Field | Value |
---|---|
File name | synapse_x_cracked_2019.exe |
Full analysis | https://app.any.run/tasks/7be240e3-7f26-4ef3-b6ea-b096c512c2c3 |
Verdict | Malicious activity |
Analysis date | May 15, 2019, 14:38:35 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/x-dosexec |
File info | PE32 executable (console) Intel 80386, for MS Windows |
MD5 | 4FC33E8759CCAE9DE15428AECA6F573F |
SHA1 | 4FDA2E6AC9E1EA0862823E9D4C56CF9E875CF113 |
SHA256 | AF1CAA8E00C2AD528DFAC543D33971D7BBFEB46D2712A45E933CA9A7574A22BD |
SSDEEP | 12288:G1DO+ak4YAHY/S/qxUzUNX2zKRuqedEa1MWXVRJwf+s/:8pOYAHiS/yUzUNmzKRuqedEaJrJy+C |
Extension | File type (match score) |
---|---|
.exe | Win64 Executable (generic) (64.6) |
.dll | Win32 Dynamic Link Library (generic) (15.4) |
.exe | Win32 Executable (generic) (10.5) |
.exe | Generic Win/DOS Executable (4.6) |
.exe | DOS Executable Generic (4.6) |
Field | Value |
---|---|
Subsystem | Windows command line |
SubsystemVersion | 6 |
ImageVersion | - |
OSVersion | 6 |
EntryPoint | 0x40ca |
UninitializedDataSize | - |
InitializedDataSize | 616448 |
CodeSize | 69120 |
LinkerVersion | 14.15 |
PEType | PE32 |
TimeStamp | 2019:05:15 15:12:39+02:00 |
MachineType | Intel 386 or later, and compatibles |
Field | Value |
---|---|
Architecture | IMAGE_FILE_MACHINE_I386 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_CUI |
Compilation Date | 15-May-2019 13:12:39 |
Detected languages | |
Field | Value |
---|---|
Magic number | MZ |
Bytes on last page of file | 0x0090 |
Pages in file | 0x0003 |
Relocations | 0x0000 |
Size of header | 0x0004 |
Min extra paragraphs | 0x0000 |
Max extra paragraphs | 0xFFFF |
Initial SS value | 0x0000 |
Initial SP value | 0x00B8 |
Checksum | 0x0000 |
Initial IP value | 0x0000 |
Initial CS value | 0x0000 |
Overlay number | 0x0000 |
OEM identifier | 0x0000 |
OEM information | 0x0000 |
Address of NE header | 0x00000108 |
Field | Value |
---|---|
Signature | PE |
Machine | IMAGE_FILE_MACHINE_I386 |
Number of sections | 5 |
Time date stamp | 15-May-2019 13:12:39 |
Pointer to Symbol Table | 0x00000000 |
Number of symbols | 0 |
Size of Optional Header | 0x00E0 |
Characteristics | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00010D04 | 0x00010E00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.54246 |
.rdata | 0x00012000 | 0x0008EC38 | 0x0008EE00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.5419 |
.data | 0x000A1000 | 0x00001290 | 0x00000A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.23265 |
.o3ip | 0x000A3000 | 0x00003E80 | 0x00004000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.79315 |
.rsrc | 0x000A7000 | 0x00002528 | 0x00002600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.83741 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.97281 | 668 | UNKNOWN | English - United States | RT_MANIFEST |
IDB_PNG1 | 7.96493 | 8644 | UNKNOWN | English - United States | PNG |
Imported library |
---|
KERNEL32.dll |
USER32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2532 | "C:\Users\admin\AppData\Local\Temp\synapse_x_cracked_2019.exe" | C:\Users\admin\AppData\Local\Temp\synapse_x_cracked_2019.exe | — | explorer.exe |
 | User: admin; Integrity Level: MEDIUM; Exit code: 0 | | | |
3524 | "C:\Users\admin\AppData\Local\Temp\synapse_x_cracked_2019.exe" "C:\Users\admin\AppData\Local\Temp\synapse_x_cracked_2019.exe" | C:\Users\admin\AppData\Local\Temp\synapse_x_cracked_2019.exe | — | synapse_x_cracked_2019.exe |
 | User: admin; Integrity Level: HIGH; Exit code: 0 | | | |
2308 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\aftersay.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
 | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Word; Exit code: 0; Version: 14.0.6024.1000 | | | |
PID | Process | Key | Operation | Name | Value |
---|---|---|---|---|---|
2532 | synapse_x_cracked_2019.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0 |
2532 | synapse_x_cracked_2019.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1 |
2308 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | write | df7f81a39-5f63-5b42-9efd-1f13b5431005lt; | 64243C0004090000010000000000000000000000 |
2308 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1033 | Off |
2308 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | write | 1033 | On |
2308 | WINWORD.EXE | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | write | WORDFiles | 1320091679 |
2308 | WINWORD.EXE | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | write | ProductFiles | 1320091792 |
2308 | WINWORD.EXE | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage | write | ProductFiles | 1320091793 |
2308 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | write | MTTT | 0409000024DBB0F62B0BD50100000000 |
2308 | WINWORD.EXE | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | write | }%< | 7D253C000409000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2308 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR9444.tmp.cvr | — | — | — |
2308 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0AA287B8-9F02-453B-9AF0-236F7BBDA0E1}.tmp | — | — | — |
2308 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{432E1323-06BB-4C7B-9F78-B6815952D627}.tmp | — | — | — |
2308 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | 50395AEF899E0A823FA7D2D02B6A8A31 | F0072AF3E4683A56CA55C016C1E6A0A4579BDEE9DD9F31A3A487C8013A98BCC7 |
2308 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\aftersay.rtf.LNK | lnk | 18AF31DD65A54833DBCC1A15BD72DF94 | E6C5455030F8926491712C41484F9AB64A2C38CEDB5013CC9151CBB209FCB1F2 |
2308 | WINWORD.EXE | C:\Users\admin\Desktop\~$tersay.rtf | pgc | 7CBB5033983E86E6A35A0DDF062D684B | F36108CA62765CC0B1A4CA0289DA56AD133E9B9C891C3F3CA5AC73ABACC3A819 |
2308 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | ini | EF06FDC0682471CA90C050C72ED5A861 | 4195D17EC31348D3A72BB71174F7A45017F6186DCFFA36B8260763C76A9C3452 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3524 | synapse_x_cracked_2019.exe | GET | 200 | 54.230.129.93:80 | http://d1hq9wbcfo7dcl.cloudfront.net/offer.php?affId=7512&trackingId=413877782&instId=7584&ho_trackingid=HO413877782&cc=DE&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5d979308c3b6ea5ad7e984e628c8cac1&v=3&net=4.6.01055&ie=8%2e0%2e7601%2e17514&res=1280x720&osd=587&kid=hqmrb21b7n1opqg2uj5 | US | — | — | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3524 | synapse_x_cracked_2019.exe | 54.230.129.93:80 | d1hq9wbcfo7dcl.cloudfront.net | Amazon.com, Inc. | US | malicious |
Domain | IP | Reputation |
---|---|---|
d1hq9wbcfo7dcl.cloudfront.net | | shared |
PID | Process | Class | Message |
---|---|---|---|
3524 | synapse_x_cracked_2019.exe | Unknown Traffic | ET INFO Suspicious User-Agent (1 space) |
3524 | synapse_x_cracked_2019.exe | Misc activity | ADWARE [PTsecurity] SoftwareBundler:Win32/Prepscram |