Resubmissions

30/07/2024, 14:18 UTC

240730-rml82stbkq 10

30/07/2024, 01:45 UTC

240730-b6d4sawcld 3

Analysis

  • max time kernel
    30s
  • max time network
    20s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
  • submitted
    30/07/2024, 14:18 UTC

General

  • Target

    srgjsrtyjstryjkwssdty.ps1

  • Size

    789B

  • MD5

    175251f9d896e7faf156eb7c6865ddae

  • SHA1

    0665df5296b40ed0fcddefedeb82c96dada5cdac

  • SHA256

    a288c22b7c277f9fb41a46793ab5651f93e0a99f03332ac7b0f36a169ca7d321

  • SHA512

    90fa93dfd7f8751e0164dd305b11388941b36f599cd39f19744de2069cd0ca5df1984649fdaf97cd8949bbe0eff7a692703d2fdd174202e5fb2652618b2fead6

Malware Config

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as legitimate system administration software.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\srgjsrtyjstryjkwssdty.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1156
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "VFS\ProgramFilesX64\66\66.exe e VFS\ProgramFilesX64\programm3.7z -oC:\Users\Public\Pictures\programm -pprogramm3"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3356
      • C:\Users\Admin\AppData\Local\Temp\VFS\ProgramFilesX64\66\66.exe
        VFS\ProgramFilesX64\66\66.exe e VFS\ProgramFilesX64\programm3.7z -oC:\Users\Public\Pictures\programm -pprogramm3
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4420
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "VFS\ProgramFilesX64\66\66.exe e C:\Users\Public\Pictures\programm\programm2.7z -oC:\Users\Public\Pictures\programm -pprogramm2"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3140
      • C:\Users\Admin\AppData\Local\Temp\VFS\ProgramFilesX64\66\66.exe
        VFS\ProgramFilesX64\66\66.exe e C:\Users\Public\Pictures\programm\programm2.7z -oC:\Users\Public\Pictures\programm -pprogramm2
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3616
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "VFS\ProgramFilesX64\66\66.exe e C:\Users\Public\Pictures\programm\programm1.7z -oC:\Users\Public\Pictures\programm -pprogramm1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3544
      • C:\Users\Admin\AppData\Local\Temp\VFS\ProgramFilesX64\66\66.exe
        VFS\ProgramFilesX64\66\66.exe e C:\Users\Public\Pictures\programm\programm1.7z -oC:\Users\Public\Pictures\programm -pprogramm1
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3200
    • C:\Users\Public\Pictures\programm\soft.exe
      "C:\Users\Public\Pictures\programm\soft.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:3668

Network

  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.143.123.92.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.143.123.92.in-addr.arpa
    IN PTR
    Response
    240.143.123.92.in-addr.arpa
    IN PTR
    a92-123-143-240.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    6.181.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    6.181.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    geo.netsupportsoftware.com
    soft.exe
    Remote address:
    8.8.8.8:53
    Request
    geo.netsupportsoftware.com
    IN A
    Response
    geo.netsupportsoftware.com
    IN A
    172.67.68.212
    geo.netsupportsoftware.com
    IN A
    104.26.1.231
    geo.netsupportsoftware.com
    IN A
    104.26.0.231
  • flag-us
    DNS
    geo.netsupportsoftware.com
    soft.exe
    Remote address:
    8.8.8.8:53
    Request
    geo.netsupportsoftware.com
    IN A
  • flag-us
    DNS
    26.156.181.5.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.156.181.5.in-addr.arpa
    IN PTR
    Response
    26.156.181.5.in-addr.arpa
    IN PTR
    no-rdns.mivocloud.com
  • flag-us
    GET
    http://geo.netsupportsoftware.com/location/loca.asp
    soft.exe
    Remote address:
    172.67.68.212:80
    Request
    GET /location/loca.asp HTTP/1.1
    Host: geo.netsupportsoftware.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Date: Tue, 30 Jul 2024 14:19:23 GMT
    Content-Type: text/html; charset=us-ascii
    Transfer-Encoding: chunked
    Connection: keep-alive
    CF-Ray: 8ab5fbbd88d46551-LHR
    CF-Cache-Status: DYNAMIC
    cf-apo-via: origin,host
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T57z57fJw2nYvKlNXLNx2B4jSrDL3ej7L0C0tR3XiYAY3y%2FRUTn0UlzmgGtajSXub%2FqkB3jMkcneiuQVkUvZfMZakmAKoknEEF43Vp7dchQqRrxPT88VauEhdUr7xBAHuWT%2FrCQR2%2Fgn6ZxZ"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
  • flag-us
    GET
    http://geo.netsupportsoftware.com/location/loca.asp
    soft.exe
    Remote address:
    172.67.68.212:80
    Request
    GET /location/loca.asp HTTP/1.1
    Host: geo.netsupportsoftware.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Date: Tue, 30 Jul 2024 14:19:23 GMT
    Content-Type: text/html; charset=us-ascii
    Transfer-Encoding: chunked
    Connection: keep-alive
    CF-Ray: 8ab5fbbeab296407-LHR
    CF-Cache-Status: DYNAMIC
    cf-apo-via: origin,host
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bGDRy68ceR%2FYjaxrBjZT06TvGvotAOTeDpv2XT2Z5rIXXbG2FJBr4jeC%2Bdx11mTJ2MxbpHVL5nmSG8Q25MvBYELbRPGLTouvtszywfaKX2NnDKPMVe%2Facc3rjor7f5V%2FeP3wBdxpVsLYRKTn"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
  • flag-us
    GET
    http://geo.netsupportsoftware.com/location/loca.asp
    soft.exe
    Remote address:
    172.67.68.212:80
    Request
    GET /location/loca.asp HTTP/1.1
    Host: geo.netsupportsoftware.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Date: Tue, 30 Jul 2024 14:19:23 GMT
    Content-Type: text/html; charset=us-ascii
    Transfer-Encoding: chunked
    Connection: keep-alive
    CF-Ray: 8ab5fbbfaa7152ee-LHR
    CF-Cache-Status: DYNAMIC
    cf-apo-via: origin,host
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uUAFFl2b8FO%2Byr692BPopqNz2iz1BLkDnWAgJfY%2FpQHViWPU%2FUFRWZtASfGIYACSd4CkUwq%2BMbrfO%2BmpSMHbI%2BWaEH07x9XyL7EEwZRvTtZRWNfggda623GL4KRc5ShKthn5Upss7B1ERCOY"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
  • flag-us
    DNS
    212.68.67.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    212.68.67.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • 5.181.156.26:443
    http
    soft.exe
    2.2kB
    950 B
    9
    5
  • 172.67.68.212:80
    http://geo.netsupportsoftware.com/location/loca.asp
    http
    soft.exe
    440 B
    1.1kB
    7
    4

    HTTP Request

    GET http://geo.netsupportsoftware.com/location/loca.asp

    HTTP Response

    404
  • 172.67.68.212:80
    http://geo.netsupportsoftware.com/location/loca.asp
    http
    soft.exe
    440 B
    1.1kB
    7
    4

    HTTP Request

    GET http://geo.netsupportsoftware.com/location/loca.asp

    HTTP Response

    404
  • 172.67.68.212:80
    http://geo.netsupportsoftware.com/location/loca.asp
    http
    soft.exe
    440 B
    1.1kB
    7
    4

    HTTP Request

    GET http://geo.netsupportsoftware.com/location/loca.asp

    HTTP Response

    404
  • 13.85.23.86:443
  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    240.143.123.92.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    240.143.123.92.in-addr.arpa

  • 8.8.8.8:53
    6.181.190.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    6.181.190.20.in-addr.arpa

  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    geo.netsupportsoftware.com
    dns
    soft.exe
    144 B
    120 B
    2
    1

    DNS Request

    geo.netsupportsoftware.com

    DNS Request

    geo.netsupportsoftware.com

    DNS Response

    172.67.68.212
    104.26.1.231
    104.26.0.231

  • 8.8.8.8:53
    26.156.181.5.in-addr.arpa
    dns
    71 B
    106 B
    1
    1

    DNS Request

    26.156.181.5.in-addr.arpa

  • 8.8.8.8:53
    212.68.67.172.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    212.68.67.172.in-addr.arpa

  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3depuieo.my4.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Public\Pictures\programm\HTCTL32.DLL

    Filesize

    320KB

    MD5

    2d3b207c8a48148296156e5725426c7f

    SHA1

    ad464eb7cf5c19c8a443ab5b590440b32dbc618f

    SHA256

    edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

    SHA512

    55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

  • C:\Users\Public\Pictures\programm\MSVCR100.dll

    Filesize

    755KB

    MD5

    0e37fbfa79d349d672456923ec5fbbe3

    SHA1

    4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

    SHA256

    8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

    SHA512

    2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

  • C:\Users\Public\Pictures\programm\NSM.LIC

    Filesize

    2KB

    MD5

    52696f6345ef7afbfa28380f140bc770

    SHA1

    102839cbfa6970c0ba5c1e12fe036cc4322620a2

    SHA256

    fdba04fb98dab25b2e60d5a0a95996f2cad7bff0d1803d884400a3d13acabcf1

    SHA512

    8143d6a021a6fbf1814fc1f9a110ca124c24cf2a72c320370dc3c18f50c1618999dcbd0dba0efa1ed12339531d30b5cfa0d5a5b2a019824d7dc0772aae5e5e2f

  • C:\Users\Public\Pictures\programm\PCICHEK.DLL

    Filesize

    18KB

    MD5

    a0b9388c5f18e27266a31f8c5765b263

    SHA1

    906f7e94f841d464d4da144f7c858fa2160e36db

    SHA256

    313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

    SHA512

    6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

  • C:\Users\Public\Pictures\programm\PCICL32.dll

    Filesize

    3.5MB

    MD5

    ad51946b1659ed61b76ff4e599e36683

    SHA1

    dfe2439424886e8acf9fa3ffde6caaf7bfdd583e

    SHA256

    07a191254362664b3993479a277199f7ea5ee723b6c25803914eedb50250acf4

    SHA512

    6c30e7793f69508f6d9aa6edcec6930ba361628ef597e32c218e15d80586f5a86d89fcbee63a35eab7b1e0ae26277512f4c1a03df7912f9b7ff9a9a858cf3962

  • C:\Users\Public\Pictures\programm\client32.ini

    Filesize

    641B

    MD5

    3c3efb32e77a115e45d570a83f1ddb8d

    SHA1

    b513339ff89f02ddd1f26101b880506238eb680e

    SHA256

    6cf0dff63f4e65bdf05677d3156692acaf2a8c4e7ec96cfe290e9a8c461a48b2

    SHA512

    28a26c92c20c2b812fe0ca61ab18e4361a0204792290205efe3215746e3904cf9c67016c211ca9ace02741fb9fbe6b22b9d6560d08dd84dc63e4281ecf170b12

  • C:\Users\Public\Pictures\programm\pcicapi.dll

    Filesize

    32KB

    MD5

    dcde2248d19c778a41aa165866dd52d0

    SHA1

    7ec84be84fe23f0b0093b647538737e1f19ebb03

    SHA256

    9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

    SHA512

    c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

  • C:\Users\Public\Pictures\programm\programm1.7z

    Filesize

    1.4MB

    MD5

    b8182677ab16dce667e20d33a6176c1d

    SHA1

    40a506c1cec627a781f0ec49973e691a8f68e326

    SHA256

    51e5c3c3afa0744970e772bf0c53768d9d9856801e7cd682b1edbf52f7e689fa

    SHA512

    d86cafc98fac2dd5b1af1202adae3d35419439e9984f6027119a828d46f47e0d45fc6889b0182b2b2bf599d59e614f6d86b0348e20a4655c5be5b3c9d47e2457

  • C:\Users\Public\Pictures\programm\programm2.7z

    Filesize

    1.4MB

    MD5

    0521bd9a3fb18805722e4473c09a7c43

    SHA1

    25ac677556421ecf2209b1d6ba70f9af20cdc7a7

    SHA256

    16f8bad5154d5c557794a43ba2acc260e70d142df25fc424eaea8378d4e70dc9

    SHA512

    507ce217b49fc53c535714e854378aed1531efe5697948fd982ffbc43a326e9a13d72c9557b5437b6e7d2ef620572cfc19ca9fc4807dd692877522ddce047fca

  • C:\Users\Public\Pictures\programm\soft.exe

    Filesize

    54KB

    MD5

    4cb25a4d34304410017210125112bc79

    SHA1

    021f72c016402db9fef4e1953f1b4b7251fea2fb

    SHA256

    3d15fff559a6279db51ae58202c03167f69797340c4e581a6b5c4898d8e2e244

    SHA512

    62f32e442f587950223f816fbde09d4eaaea38c5365209894a7df6e3b296153ee480289666904b0feb9996277af750b539f0b8564bbe66e7e822bddc828d6e74

  • memory/1156-12-0x00007FFA21140000-0x00007FFA21C01000-memory.dmp

    Filesize

    10.8MB

  • memory/1156-0-0x00007FFA21143000-0x00007FFA21145000-memory.dmp

    Filesize

    8KB

  • memory/1156-7-0x0000018258D20000-0x0000018258D42000-memory.dmp

    Filesize

    136KB

  • memory/1156-6-0x00007FFA21140000-0x00007FFA21C01000-memory.dmp

    Filesize

    10.8MB

  • memory/1156-62-0x00007FFA21140000-0x00007FFA21C01000-memory.dmp

    Filesize

    10.8MB
