Resubmissions

31/01/2025, 13:58

250131-raba1sxmhw 10

31/01/2025, 13:56

250131-q8rvzszjgm 10

Analysis

  • max time kernel
    149s
  • max time network
    129s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    31/01/2025, 13:58

General

  • Target

    NetSupportInstall.bat

  • Size

    66B

  • MD5

    c64fd547b11cc65bfbb93bdbfa750eef

  • SHA1

    216ce7fa10a536b32b868746da7b970382c61453

  • SHA256

    7994b920cb245256765becf9fe5bd8e09b3525814846eed4296204b454303a15

  • SHA512

    60afdc2621be2491eaa4ddda0c1f7aa689c18a022646292afed94d92a8344622bc05c36738724dbedcc1c5310ad57890e1ab9142b06c5f9127e5bedb987a2179

Malware Config

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as legitimate system administration software.

  • Netsupport family
  • Drops file in Drivers directory 2 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 18 IoCs
  • Loads dropped DLL 64 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 10 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NetSupportInstall.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4884
    • C:\Users\Admin\AppData\Local\Temp\NetSupport School 15.10.0003.exe
      "NetSupport School 15.10.0003" /S /v/qn
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Windows\SysWOW64\MSIEXEC.EXE
        "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Temp\{7F8E22A1-B40D-4672-9572-82E039B78705}\NetSupport School.msi" /qn SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="NetSupport School 15.10.0003.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4092
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding F5DBAAF99353CE0CA02EBC44D97F83D6
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2440
    • C:\Windows\system32\cmd.exe
      cmd.exe /c ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\\nsm.lic
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4580
      • C:\Windows\SysWOW64\attrib.exe
        ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\\nsm.lic
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:4616
    • C:\Windows\system32\cmd.exe
      cmd.exe /c ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\\nsm.lic
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:652
      • C:\Windows\SysWOW64\attrib.exe
        ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\\nsm.lic
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:4352
    • C:\Windows\Installer\MSIAC7D.tmp
      "C:\Windows\Installer\MSIAC7D.tmp" /p "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\\Detect64LSP.txt"
      2⤵
      • Executes dropped EXE
      PID:1580
    • C:\Windows\Installer\MSIACDC.tmp
      "C:\Windows\Installer\MSIACDC.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport School\" /EU
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:640
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 06BAF650E2FD561D4D095D03667891F9 E Global\MSI0000
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      PID:3896
    • C:\Windows\Installer\MSIB214.tmp
      "C:\Windows\Installer\MSIB214.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport School\" /EU
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4992
    • C:\Program Files (x86)\NetSupport\NetSupport School\checkdvd.exe
      "C:\Program Files (x86)\NetSupport\NetSupport School\checkdvd.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:968
    • C:\Windows\Installer\MSIBB2F.tmp
      "C:\Windows\Installer\MSIBB2F.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport School\" /EC /Q /Q /C
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:3232
    • C:\Windows\Installer\MSIBD24.tmp
      "C:\Windows\Installer\MSIBD24.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport School\" /EV"NetSupport School" /EC /Q /Q /I *
      2⤵
      • Sets service image path in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2084
      • C:\Program Files (x86)\NetSupport\NetSupport School\winst64.exe
        winst64.exe /q /q /i
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Modifies registry class
        PID:2168
    • C:\Windows\system32\cmd.exe
      cmd.exe /c secedit /configure /areas SECURITYPOLICY /db hisecws.sdb /cfg "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\NS.inf" /log "C:\Program Files (x86)\NetSupport\NetSupport School\sec.log" /overwrite /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3204
      • C:\Windows\SysWOW64\SecEdit.exe
        secedit /configure /areas SECURITYPOLICY /db hisecws.sdb /cfg "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\NS.inf" /log "C:\Program Files (x86)\NetSupport\NetSupport School\sec.log" /overwrite /quiet
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2604
    • C:\Program Files (x86)\NetSupport\NetSupport School\pcicfgui_setup.exe
      "C:\Program Files (x86)\NetSupport\NetSupport School\pcicfgui_setup.exe" /Q "C:\Program Files (x86)\NetSupport\NetSupport School\Client32.ini"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3944
      • C:\Program Files (x86)\NetSupport\NetSupport School\pcicfgui_setup.exe
        "C:\Program Files (x86)\NetSupport\NetSupport School\pcicfgui_setup.exe"
        3⤵
        • Executes dropped EXE
        PID:1696
    • C:\Windows\Installer\MSIC8C0.tmp
      "C:\Windows\Installer\MSIC8C0.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport School\" /EI
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4272
  • C:\Program Files (x86)\NetSupport\NetSupport School\client32.exe
    "C:\Program Files (x86)\NetSupport\NetSupport School\client32.exe" /* *
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3088
    • C:\Program Files (x86)\NetSupport\NetSupport School\client32.exe
      "C:\Program Files (x86)\NetSupport\NetSupport School\client32.exe" * /VistaUI
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:476
      • C:\Program Files (x86)\NetSupport\NetSupport School\winst64.exe
        "C:\Program Files (x86)\NetSupport\NetSupport School\winst64.exe" /Q /Q /EBd01ac,0
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1372
      • C:\Program Files (x86)\NetSupport\NetSupport School\runplugin.exe
        "C:\Program Files (x86)\NetSupport\NetSupport School\runplugin.exe" /USER=SYSTEM
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2484
      • C:\Program Files (x86)\NetSupport\NetSupport School\runplugin64.exe
        "C:\Program Files (x86)\NetSupport\NetSupport School\runplugin64.exe" /USER=SYSTEM
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:5068
      • C:\Program Files (x86)\NetSupport\NetSupport School\runplugin.exe
        "C:\Program Files (x86)\NetSupport\NetSupport School\runplugin.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:108
      • C:\Program Files (x86)\NetSupport\NetSupport School\runplugin64.exe
        "C:\Program Files (x86)\NetSupport\NetSupport School\runplugin64.exe"
        3⤵
        • Executes dropped EXE
        PID:2108

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\e579d4c.rbs

    Filesize

    52KB

  • C:\Program Files (x86)\NetSupport\NetSupport School\WINSTALL.EXE

    Filesize

    745KB

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NetSupport School\NetSupport School Student Configurator.lnk

    Filesize

    2KB

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NetSupport School\NetSupport School Student Configurator.lnk~RFe57bab5.TMP

    Filesize

    2KB

  • C:\Users\Admin\AppData\Local\Temp\DLL_{F021B863-9473-4467-93B2-6FC48C30E42F}.ini

    Filesize

    4KB

  • C:\Users\Admin\AppData\Local\Temp\{7F8E22A1-B40D-4672-9572-82E039B78705}\0x0409.ini

    Filesize

    21KB

  • C:\Users\Admin\AppData\Local\Temp\{7F8E22A1-B40D-4672-9572-82E039B78705}\Setup.INI

    Filesize

    5KB

  • C:\Users\Admin\AppData\Local\Temp\{7F8E22A1-B40D-4672-9572-82E039B78705}\_ISMSIDEL.INI

    Filesize

    20B

  • C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\Client32.upd

    Filesize

    25B

  • C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\NSM.LIC

    Filesize

    282B

  • C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\product.dat

    Filesize

    506B

  • C:\Windows\Installer\MSIA2D7.tmp

    Filesize

    169KB

  • C:\Windows\Installer\MSIA3C3.tmp

    Filesize

    511KB

  • C:\Windows\Installer\MSIA3E3.tmp

    Filesize

    487KB

  • C:\Windows\Installer\MSIA446.tmp

    Filesize

    153KB

  • C:\Windows\Installer\MSIBAFF.tmp

    Filesize

    244KB

  • memory/476-554-0x00000000063A0000-0x00000000064C6000-memory.dmp

    Filesize

    1.1MB

  • memory/3944-506-0x00000000026B0000-0x0000000002859000-memory.dmp

    Filesize

    1.7MB