Managed XDR

c015a.msi — malware analysis report

File info

Filename
c015a.msi
File type
Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Syncro, Author: Servably, Inc., Keywords: Installer, Comments: This installer database contains the logic and data required to install Syncro., Template: Intel;1033, Revision Number: {19EA6259-F468-4BB9-AE73-B27764E9EBB2}, Create Time/Date: Fri Jul 26 21:47:30 2024, Last Saved Time/Date: Fri Jul 26 21:47:30 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.0.8606), Security: 2
File size
3.1 MB
First seen
Last seen

Environment

w10/x86 en

Hashes

SHA1
65c7b507cbdee450223107eabef6881fd4ab8f51
SHA256
f3f63bbf7719b047278b5d5e892a33f350679c5d9995c9c78ad86641b4214270
MD5
e64d4c0f7ccbb4063062068e965c6622

Signatures

Execution

T1569.002 persistence_service: Starts newly created service
T1047 has_wmi: Executes one or several WMI requests
T1059.003 suspicious_process: Spawns a suspicious process
T1059.003 executes_dropped_cmd: Executes dropped batch files

Persistence

T1543.003 creates_service: Creates a service, that will start automatically
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1574.011 persistence_services: Modifies Services registry key
T1543.003 persistence_services: Modifies Services registry key

Privilege Escalation

T1543.003 creates_service: Creates a service, that will start automatically
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1574.011 persistence_services: Modifies Services registry key
T1543.003 persistence_services: Modifies Services registry key
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1562.001 disables_windowsupdate: Disables Windows Auto Updates
T1497.001 antivm_generic_services: Enumerates services, possibly for anti-virtualization
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1574.011 persistence_services: Modifies Services registry key
T1497.003 antisandbox_sleep_utilities: Uses Windows utilities for pausing the execution
T1497.001 antivm_network_adapters: Checks NIC addresses
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1480 system_default_lang_id_present: Checks the system language
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions
T1497.001 antivm_queries_computername: Retrieves the computer name
T1218 suspicious_cmdline_keywords: Cmdline with suspicious keywords

Discovery

T1518.001 antiav_detectservice: Attempts to detect installed antiviruses by a certain service
T1497.001 antivm_generic_services: Enumerates services, possibly for anti-virtualization
T1518 recon_programs: Collects information about installed programs
T1497.003 antisandbox_sleep_utilities: Uses Windows utilities for pausing the execution
T1082 uses_windows_utilities: Uses Windows utilities for basic Windows functionality
T1518 locates_browser: Attempts to identify where browsers are installed
T1497.001 antivm_network_adapters: Checks NIC addresses
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1049 list_ts_rdp_sessions: Lists ts/rdp sessions
T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions
T1497.001 antivm_queries_computername: Retrieves the computer name
T1082 fingerprint_to_file: Collects data about system and user and writes it to a text file

Impact

T1489 change_service_config: Stops services via ChangeServiceConfig
T1489 net_stop: Stops services through the use of net stop

Other

ce_info: Syncro Configuration Data found
pe_in_bcryptdecrypt: PE found in BCryptDecrypt function
syncro_behavior: Demonstrates behavioral signs of Syncro RMM Agent
creates_exe: Creates executable files in the file system
suspicious_process_network: Unusual process network activity detected
executes_dropped_exe: Executes dropped exe files
unexpected_exception: Unexpected exception
unsigned_driver_drop: Sample is not signed and drops a device driver
create_rpc_bindings: Creates RPC connection
creates_suspended_process: Creates suspended process
break_limit_exceeded: Warning: function calls limit has been exceeded
msi_has_custom_action: MSI file contains custom action
get_policy_info: Retrieves information about a Policy object
creates_in_programdata: Creates files in the ProgramData directory
test_check_service: Starts services
checktokenmembership: Checks user token with CheckTokenMembership call
writes_data: Writes big amount of data to disk
yara_rules: Static rules
valid_authenticode: The digital signature has been verified