Analysis Overview
SHA256
13f63c65ac270ce6d8f462791b1bb0ca64b8f7000f230b1c2ade64db617c5eac
Threat Level: Known bad
The file SynapseX.revamaped.V1.3.rar was found to be: Known bad.
Malicious Activity Summary
Xenorat family
XenorRat
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-20 14:47
Signatures
Xenorat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-20 14:47
Reported
2024-05-20 14:50
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\SynapseX.revamaped.V1.3.rar
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-20 14:47
Reported
2024-05-20 14:50
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
145s
Command Line
Signatures
XenorRat
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\Synapse X Installer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\Synapse X Installer.exe
"C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\Synapse X Installer.exe"
C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe
"C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "Windows Client" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5331.tmp" /F
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| N/A | 192.168.1.219:1234 | N/A | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| N/A | 192.168.1.219:1234 | N/A | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| N/A | 192.168.1.219:1234 | N/A | tcp |
| US | 8.8.8.8:53 | 32.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| N/A | 192.168.1.219:1234 | N/A | tcp |
| N/A | 192.168.1.219:1234 | N/A | tcp |
Files
memory/212-0-0x0000000074B4E000-0x0000000074B4F000-memory.dmp
memory/212-1-0x0000000000C60000-0x0000000000C72000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe
| MD5 | 769aad21a347b7576895910e55970390 |
| SHA1 | 36831993993050af72ea201cfa6ebc4726860e56 |
| SHA256 | 72e0f8bf690b647ae965d9a99f89c4f04c3b9500aac53f2a3fd376a2546b287a |
| SHA512 | 9bb36a376f0b3e8a26a813f1054bf92a9ca737bd9eb96403d28b4edb81c361408a058e5ccefda3e44bbf4943d9799203665161b02394d35a05faa20851f670a5 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Synapse X Installer.exe.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
memory/440-15-0x0000000074B40000-0x00000000752F0000-memory.dmp
memory/440-16-0x0000000074B40000-0x00000000752F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp5331.tmp
| MD5 | a27e485b47a3c136c01199b55f08c0d8 |
| SHA1 | 99a6c183d0673217570cf2e5efcc8bf44d78f483 |
| SHA256 | 0c297eec1e3f58624331b58ae22a57cdd344071d58942c6897bb6ae1409e95df |
| SHA512 | 386fe030cbcb380350e5e5cc8179b76115601ad9b322f90a9d71f76fb2468993986a224796b489c600b4a388d76584772369259ac05d64a6551978e3c9102b60 |
memory/440-19-0x0000000074B40000-0x00000000752F0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-20 14:47
Reported
2024-05-20 14:49
Platform
win7-20240221-en
Max time kernel
70s
Max time network
71s
Command Line
Signatures
XenorRat
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\SynapseX revamaped V1.3\Synapse X Installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\SynapseX revamaped V1.3\Synapse X Installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\SynapseX revamaped V1.3\bin\OoxIi8qtt.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\SynapseX revamaped V1.3\Synapse X Installer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\SynapseX revamaped V1.3\Synapse X Installer.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\SynapseX.revamaped.V1.3.rar
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\SynapseX.revamaped.V1.3.rar"
C:\Users\Admin\Desktop\SynapseX revamaped V1.3\Synapse X Installer.exe
"C:\Users\Admin\Desktop\SynapseX revamaped V1.3\Synapse X Installer.exe"
C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe
"C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "Windows Client" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5C05.tmp" /F
C:\Users\Admin\Desktop\SynapseX revamaped V1.3\Synapse X Installer.exe
"C:\Users\Admin\Desktop\SynapseX revamaped V1.3\Synapse X Installer.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "Windows Client" /XML "C:\Users\Admin\AppData\Local\Temp\tmp80B4.tmp" /F
C:\Users\Admin\Desktop\SynapseX revamaped V1.3\bin\OoxIi8qtt.exe
"C:\Users\Admin\Desktop\SynapseX revamaped V1.3\bin\OoxIi8qtt.exe"
C:\Users\Admin\Desktop\SynapseX revamaped V1.3\Synapse X Installer.exe
"C:\Users\Admin\Desktop\SynapseX revamaped V1.3\Synapse X Installer.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "Windows Client" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE7D0.tmp" /F
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.1.219:1234 | N/A | tcp |
| N/A | 192.168.1.219:1234 | N/A | tcp |
| N/A | 192.168.1.219:1234 | N/A | tcp |
| N/A | 192.168.1.219:1234 | N/A | tcp |
| N/A | 192.168.1.219:1234 | N/A | tcp |
Files
C:\Users\Admin\Desktop\SynapseX revamaped V1.3\Synapse X Installer.exe
| MD5 | 769aad21a347b7576895910e55970390 |
| SHA1 | 36831993993050af72ea201cfa6ebc4726860e56 |
| SHA256 | 72e0f8bf690b647ae965d9a99f89c4f04c3b9500aac53f2a3fd376a2546b287a |
| SHA512 | 9bb36a376f0b3e8a26a813f1054bf92a9ca737bd9eb96403d28b4edb81c361408a058e5ccefda3e44bbf4943d9799203665161b02394d35a05faa20851f670a5 |
memory/2380-32-0x00000000009E0000-0x00000000009F2000-memory.dmp
memory/2928-40-0x00000000009C0000-0x00000000009D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp5C05.tmp
| MD5 | a27e485b47a3c136c01199b55f08c0d8 |
| SHA1 | 99a6c183d0673217570cf2e5efcc8bf44d78f483 |
| SHA256 | 0c297eec1e3f58624331b58ae22a57cdd344071d58942c6897bb6ae1409e95df |
| SHA512 | 386fe030cbcb380350e5e5cc8179b76115601ad9b322f90a9d71f76fb2468993986a224796b489c600b4a388d76584772369259ac05d64a6551978e3c9102b60 |
memory/2792-44-0x0000000000CB0000-0x0000000000CC2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp80B4.tmp
| MD5 | 52953356462e0df5b41269e4b757acbe |
| SHA1 | f6778ffad7195ace77bc450caea9ae618d912d74 |
| SHA256 | b4178bcc8cef3da00fac9a5cb727591cbb97cd6cbe58ad73369d7286dce31475 |
| SHA512 | 679729e31e10e514064a22acee4a6d7fe2a53817abfc48784e4611758c5ff3413105249e50428db6c68e396b52ae8a5847aa3b76c1a2d24ee0b66c7c3e137fc0 |
C:\Users\Admin\Desktop\SynapseX revamaped V1.3\bin\OoxIi8qtt.exe
| MD5 | a48d6b525da2501d8ec661f2f2f1b0e8 |
| SHA1 | 5737e465e5ffbed6b51e6775b5e05b5769f89e6b |
| SHA256 | a6e52cc20913ae168b7dcbb923ea8cd7bdda93e43399ec22a85dabfab14ddf3a |
| SHA512 | 3cf1d6acbf1a3c3e99739af505b57aef7e8db5a2a84db2310c1d6490a097e11065510d2aaaac6ea71fd226b421d87be216993528e245e0bdee9b6000e68e32ab |
memory/1440-49-0x00000000011D0000-0x00000000012E8000-memory.dmp
memory/1440-50-0x0000000000CE0000-0x0000000000D8A000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-20 14:47
Reported
2024-05-20 14:50
Platform
win7-20231129-en
Max time kernel
149s
Max time network
138s
Command Line
Signatures
XenorRat
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\Synapse X Installer.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\Synapse X Installer.exe
"C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\Synapse X Installer.exe"
C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe
"C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "Windows Client" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB08.tmp" /F
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.1.219:1234 | N/A | tcp |
| N/A | 192.168.1.219:1234 | N/A | tcp |
| N/A | 192.168.1.219:1234 | N/A | tcp |
| N/A | 192.168.1.219:1234 | N/A | tcp |
| N/A | 192.168.1.219:1234 | N/A | tcp |
Files
memory/3044-0-0x0000000074DCE000-0x0000000074DCF000-memory.dmp
memory/3044-1-0x00000000002A0000-0x00000000002B2000-memory.dmp
\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe
| MD5 | 769aad21a347b7576895910e55970390 |
| SHA1 | 36831993993050af72ea201cfa6ebc4726860e56 |
| SHA256 | 72e0f8bf690b647ae965d9a99f89c4f04c3b9500aac53f2a3fd376a2546b287a |
| SHA512 | 9bb36a376f0b3e8a26a813f1054bf92a9ca737bd9eb96403d28b4edb81c361408a058e5ccefda3e44bbf4943d9799203665161b02394d35a05faa20851f670a5 |
memory/1792-9-0x0000000000390000-0x00000000003A2000-memory.dmp
memory/1792-10-0x0000000074DC0000-0x00000000754AE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpB08.tmp
| MD5 | a27e485b47a3c136c01199b55f08c0d8 |
| SHA1 | 99a6c183d0673217570cf2e5efcc8bf44d78f483 |
| SHA256 | 0c297eec1e3f58624331b58ae22a57cdd344071d58942c6897bb6ae1409e95df |
| SHA512 | 386fe030cbcb380350e5e5cc8179b76115601ad9b322f90a9d71f76fb2468993986a224796b489c600b4a388d76584772369259ac05d64a6551978e3c9102b60 |
memory/1792-13-0x0000000074DC0000-0x00000000754AE000-memory.dmp
memory/1792-14-0x0000000074DC0000-0x00000000754AE000-memory.dmp
memory/1792-15-0x0000000074DC0000-0x00000000754AE000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-20 14:47
Reported
2024-05-20 14:50
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.bin | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\bin_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\bin_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\bin_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\bin_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\bin_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\.bin\ = "bin_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\bin_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1384 wrote to memory of 1452 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1384 wrote to memory of 1452 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1384 wrote to memory of 1452 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1452 wrote to memory of 2896 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 1452 wrote to memory of 2896 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 1452 wrote to memory of 2896 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 1452 wrote to memory of 2896 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\auth\internal\3132e54eb7c.bin"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\auth\internal\3132e54eb7c.bin
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\auth\internal\3132e54eb7c.bin"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | b4cb2f0ebcb8dcb07b23b70e226f0607 |
| SHA1 | 119e05eda1675734f1d3e886930ad0b1ac7ce8cd |
| SHA256 | ee7bab38725e5809cae435552eef9570de3a484d1b64979fdcf0e0e08d29de75 |
| SHA512 | baee2de235030a5dc50c54f9eb2fd1b2f560c1be732ebb16445aa80b287898bfe874e4bc115d51897c5385bdbcd929f9c58d76a8619d6ac7b839108e8ee437bf |
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-20 14:47
Reported
2024-05-20 14:50
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\auth\internal\3132e54eb7c.bin"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.89:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.89:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 89.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-20 14:47
Reported
2024-05-20 14:50
Platform
win7-20240508-en
Max time kernel
122s
Max time network
122s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\bin\OoxIi8qtt.exe
"C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\bin\OoxIi8qtt.exe"
Network
Files
memory/2184-0-0x000000007448E000-0x000000007448F000-memory.dmp
memory/2184-1-0x0000000000AE0000-0x0000000000BF8000-memory.dmp
memory/2184-2-0x0000000074480000-0x0000000074B6E000-memory.dmp
memory/2184-3-0x00000000049B0000-0x0000000004A5A000-memory.dmp
memory/2184-4-0x0000000074480000-0x0000000074B6E000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-20 14:47
Reported
2024-05-20 14:50
Platform
win10v2004-20240426-en
Max time kernel
130s
Max time network
125s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\bin\OoxIi8qtt.exe
"C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\bin\OoxIi8qtt.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/1268-0-0x00000000748AE000-0x00000000748AF000-memory.dmp
memory/1268-1-0x0000000000490000-0x00000000005A8000-memory.dmp
memory/1268-2-0x00000000748A0000-0x0000000075050000-memory.dmp
memory/1268-3-0x0000000005190000-0x000000000523A000-memory.dmp
memory/1268-4-0x00000000052D0000-0x0000000005320000-memory.dmp
memory/1268-6-0x00000000748A0000-0x0000000075050000-memory.dmp