Overview

overview

10

Static

static

10

SynapseX.r....3.rar

windows7-x64

SynapseX.r....3.rar

windows10-2004-x64

3

SynapseX r...er.exe

windows7-x64

10

SynapseX r...er.exe

windows10-2004-x64

10

SynapseX r...7c.bin

windows7-x64

3

SynapseX r...7c.bin

windows10-2004-x64

SynapseX r...tt.exe

windows7-x64

1

SynapseX r...tt.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-05-2024 17:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SynapseX revamaped V1.3/bin/OoxIi8qtt.exe

  • Size

    1.1MB

  • MD5

    a48d6b525da2501d8ec661f2f2f1b0e8

  • SHA1

    5737e465e5ffbed6b51e6775b5e05b5769f89e6b

  • SHA256

    a6e52cc20913ae168b7dcbb923ea8cd7bdda93e43399ec22a85dabfab14ddf3a

  • SHA512

    3cf1d6acbf1a3c3e99739af505b57aef7e8db5a2a84db2310c1d6490a097e11065510d2aaaac6ea71fd226b421d87be216993528e245e0bdee9b6000e68e32ab

  • SSDEEP

    24576:5EvX2R7XLISXF8ElQlt8K9MlOZNsST2R7:qvX2VLIS2Jt89LST2

Score
10/10
xenoratrattrojan

Malware Config

Extracted

Family

xenorat

C2

192.168.1.219

Mutex

131313131323

Attributes
  • delay

    1000

  • install_path

    temp

  • port

    1234

  • startup_name

    Windows Client

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Executes dropped EXE 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 53 IoCs
  • Suspicious use of SendNotifyMessage 52 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\bin\OoxIi8qtt.exe
    "C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\bin\OoxIi8qtt.exe"
    1⤵
      PID:3064
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2808
      • C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\Synapse X Installer.exe
        "C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\Synapse X Installer.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:624
        • C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe
          "C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:5012
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks.exe" /Create /TN "Windows Client" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9A0.tmp" /F
            3⤵
            • Creates scheduled task(s)
            PID:4748
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /7
        1⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:744
      • C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\Synapse X Installer.exe
        "C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\Synapse X Installer.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:4296
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /Create /TN "Windows Client" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8567.tmp" /F
          2⤵
          • Creates scheduled task(s)
          PID:4284
      • C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe
        "C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3224
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /Create /TN "Windows Client" /XML "C:\Users\Admin\AppData\Local\Temp\tmp67C8.tmp" /F
          2⤵
          • Creates scheduled task(s)
          PID:2572

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Persistence

      Scheduled Task/Job

      1
      T1053

      Privilege Escalation

      Scheduled Task/Job

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      Peripheral Device Discovery

      1
      T1120

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Synapse X Installer.exe.log
        Filesize

        226B

        MD5

        916851e072fbabc4796d8916c5131092

        SHA1

        d48a602229a690c512d5fdaf4c8d77547a88e7a2

        SHA256

        7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

        SHA512

        07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe
        Filesize

        43KB

        MD5

        769aad21a347b7576895910e55970390

        SHA1

        36831993993050af72ea201cfa6ebc4726860e56

        SHA256

        72e0f8bf690b647ae965d9a99f89c4f04c3b9500aac53f2a3fd376a2546b287a

        SHA512

        9bb36a376f0b3e8a26a813f1054bf92a9ca737bd9eb96403d28b4edb81c361408a058e5ccefda3e44bbf4943d9799203665161b02394d35a05faa20851f670a5

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmp8567.tmp
        Filesize

        1KB

        MD5

        a6c6a83993bb88fdfe551ca2ab5bf12f

        SHA1

        e55eedc482590ede32099df92b7fa71074a2b96f

        SHA256

        39799cfec57c25b1e20832019fd242ae6afc8054b242e7858e38e931b2f897dd

        SHA512

        b9db848d1c1cfeac05829088a4198726debf25ecf2402f1a79a6fbcb293b940186664ccf1d5887c4e56fc9d916cfa0c1df57af3bc4d27dd6b9e21aee7900b421

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmp9A0.tmp
        Filesize

        1KB

        MD5

        a27e485b47a3c136c01199b55f08c0d8

        SHA1

        99a6c183d0673217570cf2e5efcc8bf44d78f483

        SHA256

        0c297eec1e3f58624331b58ae22a57cdd344071d58942c6897bb6ae1409e95df

        SHA512

        386fe030cbcb380350e5e5cc8179b76115601ad9b322f90a9d71f76fb2468993986a224796b489c600b4a388d76584772369259ac05d64a6551978e3c9102b60

        Download Submit
      • memory/624-9-0x0000000074EC0000-0x0000000075670000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/624-22-0x0000000074EC0000-0x0000000075670000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/624-7-0x00000000002B0000-0x00000000002C2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/744-37-0x000001EFC40B0000-0x000001EFC40B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/744-35-0x000001EFC40B0000-0x000001EFC40B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/744-31-0x000001EFC40B0000-0x000001EFC40B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/744-32-0x000001EFC40B0000-0x000001EFC40B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/744-33-0x000001EFC40B0000-0x000001EFC40B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/744-25-0x000001EFC40B0000-0x000001EFC40B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/744-27-0x000001EFC40B0000-0x000001EFC40B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/744-26-0x000001EFC40B0000-0x000001EFC40B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/744-34-0x000001EFC40B0000-0x000001EFC40B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/744-36-0x000001EFC40B0000-0x000001EFC40B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3064-6-0x0000000074EC0000-0x0000000075670000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/3064-0-0x0000000074ECE000-0x0000000074ECF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3064-2-0x0000000074EC0000-0x0000000075670000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/3064-3-0x00000000057E0000-0x000000000588A000-memory.dmp
        Filesize

        680KB

        Download
      • memory/3064-4-0x00000000058E0000-0x0000000005930000-memory.dmp
        Filesize

        320KB

        Download
      • memory/3064-1-0x0000000000BC0000-0x0000000000CD8000-memory.dmp
        Filesize

        1.1MB

        Download