Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
NetSupport School Student 15.10.0003.zip
-
Size
146.3MB
-
Sample
250131-raba1sxmhw
-
MD5
3bf1612dfb04b1c0d671c07da43a3f44
-
SHA1
e5480a23c5a335f165b2fb90c2c54cb048dbae5c
-
SHA256
6bdf18220b60167f19d0294e351432cbe3ec83e905b620dcad8aea8260d3fbf3
-
SHA512
64c4f5bda6bd8e46094d43b75d451e80c946fed52d38b651899f8e896116ab8610a0b20149f8428b1252e82b4e032f206aac9b2ff52b32ead5b0caa770fc8474
-
SSDEEP
3145728:HKB1f/SCtkhbkn+3fXSRyNg+VfMdbUiAEopNWdH1RBWXUsThIudv:HKTnSCtkhbAi1BVE2Egcd8dlI0
Static task
static1
Behavioral task
behavioral1
Sample
NetSupport School 15.10.0003.exe
Resource
win11-20241007-en
Behavioral task
behavioral2
Sample
NetSupportInstall.bat
Resource
win11-20241007-en
Malware Config
Targets
-
-
Target
NetSupport School 15.10.0003.exe
-
Size
146.9MB
-
MD5
50c6a195ea8b2cac825a3bd2b2e5d5f7
-
SHA1
7704b7bc735066139657919cc589fef8fdfd76a1
-
SHA256
f1f0d729245cd9272510e8fd258708ead8ed7ab0db39343c6f69cf9d35a35c2b
-
SHA512
838332cb950b70aef47ffbff2dbb1503b26ee0fcb702376fbf6633e00bd33aa2b8add3432b28ce79ce0b44d51a7812dbb9c749782d4efc21c5df7c7a78a53088
-
SSDEEP
3145728:7ghv5tQmlmVPMfix3deHWzomfJ4dbOO+2iX3gvB159GRiYDNAC77:7gF7QmlmVPguPRfy62KwvO/BAe
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
Netsupport family
-
Drops file in Drivers directory
-
Sets service image path in registry
-
Blocklisted process makes network request
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon
-
Drops file in System32 directory
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
NetSupportInstall.bat
-
Size
66B
-
MD5
c64fd547b11cc65bfbb93bdbfa750eef
-
SHA1
216ce7fa10a536b32b868746da7b970382c61453
-
SHA256
7994b920cb245256765becf9fe5bd8e09b3525814846eed4296204b454303a15
-
SHA512
60afdc2621be2491eaa4ddda0c1f7aa689c18a022646292afed94d92a8344622bc05c36738724dbedcc1c5310ad57890e1ab9142b06c5f9127e5bedb987a2179
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
Netsupport family
-
Drops file in Drivers directory
-
Sets service image path in registry
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Blocklisted process makes network request
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Component Object Model Hijacking
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
3