Overview

overview

10

Static

static

10

virus11.ps1

windows7_x64

8

virus11.ps1

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    virus11.ps1

  • Size

    14KB

  • Sample

    210503-n75z3xk872

  • MD5

    102f6e180a2f67c7cff24e4e47e319e3

  • SHA1

    413906407b384e6a2221c31631271686dd4dc8fd

  • SHA256

    1ec71f936075a6b54858d0ca24538bfe6e74c1f37eec5d9ee065f5ebe12d5ab5

  • SHA512

    589f74c995c9277a54b63b9d7111afd7f85aa535e4b99f02710c8ce333364a4cfd79019809814706de8cdcb88b95c14292c69c1e3a42154e08e4363fd7400128

Score
10/10
netsupportpersistencerat

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://cutt.ly

Targets

    • Target

      virus11.ps1

    • Size

      14KB

    • MD5

      102f6e180a2f67c7cff24e4e47e319e3

    • SHA1

      413906407b384e6a2221c31631271686dd4dc8fd

    • SHA256

      1ec71f936075a6b54858d0ca24538bfe6e74c1f37eec5d9ee065f5ebe12d5ab5

    • SHA512

      589f74c995c9277a54b63b9d7111afd7f85aa535e4b99f02710c8ce333364a4cfd79019809814706de8cdcb88b95c14292c69c1e3a42154e08e4363fd7400128

    Score
    10/10
    persistencenetsupportrat

    • NetSupport

      NetSupport is a remote access tool sold as a legitimate system administration software.

      ratnetsupport

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks