Malware Analysis Report

2024-10-19 01:38

Sample ID 241008-q2d1jszcqr
Target download.zip
SHA256 98ec780e46cd137c3c88ca3403063525c037196840092ff58309f74a82851849
Tags
discovery netsupport rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

98ec780e46cd137c3c88ca3403063525c037196840092ff58309f74a82851849

Threat Level: Known bad

The file download.zip was found to be: Known bad.

Malicious Activity Summary

discovery netsupport rat

NetSupport

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Program crash

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-08 13:45

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-08 13:45

Reported

2024-10-08 13:56

Platform

win11-20240802-en

Max time kernel

439s

Max time network

442s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\HTCTL32.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4516 wrote to memory of 4216 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4516 wrote to memory of 4216 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4516 wrote to memory of 4216 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\HTCTL32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\HTCTL32.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4216 -ip 4216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 504

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-10-08 13:45

Reported

2024-10-08 13:56

Platform

win11-20241007-en

Max time kernel

428s

Max time network

432s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\PCICHEK.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5408 wrote to memory of 5360 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5408 wrote to memory of 5360 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5408 wrote to memory of 5360 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\PCICHEK.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\PCICHEK.dll,#1

Network

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-10-08 13:45

Reported

2024-10-08 13:56

Platform

win11-20241007-en

Max time kernel

441s

Max time network

445s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\PCICL32.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1224 wrote to memory of 1084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1224 wrote to memory of 1084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1224 wrote to memory of 1084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\PCICL32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\PCICL32.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-10-08 13:45

Reported

2024-10-08 13:56

Platform

win11-20241007-en

Max time kernel

445s

Max time network

447s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\pcicapi.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1412 wrote to memory of 1944 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1412 wrote to memory of 1944 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1412 wrote to memory of 1944 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\pcicapi.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\pcicapi.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-08 13:45

Reported

2024-10-08 13:56

Platform

win11-20241007-en

Max time kernel

436s

Max time network

440s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\LogoDev.png

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\LogoDev.png

Network

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-10-08 13:45

Reported

2024-10-08 13:56

Platform

win11-20241007-en

Max time kernel

450s

Max time network

452s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\delegatedWebFeatures.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "2211324918" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31136199" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\BrowserEmulation C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\delegatedWebFeatures.xml"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\delegatedWebFeatures.xml

Network

Files

memory/1064-0-0x00007FFB2F430000-0x00007FFB2F440000-memory.dmp

memory/1064-3-0x00007FFB2F430000-0x00007FFB2F440000-memory.dmp

memory/1064-4-0x00007FFB2F430000-0x00007FFB2F440000-memory.dmp

memory/1064-5-0x00007FFB2F430000-0x00007FFB2F440000-memory.dmp

memory/1064-1-0x00007FFB6F443000-0x00007FFB6F444000-memory.dmp

memory/1064-2-0x00007FFB2F430000-0x00007FFB2F440000-memory.dmp

memory/1064-6-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp

memory/1064-7-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp

memory/1064-8-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp

memory/1064-9-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp

memory/1064-11-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp

memory/1064-10-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp

memory/1064-12-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp

memory/1064-13-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp

memory/1064-17-0x00007FFB2F430000-0x00007FFB2F440000-memory.dmp

memory/1064-18-0x00007FFB6F3A0000-0x00007FFB6F5A9000-memory.dmp

memory/1064-16-0x00007FFB2F430000-0x00007FFB2F440000-memory.dmp

memory/1064-15-0x00007FFB2F430000-0x00007FFB2F440000-memory.dmp

memory/1064-14-0x00007FFB2F430000-0x00007FFB2F440000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-10-08 13:45

Reported

2024-10-08 13:56

Platform

win11-20240802-en

Max time kernel

425s

Max time network

429s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\install_state.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\install_state.json

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-08 13:45

Reported

2024-10-08 13:56

Platform

win11-20241007-en

Max time kernel

449s

Max time network

459s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\NSM.lic

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\NSM.lic

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-10-08 13:45

Reported

2024-10-08 13:56

Platform

win11-20241007-en

Max time kernel

437s

Max time network

458s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\NSM.ini

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\NSM.ini

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-10-08 13:45

Reported

2024-10-08 13:56

Platform

win11-20241007-en

Max time kernel

451s

Max time network

452s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Setup\2CEE836C30F61F46s

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Setup\2CEE836C30F61F46s

Network

Country Destination Domain Proto
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-10-08 13:45

Reported

2024-10-08 13:56

Platform

win11-20241007-en

Max time kernel

429s

Max time network

428s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Setup\Sigma\Advertising

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Setup\Sigma\Advertising

Network

Country Destination Domain Proto
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-10-08 13:45

Reported

2024-10-08 13:56

Platform

win11-20241007-en

Max time kernel

433s

Max time network

435s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Setup\Sigma\LICENSE

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Setup\Sigma\LICENSE

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-10-08 13:45

Reported

2024-10-08 13:56

Platform

win11-20241007-en

Max time kernel

449s

Max time network

452s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr100.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4592 wrote to memory of 1500 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4592 wrote to memory of 1500 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4592 wrote to memory of 1500 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr100.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr100.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1500 -ip 1500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 448

Network

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-10-08 13:45

Reported

2024-10-08 13:56

Platform

win11-20241007-en

Max time kernel

437s

Max time network

437s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\nskbfltr.inf

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\nskbfltr.inf

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-10-08 13:45

Reported

2024-10-08 13:56

Platform

win11-20241007-en

Max time kernel

432s

Max time network

434s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Setup\CC88C062DAB6233Fs

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Setup\CC88C062DAB6233Fs

Network

Country Destination Domain Proto
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-10-08 13:45

Reported

2024-10-08 13:56

Platform

win11-20241007-en

Max time kernel

442s

Max time network

446s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Setup\Sigma\Staging

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Setup\Sigma\Staging

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-10-08 13:45

Reported

2024-10-08 13:56

Platform

win11-20241007-en

Max time kernel

442s

Max time network

444s

Command Line

"C:\Users\Admin\AppData\Local\Temp\remcmdstub.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\remcmdstub.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\remcmdstub.exe

"C:\Users\Admin\AppData\Local\Temp\remcmdstub.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-08 13:45

Reported

2024-10-08 13:55

Platform

win11-20241007-en

Max time kernel

434s

Max time network

459s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\download.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\download.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-10-08 13:45

Reported

2024-10-08 13:56

Platform

win11-20241007-en

Max time kernel

440s

Max time network

442s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TCCTL32.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1740 wrote to memory of 648 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1740 wrote to memory of 648 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1740 wrote to memory of 648 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TCCTL32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TCCTL32.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-10-08 13:45

Reported

2024-10-08 13:56

Platform

win11-20241007-en

Max time kernel

446s

Max time network

544s

Command Line

"C:\Users\Admin\AppData\Local\Temp\client32.exe"

Signatures

NetSupport

rat netsupport

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\client32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\client32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\client32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\client32.exe

"C:\Users\Admin\AppData\Local\Temp\client32.exe"

Network

Country Destination Domain Proto
US 5.181.159.137:443 tcp
US 8.8.8.8:53 geo.netsupportsoftware.com udp
US 104.26.1.231:80 geo.netsupportsoftware.com tcp
US 104.26.1.231:80 geo.netsupportsoftware.com tcp
US 8.8.8.8:53 137.159.181.5.in-addr.arpa udp
US 8.8.8.8:53 231.1.26.104.in-addr.arpa udp
US 104.26.1.231:80 geo.netsupportsoftware.com tcp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-10-08 13:45

Reported

2024-10-08 13:56

Platform

win11-20241007-en

Max time kernel

426s

Max time network

459s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\client32.ini

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\client32.ini

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-10-08 13:45

Reported

2024-10-08 13:56

Platform

win11-20241007-en

Max time kernel

437s

Max time network

440s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\nsm_vpro.ini

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\nsm_vpro.ini

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-10-08 13:45

Reported

2024-10-08 13:56

Platform

win11-20240802-en

Max time kernel

436s

Max time network

439s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\package_metadata

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\package_metadata

Network

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-10-08 13:45

Reported

2024-10-08 13:56

Platform

win11-20241007-en

Max time kernel

425s

Max time network

459s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Setup\A88D1CCE15181E1Ds

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Setup\A88D1CCE15181E1Ds

Network

Files

N/A