Analysis
- max time kernel: 1598s
- max time network: 1802s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 24/04/2024, 15:19
Static task
- static1

Behavioral task
- behavioral1
  - Sample: client/client32.exe
  - Resource: win10-20240404-en
- behavioral2
  - Sample: client/client32.exe
  - Resource: win10v2004-20240412-en
- behavioral3
  - Sample: client/client32.exe
  - Resource: win11-20240412-en
General
- Target: client/client32.exe
- Size: 54KB
- MD5: 9497aece91e1ccc495ca26ae284600b9
- SHA1: a005d8ce0c1ea8901c1b4ea86c40f4925bd2c6da
- SHA256: 1b63f83f06dbd9125a6983a36e0dbd64026bb4f535e97c5df67c1563d91eff89
- SHA512: 4c892e5029a707bcf73b85ac110d8078cb273632b68637e9b296a7474ab0202320ff24cf6206de04af08abf087654b0d80cbecfae824c06616c47ce93f0929c9
- SSDEEP: 1536:HtvrImfzoXK6DDvvvDvpvZMt+pan/opgRl2:lImfzoXK9/o66
Malware Config

Signatures
- NetSupport
  NetSupport is a remote access tool sold as legitimate system administration software.
- Suspicious use of AdjustPrivilegeToken (43 IoCs)
  description                          pid   Process
  Token: SeSecurityPrivilege           4588  client32.exe
  Token: SeIncreaseQuotaPrivilege      904   WMIC.exe
  Token: SeSecurityPrivilege           904   WMIC.exe
  Token: SeTakeOwnershipPrivilege      904   WMIC.exe
  Token: SeLoadDriverPrivilege         904   WMIC.exe
  Token: SeSystemProfilePrivilege      904   WMIC.exe
  Token: SeSystemtimePrivilege         904   WMIC.exe
  Token: SeProfSingleProcessPrivilege  904   WMIC.exe
  Token: SeIncBasePriorityPrivilege    904   WMIC.exe
  Token: SeCreatePagefilePrivilege     904   WMIC.exe
  Token: SeBackupPrivilege             904   WMIC.exe
  Token: SeRestorePrivilege            904   WMIC.exe
  Token: SeShutdownPrivilege           904   WMIC.exe
  Token: SeDebugPrivilege              904   WMIC.exe
  Token: SeSystemEnvironmentPrivilege  904   WMIC.exe
  Token: SeRemoteShutdownPrivilege     904   WMIC.exe
  Token: SeUndockPrivilege             904   WMIC.exe
  Token: SeManageVolumePrivilege       904   WMIC.exe
  Token: 33                            904   WMIC.exe
  Token: 34                            904   WMIC.exe
  Token: 35                            904   WMIC.exe
  Token: 36                            904   WMIC.exe
  Token: SeIncreaseQuotaPrivilege      904   WMIC.exe
  Token: SeSecurityPrivilege           904   WMIC.exe
  Token: SeTakeOwnershipPrivilege      904   WMIC.exe
  Token: SeLoadDriverPrivilege         904   WMIC.exe
  Token: SeSystemProfilePrivilege      904   WMIC.exe
  Token: SeSystemtimePrivilege         904   WMIC.exe
  Token: SeProfSingleProcessPrivilege  904   WMIC.exe
  Token: SeIncBasePriorityPrivilege    904   WMIC.exe
  Token: SeCreatePagefilePrivilege     904   WMIC.exe
  Token: SeBackupPrivilege             904   WMIC.exe
  Token: SeRestorePrivilege            904   WMIC.exe
  Token: SeShutdownPrivilege           904   WMIC.exe
  Token: SeDebugPrivilege              904   WMIC.exe
  Token: SeSystemEnvironmentPrivilege  904   WMIC.exe
  Token: SeRemoteShutdownPrivilege     904   WMIC.exe
  Token: SeUndockPrivilege             904   WMIC.exe
  Token: SeManageVolumePrivilege       904   WMIC.exe
  Token: 33                            904   WMIC.exe
  Token: 34                            904   WMIC.exe
  Token: 35                            904   WMIC.exe
  Token: 36                            904   WMIC.exe

- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid   Process
  4588  client32.exe
  4588  client32.exe
  4588  client32.exe

- Suspicious use of SendNotifyMessage (1 IoC)
  pid   Process
  4588  client32.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  description                         pid   Process         procid_target
  PID 4588 wrote to memory of 4408    4588  client32.exe    75
  PID 4588 wrote to memory of 4408    4588  client32.exe    75
  PID 4588 wrote to memory of 4408    4588  client32.exe    75
  PID 4408 wrote to memory of 696     4408  remcmdstub.exe  77
  PID 4408 wrote to memory of 696     4408  remcmdstub.exe  77
  PID 696 wrote to memory of 904      696   cmd.exe         78
  PID 696 wrote to memory of 904      696   cmd.exe         78
Processes
1. C:\Users\Admin\AppData\Local\Temp\client\client32.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\client\client32.exe"
   PID: 4588
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\client\remcmdstub.exe
      Command line: remcmdstub.exe 2212 2196 2224 2228 %COMSPEC%
      PID: 4408
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\cmd.exe
         Command line: C:\Windows\system32\cmd.exe
         PID: 696
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\System32\Wbem\WMIC.exe
            Command line: wmic computersystem get domain
            PID: 904
            - Suspicious use of AdjustPrivilegeToken