Analysis
- max time kernel: 68s
- max time network: 129s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 07-05-2021 23:16
Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 778740fde9b90b9dba00950061087e9a.exe
  - Resource: win7v20210410
- Behavioral task: behavioral2
  - Sample: 778740fde9b90b9dba00950061087e9a.exe
  - Resource: win10v20210408
General
- Target: 778740fde9b90b9dba00950061087e9a.exe
- Size: 3.2MB
- MD5: 778740fde9b90b9dba00950061087e9a
- SHA1: a2b0d310fe8acb98d21ab9ffb7dac7cdcedf5348
- SHA256: 01910bddacbf2ea878b487dd3dfc2cfbeabf1a3dba94309b4a84c9e6b4b4afc9
- SHA512: 1fb987544a2031b45e659b9f87fbea2d437c96e64748d02d856b014aa952bced4514119a7e97d19511423765e8eef30765c7ee5f3768f464bb95c2404bf046b5
Malware Config
Signatures
- NetSupport
  NetSupport is a remote access tool sold as legitimate system administration software.
- Executes dropped EXE (3 IoCs)
  Processes: DS3.exe (PID 3228), DS3.tmp (PID 4216), client32.exe (PID 576)
- Loads dropped DLL (8 IoCs)
  Processes: DS3.tmp (PID 4216) x2, client32.exe (PID 576) x6
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: DS3.tmp (PID 4216) x2
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: client32.exe (PID 576), Token: SeSecurityPrivilege
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: DS3.tmp (PID 4216), client32.exe (PID 576)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Source process -> target process:
  - PID 4804 778740fde9b90b9dba00950061087e9a.exe wrote to memory of PID 3228 DS3.exe (x3)
  - PID 3228 DS3.exe wrote to memory of PID 4216 DS3.tmp (x3)
  - PID 4216 DS3.tmp wrote to memory of PID 576 client32.exe (x3)
Processes
- C:\Users\Admin\AppData\Local\Temp\778740fde9b90b9dba00950061087e9a.exe (PID 4804, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\778740fde9b90b9dba00950061087e9a.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\DS3.exe (PID 3228, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\DS3.exe" /VERYSILENT /SP-
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\is-G7NVI.tmp\DS3.tmp (PID 4216, depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-G7NVI.tmp\DS3.tmp" /SL5="$2019E,2809640,780800,C:\Users\Admin\AppData\Local\Temp\RarSFX0\DS3.exe" /VERYSILENT /SP-
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\WindowsUpdate\client32.exe (PID 576, depth 4)
        Command line: "C:\Users\Admin\AppData\Roaming\WindowsUpdate\client32.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\DS3.exe
- C:\Users\Admin\AppData\Local\Temp\is-G7NVI.tmp\DS3.tmp
- C:\Users\Admin\AppData\Local\Temp\is-U73IM.tmp\_isetup\_isdecmp.dll
- C:\Users\Admin\AppData\Roaming\WindowsUpdate\HTCTL32.DLL
- C:\Users\Admin\AppData\Roaming\WindowsUpdate\MSVCR100.dll
- C:\Users\Admin\AppData\Roaming\WindowsUpdate\NSM.LIC
- C:\Users\Admin\AppData\Roaming\WindowsUpdate\PCICL32.dll
- C:\Users\Admin\AppData\Roaming\WindowsUpdate\client32.exe
- C:\Users\Admin\AppData\Roaming\WindowsUpdate\client32.ini
- C:\Users\Admin\AppData\Roaming\WindowsUpdate\pcicapi.dll
- C:\Users\Admin\AppData\Roaming\WindowsUpdate\pcichek.dll