Analysis
- max time kernel: 144s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-03-2023 15:16
Static task: static1
Behavioral task: behavioral1
  Sample: 5331532e760e8d1006f09ab8be38efe4.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 5331532e760e8d1006f09ab8be38efe4.exe
  Resource: win10v2004-20230220-en
General
- Target: 5331532e760e8d1006f09ab8be38efe4.exe
- Size: 2.5MB
- MD5: 5331532e760e8d1006f09ab8be38efe4
- SHA1: 09bbc125d5e7fba8bfbd1c26b71c7f0496b7e574
- SHA256: b4e0ddcf69631a6f24718c6a25ef4eee2c13d56a581ec4f102e9388b39bfb041
- SHA512: 9402a6c1f9c79b0e47b908c8b86dbd52f71d15099bdd80bc1c9971fa4fdad79778bcfba0b9112cb1fc0dd15ca9a9fe419780f3ac456c0ac0b304d1b2ea9f057c
- SSDEEP: 49152:xFeJD6gLQsN5kEtXhd9Gvf6Hgx6nlhXesKb40lKSm8:GD95kEtP9Gvf6AO5IMMKu
Malware Config
Signatures
- NetSupport
  NetSupport is a remote access tool sold as legitimate system administration software.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation
    process: 5331532e760e8d1006f09ab8be38efe4.exe
- Drops startup file (1 IoC)
  Processes:
    description: File created
    ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autorunn2023.ini.lnk
    process: 5331532e760e8d1006f09ab8be38efe4.exe
- Executes dropped EXE (1 IoC)
  Processes:
    pid: 4136, process: client32.exe
- Loads dropped DLL (5 IoCs)
  Processes:
    pid: 4136, process: client32.exe (5 entries)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeSecurityPrivilege
    pid: 4136, process: client32.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
    pid: 4136, process: client32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description: PID 1512 wrote to memory of 4136
    pid: 1512, process: 5331532e760e8d1006f09ab8be38efe4.exe, target process: client32.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\5331532e760e8d1006f09ab8be38efe4.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5331532e760e8d1006f09ab8be38efe4.exe"
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\supwinupdate\client32.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\supwinupdate\client32.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\supwinupdate\HTCTL32.DLL
  Filesize: 299KB
  MD5: 369388ac78ca4ca8a64219cf9aafad4c
  SHA1: dfa6c01c55ac799f041c65df9a35aba8cf0d8c2d
  SHA256: c76ee648639406c81469772311c39b46042bf1b91e47d9201908f3cf70407f30
  SHA512: 7d090f033ffc48b870d692877f3804a69dcb1ff61b96936f1ab77bf42b156839bfd787c387bc7d642c732868e3dcd8c0ff3b319f057c0157b5afc6843b302bc5
- C:\Users\Admin\AppData\Roaming\supwinupdate\MSVCR100.dll
  Filesize: 755KB
  MD5: 0e37fbfa79d349d672456923ec5fbbe3
  SHA1: 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
  SHA256: 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
  SHA512: 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630
- C:\Users\Admin\AppData\Roaming\supwinupdate\NSM.LIC
  Filesize: 258B
  MD5: 06fa55f6114fd4155223638237dc4b1d
  SHA1: a7662e7466cfa9ab554f68bb679c2807e6d3afad
  SHA256: e8fea18a30729f9a3b56460964d9e9f74a7075732cf7a522456280903ddd9cf7
  SHA512: df5b984a9ae7a65c7213328c14c172296a79af5079a035d7b4e77c55c80856eebcb58c8436fc2b5c33b08dd81a7d646eb0829d41e7a45c4e45039aea5574bf5e
- C:\Users\Admin\AppData\Roaming\supwinupdate\PCICAPI.dll
  Filesize: 100KB
  MD5: f0d7d2a77eee2b3146405d3ad0d56230
  SHA1: 37c323faf58584606ee5847cb9a25346c588f78f
  SHA256: f043653ab1b8fbe5a33922df5b4fb46797e9694e5fcee807b97cc6aaef650131
  SHA512: 861258b5b97665f649437fd25aadc5dc66e5bc5a87d7482300f9931810f0d89d0ed9c01890cd038daa7c6d2f1850a3208fc20b3c1dc2e588c7688e228a4baade
- C:\Users\Admin\AppData\Roaming\supwinupdate\PCICHEK.DLL
  Filesize: 8KB
  MD5: 07b474ab5c503f35873b94cd48d01592
  SHA1: e6f699d6c021d9d434cc6a4e68516c4c2ac80ddc
  SHA256: c8911c298f860de85037f8634e8539627f5a1c13b1fffe5568d63612e29b9cd4
  SHA512: a995b0d1fba6e99dd89afbf5161efc18b0268c001c27155876e642abc8639f79c2c320530039cfa5ec9f6ca10e1d716060b0fb86414245f578f920f11c9bbbc8
- C:\Users\Admin\AppData\Roaming\supwinupdate\PCICL32.DLL
  Filesize: 3.3MB
  MD5: 1274cca13cc5e37ca94d35e5b0673e89
  SHA1: a8754c94f88273c304bc45a5afd61a383bb52117
  SHA256: cd5510c8bc7ea60be77ad4aab502ee02d871bf4e917aeeb6921c20eebd9693dd
  SHA512: 52eafa31ee942dc92d0b8f52c12206f6abc1d5fae799b37b371e97c38ce66bd0693263de86b4880748ba1405054701288caf2cd00cd327edc164e1390cf9191c
- C:\Users\Admin\AppData\Roaming\supwinupdate\PCICL32.dll (same hashes as PCICL32.DLL; path differs only in case)
  Filesize: 3.3MB
  MD5: 1274cca13cc5e37ca94d35e5b0673e89
  SHA1: a8754c94f88273c304bc45a5afd61a383bb52117
  SHA256: cd5510c8bc7ea60be77ad4aab502ee02d871bf4e917aeeb6921c20eebd9693dd
  SHA512: 52eafa31ee942dc92d0b8f52c12206f6abc1d5fae799b37b371e97c38ce66bd0693263de86b4880748ba1405054701288caf2cd00cd327edc164e1390cf9191c
- C:\Users\Admin\AppData\Roaming\supwinupdate\client32.exe
  Filesize: 101KB
  MD5: c4f1b50e3111d29774f7525039ff7086
  SHA1: 57539c95cba0986ec8df0fcdea433e7c71b724c6
  SHA256: 18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d
  SHA512: 005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5
- C:\Users\Admin\AppData\Roaming\supwinupdate\client32.ini
  Filesize: 1009B
  MD5: 95bfe0d689147edf522ccbc7b62f6400
  SHA1: 633a14f96e2b022fb1e05e4d5308b49f9439405c
  SHA256: 2949b1bc32a6572c854f1185084d2f9f252e86c0ead6f15e3716b24ba1147b85
  SHA512: 788064d17b897f70f3bf7cd474266d6d307600184628341c1863c129bff46e74a4f3f833f2ab5bfaa0b15a462efb5fbafb01f136f18a4611259cb4c7236709ad
- C:\Users\Admin\AppData\Roaming\supwinupdate\msvcr100.dll (same hashes as MSVCR100.dll; path differs only in case)
  Filesize: 755KB
  MD5: 0e37fbfa79d349d672456923ec5fbbe3
  SHA1: 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
  SHA256: 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
  SHA512: 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630
- C:\Users\Admin\AppData\Roaming\supwinupdate\pcicapi.dll (same hashes as PCICAPI.dll; path differs only in case)
  Filesize: 100KB
  MD5: f0d7d2a77eee2b3146405d3ad0d56230
  SHA1: 37c323faf58584606ee5847cb9a25346c588f78f
  SHA256: f043653ab1b8fbe5a33922df5b4fb46797e9694e5fcee807b97cc6aaef650131
  SHA512: 861258b5b97665f649437fd25aadc5dc66e5bc5a87d7482300f9931810f0d89d0ed9c01890cd038daa7c6d2f1850a3208fc20b3c1dc2e588c7688e228a4baade
- C:\Users\Admin\AppData\Roaming\supwinupdate\pcichek.dll (same hashes as PCICHEK.DLL; path differs only in case)
  Filesize: 8KB
  MD5: 07b474ab5c503f35873b94cd48d01592
  SHA1: e6f699d6c021d9d434cc6a4e68516c4c2ac80ddc
  SHA256: c8911c298f860de85037f8634e8539627f5a1c13b1fffe5568d63612e29b9cd4
  SHA512: a995b0d1fba6e99dd89afbf5161efc18b0268c001c27155876e642abc8639f79c2c320530039cfa5ec9f6ca10e1d716060b0fb86414245f578f920f11c9bbbc8