Overview

overview

10

Static

static

3

547ef48f46...d.appx

windows7-x64

547ef48f46...d.appx

windows10-2004-x64

10

ChromeSetup.exe

windows7-x64

6

ChromeSetup.exe

windows10-2004-x64

6

PsfLauncher32.exe

windows7-x64

1

PsfLauncher32.exe

windows10-2004-x64

3

PsfLauncher64.exe

windows7-x64

1

PsfLauncher64.exe

windows10-2004-x64

1

PsfRunDll32.exe

windows7-x64

1

PsfRunDll32.exe

windows10-2004-x64

3

PsfRunDll64.exe

windows7-x64

1

PsfRunDll64.exe

windows10-2004-x64

1

PsfRuntime32.dll

windows7-x64

3

PsfRuntime32.dll

windows10-2004-x64

3

PsfRuntime64.dll

windows7-x64

1

PsfRuntime64.dll

windows10-2004-x64

1

StartingSc...er.ps1

windows7-x64

3

StartingSc...er.ps1

windows10-2004-x64

3

VFS/Progra...13.exe

windows7-x64

3

VFS/Progra...13.exe

windows10-2004-x64

3

VFS/Progra...za.dll

windows7-x64

3

VFS/Progra...za.dll

windows10-2004-x64

3

VFS/Progra...xa.dll

windows7-x64

3

VFS/Progra...xa.dll

windows10-2004-x64

3

VFS/Progra...ar.dll

windows7-x64

3

VFS/Progra...ar.dll

windows10-2004-x64

3

VFS/Progra...64.dll

windows7-x64

1

VFS/Progra...64.dll

windows10-2004-x64

1

VFS/Progra...ar.dll

windows7-x64

1

VFS/Progra...ar.dll

windows10-2004-x64

1

VFS/Progra...za.dll

windows7-x64

1

VFS/Progra...za.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    121s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2024 15:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    547ef48f46ecfe31ee7edc7bbff0c2406f43d11915bcef84372172873012eacd.appx

  • Size

    15.0MB

  • MD5

    6eaa4c8938016293d2153ccd78b473fc

  • SHA1

    d044e629b6c0bafa9b312ab6c7f00cbcaa37b8a0

  • SHA256

    547ef48f46ecfe31ee7edc7bbff0c2406f43d11915bcef84372172873012eacd

  • SHA512

    74aa6933f80e5efd3bf4867a904d26f0f2211723a22eb5c467a1652c8808b0857e178022750bf6fa8027a9ab4060041c8c8334f632acfd0bdeeacbdce27c5cdc

  • SSDEEP

    393216:WOUkApd7IlEhy+XkJ6fbyOOe8grIR2B2arSIHpYP:WOUkehIrJ6jbOe8gMm2aT2P

Score
10/10
netsupportdiscoveryexecutionpersistenceprivilege_escalationrat

Malware Config

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as a legitimate system administration software.

    ratnetsupport
  • Netsupport family
    netsupport
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 64 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 21 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell start shell:AppsFolder\7-Zip_wxpajgjyvm7kj!NOTEPAD
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2200
  • C:\Program Files\WindowsApps\7-Zip_4.12.158.0_x64__wxpajgjyvm7kj\PsfLauncher64.exe
    "C:\Program Files\WindowsApps\7-Zip_4.12.158.0_x64__wxpajgjyvm7kj\PsfLauncher64.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3888
    • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
      Powershell.exe -ExecutionPolicy RemoteSigned -file "C:\Program Files\WindowsApps\7-Zip_4.12.158.0_x64__wxpajgjyvm7kj\StartingScriptWrapper.ps1" "Powershell.exe -ExecutionPolicy RemoteSigned -file '.\sofgnarfoj.ps1'"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3216
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -file .\sofgnarfoj.ps1
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1696
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "VFS\ProgramFilesX64\13\13.exe e VFS\ProgramFilesX64\7z24083.7z -oC:\Users\Public\7z2408 -p7z24083"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1368
          • C:\Program Files\WindowsApps\7-Zip_4.12.158.0_x64__wxpajgjyvm7kj\VFS\ProgramFilesX64\13\13.exe
            VFS\ProgramFilesX64\13\13.exe e VFS\ProgramFilesX64\7z24083.7z -oC:\Users\Public\7z2408 -p7z24083
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2504
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "VFS\ProgramFilesX64\13\13.exe e C:\Users\Public\7z2408\7z24082.7z -oC:\Users\Public\7z2408 -p7z24082"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3756
          • C:\Program Files\WindowsApps\7-Zip_4.12.158.0_x64__wxpajgjyvm7kj\VFS\ProgramFilesX64\13\13.exe
            VFS\ProgramFilesX64\13\13.exe e C:\Users\Public\7z2408\7z24082.7z -oC:\Users\Public\7z2408 -p7z24082
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            • Suspicious use of AdjustPrivilegeToken
            PID:4644
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "VFS\ProgramFilesX64\13\13.exe e C:\Users\Public\7z2408\7z24081.7z -oC:\Users\Public\7z2408 -p7z24081"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3352
          • C:\Program Files\WindowsApps\7-Zip_4.12.158.0_x64__wxpajgjyvm7kj\VFS\ProgramFilesX64\13\13.exe
            VFS\ProgramFilesX64\13\13.exe e C:\Users\Public\7z2408\7z24081.7z -oC:\Users\Public\7z2408 -p7z24081
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            • Suspicious use of AdjustPrivilegeToken
            PID:1632
        • C:\Users\Public\7z2408\7z2408.exe
          "C:\Users\Public\7z2408\7z2408.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          PID:1272
        • C:\Users\Public\7z2408\7z2408-x64.exe
          "C:\Users\Public\7z2408\7z2408-x64.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:3932
    • C:\Program Files\WindowsApps\7-Zip_4.12.158.0_x64__wxpajgjyvm7kj\VFS\ProgramFilesX64\PsfRunDll64.exe
      "PsfRunDll64.exe"
      2⤵
        PID:3532

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      64B

      MD5

      8194b8209bd7dff1a5ce02ced85e3cc2

      SHA1

      2c488b57d962181af78b08c5eeefd672d62b3ab0

      SHA256

      33972e7a36c3fe16257646d8cfec6f7974eafd8e899250980456c91ad87f6f83

      SHA512

      00f6d0ee7f268290d5139c825dbac2592bf9e7c2f30cf8b5769717dc582c50540f46406f8d54538b4aba93527e0257abeb2123749ff39c4d69a9ed3a492bb8ac

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      63e62e02ee9c90b7adfb2eefe7efa04f

      SHA1

      9bc1eda86f7f95345c2a3901288b6867447dee6b

      SHA256

      cbafbcef08446541d49da9d11842ab860628a7d317db15f570b7b1e1048ade11

      SHA512

      3d2bf16c2a9b42e28dc9d2c18d6d697d3749b14f2f6c708ea9e587022aeb5fbbcffaa49c4f4f994f1cd1f6c886b8d8b6ab3a29d3b65fe0659ea0f2fa9d47ba52

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3dmza3r2.4yt.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Public\7z2408\7z2408-x64.exe
      Filesize

      1.5MB

      MD5

      0330d0bd7341a9afe5b6d161b1ff4aa1

      SHA1

      86918e72f2e43c9c664c246e62b41452d662fbf3

      SHA256

      67cb9d3452c9dd974b04f4a5fd842dbcba8184f2344ff72e3662d7cdb68b099b

      SHA512

      850382414d9d33eab134f8bd89dc99759f8d0459b7ad48bd9588405a3705aeb2cd727898529e3f71d9776a42e141c717e844e0b5c358818bbeac01d096907ad1

      Download Submit

    • C:\Users\Public\7z2408\7z2408.exe
      Filesize

      54KB

      MD5

      e7629e75a194c681b1bc19cce7d320ce

      SHA1

      c7376ce541fb66026bb1b1978966adbe17640cbf

      SHA256

      09456b07402683123588328d32f1a8e40a06b36478f30b8412bc9b38c110330b

      SHA512

      22b1845561a7695df10aa4fa720aa94968237d2459a980b100612cce8884bf184f4f38dde8fe0047e617b3b536b554569b105bbe35ecf778c40af7953e7cca8f

      Download Submit

    • C:\Users\Public\7z2408\7z24081.7z
      Filesize

      3.0MB

      MD5

      05b06612114f626daf65ece5e5d3d047

      SHA1

      f23ef8087700e45d5746d61a2a2d1cfc53faf2c3

      SHA256

      8a1a15a1f014f3f08b18d43b593443462f9e6ab4d7167df1610eec81d86152ee

      SHA512

      2b6f60670e1177bd4c5bb618d33ec6cd3c856df824e0810ff680df41110d584e83d8ebd40a8fa6be5825d7324e81e9293313db3a5ed81b22ead9acd5fd9d9279

      Download Submit

    • C:\Users\Public\7z2408\7z24082.7z
      Filesize

      3.0MB

      MD5

      79e255e588742b10ec9348b9a8205bc6

      SHA1

      56f73225fd7c9c6bdf7bc7f02c4355af649f6f5d

      SHA256

      c0db8858788980ae13768924ca33392200c0333688ddaec4064b9ed9b9c597b3

      SHA512

      ddb19b862b9cb70965be97df99ad698e9e29bbaeacb22d32183c6e84630f586952799264b8194c0475f03874fa076fb64eee890dcc1499b098d60382b6f782ce

      Download Submit

    • C:\Users\Public\7z2408\HTCTL32.DLL
      Filesize

      320KB

      MD5

      2d3b207c8a48148296156e5725426c7f

      SHA1

      ad464eb7cf5c19c8a443ab5b590440b32dbc618f

      SHA256

      edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

      SHA512

      55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

      Download Submit

    • C:\Users\Public\7z2408\NSM.LIC
      Filesize

      2KB

      MD5

      c3acb1af45f26f321b16254a1150e5cc

      SHA1

      49267c214c8fafed1570a61b4aafb5b2a02fba6a

      SHA256

      6f22d4f19fd1bd72005354747065f6be2282983481def538cdede31df6bebdea

      SHA512

      97520c355b4b68bbe96606debd9fcb6fb13ecddcd35e6281c34175e4c582111c3f23bf16d27945a5f436a4a99472838de643b700ffb0f45cbeda45fe158436f3

      Download Submit

    • C:\Users\Public\7z2408\PCICL32.dll
      Filesize

      3.5MB

      MD5

      ad51946b1659ed61b76ff4e599e36683

      SHA1

      dfe2439424886e8acf9fa3ffde6caaf7bfdd583e

      SHA256

      07a191254362664b3993479a277199f7ea5ee723b6c25803914eedb50250acf4

      SHA512

      6c30e7793f69508f6d9aa6edcec6930ba361628ef597e32c218e15d80586f5a86d89fcbee63a35eab7b1e0ae26277512f4c1a03df7912f9b7ff9a9a858cf3962

      Download Submit

    • C:\Users\Public\7z2408\client32.ini
      Filesize

      641B

      MD5

      070e44bb65445b9811e938a52818736e

      SHA1

      44d64648d74882537cd7fefe0f548fa65045a386

      SHA256

      12b8cbfdc4e9fbd81b889fe28e1064745e9940ce6068b460c225b1bef3d9c818

      SHA512

      a4abd44501f3488ef8015feac37642ac64ee7d10f078a5cde9ce68ca7833377472a6defac5325960d01d97cc02f577fec2983b4b4bedbb7f0fd807474a782a74

      Download Submit

    • C:\Users\Public\7z2408\msvcr100.dll
      Filesize

      755KB

      MD5

      0e37fbfa79d349d672456923ec5fbbe3

      SHA1

      4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

      SHA256

      8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

      SHA512

      2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

      Download Submit

    • C:\Users\Public\7z2408\pcicapi.dll
      Filesize

      32KB

      MD5

      dcde2248d19c778a41aa165866dd52d0

      SHA1

      7ec84be84fe23f0b0093b647538737e1f19ebb03

      SHA256

      9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

      SHA512

      c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

      Download Submit

    • C:\Users\Public\7z2408\pcichek.dll
      Filesize

      18KB

      MD5

      a0b9388c5f18e27266a31f8c5765b263

      SHA1

      906f7e94f841d464d4da144f7c858fa2160e36db

      SHA256

      313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

      SHA512

      6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

      Download Submit

    • memory/2200-0-0x00007FFFAEA13000-0x00007FFFAEA15000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2200-14-0x00007FFFAEA10000-0x00007FFFAF4D1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2200-12-0x00007FFFAEA10000-0x00007FFFAF4D1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2200-11-0x00007FFFAEA10000-0x00007FFFAF4D1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2200-10-0x0000025160C40000-0x0000025160C62000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3532-18-0x00007FF7A0070000-0x00007FF7A0080000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3532-20-0x00007FF7A0070000-0x00007FF7A0080000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3888-21-0x00007FF6A5F30000-0x00007FF6A5F40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3888-15-0x00007FF6A5F30000-0x00007FF6A5F40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3888-16-0x00007FFF816A0000-0x00007FFF816B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3888-17-0x00007FFFC16BC000-0x00007FFFC16BD000-memory.dmp

      Filesize

      4KB

      Download