Analysis Overview
SHA256
a378a6a5e51b753df66e6d1111d415dd61208f7e1489128ff9cc6cd1c726ac00
Threat Level: Known bad
The file a378a6a5e51b753df66e6d1111d415dd61208f7e1489128ff9cc6cd1c726ac00.zip was found to be: Known bad.
Malicious Activity Summary
NetSupport
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-16 05:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-16 05:21
Reported
2024-10-16 05:24
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
135s
Command Line
Signatures
NetSupport
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\DNScache\client32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\DNScache\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\DNScache\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\DNScache\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\DNScache\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\DNScache\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\DNScache\client32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\yearprogrampro\yearprogrampro.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1000 set thread context of 3084 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\DNScache\client32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\DNScache\client32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\DNScache\client32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\yearprogrampro\yearprogrampro.exe
"C:\Users\Admin\AppData\Local\Temp\yearprogrampro\yearprogrampro.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "DNScache" /tr "C:\Users\Admin\AppData\Local\DNScache\client32.exe" /RL HIGHEST
C:\Users\Admin\AppData\Local\DNScache\client32.exe
C:\Users\Admin\AppData\Local\DNScache\client32.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cycleconf.com | udp |
| NL | 23.254.224.41:443 | cycleconf.com | tcp |
| US | 8.8.8.8:53 | 41.224.254.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geo.netsupportsoftware.com | udp |
| US | 8.8.8.8:53 | ganeres1.com | udp |
| US | 104.26.0.231:80 | geo.netsupportsoftware.com | tcp |
| NL | 91.201.112.10:3785 | ganeres1.com | tcp |
| US | 104.26.0.231:80 | geo.netsupportsoftware.com | tcp |
| US | 104.26.0.231:80 | geo.netsupportsoftware.com | tcp |
| US | 8.8.8.8:53 | 231.0.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.112.201.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe
C:\Users\Admin\AppData\Local\DNScache\client32.exe
C:\Users\Admin\AppData\Local\DNScache\PCICL32.dll
C:\Users\Admin\AppData\Local\DNScache\pcicapi.dll
C:\Users\Admin\AppData\Local\DNScache\MSVCR100.dll
C:\Users\Admin\AppData\Local\DNScache\client32.ini
C:\Users\Admin\AppData\Local\DNScache\NSM.LIC
C:\Users\Admin\AppData\Local\DNScache\PCICHEK.DLL
C:\Users\Admin\AppData\Local\DNScache\HTCTL32.DLL