Analysis
max time kernel: 142s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230703-en locale:en-us os:windows10-2004-x64 system
submitted: 18/07/2023, 12:43
Static task: static1
Behavioral task: behavioral1
  Sample: 0dfb4556324aec190bb1110b81d47fce.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: 0dfb4556324aec190bb1110b81d47fce.exe
  Resource: win10v2004-20230703-en
General
Target: 0dfb4556324aec190bb1110b81d47fce.exe
Size: 8.0MB
MD5: 0dfb4556324aec190bb1110b81d47fce
SHA1: b8478aeb0e3241542adc3df2f819546e2de3dd36
SHA256: 131f1d61fc64dddba918c00b37db56f910436493a9eeb42b3a7018d6624d5993
SHA512: a1bb5464784fc98553bd218193e707819c766beb5ca5ad893eadf3086de4497c7352850d1cece080d213e2bae06d42e2df89df16f7b06a2b972a914f0145cc58
SSDEEP: 12288:2bi4AKzNIvHYBoapFVtzPHXYwgM6BEL8s1RATh73PzXTwnT1cQ47gDckpPWUNQVt:xV6ebapZzfUMq11L8+WdH/GPP7VknN8
Malware Config
Signatures

NetSupport
NetSupport is a remote access tool sold as legitimate system administration software.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation
  Process: 0dfb4556324aec190bb1110b81d47fce.exe

Executes dropped EXE (1 IoC)
  pid: 2740  Process: client32.exe

Loads dropped DLL (6 IoCs)
  pid: 2740  Process: client32.exe  (all six IoCs are from this process)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 744  Process: schtasks.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeSecurityPrivilege  pid: 2740  Process: client32.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid: 2740  Process: client32.exe

Suspicious use of WriteProcessMemory (6 IoCs; each row below appears three times in the report)
  description                          pid   Process                                   procid_target
  PID 3056 wrote to memory of 744      3056  0dfb4556324aec190bb1110b81d47fce.exe      95
  PID 3056 wrote to memory of 2740     3056  0dfb4556324aec190bb1110b81d47fce.exe      97
Processes

C:\Users\Admin\AppData\Local\Temp\0dfb4556324aec190bb1110b81d47fce.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0dfb4556324aec190bb1110b81d47fce.exe"
  PID: 3056
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "TaskBrowser" /tr "C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe" /RL HIGHEST
      PID: 744
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe
      command line: C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe
      PID: 2740
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 320KB  (listed twice in the report)
  MD5:    2d3b207c8a48148296156e5725426c7f
  SHA1:   ad464eb7cf5c19c8a443ab5b590440b32dbc618f
  SHA256: edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
  SHA512: 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Filesize: 755KB  (listed three times in the report)
  MD5:    0e37fbfa79d349d672456923ec5fbbe3
  SHA1:   4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
  SHA256: 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
  SHA512: 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Filesize: 259B
  MD5:    3a88847f4bbf7199a2161ed963fe88ef
  SHA1:   8629803adb6af84691dc5431b6590df14bad4a61
  SHA256: a680947aba5cf3316be50f1ec6a0d8bf72f7d7ca79d91430c26e24680eddd35e
  SHA512: 2b6408e7334946655045914b2cfa14dcfb39502f64ffafad784717a8ca036b73928bd7a5b02d650d8698357c54c31cac11a705baed0e1e7a3a07d659a2104e02

Filesize: 18KB  (listed twice in the report)
  MD5:    a0b9388c5f18e27266a31f8c5765b263
  SHA1:   906f7e94f841d464d4da144f7c858fa2160e36db
  SHA256: 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
  SHA512: 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

Filesize: 3.5MB  (listed twice in the report)
  MD5:    35f0259df06c4605fe2743c26dd9eac5
  SHA1:   5ed1de8fe63d1bdd4ea7321bd27d22f162cc4168
  SHA256: 412674e44fa27c523e0d968244f0e4d128487daf779de17b83b94da8bf602e59
  SHA512: f4e28b3ab19614d3e915a5d8333adb7805a213b31b4c7159c5d65b386f8dcc95fe3a892098a46abe92bb4ba12a31c140c97d24546c97f9c702638644bd874b71

Filesize: 99KB  (listed twice in the report)
  MD5:    f70b67c2b3204b7ddd8b755799cccff0
  SHA1:   a42e55e328d62d11e687c167bb7049d46f0f9b26
  SHA256: 213af995d4142854b81af3cf73dee7ffe9d8ad6e84fda6386029101dbf3df897
  SHA512: 54fcba8a063bfbaae4c3a39624bf3407db6af5699ab8686f936ab03c5864df7a44d089066fa2d4aedf5ad50d6b04624966a5111bf57bec1dda74a571f1dd7c63

Filesize: 637B
  MD5:    3a0000407dd239c1e4247138def47413
  SHA1:   6c88ab844b433590300cd44b2ae49e71f99e5974
  SHA256: 520c6cf87d2903886a274134a2a94466de7a4315b4c48c97d0144dc995cef84d
  SHA512: 01cafc3453093b856148f2bf12b332dbe8d812e0de6cea7d1631f109a66079fc6d5f4ee05cd173f4534df45004db168b3a4dbd1c29f2e974d6ae3daffd0ed688

Filesize: 32KB  (listed twice in the report)
  MD5:    dcde2248d19c778a41aa165866dd52d0
  SHA1:   7ec84be84fe23f0b0093b647538737e1f19ebb03
  SHA256: 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
  SHA512: c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166