File name: synapse-launcher-11-17-21 (4).zip
Full analysis: https://app.any.run/tasks/503917c0-2690-4e83-aeac-a25bff63ace5
Verdict: Malicious activity
Analysis date: January 24, 2022, 17:29:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: E5EB2CB7B70701AB11A279B8ECA15EDA
SHA1: 9760D0724E6E03CE62565FD16404B9CA0577C227
SHA256: 0314DE51CAA9B0A86A8EB4947F6868707DE4C45C0BE8165C77D77F22D6F38E5F
SSDEEP: 6144:nSGO4OZazXXGIz2HA/J0OqystAilL2hDO5Hp2ypz89S49ttWZIw/E1y5e:SG+ZEX2IzyEeLy2pLpz89xCOwM1y5e

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Synapse Launcher.exe (PID: 1256)
      • Synapse Launcher.exe (PID: 3924)
      • xuGid.bin (PID: 996)
      • 1NLbz5sRnL8kR.exe (PID: 3628)
    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 2716)
      • 1NLbz5sRnL8kR.exe (PID: 3628)
    • Drops executable file immediately after starts

      • xuGid.bin (PID: 996)
  • SUSPICIOUS

    • Checks supported languages

      • Synapse Launcher.exe (PID: 1256)
      • WinRAR.exe (PID: 1988)
      • Synapse Launcher.exe (PID: 3924)
      • xuGid.bin (PID: 996)
      • 1NLbz5sRnL8kR.exe (PID: 3628)
    • Reads the computer name

      • WinRAR.exe (PID: 1988)
      • Synapse Launcher.exe (PID: 1256)
      • Synapse Launcher.exe (PID: 3924)
      • xuGid.bin (PID: 996)
      • 1NLbz5sRnL8kR.exe (PID: 3628)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1988)
      • Synapse Launcher.exe (PID: 3924)
      • xuGid.bin (PID: 996)
    • Reads Environment values

      • Synapse Launcher.exe (PID: 1256)
      • Synapse Launcher.exe (PID: 3924)
      • 1NLbz5sRnL8kR.exe (PID: 3628)
    • Drops a file with a compile date too recent

      • Synapse Launcher.exe (PID: 3924)
      • xuGid.bin (PID: 996)
    • Starts application with an unusual extension

      • Synapse Launcher.exe (PID: 1256)
    • Starts itself from another location

      • xuGid.bin (PID: 996)
    • Reads CPU info

      • 1NLbz5sRnL8kR.exe (PID: 3628)
  • INFO

    • Manual execution by user

      • Synapse Launcher.exe (PID: 1256)
      • Synapse Launcher.exe (PID: 3924)
    • Reads settings of System Certificates

      • Synapse Launcher.exe (PID: 1256)
      • Synapse Launcher.exe (PID: 3924)
      • 1NLbz5sRnL8kR.exe (PID: 3628)
    • Checks supported languages

      • WISPTIS.EXE (PID: 2908)
    • Reads the computer name

      • WISPTIS.EXE (PID: 2908)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2021:11:17 13:43:03
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: synapse-launcher-11-17-21/
No data.
All screenshots are available in the full report
Total processes: 45
Monitored processes: 8
Malicious processes: 4
Suspicious processes: 0

Behavior graph

(Interactive graph, available in the full report.) Nodes shown: winrar.exe (start), synapse launcher.exe, synapse launcher.exe, xugid.bin (drop and start), 1nlbz5srnl8kr.exe, searchprotocolhost.exe (no specs), wisptis.exe (no specs), wisptis.exe.

Process information

PID: 1988
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\synapse-launcher-11-17-21 (4).zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0

PID: 1256
CMD: "C:\Users\admin\Desktop\synapse-launcher-11-17-21\Synapse Launcher.exe"
Path: C:\Users\admin\Desktop\synapse-launcher-11-17-21\Synapse Launcher.exe
Parent process: Explorer.EXE
User: admin
Company: Synapse Softworks LLC
Integrity Level: MEDIUM
Description: Synapse Softworks Launcher
Exit code: 0
Version: 1.1.0.0

PID: 3924
CMD: "C:\Users\admin\Desktop\synapse-launcher-11-17-21\Synapse Launcher.exe"
Path: C:\Users\admin\Desktop\synapse-launcher-11-17-21\Synapse Launcher.exe
Parent process: Explorer.EXE
User: admin
Company: Synapse Softworks LLC
Integrity Level: MEDIUM
Description: Synapse Softworks Launcher
Exit code: 0
Version: 1.1.0.0

PID: 996
CMD: "bin\xuGid.bin"
Path: C:\Users\admin\Desktop\synapse-launcher-11-17-21\bin\xuGid.bin
Parent process: Synapse Launcher.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 1.0.0.0

PID: 3628
CMD: "bin\1NLbz5sRnL8kR.exe"
Path: C:\Users\admin\Desktop\synapse-launcher-11-17-21\bin\1NLbz5sRnL8kR.exe
Parent process: xuGid.bin
User: admin
Integrity Level: MEDIUM
Version: 1.0.0.0

PID: 2716
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe3_ Global\UsGthrCtrlFltPipeMssGthrPipe3 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\system32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)

PID: 2760
CMD: "C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch;
Path: C:\Windows\SYSTEM32\WISPTIS.EXE
Parent process: 1NLbz5sRnL8kR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Pen and Touch Input Component
Exit code: 3221226540
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2908
CMD: "C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch;
Path: C:\Windows\SYSTEM32\WISPTIS.EXE
Parent process: 1NLbz5sRnL8kR.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Pen and Touch Input Component
Exit code: 24
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 11 840
Read events: 11 702
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 5
Suspicious files: 1
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type

3924 | Synapse Launcher.exe | C:\Users\admin\Desktop\synapse-launcher-11-17-21\bin\xuGid.bin | executable
MD5: C2871D1029B1BFA0D97581557DC6CEEA
SHA256: AF8BE24F3A4239CA9C369A1F5E06F0D49011C7E59678B450E390EE332941B8F7

3628 | 1NLbz5sRnL8kR.exe | C:\Users\admin\Desktop\synapse-launcher-11-17-21\auth\options.bin | text
MD5: B68E2F6C206A11A3BBAE8758396338B0
SHA256: 11924BDE40385A538CA9E4391708CF3250C748AE7E24199592871A5684F533BC

996 | xuGid.bin | C:\Users\admin\Desktop\synapse-launcher-11-17-21\bin\SLAgent.dll | executable
MD5: 3C2AB2C87918358092DECB3C3B82FF44
SHA256: F2662DFE884C98F6AF24A96D5E4AC22394E37F46C1FF9497436E2FC79085FC23

996 | xuGid.bin | C:\Users\admin\Desktop\synapse-launcher-11-17-21\bin\1NLbz5sRnL8kR.exe | executable
MD5: C2871D1029B1BFA0D97581557DC6CEEA
SHA256: AF8BE24F3A4239CA9C369A1F5E06F0D49011C7E59678B450E390EE332941B8F7

3924 | Synapse Launcher.exe | C:\Users\admin\Desktop\synapse-launcher-11-17-21\bin\SynapseInjector.dll | executable
MD5: B246479720332882C823BE9A07C47E62
SHA256: 94DA330B0E9D8A03DBF7F585BCD2F42F5957C5AF869A93EB1CDD8F40617D88B2

1988 | WinRAR.exe | C:\Users\admin\Desktop\synapse-launcher-11-17-21\Synapse Launcher.exe | executable
MD5: 154E1239C1BB0E04B18F27AABFFCD6E7
SHA256: 93FC4441B3648A74D3BC72CC5F34CED564CECA74A5E560961178B42A6C8416B0

3628 | 1NLbz5sRnL8kR.exe | C:\Users\admin\Desktop\synapse-launcher-11-17-21\bin\theme-wpf.json | binary
MD5: F92E57A56C890DA7B29A80219EDA8B76
SHA256: A55CF3C1A752CECCE303C97F08FEA682644297CDE884AFFB25849E2CB7B90A30

1988 | WinRAR.exe | C:\Users\admin\Desktop\synapse-launcher-11-17-21\README.txt | text
MD5: DC2B17CED7F566C8C8FA76E76388100E
SHA256: 5E546413B92E3B07CC9BDE569A8ECFD9FCBC6C5FF0A65608C893B927B8AACDE7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1256 | Synapse Launcher.exe | 104.22.12.247:443 | synapse.to | Cloudflare Inc | US | suspicious
1256 | Synapse Launcher.exe | 172.67.38.129:443 | synapse.to | - | US | suspicious
3924 | Synapse Launcher.exe | 104.22.12.247:443 | synapse.to | Cloudflare Inc | US | suspicious
3628 | 1NLbz5sRnL8kR.exe | 104.22.12.247:443 | synapse.to | Cloudflare Inc | US | suspicious
3924 | Synapse Launcher.exe | 172.67.38.129:443 | synapse.to | - | US | suspicious

DNS requests

Domain | IP | Reputation
synapse.to | 104.22.12.247, 104.22.13.247, 172.67.38.129 | whitelisted
cdn.synapse.to | 172.67.38.129, 104.22.12.247, 104.22.13.247 | suspicious

Threats

PID | Process | Class | Message
- | - | Potentially Bad Traffic | ET DNS Query for .to TLD
- | - | Potentially Bad Traffic | ET DNS Query for .to TLD
No debug info