Analysis

  • max time kernel
    198s
  • max time network
    217s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250313-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250313-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/03/2025, 13:45

General

  • Target

    getuname.zip

  • Size

    3.1MB

  • MD5

    16b13445843c75d166f34120691de87c

  • SHA1

    060926e71b593d955e796e5b61396bc260318371

  • SHA256

    05e971644f982bad382bab47fb7831417bf1e526661a9128e1793b396d18db7b

  • SHA512

    72d0222fdc3193e2a1d6d50fbc04466fd1c0fb9dc2112d6ade05389b8d258dce551339a93a71188149d431b73526c2cae1be16b269c1dffc9f51b428f239ec3b

  • SSDEEP

    98304:7NaVx9kGrbRboocCY4aJPpc3AM/85dqNkqVF:7N+oGJbJa43AMcnqj

Malware Config

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as legitimate system administration software.

  • Netsupport family
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 2 IoCs
  • Opens file in notepad (likely ransom note) 3 IoCs

    Generic heuristic; the three files opened in this run (NSM.ini, NSM.LIC and PrivacySandboxAttestationsPreloaded\manifest.json) are NetSupport configuration and licence files and a JSON manifest, not a ransom note.

  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 28 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\getuname.zip
    1⤵
      PID:1680
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4608
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\getuname\" -spe -an -ai#7zMap5601:96:7zEvent6194
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:2044
      • C:\Users\Admin\AppData\Local\Temp\getuname\remcmdstub.exe
        "C:\Users\Admin\AppData\Local\Temp\getuname\remcmdstub.exe"
        1⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4436
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\getuname\NSM.ini
        1⤵
        • Opens file in notepad (likely ransom note)
        PID:5888
      • C:\Windows\system32\OpenWith.exe
        C:\Windows\system32\OpenWith.exe -Embedding
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4560
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\getuname\NSM.LIC
          2⤵
          • Opens file in notepad (likely ransom note)
          PID:2356
      • C:\Users\Admin\AppData\Local\Temp\getuname\client32.exe
        "C:\Users\Admin\AppData\Local\Temp\getuname\client32.exe"
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:4984
      • C:\Users\Admin\AppData\Local\Temp\getuname\cksini (2).exe
        "C:\Users\Admin\AppData\Local\Temp\getuname\cksini (2).exe"
        1⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4308
      • C:\Windows\system32\OpenWith.exe
        C:\Windows\system32\OpenWith.exe -Embedding
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5940
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\getuname\PrivacySandboxAttestationsPreloaded\manifest.json
          2⤵
          • Opens file in notepad (likely ransom note)
          PID:5352

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\getuname\HTCTL32.DLL

        Filesize

        306KB

        MD5

        3eed18b47412d3f91a394ae880b56ed2

        SHA1

        1b521a3ed4a577a33cce78eee627ae02445694ab

        SHA256

        13a17f2ad9288aac8941d895251604beb9524fa3c65c781197841ee15480a13f

        SHA512

        835f35af4fd241caa8b6a639626b8762db8525ccceb43afe8fffc24dffad76ca10852a5a8e9fc114bfbf7d1dc1950130a67037fc09b63a74374517a1f5448990

      • C:\Users\Admin\AppData\Local\Temp\getuname\NSM.LIC

        Filesize

        262B

        MD5

        b9956282a0fed076ed083892e498ac69

        SHA1

        d14a665438385203283030a189ff6c5e7c4bf518

        SHA256

        fcc6afd664a8045bd61c398be3c37a97536a199a48d277e11977f93868ae1acc

        SHA512

        7daa09113c0e8a36c91cc6d657c65851a20dff6b60ac3d2f40c5737c12c1613c553955f84d131ba2139959973fef9fc616ca5e968cb16c25acf2d4739eed87eb

      • C:\Users\Admin\AppData\Local\Temp\getuname\NSM.ini

        Filesize

        5KB

        MD5

        99f493dce7fab330dc47f0cab8fe6172

        SHA1

        16906fb5988303bb462b65ff4ece23539a12f4b5

        SHA256

        e0ed36c897eaa5352fab181c20020b60df4c58986193d6aaf5bf3e3ecdc4c05d

        SHA512

        2c58171c30aec8ae131a7c32162856fce551b55f861d0d9fb0e27a91bd7084388df5860392f80cdbc6df6e64e97d8bf2cae587c3d6b7c142ce711ae8e240bb01

      • C:\Users\Admin\AppData\Local\Temp\getuname\PCICAPI.dll

        Filesize

        44KB

        MD5

        9daa86d91a18131d5caf49d14fb8b6f2

        SHA1

        6b2f7ceb6157909e114a2b05a48a1a2606b5caf1

        SHA256

        1716640cce74322f7ee3e3e02b75cd53b91686f66e389d606dab01bd9f88c557

        SHA512

        9a98e0d9e2dda8aefa54bddb3c7b71501d638dff68863939de6caa117b0e7bf15e581a75419ef8a0da3f1c56a19f1b0f4c86d65f8581773ab88ff5764b9bb3aa

      • C:\Users\Admin\AppData\Local\Temp\getuname\PCICHEK.DLL

        Filesize

        27KB

        MD5

        e311935a26ee920d5b7176cfa469253c

        SHA1

        eda6c815a02c4c91c9aacd819dc06e32ececf8f0

        SHA256

        0038ab626624fa2df9f65dd5e310b1206a9cd4d8ab7e65fb091cc25f13ebd34e

        SHA512

        48164e8841cfc91f4cbf4d3291d4f359518d081d9079a7995378f970e4085b534f4bafc15b83f4824cc79b5a1e54457b879963589b1acbcfe727a03eb3dffd1c

      • C:\Users\Admin\AppData\Local\Temp\getuname\PCICL32.dll

        Filesize

        3.3MB

        MD5

        77b3988cbae5a2550caec42cc5e8ec35

        SHA1

        5fa1eeb60e881bfd82eb7c3d9e911587982aaa38

        SHA256

        650382fe6596c8dc0c1739713c2076d4ddff32d5c177210b1241550bb8148cfd

        SHA512

        480f3abef7b799bd604ba9825e2b8cf681e7850373761c579ef181607980d5159c225fb486996e3088f39662f873743d25b52368045d3ae5bd8d45e44d1e8bec

      • C:\Users\Admin\AppData\Local\Temp\getuname\PrivacySandboxAttestationsPreloaded\manifest.json

        Filesize

        123B

        MD5

        2b6f737dc8b2ae315e5d244aa680da8a

        SHA1

        fd75055e0b00a306afdd59cf8510ead189779eeb

        SHA256

        0afa9f67afc9e1a240847c74123a597cb5cb5c1a37166ef0940a5f9e422f73ac

        SHA512

        73595642930e27f616dc9914a7cb88a3a2cf0927926db604a48d435801384e8d9eb960666faf5bd5b7f90869ecf9cae8d592fbde1ba1214b64653bcb2476bd17

      • C:\Users\Admin\AppData\Local\Temp\getuname\cksini (2).exe

        Filesize

        85KB

        MD5

        953896600dfb86750506706f1599d415

        SHA1

        80204dd5ff71618de5e09d8090738672eaa966b0

        SHA256

        f37f6c1c401ebaf3f2879f62a524e1d5bb302e0ef5ae867ccfe7fafc7464f47d

        SHA512

        06f702a2b09afa24356d2d1fa9331f6351e8ac58394d02edaa6a0673fb25dd02ab790bc8b2b157bdd10e631df59fbbfd5691543e522f92be9922fb95e3140085

      • C:\Users\Admin\AppData\Local\Temp\getuname\client32.exe

        Filesize

        117KB

        MD5

        1c19c2e97c5e6b30de69ee684e6e5589

        SHA1

        5734ef7f9e4dba0639c98881e00f03eea35a62ee

        SHA256

        312a0e4db34a40cb95ba1fac8bf87deb45d0c5f048d38ac65eb060273b07df67

        SHA512

        ab7240b81be04f1bced47701a5791bbeedcba6037ee936327478c304aa1ce5ae75856ca7f568f909f847e27db2a6b9c08db7cc1057a18fab14a39a5854f15cba

      • C:\Users\Admin\AppData\Local\Temp\getuname\client32.ini

        Filesize

        723B

        MD5

        037effdb39d55d10733be7cd5df322c2

        SHA1

        6dddf2c8ddf018545d96550e24eb3c06c3efee66

        SHA256

        5b6f65c9bf7d7b0fbb768eb00df8aff71bd67d2ce64a7c7994d859212d9edd68

        SHA512

        ac530e397f4b2ecf99b555e1af752cb935e1099193526bf9b032adc6d95305ea446de4a78d520cdfd46ff5d6065cd4668da75aa56e4e869cd40aecf047cf38ba

      • C:\Users\Admin\AppData\Local\Temp\getuname\msvcr100.dll

        Filesize

        755KB

        MD5

        0e37fbfa79d349d672456923ec5fbbe3

        SHA1

        4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

        SHA256

        8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

        SHA512

        2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

      • C:\Users\Admin\AppData\Local\Temp\getuname\remcmdstub.exe

        Filesize

        67KB

        MD5

        62cb7909b5247f472b0e3f748faedf35

        SHA1

        f424005eb21deb09f1617f33814d6e6c3851b7dc

        SHA256

        f6aac87863a73299b260315748cb0bc0b964d860cf5710993ca54bd79aaae5db

        SHA512

        2f4e36f6a0718e7fc9e08e5cca13b76089cb6c42ab772475a2fd68128268e3c0b6c6371ea665b793a8f6bcc3da76c6a57cb0b916d1d8b71c47d603933a7d72c4
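A hunt over a directory tree for the dropped files listed above, as an added example that is not part of the report. The SHA256 values are copied from the Downloads section; the component-set rule, its threshold and the constructed lab directory in demo() are assumptions made here for illustration.

```python
"""Hunt a directory tree for the files listed under Downloads.

Added example, not part of the report. SHA256 values are copied from the
Downloads section above; the component-set rule, the threshold and the demo
directory layout are assumptions made here for illustration.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# SHA256 -> file name, as reported on this page.
IOC_SHA256: Dict[str, str] = {
    "13a17f2ad9288aac8941d895251604beb9524fa3c65c781197841ee15480a13f": "HTCTL32.DLL",
    "fcc6afd664a8045bd61c398be3c37a97536a199a48d277e11977f93868ae1acc": "NSM.LIC",
    "e0ed36c897eaa5352fab181c20020b60df4c58986193d6aaf5bf3e3ecdc4c05d": "NSM.ini",
    "1716640cce74322f7ee3e3e02b75cd53b91686f66e389d606dab01bd9f88c557": "PCICAPI.dll",
    "0038ab626624fa2df9f65dd5e310b1206a9cd4d8ab7e65fb091cc25f13ebd34e": "PCICHEK.DLL",
    "650382fe6596c8dc0c1739713c2076d4ddff32d5c177210b1241550bb8148cfd": "PCICL32.dll",
    "0afa9f67afc9e1a240847c74123a597cb5cb5c1a37166ef0940a5f9e422f73ac": "PrivacySandboxAttestationsPreloaded\\manifest.json",
    "f37f6c1c401ebaf3f2879f62a524e1d5bb302e0ef5ae867ccfe7fafc7464f47d": "cksini (2).exe",
    "312a0e4db34a40cb95ba1fac8bf87deb45d0c5f048d38ac65eb060273b07df67": "client32.exe",
    "5b6f65c9bf7d7b0fbb768eb00df8aff71bd67d2ce64a7c7994d859212d9edd68": "client32.ini",
    "8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18": "msvcr100.dll",
    "f6aac87863a73299b260315748cb0bc0b964d860cf5710993ca54bd79aaae5db": "remcmdstub.exe",
}

# Files that make up a NetSupport client install. Several of them together in a
# directory outside Program Files is a stronger signal than any single hash, and
# it survives a repack that changes the hashes.
NETSUPPORT_COMPONENTS = {
    "client32.exe", "client32.ini", "nsm.lic", "nsm.ini", "pcicl32.dll",
    "pcichek.dll", "pcicapi.dll", "htctl32.dll", "remcmdstub.exe",
}
COMPONENT_THRESHOLD = 4  # assumption; tune for the environment
TRUSTED_DIRS = {"program files", "program files (x86)"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(root: str, iocs: Dict[str, str] = IOC_SHA256) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (hash_hits, component_set_hits).

    hash_hits: (path, reported name) for every file whose SHA256 is in iocs.
    component_set_hits: directories holding at least COMPONENT_THRESHOLD
    NetSupport components and not located under Program Files.
    """
    hash_hits: List[Tuple[str, str]] = []
    set_hits: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower() for f in files}
        parts = {p.lower() for p in Path(dirpath).parts}
        if len(names & NETSUPPORT_COMPONENTS) >= COMPONENT_THRESHOLD and not (parts & TRUSTED_DIRS):
            set_hits.append(dirpath)
        for f in files:
            p = Path(dirpath) / f
            try:
                digest = sha256_file(p)
            except OSError:
                continue  # unreadable or vanished; skip rather than abort the sweep
            if digest in iocs:
                hash_hits.append((str(p), iocs[digest]))
    return hash_hits, set_hits


def demo() -> Tuple[List[Tuple[str, str]], List[str]]:
    """Build a constructed lab tree (real names, placeholder contents) and hunt it."""
    base = Path(tempfile.mkdtemp(prefix="getuname_lab_"))
    try:
        drop = base / "Users" / "Admin" / "AppData" / "Local" / "Temp" / "getuname"
        legit = base / "Program Files" / "NetSupport" / "NetSupport Manager"
        for d in (drop, legit):
            d.mkdir(parents=True)
            for name in ("client32.exe", "client32.ini", "NSM.LIC", "PCICL32.dll", "HTCTL32.DLL"):
                (d / name).write_bytes(b"placeholder content for " + name.encode())
        # Placeholders cannot match the reported hashes, so add one constructed IOC
        # (the placeholder client32.ini) to exercise the hash path as well.
        iocs = dict(IOC_SHA256)
        iocs[sha256_file(drop / "client32.ini")] = "client32.ini (constructed, self-test only)"
        return hunt(str(base), iocs)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    hash_hits, set_hits = demo()
    print("hash hits:", hash_hits)
    print("component-set hits:", set_hits)
```

In the demo the hash rule fires on both copies of the placeholder client32.ini, including the one under Program Files, while the component-set rule fires only on the Temp directory. That is the intended division of labour: a hash match on msvcr100.dll or one of the PCI*.dll files alone only says a NetSupport component is present, whereas client32.ini and NSM.LIC carry the configuration and licence specific to a deployment, so those hashes and a component-set hit outside Program Files are the findings worth acting on.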