Task overview (score badge, sample name as truncated on the page, platform)

10  Static               static
3   SynapseZ C...er.exe  windows11-21h2-x64
10  SynapseZ C...7c.bin  windows11-21h2-x64
3   SynapseZ C...Ek.exe  windows11-21h2-x64
3   SynapseZ C...re.dll  windows11-21h2-x64
3   SynapseZ C...ss.exe  windows11-21h2-x64
3   SynapseZ C...re.dll  windows11-21h2-x64
3   SynapseZ C...pf.dll  windows11-21h2-x64
3   SynapseZ C...rp.dll  windows11-21h2-x64
3   SynapseZ C...r.html  windows11-21h2-x64
3   SynapseZ C...tt.exe  windows11-21h2-x64
3   SynapseZ C...or.dll  windows11-21h2-x64
9   SynapseZ C...lf.dll  windows11-21h2-x64
3   SynapseZ C...47.dll  windows11-21h2-x64
3   SynapseZ C...GL.dll  windows11-21h2-x64
3   SynapseZ C...v2.dll  windows11-21h2-x64
3   SynapseZ C...mp.exe  windows11-21h2-x64
Analysis (score 9)

max time kernel: 17s
max time network: 39s
platform: windows11-21h2_x64
resource: win11-20241023-en
resource tags: arch:x64, arch:x86, image:win11-20241023-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 18/11/2024, 01:29
Tasks

static1 (static task)
behavioral1:  SynapseZ Cracked V5.2/Synapse X Launcher.exe                 resource win11-20241023-en
behavioral2:  SynapseZ Cracked V5.2/auth/internal/3132e54eb7c.bin          resource win11-20241007-en
behavioral3:  SynapseZ Cracked V5.2/bin/359k6u5HUNL4tEk.exe                resource win11-20241007-en
behavioral4:  SynapseZ Cracked V5.2/bin/CefSharp.BrowserSubprocess.Core.dll  resource win11-20241007-en
behavioral5:  SynapseZ Cracked V5.2/bin/CefSharp.BrowserSubprocess.exe     resource win11-20241023-en
behavioral6:  SynapseZ Cracked V5.2/bin/CefSharp.Core.dll                  resource win11-20241007-en
behavioral7:  SynapseZ Cracked V5.2/bin/CefSharp.Wpf.dll                   resource win11-20241007-en
behavioral8:  SynapseZ Cracked V5.2/bin/CefSharp.dll                       resource win11-20241007-en
behavioral9:  SynapseZ Cracked V5.2/bin/Editor.html                        resource win11-20241007-en
behavioral10: SynapseZ Cracked V5.2/bin/OoxIi8qtt.exe                      resource win11-20241007-en
behavioral11: SynapseZ Cracked V5.2/bin/SynapseInjector.dll                resource win11-20241007-en
behavioral12: SynapseZ Cracked V5.2/bin/chrome_elf.dll                     resource win11-20241007-en
behavioral13: SynapseZ Cracked V5.2/bin/d3dcompiler_47.dll                 resource win11-20241023-en
behavioral14: SynapseZ Cracked V5.2/bin/libEGL.dll                         resource win11-20241007-en
behavioral15: SynapseZ Cracked V5.2/bin/libGLESv2.dll                      resource win11-20241007-en
General

Target: SynapseZ Cracked V5.2/Synapse X Launcher.exe
Size: 67.0MB
MD5: 9780271fc9b17aecd71866f182dd7376
SHA1: 3b0c619dbb862438ec70d913674e8840eb7ca5d9
SHA256: ff29b51276d46f8e3f096d2a244ba579ee8b0424ed825f7d3c6ace1ed1f4ca07
SHA512: 0f038d8cb1111437c06a16695fcc3623f3cea46520b022d9678c762322b80c5b9b5fec152d3a3e3c78db948ae18cde5d3e057c0ac764b6bf71955de668184a4e
SSDEEP: 393216:R4TPZVLWruiFVks+9j54GXvitZQLCO5SXDqQu58EISEhoIaE2FShABZDv25PPa2v:RKRVQxhu0P8Lq1LEvxOOx5Sl
Malware Config

Extracted
Family: xworm
Version: 5.0
C2: week-dictionary.gl.at.ply.gg:12466
WIHzy7HOqD8TiFlq (value shown without a field label on the page)
Install_directory: %AppData%
install_file: PowerShell.exe

The install directory and file name in the config correspond to the scheduled-task action seen in the process tree, C:\Users\Admin\AppData\Roaming\PowerShell.exe, and to the PowerShell.lnk dropped into the user's Startup folder.
Signatures

Detect Xworm Payload (2 IoCs)
resource                                                                    yara_rule
behavioral1/files/0x001c00000002ab5c-3.dat                                  family_xworm
behavioral1/memory/3632-6-0x00000000002C0000-0x00000000002CE000-memory.dmp  family_xworm

Xworm family

Drops startup file (2 IoCs)
description                   ioc                                                                                         process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerShell.lnk  app507ea758.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerShell.lnk  app507ea758.exe

Executes dropped EXE (1 IoC)
pid   process
3632  app507ea758.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  process
384  schtasks.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   process
Token: SeDebugPrivilege  3632  app507ea758.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description                       pid   process                 procid_target
PID 4512 wrote to memory of 3632  4512  Synapse X Launcher.exe  81
PID 4512 wrote to memory of 3632  4512  Synapse X Launcher.exe  81
PID 3632 wrote to memory of 384   3632  app507ea758.exe         82
PID 3632 wrote to memory of 384   3632  app507ea758.exe         82

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

1. C:\Users\Admin\AppData\Local\Temp\SynapseZ Cracked V5.2\Synapse X Launcher.exe (PID 4512)
   command line: "C:\Users\Admin\AppData\Local\Temp\SynapseZ Cracked V5.2\Synapse X Launcher.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\TempAppbd723f48\app507ea758.exe (PID 3632)
      command line: C:\Users\Admin\AppData\Local\Temp\TempAppbd723f48\app507ea758.exe
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\System32\schtasks.exe (PID 384)
         command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "PowerShell" /tr "C:\Users\Admin\AppData\Roaming\PowerShell.exe"
         - Scheduled Task/Job: Scheduled Task
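The process tree and the "Drops startup file" signature together show the two persistence mechanisms the dropper sets up: a scheduled task named "PowerShell" that re-launches %AppData%\PowerShell.exe every minute with the highest available run level, and a PowerShell.lnk written into the user's Startup folder. The following is an added example, not part of the tria.ge report or of any tool it uses, that scores a schtasks.exe command line and a Startup-folder write for exactly those traits. The two malicious events are transcribed from the report; the benign control command, the point values, the trusted-directory roots and the list of borrowed Windows binary names are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # a double-quoted run or a bare word

# Roots under which a legitimate task action normally lives (assumption:
# tuned for a stock Windows image; extend for your own estate).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# User-writable locations typical of dropped payloads.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Windows binaries whose names a task or payload may borrow to blend in
# (assumption: short illustrative list).
SYSTEM_BINARY_NAMES = {"powershell", "svchost", "explorer", "runtimebroker", "wscript", "cmd"}
STARTUP_DIR = "\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\"


@dataclass
class Verdict:
    score: int = 0
    findings: list = field(default_factory=list)

    def add(self, points, reason):
        self.score += points
        self.findings.append(reason)


def parse_schtasks(cmdline):
    """Split a schtasks.exe command line into {switch: value or True}."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    opts = {}
    i = 1  # tokens[0] is the schtasks.exe path itself
    while i < len(tokens):
        if not tokens[i].startswith("/"):
            i += 1
            continue
        key = tokens[i][1:].lower()
        # A switch consumes the next token as its value unless that token is another switch.
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            opts[key] = tokens[i + 1]
            i += 2
        else:
            opts[key] = True
            i += 1
    return opts


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def _untrusted_location(path):
    p = path.lower()
    return not p.startswith(TRUSTED_ROOTS) and any(h in p for h in USER_WRITABLE_HINTS)


def triage_schtasks(cmdline):
    """Score a schtasks.exe command line; only /create calls are of interest."""
    v = Verdict()
    opts = parse_schtasks(cmdline)
    if "create" not in opts:
        return v
    target = str(opts.get("tr", ""))
    name = str(opts.get("tn", ""))
    stem = _basename(target).lower().rsplit(".", 1)[0]
    if _untrusted_location(target):
        v.add(3, f"task action {target!r} lives in a user-writable directory")
    if str(opts.get("rl", "")).lower() == "highest":
        v.add(2, "/RL HIGHEST runs the task with the highest privileges the user holds")
    mo = str(opts.get("mo", "1"))  # schtasks defaults /mo to 1 for /sc minute
    if str(opts.get("sc", "")).lower() == "minute" and mo.isdigit() and int(mo) <= 5:
        v.add(2, f"re-launched every {mo} minute(s): a respawn loop that survives a process kill")
    if stem in SYSTEM_BINARY_NAMES and _untrusted_location(target):
        v.add(2, f"payload named after a Windows binary ({stem}) but outside the Windows directory")
    if name.lower() in SYSTEM_BINARY_NAMES:
        v.add(1, f"task name {name!r} mimics a Windows component")
    if opts.get("f") is True:
        v.add(1, "/F silently overwrites any existing task with the same name")
    return v


def triage_startup_write(path, writer):
    """Flag a file written into the per-user Startup folder, more so when the
    writing process itself runs from a user-writable directory."""
    v = Verdict()
    if STARTUP_DIR in path.lower():
        v.add(3, f"Startup folder entry {_basename(path)!r} created")
        if _untrusted_location(writer):
            v.add(2, f"written by {_basename(writer)!r}, which runs from a user-writable directory")
    return v


# Events transcribed from the process tree and signatures in the report above.
SCHTASKS_CMD = ('"C:\\Windows\\System32\\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
                '/tn "PowerShell" /tr "C:\\Users\\Admin\\AppData\\Roaming\\PowerShell.exe"')
STARTUP_LNK = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerShell.lnk"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\TempAppbd723f48\app507ea758.exe"
# Constructed benign control (not from the report): a vendor updater scheduled daily from Program Files.
BENIGN_CMD = 'schtasks.exe /create /tn "VendorUpdate" /sc daily /st 03:00 /tr "C:\\Program Files\\Vendor\\update.exe"'

if __name__ == "__main__":
    for label, verdict in (("report: schtasks", triage_schtasks(SCHTASKS_CMD)),
                           ("report: Startup .lnk", triage_startup_write(STARTUP_LNK, DROPPER)),
                           ("control: benign schtasks", triage_schtasks(BENIGN_CMD))):
        print(f"{label}: score {verdict.score}")
        for reason in verdict.findings:
            print("  -", reason)
```

Run against the report's schtasks line every check fires (user-writable action path, /RL HIGHEST, a one-minute respawn loop, a payload and task name both borrowing "PowerShell", and /F), while the constructed daily updater from Program Files scores zero. The same parsing can be fed from Sysmon Event ID 1 command lines or the sandbox process tree; the point values are illustrative thresholds, not a calibrated detection.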
TTP mapping: MITRE ATT&CK Enterprise v15
Downloads

Filesize: 34KB
MD5: df4465e6693e489c6db32a427bbd93ec
SHA1: ea8ef0ae2b517e10f934b66ebefa71e2d9007aa5
SHA256: 0c5031bae18c7e5b294b89b4b82e30c3862d1e5e4aa5fd664d7a04451dc83847
SHA512: 4d569c1c29adadf32ff28ba53378493189c99e6e1734e1c896e52e6df89358cbfc6525a96ae1d5cbd99a909ffb7d8e88b075674f679a448a54fef961cdc16f5d