Malware Analysis Report

2025-06-16 05:06

Sample ID 230529-f4ysmaac21
Target ngg_cl.zip
SHA256 faf9b23508c4445bf9017cacb3b4f08f39d0cd0cd48cc17156320abb6083d9c7
Tags
netsupport rat
score
10/10

Analysis Overview

score
10/10

SHA256

faf9b23508c4445bf9017cacb3b4f08f39d0cd0cd48cc17156320abb6083d9c7

Threat Level: Known bad

The file ngg_cl.zip was found to be: Known bad.

Malicious Activity Summary

netsupport rat

NetSupport

Program crash

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A
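Reading this report as a whole: the archive was unpacked and every component was detonated on its own, each DLL via rundll32.exe with ordinal #1 from the user's Temp directory, and the two executables directly. In every DLL run C:\Windows\system32\rundll32.exe spawns C:\Windows\SysWOW64\rundll32.exe with an identical command line, which is the 64-bit rundll32 handing a 32-bit DLL to its 32-bit counterpart; the "wrote to memory of" events name only that child, and the two "Program crash" entries are WerFault.exe handling the 32-bit rundll32 (PIDs 4720 and 4104) that faulted after ordinal #1 was called. The NetSupport signatures fire only in the client32.exe runs (behavioral11 and behavioral12). The following Python triage script is an added example, not code from the sandbox vendor or from NetSupport: it parses rundll32 command lines of the shape recorded here, flags DLLs executed by ordinal from a user-writable directory, recognises the system32/SysWOW64 rundll32 pairing, and scores a file listing against the NetSupport client file names that appear in this report. The user-writable path markers and the bundle verdict threshold are my own assumptions.

```python
"""Triage of the rundll32 detonations and the dropped file set in this report.

Added example: this is not code from the sandbox vendor or from NetSupport.
Component file names are the ones recorded in this report's command lines;
the user-writable path markers and the bundle verdict threshold are my own
assumptions.
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Files of the NetSupport Manager client that this report detonated
# (client32.exe, remcmdstub.exe and the seven DLLs handed to rundll32).
NETSUPPORT_COMPONENTS = {
    "client32.exe", "remcmdstub.exe", "audiocapture.dll", "htctl32.dll",
    "pcichek.dll", "pcicl32.dll", "tcctl32.dll", "msvcr100.dll", "pcicapi.dll",
}

# Assumed markers for directories an unprivileged user can write to.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")

# rundll32.exe <dll>,<entry> [args]   (entry is an export name or #ordinal)
RUNDLL32_RE = re.compile(
    r'^"?(?P<exe>\S*?rundll32(?:\.exe)?)"?\s+'
    r'"?(?P<dll>[^",]+?)"?\s*,\s*(?P<entry>\S+)(?:\s+(?P<args>.*))?$',
    re.IGNORECASE,
)

# Command lines copied from the behavioral analyses of this report.
REPORT_CMDLINES = [
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\AudioCapture.dll,#1",
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\HTCTL32.dll,#1",
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\PCICHEK.dll,#1",
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\PCICL32.dll,#1",
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\TCCTL32.dll,#1",
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr100.dll,#1",
    r'"C:\Users\Admin\AppData\Local\Temp\client32.exe"',
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\pcicapi.dll,#1",
    r'"C:\Users\Admin\AppData\Local\Temp\remcmdstub.exe"',
]


def parse_rundll32(cmdline: str) -> Optional[Dict[str, object]]:
    """Split a rundll32 command line into DLL path, entry point and flags."""
    m = RUNDLL32_RE.match(cmdline.strip())
    if m is None:
        return None
    dll = PureWindowsPath(m.group("dll"))
    entry = m.group("entry")
    lowered = str(dll).lower()
    return {
        "dll": str(dll),
        "name": dll.name.lower(),
        "entry": entry,
        "by_ordinal": entry.startswith("#") and entry[1:].isdigit(),
        "user_writable": any(marker in lowered for marker in USER_WRITABLE_MARKERS),
        "netsupport_component": dll.name.lower() in NETSUPPORT_COMPONENTS,
        "args": m.group("args") or "",
    }


def is_wow64_relaunch(parent_image: str, child_image: str,
                      parent_cmd: str, child_cmd: str) -> bool:
    """True for the system32 -> SysWOW64 rundll32 pair seen in every DLL run.

    A 64-bit rundll32 handed a 32-bit DLL re-launches the 32-bit rundll32
    from SysWOW64 with the same command line. The parent-to-child memory
    writes the sandbox records for this pair target only that child and are
    consistent with process creation, not an injection into another process.
    """
    parent, child = PureWindowsPath(parent_image), PureWindowsPath(child_image)
    return (
        parent.name.lower() == "rundll32.exe"
        and child.name.lower() == "rundll32.exe"
        and parent.parent.name.lower() == "system32"
        and child.parent.name.lower() == "syswow64"
        and parent_cmd.strip().lower() == child_cmd.strip().lower()
    )


def flag_temp_ordinal_loads(cmdlines: List[str]) -> List[str]:
    """Names of DLLs executed by ordinal from a user-writable directory."""
    hits = []
    for cmd in cmdlines:
        parsed = parse_rundll32(cmd)
        if parsed and parsed["by_ordinal"] and parsed["user_writable"]:
            hits.append(parsed["name"])
    return hits


def dropped_files(cmdlines: List[str]) -> List[str]:
    """File names referenced by the command lines (rundll32 DLL or quoted EXE)."""
    names = []
    for cmd in cmdlines:
        parsed = parse_rundll32(cmd)
        target = str(parsed["dll"]) if parsed else cmd.strip().strip('"')
        names.append(PureWindowsPath(target).name)
    return names


def score_bundle(file_names: List[str]) -> Dict[str, object]:
    """Match a directory listing against the NetSupport client file set."""
    present = {n.lower() for n in file_names} & NETSUPPORT_COMPONENTS
    dlls = {n for n in present if n.endswith(".dll")}
    if "client32.exe" in present and len(dlls) >= 2:   # assumed threshold
        verdict = "netsupport-client-bundle"
    elif present:
        verdict = "netsupport-components-only"
    else:
        verdict = "no-match"
    return {"matched": sorted(present), "verdict": verdict}


if __name__ == "__main__":
    print("ordinal loads from Temp:", flag_temp_ordinal_loads(REPORT_CMDLINES))
    print("bundle verdict:", score_bundle(dropped_files(REPORT_CMDLINES)))
```

On the report's own command lines the script flags all seven DLLs and returns the bundle verdict, because client32.exe is present alongside its DLLs; the same check run over a %TEMP% listing on an endpoint is a cheap way to confirm a dropped NetSupport client before any network indicator is available.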

Analysis: static1

Detonation Overview

Reported

2023-05-29 05:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-29 05:26

Reported

2023-05-29 05:28

Platform

win7-20230220-en

Max time kernel

30s

Max time network

33s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AudioCapture.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AudioCapture.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AudioCapture.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-29 05:26

Reported

2023-05-29 05:28

Platform

win10v2004-20230220-en

Max time kernel

135s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AudioCapture.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3032 wrote to memory of 2520 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3032 wrote to memory of 2520 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3032 wrote to memory of 2520 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AudioCapture.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\AudioCapture.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 123.108.74.40.in-addr.arpa | udp
US | 40.125.122.176:443 | | tcp
US | 20.42.73.26:443 | | tcp
US | 40.125.122.176:443 | | tcp
US | 8.8.8.8:53 | 1.77.109.52.in-addr.arpa | udp
US | 93.184.221.240:80 | | tcp
NL | 173.223.113.164:443 | | tcp
NL | 173.223.113.131:80 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 204.79.197.203:80 | | tcp
US | 40.125.122.176:443 | | tcp
US | 40.125.122.176:443 | | tcp
US | 40.125.122.176:443 | | tcp
US | 40.125.122.176:443 | | tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2023-05-29 05:26

Reported

2023-05-29 05:28

Platform

win10v2004-20230220-en

Max time kernel

138s

Max time network

144s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\HTCTL32.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4024 wrote to memory of 4720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4024 wrote to memory of 4720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4024 wrote to memory of 4720 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\HTCTL32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\HTCTL32.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4720 -ip 4720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 640

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 123.108.74.40.in-addr.arpa | udp
US | 93.184.220.29:80 | | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
FR | 40.79.141.153:443 | | tcp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 52.152.110.14:443 | | tcp
US | 8.8.8.8:53 | 134.121.24.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 177.238.32.23.in-addr.arpa | udp
US | 52.152.110.14:443 | | tcp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 229.78.74.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 191.94.239.20.in-addr.arpa | udp
US | 52.152.110.14:443 | | tcp
US | 52.152.110.14:443 | | tcp
NL | 173.223.113.164:443 | | tcp
IE | 20.54.89.15:443 | | tcp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2023-05-29 05:26

Reported

2023-05-29 05:28

Platform

win10v2004-20230221-en

Max time kernel

92s

Max time network

106s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\PCICHEK.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 392 wrote to memory of 3400 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 392 wrote to memory of 3400 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 392 wrote to memory of 3400 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\PCICHEK.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\PCICHEK.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp
US | 20.189.173.10:443 | | tcp
US | 8.8.8.8:53 | 233.141.123.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
NL | 173.223.113.164:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 204.79.197.203:80 | | tcp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2023-05-29 05:26

Reported

2023-05-29 05:28

Platform

win7-20230220-en

Max time kernel

31s

Max time network

34s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\PCICL32.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2028 wrote to memory of 1748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2028 wrote to memory of 1748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2028 wrote to memory of 1748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2028 wrote to memory of 1748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2028 wrote to memory of 1748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2028 wrote to memory of 1748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2028 wrote to memory of 1748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\PCICL32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\PCICL32.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2023-05-29 05:26

Reported

2023-05-29 05:28

Platform

win10v2004-20230220-en

Max time kernel

140s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TCCTL32.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4336 wrote to memory of 4628 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4336 wrote to memory of 4628 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4336 wrote to memory of 4628 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TCCTL32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TCCTL32.dll,#1

Network

Country | Destination | Domain | Proto
US | 209.197.3.8:80 | | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 52.242.101.226:443 | | tcp
US | 8.8.8.8:53 | 37.184.99.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
FR | 51.11.192.49:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 8.8.8.8:53 | 1.77.109.52.in-addr.arpa | udp
US | 52.242.101.226:443 | | tcp
US | 209.197.3.8:80 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2023-05-29 05:26

Reported

2023-05-29 05:28

Platform

win10v2004-20230220-en

Max time kernel

135s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr100.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2188 wrote to memory of 4104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2188 wrote to memory of 4104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2188 wrote to memory of 4104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr100.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr100.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4104 -ip 4104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 600

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 109.133.99.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 52.152.110.14:443 | | tcp
US | 52.182.141.63:443 | | tcp
NL | 173.223.113.164:443 | | tcp
US | 204.79.197.203:80 | | tcp
US | 52.152.110.14:443 | | tcp
US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp
US | 13.107.4.50:80 | | tcp
US | 52.152.110.14:443 | | tcp
US | 52.152.110.14:443 | | tcp
US | 52.152.110.14:443 | | tcp
US | 52.152.110.14:443 | | tcp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2023-05-29 05:26

Reported

2023-05-29 05:28

Platform

win7-20230220-en

Max time kernel

29s

Max time network

32s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr100.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr100.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr100.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 224

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2023-05-29 05:26

Reported

2023-05-29 05:28

Platform

win7-20230220-en

Max time kernel

29s

Max time network

33s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\HTCTL32.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\HTCTL32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\HTCTL32.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2023-05-29 05:26

Reported

2023-05-29 05:28

Platform

win7-20230220-en

Max time kernel

31s

Max time network

34s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\PCICHEK.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1420 wrote to memory of 1508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1420 wrote to memory of 1508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1420 wrote to memory of 1508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1420 wrote to memory of 1508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1420 wrote to memory of 1508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1420 wrote to memory of 1508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1420 wrote to memory of 1508 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\PCICHEK.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\PCICHEK.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2023-05-29 05:26

Reported

2023-05-29 05:28

Platform

win10v2004-20230220-en

Max time kernel

150s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\PCICL32.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2128 wrote to memory of 4144 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2128 wrote to memory of 4144 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2128 wrote to memory of 4144 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\PCICL32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\PCICL32.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.103.197.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 52.242.101.226:443 | | tcp
IE | 20.50.73.9:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 93.184.221.240:80 | | tcp
NL | 173.223.113.164:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 204.79.197.203:80 | | tcp
US | 52.242.101.226:443 | | tcp
US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp
US | 52.242.101.226:443 | | tcp
US | 93.184.221.240:80 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2023-05-29 05:26

Reported

2023-05-29 05:28

Platform

win7-20230220-en

Max time kernel

27s

Max time network

30s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TCCTL32.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1040 wrote to memory of 1740 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1040 wrote to memory of 1740 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1040 wrote to memory of 1740 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1040 wrote to memory of 1740 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1040 wrote to memory of 1740 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1040 wrote to memory of 1740 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1040 wrote to memory of 1740 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TCCTL32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TCCTL32.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2023-05-29 05:26

Reported

2023-05-29 05:28

Platform

win7-20230220-en

Max time kernel

29s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\client32.exe"

Signatures

NetSupport

rat netsupport

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\client32.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\client32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\client32.exe

"C:\Users\Admin\AppData\Local\Temp\client32.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | xoomep1.com | udp
NL | 80.66.88.143:1935 | xoomep1.com | tcp
US | 8.8.8.8:53 | geo.netsupportsoftware.com | udp
GB | 62.172.138.67:80 | geo.netsupportsoftware.com | tcp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2023-05-29 05:26

Reported

2023-05-29 05:28

Platform

win10v2004-20230220-en

Max time kernel

133s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\client32.exe"

Signatures

NetSupport

rat netsupport

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\client32.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\client32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\client32.exe

"C:\Users\Admin\AppData\Local\Temp\client32.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | xoomep1.com | udp
NL | 80.66.88.143:1935 | xoomep1.com | tcp
US | 8.8.8.8:53 | geo.netsupportsoftware.com | udp
GB | 51.142.119.24:80 | geo.netsupportsoftware.com | tcp
US | 8.8.8.8:53 | 143.88.66.80.in-addr.arpa | udp
US | 8.8.8.8:53 | 24.119.142.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.103.197.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 123.108.74.40.in-addr.arpa | udp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 20.42.73.25:443 | | tcp
US | 52.242.101.226:443 | | tcp
NL | 173.223.113.164:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp
US | 209.197.3.8:80 | | tcp
US | 52.242.101.226:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 204.79.197.203:80 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 40.77.2.164:443 | | tcp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2023-05-29 05:26

Reported

2023-05-29 05:28

Platform

win10v2004-20230220-en

Max time kernel

135s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\pcicapi.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4596 wrote to memory of 3524 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4596 wrote to memory of 3524 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4596 wrote to memory of 3524 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\pcicapi.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\pcicapi.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 40.125.122.176:443 | | tcp
US | 13.89.179.8:443 | | tcp
US | 40.125.122.176:443 | | tcp
US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp
NL | 8.238.21.254:80 | | tcp
NL | 8.238.21.254:80 | | tcp
US | 40.125.122.176:443 | | tcp
NL | 8.238.21.254:80 | | tcp
NL | 8.238.21.254:80 | | tcp
NL | 173.223.113.164:443 | | tcp
US | 40.125.122.176:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 131.253.33.203:80 | | tcp
US | 40.125.122.176:443 | | tcp
US | 40.125.122.176:443 | | tcp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2023-05-29 05:26

Reported

2023-05-29 05:28

Platform

win7-20230220-en

Max time kernel

31s

Max time network

34s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\pcicapi.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\pcicapi.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\pcicapi.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2023-05-29 05:26

Reported

2023-05-29 05:28

Platform

win7-20230220-en

Max time kernel

31s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\remcmdstub.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\remcmdstub.exe

"C:\Users\Admin\AppData\Local\Temp\remcmdstub.exe"

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2023-05-29 05:26

Reported

2023-05-29 05:28

Platform

win10v2004-20230220-en

Max time kernel

135s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\remcmdstub.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\remcmdstub.exe

"C:\Users\Admin\AppData\Local\Temp\remcmdstub.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 20.42.72.131:443 | | tcp
US | 40.125.122.176:443 | | tcp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 209.197.3.8:80 | | tcp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
NL | 173.223.113.164:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 204.79.197.203:80 | | tcp
US | 40.125.122.176:443 | | tcp
US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp
US | 209.197.3.8:80 | | tcp
US | 40.125.122.176:443 | | tcp
US | 40.125.122.176:443 | | tcp
US | 40.125.122.176:443 | | tcp
US | 40.125.122.176:443 | | tcp

Files

N/A