Analysis
Max time kernel: 1445s
Max time network: 1803s
Platform: windows10-2004_x64
Resource: win10v2004-20240412-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 24-04-2024 15:19
Static task: static1
Behavioral task: behavioral1 (sample client/client32.exe, resource win10-20240404-en)
Behavioral task: behavioral2 (sample client/client32.exe, resource win10v2004-20240412-en)
Behavioral task: behavioral3 (sample client/client32.exe, resource win11-20240412-en)
General
Target: client/client32.exe
Size: 54KB
MD5: 9497aece91e1ccc495ca26ae284600b9
SHA1: a005d8ce0c1ea8901c1b4ea86c40f4925bd2c6da
SHA256: 1b63f83f06dbd9125a6983a36e0dbd64026bb4f535e97c5df67c1563d91eff89
SHA512: 4c892e5029a707bcf73b85ac110d8078cb273632b68637e9b296a7474ab0202320ff24cf6206de04af08abf087654b0d80cbecfae824c06616c47ce93f0929c9
SSDEEP: 1536:HtvrImfzoXK6DDvvvDvpvZMt+pan/opgRl2:lImfzoXK9/o66
Malware Config
Signatures
NetSupport
NetSupport is a remote access tool sold as legitimate system administration software.
Suspicious use of AdjustPrivilegeToken (43 IoCs)
description                              pid   Process
Token: SeSecurityPrivilege               1788  client32.exe
Token: SeIncreaseQuotaPrivilege          2348  WMIC.exe
Token: SeSecurityPrivilege               2348  WMIC.exe
Token: SeTakeOwnershipPrivilege          2348  WMIC.exe
Token: SeLoadDriverPrivilege             2348  WMIC.exe
Token: SeSystemProfilePrivilege          2348  WMIC.exe
Token: SeSystemtimePrivilege             2348  WMIC.exe
Token: SeProfSingleProcessPrivilege      2348  WMIC.exe
Token: SeIncBasePriorityPrivilege        2348  WMIC.exe
Token: SeCreatePagefilePrivilege         2348  WMIC.exe
Token: SeBackupPrivilege                 2348  WMIC.exe
Token: SeRestorePrivilege                2348  WMIC.exe
Token: SeShutdownPrivilege               2348  WMIC.exe
Token: SeDebugPrivilege                  2348  WMIC.exe
Token: SeSystemEnvironmentPrivilege      2348  WMIC.exe
Token: SeRemoteShutdownPrivilege         2348  WMIC.exe
Token: SeUndockPrivilege                 2348  WMIC.exe
Token: SeManageVolumePrivilege           2348  WMIC.exe
Token: 33                                2348  WMIC.exe
Token: 34                                2348  WMIC.exe
Token: 35                                2348  WMIC.exe
Token: 36                                2348  WMIC.exe
Token: SeIncreaseQuotaPrivilege          2348  WMIC.exe
Token: SeSecurityPrivilege               2348  WMIC.exe
Token: SeTakeOwnershipPrivilege          2348  WMIC.exe
Token: SeLoadDriverPrivilege             2348  WMIC.exe
Token: SeSystemProfilePrivilege          2348  WMIC.exe
Token: SeSystemtimePrivilege             2348  WMIC.exe
Token: SeProfSingleProcessPrivilege      2348  WMIC.exe
Token: SeIncBasePriorityPrivilege        2348  WMIC.exe
Token: SeCreatePagefilePrivilege         2348  WMIC.exe
Token: SeBackupPrivilege                 2348  WMIC.exe
Token: SeRestorePrivilege                2348  WMIC.exe
Token: SeShutdownPrivilege               2348  WMIC.exe
Token: SeDebugPrivilege                  2348  WMIC.exe
Token: SeSystemEnvironmentPrivilege      2348  WMIC.exe
Token: SeRemoteShutdownPrivilege         2348  WMIC.exe
Token: SeUndockPrivilege                 2348  WMIC.exe
Token: SeManageVolumePrivilege           2348  WMIC.exe
Token: 33                                2348  WMIC.exe
Token: 34                                2348  WMIC.exe
Token: 35                                2348  WMIC.exe
Token: 36                                2348  WMIC.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid   Process
1788  client32.exe
1788  client32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description                      pid   Process         procid_target
PID 1788 wrote to memory of 4492 1788  client32.exe    126
PID 1788 wrote to memory of 4492 1788  client32.exe    126
PID 1788 wrote to memory of 4492 1788  client32.exe    126
PID 4492 wrote to memory of 4568 4492  remcmdstub.exe  128
PID 4492 wrote to memory of 4568 4492  remcmdstub.exe  128
PID 4568 wrote to memory of 2348 4568  cmd.exe         129
PID 4568 wrote to memory of 2348 4568  cmd.exe         129
Processes
1. C:\Users\Admin\AppData\Local\Temp\client\client32.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\client\client32.exe"
   PID: 1788
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\client\remcmdstub.exe
      Command line: remcmdstub.exe 2320 2336 2348 2352 %COMSPEC%
      PID: 4492
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\cmd.exe
         Command line: C:\Windows\system32\cmd.exe
         PID: 4568
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\System32\Wbem\WMIC.exe
            Command line: wmic computersystem get domain
            PID: 2348
            - Suspicious use of AdjustPrivilegeToken