analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

ldrmgan18011.exe

Full analysis: https://app.any.run/tasks/f64884ff-e947-4929-9d9d-101a2de7340d
Verdict: Malicious activity
Analysis date: January 21, 2022, 01:01:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
unwanted
netsupport
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

46FA5C3B6FDF73BEFE0A50031999ECB2

SHA1:

0EDE58F3CFF351439B94E2E81B2E4495340FEED3

SHA256:

3DFD99F196890BA6195F1ED90DA2F3263B5A2F001D313741DF764E7F14606B40

SSDEEP:

49152:PyIWGBEq+uzjqlofFg3/YVrS5zjYOD/bw8mkUuZerutyHBY:PyhGJ+uzjqWtAoW5oOCkLZe0yHBY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • client32.exe (PID: 1456)

    • Connects to CnC server

      • client32.exe (PID: 1456)

    • Writes to a start menu file

      • ldrmgan18011.exe (PID: 2068)

    • Application was dropped or rewritten from another process

      • client32.exe (PID: 1456)

    • Drops executable file immediately after starts

      • ldrmgan18011.exe (PID: 2068)

  • SUSPICIOUS

    • Creates files in the user directory

      • ldrmgan18011.exe (PID: 2068)

    • Executed via COM

      • DllHost.exe (PID: 2120)

    • Drops a file that was compiled in debug mode

      • ldrmgan18011.exe (PID: 2068)

    • Checks supported languages

      • client32.exe (PID: 1456)
      • ldrmgan18011.exe (PID: 2068)

    • Reads the computer name

      • client32.exe (PID: 1456)
      • ldrmgan18011.exe (PID: 2068)

    • Executable content was dropped or overwritten

      • ldrmgan18011.exe (PID: 2068)

  • INFO

    • Checks supported languages

      • DllHost.exe (PID: 2120)

    • Reads the computer name

      • DllHost.exe (PID: 2120)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (35.8)
.exe | Win64 Executable (generic) (31.7)
.scr | Windows screen saver (15)
.dll | Win32 Dynamic Link Library (generic) (7.5)
.exe | Win32 Executable (generic) (5.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:02 08:40:33+01:00
PEType: PE32
LinkerVersion: 9
CodeSize: 52224
InitializedDataSize: 218624
UninitializedDataSize: -
EntryPoint: 0x9aca
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 02-Mar-2011 07:40:33
Detected languages:
  • English - United States
  • Process Default Language
Debug artifacts:
  • d:\Projects\WinRAR\SFX\build\sfxzip32\Release\sfxzip.pdb

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 02-Mar-2011 07:40:33
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0000CB8B
0x0000CC00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.53498
.rdata
0x0000E000
0x00001B75
0x00001C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.9646
.data
0x00010000
0x0001D9D8
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
1.31952
.CRT
0x0002E000
0x00000010
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
0.213101
.rsrc
0x0002F000
0x000335C0
0x00033600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.38085

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.20816
1464
Latin 1 / Western European
English - United States
RT_MANIFEST
2
4.70489
67624
Latin 1 / Western European
Process Default Language
RT_ICON
3
5.06499
38056
Latin 1 / Western European
Process Default Language
RT_ICON
4
5.11564
26600
Latin 1 / Western European
Process Default Language
RT_ICON
5
5.09564
21640
Latin 1 / Western European
Process Default Language
RT_ICON
6
4.82288
16936
Latin 1 / Western European
Process Default Language
RT_ICON
7
3.24143
556
Latin 1 / Western European
English - United States
RT_STRING
8
3.26996
974
Latin 1 / Western European
English - United States
RT_STRING
9
3.04375
530
Latin 1 / Western European
English - United States
RT_STRING
10
3.16254
776
Latin 1 / Western European
English - United States
RT_STRING

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
ole32.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start ldrmgan18011.exe client32.exe DllHost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2068"C:\Users\admin\AppData\Local\Temp\ldrmgan18011.exe" C:\Users\admin\AppData\Local\Temp\ldrmgan18011.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\ldrmgan18011.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
1456"C:\Users\admin\AppData\Roaming\WinSupUpdate\client32.exe" C:\Users\admin\AppData\Roaming\WinSupUpdate\client32.exe
ldrmgan18011.exe
User:
admin
Company:
NetSupport Ltd
Integrity Level:
MEDIUM
Description:
NetSupport Client Application
Version:
V12.50
Modules
Images
c:\users\admin\appdata\roaming\winsupupdate\client32.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2120C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\rpcrt4.dll
Total events
1 277
Read events
1 255
Write events
22
Delete events
0

Modification events

(PID) Process:(2068) ldrmgan18011.exeKey:HKEY_CURRENT_USER\Software\WinRAR SFX
Operation:writeName:C%%Users%admin%AppData%Roaming
Value:
C:\Users\admin\AppData\Roaming
(PID) Process:(2068) ldrmgan18011.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2068) ldrmgan18011.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2068) ldrmgan18011.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2068) ldrmgan18011.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(1456) client32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(1456) client32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000087000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(1456) client32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1456) client32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1456) client32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
Executable files
9
Suspicious files
4
Text files
4
Unknown types
1

Dropped files

PID
Process
Filename
Type
2120DllHost.exeC:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
MD5:
SHA256:
2068ldrmgan18011.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autorunings.ini.lnklnk
MD5:ADFC4229C9498C192F2683227595BD77
SHA256:3AF46677527D5FE12FF71C2BF6BEE55ADD3EE5FE7A8AE380E3066C35DC8FFFC9
2120DllHost.exeC:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\V01.chkbinary
MD5:3DA00FFBA5690F6AF13370F00CAE5A17
SHA256:FD0449A09A4627216BFABE3DB5243B0DB1818F01ACD3E617AD075668D5D3D011
2068ldrmgan18011.exeC:\Users\admin\AppData\Roaming\WinSupUpdate\client32.initext
MD5:CB3399E1F648DD63BE3605FA9D69993D
SHA256:972F42C6905CD81AAF300D95A8AC4B6E8A76F7A3C2729EA0A002E3E793CA7136
2120DllHost.exeC:\Users\admin\AppData\Local\Microsoft\Windows\WebCache\V01.logbinary
MD5:5E3C6B74D1FD73C5D74C3871945A55DB
SHA256:B6CB57DE1A5EBF078CFCD4EBC2630DB260D2F2A377D0AEA280B603DC0E8A8CF9
2068ldrmgan18011.exeC:\Users\admin\AppData\Roaming\WinSupUpdate\pcicapi.dllexecutable
MD5:DCDE2248D19C778A41AA165866DD52D0
SHA256:9074FD40EA6A0CAA892E6361A6A4E834C2E51E6E98D1FFCDA7A9A537594A6917
2068ldrmgan18011.exeC:\Users\admin\AppData\Roaming\WinSupUpdate\nskbfltr.infbinary
MD5:26E28C01461F7E65C402BDF09923D435
SHA256:D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368
2068ldrmgan18011.exeC:\Users\admin\AppData\Roaming\WinSupUpdate\PCICHEK.DLLexecutable
MD5:A0B9388C5F18E27266A31F8C5765B263
SHA256:313117E723DDA6EA3911FAACD23F4405003FB651C73DE8DEFF10B9EB5B4A058A
2068ldrmgan18011.exeC:\Users\admin\AppData\Roaming\WinSupUpdate\NSM.LICtext
MD5:8614C2008044A081E9D26D8DB1571F4A
SHA256:DF622FC8BC605023730D3AD952D69FCBD8383CE5440D63DA0DF20FB139355EC9
2068ldrmgan18011.exeC:\Users\admin\AppData\Roaming\WinSupUpdate\client32.exeexecutable
MD5:F76954B68CC390F8009F1A052283A740
SHA256:63315DF7981130853D75DC753E5776BDF371811BCFCE351557C1E45AFDD1EBFB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
2
DNS requests
3
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1456
client32.exe
POST
200
23.108.57.114:1998
http://23.108.57.114/fakeurl.htm
US
binary
159 b
suspicious
1456
client32.exe
GET
200
62.172.138.35:80
http://geo.netsupportsoftware.com/location/loca.asp
GB
text
17 b
suspicious
1456
client32.exe
POST
23.108.57.114:1998
http://23.108.57.114/fakeurl.htm
US
suspicious
1456
client32.exe
POST
23.108.57.114:1998
http://23.108.57.114/fakeurl.htm
US
suspicious
1456
client32.exe
POST
200
23.108.57.114:1998
http://23.108.57.114/fakeurl.htm
US
binary
61 b
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1456
client32.exe
62.172.138.35:80
geo.netsupportsoftware.com
British Telecommunications PLC
GB
suspicious
1456
client32.exe
23.108.57.114:1998
Jalalymola17.com
Nobis Technology Group, LLC
US
suspicious

DNS requests

Domain
IP
Reputation
Jalalymola11.com
unknown
Jalalymola17.com
  • 23.108.57.114
suspicious
geo.netsupportsoftware.com
  • 62.172.138.35
  • 195.171.92.116
suspicious

Threats

PID
Process
Class
Message
Potential Corporate Privacy Violation
ET POLICY NetSupport GeoLocation Lookup Request
5 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
ldrmgan18011.exe