netsupport | 01910bddacbf2ea878b487dd3dfc2cfbeabf1a3dba94309b4a84c9e6b4b4afc9

Analysis

max time kernel
8s
max time network
139s
platform
windows7_x64
resource
win7v20210410
submitted
07-05-2021 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

778740fde9b90b9dba00950061087e9a.exe
Size

3.2MB
MD5

778740fde9b90b9dba00950061087e9a
SHA1

a2b0d310fe8acb98d21ab9ffb7dac7cdcedf5348
SHA256

01910bddacbf2ea878b487dd3dfc2cfbeabf1a3dba94309b4a84c9e6b4b4afc9
SHA512

1fb987544a2031b45e659b9f87fbea2d437c96e64748d02d856b014aa952bced4514119a7e97d19511423765e8eef30765c7ee5f3768f464bb95c2404bf046b5

Score

10^/10

netsupport rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
Executes dropped EXE 3 IoCs

Processes:

DS3.exeDS3.tmpclient32.exe

pid process

1420 DS3.exe
1748 DS3.tmp
592 client32.exe

pid	process
1420	DS3.exe
1748	DS3.tmp
592	client32.exe

Loads dropped DLL 14 IoCs

Processes:

778740fde9b90b9dba00950061087e9a.exeDS3.exeDS3.tmpclient32.exe

pid	process
1996	778740fde9b90b9dba00950061087e9a.exe
1996	778740fde9b90b9dba00950061087e9a.exe
1996	778740fde9b90b9dba00950061087e9a.exe
1996	778740fde9b90b9dba00950061087e9a.exe
1420	DS3.exe
1748	DS3.tmp
1748	DS3.tmp
1748	DS3.tmp
1748	DS3.tmp
592	client32.exe
592	client32.exe
592	client32.exe
592	client32.exe
592	client32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

DS3.tmp

pid process

1748 DS3.tmp
1748 DS3.tmp
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

client32.exe

description pid process

Token: SeSecurityPrivilege 592 client32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

DS3.tmpclient32.exe

pid process

1748 DS3.tmp
592 client32.exe

pid	process
1748	DS3.tmp
1748	DS3.tmp

description	pid	process
Token: SeSecurityPrivilege	592	client32.exe

pid	process
1748	DS3.tmp
592	client32.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

778740fde9b90b9dba00950061087e9a.exeDS3.exeDS3.tmp

description	pid	process	target process
PID 1996 wrote to memory of 1420	1996	778740fde9b90b9dba00950061087e9a.exe	DS3.exe
PID 1996 wrote to memory of 1420	1996	778740fde9b90b9dba00950061087e9a.exe	DS3.exe
PID 1996 wrote to memory of 1420	1996	778740fde9b90b9dba00950061087e9a.exe	DS3.exe
PID 1996 wrote to memory of 1420	1996	778740fde9b90b9dba00950061087e9a.exe	DS3.exe
PID 1996 wrote to memory of 1420	1996	778740fde9b90b9dba00950061087e9a.exe	DS3.exe
PID 1996 wrote to memory of 1420	1996	778740fde9b90b9dba00950061087e9a.exe	DS3.exe
PID 1996 wrote to memory of 1420	1996	778740fde9b90b9dba00950061087e9a.exe	DS3.exe
PID 1420 wrote to memory of 1748	1420	DS3.exe	DS3.tmp
PID 1420 wrote to memory of 1748	1420	DS3.exe	DS3.tmp
PID 1420 wrote to memory of 1748	1420	DS3.exe	DS3.tmp
PID 1420 wrote to memory of 1748	1420	DS3.exe	DS3.tmp
PID 1420 wrote to memory of 1748	1420	DS3.exe	DS3.tmp
PID 1420 wrote to memory of 1748	1420	DS3.exe	DS3.tmp
PID 1420 wrote to memory of 1748	1420	DS3.exe	DS3.tmp
PID 1748 wrote to memory of 592	1748	DS3.tmp	client32.exe
PID 1748 wrote to memory of 592	1748	DS3.tmp	client32.exe
PID 1748 wrote to memory of 592	1748	DS3.tmp	client32.exe
PID 1748 wrote to memory of 592	1748	DS3.tmp	client32.exe

C:\Users\Admin\AppData\Local\Temp\778740fde9b90b9dba00950061087e9a.exe
"C:\Users\Admin\AppData\Local\Temp\778740fde9b90b9dba00950061087e9a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DS3.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\DS3.exe" /VERYSILENT /SP-
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1420

C:\Users\Admin\AppData\Local\Temp\is-GN95S.tmp\DS3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GN95S.tmp\DS3.tmp" /SL5="$1017C,2809640,780800,C:\Users\Admin\AppData\Local\Temp\RarSFX0\DS3.exe" /VERYSILENT /SP-
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Roaming\WindowsUpdate\client32.exe
"C:\Users\Admin\AppData\Roaming\WindowsUpdate\client32.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DS3.exe
MD5
196c51b04013f65bc6d857f6cfe34ca2

SHA1
a08307aec683b6beec52ae39a4a76f54c3f8ea78

SHA256
72e24354f29eeb59d5a33ea9edafddfe9b983a6323c0a8687c1d043ea965bd4f

SHA512
5f69fbff0cc94571c48345f7c0c2952ae3ab1ce8bfe0ae0036e72ff6f84467d29f30c154dd2969e9c5b7e6180ef0338a9d9bb8226ce3e83f0690087cd6ca33c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DS3.exe
MD5
196c51b04013f65bc6d857f6cfe34ca2

SHA1
a08307aec683b6beec52ae39a4a76f54c3f8ea78

SHA256
72e24354f29eeb59d5a33ea9edafddfe9b983a6323c0a8687c1d043ea965bd4f

SHA512
5f69fbff0cc94571c48345f7c0c2952ae3ab1ce8bfe0ae0036e72ff6f84467d29f30c154dd2969e9c5b7e6180ef0338a9d9bb8226ce3e83f0690087cd6ca33c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GN95S.tmp\DS3.tmp
MD5
c622b0970f4d2e3146bb00840cef3e5a

SHA1
22edbc60da2bcaec3ccc14cb729e8e12e4b2eb93

SHA256
904f3e825cbb7d41b9e9b3eb1b58a9a269df751738ba58ebecba74e8aa9e0294

SHA512
698413616a50e5c3ef5ac084d366d94e10b2eb1195e4f30536e97d54ba8f8237348a44380c78789c0c9eb551b61af14f9b3d8d05c45dd7f1c08f450fadcb4972

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsUpdate\HTCTL32.DLL
MD5
580458344285d0baede4a903bf528f7c

SHA1
189d4003105c870f9c06b081035e1835c4100c68

SHA256
f9c6042866655032bc0c1192806844f31f9775bcf39961d49ca4fa58b9539840

SHA512
6971cd8d4c1ff4f38e2bccba65fc50fbc947d821593aea72c57cc056034f358c68427e3b158350f3e8256382f48f499916e06fbcf1f7ad3ae9a7d53a1f7d302d

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsUpdate\MSVCR100.dll
MD5
33d7e92c15cf68ede5df6eb024722681

SHA1
590813d6f81fb34031fcb387e1da4bb4dfee3b8e

SHA256
c20c75eb4f419e6e69cd595fd785d7061c0379c0c1a0ea1e756794c51882e7f2

SHA512
47ccd10002cafdccf2f0cbe3f55b7578892ca9b8622331ea6d93e7ca3f6fe816fcb43d34adcb792cecfc7f804f4a809992be98459f17764ebb0e1b40ab5dae4b

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsUpdate\NSM.LIC
MD5
ac5d5cc9acad4531ef1bd16145ea68bd

SHA1
f9d92f79a934815b645591ebbd6f5d20aa6a3e38

SHA256
68c787616681427557343e42ede5805dfbeeb580c59f69c4706b500f225e2c6b

SHA512
196863e039e9c83fb0f8eb3f0a6119db31a624e7ef4e9ba99516702e76796957f0ebf87e8728e1bd0de6cd7420bec6e644caa58a0724a7208e9a765d6eb78f64

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsUpdate\PCICL32.dll
MD5
e335d6f4ad2831371fcac867a1be9d0b

SHA1
9aa816d9fa32dcb1f6db518a3ccdb995692f3062

SHA256
2063622eb7297a0dd51315175aab88bace572a6ee07c2a6447afceaa9549900e

SHA512
0faa140022feec4b17f9ee702e033f267ef27116e0f40138a711d3784f36fd0d9db4744feb5319857e60ef1c91f1c45679ccb3f92c2bf1f77474c1b08094068f

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsUpdate\client32.exe
MD5
877c80b68ba9e784d36ae8cab4125d43

SHA1
1e49fe1789cb943f07950c593ed109bab9e634ab

SHA256
fbd832accf3fc85b6bce198b63ece09b69cef9be7e7e9513b3fcf40184f537e6

SHA512
429d14f24b14db24057ab7901855915c77f57ecb6917a2672b5081daef1403c56dc0ef0c5fdb08e2275358bdb28f28c9d9998f455d8baa3dc811d07f7d9f0dc5

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsUpdate\client32.ini
MD5
b1bad9a1f72059e718459cd6a26956ef

SHA1
7ef2158e334d05af773948eaccf9996cc96f2146

SHA256
e9443eecd51f64e2a52631726d602b39ef64a3ba4f962778b3b6dfe719251bbd

SHA512
41b9b0901eb44d0a0094048f9faf22e79a229bca943f99a5c901c57d721fc7b0b7e64e30b6478573daa508ee4d83e9155defa78ec8cf04e3abf5ce69048f7a03

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsUpdate\pcicapi.dll
MD5
eaa5d9ce3cf8054e71a5a13076f0dbb3

SHA1
b48046c9d41f652be8e21e8e47068d9be0800ca7

SHA256
dd629c8a1396d9d5748a4b04213ab29771e65875dd60d5125c4703daf94117c9

SHA512
dd57e6fba126a2f6bb05761298abbee0cf13602e0bf829b778e3e8bb109d3bde7731eeb483058f564fea4371aec3f8cb72952755a50f47e4df028b628ffda20c

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsUpdate\pcichek.dll
MD5
83335b9eace69554d05edbcc562be369

SHA1
78772989137e95ffb3ebcec9008f0fa3ef1f24f4

SHA256
aff89746ce83d085a4a479170f4c4176f4e5c7e942590c3b48bbe18720588ecc

SHA512
de51ee9563d6f359a03fc1da2db92da565eee020f594f33188a14dc86276fb31632661032a9383a25c75a9148a22a916dade4d79b3ce17ef2ddf8b4b800a2fa0

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\DS3.exe
MD5
196c51b04013f65bc6d857f6cfe34ca2

SHA1
a08307aec683b6beec52ae39a4a76f54c3f8ea78

SHA256
72e24354f29eeb59d5a33ea9edafddfe9b983a6323c0a8687c1d043ea965bd4f

SHA512
5f69fbff0cc94571c48345f7c0c2952ae3ab1ce8bfe0ae0036e72ff6f84467d29f30c154dd2969e9c5b7e6180ef0338a9d9bb8226ce3e83f0690087cd6ca33c4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\DS3.exe
MD5
196c51b04013f65bc6d857f6cfe34ca2

SHA1
a08307aec683b6beec52ae39a4a76f54c3f8ea78

SHA256
72e24354f29eeb59d5a33ea9edafddfe9b983a6323c0a8687c1d043ea965bd4f

SHA512
5f69fbff0cc94571c48345f7c0c2952ae3ab1ce8bfe0ae0036e72ff6f84467d29f30c154dd2969e9c5b7e6180ef0338a9d9bb8226ce3e83f0690087cd6ca33c4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\DS3.exe
MD5
196c51b04013f65bc6d857f6cfe34ca2

SHA1
a08307aec683b6beec52ae39a4a76f54c3f8ea78

SHA256
72e24354f29eeb59d5a33ea9edafddfe9b983a6323c0a8687c1d043ea965bd4f

SHA512
5f69fbff0cc94571c48345f7c0c2952ae3ab1ce8bfe0ae0036e72ff6f84467d29f30c154dd2969e9c5b7e6180ef0338a9d9bb8226ce3e83f0690087cd6ca33c4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\DS3.exe
MD5
196c51b04013f65bc6d857f6cfe34ca2

SHA1
a08307aec683b6beec52ae39a4a76f54c3f8ea78

SHA256
72e24354f29eeb59d5a33ea9edafddfe9b983a6323c0a8687c1d043ea965bd4f

SHA512
5f69fbff0cc94571c48345f7c0c2952ae3ab1ce8bfe0ae0036e72ff6f84467d29f30c154dd2969e9c5b7e6180ef0338a9d9bb8226ce3e83f0690087cd6ca33c4

Download Submit
\Users\Admin\AppData\Local\Temp\is-GN95S.tmp\DS3.tmp
MD5
c622b0970f4d2e3146bb00840cef3e5a

SHA1
22edbc60da2bcaec3ccc14cb729e8e12e4b2eb93

SHA256
904f3e825cbb7d41b9e9b3eb1b58a9a269df751738ba58ebecba74e8aa9e0294

SHA512
698413616a50e5c3ef5ac084d366d94e10b2eb1195e4f30536e97d54ba8f8237348a44380c78789c0c9eb551b61af14f9b3d8d05c45dd7f1c08f450fadcb4972

Download Submit
\Users\Admin\AppData\Local\Temp\is-MDK2H.tmp\_isetup\_isdecmp.dll
MD5
c6ae924ad02500284f7e4efa11fa7cfc

SHA1
2a7770b473b0a7dc9a331d017297ff5af400fed8

SHA256
31d04c1e4bfdfa34704c142fa98f80c0a3076e4b312d6ada57c4be9d9c7dcf26

SHA512
f321e4820b39d1642fc43bf1055471a323edcc0c4cbd3ddd5ad26a7b28c4fb9fc4e57c00ae7819a4f45a3e0bb9c7baa0ba19c3ceedacf38b911cdf625aa7ddae

Download Submit
\Users\Admin\AppData\Roaming\WindowsCertification\client32.exe
MD5
877c80b68ba9e784d36ae8cab4125d43

SHA1
1e49fe1789cb943f07950c593ed109bab9e634ab

SHA256
fbd832accf3fc85b6bce198b63ece09b69cef9be7e7e9513b3fcf40184f537e6

SHA512
429d14f24b14db24057ab7901855915c77f57ecb6917a2672b5081daef1403c56dc0ef0c5fdb08e2275358bdb28f28c9d9998f455d8baa3dc811d07f7d9f0dc5

Download Submit
\Users\Admin\AppData\Roaming\WindowsUpdate\HTCTL32.DLL
MD5
580458344285d0baede4a903bf528f7c

SHA1
189d4003105c870f9c06b081035e1835c4100c68

SHA256
f9c6042866655032bc0c1192806844f31f9775bcf39961d49ca4fa58b9539840

SHA512
6971cd8d4c1ff4f38e2bccba65fc50fbc947d821593aea72c57cc056034f358c68427e3b158350f3e8256382f48f499916e06fbcf1f7ad3ae9a7d53a1f7d302d

Download Submit
\Users\Admin\AppData\Roaming\WindowsUpdate\PCICHEK.DLL
MD5
83335b9eace69554d05edbcc562be369

SHA1
78772989137e95ffb3ebcec9008f0fa3ef1f24f4

SHA256
aff89746ce83d085a4a479170f4c4176f4e5c7e942590c3b48bbe18720588ecc

SHA512
de51ee9563d6f359a03fc1da2db92da565eee020f594f33188a14dc86276fb31632661032a9383a25c75a9148a22a916dade4d79b3ce17ef2ddf8b4b800a2fa0

Download Submit
\Users\Admin\AppData\Roaming\WindowsUpdate\PCICL32.DLL
MD5
e335d6f4ad2831371fcac867a1be9d0b

SHA1
9aa816d9fa32dcb1f6db518a3ccdb995692f3062

SHA256
2063622eb7297a0dd51315175aab88bace572a6ee07c2a6447afceaa9549900e

SHA512
0faa140022feec4b17f9ee702e033f267ef27116e0f40138a711d3784f36fd0d9db4744feb5319857e60ef1c91f1c45679ccb3f92c2bf1f77474c1b08094068f

Download Submit
\Users\Admin\AppData\Roaming\WindowsUpdate\client32.exe
MD5
877c80b68ba9e784d36ae8cab4125d43

SHA1
1e49fe1789cb943f07950c593ed109bab9e634ab

SHA256
fbd832accf3fc85b6bce198b63ece09b69cef9be7e7e9513b3fcf40184f537e6

SHA512
429d14f24b14db24057ab7901855915c77f57ecb6917a2672b5081daef1403c56dc0ef0c5fdb08e2275358bdb28f28c9d9998f455d8baa3dc811d07f7d9f0dc5

Download Submit
\Users\Admin\AppData\Roaming\WindowsUpdate\client32.exe
MD5
877c80b68ba9e784d36ae8cab4125d43

SHA1
1e49fe1789cb943f07950c593ed109bab9e634ab

SHA256
fbd832accf3fc85b6bce198b63ece09b69cef9be7e7e9513b3fcf40184f537e6

SHA512
429d14f24b14db24057ab7901855915c77f57ecb6917a2672b5081daef1403c56dc0ef0c5fdb08e2275358bdb28f28c9d9998f455d8baa3dc811d07f7d9f0dc5

Download Submit
\Users\Admin\AppData\Roaming\WindowsUpdate\msvcr100.dll
MD5
33d7e92c15cf68ede5df6eb024722681

SHA1
590813d6f81fb34031fcb387e1da4bb4dfee3b8e

SHA256
c20c75eb4f419e6e69cd595fd785d7061c0379c0c1a0ea1e756794c51882e7f2

SHA512
47ccd10002cafdccf2f0cbe3f55b7578892ca9b8622331ea6d93e7ca3f6fe816fcb43d34adcb792cecfc7f804f4a809992be98459f17764ebb0e1b40ab5dae4b

Download Submit
\Users\Admin\AppData\Roaming\WindowsUpdate\pcicapi.dll
MD5
eaa5d9ce3cf8054e71a5a13076f0dbb3

SHA1
b48046c9d41f652be8e21e8e47068d9be0800ca7

SHA256
dd629c8a1396d9d5748a4b04213ab29771e65875dd60d5125c4703daf94117c9

SHA512
dd57e6fba126a2f6bb05761298abbee0cf13602e0bf829b778e3e8bb109d3bde7731eeb483058f564fea4371aec3f8cb72952755a50f47e4df028b628ffda20c

Download Submit
memory/592-80-0x0000000000000000-mapping.dmp

Download
memory/1420-67-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1420-64-0x0000000000000000-mapping.dmp

Download
memory/1748-75-0x0000000073D71000-0x0000000073D73000-memory.dmp

Filesize
8KB

Download
memory/1748-70-0x0000000000000000-mapping.dmp

Download
memory/1748-76-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1996-59-0x0000000075D41000-0x0000000075D43000-memory.dmp

Filesize
8KB

Download