Overview

overview

10

Static

static

10

Synapse X ...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    32s
  • max time network
    32s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/05/2024, 17:27

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Synapse X Installer.exe

  • Size

    43KB

  • MD5

    769aad21a347b7576895910e55970390

  • SHA1

    36831993993050af72ea201cfa6ebc4726860e56

  • SHA256

    72e0f8bf690b647ae965d9a99f89c4f04c3b9500aac53f2a3fd376a2546b287a

  • SHA512

    9bb36a376f0b3e8a26a813f1054bf92a9ca737bd9eb96403d28b4edb81c361408a058e5ccefda3e44bbf4943d9799203665161b02394d35a05faa20851f670a5

  • SSDEEP

    768:d/jqPyqisr4dGirXAHg5rbWDdJwtZ69e7Sd/bDXNJb7bTDa/o1IV27C1:tNqwohJKZ69eKjBJb7bT2o1IgC1

Score
10/10
xenoratrattrojan

Malware Config

Extracted

Family

xenorat

C2

192.168.1.219

Mutex

131313131323

Attributes
  • delay

    1000

  • install_path

    temp

  • port

    1234

  • startup_name

    Windows Client

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 38 IoCs
  • Suspicious use of SendNotifyMessage 37 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Synapse X Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\Synapse X Installer.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4048
    • C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe
      "C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3588
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "Windows Client" /XML "C:\Users\Admin\AppData\Local\Temp\tmp688D.tmp" /F
        3⤵
        • Creates scheduled task(s)
        PID:4808
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3592

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Synapse X Installer.exe.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe
    Filesize

    43KB

    MD5

    769aad21a347b7576895910e55970390

    SHA1

    36831993993050af72ea201cfa6ebc4726860e56

    SHA256

    72e0f8bf690b647ae965d9a99f89c4f04c3b9500aac53f2a3fd376a2546b287a

    SHA512

    9bb36a376f0b3e8a26a813f1054bf92a9ca737bd9eb96403d28b4edb81c361408a058e5ccefda3e44bbf4943d9799203665161b02394d35a05faa20851f670a5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp688D.tmp
    Filesize

    1KB

    MD5

    a27e485b47a3c136c01199b55f08c0d8

    SHA1

    99a6c183d0673217570cf2e5efcc8bf44d78f483

    SHA256

    0c297eec1e3f58624331b58ae22a57cdd344071d58942c6897bb6ae1409e95df

    SHA512

    386fe030cbcb380350e5e5cc8179b76115601ad9b322f90a9d71f76fb2468993986a224796b489c600b4a388d76584772369259ac05d64a6551978e3c9102b60

    Download Submit

  • memory/3588-31-0x0000000074950000-0x0000000075100000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3588-15-0x0000000074950000-0x0000000075100000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3592-20-0x000001B34D8B0000-0x000001B34D8B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3592-18-0x000001B34D8B0000-0x000001B34D8B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3592-19-0x000001B34D8B0000-0x000001B34D8B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3592-24-0x000001B34D8B0000-0x000001B34D8B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3592-25-0x000001B34D8B0000-0x000001B34D8B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3592-30-0x000001B34D8B0000-0x000001B34D8B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3592-29-0x000001B34D8B0000-0x000001B34D8B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3592-28-0x000001B34D8B0000-0x000001B34D8B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3592-27-0x000001B34D8B0000-0x000001B34D8B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3592-26-0x000001B34D8B0000-0x000001B34D8B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4048-0-0x000000007495E000-0x000000007495F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4048-1-0x0000000000B20000-0x0000000000B32000-memory.dmp

    Filesize

    72KB

    Download