Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Synapse X ...er.exe

windows7-x64

10

Synapse X ...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/06/2024, 04:00 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Synapse X Launcher.exe

  • Size

    45KB

  • MD5

    13325ceba29ec848cee74cc4b4c34816

  • SHA1

    7c7408870da2fe079aa460fe0d237e12e19cb7cb

  • SHA256

    c05a571f0f7e4233697b7590f7f4329e7da984d6fcf71a2ce521df984aa2cd54

  • SHA512

    e3c069485b14679bed54b47d0e914417e00e526bc6ffd2e77767c86e30267abc037b1f974add86672c9b8cc4d40ccb1420929641b495e419aa8c6bcac585e220

  • SSDEEP

    768:JdhO/poiiUcjlJInRJH9Xqk5nWEZ5SbTDaNWI7CPW5A:Hw+jjgnrH9XqcnW85SbTsWIY

Score
10/10
xenoratrattrojan

Malware Config

Extracted

Family

xenorat

C2

anyone-blogging.gl.at.ply.gg

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    500

  • install_path

    temp

  • port

    22284

  • startup_name

    Windows

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Synapse X Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\Synapse X Launcher.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2800
    • C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Launcher.exe
      "C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Launcher.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4272
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "Windows" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4873.tmp" /F
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3624

Network

  • flag-us
    DNS
    anyone-blogging.gl.at.ply.gg
    Synapse X Launcher.exe
    Remote address:
    8.8.8.8:53
    Request
    anyone-blogging.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    anyone-blogging.gl.at.ply.gg
    Synapse X Launcher.exe
    Remote address:
    8.8.8.8:53
    Request
    anyone-blogging.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    anyone-blogging.gl.at.ply.gg
    Synapse X Launcher.exe
    Remote address:
    8.8.8.8:53
    Request
    anyone-blogging.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    anyone-blogging.gl.at.ply.gg
    Synapse X Launcher.exe
    Remote address:
    8.8.8.8:53
    Request
    anyone-blogging.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    anyone-blogging.gl.at.ply.gg
    Synapse X Launcher.exe
    Remote address:
    8.8.8.8:53
    Request
    anyone-blogging.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    anyone-blogging.gl.at.ply.gg
    Synapse X Launcher.exe
    Remote address:
    8.8.8.8:53
    Request
    anyone-blogging.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    anyone-blogging.gl.at.ply.gg
    Synapse X Launcher.exe
    Remote address:
    8.8.8.8:53
    Request
    anyone-blogging.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    anyone-blogging.gl.at.ply.gg
    Synapse X Launcher.exe
    Remote address:
    8.8.8.8:53
    Request
    anyone-blogging.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    anyone-blogging.gl.at.ply.gg
    Synapse X Launcher.exe
    Remote address:
    8.8.8.8:53
    Request
    anyone-blogging.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    anyone-blogging.gl.at.ply.gg
    Synapse X Launcher.exe
    Remote address:
    8.8.8.8:53
    Request
    anyone-blogging.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    anyone-blogging.gl.at.ply.gg
    Synapse X Launcher.exe
    Remote address:
    8.8.8.8:53
    Request
    anyone-blogging.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    anyone-blogging.gl.at.ply.gg
    Synapse X Launcher.exe
    Remote address:
    8.8.8.8:53
    Request
    anyone-blogging.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    anyone-blogging.gl.at.ply.gg
    Synapse X Launcher.exe
    Remote address:
    8.8.8.8:53
    Request
    anyone-blogging.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    anyone-blogging.gl.at.ply.gg
    Synapse X Launcher.exe
    Remote address:
    8.8.8.8:53
    Request
    anyone-blogging.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    anyone-blogging.gl.at.ply.gg
    Synapse X Launcher.exe
    Remote address:
    8.8.8.8:53
    Request
    anyone-blogging.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    anyone-blogging.gl.at.ply.gg
    Synapse X Launcher.exe
    Remote address:
    8.8.8.8:53
    Request
    anyone-blogging.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    anyone-blogging.gl.at.ply.gg
    Synapse X Launcher.exe
    Remote address:
    8.8.8.8:53
    Request
    anyone-blogging.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    anyone-blogging.gl.at.ply.gg
    Synapse X Launcher.exe
    Remote address:
    8.8.8.8:53
    Request
    anyone-blogging.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    anyone-blogging.gl.at.ply.gg
    Synapse X Launcher.exe
    Remote address:
    8.8.8.8:53
    Request
    anyone-blogging.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    anyone-blogging.gl.at.ply.gg
    Synapse X Launcher.exe
    Remote address:
    8.8.8.8:53
    Request
    anyone-blogging.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    anyone-blogging.gl.at.ply.gg
    Synapse X Launcher.exe
    Remote address:
    8.8.8.8:53
    Request
    anyone-blogging.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    anyone-blogging.gl.at.ply.gg
    Synapse X Launcher.exe
    Remote address:
    8.8.8.8:53
    Request
    anyone-blogging.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    anyone-blogging.gl.at.ply.gg
    Synapse X Launcher.exe
    Remote address:
    8.8.8.8:53
    Request
    anyone-blogging.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    anyone-blogging.gl.at.ply.gg
    Synapse X Launcher.exe
    Remote address:
    8.8.8.8:53
    Request
    anyone-blogging.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    anyone-blogging.gl.at.ply.gg
    Synapse X Launcher.exe
    Remote address:
    8.8.8.8:53
    Request
    anyone-blogging.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    anyone-blogging.gl.at.ply.gg
    Synapse X Launcher.exe
    Remote address:
    8.8.8.8:53
    Request
    anyone-blogging.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    anyone-blogging.gl.at.ply.gg
    Synapse X Launcher.exe
    Remote address:
    8.8.8.8:53
    Request
    anyone-blogging.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    anyone-blogging.gl.at.ply.gg
    Synapse X Launcher.exe
    Remote address:
    8.8.8.8:53
    Request
    anyone-blogging.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    anyone-blogging.gl.at.ply.gg
    Synapse X Launcher.exe
    Remote address:
    8.8.8.8:53
    Request
    anyone-blogging.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    anyone-blogging.gl.at.ply.gg
    Synapse X Launcher.exe
    Remote address:
    8.8.8.8:53
    Request
    anyone-blogging.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    anyone-blogging.gl.at.ply.gg
    Synapse X Launcher.exe
    Remote address:
    8.8.8.8:53
    Request
    anyone-blogging.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    anyone-blogging.gl.at.ply.gg
    Synapse X Launcher.exe
    Remote address:
    8.8.8.8:53
    Request
    anyone-blogging.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    anyone-blogging.gl.at.ply.gg
    Synapse X Launcher.exe
    Remote address:
    8.8.8.8:53
    Request
    anyone-blogging.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    anyone-blogging.gl.at.ply.gg
    Synapse X Launcher.exe
    Remote address:
    8.8.8.8:53
    Request
    anyone-blogging.gl.at.ply.gg
    IN A
  • 52.111.229.43:443
    322 B
     7
  • 8.8.8.8:53
    anyone-blogging.gl.at.ply.gg
    dns
    Synapse X Launcher.exe
    370 B
     5

    DNS Request

    anyone-blogging.gl.at.ply.gg

    DNS Request

    anyone-blogging.gl.at.ply.gg

    DNS Request

    anyone-blogging.gl.at.ply.gg

    DNS Request

    anyone-blogging.gl.at.ply.gg

    DNS Request

    anyone-blogging.gl.at.ply.gg

  • 8.8.8.8:53
    anyone-blogging.gl.at.ply.gg
    dns
    Synapse X Launcher.exe
    370 B
     5

    DNS Request

    anyone-blogging.gl.at.ply.gg

    DNS Request

    anyone-blogging.gl.at.ply.gg

    DNS Request

    anyone-blogging.gl.at.ply.gg

    DNS Request

    anyone-blogging.gl.at.ply.gg

    DNS Request

    anyone-blogging.gl.at.ply.gg

  • 8.8.8.8:53
    anyone-blogging.gl.at.ply.gg
    dns
    Synapse X Launcher.exe
    370 B
     5

    DNS Request

    anyone-blogging.gl.at.ply.gg

    DNS Request

    anyone-blogging.gl.at.ply.gg

    DNS Request

    anyone-blogging.gl.at.ply.gg

    DNS Request

    anyone-blogging.gl.at.ply.gg

    DNS Request

    anyone-blogging.gl.at.ply.gg

  • 8.8.8.8:53
    anyone-blogging.gl.at.ply.gg
    dns
    Synapse X Launcher.exe
    370 B
     5

    DNS Request

    anyone-blogging.gl.at.ply.gg

    DNS Request

    anyone-blogging.gl.at.ply.gg

    DNS Request

    anyone-blogging.gl.at.ply.gg

    DNS Request

    anyone-blogging.gl.at.ply.gg

    DNS Request

    anyone-blogging.gl.at.ply.gg

  • 8.8.8.8:53
    anyone-blogging.gl.at.ply.gg
    dns
    Synapse X Launcher.exe
    370 B
     5

    DNS Request

    anyone-blogging.gl.at.ply.gg

    DNS Request

    anyone-blogging.gl.at.ply.gg

    DNS Request

    anyone-blogging.gl.at.ply.gg

    DNS Request

    anyone-blogging.gl.at.ply.gg

    DNS Request

    anyone-blogging.gl.at.ply.gg

  • 8.8.8.8:53
    anyone-blogging.gl.at.ply.gg
    dns
    Synapse X Launcher.exe
    370 B
     5

    DNS Request

    anyone-blogging.gl.at.ply.gg

    DNS Request

    anyone-blogging.gl.at.ply.gg

    DNS Request

    anyone-blogging.gl.at.ply.gg

    DNS Request

    anyone-blogging.gl.at.ply.gg

    DNS Request

    anyone-blogging.gl.at.ply.gg

  • 8.8.8.8:53
    anyone-blogging.gl.at.ply.gg
    dns
    Synapse X Launcher.exe
    296 B
     4

    DNS Request

    anyone-blogging.gl.at.ply.gg

    DNS Request

    anyone-blogging.gl.at.ply.gg

    DNS Request

    anyone-blogging.gl.at.ply.gg

    DNS Request

    anyone-blogging.gl.at.ply.gg

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Synapse X Launcher.exe.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Launcher.exe
    Filesize

    45KB

    MD5

    13325ceba29ec848cee74cc4b4c34816

    SHA1

    7c7408870da2fe079aa460fe0d237e12e19cb7cb

    SHA256

    c05a571f0f7e4233697b7590f7f4329e7da984d6fcf71a2ce521df984aa2cd54

    SHA512

    e3c069485b14679bed54b47d0e914417e00e526bc6ffd2e77767c86e30267abc037b1f974add86672c9b8cc4d40ccb1420929641b495e419aa8c6bcac585e220

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp4873.tmp
    Filesize

    1KB

    MD5

    bfa2a91e547e0ff8c7a626855fec009a

    SHA1

    7a3ad834ea4a346a4a94957e0e9bc8a8e2f7548b

    SHA256

    6e7dd646584b20198083de0af47e031702aed514d4fcb226c3b80f504a175864

    SHA512

    93be0a795d6bc6051bb7ad8daec885bb703efc379be16ccf2ae5767197401e04b22b8988c84dedae09c6cc727ac7139a0552bf2603f102ba48a64d0b32b603aa

    Download Submit

  • memory/2800-0-0x000000007430E000-0x000000007430F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2800-1-0x0000000000E30000-0x0000000000E42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4272-15-0x0000000074300000-0x0000000074AB0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4272-16-0x0000000074300000-0x0000000074AB0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4272-19-0x0000000074300000-0x0000000074AB0000-memory.dmp

    Filesize

    7.7MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.