Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-12-2024 11:37
Behavioral task: behavioral1
Sample: Synapse Loader.exe
Resource: win7-20240729-en

The signatures and process tree below come from the Windows 10 run (their resource names start with behavioral2, matching the platform listed above); the Windows 7 task named here is a sibling task whose results are not on this page.
General

Target: Synapse Loader.exe
Size: 3.1MB
MD5: 8cff9bae2bc1b05b8b4dd4ab5946c8b7
SHA1: 93369919961d4f4cbaa65e7728ead8fd9d4dea93
SHA256: ae1b306c87730bbf7b1cd56f687903f396f8295d7d128c9897ebb5fb0ad14933
SHA512: 73a9969b7dcda426b09a2a8566ed8c466e30752a161eade7e331743946d4cbcff589e3ec79d72f4b3ebb3e0e4a6665de29b87b409e7b4944d170518c0186a85e
SSDEEP: 49152:avct62XlaSFNWPjljiFa2RoUYIkxxNESETk/itLoGdyOsTHHB72eh2NT:avg62XlaSFNWPjljiFXRoUYISxal5
Malware Config

Extracted
Family: quasar
Version: 1.4.1
Botnet (tag): svhost
C2: vnt-39824.portmap.host:39824
Mutex: a8e213b3-b8da-419b-8e37-bca8a65bb11c

Attributes
encryption_key: 20999754454467FF7C9649079A3ADDFF8252D170
install_name: svhost.exe
log_directory: Logs
reconnect_delay: 3000 (milliseconds between reconnection attempts)
startup_key: svhost
subdirectory: SubDir

The C2 is a hostname on a port-forwarding service (portmap.host), so the operator's real address does not appear in the config and the hostname can be rotated cheaply. The mutex GUID, the install path C:\Program Files\SubDir\svhost.exe and the task/startup name svhost are the more stable host indicators.
Signatures

Quasar family

Quasar payload (2 IoCs)
YARA rule family_quasar matched:
  behavioral2/memory/4108-1-0x0000000000BD0000-0x0000000000EF4000-memory.dmp (memory of the loader process, PID 4108)
  behavioral2/files/0x000b000000023b93-5.dat (a dropped file)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Key queried by svhost.exe: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation
Caveat: Quasar is a .NET client, and the .NET runtime reads this key itself when it initialises region and culture information, so this read alone is weak evidence of geofencing.
Executes dropped EXE (1 IoC)
PID 1096: svhost.exe

Drops file in Program Files directory (2 IoCs)
File created by Synapse Loader.exe: C:\Program Files\SubDir\svhost.exe
File opened for modification by Synapse Loader.exe: C:\Program Files\SubDir\svhost.exe
Writing under C:\Program Files requires an elevated token, so the loader ran with administrative rights in this analysis. The name svhost.exe imitates the legitimate svchost.exe, which lives in C:\Windows\System32 (or SysWOW64), never under Program Files.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
Key created by svhost.exe: \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings
Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID 2976: schtasks.exe (spawned by Synapse Loader.exe)
PID 4392: schtasks.exe (spawned by the installed svhost.exe)
Both invocations register the same task "svhost": triggered at logon (/sc ONLOGON), at the highest run level (/rl HIGHEST), and overwriting any task of that name (/f). The full command line appears in the process tree below.
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
PID 2072: vlc.exe; PID 3248: vlc.exe

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
PID 2072: vlc.exe; PID 3248: vlc.exe
Both vlc.exe instances are children of the implant process (PID 1096) and play a local media file; these two behaviours come from the media player itself, not from the sample's code.
Suspicious use of AdjustPrivilegeToken (8 IoCs)
SeDebugPrivilege: PID 4108 Synapse Loader.exe
SeDebugPrivilege: PID 1096 svhost.exe
Privilege LUID 33 (SeIncreaseWorkingSetPrivilege) and SeIncBasePriorityPrivilege: PID 3568 AUDIODG.EXE
Privilege LUID 33 (SeIncreaseWorkingSetPrivilege) and SeIncBasePriorityPrivilege: PID 2072 vlc.exe
Privilege LUID 33 (SeIncreaseWorkingSetPrivilege) and SeIncBasePriorityPrivilege: PID 3248 vlc.exe
Only the SeDebugPrivilege requests belong to the sample; the AUDIODG.EXE and vlc.exe entries are routine process-priority adjustments made by media playback.
Suspicious use of FindShellTrayWindow (55 IoCs)
PID 1096 svhost.exe (4 calls), PID 2072 vlc.exe (31 calls), PID 3248 vlc.exe (20 calls)

Suspicious use of SendNotifyMessage (16 IoCs)
PID 1096 svhost.exe (4 calls), PID 2072 vlc.exe (8 calls), PID 3248 vlc.exe (4 calls)

Suspicious use of SetWindowsHookEx (9 IoCs)
PID 1096 svhost.exe (1 call), PID 2072 vlc.exe (4 calls), PID 3248 vlc.exe (4 calls)
Suspicious use of WriteProcessMemory (10 IoCs)
PID 4108 Synapse Loader.exe wrote to PID 2976 schtasks.exe (target 83), twice
PID 4108 Synapse Loader.exe wrote to PID 1096 svhost.exe (target 85), twice
PID 1096 svhost.exe wrote to PID 4392 schtasks.exe (target 86), twice
PID 1096 svhost.exe wrote to PID 2072 vlc.exe (target 106), twice
PID 1096 svhost.exe wrote to PID 3248 vlc.exe (target 110), twice
Every pair corresponds to a child process that the writer had just created; writes into a freshly created child are part of normal process start-up, so this signature documents the process tree here rather than code injection.
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\Synapse Loader.exe  (PID 4108)
  command line: "C:\Users\Admin\AppData\Local\Temp\Synapse Loader.exe"
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\schtasks.exe  (PID 2976, child of 4108)
    command line: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Program Files\SubDir\svhost.exe" /rl HIGHEST /f
    - Scheduled Task/Job: Scheduled Task

  C:\Program Files\SubDir\svhost.exe  (PID 1096, child of 4108)
    command line: "C:\Program Files\SubDir\svhost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SYSTEM32\schtasks.exe  (PID 4392, child of 1096)
      command line: "schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Program Files\SubDir\svhost.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task

    C:\Program Files\VideoLAN\VLC\vlc.exe  (PID 2072, child of 1096)
      command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\VID-20240924-WA0004 (1).mp4"
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx

    C:\Program Files\VideoLAN\VLC\vlc.exe  (PID 3248, child of 1096)
      command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\VID-20240924-WA0004 (1).mp4"
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx

C:\Windows\system32\AUDIODG.EXE  (PID 3568)
  command line: C:\Windows\system32\AUDIODG.EXE 0x518 0x53c
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: the loader registers the logon task, then starts the installed copy, which re-registers the same task on its own start (the /f switch makes the second create succeed); this install-then-relaunch sequence is what the two schtasks.exe children reflect. AUDIODG.EXE is the Windows audio engine, started by the audio service once VLC began playback, and its privilege adjustments are routine.
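The scheduled-task registration above is the most durable host artifact in this report, so it is the natural thing to hunt for across a fleet. The following Python is an added example, not part of this sandbox report or of the Quasar project: it parses schtasks command lines out of Sysmon-style process-creation records, scores the trigger, run level and overwrite switches, checks the task target against the report's install path and against lookalikes of Windows system process names (svhost vs svchost), and matches the sample hash. The schtasks command line, task name, install path and SHA256 are taken from the report; the event records, the parent PID 1234 and the benign OneDrive task (PID 5120) are constructed for illustration and are not real telemetry.

```python
# Added example: hunt for the report's schtasks persistence pattern in
# Sysmon-style process-creation events. Event records below are constructed.
import re

# Indicators copied from the report.
SAMPLE_SHA256 = "ae1b306c87730bbf7b1cd56f687903f396f8295d7d128c9897ebb5fb0ad14933"
INSTALL_PATH = r"C:\Program Files\SubDir\svhost.exe"
# Windows process names that dropped binaries commonly imitate.
SYSTEM_NAMES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe")
_TOKEN = re.compile(r'"[^"]*"|\S+')  # a quoted string or a bare word


def parse_schtasks(cmdline):
    """Tokenise a schtasks command line into {switch: value}; None if it is not schtasks."""
    toks = [t.strip('"') for t in _TOKEN.findall(cmdline)]
    if not toks or toks[0].lower().rsplit("\\", 1)[-1] not in ("schtasks", "schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(toks):
        sw = toks[i].lower()
        if sw in ("/create", "/delete", "/run", "/f"):  # switches that take no value
            opts[sw] = True
            i += 1
        elif sw.startswith("/") and i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            opts[sw] = toks[i + 1]
            i += 2
        else:
            i += 1
    return opts


def edit_distance(a, b):
    """Levenshtein distance; catches lookalike names such as svhost vs svchost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(path):
    """The system process name that the file name in `path` imitates, or None."""
    name = path.lower().rsplit("\\", 1)[-1]
    for sysname in SYSTEM_NAMES:
        if name != sysname and edit_distance(name, sysname) <= 1:
            return sysname
    return None


def assess_schtasks(cmdline):
    """Reasons a `schtasks /create` looks like RAT persistence; [] means ignore it."""
    opts = parse_schtasks(cmdline)
    if not opts or "/create" not in opts:
        return []
    target = opts.get("/tr", "")
    strong, weak = [], []
    if target.lower() == INSTALL_PATH.lower():
        strong.append("target is the Quasar install path from this report")
    mimic = lookalike_of(target)
    if mimic:
        strong.append(f"target file name mimics {mimic}")
    trigger = opts.get("/sc", "").upper()
    if trigger in ("ONLOGON", "ONSTART"):
        weak.append(f"/sc {trigger}: re-runs at every logon/boot")
    if opts.get("/rl", "").upper() == "HIGHEST":
        weak.append("/rl HIGHEST: runs with the highest available token")
    if "/f" in opts:
        weak.append("/f: silently replaces an existing task of the same name")
    # Installers legitimately use ONLOGON or /f; alert only on a direct indicator
    # match or on the full trigger + run level + overwrite combination.
    if not strong and len(weak) < 3:
        return []
    return strong + weak


# Constructed Sysmon Event ID 1 style records modelled on the report's process tree;
# parent PID 1234 and the OneDrive task (PID 5120) are invented for contrast.
SCHTASKS_CMD = r'"schtasks" /create /tn "svhost" /sc ONLOGON /tr "C:\Program Files\SubDir\svhost.exe" /rl HIGHEST /f'
EVENTS = [
    {"pid": 4108, "ppid": 1234, "image": r"C:\Users\Admin\AppData\Local\Temp\Synapse Loader.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Synapse Loader.exe"', "sha256": SAMPLE_SHA256},
    {"pid": 2976, "ppid": 4108, "image": r"C:\Windows\SYSTEM32\schtasks.exe", "cmdline": SCHTASKS_CMD},
    # the dropped copy carries the sample's own hash (see the Downloads section)
    {"pid": 1096, "ppid": 4108, "image": INSTALL_PATH, "cmdline": f'"{INSTALL_PATH}"', "sha256": SAMPLE_SHA256},
    {"pid": 4392, "ppid": 1096, "image": r"C:\Windows\SYSTEM32\schtasks.exe", "cmdline": SCHTASKS_CMD},
    {"pid": 2072, "ppid": 1096, "image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "cmdline": r'"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\VID-20240924-WA0004 (1).mp4"'},
    {"pid": 5120, "ppid": 1234, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "OneDrive Standalone Update Task" /sc DAILY /st 09:00 '
                r'/tr "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"'},
]


def hunt(events):
    """Return [(pid, image, parent_image, reasons)] for events matching the report's indicators."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        reasons = []
        if e.get("sha256", "").lower() == SAMPLE_SHA256:
            reasons.append("SHA256 matches the submitted sample")
        if e["image"].lower() == INSTALL_PATH.lower():
            reasons.append("image is the Quasar install path")
        reasons += assess_schtasks(e["cmdline"])
        if reasons:
            hits.append((e["pid"], e["image"], by_pid.get(e["ppid"], {}).get("image", "<unknown>"), reasons))
    return hits
```

Running `hunt(EVENTS)` flags the loader (hash), both schtasks.exe children (all three switches plus the install-path and svchost-lookalike matches) and the installed svhost.exe (path and hash), while the VLC children and the benign daily task are left alone. The two-tier scoring matters in production: ONLOGON and /f on their own are common in legitimate installers, so only a direct indicator hit or the full ONLOGON + HIGHEST + /f combination raises an alert.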
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1 (same size and hashes as the submitted sample, consistent with the implant installing itself by copying its own image to C:\Program Files\SubDir\svhost.exe; the SHA256 therefore identifies both the loader and the installed copy)
Filesize: 3.1MB
MD5: 8cff9bae2bc1b05b8b4dd4ab5946c8b7
SHA1: 93369919961d4f4cbaa65e7728ead8fd9d4dea93
SHA256: ae1b306c87730bbf7b1cd56f687903f396f8295d7d128c9897ebb5fb0ad14933
SHA512: 73a9969b7dcda426b09a2a8566ed8c466e30752a161eade7e331743946d4cbcff589e3ec79d72f4b3ebb3e0e4a6665de29b87b409e7b4944d170518c0186a85e

File 2
Filesize: 304B
MD5: 781602441469750c3219c8c38b515ed4
SHA1: e885acd1cbd0b897ebcedbb145bef1c330f80595
SHA256: 81970dbe581373d14fbd451ac4b3f96e5f69b79645f1ee1ca715cff3af0bf20d
SHA512: 2b0a1717d96edb47bdf0ffeb250a5ec11f7d0638d3e0a62fbe48c064379b473ca88ffbececb32a72129d06c040b107834f1004ccda5f0f35b8c3588034786461

File 3
Filesize: 532B
MD5: 88a2d7ca7e8628d38682ab18abfcd62d
SHA1: 692de262f4ce2682e1a0987e4459004458473e20
SHA256: f00ba9d5b4f879d0289d5a49d944bff163b857bc647937b3667b1c1badd56c4f
SHA512: 9459748ef0a388c6d98521a4a73f1a68340d334aab533afe6f3ade495241defd3a1dd286f619fb067a3fdaeed0f997eff19ffd9b1c12f75ff48d48d157a6441e

File 4
Filesize: 12.8MB
MD5: 93e54f13d22c3455ddb03c36aaaacd0b
SHA1: ddeeeb61d6f3c717c721c029716f8c3960aed3d3
SHA256: 8c18e6fd60fa659570ddb09113f4ccc4b2b70923ee09eb2f9df1ecd57f41ce68
SHA512: 057bea3dc3444711c99ddc63610fce3c4e526263f45c95bce957a68eb477f2a9d8a259cd6f8553bd8337d1779379ccaeb0a2666269a348faa264a841c24a7b3e