Analysis
max time kernel: 1624s
max time network: 1793s
platform: windows11-21h2_x64
resource: win11-20240412-en
resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 24-04-2024 15:19
Static task: static1
Behavioral task: behavioral1
  Sample: client/client32.exe
  Resource: win10-20240404-en
Behavioral task: behavioral2
  Sample: client/client32.exe
  Resource: win10v2004-20240412-en
Behavioral task: behavioral3
  Sample: client/client32.exe
  Resource: win11-20240412-en
General
Target: client/client32.exe
Size: 54KB
MD5: 9497aece91e1ccc495ca26ae284600b9
SHA1: a005d8ce0c1ea8901c1b4ea86c40f4925bd2c6da
SHA256: 1b63f83f06dbd9125a6983a36e0dbd64026bb4f535e97c5df67c1563d91eff89
SHA512: 4c892e5029a707bcf73b85ac110d8078cb273632b68637e9b296a7474ab0202320ff24cf6206de04af08abf087654b0d80cbecfae824c06616c47ce93f0929c9
SSDEEP: 1536:HtvrImfzoXK6DDvvvDvpvZMt+pan/opgRl2:lImfzoXK9/o66
Malware Config
Signatures
NetSupport
NetSupport is a remote access tool sold as legitimate system administration software.
Suspicious use of AdjustPrivilegeToken (43 IoCs)
description                              pid   Process
Token: SeSecurityPrivilege               3764  client32.exe
Token: SeIncreaseQuotaPrivilege          2840  WMIC.exe
Token: SeSecurityPrivilege               2840  WMIC.exe
Token: SeTakeOwnershipPrivilege          2840  WMIC.exe
Token: SeLoadDriverPrivilege             2840  WMIC.exe
Token: SeSystemProfilePrivilege          2840  WMIC.exe
Token: SeSystemtimePrivilege             2840  WMIC.exe
Token: SeProfSingleProcessPrivilege      2840  WMIC.exe
Token: SeIncBasePriorityPrivilege        2840  WMIC.exe
Token: SeCreatePagefilePrivilege         2840  WMIC.exe
Token: SeBackupPrivilege                 2840  WMIC.exe
Token: SeRestorePrivilege                2840  WMIC.exe
Token: SeShutdownPrivilege               2840  WMIC.exe
Token: SeDebugPrivilege                  2840  WMIC.exe
Token: SeSystemEnvironmentPrivilege      2840  WMIC.exe
Token: SeRemoteShutdownPrivilege         2840  WMIC.exe
Token: SeUndockPrivilege                 2840  WMIC.exe
Token: SeManageVolumePrivilege           2840  WMIC.exe
Token: 33                                2840  WMIC.exe
Token: 34                                2840  WMIC.exe
Token: 35                                2840  WMIC.exe
Token: 36                                2840  WMIC.exe
Token: SeIncreaseQuotaPrivilege          2840  WMIC.exe
Token: SeSecurityPrivilege               2840  WMIC.exe
Token: SeTakeOwnershipPrivilege          2840  WMIC.exe
Token: SeLoadDriverPrivilege             2840  WMIC.exe
Token: SeSystemProfilePrivilege          2840  WMIC.exe
Token: SeSystemtimePrivilege             2840  WMIC.exe
Token: SeProfSingleProcessPrivilege      2840  WMIC.exe
Token: SeIncBasePriorityPrivilege        2840  WMIC.exe
Token: SeCreatePagefilePrivilege         2840  WMIC.exe
Token: SeBackupPrivilege                 2840  WMIC.exe
Token: SeRestorePrivilege                2840  WMIC.exe
Token: SeShutdownPrivilege               2840  WMIC.exe
Token: SeDebugPrivilege                  2840  WMIC.exe
Token: SeSystemEnvironmentPrivilege      2840  WMIC.exe
Token: SeRemoteShutdownPrivilege         2840  WMIC.exe
Token: SeUndockPrivilege                 2840  WMIC.exe
Token: SeManageVolumePrivilege           2840  WMIC.exe
Token: 33                                2840  WMIC.exe
Token: 34                                2840  WMIC.exe
Token: 35                                2840  WMIC.exe
Token: 36                                2840  WMIC.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
pid   Process
3764  client32.exe
3764  client32.exe
3764  client32.exe
Suspicious use of SendNotifyMessage (1 IoC)
pid   Process
3764  client32.exe
Suspicious use of WriteProcessMemory (7 IoCs)
description                          pid   Process          procid_target
PID 3764 wrote to memory of 952      3764  client32.exe     82
PID 3764 wrote to memory of 952      3764  client32.exe     82
PID 3764 wrote to memory of 952      3764  client32.exe     82
PID 952 wrote to memory of 1240      952   remcmdstub.exe   84
PID 952 wrote to memory of 1240      952   remcmdstub.exe   84
PID 1240 wrote to memory of 2840     1240  cmd.exe          85
PID 1240 wrote to memory of 2840     1240  cmd.exe          85
Processes
1. C:\Users\Admin\AppData\Local\Temp\client\client32.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\client\client32.exe"
   PID: 3764
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\client\remcmdstub.exe
      Command line: remcmdstub.exe 2392 2372 2380 2408 %COMSPEC%
      PID: 952
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\cmd.exe
         Command line: C:\Windows\system32\cmd.exe
         PID: 1240
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\System32\Wbem\WMIC.exe
            Command line: wmic computersystem get domain
            PID: 2840
            - Suspicious use of AdjustPrivilegeToken