netsupport | c6917fdef434526178ff8007cbf4545c96db6a41987cb2c74590778e37716bff

Analysis

max time kernel
130s
max time network
225s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
29/10/2022, 04:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6917fdef434526178ff8007cbf4545c96db6a41987cb2c74590778e37716bff.exe
Size

412.4MB
MD5

d70c7c364098ca54e7582e3f27d989ce
SHA1

e8735b1382cb6f8880a09716dfd79262735b8b69
SHA256

c6917fdef434526178ff8007cbf4545c96db6a41987cb2c74590778e37716bff
SHA512

8b34d9b1a3cc9cd06dcdc2120d8c960a2ad209c5eaf5772b371eb35588342854ea344eff222680c2ad570be15419fda27943b9bad8c22092b30ea80c4156f648
SSDEEP

98304:qDsqmfeoT5qEM+1+LofOz7VNBLghT2tNcTWTQbictE:X5GoVasEofyrRsEEWTQ3tE

Score

10^/10

netsupport persistence rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Executes dropped EXE 1 IoCs

pid	Process
4896	Cunt.exe.pif

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c6917fdef434526178ff8007cbf4545c96db6a41987cb2c74590778e37716bff.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c6917fdef434526178ff8007cbf4545c96db6a41987cb2c74590778e37716bff.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1776	tasklist.exe
4060	tasklist.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
4788	PING.EXE
812	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4896	Cunt.exe.pif
4896	Cunt.exe.pif
4896	Cunt.exe.pif
4896	Cunt.exe.pif
4896	Cunt.exe.pif
4896	Cunt.exe.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1776	tasklist.exe
Token: SeDebugPrivilege	4060	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4896	Cunt.exe.pif
4896	Cunt.exe.pif
4896	Cunt.exe.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4896	Cunt.exe.pif
4896	Cunt.exe.pif
4896	Cunt.exe.pif

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 5060	3156	c6917fdef434526178ff8007cbf4545c96db6a41987cb2c74590778e37716bff.exe	67
PID 3156 wrote to memory of 5060	3156	c6917fdef434526178ff8007cbf4545c96db6a41987cb2c74590778e37716bff.exe	67
PID 3156 wrote to memory of 5060	3156	c6917fdef434526178ff8007cbf4545c96db6a41987cb2c74590778e37716bff.exe	67
PID 3156 wrote to memory of 4520	3156	c6917fdef434526178ff8007cbf4545c96db6a41987cb2c74590778e37716bff.exe	70
PID 3156 wrote to memory of 4520	3156	c6917fdef434526178ff8007cbf4545c96db6a41987cb2c74590778e37716bff.exe	70
PID 3156 wrote to memory of 4520	3156	c6917fdef434526178ff8007cbf4545c96db6a41987cb2c74590778e37716bff.exe	70
PID 4520 wrote to memory of 2664	4520	cmd.exe	69
PID 4520 wrote to memory of 2664	4520	cmd.exe	69
PID 4520 wrote to memory of 2664	4520	cmd.exe	69
PID 2664 wrote to memory of 1776	2664	cmd.exe	72
PID 2664 wrote to memory of 1776	2664	cmd.exe	72
PID 2664 wrote to memory of 1776	2664	cmd.exe	72
PID 2664 wrote to memory of 1652	2664	cmd.exe	71
PID 2664 wrote to memory of 1652	2664	cmd.exe	71
PID 2664 wrote to memory of 1652	2664	cmd.exe	71
PID 2664 wrote to memory of 4060	2664	cmd.exe	75
PID 2664 wrote to memory of 4060	2664	cmd.exe	75
PID 2664 wrote to memory of 4060	2664	cmd.exe	75
PID 2664 wrote to memory of 4692	2664	cmd.exe	74
PID 2664 wrote to memory of 4692	2664	cmd.exe	74
PID 2664 wrote to memory of 4692	2664	cmd.exe	74
PID 2664 wrote to memory of 3384	2664	cmd.exe	76
PID 2664 wrote to memory of 3384	2664	cmd.exe	76
PID 2664 wrote to memory of 3384	2664	cmd.exe	76
PID 2664 wrote to memory of 4896	2664	cmd.exe	77
PID 2664 wrote to memory of 4896	2664	cmd.exe	77
PID 2664 wrote to memory of 4896	2664	cmd.exe	77
PID 2664 wrote to memory of 4788	2664	cmd.exe	78
PID 2664 wrote to memory of 4788	2664	cmd.exe	78
PID 2664 wrote to memory of 4788	2664	cmd.exe	78
PID 4520 wrote to memory of 812	4520	cmd.exe	79
PID 4520 wrote to memory of 812	4520	cmd.exe	79
PID 4520 wrote to memory of 812	4520	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\c6917fdef434526178ff8007cbf4545c96db6a41987cb2c74590778e37716bff.exe
"C:\Users\Admin\AppData\Local\Temp\c6917fdef434526178ff8007cbf4545c96db6a41987cb2c74590778e37716bff.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Windows\SysWOW64\dllhost.exe
  dllhost vfrfgh ningggfdee
  2⤵
  PID:5060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cmd < Fox.wks & ping -n 5 localhost
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 5 localhost
    3⤵
    - Runs ping.exe
    PID:812

C:\Windows\SysWOW64\cmd.exe
cmd
1⤵
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\SysWOW64\find.exe
  find /I /N "avastui.exe"
  2⤵
  PID:1652
- C:\Windows\SysWOW64\tasklist.exe
  tasklist /FI "imagename eq AvastUI.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Windows\SysWOW64\find.exe
  find /I /N "avgui.exe"
  2⤵
  PID:4692
- C:\Windows\SysWOW64\tasklist.exe
  tasklist /FI "imagename eq AVGUI.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4060
- C:\Windows\SysWOW64\findstr.exe
  findstr /V /R "^xogwVTG$" Karma.wks
  2⤵
  PID:3384
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cunt.exe.pif
  Cunt.exe.pif t
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4896
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cunt.exe.pif
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cunt.exe.pif
    3⤵
    PID:96
- C:\Windows\SysWOW64\PING.EXE
  ping localhost -n 5
  2⤵
  - Runs ping.exe
  PID:4788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cunt.exe.pif

Filesize
179KB

MD5
cd8ae08685c6624c3692a67abaf8a1d3

SHA1
0be0de7de6d413d4c122dd0009329f2482eb02ff

SHA256
7234202badf33ff2f41105504fd9b1c8d9ade240c85b535d139b495fe4a76eb8

SHA512
88176593c65815c5f1ae5cdeee4ad6f7d80f973322c96b0e6f80ec42ecdf1fdf48292ca4270e52cc231c217720f46a577c32a24403aa6f09cdefc83edaeac88c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cunt.exe.pif

Filesize
66KB

MD5
f64d3be988ef742c4c6adf3322fe7b98

SHA1
55e705e079de0a572f84b77c307c9445aa1e8d63

SHA256
9f64b8580c126c9a69d4cfa96e0b13ec943d6da4523fdf79dd67228c6896d9bf

SHA512
c141a450b7dcb8911c84b41244c166a8dfd479db3dcd9616aebaee9e93a8830b4cb7666b1c3085f4dbd0cec80ef1b270225c13a96f5cf63540006d3aff9230ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fox.wks

Filesize
10KB

MD5
c39714e32d3c98a8a2afd420d527095d

SHA1
5b924df4bb3614a9f1358b8ed0e818277acaccea

SHA256
f2f514c76e7c8411d37ea79c7be6d0dd4024a9ac83e3a5d59acb6480b2a13573

SHA512
df0f89acb6535c144308ff78322416441d2f3f8b83840f4edce3348481ee94402e9b4cb0d7753c0b46db1c0a7f4305539860a2d75c6a54bacb70d53baa2c4b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\I.wks

Filesize
256KB

MD5
396680b2ad6ef1645d6932c67d3d4cea

SHA1
15ce4cee3b1c08e0709c04d54a4be453ea088246

SHA256
6fed926d8d7570434a7c6972773a889fa40643f117b0f9d02087163b5a255b4a

SHA512
415a3f95b22ecf2373131c2ab2704c78f6605ea4e2a0501e9e1b03b3fa31a97d1d19c0b87e3d0879d487224695cad338308c0f3b8c828cb9f2552b496c9a3828

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Karma.wks

Filesize
74KB

MD5
134bdbb5e58a1328364db1f474c46db7

SHA1
187f8308b08851e9415b57cbe7793d6fe12bde3b

SHA256
9c23dea4d574e5c58d9d5bdd32b34ea6b7eec7e2c5c59a0c1dd8ab01b07a72c5

SHA512
b6565d87ed30345f17a145d42b3a94dd0ba5d7b68bd6846dc92e0f3e1769ab888cc3fce3827f8d0b325d131fa43de92a7c4555d35869e8a5c38c4a5305b8c64f

Download Submit
memory/2664-183-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-130-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-150-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-128-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-129-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-156-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-131-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-132-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-133-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-134-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-136-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-135-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-137-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-138-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-139-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-140-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-141-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-142-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-143-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-144-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-145-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-146-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-148-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-151-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-116-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-149-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-147-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-152-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-153-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-154-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-159-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-117-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-119-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-121-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-122-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-123-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-157-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-158-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-124-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-126-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-127-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-125-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-120-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-118-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-155-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/3156-160-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/4520-177-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/4520-178-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/4520-179-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/4520-176-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/4520-180-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/5060-169-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/5060-174-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/5060-170-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/5060-166-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/5060-171-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/5060-173-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/5060-167-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/5060-172-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/5060-165-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/5060-168-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/5060-163-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/5060-164-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download
memory/5060-162-0x00000000779D0000-0x0000000077B5E000-memory.dmp

Filesize
1.6MB

Download