Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    122s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    25/09/2024, 02:04 UTC

General

  • Target

    client32.exe

  • Size

    104KB

  • MD5

    f76954b68cc390f8009f1a052283a740

  • SHA1

    3112a39aad950045d6422fb2abe98bed05931e6c

  • SHA256

    63315df7981130853d75dc753e5776bdf371811bcfce351557c1e45afdd1ebfb

  • SHA512

    d3aea0867b488161f62e43e7c250ad3917713b8b183139fb6e06c71594fb0cec769e1494b7cc257117992ae4aa891e056f99c25431ae19f032b1ba779051a880

  • SSDEEP

    384:qkhNAEVV5+6j6Qa86Fkv2Wr120hZl4gtV5ttV2ikB:qwRVVZl6FhWr80/WgtV7tV2ikB

Malware Config

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as a legitimate system administration software.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\client32.exe
    "C:\Users\Admin\AppData\Local\Temp\client32.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2640

Network

  • flag-us
    DNS
    geo.netsupportsoftware.com
    client32.exe
    Remote address:
    8.8.8.8:53
    Request
    geo.netsupportsoftware.com
    IN A
    Response
    geo.netsupportsoftware.com
    IN A
    104.26.1.231
    geo.netsupportsoftware.com
    IN A
    172.67.68.212
    geo.netsupportsoftware.com
    IN A
    104.26.0.231
  • flag-us
    GET
    http://geo.netsupportsoftware.com/location/loca.asp
    client32.exe
    Remote address:
    104.26.1.231:80
    Request
    GET /location/loca.asp HTTP/1.1
    Host: geo.netsupportsoftware.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Date: Wed, 25 Sep 2024 02:04:40 GMT
    Content-Type: text/html; charset=us-ascii
    Transfer-Encoding: chunked
    Connection: keep-alive
    CF-Ray: 8c8771e35f703d88-LHR
    CF-Cache-Status: DYNAMIC
    cf-apo-via: origin,host
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5QTllNn%2B%2FhRI%2F6vWT7V5WES4bkvY9nmODyLileNvUNqhFD%2FEprJDzB566nTlUGEx%2Fmokres6E2yf0w8ff1RTLmNI0MI3lcCoWqHy2jJ%2BtSgCjTm%2F0ZRU7oH4mtikjsfCgWF4Ad8uLUJyhytv"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
  • flag-us
    DNS
    blahadfurtik.com
    client32.exe
    Remote address:
    8.8.8.8:53
    Request
    blahadfurtik.com
    IN A
    Response
    blahadfurtik.com
    IN A
    58.64.137.69
  • flag-us
    GET
    http://geo.netsupportsoftware.com/location/loca.asp
    client32.exe
    Remote address:
    104.26.1.231:80
    Request
    GET /location/loca.asp HTTP/1.1
    Host: geo.netsupportsoftware.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Date: Wed, 25 Sep 2024 02:04:41 GMT
    Content-Type: text/html; charset=us-ascii
    Transfer-Encoding: chunked
    Connection: keep-alive
    CF-Ray: 8c8771e3fed8636d-LHR
    CF-Cache-Status: DYNAMIC
    cf-apo-via: origin,host
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y7Mw6VkxQzFA0e6v6qO2rjGYt5UVvsZE7X6sQjyQkKENdyr9xE4QhpXe%2F1j4aL0z3%2Fac2zLCz1EqQGNW1XYALnLAh6QZnUdh1Hhl7YSs%2Ff7WmKyjs0h1zuvkAPL%2FKXGtrD20qbO1gWNsJl0G"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
  • flag-us
    GET
    http://geo.netsupportsoftware.com/location/loca.asp
    client32.exe
    Remote address:
    104.26.1.231:80
    Request
    GET /location/loca.asp HTTP/1.1
    Host: geo.netsupportsoftware.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Date: Wed, 25 Sep 2024 02:04:41 GMT
    Content-Type: text/html; charset=us-ascii
    Transfer-Encoding: chunked
    Connection: keep-alive
    CF-Ray: 8c8771e4981893e5-LHR
    CF-Cache-Status: DYNAMIC
    cf-apo-via: origin,host
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PrTsBrx%2FtURXVLp2GyyhXj5RBVQSpNQPeb03YzuPH5hppttiLxm7%2Bfx9KW2Iqfwqz4QGo0ParP43m7NQl5jgObZmTtVip3AX5BQxD2xagtqDDb47EBUJJ%2F9gURzl5I%2FvT0gN8eg%2B2XEwrDOh"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
  • flag-us
    DNS
    blahadfurtik2.com
    client32.exe
    Remote address:
    8.8.8.8:53
    Request
    blahadfurtik2.com
    IN A
    Response
  • 104.26.1.231:80
    http://geo.netsupportsoftware.com/location/loca.asp
    http
    client32.exe
    394 B
    1.1kB
    6
    4

    HTTP Request

    GET http://geo.netsupportsoftware.com/location/loca.asp

    HTTP Response

    404
  • 104.26.1.231:80
    http://geo.netsupportsoftware.com/location/loca.asp
    http
    client32.exe
    394 B
    1.1kB
    6
    4

    HTTP Request

    GET http://geo.netsupportsoftware.com/location/loca.asp

    HTTP Response

    404
  • 104.26.1.231:80
    http://geo.netsupportsoftware.com/location/loca.asp
    http
    client32.exe
    394 B
    1.1kB
    6
    4

    HTTP Request

    GET http://geo.netsupportsoftware.com/location/loca.asp

    HTTP Response

    404
  • 58.64.137.69:5222
    blahadfurtik.com
    client32.exe
    152 B
    3
  • 58.64.137.69:5222
    blahadfurtik.com
    client32.exe
    152 B
    3
  • 8.8.8.8:53
    geo.netsupportsoftware.com
    dns
    client32.exe
    72 B
    120 B
    1
    1

    DNS Request

    geo.netsupportsoftware.com

    DNS Response

    104.26.1.231
    172.67.68.212
    104.26.0.231

  • 8.8.8.8:53
    blahadfurtik.com
    dns
    client32.exe
    62 B
    78 B
    1
    1

    DNS Request

    blahadfurtik.com

    DNS Response

    58.64.137.69

  • 8.8.8.8:53
    blahadfurtik2.com
    dns
    client32.exe
    63 B
    136 B
    1
    1

    DNS Request

    blahadfurtik2.com

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.