netsupport | 6bdf18220b60167f19d0294e351432cbe3ec83e905b620dcad8aea8260d3fbf3

Resubmissions

31/01/2025, 13:58

250131-raba1sxmhw 10

31/01/2025, 13:56

250131-q8rvzszjgm 10

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
31/01/2025, 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NetSupportInstall.bat
Size

66B
MD5

c64fd547b11cc65bfbb93bdbfa750eef
SHA1

216ce7fa10a536b32b868746da7b970382c61453
SHA256

7994b920cb245256765becf9fe5bd8e09b3525814846eed4296204b454303a15
SHA512

60afdc2621be2491eaa4ddda0c1f7aa689c18a022646292afed94d92a8344622bc05c36738724dbedcc1c5310ad57890e1ab9142b06c5f9127e5bedb987a2179

Score

10^/10

netsupport discovery persistence privilege_escalation rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
Netsupport family
netsupport

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\nskbfltr2.sys	winst64.exe
File created	C:\Windows\system32\drivers\nskbfltr.sys	winst64.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nskbfltr\ImagePath = "\\SystemRoot\\system32\\drivers\\nskbfltr.sys"	MSIE8F7.tmp

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 17 IoCs

pid	Process
1888	MSID746.tmp
3008	MSID7C4.tmp
4296	MSIDDB8.tmp
3504	checkdvd.exe
32	MSIE76F.tmp
4984	MSIE8F7.tmp
4132	winst64.exe
2796	pcicfgui_setup.exe
3296	pcicfgui_setup.exe
1292	MSIF53E.tmp
1848	client32.exe
2080	client32.exe
844	winst64.exe
5004	runplugin.exe
4920	runplugin64.exe
4076	runplugin.exe
3592	runplugin64.exe

Loads dropped DLL 64 IoCs

pid	Process
3964	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
1440	MsiExec.exe
1440	MsiExec.exe
1440	MsiExec.exe
1440	MsiExec.exe
1440	MsiExec.exe
4132	winst64.exe
4984	MSIE8F7.tmp
1440	MsiExec.exe
3964	MsiExec.exe
2796	pcicfgui_setup.exe
2796	pcicfgui_setup.exe
2796	pcicfgui_setup.exe
2796	pcicfgui_setup.exe
2796	pcicfgui_setup.exe
1848	client32.exe
1848	client32.exe
1848	client32.exe
1848	client32.exe
1848	client32.exe
1848	client32.exe
1848	client32.exe
1848	client32.exe
3964	MsiExec.exe
3964	MsiExec.exe
3964	MsiExec.exe
2080	client32.exe
2080	client32.exe
2080	client32.exe
2080	client32.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
19	4656	msiexec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	runplugin.exe
File opened (read-only)	\??\Y:	runplugin.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	runplugin.exe
File opened (read-only)	\??\K:	runplugin.exe
File opened (read-only)	\??\G:	runplugin64.exe
File opened (read-only)	\??\I:	runplugin64.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	runplugin.exe
File opened (read-only)	\??\R:	runplugin.exe
File opened (read-only)	\??\B:	runplugin64.exe
File opened (read-only)	\??\M:	runplugin64.exe
File opened (read-only)	\??\N:	runplugin.exe
File opened (read-only)	\??\A:	runplugin64.exe
File opened (read-only)	\??\E:	runplugin64.exe
File opened (read-only)	\??\T:	runplugin64.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	runplugin.exe
File opened (read-only)	\??\F:	runplugin64.exe
File opened (read-only)	\??\H:	runplugin64.exe
File opened (read-only)	\??\P:	runplugin64.exe
File opened (read-only)	\??\U:	runplugin64.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	runplugin.exe
File opened (read-only)	\??\Z:	runplugin64.exe
File opened (read-only)	\??\L:	runplugin.exe
File opened (read-only)	\??\V:	runplugin64.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	runplugin.exe
File opened (read-only)	\??\F:	runplugin.exe
File opened (read-only)	\??\J:	runplugin64.exe
File opened (read-only)	\??\N:	runplugin64.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	runplugin.exe
File opened (read-only)	\??\Z:	runplugin.exe
File opened (read-only)	\??\S:	runplugin64.exe
File opened (read-only)	\??\X:	runplugin64.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	runplugin.exe
File opened (read-only)	\??\R:	runplugin64.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	runplugin.exe
File opened (read-only)	\??\H:	runplugin.exe
File opened (read-only)	\??\O:	runplugin.exe
File opened (read-only)	\??\Q:	runplugin.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	runplugin.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	runplugin.exe
File opened (read-only)	\??\K:	runplugin64.exe
File opened (read-only)	\??\W:	runplugin64.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\S:	runplugin.exe
File opened (read-only)	\??\L:	runplugin64.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "0"	MSIE8F7.tmp

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\client32provider.dll	winst64.exe
File created	C:\Windows\SysWOW64\pcimsg.dll	MSIE8F7.tmp
File opened for modification	C:\Windows\SysWOW64\pcimsg.dll	MSIE8F7.tmp
File created	C:\Windows\system32\client32provider.dll	winst64.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2796	pcicfgui_setup.exe
2796	pcicfgui_setup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\NetSupport\NetSupport School\nsmexec.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\blockapp.jpg	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\gdihook5.INF	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\pcivideovi.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\nssres_250.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-core-processthreads-l1-1-1.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-crt-locale-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\PCINSSCD.EXE	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\pluginiemodule.DLL	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\PciHooksApp64.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\pcicfgui_setup.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\NetSupport\NetSupport School\client32u.ini	MSIE8F7.tmp
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-core-interlocked-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\ucrtbase.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\pcicapi.DLL	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\PCICTL.DLL	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\Control.kbd	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\startlogo.bmp	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-core-processenvironment-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-crt-private-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-core-handle-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\nss_lock_image_ws.jpg	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\PluginSoftwareModule64.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\NSS.ini	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-core-datetime-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-core-processthreads-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-crt-conio-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\PCIAPPCTRL.DLL	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\Client32Provider.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\KeyShowHook64.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\NSL\WdfCoinstaller01009.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\pcicfgui.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-core-memory-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\NSM.LIC	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\icule51.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\icuuc51.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\pluginprintmanmodule.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\keyShow64.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\ismetro.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\StoreSoftwareCtl.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\nspowershell.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\BCGCBPRO3350u141.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\ReportDb.htf	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\url_list.gif	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-core-synch-l1-2-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-crt-convert-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\DBI.EXE	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\pluginsoftwaremodule.DLL	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\runplugin.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\PciHooks64.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\supporttool.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-core-string-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\clhook4.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\NSSecurity.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\Sounds\StudentAnswered.wav	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\Sounds\ShowAnswer.wav	msiexec.exe
File opened for modification	C:\Program Files (x86)\NetSupport\NetSupport School\_Shared Data.lnk	MSIE8F7.tmp
File created	C:\Program Files (x86)\NetSupport\NetSupport School\PCIIMAGE.DLL	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\pciinv.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\msvcr100.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\nskbfltr.sys	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-crt-time-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-core-sysinfo-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-core-util-l1-1-0.dll	msiexec.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSID2C9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID3D5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\schdesigner.exe_5E9E1DA4475445BE9255D1E30AFF412C.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICBFB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICCF6.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{F021B863-9473-4467-93B2-6FC48C30E42F}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID244.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDA18.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\NewShortcut5_0CEE40B1A09F47C29DE0582B6A44A9EC_1.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\NewShortcut1_1045CC3CC07549BB86C478A6B724F98D.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE72F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICDE4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID234.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID7C4.tmp	msiexec.exe
File created	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\schdesigner.exe_5E9E1DA4475445BE9255D1E30AFF412C.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\NewShortcut8_134A4E1756504D7CA2A1E16C4AA879D9.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\VideoShortcutWin7Abo_484D413D0D3342A2A692F037061C1AA9.exe	msiexec.exe
File opened for modification	C:\Windows\setupact.log	MSIE8F7.tmp
File opened for modification	C:\Windows\Installer\MSIF9C4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID483.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDDB8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\NewShortcut3_80D45F4DD8E3472CB2C7080AAA34AB2A.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF9D5.tmp	msiexec.exe
File created	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\NewShortcut8_134A4E1756504D7CA2A1E16C4AA879D9.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICE81.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID1D3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID3E6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDAC5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF145.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICD06.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICD95.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID2B8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDA07.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE76F.tmp	msiexec.exe
File created	C:\Windows\Installer\e57c75b.msi	msiexec.exe
File created	C:\Windows\Installer\e57c757.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID2A7.tmp	msiexec.exe
File created	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\pcinssui.exe1_28874BA5F8594ADCBE8AB571ECB4C1AB.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\NewShortcut3_80D45F4DD8E3472CB2C7080AAA34AB2A.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICEC1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID233.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDFEB.tmp	msiexec.exe
File created	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\pcideply.exe_5E9E1DA4475445BE9255D1E30AFF412C.exe	msiexec.exe
File opened for modification	C:\Windows\setuperr.log	MSIE8F7.tmp
File opened for modification	C:\Windows\Installer\MSID1A3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID2CA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID735.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE8F7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID5DC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDC6D.tmp	msiexec.exe
File created	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\pcinssui.exe_5E9E1DA4475445BE9255D1E30AFF412C.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF53E.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID173.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID245.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID257.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\NewShortcut4_28874BA5F8594ADCBE8AB571ECB4C1AB.exe	msiexec.exe
File created	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\NewShortcut5_0CEE40B1A09F47C29DE0582B6A44A9EC_1.exe	msiexec.exe
File created	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\VideoShortcutWin7Abo_484D413D0D3342A2A692F037061C1AA9.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF9B4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57c757.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEXEC.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIE8F7.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pcicfgui_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIF53E.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	checkdvd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIE76F.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runplugin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecEdit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runplugin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetSupport School 15.10.0003.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSID7C4.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIDDB8.tmp

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Isolation_old_student = "PMEM"	client32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Isolation = "PMIL"	client32.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%systemroot%\system32\FirewallControlPanel.dll,-12122 = "Windows Defender Firewall"	client32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0"	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-11 = "Power saver"	client32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	client32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-15 = "Balanced"	client32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-13 = "High performance"	client32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show	MSIE8F7.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nd8d7bad1	MSIE8F7.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nd8d7bad1\a = "S"	MSIE8F7.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\368B120F37497644392BF64CC8034EF2\Student = "NSS"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\368B120F37497644392BF64CC8034EF2\ProductIcon = "C:\\Windows\\Installer\\{F021B863-9473-4467-93B2-6FC48C30E42F}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\368B120F37497644392BF64CC8034EF2\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\368B120F37497644392BF64CC8034EF2\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\368B120F37497644392BF64CC8034EF2\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\368B120F37497644392BF64CC8034EF2\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rpf\ = "NSReplayFile"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell\show	MSIE8F7.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile\shell\show	MSIE8F7.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell\show\command\ = "\"C:\\Program Files (x86)\\NetSupport\\NetSupport School\\pcinssui.exe\" /ShowVideo \"%L\""	MSIE8F7.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71C5A887-11E0-4c5a-9B9B-D4A074555692}	winst64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\368B120F37497644392BF64CC8034EF2\Common = "NSS"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\368B120F37497644392BF64CC8034EF2\UseOnlineHelpYes = "Common"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\368B120F37497644392BF64CC8034EF2\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\BrowserFlags = "8"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell\Play	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\368B120F37497644392BF64CC8034EF2\InstalledBySetup = "Common"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\368B120F37497644392BF64CC8034EF2\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell\ = "Play"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\ = "NetSupport School Replay File"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell\Play\Command\ = "\"C:\\Program Files (x86)\\NetSupport\\NetSupport School\\client32.exe\" /r\"%1\""	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell	MSIE8F7.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\368B120F37497644392BF64CC8034EF2\Configurator = "NSS"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.rpf	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell\Play\Command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nd8d7bad1	MSIE76F.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell\show\command	MSIE8F7.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\movfile	MSIE8F7.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show\command	MSIE8F7.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile\shell\show\command	MSIE8F7.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\368B120F37497644392BF64CC8034EF2\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\368B120F37497644392BF64CC8034EF2\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\{04A6110F-8E25-4C5A-82AC-94D7442363AA}\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\NSReplayFile	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell\show\command	MSIE8F7.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell\show	MSIE8F7.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell\show\ = "&Show with NetSupport School"	MSIE8F7.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\NSReplayFile\DefaultIcon	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell\show\command	MSIE8F7.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\368B120F37497644392BF64CC8034EF2\Temp = "NSS"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\368B120F37497644392BF64CC8034EF2\ProductName = "NetSupport School"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\368B120F37497644392BF64CC8034EF2\PackageCode = "FB5CF6184E1C03947993AD8D0BD0DFCB"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\368B120F37497644392BF64CC8034EF2\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell\show	MSIE8F7.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell\show\command\ = "\"C:\\Program Files (x86)\\NetSupport\\NetSupport School\\pcinssui.exe\" /ShowVideo \"%L\""	MSIE8F7.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show\command\ = "\"C:\\Program Files (x86)\\NetSupport\\NetSupport School\\pcinssui.exe\" /ShowVideo \"%L\""	MSIE8F7.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell	MSIE8F7.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71C5A887-11E0-4c5a-9B9B-D4A074555692}\InProcServer32	winst64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\943C1EEA70369E845B409AAF32BEB8CD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\368B120F37497644392BF64CC8034EF2\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\{04A6110F-8E25-4C5A-82AC-94D7442363AA}\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\368B120F37497644392BF64CC8034EF2\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell	MSIE8F7.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile	MSIE8F7.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile\shell	MSIE8F7.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\368B120F37497644392BF64CC8034EF2	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\368B120F37497644392BF64CC8034EF2\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell\show\ = "&Show with NetSupport School"	MSIE8F7.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show\ = "&Show with NetSupport School"	MSIE8F7.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71C5A887-11E0-4c5a-9B9B-D4A074555692}\InProcServer32\ThreadingModel = "Apartment"	winst64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile	MSIE8F7.tmp

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2080	client32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3964	MsiExec.exe
3964	MsiExec.exe
4656	msiexec.exe
4656	msiexec.exe
4984	MSIE8F7.tmp
4984	MSIE8F7.tmp
4984	MSIE8F7.tmp
4984	MSIE8F7.tmp
1848	client32.exe
1848	client32.exe
2080	client32.exe
2080	client32.exe
4920	runplugin64.exe
4920	runplugin64.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5004	runplugin.exe
4920	runplugin64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4560	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	4560	MSIEXEC.EXE
Token: SeSecurityPrivilege	4656	msiexec.exe
Token: SeCreateTokenPrivilege	4560	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	4560	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	4560	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	4560	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	4560	MSIEXEC.EXE
Token: SeTcbPrivilege	4560	MSIEXEC.EXE
Token: SeSecurityPrivilege	4560	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	4560	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	4560	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	4560	MSIEXEC.EXE
Token: SeSystemtimePrivilege	4560	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	4560	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	4560	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	4560	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	4560	MSIEXEC.EXE
Token: SeBackupPrivilege	4560	MSIEXEC.EXE
Token: SeRestorePrivilege	4560	MSIEXEC.EXE
Token: SeShutdownPrivilege	4560	MSIEXEC.EXE
Token: SeDebugPrivilege	4560	MSIEXEC.EXE
Token: SeAuditPrivilege	4560	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	4560	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	4560	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	4560	MSIEXEC.EXE
Token: SeUndockPrivilege	4560	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	4560	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	4560	MSIEXEC.EXE
Token: SeManageVolumePrivilege	4560	MSIEXEC.EXE
Token: SeImpersonatePrivilege	4560	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	4560	MSIEXEC.EXE
Token: SeRestorePrivilege	4656	msiexec.exe
Token: SeTakeOwnershipPrivilege	4656	msiexec.exe
Token: SeRestorePrivilege	4656	msiexec.exe
Token: SeTakeOwnershipPrivilege	4656	msiexec.exe
Token: SeRestorePrivilege	4656	msiexec.exe
Token: SeTakeOwnershipPrivilege	4656	msiexec.exe
Token: SeRestorePrivilege	4656	msiexec.exe
Token: SeTakeOwnershipPrivilege	4656	msiexec.exe
Token: SeRestorePrivilege	4656	msiexec.exe
Token: SeTakeOwnershipPrivilege	4656	msiexec.exe
Token: SeRestorePrivilege	4656	msiexec.exe
Token: SeTakeOwnershipPrivilege	4656	msiexec.exe
Token: SeRestorePrivilege	4656	msiexec.exe
Token: SeTakeOwnershipPrivilege	4656	msiexec.exe
Token: SeRestorePrivilege	4656	msiexec.exe
Token: SeTakeOwnershipPrivilege	4656	msiexec.exe
Token: SeRestorePrivilege	4656	msiexec.exe
Token: SeTakeOwnershipPrivilege	4656	msiexec.exe
Token: SeRestorePrivilege	4656	msiexec.exe
Token: SeTakeOwnershipPrivilege	4656	msiexec.exe
Token: SeRestorePrivilege	4656	msiexec.exe
Token: SeTakeOwnershipPrivilege	4656	msiexec.exe
Token: SeRestorePrivilege	4656	msiexec.exe
Token: SeTakeOwnershipPrivilege	4656	msiexec.exe
Token: SeRestorePrivilege	4656	msiexec.exe
Token: SeTakeOwnershipPrivilege	4656	msiexec.exe
Token: SeRestorePrivilege	4656	msiexec.exe
Token: SeTakeOwnershipPrivilege	4656	msiexec.exe
Token: SeRestorePrivilege	4656	msiexec.exe
Token: SeTakeOwnershipPrivilege	4656	msiexec.exe
Token: SeRestorePrivilege	4656	msiexec.exe
Token: SeTakeOwnershipPrivilege	4656	msiexec.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2080	client32.exe
2080	client32.exe
2080	client32.exe
2080	client32.exe
2080	client32.exe
2080	client32.exe
2080	client32.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2080	client32.exe
2080	client32.exe
2080	client32.exe
2080	client32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
844	winst64.exe
5004	runplugin.exe
4920	runplugin64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 1812	2584	cmd.exe	85
PID 2584 wrote to memory of 1812	2584	cmd.exe	85
PID 2584 wrote to memory of 1812	2584	cmd.exe	85
PID 1812 wrote to memory of 4560	1812	NetSupport School 15.10.0003.exe	86
PID 1812 wrote to memory of 4560	1812	NetSupport School 15.10.0003.exe	86
PID 1812 wrote to memory of 4560	1812	NetSupport School 15.10.0003.exe	86
PID 4656 wrote to memory of 3964	4656	msiexec.exe	89
PID 4656 wrote to memory of 3964	4656	msiexec.exe	89
PID 4656 wrote to memory of 3964	4656	msiexec.exe	89
PID 4656 wrote to memory of 4828	4656	msiexec.exe	90
PID 4656 wrote to memory of 4828	4656	msiexec.exe	90
PID 4828 wrote to memory of 4252	4828	cmd.exe	92
PID 4828 wrote to memory of 4252	4828	cmd.exe	92
PID 4828 wrote to memory of 4252	4828	cmd.exe	92
PID 4656 wrote to memory of 3908	4656	msiexec.exe	93
PID 4656 wrote to memory of 3908	4656	msiexec.exe	93
PID 3908 wrote to memory of 1972	3908	cmd.exe	95
PID 3908 wrote to memory of 1972	3908	cmd.exe	95
PID 3908 wrote to memory of 1972	3908	cmd.exe	95
PID 4656 wrote to memory of 1888	4656	msiexec.exe	96
PID 4656 wrote to memory of 1888	4656	msiexec.exe	96
PID 4656 wrote to memory of 3008	4656	msiexec.exe	98
PID 4656 wrote to memory of 3008	4656	msiexec.exe	98
PID 4656 wrote to memory of 3008	4656	msiexec.exe	98
PID 4656 wrote to memory of 1440	4656	msiexec.exe	99
PID 4656 wrote to memory of 1440	4656	msiexec.exe	99
PID 4656 wrote to memory of 1440	4656	msiexec.exe	99
PID 4656 wrote to memory of 4296	4656	msiexec.exe	100
PID 4656 wrote to memory of 4296	4656	msiexec.exe	100
PID 4656 wrote to memory of 4296	4656	msiexec.exe	100
PID 4656 wrote to memory of 3504	4656	msiexec.exe	101
PID 4656 wrote to memory of 3504	4656	msiexec.exe	101
PID 4656 wrote to memory of 3504	4656	msiexec.exe	101
PID 4656 wrote to memory of 32	4656	msiexec.exe	102
PID 4656 wrote to memory of 32	4656	msiexec.exe	102
PID 4656 wrote to memory of 32	4656	msiexec.exe	102
PID 4656 wrote to memory of 4984	4656	msiexec.exe	103
PID 4656 wrote to memory of 4984	4656	msiexec.exe	103
PID 4656 wrote to memory of 4984	4656	msiexec.exe	103
PID 4984 wrote to memory of 4132	4984	MSIE8F7.tmp	104
PID 4984 wrote to memory of 4132	4984	MSIE8F7.tmp	104
PID 4656 wrote to memory of 3752	4656	msiexec.exe	105
PID 4656 wrote to memory of 3752	4656	msiexec.exe	105
PID 3752 wrote to memory of 2088	3752	cmd.exe	107
PID 3752 wrote to memory of 2088	3752	cmd.exe	107
PID 3752 wrote to memory of 2088	3752	cmd.exe	107
PID 4656 wrote to memory of 2796	4656	msiexec.exe	108
PID 4656 wrote to memory of 2796	4656	msiexec.exe	108
PID 4656 wrote to memory of 2796	4656	msiexec.exe	108
PID 2796 wrote to memory of 3296	2796	pcicfgui_setup.exe	109
PID 2796 wrote to memory of 3296	2796	pcicfgui_setup.exe	109
PID 2796 wrote to memory of 3296	2796	pcicfgui_setup.exe	109
PID 4656 wrote to memory of 1292	4656	msiexec.exe	111
PID 4656 wrote to memory of 1292	4656	msiexec.exe	111
PID 4656 wrote to memory of 1292	4656	msiexec.exe	111
PID 1848 wrote to memory of 2080	1848	client32.exe	113
PID 1848 wrote to memory of 2080	1848	client32.exe	113
PID 1848 wrote to memory of 2080	1848	client32.exe	113
PID 2080 wrote to memory of 844	2080	client32.exe	114
PID 2080 wrote to memory of 844	2080	client32.exe	114
PID 2080 wrote to memory of 5004	2080	client32.exe	115
PID 2080 wrote to memory of 5004	2080	client32.exe	115
PID 2080 wrote to memory of 5004	2080	client32.exe	115
PID 2080 wrote to memory of 4920	2080	client32.exe	116

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4252	attrib.exe
1972	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NetSupportInstall.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Users\Admin\AppData\Local\Temp\NetSupport School 15.10.0003.exe
  "NetSupport School 15.10.0003" /S /v/qn
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Temp\{04A6110F-8E25-4C5A-82AC-94D7442363AA}\NetSupport School.msi" /qn SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="NetSupport School 15.10.0003.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4560

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 102A92A484DF2A66A4703288BF7A64B4
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3964
- C:\Windows\system32\cmd.exe
  cmd.exe /c ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\\nsm.lic
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\SysWOW64\attrib.exe
    ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\\nsm.lic
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:4252
- C:\Windows\system32\cmd.exe
  cmd.exe /c ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\\nsm.lic
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Windows\SysWOW64\attrib.exe
    ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\\nsm.lic
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1972
- C:\Windows\Installer\MSID746.tmp
  "C:\Windows\Installer\MSID746.tmp" /p "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\\Detect64LSP.txt"
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Windows\Installer\MSID7C4.tmp
  "C:\Windows\Installer\MSID7C4.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport School\" /EU
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3008
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BBFAD4EC6E2D1A102C3337ECE1699BC2 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1440
- C:\Windows\Installer\MSIDDB8.tmp
  "C:\Windows\Installer\MSIDDB8.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport School\" /EU
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4296
- C:\Program Files (x86)\NetSupport\NetSupport School\checkdvd.exe
  "C:\Program Files (x86)\NetSupport\NetSupport School\checkdvd.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3504
- C:\Windows\Installer\MSIE76F.tmp
  "C:\Windows\Installer\MSIE76F.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport School\" /EC /Q /Q /C
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:32
- C:\Windows\Installer\MSIE8F7.tmp
  "C:\Windows\Installer\MSIE8F7.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport School\" /EV"NetSupport School" /EC /Q /Q /I *
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Program Files (x86)\NetSupport\NetSupport School\winst64.exe
    winst64.exe /q /q /i
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    PID:4132
- C:\Windows\system32\cmd.exe
  cmd.exe /c secedit /configure /areas SECURITYPOLICY /db hisecws.sdb /cfg "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\NS.inf" /log "C:\Program Files (x86)\NetSupport\NetSupport School\sec.log" /overwrite /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3752
- - C:\Windows\SysWOW64\SecEdit.exe
    secedit /configure /areas SECURITYPOLICY /db hisecws.sdb /cfg "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\NS.inf" /log "C:\Program Files (x86)\NetSupport\NetSupport School\sec.log" /overwrite /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2088
- C:\Program Files (x86)\NetSupport\NetSupport School\pcicfgui_setup.exe
  "C:\Program Files (x86)\NetSupport\NetSupport School\pcicfgui_setup.exe" /Q "C:\Program Files (x86)\NetSupport\NetSupport School\Client32.ini"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Program Files (x86)\NetSupport\NetSupport School\pcicfgui_setup.exe
    "C:\Program Files (x86)\NetSupport\NetSupport School\pcicfgui_setup.exe"
    3⤵
    - Executes dropped EXE
    PID:3296
- C:\Windows\Installer\MSIF53E.tmp
  "C:\Windows\Installer\MSIF53E.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport School\" /EI
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1292

C:\Program Files (x86)\NetSupport\NetSupport School\client32.exe
"C:\Program Files (x86)\NetSupport\NetSupport School\client32.exe" /* *
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Program Files (x86)\NetSupport\NetSupport School\client32.exe
  "C:\Program Files (x86)\NetSupport\NetSupport School\client32.exe" * /VistaUI
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Program Files (x86)\NetSupport\NetSupport School\winst64.exe
    "C:\Program Files (x86)\NetSupport\NetSupport School\winst64.exe" /Q /Q /EBa024e,0
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:844
- - C:\Program Files (x86)\NetSupport\NetSupport School\runplugin.exe
    "C:\Program Files (x86)\NetSupport\NetSupport School\runplugin.exe" /USER=SYSTEM
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:5004
- - C:\Program Files (x86)\NetSupport\NetSupport School\runplugin64.exe
    "C:\Program Files (x86)\NetSupport\NetSupport School\runplugin64.exe" /USER=SYSTEM
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:4920
- - C:\Program Files (x86)\NetSupport\NetSupport School\runplugin.exe
    "C:\Program Files (x86)\NetSupport\NetSupport School\runplugin.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4076
- - C:\Program Files (x86)\NetSupport\NetSupport School\runplugin64.exe
    "C:\Program Files (x86)\NetSupport\NetSupport School\runplugin64.exe"
    3⤵
    - Executes dropped EXE
    PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57c75a.rbs

Filesize
52KB

MD5
fc7c0e70a1bf51f4d06a17f7fe1592f3

SHA1
ada183231218428be1defaf8dc86288f78a26116

SHA256
2e5642aacee53a478e1af80e88746957990f9a2bec84cbcbe529da9dc0884188

SHA512
18f1afd34b737fa7586c3da386c096ac5da5dfcb1609405b333b95c0834764f12aa53cf22db1623eba9a937f34a58d587917fef962b66e41cd6f9224d503a29d

Download Submit
C:\Program Files (x86)\NetSupport\NetSupport School\WINSTALL.EXE

Filesize
745KB

MD5
0228cb02aa58ef2876713130990c8ccf

SHA1
f6766273a186b6911a6127fbb5af90125e267bbe

SHA256
3651a2131f423c5c553476236be7ad4f26a63c67d872c3b9ecc135d1d184b1ed

SHA512
a07664e639252a2bd34f42fb6907b95889d31657aa81fcdeea4b171bf3410bd3d56f5e404ee8fc16938d826f7cfffc46efcfe74126afec6e87cb048618d26e89

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NetSupport School\NetSupport School Student Configurator.lnk

Filesize
2KB

MD5
c4ee9286b9f616243f89db8e142640a5

SHA1
a9ac321858bfe4484588a1c367da7c475a4023fd

SHA256
9437650bc48c7a859b7407a48bde931662de8d8e7343971182d16723b12f1fe0

SHA512
a1dbc6487c5357919b942556f1dd051aeda23017f1ae636807d8f07cc0550b2baac0685bfe9b8da61bf03a4b2019e24f9b8a2efcb7bf2e5866e8f3a77df77157

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NetSupport School\NetSupport School Student Configurator.lnk~RFe57e6e5.TMP

Filesize
2KB

MD5
78d63a2281f694d3be134a9ed40bb713

SHA1
fe122d98690fdd788171d23825ffd20f51f14d4d

SHA256
d0ec7a2a637043d8f29b7f5b74c442b2a53b8d851e6d21b53c37a0fda8ac3618

SHA512
0667c3863e0852dccb39461de32cf7584305f8498d84d64ccf2110b09790595c142fdbc1bd5fc7f03baed284e5149b0c1aad98e5e5093fe5e86ff3304ea0e795

Download Submit
C:\Users\Admin\AppData\Local\Temp\DLL_{F021B863-9473-4467-93B2-6FC48C30E42F}.ini

Filesize
4KB

MD5
66842a7c0f23f5fa9344147b73ea41cf

SHA1
b8d435d72bac5231cafcbe032f2c5b106e6b4c8b

SHA256
b862ef26d002235865f04e145acbee1e0de012e1816a212b05df0d29fe0a3f17

SHA512
572572eaa60ce6d2c83595865573899b96b886433184e46fbc32a0a64fcf9ded5985b7d6040710cc9a35299ab1bc1b26ec8b9887eb49bd148b32130b2a5104a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{04A6110F-8E25-4C5A-82AC-94D7442363AA}\0x0409.ini

Filesize
21KB

MD5
a108f0030a2cda00405281014f897241

SHA1
d112325fa45664272b08ef5e8ff8c85382ebb991

SHA256
8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948

SHA512
d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298

Download Submit
C:\Users\Admin\AppData\Local\Temp\{04A6110F-8E25-4C5A-82AC-94D7442363AA}\Setup.INI

Filesize
5KB

MD5
6fbf86629f47eca07aaed1a95fc56777

SHA1
55fe7be7e600b74d5b67a66ce0d7c379c41bf550

SHA256
32687c846ddb54be27dd5a4f2674ef4ce08b1d3cf8621301e36b319df28ecb26

SHA512
89832543df122de7b0cb2cca77624e1f993b499f6d8bd514a2e86fae72867ae3e26f2c130cc216c9929d65ab7f55f93feafc549053f29157fcfd8061baf8cb84

Download Submit
C:\Users\Admin\AppData\Local\Temp\{04A6110F-8E25-4C5A-82AC-94D7442363AA}\_ISMSIDEL.INI

Filesize
668B

MD5
f897539910b6f973077e4312ac449035

SHA1
356cf427f015c8696adacc1b52ace2c5f88b987d

SHA256
ab040258dd6681133c309e7704d8c59ce296ff89a9d7f0b194f49517915faa51

SHA512
95a176bb206f8e537fc2a3f9d31918c64987768ac4af46d5d6d6226c5678bb82a4196d53b55e0d79550580601bb58fdbe6111c9c22f42f6a5f4659fded4c1bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{04A6110F-8E25-4C5A-82AC-94D7442363AA}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\Client32.upd

Filesize
25B

MD5
c05c19b006d57dd4c90785cbe5c7877b

SHA1
34beebb832e53e4a3b9b3349919689fdf1401151

SHA256
00e0c629d5645c15df66adcf99e8a0a3e517d7a7876141ae7a752f0585eec047

SHA512
bede1e24476a12e9b1f29962254b19b357bfdfbe5c6eec9a2fca6c1b2105f4cec1d5872f6be269ef39d6e5cc542dc587ea9555ef87687bac64b3ff0de16c0f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\NSM.LIC

Filesize
282B

MD5
39030ae352cc16a7fd0bf49261d97403

SHA1
485f2944ead7b484a052c2f436ed950327bfc961

SHA256
52703269ec26d1988de1efda21597a3faf563e980e1afc5434441ecd34d80ded

SHA512
7c89c1263b693e0802379bfbbd785d354b0686f354abb2aa9f982b3c53dda316d7c584a3af0d4b3fc1a072c49986fa4b93a99b63d9dc2645f798ff8913a29a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\product.dat

Filesize
506B

MD5
ff7c0d2dbb9195083bbabaff482d5ed6

SHA1
5c2efbf855c376ce1b93e681c54a367a407495dc

SHA256
065d817596d710d5a06060241acc207b82b844530cc56ff842ff53d8ff92a075

SHA512
ea226b3a55fc59175136f104df497ebf5055624fb1c1c8073b249dfc5e1ed5818a6feee995aa82cf9ed050f1adc7a62994c90b1af03569dfe0d4551ee2bc70c9

Download Submit
C:\Windows\Installer\MSICBFB.tmp

Filesize
169KB

MD5
0e6fda2b8425c9513c774cf29a1bc72d

SHA1
a79ffa24cb5956398ded44da24793a2067b85dd0

SHA256
e946b2fae0b36c43064463a8c16a2774adac30c4188c5af90e9338b903c501c9

SHA512
285bb7759a1214abed36162ac8be2d48df17a05278c4de97562448e20fd43b635563a6819f37e23d92a5f5ed0205a68bffe43dac0d3a67513bd0303b4e7f89aa

Download Submit
C:\Windows\Installer\MSICCF6.tmp

Filesize
511KB

MD5
d524b639a3a088155981b9b4efa55631

SHA1
39d8eea673c02c1522b110829b93d61310555b98

SHA256
03d91c8cd20b846625a092a3dae6a12369930c65d6216a455a00449ebb0dc289

SHA512
84f8ab54122f93a40da08fd83bca767ab49eb0f73c4ab274d9bda11dd09224134df011fa02e5a3abbafcc6fbef6a60673dd48feabdf829a1e22c85a2a759b7ac

Download Submit
C:\Windows\Installer\MSICD06.tmp

Filesize
487KB

MD5
d21afcbb8d2e5a043841b4d145af1df6

SHA1
849db8ddad9e942bfe20a50666d17484b56a26e3

SHA256
c9d4fd904650e4e53de4018951906c1434420d65cdb33e48c23b6c22bc9fdd4c

SHA512
ecb8fbb2826f7f47eed46897701d42873b17b7599cd785ca54e900b793e3de1179c4d6441f317aa5298ae52c1c11157ae43b11822aa0076b9ec93ad5e46f0225

Download Submit
C:\Windows\Installer\MSICEC1.tmp

Filesize
153KB

MD5
a1b7850763af9593b66ee459a081bddf

SHA1
6e45955fae2b2494902a1b55a3873e542f0f5ce4

SHA256
41b8e92deba5206c78817236ed7f44df95636ca748d95fab05f032f5aec186af

SHA512
a87a302a9a0d19d7ce293b42f5e7bc09664b21307a5321f226157fcc57eb2df2b59c6651878cb23969a182c82b55e8671ff00f8462194b81a907974a49cb25b1

Download Submit
C:\Windows\Installer\MSIE72F.tmp

Filesize
244KB

MD5
c4ca339bc85aae8999e4b101556239dd

SHA1
d090fc385e0002e35db276960a360c67c4fc85cd

SHA256
4ab23609cdc64d10b97c9ccb285ed7100f55d54d983cd50762da25ecac4357f9

SHA512
9185ec32545fc838d7fef6c9e4dd222dd02114c661b0b344f16287d55e6571bfe7a4233a852acc579d07bcdbab18c5c034c465b1f4bb78535ed51c3499087fe0

Download Submit
memory/2080-550-0x0000000007160000-0x0000000007284000-memory.dmp

Filesize
1.1MB

Download
memory/2796-502-0x0000000002600000-0x00000000027A3000-memory.dmp

Filesize
1.6MB

Download