Analysis

  • max time kernel
    142s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/07/2023, 12:43

General

  • Target

    0dfb4556324aec190bb1110b81d47fce.exe

  • Size

    8.0MB

  • MD5

    0dfb4556324aec190bb1110b81d47fce

  • SHA1

    b8478aeb0e3241542adc3df2f819546e2de3dd36

  • SHA256

    131f1d61fc64dddba918c00b37db56f910436493a9eeb42b3a7018d6624d5993

  • SHA512

    a1bb5464784fc98553bd218193e707819c766beb5ca5ad893eadf3086de4497c7352850d1cece080d213e2bae06d42e2df89df16f7b06a2b972a914f0145cc58

  • SSDEEP

    12288:2bi4AKzNIvHYBoapFVtzPHXYwgM6BEL8s1RATh73PzXTwnT1cQ47gDckpPWUNQVt:xV6ebapZzfUMq11L8+WdH/GPP7VknN8

Score
10/10

Malware Config

Signatures

  • NetSupport

    NetSupport Manager is a remote access tool sold as legitimate system-administration software; the dropped client32.exe, client32.ini, NSM.LIC and the PCI*/HTCTL32 DLLs listed under Downloads are its standard client components, here staged under AppData\Roaming\TaskBrowser.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, most likely for geofencing (refusing to run in certain locales).

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0dfb4556324aec190bb1110b81d47fce.exe
    "C:\Users\Admin\AppData\Local\Temp\0dfb4556324aec190bb1110b81d47fce.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "TaskBrowser" /tr "C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe" /RL HIGHEST
      2⤵
      • Creates scheduled task(s)
      PID:744
    • C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe
      C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2740
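
The schtasks line and the client32.exe launch above are the two events a defender would key on: a logon-triggered task requesting the highest run level whose action lives in a user-writable directory, and a NetSupport client executing from the user profile with its PCI*/HTCTL32 DLLs. The following Python is an added example of that detection logic, not part of this report or of NetSupport; it runs over process-creation records constructed by hand from the process tree above, using a Sysmon-like field layout (pid, ppid, image, cmdline, modules) that is an assumption rather than any product's schema.

```python
"""Detection logic for the NetSupport persistence chain recorded in this report.

Added example, not part of the sandbox report or of NetSupport itself. The
events below are constructed by hand from the process tree above; the field
names (pid, ppid, image, cmdline, modules) are an assumed Sysmon-like layout.
"""
import re

# Standard NetSupport Manager client components (all appear under Downloads).
NETSUPPORT_COMPONENTS = {
    "client32.exe", "client32.ini", "nsm.lic", "pcicl32.dll",
    "pcichek.dll", "pcicapi.dll", "htctl32.dll",
}

# Paths a standard user can write to; staging here needs no admin rights.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\(roaming|local)\\", re.IGNORECASE)


def tokenize_windows_cmdline(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare
            for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks_create(cmdline):
    """Return the /sc /tn /tr /rl values of a 'schtasks /create' line, else None."""
    toks = tokenize_windows_cmdline(cmdline)
    low = [t.lower() for t in toks]
    if not low or low[0].split("\\")[-1] not in ("schtasks.exe", "schtasks"):
        return None
    if "/create" not in low:
        return None
    opts, i = {}, 1
    while i < len(toks):
        if low[i] in ("/sc", "/tn", "/tr", "/rl") and i + 1 < len(toks):
            opts[low[i][1:]] = toks[i + 1]
            i += 2
        else:
            i += 1
    return opts


def score_schtasks(cmdline):
    """Reasons a 'schtasks /create' line matches the persistence seen here."""
    opts = parse_schtasks_create(cmdline)
    if opts is None:
        return []
    reasons = []
    action = opts.get("tr", "")
    if opts.get("sc", "").lower() == "onlogon":
        reasons.append("onlogon_trigger")            # re-runs at every logon
    if opts.get("rl", "").lower() == "highest":
        reasons.append("run_level_highest")          # asks for the highest token
    if USER_WRITABLE.match(action):
        reasons.append("action_in_user_profile")     # planted without admin
    if action.split("\\")[-1].lower() in NETSUPPORT_COMPONENTS:
        reasons.append("action_is_netsupport_component")
    return reasons


def triage(events):
    """Map pid -> list of reasons for every event that deserves a look."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in events:
        reasons = []
        image = e["image"]
        base = image.split("\\")[-1].lower()
        if base == "schtasks.exe":
            reasons += score_schtasks(e["cmdline"])
            parent = by_pid.get(e.get("ppid"))
            if parent and USER_WRITABLE.match(parent["image"]):
                reasons.append("parent_in_user_profile")  # dropper ran from %TEMP%
        elif base in NETSUPPORT_COMPONENTS and USER_WRITABLE.match(image):
            reasons.append("netsupport_client_in_user_profile")
        loaded = {m.lower() for m in e.get("modules", [])} & NETSUPPORT_COMPONENTS
        if loaded:
            reasons.append("loads_netsupport_dlls:" + ",".join(sorted(loaded)))
        if reasons:
            findings[e["pid"]] = reasons
    return findings


# Constructed from the process tree above (command line copied verbatim).
SCHTASKS_CMD = (
    r'"C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "TaskBrowser" '
    r'/tr "C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe" /RL HIGHEST')

SAMPLE_EVENTS = [
    {"pid": 3056, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\0dfb4556324aec190bb1110b81d47fce.exe"},
    {"pid": 744, "ppid": 3056,
     "image": r"C:\Windows\SysWOW64\schtasks.exe", "cmdline": SCHTASKS_CMD},
    {"pid": 2740, "ppid": 3056,
     "image": r"C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe",
     # DLL names from the Downloads section; MSVCR100 is the CRT, not counted.
     "modules": ["PCICL32.DLL", "pcicapi.dll", "pcichek.dll", "HTCTL32.DLL",
                 "MSVCR100.dll"]},
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

The parser only knows the four schtasks switches the sample used; in a real pipeline the same scoring would also be applied to the Task Scheduler registration event rather than only to the schtasks.exe command line, since a dropper can register the task through the COM API without spawning schtasks at all. Note too that /RL HIGHEST requested by a standard user only grants that user's highest available token, so the flag is a signal of intent, not proof of elevation.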

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\TaskBrowser\HTCTL32.DLL

    Filesize

    320KB

    MD5

    2d3b207c8a48148296156e5725426c7f

    SHA1

    ad464eb7cf5c19c8a443ab5b590440b32dbc618f

    SHA256

    edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

    SHA512

    55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

  • C:\Users\Admin\AppData\Roaming\TaskBrowser\MSVCR100.dll

    Filesize

    755KB

    MD5

    0e37fbfa79d349d672456923ec5fbbe3

    SHA1

    4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

    SHA256

    8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

    SHA512

    2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

  • C:\Users\Admin\AppData\Roaming\TaskBrowser\NSM.LIC

    Filesize

    259B

    MD5

    3a88847f4bbf7199a2161ed963fe88ef

    SHA1

    8629803adb6af84691dc5431b6590df14bad4a61

    SHA256

    a680947aba5cf3316be50f1ec6a0d8bf72f7d7ca79d91430c26e24680eddd35e

    SHA512

    2b6408e7334946655045914b2cfa14dcfb39502f64ffafad784717a8ca036b73928bd7a5b02d650d8698357c54c31cac11a705baed0e1e7a3a07d659a2104e02

  • C:\Users\Admin\AppData\Roaming\TaskBrowser\PCICHEK.DLL

    Filesize

    18KB

    MD5

    a0b9388c5f18e27266a31f8c5765b263

    SHA1

    906f7e94f841d464d4da144f7c858fa2160e36db

    SHA256

    313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

    SHA512

    6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

  • C:\Users\Admin\AppData\Roaming\TaskBrowser\PCICL32.DLL

    Filesize

    3.5MB

    MD5

    35f0259df06c4605fe2743c26dd9eac5

    SHA1

    5ed1de8fe63d1bdd4ea7321bd27d22f162cc4168

    SHA256

    412674e44fa27c523e0d968244f0e4d128487daf779de17b83b94da8bf602e59

    SHA512

    f4e28b3ab19614d3e915a5d8333adb7805a213b31b4c7159c5d65b386f8dcc95fe3a892098a46abe92bb4ba12a31c140c97d24546c97f9c702638644bd874b71

  • C:\Users\Admin\AppData\Roaming\TaskBrowser\PCICL32.dll

    Filesize

    3.5MB

    MD5

    35f0259df06c4605fe2743c26dd9eac5

    SHA1

    5ed1de8fe63d1bdd4ea7321bd27d22f162cc4168

    SHA256

    412674e44fa27c523e0d968244f0e4d128487daf779de17b83b94da8bf602e59

    SHA512

    f4e28b3ab19614d3e915a5d8333adb7805a213b31b4c7159c5d65b386f8dcc95fe3a892098a46abe92bb4ba12a31c140c97d24546c97f9c702638644bd874b71

  • C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe

    Filesize

    99KB

    MD5

    f70b67c2b3204b7ddd8b755799cccff0

    SHA1

    a42e55e328d62d11e687c167bb7049d46f0f9b26

    SHA256

    213af995d4142854b81af3cf73dee7ffe9d8ad6e84fda6386029101dbf3df897

    SHA512

    54fcba8a063bfbaae4c3a39624bf3407db6af5699ab8686f936ab03c5864df7a44d089066fa2d4aedf5ad50d6b04624966a5111bf57bec1dda74a571f1dd7c63

  • C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.ini

    Filesize

    637B

    MD5

    3a0000407dd239c1e4247138def47413

    SHA1

    6c88ab844b433590300cd44b2ae49e71f99e5974

    SHA256

    520c6cf87d2903886a274134a2a94466de7a4315b4c48c97d0144dc995cef84d

    SHA512

    01cafc3453093b856148f2bf12b332dbe8d812e0de6cea7d1631f109a66079fc6d5f4ee05cd173f4534df45004db168b3a4dbd1c29f2e974d6ae3daffd0ed688

  • C:\Users\Admin\AppData\Roaming\TaskBrowser\msvcr100.dll

    Filesize

    755KB

    MD5

    0e37fbfa79d349d672456923ec5fbbe3

    SHA1

    4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

    SHA256

    8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

    SHA512

    2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

  • C:\Users\Admin\AppData\Roaming\TaskBrowser\pcicapi.dll

    Filesize

    32KB

    MD5

    dcde2248d19c778a41aa165866dd52d0

    SHA1

    7ec84be84fe23f0b0093b647538737e1f19ebb03

    SHA256

    9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

    SHA512

    c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

  • C:\Users\Admin\AppData\Roaming\TaskBrowser\pcichek.dll

    Filesize

    18KB

    MD5

    a0b9388c5f18e27266a31f8c5765b263

    SHA1

    906f7e94f841d464d4da144f7c858fa2160e36db

    SHA256

    313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

    SHA512

    6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

  • memory/3056-137-0x0000000000400000-0x0000000000C0F000-memory.dmp

    Filesize

    8.1MB

  • memory/3056-161-0x0000000000400000-0x0000000000C0F000-memory.dmp

    Filesize

    8.1MB

  • memory/3056-133-0x0000000002980000-0x0000000002981000-memory.dmp

    Filesize

    4KB

  • memory/3056-136-0x0000000003680000-0x0000000003DA3000-memory.dmp

    Filesize

    7.1MB

  • memory/3056-135-0x0000000002980000-0x0000000002981000-memory.dmp

    Filesize

    4KB

  • memory/3056-134-0x0000000000400000-0x0000000000C0F000-memory.dmp

    Filesize

    8.1MB