Analysis
max time kernel: 91s
max time network: 93s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64 arch:x86 image:win11-20240802-en locale:en-us os:windows11-21h2-x64 system
submitted: 29/08/2024, 01:09
Static task
static1
General
Target: SynZ.zip
Size: 51KB
MD5: b23eb8982c76332c7da86e438f37e390
SHA1: 81552549673b96a88ae76eca202f25df1fae912a
SHA256: 829b40fc8af48b5669e85eba8089f604b456783d60b29724aeb5824c08205271
SHA512: 93cf779ace6b752395ac006d6feb9459c1caeed51301c3f784fdb7875ce163ac915387b5777f5c87f8b3eddb46ca0842ffbe092995814599a500240e81a5c163
SSDEEP: 1536:5lH+sK5umOmSgfPHDj37BlX5adbzIqQo5s5y4RM/r6i6FRLJl:5lXmjLfPtlXSzqoa5YT6NHl
Malware Config
Extracted
xworm
one-qualified.gl.at.ply.gg:61458
Install_directory: %AppData%
install_file: USB.exe
Signatures

Detect Xworm Payload (2 IoCs)
resource  yara_rule
behavioral1/files/0x000200000002aaa9-85.dat  family_xworm
behavioral1/memory/1696-87-0x0000000000140000-0x000000000015C000-memory.dmp  family_xworm

Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid  Process
3516  powershell.exe
4992  powershell.exe
4244  powershell.exe
920  powershell.exe

Drops startup file (2 IoCs)
description  ioc  Process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TouchingBoys.lnk  SynZ.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TouchingBoys.lnk  SynZ.exe

Executes dropped EXE (2 IoCs)
pid  Process
1696  SynZ.exe
2268  TouchingBoys

Adds Run key to start application (2 TTPs, 1 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\TouchingBoys = "C:\\Users\\Admin\\AppData\\Roaming\\TouchingBoys"  SynZ.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
1  ip-api.com

Drops file in Windows directory (1 IoCs)
description  ioc  Process
File opened for modification  C:\Windows\SystemTemp  chrome.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
description  ioc  Process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe

Modifies data under HKEY_USERS (2 IoCs)
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry  chrome.exe
Set value (int)  \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133693674421157704"  chrome.exe

Modifies registry class (1 IoCs)
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings  chrome.exe

NTFS ADS (1 IoCs)
description  ioc  Process
File opened for modification  C:\Users\Admin\Downloads\SynZ.zip:Zone.Identifier  chrome.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
2632  schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process 3564 chrome.exe 3564 chrome.exe 920 powershell.exe 920 powershell.exe 920 powershell.exe 3516 powershell.exe 3516 powershell.exe 3516 powershell.exe 4992 powershell.exe 4992 powershell.exe 4992 powershell.exe 4244 powershell.exe 4244 powershell.exe 4244 powershell.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe 1696 SynZ.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
pid  Process
3564  chrome.exe
3564  chrome.exe
3564  chrome.exe
3564  chrome.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description pid Process Token: SeShutdownPrivilege 3564 chrome.exe Token: SeCreatePagefilePrivilege 3564 chrome.exe Token: SeShutdownPrivilege 3564 chrome.exe Token: SeCreatePagefilePrivilege 3564 chrome.exe Token: SeShutdownPrivilege 3564 chrome.exe Token: SeCreatePagefilePrivilege 3564 chrome.exe Token: SeShutdownPrivilege 3564 chrome.exe Token: SeCreatePagefilePrivilege 3564 chrome.exe Token: SeShutdownPrivilege 3564 chrome.exe Token: SeCreatePagefilePrivilege 3564 chrome.exe Token: SeShutdownPrivilege 3564 chrome.exe Token: SeCreatePagefilePrivilege 3564 chrome.exe Token: SeShutdownPrivilege 3564 chrome.exe Token: SeCreatePagefilePrivilege 3564 chrome.exe Token: SeShutdownPrivilege 3564 chrome.exe Token: SeCreatePagefilePrivilege 3564 chrome.exe Token: SeShutdownPrivilege 3564 chrome.exe Token: SeCreatePagefilePrivilege 3564 chrome.exe Token: SeShutdownPrivilege 3564 chrome.exe Token: SeCreatePagefilePrivilege 3564 chrome.exe Token: SeShutdownPrivilege 3564 chrome.exe Token: SeCreatePagefilePrivilege 3564 chrome.exe Token: SeShutdownPrivilege 3564 chrome.exe Token: SeCreatePagefilePrivilege 3564 chrome.exe Token: SeShutdownPrivilege 3564 chrome.exe Token: SeCreatePagefilePrivilege 3564 chrome.exe Token: SeShutdownPrivilege 3564 chrome.exe Token: SeCreatePagefilePrivilege 3564 chrome.exe Token: SeShutdownPrivilege 3564 chrome.exe Token: SeCreatePagefilePrivilege 3564 chrome.exe Token: SeShutdownPrivilege 3564 chrome.exe Token: SeCreatePagefilePrivilege 3564 chrome.exe Token: SeShutdownPrivilege 3564 chrome.exe Token: SeCreatePagefilePrivilege 3564 chrome.exe Token: SeShutdownPrivilege 3564 chrome.exe Token: SeCreatePagefilePrivilege 3564 chrome.exe Token: SeShutdownPrivilege 3564 chrome.exe Token: SeCreatePagefilePrivilege 3564 chrome.exe Token: SeShutdownPrivilege 3564 chrome.exe Token: SeCreatePagefilePrivilege 3564 chrome.exe Token: SeRestorePrivilege 3276 7zG.exe Token: 35 3276 7zG.exe Token: SeSecurityPrivilege 3276 7zG.exe Token: SeSecurityPrivilege 3276 
7zG.exe Token: SeShutdownPrivilege 3564 chrome.exe Token: SeCreatePagefilePrivilege 3564 chrome.exe Token: SeShutdownPrivilege 3564 chrome.exe Token: SeCreatePagefilePrivilege 3564 chrome.exe Token: SeShutdownPrivilege 3564 chrome.exe Token: SeCreatePagefilePrivilege 3564 chrome.exe Token: SeShutdownPrivilege 3564 chrome.exe Token: SeCreatePagefilePrivilege 3564 chrome.exe Token: SeShutdownPrivilege 3564 chrome.exe Token: SeCreatePagefilePrivilege 3564 chrome.exe Token: SeShutdownPrivilege 3564 chrome.exe Token: SeCreatePagefilePrivilege 3564 chrome.exe Token: SeShutdownPrivilege 3564 chrome.exe Token: SeCreatePagefilePrivilege 3564 chrome.exe Token: SeShutdownPrivilege 3564 chrome.exe Token: SeCreatePagefilePrivilege 3564 chrome.exe Token: SeShutdownPrivilege 3564 chrome.exe Token: SeCreatePagefilePrivilege 3564 chrome.exe Token: SeDebugPrivilege 1696 SynZ.exe Token: SeShutdownPrivilege 3564 chrome.exe -
Suspicious use of FindShellTrayWindow (35 IoCs)
pid Process 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3276 7zG.exe 3564 chrome.exe -
Suspicious use of SendNotifyMessage (12 IoCs)
pid Process 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe 3564 chrome.exe -
Suspicious use of SetWindowsHookEx (1 IoCs)
pid  Process
1696  SynZ.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description pid Process procid_target PID 3564 wrote to memory of 2784 3564 chrome.exe 85 PID 3564 wrote to memory of 2784 3564 chrome.exe 85 PID 3564 wrote to memory of 3492 3564 chrome.exe 86 PID 3564 wrote to memory of 3492 3564 chrome.exe 86 PID 3564 wrote to memory of 3492 3564 chrome.exe 86 PID 3564 wrote to memory of 3492 3564 chrome.exe 86 PID 3564 wrote to memory of 3492 3564 chrome.exe 86 PID 3564 wrote to memory of 3492 3564 chrome.exe 86 PID 3564 wrote to memory of 3492 3564 chrome.exe 86 PID 3564 wrote to memory of 3492 3564 chrome.exe 86 PID 3564 wrote to memory of 3492 3564 chrome.exe 86 PID 3564 wrote to memory of 3492 3564 chrome.exe 86 PID 3564 wrote to memory of 3492 3564 chrome.exe 86 PID 3564 wrote to memory of 3492 3564 chrome.exe 86 PID 3564 wrote to memory of 3492 3564 chrome.exe 86 PID 3564 wrote to memory of 3492 3564 chrome.exe 86 PID 3564 wrote to memory of 3492 3564 chrome.exe 86 PID 3564 wrote to memory of 3492 3564 chrome.exe 86 PID 3564 wrote to memory of 3492 3564 chrome.exe 86 PID 3564 wrote to memory of 3492 3564 chrome.exe 86 PID 3564 wrote to memory of 3492 3564 chrome.exe 86 PID 3564 wrote to memory of 3492 3564 chrome.exe 86 PID 3564 wrote to memory of 3492 3564 chrome.exe 86 PID 3564 wrote to memory of 3492 3564 chrome.exe 86 PID 3564 wrote to memory of 3492 3564 chrome.exe 86 PID 3564 wrote to memory of 3492 3564 chrome.exe 86 PID 3564 wrote to memory of 3492 3564 chrome.exe 86 PID 3564 wrote to memory of 3492 3564 chrome.exe 86 PID 3564 wrote to memory of 3492 3564 chrome.exe 86 PID 3564 wrote to memory of 3492 3564 chrome.exe 86 PID 3564 wrote to memory of 3492 3564 chrome.exe 86 PID 3564 wrote to memory of 3492 3564 chrome.exe 86 PID 3564 wrote to memory of 3992 3564 chrome.exe 87 PID 3564 wrote to memory of 3992 3564 chrome.exe 87 PID 3564 wrote to memory of 1604 3564 chrome.exe 88 PID 3564 wrote to memory of 1604 3564 chrome.exe 88 PID 3564 wrote to memory of 1604 3564 chrome.exe 88 PID 3564 wrote to memory of 1604 3564 
chrome.exe 88 PID 3564 wrote to memory of 1604 3564 chrome.exe 88 PID 3564 wrote to memory of 1604 3564 chrome.exe 88 PID 3564 wrote to memory of 1604 3564 chrome.exe 88 PID 3564 wrote to memory of 1604 3564 chrome.exe 88 PID 3564 wrote to memory of 1604 3564 chrome.exe 88 PID 3564 wrote to memory of 1604 3564 chrome.exe 88 PID 3564 wrote to memory of 1604 3564 chrome.exe 88 PID 3564 wrote to memory of 1604 3564 chrome.exe 88 PID 3564 wrote to memory of 1604 3564 chrome.exe 88 PID 3564 wrote to memory of 1604 3564 chrome.exe 88 PID 3564 wrote to memory of 1604 3564 chrome.exe 88 PID 3564 wrote to memory of 1604 3564 chrome.exe 88 PID 3564 wrote to memory of 1604 3564 chrome.exe 88 PID 3564 wrote to memory of 1604 3564 chrome.exe 88 PID 3564 wrote to memory of 1604 3564 chrome.exe 88 PID 3564 wrote to memory of 1604 3564 chrome.exe 88 PID 3564 wrote to memory of 1604 3564 chrome.exe 88 PID 3564 wrote to memory of 1604 3564 chrome.exe 88 PID 3564 wrote to memory of 1604 3564 chrome.exe 88 PID 3564 wrote to memory of 1604 3564 chrome.exe 88 PID 3564 wrote to memory of 1604 3564 chrome.exe 88 PID 3564 wrote to memory of 1604 3564 chrome.exe 88 PID 3564 wrote to memory of 1604 3564 chrome.exe 88 PID 3564 wrote to memory of 1604 3564 chrome.exe 88 PID 3564 wrote to memory of 1604 3564 chrome.exe 88 PID 3564 wrote to memory of 1604 3564 chrome.exe 88 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\SynZ.zip
  PID: 4984

"C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 3564
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7ffd38c3cc40,0x7ffd38c3cc4c,0x7ffd38c3cc58
      PID: 2784
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1888,i,5487713313383339246,10302230247866286823,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1884 /prefetch:2
      PID: 3492
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,5487713313383339246,10302230247866286823,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2164 /prefetch:3
      PID: 3992
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,5487713313383339246,10302230247866286823,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2240 /prefetch:8
      PID: 1604
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,5487713313383339246,10302230247866286823,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3280 /prefetch:1
      PID: 964
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,5487713313383339246,10302230247866286823,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3336 /prefetch:1
      PID: 916
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4468,i,5487713313383339246,10302230247866286823,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4484 /prefetch:1
      PID: 3584
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4688,i,5487713313383339246,10302230247866286823,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4884 /prefetch:8
      PID: 3308
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4904,i,5487713313383339246,10302230247866286823,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4964 /prefetch:8
      PID: 4552
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4416,i,5487713313383339246,10302230247866286823,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4584 /prefetch:1
      PID: 2752
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4892,i,5487713313383339246,10302230247866286823,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5100 /prefetch:8
      - NTFS ADS
      PID: 216
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3732,i,5487713313383339246,10302230247866286823,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4620 /prefetch:8
      PID: 3600
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3752,i,5487713313383339246,10302230247866286823,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5276 /prefetch:8
      PID: 4320

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
  PID: 4420

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
  PID: 2156

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4980

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\SynZ\" -spe -an -ai#7zMap29041:70:7zEvent30429
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 3276

"C:\Users\Admin\Downloads\SynZ\SynZ.exe"
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 1696
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\SynZ\SynZ.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      PID: 920
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SynZ.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      PID: 3516
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\TouchingBoys'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      PID: 4992
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'TouchingBoys'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      PID: 4244
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "TouchingBoys" /tr "C:\Users\Admin\AppData\Roaming\TouchingBoys"
      - Scheduled Task/Job: Scheduled Task
      PID: 2632

C:\Users\Admin\AppData\Roaming\TouchingBoys
  - Executes dropped EXE
  PID: 2268
Network
MITRE ATT&CK Enterprise v15

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads