Analysis

  • max time kernel
    117s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-02-2024 07:51

General

  • Target

    E52BE8968152E665685D030C8D641540.exe

  • Size

    2.0MB

  • MD5

    e52be8968152e665685d030c8d641540

  • SHA1

    b6fffdeb2df0789cef2201416894f5ca6e055bfc

  • SHA256

    ea35797a9556636378031645a48f089087cd258f8e40e1399aa371b2cca3cb7f

  • SHA512

    e1f522f0d445bbaa371bcaac6ee780210ada01fb6702934777c3465afa374d7ea6d5dc97fbd50417e31a720a2839318821006f8d3f898773003b5d78c73c5482

  • SSDEEP

    49152:mXeTIVDZ5quXQqyAZF8L5wfHIvDVeoyS69XZJJdxopHq:mXe0RZlXQq5ZeLW/KynLJdypHq

Score
10/10

Malware Config

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as legitimate system administration software. Here it is not an installed product: the submitted executable unpacks the full client file set (client32.exe, PCICL32.dll, HTCTL32.DLL, PCICAPI.dll, PCICHEK.DLL, MSVCR100.dll, client32.ini, NSM.LIC) into C:\Users\Admin\AppData\Roaming\updatein1432\ and launches client32.exe from there, which is the footprint of NetSupport repurposed as a RAT. The dropped client32.ini holds the client's connection settings and, together with NSM.LIC, is the quickest artifact for confirming such a deployment on other hosts.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\E52BE8968152E665685D030C8D641540.exe
    "C:\Users\Admin\AppData\Local\Temp\E52BE8968152E665685D030C8D641540.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2884
    • C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe
      "C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2700
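
The process tree and dropped files above give a responder a concrete footprint to hunt for on other hosts: the NetSupport client file set sitting in a user-writable AppData\Roaming directory instead of an install location, plus the hashes recorded in this report. The script below is an added example, not code from the report or from NetSupport. It walks a directory tree, flags any directory that holds the core client set, compares each file's SHA256 against the hashes listed in this report's Downloads section, and reads the gateway from client32.ini. The client32.ini layout it reads (an [HTTP] section with a GatewayAddress key) is an assumption about the NetSupport config format, and the sample tree it scans is constructed with placeholder bytes.

```python
"""Hunt for a dropped NetSupport Manager client (added example, not report/vendor code).

Flags directories holding the client file set the sandbox recorded under
AppData\\Roaming\\updatein1432, checks SHA256 against the report's hashes, and
reads the gateway from client32.ini. The ini layout ([HTTP]/GatewayAddress) is
an assumption about the NetSupport config format; the sample tree is constructed.
"""
import configparser
import hashlib
import os
import tempfile
from pathlib import Path

# SHA256 values copied from the report's Downloads section (some DLLs appear in two builds).
REPORT_SHA256 = {
    "6d0c6640d0eff7e53dab2e7e1d31cab177547c3d5fc93577b0237d2c1c42c1c1": "HTCTL32.DLL (43KB)",
    "624cc3438dd8bcca2605a010864dc7d860bea012f437bc79e63a2e2955ac7885": "HTCTL32.DLL (99KB)",
    "18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d": "client32.exe",
    "7d66b61e87088b93336ac1cf562c6a525fe5807d8b363e8b928125068bab626c": "client32.ini",
    "09af8db75365407c9305a934caee8de6f2b46f2b338434bebafba55d684d0425": "NSM.LIC",
    "95a71a44aec21501c1b2d9036eb0dc4d264a852e3c7ae83ae7e28220bd99bc58": "PCICL32.dll (698KB)",
    "345c029a0f4a196c4dbe2127d975e869ced45f66516c25b0d47db108c8fb1a96": "PCICL32.DLL (153KB)",
    "3306d9efe539863388845d9e544e92264485648ccd6717a6d0744de4239747a9": "PCICAPI.dll (72KB)",
    "fa549226d232d0289c9b77c76b817cd6aa5a2727012ddb706bc121c7369aee5d": "pcicapi.dll (103KB)",
    "0cff893b1e7716d09fb74b7a0313b78a09f3f48c586d31fc5f830bd72ce8331f": "PCICHEK.DLL",
    "c89b64a2a63768b7531a45ab2477aa98bd7174e43bf6b2dadb13e50a2980113d": "MSVCR100.dll (74KB)",
    "edd7be944556a697dc9cc606f702acd2f322303d5f535118fa6910e0edd40f08": "msvcr100.dll (102KB)",
}

# Lower-cased component names from the report; every CORE name must be present to flag.
COMPONENTS = {"client32.exe", "client32.ini", "nsm.lic", "pcicl32.dll",
              "htctl32.dll", "pcicapi.dll", "pcichek.dll", "msvcr100.dll"}
CORE = {"client32.exe", "client32.ini", "nsm.lic", "pcicl32.dll"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_gateway(ini_path):
    """GatewayAddress from client32.ini, or None if absent or unparseable (key layout assumed)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(Path(ini_path).read_text(errors="ignore"))
    except configparser.Error:
        return None
    for section in cp.sections():
        if section.lower() == "http":
            return cp.get(section, "GatewayAddress", fallback=None)
    return None


def scan(root, known_sha256=REPORT_SHA256):
    """One finding per directory that contains the full NetSupport core set."""
    findings = []
    for dirpath, _, files in os.walk(root):
        present = {f.lower() for f in files} & COMPONENTS
        if not CORE <= present:
            continue
        finding = {"dir": dirpath, "files": sorted(present), "hash_hits": {}, "gateway": None,
                   # Legitimate installs live under Program Files; the report's copy sits in AppData.
                   "in_appdata": "appdata" in dirpath.lower()}
        for name in files:
            if name.lower() not in present:
                continue
            full = os.path.join(dirpath, name)
            digest = sha256_file(full)
            if digest in known_sha256:
                finding["hash_hits"][name] = known_sha256[digest]
            if name.lower() == "client32.ini":
                finding["gateway"] = parse_gateway(full)
        findings.append(finding)
    return findings


def build_sample_tree():
    """Constructed tree mirroring the report's drop directory; placeholder bytes, not the real files."""
    root = tempfile.mkdtemp(prefix="nsm_hunt_")
    drop = Path(root, "AppData", "Roaming", "updatein1432")
    drop.mkdir(parents=True)
    for name in ("client32.exe", "PCICL32.dll", "HTCTL32.DLL", "PCICAPI.dll",
                 "PCICHEK.DLL", "MSVCR100.dll"):
        (drop / name).write_bytes(b"MZ placeholder for " + name.encode())
    (drop / "NSM.LIC").write_text("[_License]\nlicensee=constructed\n")
    # Gateway uses a TEST-NET-2 address; the section and key names are an assumption.
    (drop / "client32.ini").write_text("[Client]\n[HTTP]\nGatewayAddress=198.51.100.7:443\nPort=443\n")
    # Decoy: an install-style directory holding only the exe must not be flagged.
    decoy = Path(root, "Program Files", "NetSupport")
    decoy.mkdir(parents=True)
    (decoy / "client32.exe").write_bytes(b"MZ")
    return root


if __name__ == "__main__":
    for f in scan(build_sample_tree()):
        print(f"{f['dir']}: appdata={f['in_appdata']} gateway={f['gateway']} "
              f"hash_hits={f['hash_hits'] or 'none'} files={f['files']}")
```

Point scan() at a mounted image or a live C:\Users tree; a constellation hit with no hash hit is the expected result for a rebuilt or re-keyed client, which is why the directory location and the gateway from client32.ini are reported alongside the hashes rather than relying on the hashes alone.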

Network

MITRE ATT&CK Enterprise v15

Downloads

Files written during the run, as recorded by the sandbox. Several names (HTCTL32.DLL, PCICL32.DLL, MSVCR100.dll, PCICAPI.dll) appear twice, once with a C:\ path and once with a rootless path, with different sizes and hashes; both records are kept as listed.

  • C:\Users\Admin\AppData\Roaming\updatein1432\HTCTL32.DLL
    Filesize: 43KB
    MD5: 6f70b428874d56d5706547fdcfbff9a3
    SHA1: 7d4eda7f6da4c6918f493c4c1a8b88b4af27d072
    SHA256: 6d0c6640d0eff7e53dab2e7e1d31cab177547c3d5fc93577b0237d2c1c42c1c1
    SHA512: 2ebc1ad181f7cec599d2e8cc49bf293fa64f6388d99aaec525ec37c58692ccbd992a7ba1411b13eacc97f526dd59eb9a093f572f73228a7b05dd9e927b9ac211

  • C:\Users\Admin\AppData\Roaming\updatein1432\MSVCR100.dll
    Filesize: 74KB
    MD5: 458efb098e14eec1f1176ba91c28333d
    SHA1: 0efbd2ec5f9e564e8064c1726b63a7ab573e1c34
    SHA256: c89b64a2a63768b7531a45ab2477aa98bd7174e43bf6b2dadb13e50a2980113d
    SHA512: 2cfcc73822edf3ce86ff4206dcd4235ed6a0a1def2d92c7c4cb2f7f8a9fee99d66b71b12b48b8b969eee85b5af2934a39066d9d32ec467fc5cd03de9a484043c

  • C:\Users\Admin\AppData\Roaming\updatein1432\NSM.LIC
    Filesize: 259B
    MD5: 6af7a794e1553154dd4fa63175494d3a
    SHA1: 125c582559647e8bf24081f35e2702c476b0af16
    SHA256: 09af8db75365407c9305a934caee8de6f2b46f2b338434bebafba55d684d0425
    SHA512: ad8b57b5d99adae5fd1280e7d0dae5fe2d1b8d91dd36274ebd75b366961391281ea0b0b4ea0c644fe6aba19587cf8d25401f770664371a2079852bd951534527

  • C:\Users\Admin\AppData\Roaming\updatein1432\PCICAPI.dll
    Filesize: 72KB
    MD5: 16d0c8247dfe152a356429fa87d1a6f4
    SHA1: 84528ea7f1bdf4bbcdb7f97eec0efd718aa5e062
    SHA256: 3306d9efe539863388845d9e544e92264485648ccd6717a6d0744de4239747a9
    SHA512: 5f2435c5856bb78894b5162fe594dd13a79fb7c13acfe0cd684d799407932a6d95f1cc202464e71388c56ed1b25bc56f6d3d665c17ced29c546d266d3c3b1b36

  • C:\Users\Admin\AppData\Roaming\updatein1432\PCICL32.dll
    Filesize: 698KB
    MD5: f2fbe647c250337dcab3bb4856f83de5
    SHA1: c15444821cf4c627119fa1e33eda48d08889f1ef
    SHA256: 95a71a44aec21501c1b2d9036eb0dc4d264a852e3c7ae83ae7e28220bd99bc58
    SHA512: 9094636ff5fd789ab256f0f44cb59f98347ae6dd589513adf59cad451c966e65346a4078f68ca226926b52ecc33916368057af765741918f534761f3ee3abb00

  • C:\Users\Admin\AppData\Roaming\updatein1432\client32.ini
    Filesize: 701B
    MD5: c3bb1894b531c58a43d290e9f6cd91f0
    SHA1: b9ccbde0b306c7727bba5dc329333454ef73c27b
    SHA256: 7d66b61e87088b93336ac1cf562c6a525fe5807d8b363e8b928125068bab626c
    SHA512: f065e3c783e6ca3b48f4b37307c3100d4efb24006ac7d61cfc724225cb743f959580db0decd2db9415123096b5170f34937921db4d980ea73fefed70beb601e0

  • \Users\Admin\AppData\Roaming\updatein1432\HTCTL32.DLL
    Filesize: 99KB
    MD5: 3861de34bb7620f05666463e040edd80
    SHA1: 94d6601065b5da9318686ceb024abc4b49d1c16b
    SHA256: 624cc3438dd8bcca2605a010864dc7d860bea012f437bc79e63a2e2955ac7885
    SHA512: 48bf669b57fafb794e946c548e7c4ffd37f87b3306a73261ec1ec4712c7b31c3e335e50e2431e5835b8be613f4a9d2886f976875a0f7a4494c697a2db2cd15ab

  • \Users\Admin\AppData\Roaming\updatein1432\PCICHEK.DLL
    Filesize: 14KB
    MD5: 3aabcd7c81425b3b9327a2bf643251c6
    SHA1: ea841199baa7307280fc9e4688ac75e5624f2181
    SHA256: 0cff893b1e7716d09fb74b7a0313b78a09f3f48c586d31fc5f830bd72ce8331f
    SHA512: 97605b07be34948541462000345f1e8f9a9134d139448d4f331cefeeca6dad51c025fcab09d182b86e5a4a8e2f9412b3745ec86b514b0523497c821cb6b8c592

  • \Users\Admin\AppData\Roaming\updatein1432\PCICL32.DLL
    Filesize: 153KB
    MD5: 6c0598943de38ef7f9f609646303f9a7
    SHA1: 2d44f497771db3b6d5649a2a7ca9dd554ac61cf9
    SHA256: 345c029a0f4a196c4dbe2127d975e869ced45f66516c25b0d47db108c8fb1a96
    SHA512: c1bd6dfd88d01e425817add79798c743640244cedfc2e4466d55f2107e58401745571abd489433c8f0a00f8d6c50e60ab865a6b4d7d92672f86332dc2e938fc4

  • \Users\Admin\AppData\Roaming\updatein1432\client32.exe
    Filesize: 101KB
    MD5: c4f1b50e3111d29774f7525039ff7086
    SHA1: 57539c95cba0986ec8df0fcdea433e7c71b724c6
    SHA256: 18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d
    SHA512: 005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

  • \Users\Admin\AppData\Roaming\updatein1432\msvcr100.dll
    Filesize: 102KB
    MD5: 4a4a1c04f5ceee1366ec38c5bec6b2a4
    SHA1: 0526fc24e5ef9e48a500f5466f8543d02edcd0a3
    SHA256: edd7be944556a697dc9cc606f702acd2f322303d5f535118fa6910e0edd40f08
    SHA512: 2aae2fefa27352aaa366e7d021c41a53c6f7887f920a6b56d3751396980bf8a469eacf392461133c3a6962717a3f0edd66d5fa62f333259c2f1cd4331b8502dc

  • \Users\Admin\AppData\Roaming\updatein1432\pcicapi.dll
    Filesize: 103KB
    MD5: 49f39c0c4e6f78eb29bea573df15f726
    SHA1: b6834fa506a7077c1fa9850c422d888b60bc7981
    SHA256: fa549226d232d0289c9b77c76b817cd6aa5a2727012ddb706bc121c7369aee5d
    SHA512: b6aacd3bf3e984a6bf02db676512206eadd2b5e39715a1c6874ba2eb4a50d037253e1f740febb4ea9e655b784f741562b435be4c622c0054952b035c3573c01b