Overview

overview

10

Static

static

3

Merge.exe

windows7-x64

1

Merge.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-12-2024 10:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Merge.exe

  • Size

    42.9MB

  • MD5

    d024ff2fc7acb7c172f0ba38a9fbc2c3

  • SHA1

    fd79908540ba4abf2beeeb7e93705b8bd8c6609f

  • SHA256

    113290aaa5c0b0793d50de6819f2b2eead5e321e9300d91b9a36d62ba8e5bbc1

  • SHA512

    a9b8d4404f7e8338b33e218c1ab8fe773beae991b951ebbd574b8e2da991fd17f6d7c41a479b53684a0514a740a2fdeec3ae2cb2a61d5ccbb840415c8bbbc1a9

  • SSDEEP

    786432:BIOK9MrmgNNKBYjUMojDqpPBm1I+yuCUegHOdUXedH0:W6mgNNKqjMfsZECUhRA

Score
10/10
netsupportdiscoveryrat

Malware Config

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as a legitimate system administration software.

    ratnetsupport
  • Netsupport family
    netsupport
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 12 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Embeds OpenSSL 1 IoCs

    Embeds OpenSSL, may be used to circumvent TLS interception.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Merge.exe
    "C:\Users\Admin\AppData\Local\Temp\Merge.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Users\Admin\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
      "C:\Users\Admin\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:1336
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x150 0x308
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:540
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    1⤵
    • System Location Discovery: System Language Discovery
    PID:4628

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\3delite\Secondary Display Photo Viewer\DisplayPhotoViewer.ini
    Filesize

    2B

    MD5

    f3b25701fe362ec84616a93a45ce9998

    SHA1

    d62636d8caec13f04e28442a0a6fa1afeb024bbb

    SHA256

    b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

    SHA512

    98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
    Filesize

    9KB

    MD5

    7050d5ae8acfbe560fa11073fef8185d

    SHA1

    5bc38e77ff06785fe0aec5a345c4ccd15752560e

    SHA256

    cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

    SHA512

    a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

    Download Submit

  • C:\Users\Admin\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
    Filesize

    6.7MB

    MD5

    f78f5cc0a0b3af7af5485bb47b4809c0

    SHA1

    47d2c43f246e204733a09dfaa7e749b0c2860089

    SHA256

    86ae0078776c0411504cf97f4369512013306fcf568cc1dc7a07e180dde08eda

    SHA512

    31947c7d9748c079e6fb0a32e4465b3aff1e10179f8f9dcc0d72e1a0752b205e0c09912b1a853ffb1a9f87e4741b187db93d9540a7dc05844d01225b44b9bdaa

    Download Submit

  • C:\Users\Admin\AppData\Local\Programs\Advanced Photo Studio\FilesystemDialogs.dll
    Filesize

    15.5MB

    MD5

    7bcb496eca53ccfac7c6cfb9802c4bb1

    SHA1

    f4f82664848f5c3aca0e7c275f238cf9b9449d26

    SHA256

    979a53f54d540c3b8a3d1d8ff9a138912b351d1e5c48e98273a170668883f594

    SHA512

    ffdf9ec47b467ca94e5b7f27c77dc68aa0500a8406b4726c1432c4ddbedbfd576a7938f2a6d2eeca7af2d49c6c22757e9e9a9df62ab0dee5d271135d3c305af4

    Download Submit

  • C:\Users\Admin\AppData\Local\Programs\Advanced Photo Studio\FreeImage.dll
    Filesize

    5.7MB

    MD5

    33082bf128b1700be41bbc0377520abb

    SHA1

    b8aa3500d08ed31cdb13313311496e6e706967f3

    SHA256

    f5914cf345f20177203e72987eca4a442ddd50934eb6273aa433c177e9640a41

    SHA512

    f513af6cdc480a4e0963976618ffa95763960311e257478fcb06b0210ab12704e53d5bccdf1d9331481acc10b819661c5c36df62d69610aa206678da302a5251

    Download Submit

  • C:\Users\Admin\AppData\Local\Programs\Advanced Photo Studio\JEncrypt.dll
    Filesize

    20.3MB

    MD5

    849c3f4b28eb18b791695d08c407a543

    SHA1

    15568664f0914aa6ebc33b3a9430e302f52bddb6

    SHA256

    6b8e41ea8b38426749e7a41bf7bbdaca1cf083b59b0a512c24c242e74f540227

    SHA512

    e19bd0329fc770f8c8db2c3e674bc7699da66870903345998cf451a2ce587f5859e74c7aa22adbc74e0417d81a6b8023a32282babbd11553d61c55c9a6bf372e

    Download Submit

  • C:\Users\Admin\AppData\Local\Programs\Advanced Photo Studio\MediaInfo.dll
    Filesize

    4.9MB

    MD5

    b38c9b2b76254fdf958769db2b9242a8

    SHA1

    b6374308a0338aac7509fc547e07908b98800625

    SHA256

    4dc4b7fcab02e7c53f69e5ec59eeff60be22bc1a7ccc7f0ef9828c9e3090fc91

    SHA512

    40d7bcc8f13a8a5f98843d10a92518e54279ed56ca010dddf5efe1a75c49703bc0bcdfa575e856adc0853cbd03b0ecf1ee0ff245671c0eed555ccc31ab6d2ef9

    Download Submit

  • C:\Users\Admin\AppData\Local\Programs\Advanced Photo Studio\RwcTouch.dll
    Filesize

    2.6MB

    MD5

    92ddf7fd13fb43ebd9d0008cc7dfd5a8

    SHA1

    e1990fd53a885806db7375dd27d9761c43d68ec7

    SHA256

    3a38f912bf0f93e266ad7d2ec2a54416b10798f3a6c8eb58e393eb96eb0548fd

    SHA512

    c9103849807b6ff987c74fed9b57d703e5cdd8e2341a42d91d09fc477805c11c73cb60f11dda357e858e535f64db2e24d3377499b301dc8acaa7f00e8f3ffc52

    Download Submit

  • C:\Users\Admin\AppData\Local\Programs\Advanced Photo Studio\Sales.sav
    Filesize

    5.1MB

    MD5

    9039c30d9218bbdccd365e3b09134085

    SHA1

    e8ba1634c798fe66ff9ec8d7a04a71d75ce15843

    SHA256

    32684bd13bf3deb98f8604e1f885dbf427c819208b8376de7f60c49ff78686d5

    SHA512

    01ad5186b2eecafec69e95e0974d0fa45fbee8bc80943eb8df55389f9225b178f19112f842e48c776c59b7092ad4679ceb619c204bb0f54c2a8c0a8d62a646ec

    Download Submit

  • C:\Users\Admin\AppData\Local\Programs\Advanced Photo Studio\bass.dll
    Filesize

    135KB

    MD5

    8e58fcc0672a66c827c6f90fa4b58538

    SHA1

    3e807dfd27259ae7548692a05af4fe54f8dd32ed

    SHA256

    6e1bf8ea63f9923687709f4e2f0dac7ff558b2ab923e8c8aa147384746e05b1d

    SHA512

    0e9faf457a278ad4c5dd171f65c24f6a027696d931a9a2a2edd4e467da8b8a9e4ab3b1fd2d758f5744bf84bece88c046cda5f7e4204bead14d7c36a46702b768

    Download Submit

  • C:\Users\Admin\AppData\Local\Programs\Advanced Photo Studio\htctl32.dll
    Filesize

    316KB

    MD5

    051cdb6ac8e168d178e35489b6da4c74

    SHA1

    38c171457d160f8a6f26baa668f5c302f6c29cd1

    SHA256

    6562585009f15155eea9a489e474cebc4dd2a01a26d846fdd1b93fdc24b0c269

    SHA512

    602ab9999f7164a2d1704f712d8a622d69148eefe9a380c30bc8b310eadedf846ce6ae7940317437d5da59404d141dc2d1e0c3f954ca4ac7ae3497e56fcb4e36

    Download Submit

  • C:\Users\Admin\AppData\Local\Programs\Advanced Photo Studio\msvcr100.dll
    Filesize

    755KB

    MD5

    0e37fbfa79d349d672456923ec5fbbe3

    SHA1

    4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

    SHA256

    8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

    SHA512

    2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

    Download Submit

  • C:\Users\Admin\AppData\Local\Programs\Advanced Photo Studio\nsm.lic
    Filesize

    261B

    MD5

    886e4bb84e1ecc4a04ae599d76fcce1d

    SHA1

    3f0493bb2088af50bcc8223462db0b207354e946

    SHA256

    5eeb014e3b390e0c85ce72988d422dcd9de1520566b11755c70bdd9bb7376060

    SHA512

    f4db9038a113c4b1e2462b3e0becef2500c9532a79c8187f51d011d690bc68c6d1a99585e43136cb082bd6a232136546db50265f226ff19e67d8430306a8761f

    Download Submit

  • C:\Users\Admin\AppData\Local\Programs\Advanced Photo Studio\pcicapi.dll
    Filesize

    106KB

    MD5

    67c53a770390e8c038060a1921c20da9

    SHA1

    49e63af91169c8ce7ef7de3d6a6fb9f8f739fa3a

    SHA256

    2dfdc169dfc27462adc98dde39306de8d0526dcf4577a1a486c2eef447300689

    SHA512

    201e07dbccd83480d6c4d8562e6d0a9e4c52ed12895f0b91d875c2bbcc50b3b1802e11e5e829c948be302bf98ebde7fb2a99476065d1709b3bdbcd5d59a1612d

    Download Submit

  • C:\Users\Admin\AppData\Local\Programs\Advanced Photo Studio\pcichek.dll
    Filesize

    14KB

    MD5

    3aabcd7c81425b3b9327a2bf643251c6

    SHA1

    ea841199baa7307280fc9e4688ac75e5624f2181

    SHA256

    0cff893b1e7716d09fb74b7a0313b78a09f3f48c586d31fc5f830bd72ce8331f

    SHA512

    97605b07be34948541462000345f1e8f9a9134d139448d4f331cefeeca6dad51c025fcab09d182b86e5a4a8e2f9412b3745ec86b514b0523497c821cb6b8c592

    Download Submit

  • C:\Users\Admin\AppData\Local\Programs\Advanced Photo Studio\pcicl32.dll
    Filesize

    3.3MB

    MD5

    e7b92529ea10176fe35ba73fa4edef74

    SHA1

    fc5b325d433cde797f6ad0d8b1305d6fb16d4e34

    SHA256

    b6d4ad0231941e0637485ac5833e0fdc75db35289b54e70f3858b70d36d04c80

    SHA512

    fb3a70e87772c1fb386ad8def6c7bdf325b8d525355d4386102649eb2d61f09ce101fce37ccc1f44d5878e604e2e426d96618e836367ab460cae01f627833517

    Download Submit

  • C:\Users\Admin\AppData\Local\Programs\Advanced Photo Studio\skins\savegame.wav
    Filesize

    4.8MB

    MD5

    83c72a36afae7542ce660730959c8e2f

    SHA1

    318694cbf96d828d284aace9ea0148ba56d1ccb0

    SHA256

    634d9f12d277e1a2c8e2e20364ae9fe31543f485ddff08cb6bf07a611b5bd054

    SHA512

    9dda43fa2323deaa5dd868a8a8d375b7e8a3b7802735511051a7d0c258949cfda0243bd143bd3d981d9097816be716b27205f9b7aedaee5919156e2b4bdd84d5

    Download Submit

  • C:\Users\Admin\AppData\Local\Programs\Advanced Photo Studio\zxing.dll
    Filesize

    10.6MB

    MD5

    da5b9a31f05338118a3877ec516be04a

    SHA1

    1084ab557940f064c6b2cf12129e6376fac6ed27

    SHA256

    0919bb5672c2289161194940b030495c1e4d5cdcfbc1d8fed652b4652525f687

    SHA512

    7ac4ff3aff9b3c50c6c5ca57b5820a831efec9dcdda1c69fb82b1df1e3e0e7b3f5631288774d3ccfdd2a7debdf7b7062da59ab6fe024edb282d55ff3ff05e44b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\syw.4
    Filesize

    16KB

    MD5

    3abe7d831a5850a8fe596a85f6dbc884

    SHA1

    6b0b5e490aa2857966970dfbd0c1047f14c03164

    SHA256

    87974d12afeb3274935821b94e1fe5c9cd2b7fd19fc30e8a1624b589d7e29fb5

    SHA512

    cd1784fecc5a148fb7dc15234339b71c6a05c5d28f64884047c42e6c4e62d1444dd8910cabdac42a7f459cd89e791bc40e522b8e5cb53fcbf1435e3d94a5196d

    Download Submit

  • memory/1336-87-0x0000000006F50000-0x00000000070A9000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1336-113-0x0000000003740000-0x0000000003741000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1336-114-0x0000000000A20000-0x0000000001108000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1336-115-0x0000000074030000-0x0000000074FE3000-memory.dmp

    Filesize

    15.7MB

    Download

  • memory/1336-118-0x0000000006F50000-0x00000000070A9000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1336-132-0x0000000006F50000-0x00000000070A9000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1336-91-0x0000000074030000-0x0000000074FE3000-memory.dmp

    Filesize

    15.7MB

    Download

  • memory/1336-146-0x0000000006F50000-0x00000000070A9000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1336-145-0x0000000006F50000-0x00000000070A9000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1336-90-0x0000000000A20000-0x0000000001108000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1336-85-0x0000000006F50000-0x00000000070A9000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1336-61-0x0000000006F50000-0x00000000070A9000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1336-60-0x0000000070370000-0x0000000070601000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/1336-34-0x0000000003740000-0x0000000003741000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1336-164-0x0000000074030000-0x0000000074FE3000-memory.dmp

    Filesize

    15.7MB

    Download