Malware Analysis Report

2024-10-19 01:37

Sample ID 241007-wc12ns1bjl
Target 7-zip.zip
SHA256 3d00468448abc115a138a0d7c0e39db72bf3c46ed086926e7b9f1854835676b6
Tags
netsupport discovery rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3d00468448abc115a138a0d7c0e39db72bf3c46ed086926e7b9f1854835676b6

Threat Level: Known bad

The file 7-zip.zip was found to be: Known bad.

Malicious Activity Summary

netsupport discovery rat

NetSupport

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-07 17:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-07 17:47

Reported

2024-10-07 18:18

Platform

win10v2004-20241007-en

Max time kernel

1332s

Max time network

1793s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7-zip\7-zip.exe"

Signatures

NetSupport

rat netsupport

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7-zip\7-zip.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7-zip\7-zip.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7-zip\7-zip.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7-zip\7-zip.exe

"C:\Users\Admin\AppData\Local\Temp\7-zip\7-zip.exe"

Network

Country Destination Domain Proto
DE 212.224.107.150:443 tcp
US 8.8.8.8:53 geo.netsupportsoftware.com udp
US 104.26.1.231:80 geo.netsupportsoftware.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 150.107.224.212.in-addr.arpa udp
US 8.8.8.8:53 231.1.26.104.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-07 17:47

Reported

2024-10-07 18:17

Platform

win11-20241007-en

Max time kernel

604s

Max time network

1793s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7-zip\7-zip.exe"

Signatures

NetSupport

rat netsupport

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7-zip\7-zip.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7-zip\7-zip.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7-zip\7-zip.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7-zip\7-zip.exe

"C:\Users\Admin\AppData\Local\Temp\7-zip\7-zip.exe"

Network

Country Destination Domain Proto
DE 212.224.107.150:443 tcp
US 8.8.8.8:53 geo.netsupportsoftware.com udp
US 104.26.1.231:80 geo.netsupportsoftware.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 231.1.26.104.in-addr.arpa udp

Files

N/A