Reads data out of its own binary image Show sources
| api_process_name | process: ._cache_263610b09096511eb54892a82b7d631ac6ec4995.exe, pid: 2524, offset: 0x009e6ce8, length: 0x000030d9 |
| api_process_name | process: ._cache_263610b09096511eb54892a82b7d631ac6ec4995.exe, pid: 2524, offset: 0x009e9f63, length: 0x000a9615 |
Attempts to connect to a dead IP:Port (4 unique times) Show sources
| network_host_ip | 8.240.248.254:80 (United States) |
| network_host_ip | 151.139.128.14:80 (United States) |
| network_host_ip | 172.217.1.163:80 (United States) |
| network_host_ip | 72.21.91.29:80 (United States) |
Performs some HTTP requests Show sources
| network_url | http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 |
| network_url | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D |
| network_url | http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQCaqSUI%2Bht%2FqQUAAAAAh0om |
| network_url | http://ocsp.pki.goog/gts1o1core/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEDV8NbKN%2BGCNBQAAAACHSlU%3D |
| network_url | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D |
| network_url | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj%2FkK8CB3U8zNllZGKiErhZcjsCEAJLrzIItpd3cj34Ka%2BNH60%3D |
| network_url | http://xred.site50.net/syn/Synaptics.rar |
| network_url | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D |
| network_url | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D |
| network_url | http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECECg%2FsnYZQBcbghenePPERjY%3D |
| network_url | http://crl.globalsign.net/primobject.crl |
Network activity contains more than one unique useragent. Show sources
| Process | Synaptics.exe |
| User-Agent | MyApp |
| Process | Synaptics.exe |
| User-Agent | Synaptics.exe |
Attempts to identify installed AV products by installation directory Show sources
| file_query | C:\Program Files\Sandboxie\Start.exe |
| file_query | C:\Program Files\Sandboxie |
| file_query | C:\Program Files\Sandboxie\Start.exe |
| file_query | C:\Program Files\Sandboxie |
| file_query | C:\Program Files\Sandboxie\Start.exe |
| file_query | C:\Program Files\Sandboxie |
| file_query | C:\Program Files\Sandboxie\SbieCtrl.exe |
| file_query | C:\Program Files\Sandboxie |
| file_query | C:\Program Files\Sandboxie\Start.exe |
| file_query | C:\Program Files\Sandboxie |
| file_query | C:\Windows\Installer\SandboxieInstall64.exe |
| file_query | C:\program files\sandboxie\Start.exe |
| file_query | C:\program files\sandboxie\Start.exe |
| file_query | C:\Program Files\Sandboxie\Start.exe |
| file_query | C:\Program Files\Sandboxie |
| file_query | C:\Program Files\Sandboxie\Start.exe |
| file_query | C:\Program Files\Sandboxie |
| file_query | C:\Program Files\Sandboxie\Start.exe |
| file_query | C:\Program Files\Sandboxie |
| file_query | C:\Program Files\Sandboxie\SbieCtrl.exe |
| file_query | C:\Program Files\Sandboxie |
| file_query | C:\Program Files\Sandboxie\Start.exe |
| file_query | C:\Program Files\Sandboxie |
| file_query | C:\Windows\Installer\SandboxieInstall64.exe |
The binary likely contains encrypted or compressed data. Show sources
| packer_section | name: .rsrc, entropy: 7.97, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ, raw_size: 0x00aa8600, virtual_size: 0x00aa8418 |
Anomalous binary characteristics Show sources
| static_pe_timestamp | Timestamp on binary predates the release date of the OS version it requires by at least a year |
Creates RWX memory Show sources
| injection_rwx_memory | 0x00000040, NtAllocateVirtualMemory or VirtualProtectEx |
'Dropbox' in HTML Title but connection is not HTTPS. Possibly indicative of phishing. Show sources
| network_url |
Drops a binary and executes it Show sources
| file_dropped | C:\Users\user\AppData\Local\Temp\._cache_263610b09096511eb54892a82b7d631ac6ec4995.exe |
| file_dropped | C:\Users\user\AppData\Local\Temp\is-VR9FB.tmp\._cache_263610b09096511eb54892a82b7d631ac6ec4995.tmp |
| file_dropped | C:\ProgramData\Synaptics\Synaptics.exe |
Installs itself for autorun at Windows startup Show sources
| registry_write | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver |
| data | C:\ProgramData\Synaptics\Synaptics.exe |
Possible date expiration check, exits too soon after checking local time Show sources
| api_process_name | ._cache_263610b09096511eb54892a82b7d631ac6ec4995.exe, PID 2524 |
A process attempted to delay the analysis task. Show sources
| api_process_name | Synaptics.exe tried to sleep 361 seconds, actually delayed analysis time by 0 seconds |
Detects VirtualBox through the presence of a file Show sources
| file_query | C:\Program Files\Oracle\VirtualBox Guest Additions\uninst.exe |
| file_query | C:\Program Files\Oracle\VirtualBox Guest Additions\uninst.exe |
Creates a hidden or system file Show sources
| file_write | C:\Users\user\AppData\Local\Temp\._cache_263610b09096511eb54892a82b7d631ac6ec4995.exe |
| file_write | C:\ProgramData\Synaptics |
| file_write | C:\ProgramData\Synaptics\Synaptics.exe |
| file_write | C:\Users\user\AppData\Roaming\WinSl |