xworm | 829b40fc8af48b5669e85eba8089f604b456783d60b29724aeb5824c08205271

Resubmissions

29/08/2024, 01:09

240829-bh6twswdkf 10

29/08/2024, 01:06

240829-bgdrqawcke 3

Analysis

max time kernel
91s
max time network
93s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
29/08/2024, 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SynZ.zip
Size

51KB
MD5

b23eb8982c76332c7da86e438f37e390
SHA1

81552549673b96a88ae76eca202f25df1fae912a
SHA256

829b40fc8af48b5669e85eba8089f604b456783d60b29724aeb5824c08205271
SHA512

93cf779ace6b752395ac006d6feb9459c1caeed51301c3f784fdb7875ce163ac915387b5777f5c87f8b3eddb46ca0842ffbe092995814599a500240e81a5c163
SSDEEP

1536:5lH+sK5umOmSgfPHDj37BlX5adbzIqQo5s5y4RM/r6i6FRLJl:5lXmjLfPtlXSzqoa5YT6NHl

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

one-qualified.gl.at.ply.gg:61458

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000200000002aaa9-85.dat	family_xworm
behavioral1/memory/1696-87-0x0000000000140000-0x000000000015C000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3516	powershell.exe
4992	powershell.exe
4244	powershell.exe
920	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TouchingBoys.lnk	SynZ.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TouchingBoys.lnk	SynZ.exe

Executes dropped EXE 2 IoCs

pid	Process
1696	SynZ.exe
2268	TouchingBoys

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\TouchingBoys = "C:\\Users\\Admin\\AppData\\Roaming\\TouchingBoys"	SynZ.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133693674421157704"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\SynZ.zip:Zone.Identifier	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2632	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3564	chrome.exe
3564	chrome.exe
920	powershell.exe
920	powershell.exe
920	powershell.exe
3516	powershell.exe
3516	powershell.exe
3516	powershell.exe
4992	powershell.exe
4992	powershell.exe
4992	powershell.exe
4244	powershell.exe
4244	powershell.exe
4244	powershell.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe
1696	SynZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeRestorePrivilege	3276	7zG.exe
Token: 35	3276	7zG.exe
Token: SeSecurityPrivilege	3276	7zG.exe
Token: SeSecurityPrivilege	3276	7zG.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeShutdownPrivilege	3564	chrome.exe
Token: SeCreatePagefilePrivilege	3564	chrome.exe
Token: SeDebugPrivilege	1696	SynZ.exe
Token: SeShutdownPrivilege	3564	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3276	7zG.exe
3564	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe
3564	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1696	SynZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3564 wrote to memory of 2784	3564	chrome.exe	85
PID 3564 wrote to memory of 2784	3564	chrome.exe	85
PID 3564 wrote to memory of 3492	3564	chrome.exe	86
PID 3564 wrote to memory of 3492	3564	chrome.exe	86
PID 3564 wrote to memory of 3492	3564	chrome.exe	86
PID 3564 wrote to memory of 3492	3564	chrome.exe	86
PID 3564 wrote to memory of 3492	3564	chrome.exe	86
PID 3564 wrote to memory of 3492	3564	chrome.exe	86
PID 3564 wrote to memory of 3492	3564	chrome.exe	86
PID 3564 wrote to memory of 3492	3564	chrome.exe	86
PID 3564 wrote to memory of 3492	3564	chrome.exe	86
PID 3564 wrote to memory of 3492	3564	chrome.exe	86
PID 3564 wrote to memory of 3492	3564	chrome.exe	86
PID 3564 wrote to memory of 3492	3564	chrome.exe	86
PID 3564 wrote to memory of 3492	3564	chrome.exe	86
PID 3564 wrote to memory of 3492	3564	chrome.exe	86
PID 3564 wrote to memory of 3492	3564	chrome.exe	86
PID 3564 wrote to memory of 3492	3564	chrome.exe	86
PID 3564 wrote to memory of 3492	3564	chrome.exe	86
PID 3564 wrote to memory of 3492	3564	chrome.exe	86
PID 3564 wrote to memory of 3492	3564	chrome.exe	86
PID 3564 wrote to memory of 3492	3564	chrome.exe	86
PID 3564 wrote to memory of 3492	3564	chrome.exe	86
PID 3564 wrote to memory of 3492	3564	chrome.exe	86
PID 3564 wrote to memory of 3492	3564	chrome.exe	86
PID 3564 wrote to memory of 3492	3564	chrome.exe	86
PID 3564 wrote to memory of 3492	3564	chrome.exe	86
PID 3564 wrote to memory of 3492	3564	chrome.exe	86
PID 3564 wrote to memory of 3492	3564	chrome.exe	86
PID 3564 wrote to memory of 3492	3564	chrome.exe	86
PID 3564 wrote to memory of 3492	3564	chrome.exe	86
PID 3564 wrote to memory of 3492	3564	chrome.exe	86
PID 3564 wrote to memory of 3992	3564	chrome.exe	87
PID 3564 wrote to memory of 3992	3564	chrome.exe	87
PID 3564 wrote to memory of 1604	3564	chrome.exe	88
PID 3564 wrote to memory of 1604	3564	chrome.exe	88
PID 3564 wrote to memory of 1604	3564	chrome.exe	88
PID 3564 wrote to memory of 1604	3564	chrome.exe	88
PID 3564 wrote to memory of 1604	3564	chrome.exe	88
PID 3564 wrote to memory of 1604	3564	chrome.exe	88
PID 3564 wrote to memory of 1604	3564	chrome.exe	88
PID 3564 wrote to memory of 1604	3564	chrome.exe	88
PID 3564 wrote to memory of 1604	3564	chrome.exe	88
PID 3564 wrote to memory of 1604	3564	chrome.exe	88
PID 3564 wrote to memory of 1604	3564	chrome.exe	88
PID 3564 wrote to memory of 1604	3564	chrome.exe	88
PID 3564 wrote to memory of 1604	3564	chrome.exe	88
PID 3564 wrote to memory of 1604	3564	chrome.exe	88
PID 3564 wrote to memory of 1604	3564	chrome.exe	88
PID 3564 wrote to memory of 1604	3564	chrome.exe	88
PID 3564 wrote to memory of 1604	3564	chrome.exe	88
PID 3564 wrote to memory of 1604	3564	chrome.exe	88
PID 3564 wrote to memory of 1604	3564	chrome.exe	88
PID 3564 wrote to memory of 1604	3564	chrome.exe	88
PID 3564 wrote to memory of 1604	3564	chrome.exe	88
PID 3564 wrote to memory of 1604	3564	chrome.exe	88
PID 3564 wrote to memory of 1604	3564	chrome.exe	88
PID 3564 wrote to memory of 1604	3564	chrome.exe	88
PID 3564 wrote to memory of 1604	3564	chrome.exe	88
PID 3564 wrote to memory of 1604	3564	chrome.exe	88
PID 3564 wrote to memory of 1604	3564	chrome.exe	88
PID 3564 wrote to memory of 1604	3564	chrome.exe	88
PID 3564 wrote to memory of 1604	3564	chrome.exe	88
PID 3564 wrote to memory of 1604	3564	chrome.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\SynZ.zip
1⤵
PID:4984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7ffd38c3cc40,0x7ffd38c3cc4c,0x7ffd38c3cc58
  2⤵
  PID:2784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1888,i,5487713313383339246,10302230247866286823,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1884 /prefetch:2
  2⤵
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,5487713313383339246,10302230247866286823,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  PID:3992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,5487713313383339246,10302230247866286823,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2240 /prefetch:8
  2⤵
  PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,5487713313383339246,10302230247866286823,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,5487713313383339246,10302230247866286823,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4468,i,5487713313383339246,10302230247866286823,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4484 /prefetch:1
  2⤵
  PID:3584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4688,i,5487713313383339246,10302230247866286823,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  PID:3308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4904,i,5487713313383339246,10302230247866286823,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4964 /prefetch:8
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4416,i,5487713313383339246,10302230247866286823,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4584 /prefetch:1
  2⤵
  PID:2752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4892,i,5487713313383339246,10302230247866286823,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  - NTFS ADS
  PID:216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3732,i,5487713313383339246,10302230247866286823,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4620 /prefetch:8
  2⤵
  PID:3600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3752,i,5487713313383339246,10302230247866286823,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5276 /prefetch:8
  2⤵
  PID:4320

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2156

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4980

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\SynZ\" -spe -an -ai#7zMap29041:70:7zEvent30429
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3276

C:\Users\Admin\Downloads\SynZ\SynZ.exe
"C:\Users\Admin\Downloads\SynZ\SynZ.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\SynZ\SynZ.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SynZ.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\TouchingBoys'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'TouchingBoys'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4244
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "TouchingBoys" /tr "C:\Users\Admin\AppData\Roaming\TouchingBoys"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2632

C:\Users\Admin\AppData\Roaming\TouchingBoys
C:\Users\Admin\AppData\Roaming\TouchingBoys
1⤵
- Executes dropped EXE
PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
efcdeb075cbc3dcfc3ea459af64b755f

SHA1
7076a4071522181cba32a1cf4aa95ad9468924f3

SHA256
3745cf08a378668232fa10e71b92bb13e1dd52c52dd4632240b0ba096041b784

SHA512
1887c62a80b0711c95f183f443a4bcee202ed1e713baecacefecc47e6f9ff83693e334ce9b90ca75172586abf2acd0462bbb21ebde26b052d34b1c8ffb5e62b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
38d5d10559008fa192707c35fb7107cf

SHA1
e943c0b9720e50b268ad687f6596ec43dac0511b

SHA256
567a0f4910f289ed4bdaadcbd14fc82cc2fdce9353412e3a55276ddf6c4d0e9d

SHA512
e9ba8ec28d8cf7be275a0a6b2a68fc99da5fc4a8862a4ca923075c1dacb8697957ef7b61bc292b5f3044ae68ff8cce749cf15a9506be06a8bdea97e0bc1272f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
e8bd634b466293469e92095c5c516bc3

SHA1
e814afa96aafc8ccae4a632761a90166a513f820

SHA256
5ea557f3e07b0ae228f8b69d2c7b065e673435b9076b0231293672465ebb192b

SHA512
6c6afaae03cdcdf94b5940cb41bb2f5910376ec77715c46cde1419198752dfb694d386c5f531e742e956914cec86b82dd66b5d0721b220fa41245fb5d4b25136

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
68aa2e65c88275c5f0756a5179bf7fad

SHA1
aea1774ecf56d27c4f7213aed2bd84fa462933c2

SHA256
15b7a378c0490ac3e8eecd1b3da38d8f73039c74bb6bd2fe019b62b2f7c4d360

SHA512
9be8185c71c53c3b464402ca71363f1c38de34641a11bafa0c71e0e79e0a7ed8bc2145b6113eb46df01d2f7023aaf6c967352154bb33f4b0217f358dfa9d1500

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
534e77118650043b9ea7df9b33f6bd37

SHA1
182eab856a72d0757681b0f25cd18c5ec3c71937

SHA256
7b4a327bfafe32e675916f7383ba904a204c22677da9346984a3385a455cb496

SHA512
e428ea7ff5fde3f8efaf8537e42eb006ffc80018c7e9b528dc1ed019530f9ab02aace595781491cf4abd2ba7ecd6a163ff8e4ae01183412e4b2fb82364bf5534

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3b0ee43ffd5e61e0a1bf9f2a51437746

SHA1
c08109d831fdd4154a4c92a925307ac9e0a9f40e

SHA256
3a90b8aa0c37328699c7a0ccb33bb457f57c44cec6162e86113fa8f95d374bdf

SHA512
7ec242c711e1b167c71dae4536a8b674b6d5df65ec1c98b8257dc0ed039ab0d38da68c3486bd866986410eaa1a329a6bbe7a0e69ee91efec63f83ad83a36383e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
d24e7c40f83b36af896f76bbc47e0583

SHA1
f986ff72433c1d12c0d84af95ae5aed03934889a

SHA256
53413d8f477d7832ff0d22a8fc1f8c5eb36e74c2469ff4d5408e7bd0f9db3f55

SHA512
0cbecef1df0688c02b85ecdf6dd519b06692b83c8aaa584ecce31717f2d2659a5394d37047c518205dab28d2ffbe053bf3c5cb2747ebbf8cdd0dbb4b158eb744

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
7ccd12d1a81ee8c9e31a69a7a0515cb9

SHA1
8b7ea78b68e9164396bb04022ba5a7af00d3fb01

SHA256
bf54fb739b0e9e1dcd2ec704af7b6e3de7508395b31f496f0c9d13aa84a0c4ed

SHA512
e05d742539641c6594a37b54f2fdf7d07995ad27aff7130d377d3f09e76668da5bbe725ddd484be50bf403352b1d0ba7d4d812959aebeb8a982b3d79338048b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
201KB

MD5
164c7fae869a694f66f8954fa0b59581

SHA1
9e62b25b4335298eea1ddd428caec250cdf8b16d

SHA256
276254caf38b10cd40fab72dc19fd0f8cff1c726bd37c79542b22ee4fd314f3a

SHA512
1e14c6b8ca99ac6ce3a95295c58f1410e75327886fc626bb674515e36fea631a13ec0d58d266a7960d1058da21a710138439633a498c0a0f2484d02b09e9adfb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
201KB

MD5
8137029ea612ccfb5a63a2c6ab9d0f59

SHA1
ac4f72683ef68c93dabbe2813c79207aad18467a

SHA256
e3b682484c45f3368fe8d99856669ac3355ec972a029204588ef892d8904a6ac

SHA512
1078e5e0eb4b63d6ca89896e5112a689991ee2d8f6405abd596d64e0827714771e45b0c257c1ae7c8dc7aef1361a63c463e75fa0c4772a84d81291981f9f8c8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
201KB

MD5
96092901717543173dbaff6efbc5d326

SHA1
7cd12b692be40dfa4656bbb25be847c6863a9e8b

SHA256
e872ac40fc0c80b0603fe3876149f031587ce49b9f077b43c4bc45985b03880e

SHA512
c6e83f6764bd102bd80f0ce8fb3f56a0e6b1ff19eaf9094d3434c686f6ebd8f51461a5c429149a06be3de7f2440a4a59c9cfc8c58e8ee51aaf535dc04f01a640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
fc9ca9169b7887d342b2c589febc8952

SHA1
383f245e7f109c9b206cec9c8abefbb05dba09ec

SHA256
9e3ebcbb6951f819a1eb162b2b658ff099914f7edd4e15abd1aae83045570c2f

SHA512
f71826ca02aa9874731232870eed9f3dfe3f36fef8668b9f2a74eef9b1f04535bfae8857449a574d43b6a261c5787bc178b0636aea2862cf5c069bda47017a81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
df808b11175970c23f00e611a7b6d2cc

SHA1
0243f099e483fcafb6838c0055982e65634b6db6

SHA256
2d5eec6aeee0c568d08cc1777a67b529dce3133efc761ef4b4643d4b2003d43d

SHA512
c7c4e39be7cb6bfda48055cd2b0b05a6b6a71131a124730f62928600a5870303e06e3db54634c45f86310413126d2524f51002d5f36f7012e41b641992b5ac89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
21017c68eaf9461301de459f4f07e888

SHA1
41ff30fc8446508d4c3407c79e798cf6eaa5bb73

SHA256
03b321e48ff3328d9c230308914961fe110c4c7bc96c0a85a296745437bcb888

SHA512
956990c11c6c1baa3665ef7ef23ef6073e0a7fcff77a93b5e605a83ff1e60b916d80d45dafb06977aed90868a273569a865cf2c623e295b5157bfff0fb2be35d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gz3y3bop.xhc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\SynZ.zip.crdownload

Filesize
51KB

MD5
b23eb8982c76332c7da86e438f37e390

SHA1
81552549673b96a88ae76eca202f25df1fae912a

SHA256
829b40fc8af48b5669e85eba8089f604b456783d60b29724aeb5824c08205271

SHA512
93cf779ace6b752395ac006d6feb9459c1caeed51301c3f784fdb7875ce163ac915387b5777f5c87f8b3eddb46ca0842ffbe092995814599a500240e81a5c163

Download Submit
C:\Users\Admin\Downloads\SynZ.zip:Zone.Identifier

Filesize
216B

MD5
b6d3c1193cc59f688056d783c4ca2ce6

SHA1
886d734f69078582419e5479ff592f3ce383ebb2

SHA256
65b790a4b168bb63dbbcb8bcc61b6a86449c8e0b1236163578b22597a3de153b

SHA512
7abf32c6bcda368dfd26b3446678c87196c92f9e00144718cef095f805a7e82a8e9d32f8687bb8b16cb3b3a46dc3dea2ce240744ffcd0204c2717af58dcdc3fb

Download Submit
C:\Users\Admin\Downloads\SynZ\SynZ.exe

Filesize
83KB

MD5
15cb86405458bd9402b40df6ee9097b9

SHA1
2c5e958e0fc75c9467b6af704c3deb345a434743

SHA256
c4a1a821040a2ec5dcdf660a296ceef7722175dd16189febb54eac0ea36767f5

SHA512
9af6cd2eb7ba552e5d55d52ea6cbfcd8242a31f678abbca8c2acb3aa70ae4fd105730393140877e6e920fa342107ecbafa1af179a3e961f1b693da40dcabcadb

Download Submit
memory/920-98-0x0000023212910000-0x0000023212932000-memory.dmp

Filesize
136KB

Download
memory/1696-87-0x0000000000140000-0x000000000015C000-memory.dmp

Filesize
112KB

Download