Analysis Overview
SHA256
6cbac4c735bba82b907ccfd6d5e5f65523860afcdf40e1c37a4295d209701665
Threat Level: Known bad
The file 6cbac4c735bba82b907ccfd6d5e5f65523860afcdf40e1c37a4295d209701665.zip was found to be: Known bad.
Malicious Activity Summary
NetSupport
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-16 02:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-16 02:25
Reported
2024-10-16 02:28
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
NetSupport
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\alsodiscussion.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\DNScache\client32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\DNScache\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\DNScache\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\DNScache\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\DNScache\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\DNScache\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\DNScache\client32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\alsodiscussionpro\alsodiscussionpro.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2144 set thread context of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\alsodiscussion.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\alsodiscussion.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\DNScache\client32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\alsodiscussion.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\alsodiscussion.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\alsodiscussion.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\alsodiscussion.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\DNScache\client32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\DNScache\client32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\alsodiscussionpro\alsodiscussionpro.exe | "C:\Users\Admin\AppData\Local\Temp\alsodiscussionpro\alsodiscussionpro.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\alsodiscussion.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\alsodiscussion.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "DNScache" /tr "C:\Users\Admin\AppData\Local\DNScache\client32.exe" /RL HIGHEST |
| C:\Users\Admin\AppData\Local\DNScache\client32.exe | C:\Users\Admin\AppData\Local\DNScache\client32.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cycleconf.com | udp |
| NL | 23.254.224.41:443 | cycleconf.com | tcp |
| US | 8.8.8.8:53 | 41.224.254.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ganeres1.com | udp |
| NL | 91.201.112.10:3785 | ganeres1.com | tcp |
| US | 8.8.8.8:53 | geo.netsupportsoftware.com | udp |
| US | 172.67.68.212:80 | geo.netsupportsoftware.com | tcp |
| US | 172.67.68.212:80 | geo.netsupportsoftware.com | tcp |
| US | 8.8.8.8:53 | 10.112.201.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.68.67.172.in-addr.arpa | udp |
| US | 172.67.68.212:80 | geo.netsupportsoftware.com | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\alsodiscussion.exe
| MD5 | aedf7f67cf6d7f8ef348ba681046fe51 |
| SHA1 | 707ac1c67e2d569613c1b5cc3f809d6bd3cddc26 |
| SHA256 | 6ba3976f8956dceb2903dc89b9b66c3d81ceb93566b6244b58c4929a454815c0 |
| SHA512 | 83297d6611b3c168952c700a10fcca736fe96205298a81eb4d21523b260f933b41f71f4fc9da41b60098d0687d822be6a93b3b29caf692bfaa32e1762a392a01 |
C:\Users\Admin\AppData\Local\DNScache\client32.exe
| MD5 | 9497aece91e1ccc495ca26ae284600b9 |
| SHA1 | a005d8ce0c1ea8901c1b4ea86c40f4925bd2c6da |
| SHA256 | 1b63f83f06dbd9125a6983a36e0dbd64026bb4f535e97c5df67c1563d91eff89 |
| SHA512 | 4c892e5029a707bcf73b85ac110d8078cb273632b68637e9b296a7474ab0202320ff24cf6206de04af08abf087654b0d80cbecfae824c06616c47ce93f0929c9 |
C:\Users\Admin\AppData\Local\DNScache\PCICL32.dll
| MD5 | ad51946b1659ed61b76ff4e599e36683 |
| SHA1 | dfe2439424886e8acf9fa3ffde6caaf7bfdd583e |
| SHA256 | 07a191254362664b3993479a277199f7ea5ee723b6c25803914eedb50250acf4 |
| SHA512 | 6c30e7793f69508f6d9aa6edcec6930ba361628ef597e32c218e15d80586f5a86d89fcbee63a35eab7b1e0ae26277512f4c1a03df7912f9b7ff9a9a858cf3962 |
C:\Users\Admin\AppData\Local\DNScache\HTCTL32.DLL
| MD5 | 2d3b207c8a48148296156e5725426c7f |
| SHA1 | ad464eb7cf5c19c8a443ab5b590440b32dbc618f |
| SHA256 | edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796 |
| SHA512 | 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c |
C:\Users\Admin\AppData\Local\DNScache\client32.ini
| MD5 | 5274a126ee2f7f926fb8f9ac53a57abd |
| SHA1 | 10eeb6dbd99013c7969c27d09104fcb0ffbd97da |
| SHA256 | b3f198f6976b2a97a0aafd4127bf1a274c3ca388226de13da37f3b5976b439ca |
| SHA512 | fcf0b3c57bd2db6544274cb622c4855e915c74705c311e3f94749a401238ebf525fb4c9607528dedb9944b8c682a3da2e4bcdd9a0e6d7367241430e54ab290db |
C:\Users\Admin\AppData\Local\DNScache\NSM.LIC
| MD5 | 1dc87146379e5e3f85fd23b25889ae2a |
| SHA1 | b750c56c757ad430c9421803649acf9acd15a860 |
| SHA256 | f7d80e323e7d0ed1e3ddd9b5df08af23dcecb47a3e289314134d4b76b3adcaf2 |
| SHA512 | 7861abe50eefdf4452e4baacc4b788895610196b387b70ddeab7bc70735391ed0a015f47eada94a368b82f8e5cedb5a2096e624f4a881ff067937ad159e3562c |
C:\Users\Admin\AppData\Local\DNScache\msvcr100.dll
| MD5 | 0e37fbfa79d349d672456923ec5fbbe3 |
| SHA1 | 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335 |
| SHA256 | 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 |
| SHA512 | 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630 |
C:\Users\Admin\AppData\Local\DNScache\pcicapi.dll
| MD5 | dcde2248d19c778a41aa165866dd52d0 |
| SHA1 | 7ec84be84fe23f0b0093b647538737e1f19ebb03 |
| SHA256 | 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917 |
| SHA512 | c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166 |
C:\Users\Admin\AppData\Local\DNScache\PCICHEK.DLL
| MD5 | a0b9388c5f18e27266a31f8c5765b263 |
| SHA1 | 906f7e94f841d464d4da144f7c858fa2160e36db |
| SHA256 | 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a |
| SHA512 | 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd |