File name:

Synapse-X.zip

Full analysis: https://app.any.run/tasks/aa5e54cc-82ba-4aba-b70c-47e802a8f510
Verdict: Malicious activity
Analysis date: August 08, 2020, 19:18:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

59A03A7CF8C86585FC0F977662EAF0D7

SHA1:

2CFFDB8A8B8A14B479D26701CD9A3CCE61F845C8

SHA256:

8300F174F45AA59CD395B8DB0ED9CACAC25111C03D0363FF4DDA391A722FEFD0

SSDEEP:

12288:eVh3lXJKeAQDpUSpaA9eCYkGglxFWtDISTjoyRxpqm3mmsobpZx:en35JKezWSMATYkfWtESTjo16jsQZx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Synapse X.exe (PID: 3440)
      • xuGid.bin (PID: 3816)
      • Synapse X.exe (PID: 3600)
      • xuGid.bin (PID: 2544)

    • Loads dropped or rewritten executable

      • xuGid.bin (PID: 3816)

  • SUSPICIOUS

    • Starts application with an unusual extension

      • Synapse X.exe (PID: 3440)
      • Synapse X.exe (PID: 3600)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2508)
      • Synapse X.exe (PID: 3440)

    • Reads Environment values

      • xuGid.bin (PID: 3816)
      • xuGid.bin (PID: 2544)

    • Reads the BIOS version

      • xuGid.bin (PID: 3816)
      • xuGid.bin (PID: 2544)

  • INFO

    • Reads settings of System Certificates

      • Synapse X.exe (PID: 3600)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2020:02:17 13:16:12
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: Synapse-X/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
5
Malicious processes
0
Suspicious processes
5

Behavior graph

Click at the process to see the details
drop and start drop and start start drop and start winrar.exe synapse x.exe xugid.bin synapse x.exe xugid.bin

Process information

PID
CMD
Path
Indicators
Parent process
2508"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Synapse-X.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
2544"bin\xuGid.bin"C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.21938\Synapse-X\bin\xuGid.bin
Synapse X.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2508.21938\synapse-x\bin\xugid.bin
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
3440"C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.18936\Synapse-X\Synapse X.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.18936\Synapse-X\Synapse X.exe
WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Synapse Bootstrapper
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2508.18936\synapse-x\synapse x.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
3600"C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.21938\Synapse-X\Synapse X.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.21938\Synapse-X\Synapse X.exe
WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Synapse Bootstrapper
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2508.21938\synapse-x\synapse x.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
3816"bin\xuGid.bin"C:\Users\admin\AppData\Local\Temp\Rar$EXa2508.18936\Synapse-X\bin\xuGid.bin
Synapse X.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
4294967295
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa2508.18936\synapse-x\bin\xugid.bin
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events
707
Read events
614
Write events
93
Delete events
0

Modification events

(PID) Process:(2508) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2508) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2508) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\137\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2508) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\137\52C64B7E
Operation:writeName:@C:\Windows\system32\NetworkExplorer.dll,-1
Value:
Network
(PID) Process:(2508) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Synapse-X.zip
(PID) Process:(2508) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2508) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2508) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2508) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2508) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\137\52C64B7E
Operation:writeName:@C:\Windows\system32\notepad.exe,-469
Value:
Text Document
Executable files
6
Suspicious files
1
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
2508WinRAR.exeC:\Users\admin\AppData\Local\Temp\__rzi_2508.21132
MD5:
SHA256:
3440Synapse X.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2508.18936\Synapse-X\bin\xuGid.binexecutable
MD5:
SHA256:
2508WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2508.18936\Synapse-X\README.txttext
MD5:
SHA256:
2508WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2508.21938\Synapse-X\Synapse X.exeexecutable
MD5:
SHA256:
2508WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2508.18936\Synapse-X\Synapse X.exeexecutable
MD5:
SHA256:
2508WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2508.21938\Synapse-X\auth\options.bintext
MD5:
SHA256:
3816xuGid.binC:\Users\admin\AppData\Local\Temp\Rar$EXa2508.18936\Synapse-X\auth\options.bintext
MD5:
SHA256:
2508WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2508.21938\Synapse-X\bin\xuGid.binexecutable
MD5:
SHA256:
2508WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa2508.21938\Synapse-X\README.txttext
MD5:
SHA256:
2508WinRAR.exeC:\Users\admin\AppData\Local\Temp\Synapse-X.zipcompressed
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
2
Threats
2

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3440
Synapse X.exe
104.22.12.247:443
synapse.to
Cloudflare Inc
US
suspicious
3600
Synapse X.exe
104.22.12.247:443
synapse.to
Cloudflare Inc
US
suspicious
3816
xuGid.bin
104.22.12.247:443
synapse.to
Cloudflare Inc
US
suspicious
2544
xuGid.bin
104.22.12.247:443
synapse.to
Cloudflare Inc
US
suspicious
3440
Synapse X.exe
104.22.13.247:443
synapse.to
Cloudflare Inc
US
unknown

DNS requests

Domain
IP
Reputation
synapse.to
  • 104.22.12.247
  • 172.67.38.129
  • 104.22.13.247
whitelisted
cdn.synapse.to
  • 104.22.13.247
  • 104.22.12.247
  • 172.67.38.129
suspicious

Threats

PID
Process
Class
Message
1048
svchost.exe
Potentially Bad Traffic
ET DNS Query for .to TLD
1048
svchost.exe
Potentially Bad Traffic
ET DNS Query for .to TLD
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Synapse-X.zip