Malware analysis synapse X.rar Malicious activity | ANY.RUN

Add for printing

File name:	synapse X.rar
Full analysis:	https://app.any.run/tasks/dcb4e85e-41fb-47de-862b-072e094f4678
Verdict:	Malicious activity
Analysis date:	September 18, 2019, 15:50:39
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	6FCA5B4A7BC097ADC31FCCAC30A33B0E
SHA1:	8E0069E54BE8C273B971305A2BDE63BE4287DE2C
SHA256:	6474CCBE9FB70F4664AB6754EADB2A574012426E66B2FB91666A9BAE61712C71
SSDEEP:	393216:PsC5SDznkacZI/fXB6tNxNbvvR9nj5fo4baukHCBds:PsLznXci0NxB3R9OBiB2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - Synapse X.exe (PID: 3320)
  - C7FB8689DFEAC65B.bin (PID: 3804)
  - C7FB8689DFEAC65B.bin (PID: 3716)
  - Synapse X.exe (PID: 2448)
- Loads dropped or rewritten executable
  - C7FB8689DFEAC65B.bin (PID: 3716)
  - SearchProtocolHost.exe (PID: 1000)
SUSPICIOUS
- Starts application with an unusual extension
  - Synapse X.exe (PID: 2448)
  - Synapse X.exe (PID: 3320)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 3852)
  - Synapse X.exe (PID: 2448)
- Reads the BIOS version
  - C7FB8689DFEAC65B.bin (PID: 3716)
- Reads Environment values
  - C7FB8689DFEAC65B.bin (PID: 3716)
INFO
- Manual execution by user
  - Synapse X.exe (PID: 2448)
  - Synapse X.exe (PID: 3320)
- Reads settings of System Certificates
  - C7FB8689DFEAC65B.bin (PID: 3716)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3852	"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\synapse X.rar"	C:\Program Files\WinRAR\WinRAR.exe		explorer.exe
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0
2448	"C:\Users\admin\Desktop\Synapse X.exe"	C:\Users\admin\Desktop\Synapse X.exe		explorer.exe
User: admin Integrity Level: MEDIUM Description: Synapse Bootstrapper Exit code: 0 Version: 1.0.0.0
3320	"C:\Users\admin\Desktop\Synapse X.exe"	C:\Users\admin\Desktop\Synapse X.exe		explorer.exe
User: admin Integrity Level: MEDIUM Description: Synapse Bootstrapper Exit code: 0 Version: 1.0.0.0
3716	"bin\C7FB8689DFEAC65B.bin"	C:\Users\admin\Desktop\bin\C7FB8689DFEAC65B.bin		Synapse X.exe
User: admin Integrity Level: MEDIUM Description: Synapse UI WPF Version: 1.0.0.0
3804	"bin\C7FB8689DFEAC65B.bin"	C:\Users\admin\Desktop\bin\C7FB8689DFEAC65B.bin	—	Synapse X.exe
User: admin Integrity Level: MEDIUM Description: Synapse UI WPF Exit code: 4294967295 Version: 1.0.0.0
1000	"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"	C:\Windows\System32\SearchProtocolHost.exe	—	SearchIndexer.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Version: 7.00.7600.16385 (win7_rtm.090713-1255)

Add for printing

Total events

937

Read events

855

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3852	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3852.37009\bin\4EF437B6217B677D.dll		executable
		MD5:56E60FDFB8EB50D75AF96C094245106F	SHA256:71DB017C4FA4BD9FEFCA33DBF2AAED01E68792D99731F80EFD0678B78797378D
3852	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3852.37009\bin\theme.json		text
		MD5:C0C61B71F2D4C3296E1E4C57EF31AC83	SHA256:951820403E841C0CBE8E00E9C5CCC68DD3EF170438D42A7B3F075D4A2AC73239
3852	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3852.37009\bin\F089D07A5CDD2A84.bin		executable
		MD5:232D39E24BF5DA02FCC257A72456DF0F	SHA256:CE91BEE69D4EE6A23A945894D8520EBC5E03B42BE9464A3065853A8090AA8275
3852	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3852.37009\bin\SynapseInjector.dll		executable
		MD5:C0A334A3830914BA35F2DAD5B1421F1B	SHA256:6E62638DC9FE57EC3921991EC5012E587D95604215DF1FF836F4A3CBA6170D9F
3852	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3852.37009\bin\vs\basic-languages\dockerfile\dockerfile.js		text
		MD5:E32DE981BDAF75E6FFB8FE40BC955A68	SHA256:65B86FC54E9B35D6CB84F01DFB905680DBCAD6605757DE1D6BCA84E3029889AF
3852	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3852.37009\bin\Monaco.html		html
		MD5:999896134BD43CEFA865F37E514BA62F	SHA256:1ECDD9529EF5487F92736894D94FF680F6C32EE821615D29C0FC814F3A310B4A
3852	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3852.37009\bin\vs\basic-languages\csp\csp.js		text
		MD5:22ADA25D590811DCFF4E5F5D698E583B	SHA256:4B5A5D7D50986B86B00833447E097C0F01A4388CE1765B48E7E371D06E3A4789
3852	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3852.37009\bin\vs\basic-languages\bat\bat.js		text
		MD5:4CB475399C4490EEA41982DCD6D9653E	SHA256:9BCA42394FE8922FEC24B768EEB8CE04692DE6FAD82F9052D5B7E70F5C6B0F40
3852	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3852.37009\bin\vs\basic-languages\ini\ini.js		text
		MD5:B9252B74381FE17565D494711F4C9093	SHA256:1F0FEEAE58C32F6E1F31B78F7E2AAB3C91DA387E464234C0F55EBFF0E77444A2
3852	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa3852.37009\bin\vs\basic-languages\handlebars\handlebars.js		text
		MD5:3CA7CF83292B56444548F2914C0E1811	SHA256:31D25588D120E7C79F3332FF3B3C794CEBD0554C7578E3BB37B3CAC366E4F6C2

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2448	Synapse X.exe	104.20.166.135:443	synapse.to	Cloudflare Inc	US	shared
2448	Synapse X.exe	104.20.165.135:443	synapse.to	Cloudflare Inc	US	shared
3320	Synapse X.exe	104.20.166.135:443	synapse.to	Cloudflare Inc	US	shared
3716	C7FB8689DFEAC65B.bin	104.20.166.135:443	synapse.to	Cloudflare Inc	US	shared

DNS requests

Domain	IP	Reputation
synapse.to	104.20.166.135 104.20.165.135	whitelisted
cdn.synapse.to	104.20.165.135 104.20.166.135	suspicious

Threats

PID	Process	Class	Message
—	—	Potentially Bad Traffic	ET DNS Query for .to TLD
—	—	Potentially Bad Traffic	ET DNS Query for .to TLD

Add for printing

No debug info

General Info

synapse X.rar

6FCA5B4A7BC097ADC31FCCAC30A33B0E

8E0069E54BE8C273B971305A2BDE63BE4287DE2C

6474CCBE9FB70F4664AB6754EADB2A574012426E66B2FB91666A9BAE61712C71

393216:PsC5SDznkacZI/fXB6tNxNbvvR9nj5fo4baukHCBds:PsLznXci0NxB3R9OBiB2

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

SUSPICIOUS

Starts application with an unusual extension

Executable content was dropped or overwritten

Reads the BIOS version

Reads Environment values

INFO

Manual execution by user

Reads settings of System Certificates

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings