Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-02-2024 03:14

General

  • Target

    85c6ab4916dad9444c1ca9f8bdb42a97.exe

  • Size

    3.5MB

  • MD5

    85c6ab4916dad9444c1ca9f8bdb42a97

  • SHA1

    2d78ce63220b5f86a367c2fe8e3e34686a1aa103

  • SHA256

    64caca487c57e5ea5952df3ccfe5924cb18f66f8653fa6fe156ef30604dfb48f

  • SHA512

    b213416e734c362db8c585a38f9c2e099255b3e4fc269ab3da24ed3484f98cf27905a6c75e2af68e9f5626dece7b26b17292a80f4a969a64bd988109f67aa107

  • SSDEEP

    98304:NeryXGHprtcmgyKexolnCpZwxzfOBLUF8ljRY:unZczZ2azf4Am5a

Score
10/10

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as a legitimate system administration software.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (8 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\85c6ab4916dad9444c1ca9f8bdb42a97.exe
    "C:\Users\Admin\AppData\Local\Temp\85c6ab4916dad9444c1ca9f8bdb42a97.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4404
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\CryptoWallet.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\CryptoWallet.exe" /VERYSILENT /SP-
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:848
      • C:\Users\Admin\AppData\Local\Temp\is-DKI5H.tmp\CryptoWallet.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-DKI5H.tmp\CryptoWallet.tmp" /SL5="$E0046,2778947,780800,C:\Users\Admin\AppData\Local\Temp\RarSFX0\CryptoWallet.exe" /VERYSILENT /SP-
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:1332
        • C:\Users\Admin\AppData\Roaming\WindowsUpdate$\client32.exe
          "C:\Users\Admin\AppData\Roaming\WindowsUpdate$\client32.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          PID:620

Downloads
