Analysis

  • max time kernel
    161s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-01-2024 19:21

General

  • Target

    Market_Time_New_Conditions.exe

  • Size

    630KB

  • MD5

    553ac66062429d5a0423d4b286e53c31

  • SHA1

    0acea7bcaea5c8a9a4e19232e3ca114863aa6968

  • SHA256

    428d51259ad927c58ea5abb9eca6e0dce4fee5d97e20f78abba194c8c4faadfd

  • SHA512

    16df91a5240bffdfe4af26350b3f81a6ad97dd64e534443839832549793a35bf44ae882c430183357b8fb2dae9b4fdeaf5ab373488dac7f8c48daaaeaaf33720

  • SSDEEP

    12288:nL6hD2x/HAWbR2zS4sisO1A83u2BSDoCqKcuz:L6uHAW92zt/sWu2BSMCqDuz

Malware Config

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as a legitimate system administration software.

  • Drops file in Drivers directory 2 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 64 IoCs
  • Registers COM server for autorun 1 TTPs 3 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 1 IoCs
  • Drops file in System32 directory 9 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 24 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Market_Time_New_Conditions.exe
    "C:\Users\Admin\AppData\Local\Temp\Market_Time_New_Conditions.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4484
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\ibcbwacl.fho\whopper.msi /q
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1228
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4804
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding E2DE02605713CA7F0CE658F432EDB4A0
      2⤵
      • Loads dropped DLL
      PID:2440
    • C:\Windows\system32\cmd.exe
      cmd.exe /c ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{FC61B946-B9CF-4AD3-9042-4FF8CFF0440A}\\nsm.lic"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3340
      • C:\Windows\SysWOW64\attrib.exe
        ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{FC61B946-B9CF-4AD3-9042-4FF8CFF0440A}\\nsm.lic"
        3⤵
        • Views/modifies file attributes
        PID:3760
    • C:\Windows\Installer\MSI54F6.tmp
      "C:\Windows\Installer\MSI54F6.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport Manager\" /EU
      2⤵
      • Executes dropped EXE
      PID:4524
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 0D57307C35BFAB0B5DD3A5622F9915EA E Global\MSI0000
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      PID:4440
    • C:\Windows\Installer\MSI5AF8.tmp
      "C:\Windows\Installer\MSI5AF8.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport Manager\" /EU
      2⤵
      • Executes dropped EXE
      PID:1480
    • C:\Program Files (x86)\NetSupport\NetSupport Manager\checkdvd.exe
      "C:\Program Files (x86)\NetSupport\NetSupport Manager\checkdvd.exe"
      2⤵
      • Executes dropped EXE
      PID:64
    • C:\Windows\Installer\MSI6D4A.tmp
      "C:\Windows\Installer\MSI6D4A.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport Manager\" /EV"NetSupport School" /EF".\Log Files" /EF".\Bookmarks" /EF".\Tests" /EF".\Store" /EF".\inv" /EF".\Resources" /EF".\Help" /EF".\Image" /EF".\Sound" /EF".\Video" /EA /EX /EC /Q /V /Q /I *
      2⤵
      • Sets service image path in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4120
      • C:\Program Files (x86)\NetSupport\NetSupport Manager\winst64.exe
        winst64.exe /q /q /ex /i
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Registers COM server for autorun
        • Drops file in System32 directory
        • Modifies registry class
        PID:232
    • C:\Windows\Installer\MSI74AF.tmp
      "C:\Windows\Installer\MSI74AF.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport Manager\" /EI
      2⤵
      • Executes dropped EXE
      PID:2220
    • C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe
      "C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe" /Q "C:\Program Files (x86)\NetSupport\NetSupport Manager\Client32.ini"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of WriteProcessMemory
      PID:3888
      • C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe
        "C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe"
        3⤵
        • Executes dropped EXE
        PID:948
  • C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe
    "C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe" /* *
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3616
    • C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe
      "C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe" * /VistaUI
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Checks SCSI registry key(s)
      • Checks processor information in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1616
      • C:\Windows\SysWOW64\cscript.exe
        "cscript.exe" C:\Windows\system32\Printing_Admin_Scripts\en-US\prnport.vbs -a -r NSM001 -h 127.0.0.1 -o raw -n 58128
        3⤵
        • Modifies data under HKEY_USERS
        PID:2632
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
    • Modifies data under HKEY_USERS
    PID:4204

Network

MITRE ATT&CK Enterprise v15

Downloads
