Malware Analysis Report

2024-08-06 18:22

Sample ID 240527-wkwrxsde32
Target SynapseX.revamaped.V1.3.rar
SHA256 13f63c65ac270ce6d8f462791b1bb0ca64b8f7000f230b1c2ade64db617c5eac
Tags xenorat rat trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 13f63c65ac270ce6d8f462791b1bb0ca64b8f7000f230b1c2ade64db617c5eac

Threat Level: Known bad

The file SynapseX.revamaped.V1.3.rar was found to be: Known bad.

Malicious Activity Summary

xenorat rat trojan

Xenorat family

XenorRat

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-27 17:59

Signatures

Xenorat family

xenorat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-27 17:59

Reported

2024-05-27 18:02

Platform

win7-20240215-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\bin\OoxIi8qtt.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\bin\OoxIi8qtt.exe

"C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\bin\OoxIi8qtt.exe"

Network

N/A

Files

memory/2080-0-0x000000007496E000-0x000000007496F000-memory.dmp

memory/2080-1-0x0000000000070000-0x0000000000188000-memory.dmp

memory/2080-2-0x0000000074960000-0x000000007504E000-memory.dmp

memory/2080-3-0x0000000004540000-0x00000000045EA000-memory.dmp

memory/2080-4-0x0000000074960000-0x000000007504E000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-27 17:59

Reported

2024-05-27 18:02

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\bin\OoxIi8qtt.exe"

Signatures

XenorRat

trojan rat xenorat

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A (3 identical events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: 33 N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (53 identical events)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (52 identical events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 624 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\Synapse X Installer.exe C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe (3 identical events)
PID 5012 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe C:\Windows\SysWOW64\schtasks.exe (3 identical events)
PID 4296 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\Synapse X Installer.exe C:\Windows\SysWOW64\schtasks.exe (3 identical events)
PID 3224 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe C:\Windows\SysWOW64\schtasks.exe (3 identical events)

Processes

C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\bin\OoxIi8qtt.exe

"C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\bin\OoxIi8qtt.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\Synapse X Installer.exe

"C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\Synapse X Installer.exe"

C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe

"C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "Windows Client" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9A0.tmp" /F

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /7

C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\Synapse X Installer.exe

"C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\Synapse X Installer.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "Windows Client" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8567.tmp" /F

C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe

"C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "Windows Client" /XML "C:\Users\Admin\AppData\Local\Temp\tmp67C8.tmp" /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
N/A 192.168.1.219:1234 N/A tcp
US 8.8.8.8:53 96.136.73.23.in-addr.arpa udp
N/A 192.168.1.219:1234 N/A tcp
N/A 192.168.1.219:1234 N/A tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
N/A 192.168.1.219:1234 N/A tcp
N/A 192.168.1.219:1234 N/A tcp
N/A 192.168.1.219:1234 N/A tcp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files

memory/3064-0-0x0000000074ECE000-0x0000000074ECF000-memory.dmp

memory/3064-1-0x0000000000BC0000-0x0000000000CD8000-memory.dmp

memory/3064-2-0x0000000074EC0000-0x0000000075670000-memory.dmp

memory/3064-3-0x00000000057E0000-0x000000000588A000-memory.dmp

memory/3064-4-0x00000000058E0000-0x0000000005930000-memory.dmp

memory/3064-6-0x0000000074EC0000-0x0000000075670000-memory.dmp

memory/624-7-0x00000000002B0000-0x00000000002C2000-memory.dmp

memory/624-9-0x0000000074EC0000-0x0000000075670000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe

MD5 769aad21a347b7576895910e55970390
SHA1 36831993993050af72ea201cfa6ebc4726860e56
SHA256 72e0f8bf690b647ae965d9a99f89c4f04c3b9500aac53f2a3fd376a2546b287a
SHA512 9bb36a376f0b3e8a26a813f1054bf92a9ca737bd9eb96403d28b4edb81c361408a058e5ccefda3e44bbf4943d9799203665161b02394d35a05faa20851f670a5

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Synapse X Installer.exe.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

memory/624-22-0x0000000074EC0000-0x0000000075670000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9A0.tmp

MD5 a27e485b47a3c136c01199b55f08c0d8
SHA1 99a6c183d0673217570cf2e5efcc8bf44d78f483
SHA256 0c297eec1e3f58624331b58ae22a57cdd344071d58942c6897bb6ae1409e95df
SHA512 386fe030cbcb380350e5e5cc8179b76115601ad9b322f90a9d71f76fb2468993986a224796b489c600b4a388d76584772369259ac05d64a6551978e3c9102b60

memory/744-25-0x000001EFC40B0000-0x000001EFC40B1000-memory.dmp

memory/744-27-0x000001EFC40B0000-0x000001EFC40B1000-memory.dmp

memory/744-26-0x000001EFC40B0000-0x000001EFC40B1000-memory.dmp

memory/744-37-0x000001EFC40B0000-0x000001EFC40B1000-memory.dmp

memory/744-36-0x000001EFC40B0000-0x000001EFC40B1000-memory.dmp

memory/744-35-0x000001EFC40B0000-0x000001EFC40B1000-memory.dmp

memory/744-34-0x000001EFC40B0000-0x000001EFC40B1000-memory.dmp

memory/744-33-0x000001EFC40B0000-0x000001EFC40B1000-memory.dmp

memory/744-32-0x000001EFC40B0000-0x000001EFC40B1000-memory.dmp

memory/744-31-0x000001EFC40B0000-0x000001EFC40B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8567.tmp

MD5 a6c6a83993bb88fdfe551ca2ab5bf12f
SHA1 e55eedc482590ede32099df92b7fa71074a2b96f
SHA256 39799cfec57c25b1e20832019fd242ae6afc8054b242e7858e38e931b2f897dd
SHA512 b9db848d1c1cfeac05829088a4198726debf25ecf2402f1a79a6fbcb293b940186664ccf1d5887c4e56fc9d916cfa0c1df57af3bc4d27dd6b9e21aee7900b421

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-27 17:59

Reported

2024-05-27 18:02

Platform

win7-20240220-en

Max time kernel

121s

Max time network

122s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\auth\internal\3132e54eb7c.bin"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\bin_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.bin C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\bin_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\bin_auto_file\ C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.bin\ = "bin_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\bin_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\bin_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\bin_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\auth\internal\3132e54eb7c.bin"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\auth\internal\3132e54eb7c.bin

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\auth\internal\3132e54eb7c.bin"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 98630b85504b4a7344b6f4daa82d4cfe
SHA1 ec3e0f65aae99162f1a8593dcb23eda40cecbbea
SHA256 43d8f2fe6b3fa25b13ee915be2248dcf130124a79082b313b0618dc8bd36550a
SHA512 a729d78c88d698eb7c0ac08cdb8560fdb8650ace1604a9e4f5d7cf2e55cfd469db4daf8bab8e02b3ff60592ee22a36f8d6e8bfc9805e89dea4dee972db04d9d0

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 17:59

Reported

2024-05-27 18:00

Platform

win7-20240508-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 17:59

Reported

2024-05-27 18:02

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

94s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\SynapseX.revamaped.V1.3.rar

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\SynapseX.revamaped.V1.3.rar

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-27 17:59

Reported

2024-05-27 18:02

Platform

win7-20240221-en

Max time kernel

130s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\Synapse X Installer.exe"

Signatures

XenorRat

trojan rat xenorat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\Synapse X Installer.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2744 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\Synapse X Installer.exe C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe (7 identical events)
PID 3036 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe C:\Windows\SysWOW64\schtasks.exe (4 identical events)

Processes

C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\Synapse X Installer.exe

"C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\Synapse X Installer.exe"

C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe

"C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "Windows Client" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7B67.tmp" /F

Network

Country Destination Domain Proto
N/A 192.168.1.219:1234 N/A tcp
N/A 192.168.1.219:1234 N/A tcp
N/A 192.168.1.219:1234 N/A tcp
N/A 192.168.1.219:1234 N/A tcp
N/A 192.168.1.219:1234 N/A tcp

Files

memory/2744-0-0x000000007486E000-0x000000007486F000-memory.dmp

memory/2744-1-0x0000000000C50000-0x0000000000C62000-memory.dmp

\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe

MD5 769aad21a347b7576895910e55970390
SHA1 36831993993050af72ea201cfa6ebc4726860e56
SHA256 72e0f8bf690b647ae965d9a99f89c4f04c3b9500aac53f2a3fd376a2546b287a
SHA512 9bb36a376f0b3e8a26a813f1054bf92a9ca737bd9eb96403d28b4edb81c361408a058e5ccefda3e44bbf4943d9799203665161b02394d35a05faa20851f670a5

memory/3036-9-0x00000000002A0000-0x00000000002B2000-memory.dmp

memory/3036-10-0x0000000074860000-0x0000000074F4E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7B67.tmp

MD5 a27e485b47a3c136c01199b55f08c0d8
SHA1 99a6c183d0673217570cf2e5efcc8bf44d78f483
SHA256 0c297eec1e3f58624331b58ae22a57cdd344071d58942c6897bb6ae1409e95df
SHA512 386fe030cbcb380350e5e5cc8179b76115601ad9b322f90a9d71f76fb2468993986a224796b489c600b4a388d76584772369259ac05d64a6551978e3c9102b60

memory/3036-13-0x0000000074860000-0x0000000074F4E000-memory.dmp

memory/3036-14-0x0000000074860000-0x0000000074F4E000-memory.dmp

memory/3036-15-0x0000000074860000-0x0000000074F4E000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-27 17:59

Reported

2024-05-27 18:02

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\Synapse X Installer.exe"

Signatures

XenorRat

trojan rat xenorat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\Synapse X Installer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\Synapse X Installer.exe

"C:\Users\Admin\AppData\Local\Temp\SynapseX revamaped V1.3\Synapse X Installer.exe"

C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe

"C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "Windows Client" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2D45.tmp" /F

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
N/A 192.168.1.219:1234 N/A tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
N/A 192.168.1.219:1234 N/A tcp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
FR 216.58.214.74:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 74.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
N/A 192.168.1.219:1234 N/A tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
N/A 192.168.1.219:1234 N/A tcp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp
N/A 192.168.1.219:1234 N/A tcp

Files

memory/3364-0-0x0000000074EDE000-0x0000000074EDF000-memory.dmp

memory/3364-1-0x00000000003A0000-0x00000000003B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe

MD5 769aad21a347b7576895910e55970390
SHA1 36831993993050af72ea201cfa6ebc4726860e56
SHA256 72e0f8bf690b647ae965d9a99f89c4f04c3b9500aac53f2a3fd376a2546b287a
SHA512 9bb36a376f0b3e8a26a813f1054bf92a9ca737bd9eb96403d28b4edb81c361408a058e5ccefda3e44bbf4943d9799203665161b02394d35a05faa20851f670a5

memory/1432-14-0x0000000074ED0000-0x0000000075680000-memory.dmp

memory/1432-15-0x0000000074ED0000-0x0000000075680000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2D45.tmp

MD5 a27e485b47a3c136c01199b55f08c0d8
SHA1 99a6c183d0673217570cf2e5efcc8bf44d78f483
SHA256 0c297eec1e3f58624331b58ae22a57cdd344071d58942c6897bb6ae1409e95df
SHA512 386fe030cbcb380350e5e5cc8179b76115601ad9b322f90a9d71f76fb2468993986a224796b489c600b4a388d76584772369259ac05d64a6551978e3c9102b60

memory/1432-18-0x0000000074ED0000-0x0000000075680000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-27 17:59

Reported

2024-05-27 18:00

Platform

win10v2004-20240508-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A