Analysis
- max time kernel: 122s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 25/09/2024, 02:04 UTC
Tasks
- Static task static1
- Behavioral task behavioral1: sample AudioCapture.dll, resource win7-20240903-en
- Behavioral task behavioral2: sample AudioCapture.dll, resource win10v2004-20240802-en
- Behavioral task behavioral3: sample HTCTL32.dll, resource win7-20240903-en
- Behavioral task behavioral4: sample HTCTL32.dll, resource win10v2004-20240802-en
- Behavioral task behavioral5: sample PCICHEK.dll, resource win7-20240903-en
- Behavioral task behavioral6: sample PCICHEK.dll, resource win10v2004-20240802-en
- Behavioral task behavioral7: sample PCICL32.dll, resource win7-20240903-en
- Behavioral task behavioral8: sample PCICL32.dll, resource win10v2004-20240802-en
- Behavioral task behavioral9: sample TCCTL32.dll, resource win7-20240903-en
- Behavioral task behavioral10: sample TCCTL32.dll, resource win10v2004-20240802-en
- Behavioral task behavioral11: sample client32.exe, resource win7-20240729-en
- Behavioral task behavioral12: sample client32.exe, resource win10v2004-20240802-en
- Behavioral task behavioral13: sample msvcr100.dll, resource win7-20240903-en
- Behavioral task behavioral14: sample msvcr100.dll, resource win10v2004-20240802-en
- Behavioral task behavioral15: sample pcicapi.dll, resource win7-20240903-en
- Behavioral task behavioral16: sample pcicapi.dll, resource win10v2004-20240802-en
- Behavioral task behavioral17: sample remcmdstub.exe, resource win7-20240903-en
- Behavioral task behavioral18: sample remcmdstub.exe, resource win10v2004-20240802-en
General
- Target: client32.exe
- Size: 104KB
- MD5: f76954b68cc390f8009f1a052283a740
- SHA1: 3112a39aad950045d6422fb2abe98bed05931e6c
- SHA256: 63315df7981130853d75dc753e5776bdf371811bcfce351557c1e45afdd1ebfb
- SHA512: d3aea0867b488161f62e43e7c250ad3917713b8b183139fb6e06c71594fb0cec769e1494b7cc257117992ae4aa891e056f99c25431ae19f032b1ba779051a880
- SSDEEP: 384:qkhNAEVV5+6j6Qa86Fkv2Wr120hZl4gtV5ttV2ikB:qwRVVZl6FhWr80/WgtV7tV2ikB
Malware Config
Signatures
- NetSupport
  NetSupport is a remote access tool sold as legitimate system administration software.
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: client32.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeSecurityPrivilege; pid: 2640; process: client32.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid: 2640; process: client32.exe
Processes
Network
- Remote address: 8.8.8.8:53
  Request: geo.netsupportsoftware.com IN A
  Response:
    geo.netsupportsoftware.com IN A 104.26.1.231
    geo.netsupportsoftware.com IN A 172.67.68.212
    geo.netsupportsoftware.com IN A 104.26.0.231
- Remote address: 104.26.1.231:80
  Request:
    GET /location/loca.asp HTTP/1.1
    Host: geo.netsupportsoftware.com
    Connection: Keep-Alive
    Cache-Control: no-cache
  Response:
    HTTP/1.1 404 Not Found
    Content-Type: text/html; charset=us-ascii
    Transfer-Encoding: chunked
    Connection: keep-alive
    CF-Ray: 8c8771e35f703d88-LHR
    CF-Cache-Status: DYNAMIC
    cf-apo-via: origin,host
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5QTllNn%2B%2FhRI%2F6vWT7V5WES4bkvY9nmODyLileNvUNqhFD%2FEprJDzB566nTlUGEx%2Fmokres6E2yf0w8ff1RTLmNI0MI3lcCoWqHy2jJ%2BtSgCjTm%2F0ZRU7oH4mtikjsfCgWF4Ad8uLUJyhytv"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
- Remote address: 8.8.8.8:53
  Request: blahadfurtik.com IN A
  Response:
    blahadfurtik.com IN A 58.64.137.69
- Remote address: 104.26.1.231:80
  Request:
    GET /location/loca.asp HTTP/1.1
    Host: geo.netsupportsoftware.com
    Connection: Keep-Alive
    Cache-Control: no-cache
  Response:
    HTTP/1.1 404 Not Found
    Content-Type: text/html; charset=us-ascii
    Transfer-Encoding: chunked
    Connection: keep-alive
    CF-Ray: 8c8771e3fed8636d-LHR
    CF-Cache-Status: DYNAMIC
    cf-apo-via: origin,host
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y7Mw6VkxQzFA0e6v6qO2rjGYt5UVvsZE7X6sQjyQkKENdyr9xE4QhpXe%2F1j4aL0z3%2Fac2zLCz1EqQGNW1XYALnLAh6QZnUdh1Hhl7YSs%2Ff7WmKyjs0h1zuvkAPL%2FKXGtrD20qbO1gWNsJl0G"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
- Remote address: 104.26.1.231:80
  Request:
    GET /location/loca.asp HTTP/1.1
    Host: geo.netsupportsoftware.com
    Connection: Keep-Alive
    Cache-Control: no-cache
  Response:
    HTTP/1.1 404 Not Found
    Content-Type: text/html; charset=us-ascii
    Transfer-Encoding: chunked
    Connection: keep-alive
    CF-Ray: 8c8771e4981893e5-LHR
    CF-Cache-Status: DYNAMIC
    cf-apo-via: origin,host
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PrTsBrx%2FtURXVLp2GyyhXj5RBVQSpNQPeb03YzuPH5hppttiLxm7%2Bfx9KW2Iqfwqz4QGo0ParP43m7NQl5jgObZmTtVip3AX5BQxD2xagtqDDb47EBUJJ%2F9gURzl5I%2FvT0gN8eg%2B2XEwrDOh"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
- Remote address: 8.8.8.8:53
  Request: blahadfurtik2.com IN A
  Response:
Flow summary (column labels are assumed from the order of the values: bytes sent, bytes received, packets sent, packets received)
Sent    Recv    Pkts out  Pkts in  Detail
394 B   1.1kB   6         4        HTTP Request: GET http://geo.netsupportsoftware.com/location/loca.asp; HTTP Response: 404
394 B   1.1kB   6         4        HTTP Request: GET http://geo.netsupportsoftware.com/location/loca.asp; HTTP Response: 404
394 B   1.1kB   6         4        HTTP Request: GET http://geo.netsupportsoftware.com/location/loca.asp; HTTP Response: 404
152 B           3
152 B           3
72 B    120 B   1         1        DNS Request: geo.netsupportsoftware.com; DNS Response: 104.26.1.231, 172.67.68.212, 104.26.0.231
62 B    78 B    1         1        DNS Request: blahadfurtik.com; DNS Response: 58.64.137.69
63 B    136 B   1         1        DNS Request: blahadfurtik2.com