Analysis

  • max time kernel
    118s
  • max time network
    277s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/07/2023, 00:15

General

  • Target

    8efcacd9f737126c4c4ef0c5299f0c5ff83c83c7d2591b150117817e1fda4190.exe

  • Size

    1.2MB

  • MD5

    d1fef0adb3b868c81dacf62d853c70fe

  • SHA1

    1ca333c31ee2d3ebad136d594f2c11530b10d4cf

  • SHA256

    8efcacd9f737126c4c4ef0c5299f0c5ff83c83c7d2591b150117817e1fda4190

  • SHA512

    ae3c1463d42c4b95edb94968ebfbd8dbcf5896ea47c1e92ed8e2c18bd1a69455fe9cb736ca811c88707ba3570c13d577cb838820b7eee15c6b010dcf32222e51

  • SSDEEP

    24576:Jj73kZstQ9SS3tuS1rhWh9u0h9UF1HIkUVKL3DlZjlvR8SS6fB6PtmV26r:53ZM/cDPiF133pZjl3SEBomJ

Score
10/10

Malware Config

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as legitimate system administration software.

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (6 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies system certificate store (2 TTPs, 6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\8efcacd9f737126c4c4ef0c5299f0c5ff83c83c7d2591b150117817e1fda4190.exe
    "C:\Users\Admin\AppData\Local\Temp\8efcacd9f737126c4c4ef0c5299f0c5ff83c83c7d2591b150117817e1fda4190.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:2604
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "TaskBrowser" /tr "C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe" /RL HIGHEST
      2⤵
      • Creates scheduled task(s)
      PID:3028
    • C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe
      C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2964

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    73423a281fa9afdb891da3c6d662fcf9

    SHA1

    5402318db44821aaa1404a1642220a8be679088c

    SHA256

    ae525df3a2543f89f9dfacd621b554a8a8e3ffaddce04d47a932f1eb853cf6e4

    SHA512

    a567a94f8d211f96f05646f5757f7e42503ec55ef49f9b3ab02f61f05016832ee4918c96d932f68e4929fc0d136e76d244ffab128fa4eb52fba2703af6c7bea5

  • C:\Users\Admin\AppData\Local\Temp\Cab9629.tmp

    Filesize

    62KB

    MD5

    3ac860860707baaf32469fa7cc7c0192

    SHA1

    c33c2acdaba0e6fa41fd2f00f186804722477639

    SHA256

    d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

    SHA512

    d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

  • C:\Users\Admin\AppData\Local\Temp\Tar96D8.tmp

    Filesize

    164KB

    MD5

    4ff65ad929cd9a367680e0e5b1c08166

    SHA1

    c0af0d4396bd1f15c45f39d3b849ba444233b3a2

    SHA256

    c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

    SHA512

    f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

  • C:\Users\Admin\AppData\Roaming\TaskBrowser\HTCTL32.DLL

    Filesize

    320KB

    MD5

    2d3b207c8a48148296156e5725426c7f

    SHA1

    ad464eb7cf5c19c8a443ab5b590440b32dbc618f

    SHA256

    edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

    SHA512

    55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

  • C:\Users\Admin\AppData\Roaming\TaskBrowser\MSVCR100.dll

    Filesize

    755KB

    MD5

    0e37fbfa79d349d672456923ec5fbbe3

    SHA1

    4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

    SHA256

    8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

    SHA512

    2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

  • C:\Users\Admin\AppData\Roaming\TaskBrowser\NSM.LIC

    Filesize

    259B

    MD5

    3a88847f4bbf7199a2161ed963fe88ef

    SHA1

    8629803adb6af84691dc5431b6590df14bad4a61

    SHA256

    a680947aba5cf3316be50f1ec6a0d8bf72f7d7ca79d91430c26e24680eddd35e

    SHA512

    2b6408e7334946655045914b2cfa14dcfb39502f64ffafad784717a8ca036b73928bd7a5b02d650d8698357c54c31cac11a705baed0e1e7a3a07d659a2104e02

  • C:\Users\Admin\AppData\Roaming\TaskBrowser\PCICL32.dll

    Filesize

    3.5MB

    MD5

    35f0259df06c4605fe2743c26dd9eac5

    SHA1

    5ed1de8fe63d1bdd4ea7321bd27d22f162cc4168

    SHA256

    412674e44fa27c523e0d968244f0e4d128487daf779de17b83b94da8bf602e59

    SHA512

    f4e28b3ab19614d3e915a5d8333adb7805a213b31b4c7159c5d65b386f8dcc95fe3a892098a46abe92bb4ba12a31c140c97d24546c97f9c702638644bd874b71

  • C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe

    Filesize

    99KB

    MD5

    f70b67c2b3204b7ddd8b755799cccff0

    SHA1

    a42e55e328d62d11e687c167bb7049d46f0f9b26

    SHA256

    213af995d4142854b81af3cf73dee7ffe9d8ad6e84fda6386029101dbf3df897

    SHA512

    54fcba8a063bfbaae4c3a39624bf3407db6af5699ab8686f936ab03c5864df7a44d089066fa2d4aedf5ad50d6b04624966a5111bf57bec1dda74a571f1dd7c63

  • C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.ini

    Filesize

    637B

    MD5

    3a0000407dd239c1e4247138def47413

    SHA1

    6c88ab844b433590300cd44b2ae49e71f99e5974

    SHA256

    520c6cf87d2903886a274134a2a94466de7a4315b4c48c97d0144dc995cef84d

    SHA512

    01cafc3453093b856148f2bf12b332dbe8d812e0de6cea7d1631f109a66079fc6d5f4ee05cd173f4534df45004db168b3a4dbd1c29f2e974d6ae3daffd0ed688

  • C:\Users\Admin\AppData\Roaming\TaskBrowser\pcicapi.dll

    Filesize

    32KB

    MD5

    dcde2248d19c778a41aa165866dd52d0

    SHA1

    7ec84be84fe23f0b0093b647538737e1f19ebb03

    SHA256

    9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

    SHA512

    c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

  • C:\Users\Admin\AppData\Roaming\TaskBrowser\pcichek.dll

    Filesize

    18KB

    MD5

    a0b9388c5f18e27266a31f8c5765b263

    SHA1

    906f7e94f841d464d4da144f7c858fa2160e36db

    SHA256

    313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

    SHA512

    6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

  • \Users\Admin\AppData\Roaming\TaskBrowser\HTCTL32.DLL

    Filesize

    320KB

    MD5

    2d3b207c8a48148296156e5725426c7f

    SHA1

    ad464eb7cf5c19c8a443ab5b590440b32dbc618f

    SHA256

    edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

    SHA512

    55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

  • \Users\Admin\AppData\Roaming\TaskBrowser\PCICHEK.DLL

    Filesize

    18KB

    MD5

    a0b9388c5f18e27266a31f8c5765b263

    SHA1

    906f7e94f841d464d4da144f7c858fa2160e36db

    SHA256

    313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

    SHA512

    6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

  • \Users\Admin\AppData\Roaming\TaskBrowser\PCICL32.DLL

    Filesize

    3.5MB

    MD5

    35f0259df06c4605fe2743c26dd9eac5

    SHA1

    5ed1de8fe63d1bdd4ea7321bd27d22f162cc4168

    SHA256

    412674e44fa27c523e0d968244f0e4d128487daf779de17b83b94da8bf602e59

    SHA512

    f4e28b3ab19614d3e915a5d8333adb7805a213b31b4c7159c5d65b386f8dcc95fe3a892098a46abe92bb4ba12a31c140c97d24546c97f9c702638644bd874b71

  • \Users\Admin\AppData\Roaming\TaskBrowser\client32.exe

    Filesize

    99KB

    MD5

    f70b67c2b3204b7ddd8b755799cccff0

    SHA1

    a42e55e328d62d11e687c167bb7049d46f0f9b26

    SHA256

    213af995d4142854b81af3cf73dee7ffe9d8ad6e84fda6386029101dbf3df897

    SHA512

    54fcba8a063bfbaae4c3a39624bf3407db6af5699ab8686f936ab03c5864df7a44d089066fa2d4aedf5ad50d6b04624966a5111bf57bec1dda74a571f1dd7c63

  • \Users\Admin\AppData\Roaming\TaskBrowser\msvcr100.dll

    Filesize

    755KB

    MD5

    0e37fbfa79d349d672456923ec5fbbe3

    SHA1

    4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

    SHA256

    8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

    SHA512

    2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

  • \Users\Admin\AppData\Roaming\TaskBrowser\pcicapi.dll

    Filesize

    32KB

    MD5

    dcde2248d19c778a41aa165866dd52d0

    SHA1

    7ec84be84fe23f0b0093b647538737e1f19ebb03

    SHA256

    9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

    SHA512

    c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

  • memory/2604-54-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2604-161-0x0000000000400000-0x0000000000531000-memory.dmp

    Filesize

    1.2MB

  • memory/2604-55-0x0000000000340000-0x0000000000376000-memory.dmp

    Filesize

    216KB