Resubmissions

21/09/2024, 14:51 UTC

240921-r7719aybkr (score 6/10)

21/09/2024, 12:45 UTC

240921-pzfkxssfng (score 6/10)

Analysis

  • max time kernel
    428s
  • max time network
    439s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/09/2024, 14:51 UTC

General

  • Target

    Synapse X.exe

  • Size

    374KB

  • MD5

    b69c13e0099df6821ba000cb9d39819b

  • SHA1

    6a36cf9a4a9ff90f8ddf21f62db94ef2691b85ee

  • SHA256

    cbff32a11e742c778f5d2d94da6699af7302ec751111b06c37f665768eaf2d02

  • SHA512

    0c7b4d42f46a04574d8adf6d6149e0a81bc4cbafcb2e46557b0bd083f82fdd8dbf7cc166ee0da1cdf5048605f0e83f50a1e064a5c581a97b1aefc4533d9954bb

  • SSDEEP

    6144:H83Kwo3BjOALaQIigh4f86OZUjUKnmuv9uVYwEHCnGuBt+1:Hxz7r86h0uv8V5nxj+1

Score
6/10

Malware Config

Signatures

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Synapse X.exe
    "C:\Users\Admin\AppData\Local\Temp\Synapse X.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:760
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 4724
      2⤵
      • Program crash
      PID:2168
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 760 -ip 760
    1⤵
    PID:4524

    Network

    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dns.google
    • flag-us
      DNS
      28.118.140.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      28.118.140.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      25.140.123.92.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      25.140.123.92.in-addr.arpa
      IN PTR
      Response
      25.140.123.92.in-addr.arpa
      IN PTR
      a92-123-140-25.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      pastebin.com
      Synapse X.exe
      Remote address:
      8.8.8.8:53
      Request
      pastebin.com
      IN A
      Response
      pastebin.com
      IN A
      104.20.3.235
      pastebin.com
      IN A
      172.67.19.24
      pastebin.com
      IN A
      104.20.4.235
    • flag-us
      GET
      https://pastebin.com/raw/pgk6j94i
      Synapse X.exe
      Remote address:
      104.20.3.235:443
      Request
      GET /raw/pgk6j94i HTTP/1.1
      Host: pastebin.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 403 Forbidden
      Date: Sat, 21 Sep 2024 14:56:19 GMT
      Content-Type: text/html; charset=UTF-8
      Content-Length: 7497
      Connection: close
      Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
      Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
      Cross-Origin-Embedder-Policy: require-corp
      Cross-Origin-Opener-Policy: same-origin
      Cross-Origin-Resource-Policy: same-origin
      Origin-Agent-Cluster: ?1
      Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
      Referrer-Policy: same-origin
      X-Content-Options: nosniff
      X-Frame-Options: SAMEORIGIN
      cf-mitigated: challenge
      cf-chl-out: kf7FOENrtT1vvJ4ani322+qJrS6ifpvJyBOTBIBzr6LPYZerHEfao7fYTKoLFzlzOGSLuokh+FN56hJVA5LWgBAiUC5hr3nyQUwNBHlVMYk=$dGc86PjKHYTahCstm9n89Q==
      Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
      Expires: Thu, 01 Jan 1970 00:00:01 GMT
      Server: cloudflare
      CF-RAY: 8c6ae6b96f3260dd-LHR
    • flag-us
      DNS
      235.3.20.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      235.3.20.104.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      149.220.183.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      149.220.183.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      56.163.245.4.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      56.163.245.4.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      171.39.242.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      171.39.242.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      18.134.221.88.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.134.221.88.in-addr.arpa
      IN PTR
      Response
      18.134.221.88.in-addr.arpa
      IN PTR
      a88-221-134-18.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      18.134.221.88.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.134.221.88.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      240.143.123.92.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.143.123.92.in-addr.arpa
      IN PTR
      Response
      240.143.123.92.in-addr.arpa
      IN PTR
      a92-123-143-240.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      44.56.20.217.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      44.56.20.217.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      30.243.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      30.243.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      12.173.189.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      12.173.189.20.in-addr.arpa
      IN PTR
      Response
    • 104.20.3.235:443
      https://pastebin.com/raw/pgk6j94i
      tls, http
      Synapse X.exe
      1.0kB
      13.1kB
      14
      19

      HTTP Request

      GET https://pastebin.com/raw/pgk6j94i

      HTTP Response

      403
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
      90 B
      1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      28.118.140.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      28.118.140.52.in-addr.arpa

    • 8.8.8.8:53
      25.140.123.92.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      25.140.123.92.in-addr.arpa

    • 8.8.8.8:53
      pastebin.com
      dns
      Synapse X.exe
      58 B
      106 B
      1
      1

      DNS Request

      pastebin.com

      DNS Response

      104.20.3.235
      172.67.19.24
      104.20.4.235

    • 8.8.8.8:53
      235.3.20.104.in-addr.arpa
      dns
      71 B
      133 B
      1
      1

      DNS Request

      235.3.20.104.in-addr.arpa

    • 8.8.8.8:53
      149.220.183.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      149.220.183.52.in-addr.arpa

    • 8.8.8.8:53
      56.163.245.4.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      56.163.245.4.in-addr.arpa

    • 8.8.8.8:53
      171.39.242.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      171.39.242.20.in-addr.arpa

    • 8.8.8.8:53
      18.134.221.88.in-addr.arpa
      dns
      144 B
      137 B
      2
      1

      DNS Request

      18.134.221.88.in-addr.arpa

      DNS Request

      18.134.221.88.in-addr.arpa

    • 8.8.8.8:53
      240.143.123.92.in-addr.arpa
      dns
      73 B
      139 B
      1
      1

      DNS Request

      240.143.123.92.in-addr.arpa

    • 8.8.8.8:53
      44.56.20.217.in-addr.arpa
      dns
      71 B
      131 B
      1
      1

      DNS Request

      44.56.20.217.in-addr.arpa

    • 8.8.8.8:53
      30.243.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      30.243.111.52.in-addr.arpa

    • 8.8.8.8:53
      12.173.189.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      12.173.189.20.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • memory/760-0-0x00000000748DE000-0x00000000748DF000-memory.dmp

      Filesize

      4KB

    • memory/760-1-0x00000000005A0000-0x0000000000602000-memory.dmp

      Filesize

      392KB

    • memory/760-2-0x0000000007440000-0x00000000074BA000-memory.dmp

      Filesize

      488KB

    • memory/760-3-0x00000000028B0000-0x00000000028B6000-memory.dmp

      Filesize

      24KB

    • memory/760-4-0x00000000748D0000-0x0000000075080000-memory.dmp

      Filesize

      7.7MB

    • memory/760-5-0x00000000748D0000-0x0000000075080000-memory.dmp

      Filesize

      7.7MB

    • memory/760-6-0x0000000007530000-0x0000000007568000-memory.dmp

      Filesize

      224KB

    • memory/760-7-0x0000000006070000-0x000000000607E000-memory.dmp

      Filesize

      56KB

    • memory/760-8-0x00000000748D0000-0x0000000075080000-memory.dmp

      Filesize

      7.7MB
