
Analysis

  • max time kernel
    101s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/11/2024, 16:41 UTC

General

  • Target

    das.php.zip

  • Size

    2.2MB

  • MD5

    0cc4ae68865ad3c85c1373f28ef04f81

  • SHA1

    3572e86c09e8142ada3779d2aaaa46268c992273

  • SHA256

    c2ba0018de8dcf0abfb2669cce95ed09377e9a9da7ff8e74e95688c99a025634

  • SHA512

    d110b21e5981165bd497d6d174233b4a517a16afe185c14e90064af2f6e0baf4c117626cb067b7ec4c57600dbf770bc68f942e936c26ab6402c125a1ead29003

  • SSDEEP

    49152:a51ZlklEDThXBJOhHvh6J6h2SFFGf0RBNTQfYc9jh23eWeB3/YSBm7WIqRRakTSR:E1tFXa/hRFY89YYc9jh23redpmQRY

Malware Config

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as legitimate system administration software.

  • Netsupport family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\das.php.zip"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4352
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:5084
  • C:\Users\Admin\Desktop\Teste\client32.exe
    "C:\Users\Admin\Desktop\Teste\client32.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4408

Network

    • US
      DNS
      97.17.167.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      97.17.167.52.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      17.160.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      17.160.190.20.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      13.86.106.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      13.86.106.20.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      241.150.49.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.150.49.20.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      53.210.109.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      53.210.109.20.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      206.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      206.23.85.13.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      81.139.73.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      81.139.73.23.in-addr.arpa
      IN PTR
      Response
      81.139.73.23.in-addr.arpa
      IN PTR
      a23-73-139-81.deploy.static.akamaitechnologies.com
    • US
      DNS
      geo.netsupportsoftware.com
      client32.exe
      Remote address:
      8.8.8.8:53
      Request
      geo.netsupportsoftware.com
      IN A
      Response
      geo.netsupportsoftware.com
      IN A
      104.26.0.231
      geo.netsupportsoftware.com
      IN A
      172.67.68.212
      geo.netsupportsoftware.com
      IN A
      104.26.1.231
    • US
      GET
      http://geo.netsupportsoftware.com/location/loca.asp
      client32.exe
      Remote address:
      104.26.0.231:80
      Request
      GET /location/loca.asp HTTP/1.1
      Host: geo.netsupportsoftware.com
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 404 Not Found
      Date: Fri, 15 Nov 2024 16:43:12 GMT
      Content-Type: text/html; charset=us-ascii
      Transfer-Encoding: chunked
      Connection: keep-alive
      CF-Ray: 8e30b2ecf946886b-LHR
      CF-Cache-Status: DYNAMIC
      cf-apo-via: origin,host
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HmaBqvDNYuUtMCqhE2tcNql5dZlCB5BUrQc%2FQ7e%2FciZE4qgM6fpYAQQ9KXAYO6Ti1zl5J7mMORb0lbu%2BO3wQLY5kK33DtxMlFAs3y8WjrA%2FlSDAdNby2JJq5BfGXzL9h4TJxyWv%2FQuv0BoKq"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      server-timing: cfL4;desc="?proto=TCP&rtt=26564&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
    • US
      GET
      http://geo.netsupportsoftware.com/location/loca.asp
      client32.exe
      Remote address:
      104.26.0.231:80
      Request
      GET /location/loca.asp HTTP/1.1
      Host: geo.netsupportsoftware.com
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 404 Not Found
      Date: Fri, 15 Nov 2024 16:43:13 GMT
      Content-Type: text/html; charset=us-ascii
      Transfer-Encoding: chunked
      Connection: keep-alive
      CF-Ray: 8e30b2edeecf79af-LHR
      CF-Cache-Status: DYNAMIC
      cf-apo-via: origin,host
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Tgd%2Blloy8wxEphXWELhnHyA9b0kEJjd6Dl38uctOKc8Hz2MR9PbpdS4rCqO%2BttJaD%2BN8QU%2BGCdQtoqQ8jz3rO2Z%2Fkk5ldjFkZxLnP0Q86wEb4koHd%2Fs2%2BCH%2BHb77QohL4LlP90d%2BS5sp4WIy"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      server-timing: cfL4;desc="?proto=TCP&rtt=26612&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
    • US
      GET
      http://geo.netsupportsoftware.com/location/loca.asp
      client32.exe
      Remote address:
      104.26.0.231:80
      Request
      GET /location/loca.asp HTTP/1.1
      Host: geo.netsupportsoftware.com
      Connection: Keep-Alive
      Cache-Control: no-cache
      Response
      HTTP/1.1 404 Not Found
      Date: Fri, 15 Nov 2024 16:43:13 GMT
      Content-Type: text/html; charset=us-ascii
      Transfer-Encoding: chunked
      Connection: keep-alive
      CF-Ray: 8e30b2eecbd2cd16-LHR
      CF-Cache-Status: DYNAMIC
      cf-apo-via: origin,host
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XI9wNxcQ5HSjB8%2B7k1y1aUg0CvVeC6h7dx%2BQQ2YaSI3tadJq01R8esl4bW3KauYIPgoISzZFyaqxGPnDLYDNtwPwRTdtyFAh88ElsSgzg%2BzqzkC0UAoV6pOpmd4DRRuRW3pRN%2BHtNCLnNb11"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      server-timing: cfL4;desc="?proto=TCP&rtt=26638&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
    • US
      DNS
      143.159.181.5.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      143.159.181.5.in-addr.arpa
      IN PTR
      Response
      143.159.181.5.in-addr.arpa
      IN PTR
      5-181-159-143.mivocloud.com
    • US
      DNS
      231.0.26.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      231.0.26.104.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      19.229.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      19.229.111.52.in-addr.arpa
      IN PTR
      Response
    • 5.181.159.143:443
      http
      client32.exe
      1.7kB
      774 B
      7
      6
    • 104.26.0.231:80
      http://geo.netsupportsoftware.com/location/loca.asp
      http
      client32.exe
      440 B
      1.3kB
      7
      4

      HTTP Request

      GET http://geo.netsupportsoftware.com/location/loca.asp

      HTTP Response

      404
    • 104.26.0.231:80
      http://geo.netsupportsoftware.com/location/loca.asp
      http
      client32.exe
      440 B
      1.3kB
      7
      4

      HTTP Request

      GET http://geo.netsupportsoftware.com/location/loca.asp

      HTTP Response

      404
    • 104.26.0.231:80
      http://geo.netsupportsoftware.com/location/loca.asp
      http
      client32.exe
      440 B
      1.3kB
      7
      4

      HTTP Request

      GET http://geo.netsupportsoftware.com/location/loca.asp

      HTTP Response

      404
    • 8.8.8.8:53
      97.17.167.52.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      97.17.167.52.in-addr.arpa

    • 8.8.8.8:53
      17.160.190.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      17.160.190.20.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      241.150.49.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      241.150.49.20.in-addr.arpa

    • 8.8.8.8:53
      13.86.106.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      13.86.106.20.in-addr.arpa

    • 8.8.8.8:53
      53.210.109.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      53.210.109.20.in-addr.arpa

    • 8.8.8.8:53
      206.23.85.13.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      206.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      81.139.73.23.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      81.139.73.23.in-addr.arpa

    • 8.8.8.8:53
      geo.netsupportsoftware.com
      dns
      client32.exe
      72 B
      120 B
      1
      1

      DNS Request

      geo.netsupportsoftware.com

      DNS Response

      104.26.0.231
      172.67.68.212
      104.26.1.231

    • 8.8.8.8:53
      143.159.181.5.in-addr.arpa
      dns
      72 B
      113 B
      1
      1

      DNS Request

      143.159.181.5.in-addr.arpa

    • 8.8.8.8:53
      231.0.26.104.in-addr.arpa
      dns
      71 B
      133 B
      1
      1

      DNS Request

      231.0.26.104.in-addr.arpa

    • 8.8.8.8:53
      19.229.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      19.229.111.52.in-addr.arpa
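
The Network section above shows the start-up sequence that characterises a NetSupport client: resolve geo.netsupportsoftware.com, fetch /location/loca.asp (three times here, 404 each time), then open a session that tria.ge classifies as plain http to 5.181.159.143:443, the mivocloud host that appears in the later PTR lookup. The Python below is an added example, not tria.ge code. It correlates those two steps per process over an event list constructed to mirror this report's summary (the five-field tuple layout is an assumption, not a tria.ge export format, and the svchost.exe entries are made up to show unrelated traffic is ignored), and reports any gateway endpoint not on an allowlist the caller supplies via the hypothetical approved_gateways parameter.

```python
"""Correlate the NetSupport geolocation check with the follow-on gateway session.

Added example; not part of the tria.ge report. Event data is constructed
from the report's Network summary, with the tuple layout assumed.
"""
from collections import defaultdict

GEO_HOST = "geo.netsupportsoftware.com"
GEO_PATH = "/location/loca.asp"

# (process, protocol, dest_ip, dest_port, detail) -- layout is an assumption.
EVENTS = [
    ("client32.exe", "dns", "8.8.8.8", 53, GEO_HOST),
    ("client32.exe", "http", "104.26.0.231", 80,
     "GET http://geo.netsupportsoftware.com/location/loca.asp 404"),
    ("client32.exe", "http", "104.26.0.231", 80,
     "GET http://geo.netsupportsoftware.com/location/loca.asp 404"),
    ("client32.exe", "http", "104.26.0.231", 80,
     "GET http://geo.netsupportsoftware.com/location/loca.asp 404"),
    # The report labels this 443 session as http, i.e. not TLS.
    ("client32.exe", "http", "5.181.159.143", 443, ""),
    # Constructed background traffic from another process; must not be flagged.
    ("svchost.exe", "http", "20.190.160.17", 443, ""),
    ("svchost.exe", "dns", "8.8.8.8", 53, "17.160.190.20.in-addr.arpa"),
]


def find_netsupport_sessions(events, approved_gateways=frozenset()):
    """Return one finding per process that ran the geo check and then reached a gateway.

    approved_gateways (hypothetical parameter): IPs of NetSupport gateways the
    organisation itself operates; any other gateway is reported as unapproved.
    """
    by_process = defaultdict(list)
    for ev in events:
        by_process[ev[0]].append(ev)

    findings = []
    for process, evs in by_process.items():
        geo_checks = [e for e in evs
                      if e[1] == "http" and GEO_HOST in e[4] and GEO_PATH in e[4]]
        if not geo_checks:
            continue  # no NetSupport start-up fingerprint from this process
        geo_ips = {e[2] for e in geo_checks}
        # Every other HTTP peer the same process talked to is a candidate gateway.
        gateways = sorted({(e[2], e[3]) for e in evs
                           if e[1] == "http" and e[2] not in geo_ips})
        finding = {
            "process": process,
            "geo_checks": len(geo_checks),
            "gateways": gateways,
            "unapproved": [g for g in gateways if g[0] not in approved_gateways],
            "cleartext_on_443": [g for g in gateways if g[1] == 443],
        }
        finding["severity"] = (
            "high" if finding["unapproved"] else
            "info" if gateways else
            "low"
        )
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_netsupport_sessions(EVENTS):
        print(f["severity"].upper(), f["process"],
              "geo checks:", f["geo_checks"],
              "gateways:", f["gateways"],
              "unapproved:", f["unapproved"])
```

The geo check alone only says a NetSupport client started; it is the same for a licensed deployment. What separates this sample from an administrator's install is the gateway it reports to, so the allowlist is the decision point, and the cleartext-on-443 detail is what to look for in proxy or NetFlow data when the process name is not available.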

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\Desktop\Teste\HTCTL32.DLL

      Filesize

      320KB

      MD5

      c94005d2dcd2a54e40510344e0bb9435

      SHA1

      55b4a1620c5d0113811242c20bd9870a1e31d542

      SHA256

      3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

      SHA512

      2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

    • C:\Users\Admin\Desktop\Teste\NSM.LIC

      Filesize

      195B

      MD5

      e9609072de9c29dc1963be208948ba44

      SHA1

      03bbe27d0d1ba651ff43363587d3d6d2e170060f

      SHA256

      dc6a52ad6d637eb407cc060e98dfeedcca1167e7f62688fb1c18580dd1d05747

      SHA512

      f0e26aa63b0c7f1b31074b9d6eef88d0cfbc467f86b12205cb539a45b0352e77ce2f99f29baeab58960a197714e72289744143ba17975699d058fe75d978dfd0

    • C:\Users\Admin\Desktop\Teste\PCICL32.dll

      Filesize

      3.6MB

      MD5

      d3d39180e85700f72aaae25e40c125ff

      SHA1

      f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

      SHA256

      38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

      SHA512

      471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

    • C:\Users\Admin\Desktop\Teste\client32.exe

      Filesize

      101KB

      MD5

      c4f1b50e3111d29774f7525039ff7086

      SHA1

      57539c95cba0986ec8df0fcdea433e7c71b724c6

      SHA256

      18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

      SHA512

      005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

    • C:\Users\Admin\Desktop\Teste\client32.ini

      Filesize

      669B

      MD5

      f734588a7620c48021688d3c2940353a

      SHA1

      c9b9aece48b4c134b838217426145fdd542f60e6

      SHA256

      97a2ce9683de5c9e03331d22309b5348f45cf65e77b1f011ba3505e2deafafc6

      SHA512

      0549dcc50347802c774078f6f9ecfec2b21b0c489aa8e96168ea12a2cec55169d4172baac13819a07686755697794f05ac5b75d554229faf268f9e64f54e2033

    • C:\Users\Admin\Desktop\Teste\msvcr100.dll

      Filesize

      755KB

      MD5

      0e37fbfa79d349d672456923ec5fbbe3

      SHA1

      4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

      SHA256

      8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

      SHA512

      2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

    • C:\Users\Admin\Desktop\Teste\pcicapi.dll

      Filesize

      32KB

      MD5

      34dfb87e4200d852d1fb45dc48f93cfc

      SHA1

      35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641

      SHA256

      2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

      SHA512

      f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

    • C:\Users\Admin\Desktop\Teste\pcichek.dll

      Filesize

      18KB

      MD5

      104b30fef04433a2d2fd1d5f99f179fe

      SHA1

      ecb08e224a2f2772d1e53675bedc4b2c50485a41

      SHA256

      956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

      SHA512

      5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f
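
The Signatures section (Executes dropped EXE, Loads dropped DLL) and the Downloads list above together describe the standard NetSupport Manager client drop: client32.exe with its DLLs, the NSM.LIC licence file and client32.ini, written to a folder under the user's Desktop and run from there. The Python below is an added triage helper, not tria.ge's or NetSupport's code. It checks a directory listing against that component set, using the file names from this report, and parses a client32.ini to pull out the HTTP gateway and the flags that hide the client from the user. The client32.ini text is constructed (the report shows only the file's hashes), its key names follow the layout commonly documented for NetSupport client configs, and the gateway value 5.181.159.143 is an assumption taken from the connection client32.exe made in the Network section, not something the report confirms was in the file.

```python
"""Triage a dropped NetSupport Manager client bundle.

Added example; not part of the tria.ge report. The ini content below is
constructed, since the report records only the file's hashes.
"""
import configparser
from pathlib import PureWindowsPath

# File names as listed under Downloads in the report (C:\Users\Admin\Desktop\Teste\).
DROPPED_FILES = [
    "HTCTL32.DLL", "NSM.LIC", "PCICL32.dll", "client32.exe",
    "client32.ini", "msvcr100.dll", "pcicapi.dll", "pcichek.dll",
]

# Files that travel together in a NetSupport client deployment (lower-case).
NSM_CLIENT_COMPONENTS = frozenset({
    "client32.exe", "client32.ini", "pcicl32.dll", "htctl32.dll",
    "pcicapi.dll", "pcichek.dll", "nsm.lic", "msvcr100.dll",
})

# Constructed client32.ini; gateway address is an assumption (see lead-in).
SAMPLE_INI = """\
[Client]
_present=1
quiet=1
silent=1
SKMode=1
SysTray=0

[HTTP]
CMPI=60
GatewayAddress=5.181.159.143
Port=443
"""


def check_bundle(file_names):
    """Compare a directory listing with the NetSupport client component set.

    Returns (present, missing) as sorted lists of lower-case file names.
    """
    names = {PureWindowsPath(n).name.lower() for n in file_names}
    present = sorted(names & NSM_CLIENT_COMPONENTS)
    missing = sorted(NSM_CLIENT_COMPONENTS - names)
    return present, missing


def parse_client32_ini(text):
    """Extract the gateway and the user-visibility flags from client32.ini."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    http = cp["HTTP"] if cp.has_section("HTTP") else {}
    client = cp["Client"] if cp.has_section("Client") else {}
    return {
        "gateway": http.get("GatewayAddress"),
        "port": int(http.get("Port", "0") or 0),
        "poll_interval": int(http.get("CMPI", "0") or 0),  # seconds between gateway polls
        "silent": client.get("silent") == "1",
        "quiet": client.get("quiet") == "1",
        "systray_hidden": client.get("SysTray") == "0",
    }


def assess(file_names, ini_text, user_writable_dir=True):
    """Combine both checks into a list of findings for the analyst."""
    present, missing = check_bundle(file_names)
    cfg = parse_client32_ini(ini_text)
    findings = []
    if len(present) >= 4 and "client32.exe" in present:
        findings.append("netsupport client bundle: %d of %d components present"
                        % (len(present), len(NSM_CLIENT_COMPONENTS)))
    if user_writable_dir and present:
        findings.append("client staged in a user-writable folder, not an install path")
    if cfg["gateway"]:
        findings.append("http gateway configured: %s:%d" % (cfg["gateway"], cfg["port"]))
    if cfg["silent"] or cfg["quiet"] or cfg["systray_hidden"]:
        findings.append("configured to run without user-visible indication")
    return {"present": present, "missing": missing, "config": cfg, "findings": findings}


if __name__ == "__main__":
    result = assess(DROPPED_FILES, SAMPLE_INI)
    for line in result["findings"]:
        print("-", line)
    print("missing components:", result["missing"] or "none")
```

On a live host the same checks apply to the directory the files were found in; the report's path under Desktop\Teste is the point, since a licensed NetSupport client lives under Program Files and does not need to be extracted from a zip by 7-Zip first.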
