Analysis

  • max time kernel
    122s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/10/2024, 16:00 UTC

General

  • Target

    file.exe

  • Size

    2.2MB

  • MD5

    87514bcfa421057dc1575ec1630d78ff

  • SHA1

    012029171ff901f1cb5495059da47143d193923c

  • SHA256

    50c263fc02412062ca239e7419880678f797408a243d0a2140bc7bbb96a716c1

  • SHA512

    0d37d146960abf699a35d8c66d4af38c68af12db62d8548457dc26f6a2e30dd07c3d2599f38befee0720e649b08884daa37961b74ff4e2622840ea3d8237501b

  • SSDEEP

    49152:kDjlabwz9Tvaw2EheBgtpsDf5Log8nUQkFG4tP5Deqk+H1Zf8NNbTs:0qwFvcEhQGa178UnxBkk1ZfWC

Malware Config

Signatures

  • NetSupport

    NetSupport Manager is a remote access tool sold as legitimate system administration software. Its client performs a vendor geolocation lookup when it starts, so the DNS and HTTP traffic to geo.netsupportsoftware.com in the Network section is product behaviour rather than something unique to this sample; the sample-specific indicators are the drop directory C:\Users\Public\Netstat, the NetSupport client running as bild.exe from that user-writable location, and the 172.86.117.97:443 peer, which was contacted without any preceding DNS lookup.

  • Netsupport family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2660
    • C:\Users\Public\Netstat\bild.exe
      "C:\Users\Public\Netstat\bild.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2868

Network

  • [US] DNS: geo.netsupportsoftware.com (bild.exe)
    Remote address: 8.8.8.8:53
    Request: geo.netsupportsoftware.com IN A
    Response:
      geo.netsupportsoftware.com IN A 104.26.1.231
      geo.netsupportsoftware.com IN A 172.67.68.212
      geo.netsupportsoftware.com IN A 104.26.0.231
  • [US] GET http://geo.netsupportsoftware.com/location/loca.asp (bild.exe)
    Remote address: 104.26.1.231:80
    Request
    GET /location/loca.asp HTTP/1.1
    Host: geo.netsupportsoftware.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Thu, 31 Oct 2024 16:00:53 GMT
    Content-Type: text/html; Charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    CF-Ray: 8db4dc4ba8064134-LHR
    CF-Cache-Status: DYNAMIC
    Access-Control-Allow-Origin: *
    Cache-Control: private
    Set-Cookie: ASPSESSIONIDQSDTCBCQ=GGNGJKLBFONIFCBEPPIICFAN; path=/
    Strict-Transport-Security: max-age=31536000; includeSubDomains
    Vary: Accept-Encoding
    cf-apo-via: origin,host
    Referrer-Policy: strict-origin-when-cross-origin
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NLLEBWqdTBQiLw05X2NvRTY9H8C%2F6HOS6%2BhWNGAWDtgOZAD3zErWgCI0dK937fzZ6EP%2B3fdX76oW8JZaqe4XKc0EhxrxV5cc442kONWrs4mudCU3deDYCkKcK0tXl2aryve7w7a4ciCDW0ay"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
  • 172.86.117.97:443
    http
    bild.exe
    3.1kB
    837 B
    13
    7
  • 104.26.1.231:80
    http://geo.netsupportsoftware.com/location/loca.asp
    http
    bild.exe
    394 B
    1.1kB
    6
    5

    HTTP Request

    GET http://geo.netsupportsoftware.com/location/loca.asp

    HTTP Response

    200
  • 8.8.8.8:53
    geo.netsupportsoftware.com
    dns
    bild.exe
    72 B
    120 B
    1
    1

    DNS Request

    geo.netsupportsoftware.com

    DNS Response

    104.26.1.231
    172.67.68.212
    104.26.0.231
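The network behaviour above, turned into detection logic. This is an added example written for this page, not code from tria.ge or from NetSupport. The event dicts are constructed to mirror the report's DNS, HTTP and connection entries; the stock client name client32.exe, the user-writable path prefixes and the benign control event (the vendor client in its install directory) are assumptions. The raw request parser works on the same HTTP/1.1 text the sandbox captured, and the 443 check flags a peer that was never resolved through DNS in the session, which is what the report shows for 172.86.117.97.

```python
"""Added example, not part of the tria.ge report: score NetSupport-style
network events with the checks a detection engineer would write.
Events are constructed from the report's Network section; client32.exe as
the stock client name and the benign control event are assumptions."""

NETSUPPORT_GEO_HOST = "geo.netsupportsoftware.com"
STOCK_CLIENT_NAMES = {"client32.exe"}            # assumption: unrenamed vendor client
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\")  # assumption

# Constructed Sysmon-style events mirroring what bild.exe did in the sandbox.
EVENTS = [
    {"type": "dns", "image": r"C:\Users\Public\Netstat\bild.exe",
     "query": "geo.netsupportsoftware.com",
     "answers": ["104.26.1.231", "172.67.68.212", "104.26.0.231"]},
    {"type": "http", "image": r"C:\Users\Public\Netstat\bild.exe",
     "dst": "104.26.1.231", "dport": 80,
     "request": ("GET /location/loca.asp HTTP/1.1\r\n"
                 "Host: geo.netsupportsoftware.com\r\n"
                 "Connection: Keep-Alive\r\n"
                 "Cache-Control: no-cache\r\n\r\n")},
    {"type": "net", "image": r"C:\Users\Public\Netstat\bild.exe",
     "dst": "172.86.117.97", "dport": 443, "proto": "http"},
    # Constructed benign control: the stock client in its install directory.
    {"type": "dns",
     "image": r"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe",
     "query": "geo.netsupportsoftware.com", "answers": ["104.26.1.231"]},
]


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into its request line and a
    lower-cased header map; any body after the blank line is ignored."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable_dir(path):
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def assess(events):
    """Return (finding, detail) pairs. DNS answers are tracked so that a
    443 peer never resolved in the session stands out as a hard-coded
    address rather than a looked-up one."""
    findings, resolved = [], set()
    for ev in events:
        unexpected = (image_name(ev["image"]) not in STOCK_CLIENT_NAMES
                      or in_user_writable_dir(ev["image"]))
        if ev["type"] == "dns":
            resolved.update(ev["answers"])
            if ev["query"].lower() == NETSUPPORT_GEO_HOST and unexpected:
                findings.append(("netsupport_geo_lookup_from_unexpected_image", ev["image"]))
        elif ev["type"] == "http":
            req = parse_http_request(ev["request"])
            host = req["headers"].get("host", "").lower()
            if host == NETSUPPORT_GEO_HOST and req["path"].startswith("/location/"):
                findings.append(("netsupport_location_check", req["path"]))
            if "user-agent" not in req["headers"]:
                # The captured request above carries no User-Agent header.
                findings.append(("http_request_without_user_agent", ev["dst"]))
        elif ev["type"] == "net":
            if ev["dport"] == 443 and ev.get("proto") == "http" and ev["dst"] not in resolved:
                findings.append(("http_on_443_to_unresolved_peer", ev["dst"]))
    return findings


if __name__ == "__main__":
    for name, detail in assess(EVENTS):
        print(f"{name}: {detail}")
```

The control event produces no finding: the geo lookup itself is vendor behaviour, and only the combination with an unexpected image name or a user-writable path is worth alerting on.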

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Public\Netstat\HTCTL32.DLL

    Filesize

    320KB

    MD5

    2d3b207c8a48148296156e5725426c7f

    SHA1

    ad464eb7cf5c19c8a443ab5b590440b32dbc618f

    SHA256

    edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

    SHA512

    55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

  • C:\Users\Public\Netstat\MSVCR100.dll

    Filesize

    755KB

    MD5

    0e37fbfa79d349d672456923ec5fbbe3

    SHA1

    4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

    SHA256

    8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

    SHA512

    2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

  • C:\Users\Public\Netstat\NSM.LIC

    Filesize

    257B

    MD5

    7067af414215ee4c50bfcd3ea43c84f0

    SHA1

    c331d410672477844a4ca87f43a14e643c863af9

    SHA256

    2050cc232710a2ea6a207bc78d1eac66a4042f2ee701cdfeee5de3ddcdc31d12

    SHA512

    17b888087192bcea9f56128d0950423b1807e294d1c4f953d1bf0f5bd08e5f8e35afeee584ebf9233bfc44e0723db3661911415798159ac118c8a42aaf0b902f

  • C:\Users\Public\Netstat\PCICL32.dll

    Filesize

    3.6MB

    MD5

    00587238d16012152c2e951a087f2cc9

    SHA1

    c4e27a43075ce993ff6bb033360af386b2fc58ff

    SHA256

    63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8

    SHA512

    637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226

  • C:\Users\Public\Netstat\bild.exe

    Filesize

    103KB

    MD5

    8d9709ff7d9c83bd376e01912c734f0a

    SHA1

    e3c92713ce1d7eaa5e2b1fabeb06cdc0bb499294

    SHA256

    49a568f8ac11173e3a0d76cff6bc1d4b9bdf2c35c6d8570177422f142dcfdbe3

    SHA512

    042ad89ed2e15671f5df67766d11e1fa7ada8241d4513e7c8f0d77b983505d63ebfb39fefa590a2712b77d7024c04445390a8bf4999648f83dbab6b0f04eb2ee

  • C:\Users\Public\Netstat\client32.ini

    Filesize

    701B

    MD5

    a0a7b634ab8c28c9de3a0122f7e43f98

    SHA1

    676f7554b78eac6fefc97b40cd965b3dedfef4bc

    SHA256

    d28bc214691bf2b576411750bd8ae9d5b27ae66dc8e0b60c841d43c1abbbc9e5

    SHA512

    a8378e27f139f3524a45276416dba938cd788f6c299a29b6e241740972cb5dc1181e3f0fd908769f53751e1e3392bbc73279e01d3def6d322ece6fa9842879de

  • C:\Users\Public\Netstat\pcicapi.dll

    Filesize

    32KB

    MD5

    dcde2248d19c778a41aa165866dd52d0

    SHA1

    7ec84be84fe23f0b0093b647538737e1f19ebb03

    SHA256

    9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

    SHA512

    c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

  • C:\Users\Public\Netstat\pcichek.dll

    Filesize

    18KB

    MD5

    a0b9388c5f18e27266a31f8c5765b263

    SHA1

    906f7e94f841d464d4da144f7c858fa2160e36db

    SHA256

    313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

    SHA512

    6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd
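The process tree in the Processes section and the dropped-file list above, turned into a host-side check. This is an added example written for this page, not code from tria.ge or from NetSupport. The file-create and process-create events are constructed from the report (paths, PIDs and SHA256 values are copied from it); the explorer.exe parent of file.exe, the Sysmon-style event shape and the stock client name client32.exe are assumptions. The check recognises a directory that received the NetSupport client file set, then reports any process launched from it, whether it runs under a name other than the stock client, whether its parent is the process that wrote the bundle, and whether its hash is already on the report's list.

```python
"""Added example, not part of the tria.ge report: recognise the dropped
NetSupport client bundle and the client that ran from it, using
Sysmon-style file-create (EID 11) and process-create (EID 1) events.
Events are constructed from the Processes and Downloads sections; the
explorer.exe parent and the stock client name client32.exe are assumptions."""

# Files the NetSupport Manager client ships with, as seen in the drop directory.
NETSUPPORT_COMPONENTS = {"pcicl32.dll", "htctl32.dll", "pcicapi.dll",
                         "pcichek.dll", "client32.ini", "nsm.lic"}
STOCK_CLIENT_NAME = "client32.exe"   # assumption: vendor's unrenamed client binary

# SHA256 values copied from the report's Downloads section.
REPORT_SHA256 = {
    "49a568f8ac11173e3a0d76cff6bc1d4b9bdf2c35c6d8570177422f142dcfdbe3": "bild.exe",
    "63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8": "PCICL32.dll",
    "edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796": "HTCTL32.DLL",
}

DROP_DIR = r"C:\Users\Public\Netstat"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\file.exe"

# Constructed EID 11-style events: file.exe (PID 2660) writes the bundle.
FILE_EVENTS = [
    {"pid": 2660, "image": DROPPER, "target": DROP_DIR + "\\" + name}
    for name in ("HTCTL32.DLL", "MSVCR100.dll", "NSM.LIC", "PCICL32.dll",
                 "bild.exe", "client32.ini", "pcicapi.dll", "pcichek.dll")
]
# Constructed EID 1-style events matching the report's process tree
# (the explorer.exe parent of file.exe is an assumption).
PROC_EVENTS = [
    {"pid": 2660, "image": DROPPER, "parent_image": r"C:\Windows\explorer.exe",
     "sha256": "50c263fc02412062ca239e7419880678f797408a243d0a2140bc7bbb96a716c1"},
    {"pid": 2868, "image": DROP_DIR + r"\bild.exe", "parent_image": DROPPER,
     "sha256": "49a568f8ac11173e3a0d76cff6bc1d4b9bdf2c35c6d8570177422f142dcfdbe3"},
]


def split_path(path):
    """Return (directory, lower-cased file name) for a Windows path."""
    directory, _, name = path.rpartition("\\")
    return directory, name.lower()


def find_bundles(file_events, min_components=4):
    """Directories that received at least min_components of the NetSupport
    client file set, mapped to the sorted component names found there."""
    by_dir = {}
    for ev in file_events:
        directory, name = split_path(ev["target"])
        by_dir.setdefault(directory, set()).add(name)
    return {d: sorted(names & NETSUPPORT_COMPONENTS)
            for d, names in by_dir.items()
            if len(names & NETSUPPORT_COMPONENTS) >= min_components}


def assess(file_events, proc_events):
    """One finding per process launched from a bundle directory, noting
    whether the binary is not the stock client, whether its parent is the
    process that wrote the bundle, and whether its hash is already known."""
    bundles = find_bundles(file_events)
    writers = {}
    for ev in file_events:
        writers.setdefault(split_path(ev["target"])[0], set()).add(ev["image"])
    findings = []
    for ev in proc_events:
        directory, name = split_path(ev["image"])
        if directory not in bundles:
            continue
        findings.append({
            "dir": directory,
            "components": bundles[directory],
            "image": ev["image"],
            "parent": ev["parent_image"],
            "renamed_client": name != STOCK_CLIENT_NAME,
            "parent_wrote_bundle": ev["parent_image"] in writers.get(directory, set()),
            "known_hash": REPORT_SHA256.get(ev["sha256"].lower()),
        })
    return findings


if __name__ == "__main__":
    for finding in assess(FILE_EVENTS, PROC_EVENTS):
        print(finding)
```

The component threshold matters more than the hash list: a rebuilt sample changes every hash on the page, but the client still needs PCICL32.dll, HTCTL32.DLL, client32.ini and NSM.LIC beside it to run, so the bundle shape survives repacking.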
