Analysis
- max time kernel: 1799s
- max time network: 1802s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 28-05-2024 02:35
Behavioral tasks
- behavioral1: SynapseX.Revamped.V1.5.rar (resource: win7-20240221-en)
- behavioral2: SynapseX.Revamped.V1.5.rar (resource: win10v2004-20240426-en)
- behavioral3: SynapseX Revamped V1.5/SynapseXBootstrapper.exe (resource: win7-20240221-en)
- behavioral4: SynapseX Revamped V1.5/SynapseXBootstrapper.exe (resource: win10v2004-20240508-en)
- behavioral5: SynapseX Revamped V1.5/bin/SynapseInjector.dll (resource: win7-20240419-en)
General
- Target: SynapseX.Revamped.V1.5.rar
- Size: 6.9MB
- MD5: 358e3fc465a47e440775cd04fe9e9650
- SHA1: c0dea173ba12149b325de5831c2e08d8c3ff7b21
- SHA256: 8739b236fb674c2c3516bc43ecf4b6583ea22ca0d4b2fe417b6223d654d52011
- SHA512: 1a8dad583487280053ec13a088f02f54177f2c14318d9edfc60121884e6bda8e06979c47fa2e9100db21ecedcb30431a1842c2a6ef3c69f20b703ea07865348f
- SSDEEP: 196608:SGOV4gKBR19F8lsJ7WJ+ZVNXARR+n9fmYclvlcf:SB4LFXKsJ7QmVNXARkVwl9cf
Malware Config
Extracted
- Family: quasar
- Version: 1.4.1
- Botnet: Windows Update
- C2: skbidiooiilet-31205.portmap.host:31205
- Mutex: b2f09b33-2e5b-4ffa-afbf-3f1aaed274a6
Attributes
- encryption_key: 6F721445F7E0B1CF58980D84A9D49F4458D4EFD9
- install_name: Update.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: WindowsUpdate
- subdirectory: Windows Update
Signatures
- Quasar payload (4 IoCs)
  resource / yara_rule:
    C:\Users\Admin\AppData\Local\Temp\7zOC6A74786\SynapseXBootstrapper.exe  family_quasar
    behavioral1/memory/2540-35-0x00000000002A0000-0x00000000005C4000-memory.dmp  family_quasar
    behavioral1/memory/2480-41-0x0000000001010000-0x0000000001334000-memory.dmp  family_quasar
    C:\Users\Admin\AppData\Local\Temp\7zOC6AC1DF8\.text  family_quasar
- Executes dropped EXE (2 IoCs)
  pid / process:
    2540  SynapseXBootstrapper.exe
    2480  Update.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / process:
    2560  schtasks.exe
    2500  schtasks.exe
- Modifies registry class (14 IoCs)
  description / ioc / process:
    Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\text_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"  rundll32.exe
    Key created      \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\text_auto_file\shell\edit\command  rundll32.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\text_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"  rundll32.exe
    Key created      \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\text_auto_file\shell\open  rundll32.exe
    Key created      \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\text_auto_file\shell\open\command  rundll32.exe
    Key created      \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\text_auto_file\shell  rundll32.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\text_auto_file\  rundll32.exe
    Key created      \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.text  rundll32.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.text\ = "text_auto_file"  rundll32.exe
    Key created      \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\text_auto_file\shell\edit  rundll32.exe
    Key created      \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings  rundll32.exe
    Key created      \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings  rundll32.exe
    Key created      \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings  rundll32.exe
    Key created      \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\text_auto_file  rundll32.exe
- Opens file in notepad (likely ransom note) (1 IoC)
  pid / process:
    2648  NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid / process:
    2668  7zFM.exe (4 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid / process:
    2668  7zFM.exe
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  description / pid / process:
    Token: SeRestorePrivilege   2668  7zFM.exe
    Token: 35                   2668  7zFM.exe
    Token: SeSecurityPrivilege  2668  7zFM.exe
    Token: SeDebugPrivilege     2540  SynapseXBootstrapper.exe
    Token: SeDebugPrivilege     2480  Update.exe
    Token: SeSecurityPrivilege  2668  7zFM.exe
    Token: SeSecurityPrivilege  2668  7zFM.exe
    Token: SeSecurityPrivilege  2668  7zFM.exe
    Token: SeSecurityPrivilege  2668  7zFM.exe
    Token: SeSecurityPrivilege  2668  7zFM.exe
- Suspicious use of FindShellTrayWindow (12 IoCs)
  pid / process:
    2668  7zFM.exe (7 events)
    2648  NOTEPAD.EXE (1 event)
    2668  7zFM.exe (4 events)
- Suspicious use of WriteProcessMemory (30 IoCs)
  source pid / source process -> target pid / target process (each pair logged 3 times):
    1284  cmd.exe                   -> 2668  7zFM.exe
    2668  7zFM.exe                  -> 2540  SynapseXBootstrapper.exe
    2540  SynapseXBootstrapper.exe  -> 2560  schtasks.exe
    2540  SynapseXBootstrapper.exe  -> 2480  Update.exe
    2480  Update.exe                -> 2500  schtasks.exe
    2668  7zFM.exe                  -> 1252  rundll32.exe
    2668  7zFM.exe                  -> 2648  NOTEPAD.EXE
    2668  7zFM.exe                  -> 2636  rundll32.exe
    2668  7zFM.exe                  -> 644   rundll32.exe
    644   rundll32.exe              -> 840   NOTEPAD.EXE
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\SynapseX.Revamped.V1.5.rar
  PID: 1284
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\SynapseX.Revamped.V1.5.rar"
    PID: 2668
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\7zOC6A74786\SynapseXBootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\7zOC6A74786\SynapseXBootstrapper.exe"
      PID: 2540
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe" /rl HIGHEST /f
        PID: 2560
        - Creates scheduled task(s)
      - C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe
        "C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe"
        PID: 2480
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\schtasks.exe
          "schtasks" /create /tn "WindowsUpdate" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Update\Update.exe" /rl HIGHEST /f
          PID: 2500
          - Creates scheduled task(s)
    - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\7zOC6A86607\1
      PID: 1252
      - Modifies registry class
    - C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOC6AFB068\version.txt
      PID: 2648
      - Opens file in notepad (likely ransom note)
      - Suspicious use of FindShellTrayWindow
    - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\7zOC6A71398\.text
      PID: 2636
      - Modifies registry class
    - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\7zOC6AC1DF8\.text
      PID: 644
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOC6AC1DF8\.text
        PID: 840
Network
MITRE ATT&CK Enterprise v15
Downloads