x4)
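The "Creates scheduled task(s)" signature above is the persistence step: the sample imports a task definition with schtasks /Create /TN "Windows Client" /XML <tmp file> /F. On a suspect host the same definition can be exported with `schtasks /Query /TN "Windows Client" /XML` (or read from %SystemRoot%\System32\Tasks) and audited. The script below is an added example written for this report, not sandbox output or code from the sample: it parses Task Scheduler XML and flags actions that execute from user-writable temp or profile directories, tasks named like Windows components whose binary lives outside the system directories, and task names that match a RAT startup_name. The two task definitions embedded in it are constructed; the task name and %TEMP%\XenoManager path come from this report, the trigger, principal and the benign defrag task are assumed.

```python
"""Audit exported Task Scheduler XML for persistence launched from temp paths.

Added example for this report, not part of the sandbox output. The sample
registered its task with `schtasks /Create /TN "Windows Client" /XML <tmp> /F`;
the XML below is CONSTRUCTED to mirror such a task once exported with
`schtasks /Query /TN "Windows Client" /XML` (task name and the
%TEMP%\\XenoManager path come from the report; trigger and principal are
assumed). Real exported files are UTF-16 with a BOM; read them with
open(path, encoding="utf-16") before passing the text in.
"""
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# User-writable locations an installed, legitimate task should not execute from.
SUSPICIOUS_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
    "\\users\\public\\",
    "\\desktop\\",
    "\\downloads\\",
)
# Where a task named after a Windows component would be expected to live.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample modelled on install_path=temp / startup_name="Windows Client".
SAMPLE_MALICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Windows Client</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author">
    <Exec><Command>"C:\\Users\\Admin\\AppData\\Local\\Temp\\XenoManager\\Synapse X Installer.exe"</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign sample: a built-in maintenance task running from %windir%.
SAMPLE_BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\Defrag\\ScheduledDefrag</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h -o</Arguments></Exec>
  </Actions>
</Task>"""


def normalize_command(command):
    """Lower-case, unquote and expand the common %windir%/%SystemRoot% variables."""
    low = command.strip().strip('"').lower()
    return low.replace("%windir%", "c:\\windows").replace("%systemroot%", "c:\\windows")


def audit_task(xml_text, known_startup_names=()):
    """Return [(task_uri, raw_command, [reasons])] for every Exec action in the task.

    known_startup_names: startup_name values pulled from RAT configs (for this
    run, "Windows Client"), matched case-insensitively against the task's leaf name.
    """
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=TASK_NS)
    leaf = uri.rsplit("\\", 1)[-1]
    known = {n.lower() for n in known_startup_names}
    findings = []
    for exec_node in root.iterfind("t:Actions/t:Exec", TASK_NS):
        raw = exec_node.findtext("t:Command", default="", namespaces=TASK_NS)
        cmd = normalize_command(raw)
        reasons = []
        if any(d in cmd for d in SUSPICIOUS_DIRS):
            reasons.append("action runs from a user-writable temp/profile directory")
        if leaf.lower().startswith(("windows", "microsoft")) and not cmd.startswith(SYSTEM_DIRS):
            reasons.append("task named like a Windows component but binary is outside system dirs")
        if leaf.lower() in known:
            reasons.append("task name matches a known RAT startup_name")
        findings.append((uri, raw, reasons))
    return findings


if __name__ == "__main__":
    for xml_text in (SAMPLE_MALICIOUS_TASK, SAMPLE_BENIGN_TASK):
        for uri, cmd, reasons in audit_task(xml_text, known_startup_names=("Windows Client",)):
            print(f"[{'SUSPICIOUS' if reasons else 'ok'}] {uri} -> {cmd}")
            for r in reasons:
                print(f"    - {r}")
```

The directory heuristic is the durable part: the task name and the %TEMP% subfolder change between builds, but a logon-triggered task whose action lives under AppData\Local\Temp is rarely legitimate on a managed host.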
Processes

C:\Windows\system32\cmd.exe  (PID 2124)
  cmd /c C:\Users\Admin\AppData\Local\Temp\SynapseX.revamaped.V1.3.rar
  - Suspicious use of WriteProcessMemory
  C:\Program Files\7-Zip\7zFM.exe  (PID 2688)
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\SynapseX.revamaped.V1.3.rar"
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

C:\Users\Admin\Desktop\SynapseX revamaped V1.3\Synapse X Installer.exe  (PID 2380)
  "C:\Users\Admin\Desktop\SynapseX revamaped V1.3\Synapse X Installer.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe  (PID 2928)
    "C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe  (PID 2764)
      "schtasks.exe" /Create /TN "Windows Client" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5C05.tmp" /F
      - Creates scheduled task(s)

C:\Users\Admin\Desktop\SynapseX revamaped V1.3\Synapse X Installer.exe  (PID 2792)
  "C:\Users\Admin\Desktop\SynapseX revamaped V1.3\Synapse X Installer.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\schtasks.exe  (PID 308)
    "schtasks.exe" /Create /TN "Windows Client" /XML "C:\Users\Admin\AppData\Local\Temp\tmp80B4.tmp" /F
    - Creates scheduled task(s)

C:\Users\Admin\Desktop\SynapseX revamaped V1.3\bin\OoxIi8qtt.exe  (PID 1440)
  "C:\Users\Admin\Desktop\SynapseX revamaped V1.3\bin\OoxIi8qtt.exe"
  - Executes dropped EXE

C:\Users\Admin\Desktop\SynapseX revamaped V1.3\Synapse X Installer.exe  (PID 1708)
  "C:\Users\Admin\Desktop\SynapseX revamaped V1.3\Synapse X Installer.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\schtasks.exe  (PID 692)
    "schtasks.exe" /Create /TN "Windows Client" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE7D0.tmp" /F
    - Creates scheduled task(s)

C:\Windows\system32\LogonUI.exe  (PID 1868)
  "LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe  (PID 1788)
  "LogonUI.exe" /flags:0x1

The chain to watch is the first tree: the Desktop installer writes a copy of itself to %TEMP%\XenoManager (matching install_path=temp in the config) and that copy registers the task. The task name is the config's startup_name, the definition is imported from a throwaway tmp*.tmp XML file in %TEMP%, and /F forces overwrite, so every launch re-registers "Windows Client" (three registrations here: PIDs 2764, 308 and 692). The schtasks.exe binary is the 32-bit SysWOW64 copy, consistent with a 32-bit payload on the x64 image.
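The process tree above is the telemetry shape to detect in an EDR or Sysmon feed: a binary re-executed from %TEMP% by a parent with the same file name, followed by schtasks.exe /Create importing an XML file from a user-writable path. The script below is an added example for this report, not sandbox output or code from the sample. It replays constructed process-creation events (Sysmon Event ID 1-style fields: PID, parent PID, image, command line) whose PIDs and paths mirror the report, and runs two rules over them: a self-copy launched from a temp directory, and a schtasks /Create whose /XML or /TR source, or whose parent, sits in a user-writable location. The explorer.exe parent and the two benign schtasks events are assumed for illustration.

```python
"""Flag the XenoRAT-style persistence chain in process-creation telemetry.

Added example for this report, not sandbox output. EVENTS is CONSTRUCTED
(Sysmon Event ID 1-style fields: pid, ppid, image, command line) to replay
the chain the sandbox recorded: Synapse X Installer.exe on the Desktop
launches a copy of itself from %TEMP%\\XenoManager, which runs
schtasks.exe /Create /TN "Windows Client" /XML <%TEMP%\\tmpXXXX.tmp> /F.
PIDs and paths mirror the report; the explorer.exe parent and the benign
events are assumed.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
USER_DIRS = TEMP_DIRS + ("\\desktop\\", "\\downloads\\", "\\users\\public\\")

EVENTS = [
    # Assumed parent for the Desktop launch (the report does not show it).
    Event(1234, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(2380, 1234, r"C:\Users\Admin\Desktop\SynapseX revamaped V1.3\Synapse X Installer.exe",
          r'"C:\Users\Admin\Desktop\SynapseX revamaped V1.3\Synapse X Installer.exe"'),
    Event(2928, 2380, r"C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe"'),
    Event(2764, 2928, r"C:\Windows\SysWOW64\schtasks.exe",
          r'"schtasks.exe" /Create /TN "Windows Client" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5C05.tmp" /F'),
    # Constructed benign noise: an admin querying a task and an installer registering one from ProgramData.
    Event(4100, 4000, r"C:\Windows\System32\schtasks.exe",
          r'schtasks.exe /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"'),
    Event(4200, 4000, r"C:\Windows\System32\schtasks.exe",
          r'schtasks.exe /Create /TN "\Corp\Inventory" /XML "C:\ProgramData\Corp\inventory.xml" /F'),
]


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted arguments together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline):
    """Extract the schtasks options relevant to persistence (case-insensitive)."""
    toks = tokenize(cmdline)
    out = {"create": False, "tn": None, "xml": None, "tr": None, "force": False}
    for i, tok in enumerate(toks):
        if not tok.startswith("/"):
            continue
        opt = tok[1:].lower()
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if opt == "create":
            out["create"] = True
        elif opt == "tn":
            out["tn"] = nxt
        elif opt == "xml":
            out["xml"] = nxt
        elif opt == "tr":
            out["tr"] = nxt
        elif opt == "f":
            out["force"] = True
    return out


def in_dirs(path, dirs):
    return any(d in path.lower() for d in dirs)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return [(pid, reason, detail)] for events matching either rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # Rule 1: a binary executed from a temp directory whose parent has the same
        # file name in a different directory (self-copy into %TEMP%).
        if (parent and in_dirs(e.image, TEMP_DIRS) and not in_dirs(parent.image, TEMP_DIRS)
                and basename(e.image) == basename(parent.image)):
            findings.append((e.pid, "self-copy executed from temp", e.image))
        # Rule 2: schtasks /Create importing its definition (or action) from a
        # user-writable path, or spawned by a binary that lives in one.
        if basename(e.image) == "schtasks.exe":
            st = parse_schtasks(e.cmdline)
            if st["create"]:
                src = st["xml"] or st["tr"] or ""
                if in_dirs(src, USER_DIRS) or (parent and in_dirs(parent.image, USER_DIRS)):
                    findings.append((e.pid, f"task {st['tn']!r} created from user-writable location", src))
    return findings


if __name__ == "__main__":
    for pid, reason, detail in detect(EVENTS):
        print(f"PID {pid}: {reason}: {detail}")
```

Rule 2 deliberately keys on where the task definition comes from rather than on the task name, because the name ("Windows Client") is an operator-chosen string that changes per build, while importing from %TEMP% is structural to how this installer registers persistence.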
Downloads

File 1
Filesize: 1KB
MD5: a27e485b47a3c136c01199b55f08c0d8
SHA1: 99a6c183d0673217570cf2e5efcc8bf44d78f483
SHA256: 0c297eec1e3f58624331b58ae22a57cdd344071d58942c6897bb6ae1409e95df
SHA512: 386fe030cbcb380350e5e5cc8179b76115601ad9b322f90a9d71f76fb2468993986a224796b489c600b4a388d76584772369259ac05d64a6551978e3c9102b60

File 2
Filesize: 1KB
MD5: 52953356462e0df5b41269e4b757acbe
SHA1: f6778ffad7195ace77bc450caea9ae618d912d74
SHA256: b4178bcc8cef3da00fac9a5cb727591cbb97cd6cbe58ad73369d7286dce31475
SHA512: 679729e31e10e514064a22acee4a6d7fe2a53817abfc48784e4611758c5ff3413105249e50428db6c68e396b52ae8a5847aa3b76c1a2d24ee0b66c7c3e137fc0

File 3
Filesize: 43KB
MD5: 769aad21a347b7576895910e55970390
SHA1: 36831993993050af72ea201cfa6ebc4726860e56
SHA256: 72e0f8bf690b647ae965d9a99f89c4f04c3b9500aac53f2a3fd376a2546b287a
SHA512: 9bb36a376f0b3e8a26a813f1054bf92a9ca737bd9eb96403d28b4edb81c361408a058e5ccefda3e44bbf4943d9799203665161b02394d35a05faa20851f670a5

File 4
Filesize: 1.1MB
MD5: a48d6b525da2501d8ec661f2f2f1b0e8
SHA1: 5737e465e5ffbed6b51e6775b5e05b5769f89e6b
SHA256: a6e52cc20913ae168b7dcbb923ea8cd7bdda93e43399ec22a85dabfab14ddf3a
SHA512: 3cf1d6acbf1a3c3e99739af505b57aef7e8db5a2a84db2310c1d6490a097e11065510d2aaaac6ea71fd226b421d87be216993528e245e0bdee9b6000e68e32ab