Analysis
max time kernel: 117s
max time network: 125s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 08-02-2024 07:51
Static task: static1
Behavioral task: behavioral1
  Sample: E52BE8968152E665685D030C8D641540.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: E52BE8968152E665685D030C8D641540.exe
  Resource: win10v2004-20231215-en
General
Target: E52BE8968152E665685D030C8D641540.exe
Size: 2.0MB
MD5: e52be8968152e665685d030c8d641540
SHA1: b6fffdeb2df0789cef2201416894f5ca6e055bfc
SHA256: ea35797a9556636378031645a48f089087cd258f8e40e1399aa371b2cca3cb7f
SHA512: e1f522f0d445bbaa371bcaac6ee780210ada01fb6702934777c3465afa374d7ea6d5dc97fbd50417e31a720a2839318821006f8d3f898773003b5d78c73c5482
SSDEEP: 49152:mXeTIVDZ5quXQqyAZF8L5wfHIvDVeoyS69XZJJdxopHq:mXe0RZlXQq5ZeLW/KynLJdypHq
Malware Config
Signatures

NetSupport
NetSupport is a remote access tool sold as legitimate system administration software.

Drops startup file (1 IoC)
Processes:
  description   ioc                                                                                                   process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\automnruns2012.ini.lnk  E52BE8968152E665685D030C8D641540.exe

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  2700  client32.exe

Loads dropped DLL (10 IoCs)
Processes:
  pid   process
  2884  E52BE8968152E665685D030C8D641540.exe (5 entries)
  2700  client32.exe (5 entries)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description                 pid   process
  Token: SeSecurityPrivilege  2700  client32.exe

Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
  pid   process
  2700  client32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
  description                       pid   process                               target process
  PID 2884 wrote to memory of 2700  2884  E52BE8968152E665685D030C8D641540.exe  client32.exe (7 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\E52BE8968152E665685D030C8D641540.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\E52BE8968152E665685D030C8D641540.exe"
   PID: 2884
   - Drops startup file
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe
      Command line: "C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe"
      PID: 2700
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads