Analysis
-
max time kernel
69s -
max time network
68s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
20-01-2025 13:30
General
-
Target
https://www.4sync.com/web/directDownload/RPjWS2ET/tBq1mUpE.f0fa2e9d3a71d39b343bad0edd034306
Malware Config
Signatures
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
Netsupport family
-
Blocklisted process makes network request 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 5 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in Program Files directory 52 IoCs
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://www.4sync.com/web/directDownload/RPjWS2ET/tBq1mUpE.f0fa2e9d3a71d39b343bad0edd034306"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://www.4sync.com/web/directDownload/RPjWS2ET/tBq1mUpE.f0fa2e9d3a71d39b343bad0edd0343062⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2336.0.1140775274\724470258" -parentBuildID 20221007134813 -prefsHandle 1244 -prefMapHandle 1236 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {67b80dd3-6620-4f75-a9ba-6820e513bf89} 2336 "\\.\pipe\gecko-crash-server-pipe.2336" 1308 faf1658 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2336.1.742297516\1345397608" -parentBuildID 20221007134813 -prefsHandle 1512 -prefMapHandle 1508 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e590a5cc-96b8-40e0-9f9d-77812524e7d3} 2336 "\\.\pipe\gecko-crash-server-pipe.2336" 1524 f75258 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2336.2.648739090\1725088274" -childID 1 -isForBrowser -prefsHandle 2064 -prefMapHandle 2060 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 832 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fe1ee98-d489-43a0-9be5-b522cecaa936} 2336 "\\.\pipe\gecko-crash-server-pipe.2336" 2076 1ac93f58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2336.3.397719642\261834541" -childID 2 -isForBrowser -prefsHandle 2892 -prefMapHandle 2888 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 832 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {26a9dac4-d7d7-429e-aaa3-684c24ba5a83} 2336 "\\.\pipe\gecko-crash-server-pipe.2336" 2904 1d6edf58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2336.4.358491895\167990230" -childID 3 -isForBrowser -prefsHandle 3624 -prefMapHandle 3628 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 832 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {554e4309-09fd-4442-8ccc-9cbfa71a591f} 2336 "\\.\pipe\gecko-crash-server-pipe.2336" 3636 1f11e058 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2336.5.1063037951\1093953086" -childID 4 -isForBrowser -prefsHandle 3760 -prefMapHandle 3764 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 832 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f0e5538-d3d9-47b9-a224-d553d694a27f} 2336 "\\.\pipe\gecko-crash-server-pipe.2336" 3748 1f11f258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2336.6.356191705\2076331059" -childID 5 -isForBrowser -prefsHandle 3920 -prefMapHandle 3924 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 832 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6da755a-7ef1-4e52-8ec4-b043df9b1b4b} 2336 "\\.\pipe\gecko-crash-server-pipe.2336" 3912 1f11f558 tab3⤵
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Payment_35.js"1⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\ProgramData\f8em5kk\client32.exe"C:\ProgramData\f8em5kk\client32.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.4MB
MD518605ec1a9b44bd056dfbeef79a27f89
SHA1a67fccff3666f82dc3b517a0bb9a76604c33c9f2
SHA2565d5e67fb50030d44113ab3fff345319a7fc366957c7f9368e94264416de2dbf1
SHA512e839b984a8c06924ef0507050ee406005eb166b8e8edf2c87dc79fecca5750b85d0ef5947183cc8360a3e67c83c33e663f771874b3d643e0150971a9ee056a22
-
Filesize
740KB
MD5975ea37829f057463e66b3c237f1c27a
SHA1972cb78912f7e975383a8137a2e982b25333e633
SHA2568b496688cf2d963eca198f0291d1448b0f357fbd764e22db7dcc7b252bd71562
SHA5128463210ed0238785848a65b0d51fbe6b0f67e01a1659a0db5ee9493a1ef3ea9fcd504246e3fde5898ad60692d106319845ebedf6bd9dc159e6b2bfe307ff3d8a
-
Filesize
1.0MB
MD5bba1fe328cea501fcce1e5df16276439
SHA1ed4ad3a8d6f0e3dd86abb19bc18127f960ea2131
SHA256f5522d2c936de8d53f97a6ec439d8f8391cb50a0bc6008a399f9454c00929d35
SHA5128f585d57baa39d3e5e6b62efea53b6b3797319ae86c0c4373774d08e284a49c0bd005e200ae4fabc789470b3f100f98c8ce503fd4702f79dcbf4be4aabc58a9e
-
Filesize
320KB
MD5c94005d2dcd2a54e40510344e0bb9435
SHA155b4a1620c5d0113811242c20bd9870a1e31d542
SHA2563c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899
SHA5122e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a
-
Filesize
755KB
MD50e37fbfa79d349d672456923ec5fbbe3
SHA14e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA2568793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA5122bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630
-
Filesize
195B
MD5e9609072de9c29dc1963be208948ba44
SHA103bbe27d0d1ba651ff43363587d3d6d2e170060f
SHA256dc6a52ad6d637eb407cc060e98dfeedcca1167e7f62688fb1c18580dd1d05747
SHA512f0e26aa63b0c7f1b31074b9d6eef88d0cfbc467f86b12205cb539a45b0352e77ce2f99f29baeab58960a197714e72289744143ba17975699d058fe75d978dfd0
-
Filesize
3.6MB
MD5d3d39180e85700f72aaae25e40c125ff
SHA1f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15
SHA25638684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5
SHA512471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f
-
Filesize
101KB
MD5c4f1b50e3111d29774f7525039ff7086
SHA157539c95cba0986ec8df0fcdea433e7c71b724c6
SHA25618df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d
SHA512005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5
-
Filesize
675B
MD5c2f1650f30a58d315d63afcb41477e2c
SHA107e4bc45bee544addb3adede9707eabdec07e59f
SHA25642c08ee408c75ed058844294e303143012063e6d0689d3b5ad7d8932be159803
SHA512a5acef1bfe7bdb81cb5361654c869a41fd14436e3de0aeffb1388dad1ee3b0bfb02cdeafe61c48395c696e4dcc2eea298bca38527144c35ee1180126b95b1137
-
Filesize
18KB
MD5104b30fef04433a2d2fd1d5f99f179fe
SHA1ecb08e224a2f2772d1e53675bedc4b2c50485a41
SHA256956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd
SHA5125efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f
-
Filesize
30KB
MD5ad5f37eb237e5d7131cf81809b40504e
SHA18fc3b9faf639f54793293b0cd516bda33aa22555
SHA256e61f023cd8f749fe4b98198181c33b2fde31671f6674413063b2d88880b1c443
SHA512399aee7dd7d6f914a8c0061c58cc837306d2422bfdf248954d8898675cb7d23de7d945d91c7231914546063906cd7296dcb161cee7a1d60a0977f7a6b449d3dc
-
Filesize
15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
Filesize
2KB
MD5fb59b3e89215cb52ba0dc519734562c0
SHA116b457488192043475eccb50e47f1eb8f84f9a15
SHA2564e98890473065e3de0d030b5351cec361c33080a6197cdf4a020486cffa971b8
SHA512f40f2706f43f3130a5a907f79886f21bc178880c82c50da0225d0a796c519d3c13a3f060b15da519faaafbe9cc1a31b5708428d4b1076242f8fada4a1893c4ad
-
Filesize
10KB
MD5a2fc85c0aad52dcf9d4ffc3808507ebd
SHA1ad398bdfa24db4e4b637f593f7ba222aa4016c4b
SHA256e2375e90ea05114a47a25d5cb8ec7ca2f9e9fec0efb393ecbb45e4198fb6d97d
SHA512fef2274632496b6f2c90bb7d5b4429a019007208fd7e3cd7222fdb9745f2fdf83401b71d098999d9f794e9949288fe35d78e8cb9f4058bbe0ce6513da0aa8f36
-
Filesize
745B
MD5126ed992137579b3a7443cb27a5e71f7
SHA1b1bdc8c02f3c905a2be2d9d443e63e756c6d6b51
SHA256b23b9cd56052f4a292e4539ab4c1691dcfdcb7e97fdb3ac4b63433de94679c8f
SHA51298a1497e61cf43f6fb7a16485b04c83a8493e6e166ba128320f09fd44232f2e4b464b1a53f05a94efd999e673d6449db580eff5745271055c7d9d65f871491fe
-
Filesize
997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
Filesize
116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
Filesize
479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
Filesize
372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
Filesize
11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
Filesize
1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
Filesize
1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
7KB
MD516bf30c048833e5e49a64c1a7286e532
SHA1a761f74e3b5176933f6e56e7d04ea14071c3e1bd
SHA2563550ebfff2348d66803c0c8e17deee6dc694b7ed12616ac424940756a281c6e1
SHA5124d42049737ee3065513f6ee601936028525e1ea6d3f411bca36e9cd974557257054eac834d7a82d0a2fb95767630f1d83a5f096d2ca04e46c77ef61117daf445
-
Filesize
6KB
MD5e3d4652ba39ebd8af8cd76c0bd314bf0
SHA1af89d095d3282bbb2b7e50ee4d4750ec1d2d5cf2
SHA256a3cb3d7c586c81eaf1058dd646d446d41817720e26596116a66d6206ad1041d7
SHA51297353c164fc87d3db1e373b70bb8a5bb88c51ebd90d9c9232e101508d3e50fc7f0d65fd42940bed72263ed5101819edabb746c48f2ce2672fc6ec9ad060991a7
-
Filesize
6KB
MD5adff8f164bac131901467914f337b0fe
SHA1683c66b8f6db8d18e10800ca81fa831583038a18
SHA256bc85de7f8039327712ee95cd2d5e23fcfac2a92b1c2914b509577267e5f5c759
SHA5122f69d2e1607c73f4f6228e07249c2f71a8eca7338fdbc00cf727309f2dcb0fd4fadede6cbc35080fed83ed2ba21c738ff2b365c1ad95baa325cd3452da55da39
-
Filesize
6KB
MD587c1b4d0c4dec3f62175cb29ddd61dbe
SHA11a515e12e90959425542bb29b8792ab9f98cb753
SHA25616a9050a13be4f2e6b8a2c66c0e4ccc11ee240fac46099b4a8ed568c9b29a393
SHA5126005aa8dd13be020fa478b98cc7e41ecf9ea7f08ea3d1988de49b5cbc4948a2ad9fb84740d58b02d3993a0aca4dd6adcdf9c8ce7654212fdc25d1854acf3d843
-
Filesize
939B
MD544d2af64551953427f1c0c55cb1cb3c6
SHA1290fd9df41b74f0e620619d058346b376c063ae7
SHA25637295e14818dff0f46e4189550f40b08f4caa21c398d6e7d40e5b5bb6e453a8d
SHA5127c52a99f81a27cfd1fa5c2fb3e6402d480d7db04f98f22360e7a6764b263c73eda08a62041c0a958949d72e970d0bc3e7b243878aa5a507969635f59e9dbed7c
-
Filesize
184KB
MD55671dbc213999ff86186bdae0d26380a
SHA1e8460f586eff0f9ea830903db27715d479299fe0
SHA256174c0c683d26c5eac26840c82d8ba41b01a5c1a0cd1c354268241d31bdd62ae4
SHA51285fe11d42a209cc086b84a06c8873e4ddad05547611b81ecdbb3a9a4ac7880c36fcbb4aba995bff5278f3ae0b469eb6814e3bfda24ddf7919f7377bfe7158cb8
-
Filesize
305KB
MD5613be2f3d8e38c1efb0695db731504d7
SHA1f0d898ab166ace2d8a6a298e5c8c9bc63bcb10fb
SHA256a54d6513e3f1538d8b7d8756cd09a208e04890aec4976d83882ed500e817e313
SHA512e93d31e429e8915a5e245d3d1b1a5800dfb52dc984abd9dd6a89db37e8512d075322dd3d827224384fd57b50b24fd5c38ba2c6c714ab2d457db4e5d14dd7035b
-
Filesize
4.0MB
MD5aa22b147ea79a429797315b0282a57b1
SHA19c3df87d03afc87a88b92ca9e52bc4593c1fc42e
SHA25618b281c467bde8cf246990bf8bacf1e8fd8d70107a04aa528f9f56343f15b690
SHA5126b665a7c648e352ef0e0ba79c1c0ca90d35c5036af8c2b476fde41a87df140f38ae5f9bde881f9c7da3714f6af6b3e883bc997e9efd2694224ff047e9ef1e563
-
Filesize
32KB
MD534dfb87e4200d852d1fb45dc48f93cfc
SHA135b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641
SHA2562d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703
SHA512f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2