Analysis
- max time kernel: 97s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-03-2023 22:56
Static task: static1
Behavioral task: behavioral1
- Sample: ae63b342d6211f00ff9e256b1e2339b3.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: ae63b342d6211f00ff9e256b1e2339b3.exe
- Resource: win10v2004-20230220-en
General
- Target: ae63b342d6211f00ff9e256b1e2339b3.exe
- Size: 2.5MB
- MD5: ae63b342d6211f00ff9e256b1e2339b3
- SHA1: f2cb5fef98dd61c96e79896bd9ee84f258f3e856
- SHA256: 64d3eef726267d18037a898e65f9a98aa609a37d6cda7762013f9362ef424dd6
- SHA512: f35155e7fcae0f5a4e70856bac54eeaa398bafa7c8a95cd34fe7f31c4f07dfa719af1a6738f875f95eda8dd9ce02edfdc5ee9b7d67bb61f94fc78b71e9503f4e
- SSDEEP: 49152:xdoHdxkp92TMp2OSSyWi/TlV56nNeDyQ41Huw9If8DQtqKPi/VBK:id6Ugp24+6UyQ41uw9IkDUii
Malware Config
Signatures
- NetSupport
  NetSupport is a remote access tool sold as legitimate system administration software.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process: ae63b342d6211f00ff9e256b1e2339b3.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation
- Drops startup file (1 IoC)
  Process: ae63b342d6211f00ff9e256b1e2339b3.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autorunins_2022.ini.lnk
- Executes dropped EXE (1 IoC)
  Process: client32.exe (PID 2608)
- Loads dropped DLL (5 IoCs)
  Process: client32.exe (PID 2608), 5 DLL loads
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: client32.exe (PID 2608)
  Token: SeSecurityPrivilege
- Suspicious use of FindShellTrayWindow (1 IoC)
  Process: client32.exe (PID 2608)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Process: ae63b342d6211f00ff9e256b1e2339b3.exe (PID 1952) wrote to the memory of client32.exe (PID 2608), 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\ae63b342d6211f00ff9e256b1e2339b3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ae63b342d6211f00ff9e256b1e2339b3.exe"
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Roaming\WinUpdate_2022\client32.exe
    Command line: "C:\Users\Admin\AppData\Roaming\WinUpdate_2022\client32.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads