Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    23-11-2024 08:23

General

  • Target

    15c5bedffb7e9c6fe6087703c2743078175cdfd562079593d1711719f2595ac8.exe

  • Size

    3.0MB

  • MD5

    28259efc0c77cc8824b1e556aa89f2a6

  • SHA1

    8fa343113fe56e5661fbfdd41a2ef71bb7a16bfe

  • SHA256

    15c5bedffb7e9c6fe6087703c2743078175cdfd562079593d1711719f2595ac8

  • SHA512

    fe45969c62f21220d737e53edeae577fe973a43684b59f0081def0d56358f5134f7dfe5f7c5e5ed8642e455e6b23123d74af279145870f706aa0b3be47ae8fd3

  • SSDEEP

    49152:+qe3f6eaRJ0VLchdr+pHHuOWMuM46LRoRvgpwa94teygbsy:vSiOusHTXotfdewy

Malware Config

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as legitimate system administration software.

  • Netsupport family
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\15c5bedffb7e9c6fe6087703c2743078175cdfd562079593d1711719f2595ac8.exe
    "C:\Users\Admin\AppData\Local\Temp\15c5bedffb7e9c6fe6087703c2743078175cdfd562079593d1711719f2595ac8.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Users\Admin\AppData\Local\Temp\is-VPT7R.tmp\15c5bedffb7e9c6fe6087703c2743078175cdfd562079593d1711719f2595ac8.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-VPT7R.tmp\15c5bedffb7e9c6fe6087703c2743078175cdfd562079593d1711719f2595ac8.tmp" /SL5="$501E2,2328649,779776,C:\Users\Admin\AppData\Local\Temp\15c5bedffb7e9c6fe6087703c2743078175cdfd562079593d1711719f2595ac8.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\Users\Admin\AppData\Roaming\WinSurrounder\RuntimeBroker.exe
        "C:\Users\Admin\AppData\Roaming\WinSurrounder\RuntimeBroker.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:2260

Network

  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    23.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    83.121.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.121.18.2.in-addr.arpa
    IN PTR
    Response
    83.121.18.2.in-addr.arpa
    IN PTR
    a2-18-121-83.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    donutduck.duckdns.org
    RuntimeBroker.exe
    Remote address:
    8.8.8.8:53
    Request
    donutduck.duckdns.org
    IN A
    Response
    donutduck.duckdns.org
    IN A
    82.115.223.32
  • flag-us
    DNS
    geo.netsupportsoftware.com
    RuntimeBroker.exe
    Remote address:
    8.8.8.8:53
    Request
    geo.netsupportsoftware.com
    IN A
    Response
    geo.netsupportsoftware.com
    IN A
    172.67.68.212
    geo.netsupportsoftware.com
    IN A
    104.26.0.231
    geo.netsupportsoftware.com
    IN A
    104.26.1.231
  • flag-us
    GET
    http://geo.netsupportsoftware.com/location/loca.asp
    RuntimeBroker.exe
    Remote address:
    172.67.68.212:80
    Request
    GET /location/loca.asp HTTP/1.1
    Host: geo.netsupportsoftware.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Date: Sat, 23 Nov 2024 08:24:09 GMT
    Content-Type: text/html; charset=us-ascii
    Transfer-Encoding: chunked
    Connection: keep-alive
    CF-Ray: 8e6fc2e33bef4889-LHR
    CF-Cache-Status: DYNAMIC
    cf-apo-via: origin,host
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PzBt6Jk0u2XNZINm7HtdmoAXbfcqGA2lwIZwDkIkdaLs39b%2BdfLUb%2FkcCg01gk4GayYjlpomvzA2csTJ5Fle83tjsveUX36%2B0Em2aw1owkfPXltro8gC%2F1dI3e7OoJ6%2FLJXh46YbiWPsmSJ1"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    server-timing: cfL4;desc="?proto=TCP&rtt=59547&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
  • flag-us
    GET
    http://geo.netsupportsoftware.com/location/loca.asp
    RuntimeBroker.exe
    Remote address:
    172.67.68.212:80
    Request
    GET /location/loca.asp HTTP/1.1
    Host: geo.netsupportsoftware.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Date: Sat, 23 Nov 2024 08:24:09 GMT
    Content-Type: text/html; charset=us-ascii
    Transfer-Encoding: chunked
    Connection: keep-alive
    CF-Ray: 8e6fc2e4b8289521-LHR
    CF-Cache-Status: DYNAMIC
    cf-apo-via: origin,host
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xSyQLJZCjJVUHqfAyppFrlHhjEm7h9cr8qmTNR9wcrdANWPzC0SBlAtqDOCvYseEqta%2BxQhFlV6tBKnghrXsdoe1FqQKGoCLHJDuO0iEhAI0Fav2sOFalHkv9fq%2BN64aMksFpD9xxcAE%2BYlb"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    server-timing: cfL4;desc="?proto=TCP&rtt=59442&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
  • flag-us
    GET
    http://geo.netsupportsoftware.com/location/loca.asp
    RuntimeBroker.exe
    Remote address:
    172.67.68.212:80
    Request
    GET /location/loca.asp HTTP/1.1
    Host: geo.netsupportsoftware.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Date: Sat, 23 Nov 2024 08:24:09 GMT
    Content-Type: text/html; charset=us-ascii
    Transfer-Encoding: chunked
    Connection: keep-alive
    CF-Ray: 8e6fc2e5fae4bd84-LHR
    CF-Cache-Status: DYNAMIC
    cf-apo-via: origin,host
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Nv0RcZhDku0STx3ggAW7SCRgwL9JLmqHl2Oykz91YOWO6wtdU3B%2FyzGiiJUflXFXOi5BOdYkjJkwq6p%2B39eUEss2Hwa9m7LB6dME48EwlBl0Oc%2B6zaJxfI5Bg%2BIT6zkLDzkRpa26lLSWu3%2Ft"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    server-timing: cfL4;desc="?proto=TCP&rtt=59178&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
  • flag-us
    DNS
    212.68.67.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    212.68.67.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    coinduck.duckdns.org
    RuntimeBroker.exe
    Remote address:
    8.8.8.8:53
    Request
    coinduck.duckdns.org
    IN A
    Response
    coinduck.duckdns.org
    IN A
    83.217.208.141
  • flag-us
    DNS
    53.210.109.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    53.210.109.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    71.121.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    71.121.18.2.in-addr.arpa
    IN PTR
    Response
    71.121.18.2.in-addr.arpa
    IN PTR
    a2-18-121-71.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    101.209.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    101.209.201.84.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    43.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    donutduck.duckdns.org
    RuntimeBroker.exe
    Remote address:
    8.8.8.8:53
    Request
    donutduck.duckdns.org
    IN A
    Response
    donutduck.duckdns.org
    IN A
    82.115.223.32
  • flag-us
    DNS
    coinduck.duckdns.org
    RuntimeBroker.exe
    Remote address:
    8.8.8.8:53
    Request
    coinduck.duckdns.org
    IN A
    Response
    coinduck.duckdns.org
    IN A
    83.217.208.141
  • 172.67.68.212:80
    http://geo.netsupportsoftware.com/location/loca.asp
    http
    RuntimeBroker.exe
    440 B
    1.3kB
    7
    4

    HTTP Request

    GET http://geo.netsupportsoftware.com/location/loca.asp

    HTTP Response

    404
  • 82.115.223.32:1337
    donutduck.duckdns.org
    RuntimeBroker.exe
    260 B
    5
  • 172.67.68.212:80
    http://geo.netsupportsoftware.com/location/loca.asp
    http
    RuntimeBroker.exe
    486 B
    1.3kB
    8
    5

    HTTP Request

    GET http://geo.netsupportsoftware.com/location/loca.asp

    HTTP Response

    404
  • 172.67.68.212:80
    http://geo.netsupportsoftware.com/location/loca.asp
    http
    RuntimeBroker.exe
    440 B
    1.3kB
    7
    4

    HTTP Request

    GET http://geo.netsupportsoftware.com/location/loca.asp

    HTTP Response

    404
  • 83.217.208.141:1337
    coinduck.duckdns.org
    RuntimeBroker.exe
    260 B
    200 B
    5
    5
  • 82.115.223.32:1337
    donutduck.duckdns.org
    RuntimeBroker.exe
    260 B
    5
  • 83.217.208.141:1337
    coinduck.duckdns.org
    RuntimeBroker.exe
    156 B
    120 B
    3
    3
  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    23.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    23.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    83.121.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    83.121.18.2.in-addr.arpa

  • 8.8.8.8:53
    donutduck.duckdns.org
    dns
    RuntimeBroker.exe
    67 B
    83 B
    1
    1

    DNS Request

    donutduck.duckdns.org

    DNS Response

    82.115.223.32

  • 8.8.8.8:53
    geo.netsupportsoftware.com
    dns
    RuntimeBroker.exe
    72 B
    120 B
    1
    1

    DNS Request

    geo.netsupportsoftware.com

    DNS Response

    172.67.68.212
    104.26.0.231
    104.26.1.231

  • 8.8.8.8:53
    212.68.67.172.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    212.68.67.172.in-addr.arpa

  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    coinduck.duckdns.org
    dns
    RuntimeBroker.exe
    66 B
    82 B
    1
    1

    DNS Request

    coinduck.duckdns.org

    DNS Response

    83.217.208.141

  • 8.8.8.8:53
    53.210.109.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    53.210.109.20.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    71.121.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    71.121.18.2.in-addr.arpa

  • 8.8.8.8:53
    101.209.201.84.in-addr.arpa
    dns
    73 B
    133 B
    1
    1

    DNS Request

    101.209.201.84.in-addr.arpa

  • 8.8.8.8:53
    43.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    43.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    donutduck.duckdns.org
    dns
    RuntimeBroker.exe
    67 B
    83 B
    1
    1

    DNS Request

    donutduck.duckdns.org

    DNS Response

    82.115.223.32

  • 8.8.8.8:53
    coinduck.duckdns.org
    dns
    RuntimeBroker.exe
    66 B
    82 B
    1
    1

    DNS Request

    coinduck.duckdns.org

    DNS Response

    83.217.208.141

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\is-VPT7R.tmp\15c5bedffb7e9c6fe6087703c2743078175cdfd562079593d1711719f2595ac8.tmp

    Filesize

    3.0MB

    MD5

    d4d43c792aa5d73f0cd7b1d9d461487b

    SHA1

    f20d2a3840dad80ab7be903d5a7d9db0fd4a515d

    SHA256

    9f2f5a6aa41c4d27b4e98a1e97e775c390bf171b4ba81815dd769c6f4a5e2ca5

    SHA512

    1b29ed1538e166644328d48a7189e827bc8b5d732c94cc3dde6d28b62b30515892a8d17de7579e69074f876b7cad9b79425908c7721d2ce59f844d9ef83dc5b5

  • C:\Users\Admin\AppData\Roaming\WinSurrounder\HTCTL32.DLL

    Filesize

    319KB

    MD5

    bf9dd864f5822dc28ffce9529bae15ba

    SHA1

    ee578ba78ddaf0547edd23355dbc658cdc1b86ab

    SHA256

    74328f7f2d08cfc734cc5151bc68377962d1e0a75137908925a604b3d18b7be6

    SHA512

    ea00797c9e7117452e3a7f94db016e22dad0246c439daaae304ecfb5c5de19d2db0c63ce1edd135a409f07ba75b19bd6428a7ab6d80a9dc65ff473ff985ef43e

  • C:\Users\Admin\AppData\Roaming\WinSurrounder\NSM.LIC

    Filesize

    259B

    MD5

    ac5d5cc9acad4531ef1bd16145ea68bd

    SHA1

    f9d92f79a934815b645591ebbd6f5d20aa6a3e38

    SHA256

    68c787616681427557343e42ede5805dfbeeb580c59f69c4706b500f225e2c6b

    SHA512

    196863e039e9c83fb0f8eb3f0a6119db31a624e7ef4e9ba99516702e76796957f0ebf87e8728e1bd0de6cd7420bec6e644caa58a0724a7208e9a765d6eb78f64

  • C:\Users\Admin\AppData\Roaming\WinSurrounder\PCICL32.dll

    Filesize

    3.6MB

    MD5

    21e49d937a929db0ff9c265e8b2b6777

    SHA1

    88000b29bb69b3e8a29f30f0274de3e71a8b7ef7

    SHA256

    9b760f2aa4576d044bcd33e21943a8cbccd9c56d17d598fa509213e05f9939c1

    SHA512

    165664b4d3b6aa2c481665a9aed572a7445cd32052066faf7bf05340820d8afc3cf4660a344d2a06e6f3bcabbfa7923eb61c39b7367735ede0f5154f9696d1bf

  • C:\Users\Admin\AppData\Roaming\WinSurrounder\RuntimeBroker.exe

    Filesize

    85KB

    MD5

    1cb88aeae38477423560246200f68dac

    SHA1

    18a1a1631810045b96fed256be26b12aeda07fc1

    SHA256

    c6d455a464ca61777ace3d161d2d9e8fb27e135dd941e001c120a844f7005b9f

    SHA512

    d4754a7cd308dd4763dc01d0e4257f32114ea030f1c4eb955333b8cf106c0fcc9872b6c1002c5d2637ca8da476b4c9098b06bbf46211bdd22252fcc1cabc7eff

  • C:\Users\Admin\AppData\Roaming\WinSurrounder\client32.ini

    Filesize

    706B

    MD5

    812452fb7d6044657f21868f8b046ec8

    SHA1

    2a3d0cfa5ef48c687ed42c101c3466b8104379bf

    SHA256

    3a0fcc3de6f38f43bc68c3f7733470c5ae0ba7e44231f381a555c26f72cded2d

    SHA512

    ff72c6f6e830a34bcb84f44030568b709b422868d93a7ad0c12a2da1d7e1fdee6e048e23b90d87a0d98383d3964ab71d28db98f58ad381c93c06682ae1b4ec36

  • C:\Users\Admin\AppData\Roaming\WinSurrounder\msvcr100.dll

    Filesize

    759KB

    MD5

    7aa3e993ffef3a554ebab6532eac4075

    SHA1

    92b541293c63a4fb343327a1cc7708f96e7eec74

    SHA256

    aaf5bd6cdf7eae9d3ed153033917b3aed750d48ab11222569246db162d94b72e

    SHA512

    97d91945d2f90594505ce67e2ce6f9bf4cfabe7ec5a0461ac5bf82c8bd1094308c99a02d4cc25276dc9701c8109afe1f69726964f2e06dce98f005f0e8f5ec49

  • C:\Users\Admin\AppData\Roaming\WinSurrounder\pcicapi.dll

    Filesize

    31KB

    MD5

    191bd0cc859e47aaa7c5195f58f56d4e

    SHA1

    c2d91b7688ab3d4fbc08dc8df895323ca2c47460

    SHA256

    3d30caf999bbd1c39b681f4782c2f703c02b9956c4a77d7d531e20ca02ffaa29

    SHA512

    9c876afdc1b3cab2c01d1d369d6c532edc4377876ed95f324e0e638860852d41052796a16f7314ef922bb7ff6edb9f3687f6edfb342b6524951906340c614b08

  • C:\Users\Admin\AppData\Roaming\WinSurrounder\pcichek.dll

    Filesize

    17KB

    MD5

    018b7364f4de19d99c37665eb8555fc5

    SHA1

    661d32b263131f27c890a3a17e3a7f58b0035f93

    SHA256

    fb68bf34ae44c30267e5034d65e7d917033631f8290a17de264de5189f1c9e71

    SHA512

    82eb86e58894d3beed9f7efefdd9f8ece4d4d1af7d95e8751054eac18ff8eb08e6bfdd0ccf132f666b2bdd47669fdc4b1fcf4c172a4cf3f25b0464e6943489f8

  • memory/2872-0-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

  • memory/2872-2-0x0000000000401000-0x00000000004B7000-memory.dmp

    Filesize

    728KB

  • memory/2872-68-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

  • memory/2872-73-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

  • memory/3016-6-0x0000000000400000-0x0000000000705000-memory.dmp

    Filesize

    3.0MB

  • memory/3016-69-0x0000000000400000-0x0000000000705000-memory.dmp

    Filesize

    3.0MB

  • memory/3016-71-0x0000000000400000-0x0000000000705000-memory.dmp

    Filesize

    3.0MB
