5ad39be48dbd64accc2e81e8bcb4f65325fc119f283713ca5aa677869398c580 | Triage

Submit
Reports

Overview

overview

Static

static

1

SyncSpoofer.exe

windows7-x64

5

SyncSpoofer.exe

windows10-2004-x64

Sharing

General

Target

SyncSpoofer.exe
Size

2.5MB
Sample

240610-p8t5nsxajk
MD5

4c23a05e5ee3cbf9f770a04c434faead
SHA1

67bdadebdd222beae7097bbed9699aaf18282657
SHA256

5ad39be48dbd64accc2e81e8bcb4f65325fc119f283713ca5aa677869398c580
SHA512

ac46de9bb81356d35f4b4cc930d7c934ebc9ac1578d93291d15540c44588985ce8a1479cd790b4318595609e7d392938c1345256eb889cf071e5d0b8cbe0f232
SSDEEP

49152:jLTbqRkki0qgd0fsexLxZak//s3RA+SW4+VbuLpG8AVTyyu75jNi7MOZTFL:HaoDgw7aTB4W4+VgG8QTyrFJ8rNB

Score

10^/10

evasion execution persistence

Static task

static1

Behavioral task

behavioral1

Sample

SyncSpoofer.exe

Resource

win7-20240221-en

windows7-x64

3 signatures

150 seconds

Behavioral task

behavioral2

Sample

SyncSpoofer.exe

Resource

win10v2004-20240426-en

evasion execution persistence

windows10-2004-x64

26 signatures

150 seconds

Malware Config

Targets

- Target
  
  SyncSpoofer.exe
- Size
  
  2.5MB
- MD5
  
  4c23a05e5ee3cbf9f770a04c434faead
- SHA1
  
  67bdadebdd222beae7097bbed9699aaf18282657
- SHA256
  
  5ad39be48dbd64accc2e81e8bcb4f65325fc119f283713ca5aa677869398c580
- SHA512
  
  ac46de9bb81356d35f4b4cc930d7c934ebc9ac1578d93291d15540c44588985ce8a1479cd790b4318595609e7d392938c1345256eb889cf071e5d0b8cbe0f232
- SSDEEP
  
  49152:jLTbqRkki0qgd0fsexLxZak//s3RA+SW4+VbuLpG8AVTyyu75jNi7MOZTFL:HaoDgw7aTB4W4+VgG8QTyrFJ8rNB
Score

10^/10

execution evasion persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Nirsoft
- Blocklisted process makes network request
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Stops running service(s)
  evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

System Services

Service Execution

Persistence

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

behavioral2

evasionexecutionpersistence

© 2018-2025

Terms | Privacy