Overview

overview

10

Static

static

3

srgjsrtyjs...ty.ps1

windows7-x64

10

srgjsrtyjs...ty.ps1

windows10-1703-x64

10

srgjsrtyjs...ty.ps1

windows10-2004-x64

10

srgjsrtyjs...ty.ps1

windows11-21h2-x64

10

Resubmissions

30-07-2024 14:18

240730-rml82stbkq 10

30-07-2024 01:45

240730-b6d4sawcld 3

Analysis

  • max time kernel
    30s
  • max time network
    20s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-07-2024 14:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    srgjsrtyjstryjkwssdty.ps1

  • Size

    789B

  • MD5

    175251f9d896e7faf156eb7c6865ddae

  • SHA1

    0665df5296b40ed0fcddefedeb82c96dada5cdac

  • SHA256

    a288c22b7c277f9fb41a46793ab5651f93e0a99f03332ac7b0f36a169ca7d321

  • SHA512

    90fa93dfd7f8751e0164dd305b11388941b36f599cd39f19744de2069cd0ca5df1984649fdaf97cd8949bbe0eff7a692703d2fdd174202e5fb2652618b2fead6

Score
10/10
netsupportdiscoveryexecutionrat

Malware Config

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as a legitimate system administration software.

    ratnetsupport
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\srgjsrtyjstryjkwssdty.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1156
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "VFS\ProgramFilesX64\66\66.exe e VFS\ProgramFilesX64\programm3.7z -oC:\Users\Public\Pictures\programm -pprogramm3"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3356
      • C:\Users\Admin\AppData\Local\Temp\VFS\ProgramFilesX64\66\66.exe
        VFS\ProgramFilesX64\66\66.exe e VFS\ProgramFilesX64\programm3.7z -oC:\Users\Public\Pictures\programm -pprogramm3
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4420
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "VFS\ProgramFilesX64\66\66.exe e C:\Users\Public\Pictures\programm\programm2.7z -oC:\Users\Public\Pictures\programm -pprogramm2"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3140
      • C:\Users\Admin\AppData\Local\Temp\VFS\ProgramFilesX64\66\66.exe
        VFS\ProgramFilesX64\66\66.exe e C:\Users\Public\Pictures\programm\programm2.7z -oC:\Users\Public\Pictures\programm -pprogramm2
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3616
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "VFS\ProgramFilesX64\66\66.exe e C:\Users\Public\Pictures\programm\programm1.7z -oC:\Users\Public\Pictures\programm -pprogramm1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3544
      • C:\Users\Admin\AppData\Local\Temp\VFS\ProgramFilesX64\66\66.exe
        VFS\ProgramFilesX64\66\66.exe e C:\Users\Public\Pictures\programm\programm1.7z -oC:\Users\Public\Pictures\programm -pprogramm1
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3200
    • C:\Users\Public\Pictures\programm\soft.exe
      "C:\Users\Public\Pictures\programm\soft.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:3668

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3depuieo.my4.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Public\Pictures\programm\HTCTL32.DLL
    Filesize

    320KB

    MD5

    2d3b207c8a48148296156e5725426c7f

    SHA1

    ad464eb7cf5c19c8a443ab5b590440b32dbc618f

    SHA256

    edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

    SHA512

    55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

    Download Submit

  • C:\Users\Public\Pictures\programm\MSVCR100.dll
    Filesize

    755KB

    MD5

    0e37fbfa79d349d672456923ec5fbbe3

    SHA1

    4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

    SHA256

    8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

    SHA512

    2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

    Download Submit

  • C:\Users\Public\Pictures\programm\NSM.LIC
    Filesize

    2KB

    MD5

    52696f6345ef7afbfa28380f140bc770

    SHA1

    102839cbfa6970c0ba5c1e12fe036cc4322620a2

    SHA256

    fdba04fb98dab25b2e60d5a0a95996f2cad7bff0d1803d884400a3d13acabcf1

    SHA512

    8143d6a021a6fbf1814fc1f9a110ca124c24cf2a72c320370dc3c18f50c1618999dcbd0dba0efa1ed12339531d30b5cfa0d5a5b2a019824d7dc0772aae5e5e2f

    Download Submit

  • C:\Users\Public\Pictures\programm\PCICHEK.DLL
    Filesize

    18KB

    MD5

    a0b9388c5f18e27266a31f8c5765b263

    SHA1

    906f7e94f841d464d4da144f7c858fa2160e36db

    SHA256

    313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

    SHA512

    6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

    Download Submit

  • C:\Users\Public\Pictures\programm\PCICL32.dll
    Filesize

    3.5MB

    MD5

    ad51946b1659ed61b76ff4e599e36683

    SHA1

    dfe2439424886e8acf9fa3ffde6caaf7bfdd583e

    SHA256

    07a191254362664b3993479a277199f7ea5ee723b6c25803914eedb50250acf4

    SHA512

    6c30e7793f69508f6d9aa6edcec6930ba361628ef597e32c218e15d80586f5a86d89fcbee63a35eab7b1e0ae26277512f4c1a03df7912f9b7ff9a9a858cf3962

    Download Submit

  • C:\Users\Public\Pictures\programm\client32.ini
    Filesize

    641B

    MD5

    3c3efb32e77a115e45d570a83f1ddb8d

    SHA1

    b513339ff89f02ddd1f26101b880506238eb680e

    SHA256

    6cf0dff63f4e65bdf05677d3156692acaf2a8c4e7ec96cfe290e9a8c461a48b2

    SHA512

    28a26c92c20c2b812fe0ca61ab18e4361a0204792290205efe3215746e3904cf9c67016c211ca9ace02741fb9fbe6b22b9d6560d08dd84dc63e4281ecf170b12

    Download Submit

  • C:\Users\Public\Pictures\programm\pcicapi.dll
    Filesize

    32KB

    MD5

    dcde2248d19c778a41aa165866dd52d0

    SHA1

    7ec84be84fe23f0b0093b647538737e1f19ebb03

    SHA256

    9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

    SHA512

    c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

    Download Submit

  • C:\Users\Public\Pictures\programm\programm1.7z
    Filesize

    1.4MB

    MD5

    b8182677ab16dce667e20d33a6176c1d

    SHA1

    40a506c1cec627a781f0ec49973e691a8f68e326

    SHA256

    51e5c3c3afa0744970e772bf0c53768d9d9856801e7cd682b1edbf52f7e689fa

    SHA512

    d86cafc98fac2dd5b1af1202adae3d35419439e9984f6027119a828d46f47e0d45fc6889b0182b2b2bf599d59e614f6d86b0348e20a4655c5be5b3c9d47e2457

    Download Submit

  • C:\Users\Public\Pictures\programm\programm2.7z
    Filesize

    1.4MB

    MD5

    0521bd9a3fb18805722e4473c09a7c43

    SHA1

    25ac677556421ecf2209b1d6ba70f9af20cdc7a7

    SHA256

    16f8bad5154d5c557794a43ba2acc260e70d142df25fc424eaea8378d4e70dc9

    SHA512

    507ce217b49fc53c535714e854378aed1531efe5697948fd982ffbc43a326e9a13d72c9557b5437b6e7d2ef620572cfc19ca9fc4807dd692877522ddce047fca

    Download Submit

  • C:\Users\Public\Pictures\programm\soft.exe
    Filesize

    54KB

    MD5

    4cb25a4d34304410017210125112bc79

    SHA1

    021f72c016402db9fef4e1953f1b4b7251fea2fb

    SHA256

    3d15fff559a6279db51ae58202c03167f69797340c4e581a6b5c4898d8e2e244

    SHA512

    62f32e442f587950223f816fbde09d4eaaea38c5365209894a7df6e3b296153ee480289666904b0feb9996277af750b539f0b8564bbe66e7e822bddc828d6e74

    Download Submit

  • memory/1156-12-0x00007FFA21140000-0x00007FFA21C01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1156-0-0x00007FFA21143000-0x00007FFA21145000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1156-7-0x0000018258D20000-0x0000018258D42000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1156-6-0x00007FFA21140000-0x00007FFA21C01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1156-62-0x00007FFA21140000-0x00007FFA21C01000-memory.dmp

    Filesize

    10.8MB

    Download