Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-11-2024 01:42

General

  • Target

    vrep.msi

  • Size

    39.7MB

  • MD5

    87ef82757aba83e7eb63c7c35dbae97a

  • SHA1

    7418c4ddeecba68e253e89622ad9ca45597d9350

  • SHA256

    79040421b5a48dcc6e611dfe187b2f3e355791ad8511adb84f5c0948aa1d6c89

  • SHA512

    605495995a07d7dfaa5d8f09b9d5bde1e0281b5b6581923b9fbd7c103e5ca9f2bb8dcf8e1049c21bd90ac4d68759270d5453e0414c2f6e1eb3ef877eee1a5533

  • SSDEEP

    786432:5HqloPKB2RMErvURcUNnywXha1rc3fZ+L28IB1P77y059ze5aaSJJgV6UBXYKe:5HqGRME72cUNnywXg63fxB1P3y031aS1

Malware Config

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as legitimate system administration software.

  • Netsupport family
  • Drops file in Drivers directory 6 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 1 IoCs
  • Drops file in System32 directory 34 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 48 IoCs
  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\vrep.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Windows\system32\cmd.exe
      cmd.exe /c ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{CBB68368-7767-4CFF-B3E5-211488346702}\\nsm.lic"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2884
      • C:\Windows\SysWOW64\attrib.exe
        ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{CBB68368-7767-4CFF-B3E5-211488346702}\\nsm.lic"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Views/modifies file attributes
        PID:2924
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 91FCA4DE7186DB814D27D0C405F30A1D C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:3020
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding C15ED951C9F8A1DC5143F1B2D0CEE1C2
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2572
    • C:\Windows\Installer\MSI7E79.tmp
      "C:\Windows\Installer\MSI7E79.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport Manager\" /EU
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2140
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 7ED01C81A58EC034C07696DF8C8A5717 M Global\MSI0000
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:2564
    • C:\Windows\Installer\MSI82F4.tmp
      "C:\Windows\Installer\MSI82F4.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport Manager\" /EU
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1584
    • C:\Program Files (x86)\NetSupport\NetSupport Manager\checkdvd.exe
      "C:\Program Files (x86)\NetSupport\NetSupport Manager\checkdvd.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2396
    • C:\Windows\Installer\MSI8863.tmp
      "C:\Windows\Installer\MSI8863.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport Manager\" /EV"NetSupport School" /EF".\Log Files" /EF".\Bookmarks" /EF".\Tests" /EF".\Store" /EF".\inv" /EF".\Resources" /EF".\Help" /EF".\Image" /EF".\Sound" /EF".\Video" /EA /EX /EC /Q /V /Q /I *
      2⤵
      • Sets service image path in registry
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1364
      • C:\Program Files (x86)\NetSupport\NetSupport Manager\winst64.exe
        winst64.exe /q /q /ex /i
        3⤵
        • Drops file in Drivers directory
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies data under HKEY_USERS
        PID:2280
    • C:\Windows\Installer\MSIA171.tmp
      "C:\Windows\Installer\MSIA171.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport Manager\" /EI
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2616
    • C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe
      "C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe" /Q "C:\Program Files (x86)\NetSupport\NetSupport Manager\Client32.ini"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Program Files directory
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:2548
      • C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe
        "C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe"
        3⤵
        • Executes dropped EXE
        PID:2600
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:1616
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000070" "0000000000000498"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:1164
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{1ad43768-5629-04c4-1aac-047a315b4438}\gdihook5.inf" "9" "6d3d268df" "00000000000005DC" "WinSta0\Default" "0000000000000494" "208" "c:\program files (x86)\netsupport\netsupport manager"
      1⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:2404
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "2" "211" "ROOT\DISPLAY\0000" "C:\Windows\INF\oem2.inf" "gdihook5.inf:gdihook5.Mfg.NTamd64:gdihook5:11.11.0.704:pci_gdihook5_hwid" "6d3d268df" "00000000000005DC" "000000000000058C" "00000000000005FC"
      1⤵
      • Drops file in Drivers directory
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:1696
    • C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe
      "C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe" /* *
      1⤵
      • Drops file in System32 directory
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      PID:2684
      • C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe
        "C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe" * /VistaUI
        2⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks SCSI registry key(s)
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2424
        • C:\Windows\SysWOW64\cscript.exe
          "cscript.exe" C:\Windows\system32\Printing_Admin_Scripts\en-US\prnport.vbs -a -r NSM001 -h 127.0.0.1 -o raw -n 49890
          3⤵
          • System Location Discovery: System Language Discovery
          • Modifies data under HKEY_USERS
          PID:2584

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Config.Msi\f777783.rbs

      Filesize

      39KB

      MD5

      d2b51a0a6d4a810ab21a6226b3bcc5dd

      SHA1

      312a08575c45b8b65ca22049308776a222fc71b8

      SHA256

      45c5e8dbfe87f97bd32c4792ffe71d94019f4419cbb1f8b3420c1da61ca668f5

      SHA512

      94e9f1073e4443bd20714873e7a77424dc73ba2a808c7969dde8ec01d343d0601bff1806ad112fc64d716362f9953a77f1b1cd6157db8bc83d1c0eb439ecbba7

    • C:\Program Files (x86)\NetSupport\NetSupport Manager\product.dat

      Filesize

      506B

      MD5

      ff7c0d2dbb9195083bbabaff482d5ed6

      SHA1

      5c2efbf855c376ce1b93e681c54a367a407495dc

      SHA256

      065d817596d710d5a06060241acc207b82b844530cc56ff842ff53d8ff92a075

      SHA512

      ea226b3a55fc59175136f104df497ebf5055624fb1c1c8073b249dfc5e1ed5818a6feee995aa82cf9ed050f1adc7a62994c90b1af03569dfe0d4551ee2bc70c9

    • C:\Users\Admin\AppData\Local\Temp\CabEE57.tmp

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Local\Temp\DLL_{CBB68368-7767-4CFF-B3E5-211488346702}.ini

      Filesize

      7KB

      MD5

      a3d0b08e2edda26505533bb3594bab0b

      SHA1

      9e17948471784c73be1f63981238fdbb27f7d2de

      SHA256

      17f384e12f546ff14a60cbba4338f216f3fb684741075cfd9d30741a0f4e683a

      SHA512

      3704eff090311dd310ec97b55e9f0badc34eda6877f1d961153b008063fc0d2a1bbfc3a9aa6b80549e2a3733409799abd3f1cb2e39fb5123ec748a8bce7fc1a9

    • C:\Users\Admin\AppData\Local\Temp\MSIF251.tmp

      Filesize

      169KB

      MD5

      0e6fda2b8425c9513c774cf29a1bc72d

      SHA1

      a79ffa24cb5956398ded44da24793a2067b85dd0

      SHA256

      e946b2fae0b36c43064463a8c16a2774adac30c4188c5af90e9338b903c501c9

      SHA512

      285bb7759a1214abed36162ac8be2d48df17a05278c4de97562448e20fd43b635563a6819f37e23d92a5f5ed0205a68bffe43dac0d3a67513bd0303b4e7f89aa

    • C:\Users\Admin\AppData\Local\Temp\MSIF2DF.tmp

      Filesize

      511KB

      MD5

      d524b639a3a088155981b9b4efa55631

      SHA1

      39d8eea673c02c1522b110829b93d61310555b98

      SHA256

      03d91c8cd20b846625a092a3dae6a12369930c65d6216a455a00449ebb0dc289

      SHA512

      84f8ab54122f93a40da08fd83bca767ab49eb0f73c4ab274d9bda11dd09224134df011fa02e5a3abbafcc6fbef6a60673dd48feabdf829a1e22c85a2a759b7ac

    • C:\Users\Admin\AppData\Local\Temp\MSIF35C.tmp

      Filesize

      153KB

      MD5

      a1b7850763af9593b66ee459a081bddf

      SHA1

      6e45955fae2b2494902a1b55a3873e542f0f5ce4

      SHA256

      41b8e92deba5206c78817236ed7f44df95636ca748d95fab05f032f5aec186af

      SHA512

      a87a302a9a0d19d7ce293b42f5e7bc09664b21307a5321f226157fcc57eb2df2b59c6651878cb23969a182c82b55e8671ff00f8462194b81a907974a49cb25b1

    • C:\Users\Admin\AppData\Local\Temp\MSIFE9D.tmp

      Filesize

      487KB

      MD5

      3085d62326cc1ae4ab21489576973621

      SHA1

      e3c847dee0ecc7176c1168d6d1df9b9e98b19936

      SHA256

      d2dc425f47d8c80abd8cadbcd8aa53516e7754c371bd3bad3907294a6ca57c5c

      SHA512

      f993e4e04b348f7eb346d2f3d00fdaed2212f28ba885bbe50c1959737c5b6cab9cfbe17c4aba992521aa0ecdcf5216fa9e6c36a47746077307d32170223a9a97

    • C:\Users\Admin\AppData\Local\Temp\TarEE89.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • C:\Windows\Installer\MSI82F4.tmp

      Filesize

      745KB

      MD5

      0fcf65c63e08e77732224b2d5d959f13

      SHA1

      5419b79fe14e21d1d5b51fe8187f7b86ec20de74

      SHA256

      f3e587f94a79c46a603b39286e93b17fabc895c6b71b26b0fc5d812cf155b7e5

      SHA512

      7c289aaf3ac1b998c8ca9593a58c8aa3a9aa9f41852c1ed4192b908e0ad51871400d585b4fe508d49368bdfc7378807d289971914870a7a47b0410a946e5e381

    • C:\Windows\Installer\MSIA102.tmp

      Filesize

      244KB

      MD5

      c4ca339bc85aae8999e4b101556239dd

      SHA1

      d090fc385e0002e35db276960a360c67c4fc85cd

      SHA256

      4ab23609cdc64d10b97c9ccb285ed7100f55d54d983cd50762da25ecac4357f9

      SHA512

      9185ec32545fc838d7fef6c9e4dd222dd02114c661b0b344f16287d55e6571bfe7a4233a852acc579d07bcdbab18c5c034c465b1f4bb78535ed51c3499087fe0

    • C:\Windows\Installer\f777781.msi

      Filesize

      39.7MB

      MD5

      87ef82757aba83e7eb63c7c35dbae97a

      SHA1

      7418c4ddeecba68e253e89622ad9ca45597d9350

      SHA256

      79040421b5a48dcc6e611dfe187b2f3e355791ad8511adb84f5c0948aa1d6c89

      SHA512

      605495995a07d7dfaa5d8f09b9d5bde1e0281b5b6581923b9fbd7c103e5ca9f2bb8dcf8e1049c21bd90ac4d68759270d5453e0414c2f6e1eb3ef877eee1a5533

    • C:\Windows\System32\DriverStore\Temp\{5cbf28ae-dad4-27ec-1e81-ef61b94fea00}\SET9BB5.tmp

      Filesize

      8KB

      MD5

      2d31ce5fe7cd81c996615ebcc29c058a

      SHA1

      4d74fe8e3170d36666df779e43fe8016986b154a

      SHA256

      019290c9b7e5b48fb6de95f9563ed481cd42f8658451c6fbc8ad131d61209ce0

      SHA512

      b8188481050630e7317d2f0687790a46e86f30a79f34164e4b02ec28da39334da80bd494a4f32ae8bb60fa2f01273cdcd9d15100f901517b0c01507678330052

    • C:\Windows\System32\DriverStore\Temp\{5cbf28ae-dad4-27ec-1e81-ef61b94fea00}\SET9BC6.tmp

      Filesize

      2KB

      MD5

      703c7774b981e5d02e058340a27a5b75

      SHA1

      37534d7f0b31d2328d70ca578047d597273b73b6

      SHA256

      4cfca868959f4e1b85bfd6b8a970ae06c0810d9c341f260df3ab8479089500e9

      SHA512

      758e84915fa7ebb343bafd096bc40d9d226fe0da7c167b2b8e59f664e1be796143228bc3405df7e3447cdc918004db516344365d3d07a8e6c040df2b90456d78

    • C:\Windows\System32\DriverStore\Temp\{5cbf28ae-dad4-27ec-1e81-ef61b94fea00}\x64\SET9BB3.tmp

      Filesize

      95KB

      MD5

      52b88eb20beb3b34a692a4cae0ff2196

      SHA1

      26a297b2baeb118f8856c1de41ee855572ba958a

      SHA256

      2b675e9c27d3fb01cb9df2583b380de8dc8c0d5bbbe18af458f90b47c6d62b03

      SHA512

      29567fc4db46d85f9ab8f6ecf2a708ec2c8def2e49eccd439daceda327b7411957b2014171a8370c3928d4a03a13bc6124d93678a87684370a5e6042d1c2ad6e

    • C:\Windows\System32\DriverStore\Temp\{5cbf28ae-dad4-27ec-1e81-ef61b94fea00}\x64\SET9BB4.tmp

      Filesize

      68KB

      MD5

      9a348ed02f8b1efc9bfc5f53827f8a9c

      SHA1

      c1f22705392af57b277d1fb4f46258dddffe8f33

      SHA256

      641f2b86f013a95707ffdf0f584e3a83fedc1392cea3b546905b9ccb54ae10cf

      SHA512

      9debb460fd74cb586ed66b7fa4bbb51a8e1184c1a061e81f4fd6f5e700fdb1e91b809a3f517fe55dd889f60df6ea29190455073dfa1cb5b85032b91efd12033f

    • C:\Windows\inf\oem2.PNF

      Filesize

      8KB

      MD5

      c391f20baff9276c43b6600e63e6fb73

      SHA1

      2582a2e865465c15a09611856251808becff683d

      SHA256

      021414165a3cbd807c7b6a81a235819c92c01bb738e588417f74be6c217b4110

      SHA512

      2cc77ab793997787ee619db0b075724e83151c94b4bc506e15cddf7f9232dc4fefa9c95f2afaccc212c5ec0f7e947b469600c9f4154e83faae7810e301fe4722

    • memory/2424-679-0x0000000008940000-0x00000000093FA000-memory.dmp

      Filesize

      10.7MB

    • memory/2424-681-0x00000000053C0000-0x00000000054C7000-memory.dmp

      Filesize

      1.0MB

    • memory/2548-661-0x0000000002690000-0x0000000002810000-memory.dmp

      Filesize

      1.5MB