Malware Analysis Report

2024-10-23 16:16

Sample ID: 240201-drbq8acafr
Target: 85c6ab4916dad9444c1ca9f8bdb42a97
SHA256: 64caca487c57e5ea5952df3ccfe5924cb18f66f8653fa6fe156ef30604dfb48f
Tags: netsupport, rat
Score: 10/10


Analysis Overview


Threat Level: Known bad

The file 85c6ab4916dad9444c1ca9f8bdb42a97 was found to be: Known bad.

Malicious Activity Summary

netsupport rat

NetSupport

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-02-01 03:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-01 03:14

Reported

2024-02-01 03:16

Platform

win7-20231215-en

Max time kernel

117s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\85c6ab4916dad9444c1ca9f8bdb42a97.exe"

Signatures

NetSupport

rat netsupport

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-34HF5.tmp\CryptoWallet.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\WindowsUpdate$\client32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-34HF5.tmp\CryptoWallet.tmp N/A
N/A N/A C:\Users\Admin\AppData\Roaming\WindowsUpdate$\client32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 832 wrote to memory of 2664 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\85c6ab4916dad9444c1ca9f8bdb42a97.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\CryptoWallet.exe
PID 2664 wrote to memory of 2824 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\CryptoWallet.exe C:\Users\Admin\AppData\Local\Temp\is-34HF5.tmp\CryptoWallet.tmp
PID 2824 wrote to memory of 2892 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\is-34HF5.tmp\CryptoWallet.tmp C:\Users\Admin\AppData\Roaming\WindowsUpdate$\client32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\85c6ab4916dad9444c1ca9f8bdb42a97.exe

"C:\Users\Admin\AppData\Local\Temp\85c6ab4916dad9444c1ca9f8bdb42a97.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\CryptoWallet.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\CryptoWallet.exe" /VERYSILENT /SP-

C:\Users\Admin\AppData\Local\Temp\is-34HF5.tmp\CryptoWallet.tmp

"C:\Users\Admin\AppData\Local\Temp\is-34HF5.tmp\CryptoWallet.tmp" /SL5="$301F2,2778947,780800,C:\Users\Admin\AppData\Local\Temp\RarSFX0\CryptoWallet.exe" /VERYSILENT /SP-

C:\Users\Admin\AppData\Roaming\WindowsUpdate$\client32.exe

"C:\Users\Admin\AppData\Roaming\WindowsUpdate$\client32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 coinduck.duckdns.org udp
GB 82.115.223.246:1337 coinduck.duckdns.org tcp
US 8.8.8.8:53 geo.netsupportsoftware.com udp
US 104.26.0.231:80 geo.netsupportsoftware.com tcp

Files

\Users\Admin\AppData\Local\Temp\RarSFX0\CryptoWallet.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CryptoWallet.exe
\Users\Admin\AppData\Local\Temp\RarSFX0\CryptoWallet.exe (3 records)
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CryptoWallet.exe
memory/2664-15-0x0000000000400000-0x00000000004CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CryptoWallet.exe
C:\Users\Admin\AppData\Local\Temp\is-34HF5.tmp\CryptoWallet.tmp
\Users\Admin\AppData\Local\Temp\is-34HF5.tmp\CryptoWallet.tmp
memory/2824-23-0x0000000000250000-0x0000000000251000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-GLB9K.tmp\_isetup\_isdecmp.dll
C:\Users\Admin\AppData\Roaming\windowsupdate\PCICHEK.DLL
C:\Users\Admin\AppData\Roaming\windowsupdate\PCICL32.DLL
C:\Users\Admin\AppData\Roaming\windowsupdate\TCCTL32.DLL
C:\Users\Admin\AppData\Roaming\windowsupdate\remcmdstub.exe
C:\Users\Admin\AppData\Roaming\windowsupdate\pcicapi.dll
C:\Users\Admin\AppData\Roaming\windowsupdate\nsm_vpro.ini
C:\Users\Admin\AppData\Roaming\windowsupdate\NSM.LIC
C:\Users\Admin\AppData\Roaming\windowsupdate\NSM.ini
C:\Users\Admin\AppData\Roaming\windowsupdate\nskbfltr.inf
C:\Users\Admin\AppData\Roaming\windowsupdate\msvcr100.dll
\Users\Admin\AppData\Roaming\WindowsUpdate$\client32.exe
C:\Users\Admin\AppData\Roaming\WindowsUpdate$\PCICL32.dll
C:\Users\Admin\AppData\Roaming\WindowsUpdate$\client32.exe
C:\Users\Admin\AppData\Roaming\WindowsUpdate$\client32.ini
\Users\Admin\AppData\Roaming\WindowsUpdate$\HTCTL32.DLL
C:\Users\Admin\AppData\Roaming\WindowsUpdate$\HTCTL32.DLL
\Users\Admin\AppData\Roaming\WindowsUpdate$\msvcr100.dll
C:\Users\Admin\AppData\Roaming\WindowsUpdate$\MSVCR100.dll
\Users\Admin\AppData\Roaming\WindowsUpdate$\PCICL32.DLL
memory/2824-108-0x0000000000400000-0x00000000006EE000-memory.dmp
C:\Users\Admin\AppData\Roaming\windowsupdate\HTCTL32.DLL
memory/2664-122-0x0000000000400000-0x00000000004CC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-01 03:14

Reported

2024-02-01 03:16

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\85c6ab4916dad9444c1ca9f8bdb42a97.exe"

Signatures

NetSupport

rat netsupport

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\85c6ab4916dad9444c1ca9f8bdb42a97.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DKI5H.tmp\CryptoWallet.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\WindowsUpdate$\client32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DKI5H.tmp\CryptoWallet.tmp N/A
N/A N/A C:\Users\Admin\AppData\Roaming\WindowsUpdate$\client32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4404 wrote to memory of 848 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\85c6ab4916dad9444c1ca9f8bdb42a97.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\CryptoWallet.exe
PID 848 wrote to memory of 1332 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\CryptoWallet.exe C:\Users\Admin\AppData\Local\Temp\is-DKI5H.tmp\CryptoWallet.tmp
PID 1332 wrote to memory of 620 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\is-DKI5H.tmp\CryptoWallet.tmp C:\Users\Admin\AppData\Roaming\WindowsUpdate$\client32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\85c6ab4916dad9444c1ca9f8bdb42a97.exe

"C:\Users\Admin\AppData\Local\Temp\85c6ab4916dad9444c1ca9f8bdb42a97.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\CryptoWallet.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\CryptoWallet.exe" /VERYSILENT /SP-

C:\Users\Admin\AppData\Local\Temp\is-DKI5H.tmp\CryptoWallet.tmp

"C:\Users\Admin\AppData\Local\Temp\is-DKI5H.tmp\CryptoWallet.tmp" /SL5="$E0046,2778947,780800,C:\Users\Admin\AppData\Local\Temp\RarSFX0\CryptoWallet.exe" /VERYSILENT /SP-

C:\Users\Admin\AppData\Roaming\WindowsUpdate$\client32.exe

"C:\Users\Admin\AppData\Roaming\WindowsUpdate$\client32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 coinduck.duckdns.org udp
US 8.8.8.8:53 geo.netsupportsoftware.com udp
GB 82.115.223.246:1337 coinduck.duckdns.org tcp
US 104.26.0.231:80 geo.netsupportsoftware.com tcp
US 8.8.8.8:53 231.0.26.104.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\CryptoWallet.exe (2 records)
memory/848-11-0x0000000000400000-0x00000000004CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CryptoWallet.exe
C:\Users\Admin\AppData\Local\Temp\is-DKI5H.tmp\CryptoWallet.tmp
memory/1332-17-0x0000000000BC0000-0x0000000000BC1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-G159N.tmp\_isetup\_isdecmp.dll
C:\Users\Admin\AppData\Roaming\windowsupdate\HTCTL32.DLL
C:\Users\Admin\AppData\Roaming\windowsupdate\remcmdstub.exe
C:\Users\Admin\AppData\Roaming\windowsupdate\PCICL32.DLL
C:\Users\Admin\AppData\Roaming\windowsupdate\PCICHEK.DLL
C:\Users\Admin\AppData\Roaming\windowsupdate\pcicapi.dll
C:\Users\Admin\AppData\Roaming\windowsupdate\nsm_vpro.ini
C:\Users\Admin\AppData\Roaming\windowsupdate\NSM.LIC
C:\Users\Admin\AppData\Roaming\windowsupdate\NSM.ini
C:\Users\Admin\AppData\Roaming\windowsupdate\nskbfltr.inf
C:\Users\Admin\AppData\Roaming\windowsupdate\msvcr100.dll
C:\Users\Admin\AppData\Roaming\windowsupdate\client32.ini
C:\Users\Admin\AppData\Roaming\windowsupdate\client32.exe
C:\Users\Admin\AppData\Roaming\windowsupdate\TCCTL32.DLL
memory/848-111-0x0000000000400000-0x00000000004CC000-memory.dmp
C:\Users\Admin\AppData\Roaming\WindowsUpdate$\msvcr100.dll (2 records)
C:\Users\Admin\AppData\Roaming\WindowsUpdate$\MSVCR100.dll
C:\Users\Admin\AppData\Roaming\WindowsUpdate$\HTCTL32.DLL
memory/1332-102-0x0000000000400000-0x00000000006EE000-memory.dmp
C:\Users\Admin\AppData\Roaming\WindowsUpdate$\PCICL32.DLL
C:\Users\Admin\AppData\Roaming\WindowsUpdate$\PCICL32.dll