Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 24-12-2024 11:37
Behavioral task: behavioral1
- Sample: Synapse Loader.exe
- Resource: win7-20240729-en
General
- Target: Synapse Loader.exe
- Size: 3.1MB
- MD5: 8cff9bae2bc1b05b8b4dd4ab5946c8b7
- SHA1: 93369919961d4f4cbaa65e7728ead8fd9d4dea93
- SHA256: ae1b306c87730bbf7b1cd56f687903f396f8295d7d128c9897ebb5fb0ad14933
- SHA512: 73a9969b7dcda426b09a2a8566ed8c466e30752a161eade7e331743946d4cbcff589e3ec79d72f4b3ebb3e0e4a6665de29b87b409e7b4944d170518c0186a85e
- SSDEEP: 49152:avct62XlaSFNWPjljiFa2RoUYIkxxNESETk/itLoGdyOsTHHB72eh2NT:avg62XlaSFNWPjljiFXRoUYISxal5
Malware Config
Extracted
- Family: quasar
- Version: 1.4.1
- Botnet: svhost
- C2: vnt-39824.portmap.host:39824
- Mutex: a8e213b3-b8da-419b-8e37-bca8a65bb11c
Attributes
- encryption_key: 20999754454467FF7C9649079A3ADDFF8252D170
- install_name: svhost.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: svhost
- subdirectory: SubDir
Signatures
- Quasar family
- Quasar payload (3 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/2264-1-0x0000000000CF0000-0x0000000001014000-memory.dmp  family_quasar
  behavioral1/files/0x000700000001932d-5.dat                                  family_quasar
  behavioral1/memory/2856-9-0x0000000000B70000-0x0000000000E94000-memory.dmp  family_quasar
- Executes dropped EXE (1 IoC)
  pid   Process
  2856  svhost.exe
- Drops file in Program Files directory (2 IoCs)
  description                   ioc                                 Process
  File created                  C:\Program Files\SubDir\svhost.exe  Synapse Loader.exe
  File opened for modification  C:\Program Files\SubDir\svhost.exe  Synapse Loader.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2712  schtasks.exe
  2700  schtasks.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2264  Synapse Loader.exe
  Token: SeDebugPrivilege  2856  svhost.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  2856  svhost.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  pid   Process
  2856  svhost.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  2856  svhost.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   Process             procid_target
  PID 2264 wrote to memory of 2712  2264  Synapse Loader.exe  30
  PID 2264 wrote to memory of 2712  2264  Synapse Loader.exe  30
  PID 2264 wrote to memory of 2712  2264  Synapse Loader.exe  30
  PID 2264 wrote to memory of 2856  2264  Synapse Loader.exe  32
  PID 2264 wrote to memory of 2856  2264  Synapse Loader.exe  32
  PID 2264 wrote to memory of 2856  2264  Synapse Loader.exe  32
  PID 2856 wrote to memory of 2700  2856  svhost.exe          33
  PID 2856 wrote to memory of 2700  2856  svhost.exe          33
  PID 2856 wrote to memory of 2700  2856  svhost.exe          33
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Synapse Loader.exe (PID 2264)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Synapse Loader.exe"
  Signatures:
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\system32\schtasks.exe (PID 2712)
    Command line: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Program Files\SubDir\svhost.exe" /rl HIGHEST /f
    Signatures:
    - Scheduled Task/Job: Scheduled Task
  - C:\Program Files\SubDir\svhost.exe (PID 2856)
    Command line: "C:\Program Files\SubDir\svhost.exe"
    Signatures:
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\system32\schtasks.exe (PID 2700)
      Command line: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Program Files\SubDir\svhost.exe" /rl HIGHEST /f
      Signatures:
      - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15