Overview

overview

10

Static

static

1

a6b7839d28...57.msi

windows7-x64

10

a6b7839d28...57.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    08-11-2024 17:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a6b7839d287c71e8c724df8cc024c4f7d7ae9057.msi

  • Size

    4.5MB

  • MD5

    999440b3b0609a7fa2f06f4d07fa8e6e

  • SHA1

    a6b7839d287c71e8c724df8cc024c4f7d7ae9057

  • SHA256

    2a0f495cd25dcbf02b2b0b11032d32a0460c9b7c5ad491afa4060ea3ca675f90

  • SHA512

    c98a2dc0d1aba3b4e8488461caba4fa09656b623914161c7956a09c98c1d12835cddf5d499f97535c4886b104bd0870e4f2fd27a7e69ba9c4d58165e3907bb7d

  • SSDEEP

    98304:DAowTTYcM2Pewg9Y6mnjZpLhL8QaQs74iQlSKsrM18o4bbmo+IW/+b:DAouq2PW9YJjjLhPq4VlSKuMkb7r++b

Score
10/10
netsupportdiscoverypersistenceprivilege_escalationrat

Malware Config

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as a legitimate system administration software.

    ratnetsupport
  • Netsupport family
    netsupport
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 43 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\a6b7839d287c71e8c724df8cc024c4f7d7ae9057.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1056
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2688
    • C:\Windows\system32\reg.exe
      reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v ScreenConnect /t REG_SZ /d "C:\ProgramData\MScreenConnect\client32.exe"
      2⤵
      • Adds Run key to start application
      • Modifies registry key
      PID:2428
    • C:\ProgramData\MScreenConnect\client32.exe
      "C:\ProgramData\MScreenConnect\client32.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      PID:2440
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:760
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005DC" "00000000000003D8"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2352

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\f772ae9.rbs
    Filesize

    9KB

    MD5

    85fd535136b23bc2531cc2ef05d83eda

    SHA1

    437790971691fb585210bba9e85eac7a6641411e

    SHA256

    051c804c2c9eca993d643bba87077446589dc53b78166b453cc3fecf3225beee

    SHA512

    9c5d89ff0265614e27fa72a4e4759ea6a96e4aaf22b772adc8be92c0d0e59b4efafee67a1fd22e9e6609daaf4cec29cdf6d83e8cecd748b12c6544a05a732d0e

    Download Submit

  • C:\ProgramData\MScreenConnect\HTCTL32.DLL
    Filesize

    306KB

    MD5

    3eed18b47412d3f91a394ae880b56ed2

    SHA1

    1b521a3ed4a577a33cce78eee627ae02445694ab

    SHA256

    13a17f2ad9288aac8941d895251604beb9524fa3c65c781197841ee15480a13f

    SHA512

    835f35af4fd241caa8b6a639626b8762db8525ccceb43afe8fffc24dffad76ca10852a5a8e9fc114bfbf7d1dc1950130a67037fc09b63a74374517a1f5448990

    Download Submit

  • C:\ProgramData\MScreenConnect\MSVCR100.dll
    Filesize

    755KB

    MD5

    0e37fbfa79d349d672456923ec5fbbe3

    SHA1

    4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

    SHA256

    8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

    SHA512

    2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

    Download Submit

  • C:\ProgramData\MScreenConnect\NSM.LIC
    Filesize

    262B

    MD5

    b9956282a0fed076ed083892e498ac69

    SHA1

    d14a665438385203283030a189ff6c5e7c4bf518

    SHA256

    fcc6afd664a8045bd61c398be3c37a97536a199a48d277e11977f93868ae1acc

    SHA512

    7daa09113c0e8a36c91cc6d657c65851a20dff6b60ac3d2f40c5737c12c1613c553955f84d131ba2139959973fef9fc616ca5e968cb16c25acf2d4739eed87eb

    Download Submit

  • C:\ProgramData\MScreenConnect\PCICL32.dll
    Filesize

    3.3MB

    MD5

    f782c24a376285c9b8a3a116175093f8

    SHA1

    b8fdb6e95c7313cf31f14a3a31cc334b56e6df09

    SHA256

    c7baf1647f6fef1b1a4231c9743f20f7a4b524ca4eb987a0acbeeef7e037d7e3

    SHA512

    256385a6663dcf70a5a9a1b766d1f826760f07efa9b9248047dc43d41f6a9f4dd56ca2b218c222ea1d441e2f7ba9bb114cde6954827b9761ebb1f23bba7ad1bb

    Download Submit

  • C:\ProgramData\MScreenConnect\client32.exe
    Filesize

    104KB

    MD5

    f6abef857450c97ea74cd8f0eb9a8c0a

    SHA1

    a1acdd10f5a8f8b086e293c6a60c53630ad319fb

    SHA256

    db0acb4a3082edc19ca9a78b059258ea36b4be16eee4f1172115fc83e693a903

    SHA512

    b6a2196ebfa51bb3fb8fb2b95ad5275828ab5435fd859fc993e2b3ed92a74799fe1c8b178270f99c79432f39aa9dbc0090038f037fcb651ab75c14b18102671f

    Download Submit

  • C:\ProgramData\MScreenConnect\client32.ini
    Filesize

    664B

    MD5

    14f6ebed5e1176f17c18d00a2dc64b2e

    SHA1

    cb9c079373658ce098e1d07d4a2c997bf3141b4b

    SHA256

    d4c1f00382f01abbb3142ef6d9c3e51557d0ced12a52861d8c5df44d1ce723ac

    SHA512

    e5f24a695749d693e873ea60b8caaff5cb3b306887721e3f9f308afe697fba37f3a6226322aedebb46764d6bbbaf21df44d4c6a02db49b067437d7e7d0cceaf9

    Download Submit

  • C:\ProgramData\MScreenConnect\pcichek.dll
    Filesize

    27KB

    MD5

    e311935a26ee920d5b7176cfa469253c

    SHA1

    eda6c815a02c4c91c9aacd819dc06e32ececf8f0

    SHA256

    0038ab626624fa2df9f65dd5e310b1206a9cd4d8ab7e65fb091cc25f13ebd34e

    SHA512

    48164e8841cfc91f4cbf4d3291d4f359518d081d9079a7995378f970e4085b534f4bafc15b83f4824cc79b5a1e54457b879963589b1acbcfe727a03eb3dffd1c

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\538F535B7FBDE384E456CC9F5DA5FBAB
    Filesize

    1KB

    MD5

    6d469ed9256d08235b5e747d1e27dbf2

    SHA1

    d3dd483e2bbf4c05e8af10f5fa7626cfd3dc3092

    SHA256

    b676f2eddae8775cd36cb0f63cd1d4603961f49e6265ba013a2f0307b6d0b804

    SHA512

    04cbf2a5f740d030208136b0ee1db38299943c74efa55045f564268246a929018fcaf26aa02768bb20321aa3f70c4609c163c75a3929ef8da016de000566a74c

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\538F535B7FBDE384E456CC9F5DA5FBAB
    Filesize

    194B

    MD5

    fd5335c31be2671f83941a01e658c1cd

    SHA1

    f9631bbda86a4f1a6ed119142ac4ea730f36b86f

    SHA256

    e870619b2d57a13c6de7005229a79d937a13d64b6f5989637f1d5b51b5fafb67

    SHA512

    ee762ba0b8bd77d63a84c801ddc3670b0ebebcf2c8f07ff2f9e875bdfd3bdeee2031f797eff9e465116a624ca8a2f65861c8016592c723f7647ab9f75e303ea0

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    4029326d63e9abbb6f0b24513774f1c9

    SHA1

    3f6c34e0e45fb8c7a9820cf73c7d41419c9b0788

    SHA256

    e8204869c01d7d7fa564be840c8135a4ff81b40da3967bbcd7c11602ed252575

    SHA512

    ff7bfd59a3b0d31f8f065651810e52b80112d56dbd6c97aa025867a5a29d3f134b76d81325011aeed56593777da239dfd1939f408561f7905de6af24cac9b04d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabE948.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarE96A.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Windows\Installer\f772ae7.msi
    Filesize

    4.5MB

    MD5

    999440b3b0609a7fa2f06f4d07fa8e6e

    SHA1

    a6b7839d287c71e8c724df8cc024c4f7d7ae9057

    SHA256

    2a0f495cd25dcbf02b2b0b11032d32a0460c9b7c5ad491afa4060ea3ca675f90

    SHA512

    c98a2dc0d1aba3b4e8488461caba4fa09656b623914161c7956a09c98c1d12835cddf5d499f97535c4886b104bd0870e4f2fd27a7e69ba9c4d58165e3907bb7d

    Download Submit

  • \ProgramData\MScreenConnect\pcicapi.dll
    Filesize

    44KB

    MD5

    9daa86d91a18131d5caf49d14fb8b6f2

    SHA1

    6b2f7ceb6157909e114a2b05a48a1a2606b5caf1

    SHA256

    1716640cce74322f7ee3e3e02b75cd53b91686f66e389d606dab01bd9f88c557

    SHA512

    9a98e0d9e2dda8aefa54bddb3c7b71501d638dff68863939de6caa117b0e7bf15e581a75419ef8a0da3f1c56a19f1b0f4c86d65f8581773ab88ff5764b9bb3aa

    Download Submit