Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

31/01/2025, 13:58

250131-raba1sxmhw 10

31/01/2025, 13:56

250131-q8rvzszjgm 10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/01/2025, 13:56

General

  • Target

    NetSupportInstall.bat

  • Size

    66B

  • MD5

    c64fd547b11cc65bfbb93bdbfa750eef

  • SHA1

    216ce7fa10a536b32b868746da7b970382c61453

  • SHA256

    7994b920cb245256765becf9fe5bd8e09b3525814846eed4296204b454303a15

  • SHA512

    60afdc2621be2491eaa4ddda0c1f7aa689c18a022646292afed94d92a8344622bc05c36738724dbedcc1c5310ad57890e1ab9142b06c5f9127e5bedb987a2179

Malware Config

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as a legitimate system administration software.

  • Netsupport family
  • Drops file in Drivers directory 2 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 17 IoCs
  • Loads dropped DLL 64 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 10 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NetSupportInstall.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2584
    • C:\Users\Admin\AppData\Local\Temp\NetSupport School 15.10.0003.exe
      "NetSupport School 15.10.0003" /S /v/qn
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Windows\SysWOW64\MSIEXEC.EXE
        "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Temp\{04A6110F-8E25-4C5A-82AC-94D7442363AA}\NetSupport School.msi" /qn SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="NetSupport School 15.10.0003.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4560
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4656
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 102A92A484DF2A66A4703288BF7A64B4
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3964
    • C:\Windows\system32\cmd.exe
      cmd.exe /c ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\\nsm.lic
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4828
      • C:\Windows\SysWOW64\attrib.exe
        ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\\nsm.lic
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:4252
    • C:\Windows\system32\cmd.exe
      cmd.exe /c ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\\nsm.lic
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3908
      • C:\Windows\SysWOW64\attrib.exe
        ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\\nsm.lic
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:1972
    • C:\Windows\Installer\MSID746.tmp
      "C:\Windows\Installer\MSID746.tmp" /p "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\\Detect64LSP.txt"
      2⤵
      • Executes dropped EXE
      PID:1888
    • C:\Windows\Installer\MSID7C4.tmp
      "C:\Windows\Installer\MSID7C4.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport School\" /EU
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3008
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding BBFAD4EC6E2D1A102C3337ECE1699BC2 E Global\MSI0000
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      PID:1440
    • C:\Windows\Installer\MSIDDB8.tmp
      "C:\Windows\Installer\MSIDDB8.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport School\" /EU
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4296
    • C:\Program Files (x86)\NetSupport\NetSupport School\checkdvd.exe
      "C:\Program Files (x86)\NetSupport\NetSupport School\checkdvd.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3504
    • C:\Windows\Installer\MSIE76F.tmp
      "C:\Windows\Installer\MSIE76F.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport School\" /EC /Q /Q /C
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:32
    • C:\Windows\Installer\MSIE8F7.tmp
      "C:\Windows\Installer\MSIE8F7.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport School\" /EV"NetSupport School" /EC /Q /Q /I *
      2⤵
      • Sets service image path in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4984
      • C:\Program Files (x86)\NetSupport\NetSupport School\winst64.exe
        winst64.exe /q /q /i
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Modifies registry class
        PID:4132
    • C:\Windows\system32\cmd.exe
      cmd.exe /c secedit /configure /areas SECURITYPOLICY /db hisecws.sdb /cfg "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\NS.inf" /log "C:\Program Files (x86)\NetSupport\NetSupport School\sec.log" /overwrite /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3752
      • C:\Windows\SysWOW64\SecEdit.exe
        secedit /configure /areas SECURITYPOLICY /db hisecws.sdb /cfg "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\NS.inf" /log "C:\Program Files (x86)\NetSupport\NetSupport School\sec.log" /overwrite /quiet
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2088
    • C:\Program Files (x86)\NetSupport\NetSupport School\pcicfgui_setup.exe
      "C:\Program Files (x86)\NetSupport\NetSupport School\pcicfgui_setup.exe" /Q "C:\Program Files (x86)\NetSupport\NetSupport School\Client32.ini"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Program Files (x86)\NetSupport\NetSupport School\pcicfgui_setup.exe
        "C:\Program Files (x86)\NetSupport\NetSupport School\pcicfgui_setup.exe"
        3⤵
        • Executes dropped EXE
        PID:3296
    • C:\Windows\Installer\MSIF53E.tmp
      "C:\Windows\Installer\MSIF53E.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport School\" /EI
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1292
  • C:\Program Files (x86)\NetSupport\NetSupport School\client32.exe
    "C:\Program Files (x86)\NetSupport\NetSupport School\client32.exe" /* *
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1848
    • C:\Program Files (x86)\NetSupport\NetSupport School\client32.exe
      "C:\Program Files (x86)\NetSupport\NetSupport School\client32.exe" * /VistaUI
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2080
      • C:\Program Files (x86)\NetSupport\NetSupport School\winst64.exe
        "C:\Program Files (x86)\NetSupport\NetSupport School\winst64.exe" /Q /Q /EBa024e,0
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:844
      • C:\Program Files (x86)\NetSupport\NetSupport School\runplugin.exe
        "C:\Program Files (x86)\NetSupport\NetSupport School\runplugin.exe" /USER=SYSTEM
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:5004
      • C:\Program Files (x86)\NetSupport\NetSupport School\runplugin64.exe
        "C:\Program Files (x86)\NetSupport\NetSupport School\runplugin64.exe" /USER=SYSTEM
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:4920
      • C:\Program Files (x86)\NetSupport\NetSupport School\runplugin.exe
        "C:\Program Files (x86)\NetSupport\NetSupport School\runplugin.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4076
      • C:\Program Files (x86)\NetSupport\NetSupport School\runplugin64.exe
        "C:\Program Files (x86)\NetSupport\NetSupport School\runplugin64.exe"
        3⤵
        • Executes dropped EXE
        PID:3592

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\e57c75a.rbs

    Filesize

    52KB

    MD5

    fc7c0e70a1bf51f4d06a17f7fe1592f3

    SHA1

    ada183231218428be1defaf8dc86288f78a26116

    SHA256

    2e5642aacee53a478e1af80e88746957990f9a2bec84cbcbe529da9dc0884188

    SHA512

    18f1afd34b737fa7586c3da386c096ac5da5dfcb1609405b333b95c0834764f12aa53cf22db1623eba9a937f34a58d587917fef962b66e41cd6f9224d503a29d

  • C:\Program Files (x86)\NetSupport\NetSupport School\WINSTALL.EXE

    Filesize

    745KB

    MD5

    0228cb02aa58ef2876713130990c8ccf

    SHA1

    f6766273a186b6911a6127fbb5af90125e267bbe

    SHA256

    3651a2131f423c5c553476236be7ad4f26a63c67d872c3b9ecc135d1d184b1ed

    SHA512

    a07664e639252a2bd34f42fb6907b95889d31657aa81fcdeea4b171bf3410bd3d56f5e404ee8fc16938d826f7cfffc46efcfe74126afec6e87cb048618d26e89

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NetSupport School\NetSupport School Student Configurator.lnk

    Filesize

    2KB

    MD5

    c4ee9286b9f616243f89db8e142640a5

    SHA1

    a9ac321858bfe4484588a1c367da7c475a4023fd

    SHA256

    9437650bc48c7a859b7407a48bde931662de8d8e7343971182d16723b12f1fe0

    SHA512

    a1dbc6487c5357919b942556f1dd051aeda23017f1ae636807d8f07cc0550b2baac0685bfe9b8da61bf03a4b2019e24f9b8a2efcb7bf2e5866e8f3a77df77157

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NetSupport School\NetSupport School Student Configurator.lnk~RFe57e6e5.TMP

    Filesize

    2KB

    MD5

    78d63a2281f694d3be134a9ed40bb713

    SHA1

    fe122d98690fdd788171d23825ffd20f51f14d4d

    SHA256

    d0ec7a2a637043d8f29b7f5b74c442b2a53b8d851e6d21b53c37a0fda8ac3618

    SHA512

    0667c3863e0852dccb39461de32cf7584305f8498d84d64ccf2110b09790595c142fdbc1bd5fc7f03baed284e5149b0c1aad98e5e5093fe5e86ff3304ea0e795

  • C:\Users\Admin\AppData\Local\Temp\DLL_{F021B863-9473-4467-93B2-6FC48C30E42F}.ini

    Filesize

    4KB

    MD5

    66842a7c0f23f5fa9344147b73ea41cf

    SHA1

    b8d435d72bac5231cafcbe032f2c5b106e6b4c8b

    SHA256

    b862ef26d002235865f04e145acbee1e0de012e1816a212b05df0d29fe0a3f17

    SHA512

    572572eaa60ce6d2c83595865573899b96b886433184e46fbc32a0a64fcf9ded5985b7d6040710cc9a35299ab1bc1b26ec8b9887eb49bd148b32130b2a5104a6

  • C:\Users\Admin\AppData\Local\Temp\{04A6110F-8E25-4C5A-82AC-94D7442363AA}\0x0409.ini

    Filesize

    21KB

    MD5

    a108f0030a2cda00405281014f897241

    SHA1

    d112325fa45664272b08ef5e8ff8c85382ebb991

    SHA256

    8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948

    SHA512

    d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298

  • C:\Users\Admin\AppData\Local\Temp\{04A6110F-8E25-4C5A-82AC-94D7442363AA}\Setup.INI

    Filesize

    5KB

    MD5

    6fbf86629f47eca07aaed1a95fc56777

    SHA1

    55fe7be7e600b74d5b67a66ce0d7c379c41bf550

    SHA256

    32687c846ddb54be27dd5a4f2674ef4ce08b1d3cf8621301e36b319df28ecb26

    SHA512

    89832543df122de7b0cb2cca77624e1f993b499f6d8bd514a2e86fae72867ae3e26f2c130cc216c9929d65ab7f55f93feafc549053f29157fcfd8061baf8cb84

  • C:\Users\Admin\AppData\Local\Temp\{04A6110F-8E25-4C5A-82AC-94D7442363AA}\_ISMSIDEL.INI

    Filesize

    668B

    MD5

    f897539910b6f973077e4312ac449035

    SHA1

    356cf427f015c8696adacc1b52ace2c5f88b987d

    SHA256

    ab040258dd6681133c309e7704d8c59ce296ff89a9d7f0b194f49517915faa51

    SHA512

    95a176bb206f8e537fc2a3f9d31918c64987768ac4af46d5d6d6226c5678bb82a4196d53b55e0d79550580601bb58fdbe6111c9c22f42f6a5f4659fded4c1bb4

  • C:\Users\Admin\AppData\Local\Temp\{04A6110F-8E25-4C5A-82AC-94D7442363AA}\_ISMSIDEL.INI

    Filesize

    20B

    MD5

    db9af7503f195df96593ac42d5519075

    SHA1

    1b487531bad10f77750b8a50aca48593379e5f56

    SHA256

    0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

    SHA512

    6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

  • C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\Client32.upd

    Filesize

    25B

    MD5

    c05c19b006d57dd4c90785cbe5c7877b

    SHA1

    34beebb832e53e4a3b9b3349919689fdf1401151

    SHA256

    00e0c629d5645c15df66adcf99e8a0a3e517d7a7876141ae7a752f0585eec047

    SHA512

    bede1e24476a12e9b1f29962254b19b357bfdfbe5c6eec9a2fca6c1b2105f4cec1d5872f6be269ef39d6e5cc542dc587ea9555ef87687bac64b3ff0de16c0f8c

  • C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\NSM.LIC

    Filesize

    282B

    MD5

    39030ae352cc16a7fd0bf49261d97403

    SHA1

    485f2944ead7b484a052c2f436ed950327bfc961

    SHA256

    52703269ec26d1988de1efda21597a3faf563e980e1afc5434441ecd34d80ded

    SHA512

    7c89c1263b693e0802379bfbbd785d354b0686f354abb2aa9f982b3c53dda316d7c584a3af0d4b3fc1a072c49986fa4b93a99b63d9dc2645f798ff8913a29a3d

  • C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\product.dat

    Filesize

    506B

    MD5

    ff7c0d2dbb9195083bbabaff482d5ed6

    SHA1

    5c2efbf855c376ce1b93e681c54a367a407495dc

    SHA256

    065d817596d710d5a06060241acc207b82b844530cc56ff842ff53d8ff92a075

    SHA512

    ea226b3a55fc59175136f104df497ebf5055624fb1c1c8073b249dfc5e1ed5818a6feee995aa82cf9ed050f1adc7a62994c90b1af03569dfe0d4551ee2bc70c9

  • C:\Windows\Installer\MSICBFB.tmp

    Filesize

    169KB

    MD5

    0e6fda2b8425c9513c774cf29a1bc72d

    SHA1

    a79ffa24cb5956398ded44da24793a2067b85dd0

    SHA256

    e946b2fae0b36c43064463a8c16a2774adac30c4188c5af90e9338b903c501c9

    SHA512

    285bb7759a1214abed36162ac8be2d48df17a05278c4de97562448e20fd43b635563a6819f37e23d92a5f5ed0205a68bffe43dac0d3a67513bd0303b4e7f89aa

  • C:\Windows\Installer\MSICCF6.tmp

    Filesize

    511KB

    MD5

    d524b639a3a088155981b9b4efa55631

    SHA1

    39d8eea673c02c1522b110829b93d61310555b98

    SHA256

    03d91c8cd20b846625a092a3dae6a12369930c65d6216a455a00449ebb0dc289

    SHA512

    84f8ab54122f93a40da08fd83bca767ab49eb0f73c4ab274d9bda11dd09224134df011fa02e5a3abbafcc6fbef6a60673dd48feabdf829a1e22c85a2a759b7ac

  • C:\Windows\Installer\MSICD06.tmp

    Filesize

    487KB

    MD5

    d21afcbb8d2e5a043841b4d145af1df6

    SHA1

    849db8ddad9e942bfe20a50666d17484b56a26e3

    SHA256

    c9d4fd904650e4e53de4018951906c1434420d65cdb33e48c23b6c22bc9fdd4c

    SHA512

    ecb8fbb2826f7f47eed46897701d42873b17b7599cd785ca54e900b793e3de1179c4d6441f317aa5298ae52c1c11157ae43b11822aa0076b9ec93ad5e46f0225

  • C:\Windows\Installer\MSICEC1.tmp

    Filesize

    153KB

    MD5

    a1b7850763af9593b66ee459a081bddf

    SHA1

    6e45955fae2b2494902a1b55a3873e542f0f5ce4

    SHA256

    41b8e92deba5206c78817236ed7f44df95636ca748d95fab05f032f5aec186af

    SHA512

    a87a302a9a0d19d7ce293b42f5e7bc09664b21307a5321f226157fcc57eb2df2b59c6651878cb23969a182c82b55e8671ff00f8462194b81a907974a49cb25b1

  • C:\Windows\Installer\MSIE72F.tmp

    Filesize

    244KB

    MD5

    c4ca339bc85aae8999e4b101556239dd

    SHA1

    d090fc385e0002e35db276960a360c67c4fc85cd

    SHA256

    4ab23609cdc64d10b97c9ccb285ed7100f55d54d983cd50762da25ecac4357f9

    SHA512

    9185ec32545fc838d7fef6c9e4dd222dd02114c661b0b344f16287d55e6571bfe7a4233a852acc579d07bcdbab18c5c034c465b1f4bb78535ed51c3499087fe0

  • memory/2080-550-0x0000000007160000-0x0000000007284000-memory.dmp

    Filesize

    1.1MB

  • memory/2796-502-0x0000000002600000-0x00000000027A3000-memory.dmp

    Filesize

    1.6MB