netsupport | 14072a3c84df1196b77f73565c0e0c26760cba4f83eeee2c654fc6a5925174e0

Analysis

max time kernel
27s
max time network
137s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21-03-2023 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ec96a074255b7e90ae95d772c3b89e23289958eec3649ee26ca4071b3e66e9c.exe
Size

2.3MB
MD5

2344df683dc8295da9e132d132083a26
SHA1

de94138ee8c7724089ef9faa80b8453c0b3986a3
SHA256

8ec96a074255b7e90ae95d772c3b89e23289958eec3649ee26ca4071b3e66e9c
SHA512

83a5270c189a78fd6415488a01c16010e944b17ad23f42cc31d1d19f0e4bdece27e10cf385affe4e3eca61ebb273690824de0c18a119b59409d77d21b31c3486
SSDEEP

49152:5ypEkkYclR4EpZeJyKn20ZvtV4RuK52Z+bm9pg6tUywG6EjXpp/7:5vkJclR4oeJy2NNt+Jpbm9aOOOr/7

Score

10^/10

netsupport rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Drops startup file 1 IoCs

Processes:

8ec96a074255b7e90ae95d772c3b89e23289958eec3649ee26ca4071b3e66e9c.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autorunins_2022.ini.lnk	8ec96a074255b7e90ae95d772c3b89e23289958eec3649ee26ca4071b3e66e9c.exe

Executes dropped EXE 1 IoCs

Processes:

client32.exe

pid process

684 client32.exe

pid	process
684	client32.exe

Loads dropped DLL 10 IoCs

Processes:

8ec96a074255b7e90ae95d772c3b89e23289958eec3649ee26ca4071b3e66e9c.execlient32.exe

pid	process
1040	8ec96a074255b7e90ae95d772c3b89e23289958eec3649ee26ca4071b3e66e9c.exe
1040	8ec96a074255b7e90ae95d772c3b89e23289958eec3649ee26ca4071b3e66e9c.exe
1040	8ec96a074255b7e90ae95d772c3b89e23289958eec3649ee26ca4071b3e66e9c.exe
1040	8ec96a074255b7e90ae95d772c3b89e23289958eec3649ee26ca4071b3e66e9c.exe
1040	8ec96a074255b7e90ae95d772c3b89e23289958eec3649ee26ca4071b3e66e9c.exe
684	client32.exe
684	client32.exe
684	client32.exe
684	client32.exe
684	client32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

client32.exe

description pid process

Token: SeSecurityPrivilege 684 client32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

client32.exe

pid process

684 client32.exe

description	pid	process
Token: SeSecurityPrivilege	684	client32.exe

pid	process
684	client32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

8ec96a074255b7e90ae95d772c3b89e23289958eec3649ee26ca4071b3e66e9c.exe

description	pid	process	target process
PID 1040 wrote to memory of 684	1040	8ec96a074255b7e90ae95d772c3b89e23289958eec3649ee26ca4071b3e66e9c.exe	client32.exe
PID 1040 wrote to memory of 684	1040	8ec96a074255b7e90ae95d772c3b89e23289958eec3649ee26ca4071b3e66e9c.exe	client32.exe
PID 1040 wrote to memory of 684	1040	8ec96a074255b7e90ae95d772c3b89e23289958eec3649ee26ca4071b3e66e9c.exe	client32.exe
PID 1040 wrote to memory of 684	1040	8ec96a074255b7e90ae95d772c3b89e23289958eec3649ee26ca4071b3e66e9c.exe	client32.exe
PID 1040 wrote to memory of 684	1040	8ec96a074255b7e90ae95d772c3b89e23289958eec3649ee26ca4071b3e66e9c.exe	client32.exe
PID 1040 wrote to memory of 684	1040	8ec96a074255b7e90ae95d772c3b89e23289958eec3649ee26ca4071b3e66e9c.exe	client32.exe
PID 1040 wrote to memory of 684	1040	8ec96a074255b7e90ae95d772c3b89e23289958eec3649ee26ca4071b3e66e9c.exe	client32.exe

C:\Users\Admin\AppData\Local\Temp\8ec96a074255b7e90ae95d772c3b89e23289958eec3649ee26ca4071b3e66e9c.exe
"C:\Users\Admin\AppData\Local\Temp\8ec96a074255b7e90ae95d772c3b89e23289958eec3649ee26ca4071b3e66e9c.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1040

C:\Users\Admin\AppData\Roaming\WinUpdate_2022\client32.exe
"C:\Users\Admin\AppData\Roaming\WinUpdate_2022\client32.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinUpdate_2022\HTCTL32.DLL

Filesize
320KB

MD5
c94005d2dcd2a54e40510344e0bb9435

SHA1
55b4a1620c5d0113811242c20bd9870a1e31d542

SHA256
3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

SHA512
2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\NSM.LIC

Filesize
259B

MD5
6b5215aa2cf4128127b390c5bcb90ce7

SHA1
100b116bae562f066f61cc5f0b339d466f90e0ff

SHA256
99dfc0b55bf27abc581f37c914ed0ca0522ad9f9685b3e4f73079e87ebbdbcba

SHA512
98ce6521c46880ee8e98796fc4e712f9e858201ca89a352884d7b0325b43d6e2de2c0a87ba504db5c9409aa699e91e26e616e285e26543388c6395696b6daa5c

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\PCICL32.dll

Filesize
3.6MB

MD5
d3d39180e85700f72aaae25e40c125ff

SHA1
f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

SHA256
38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

SHA512
471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\client32.ini

Filesize
971B

MD5
5887b18cef1c7bd6af30ac2e1f5a80ab

SHA1
5a25aa37c731ef2299ddb4db9674e12ac710a983

SHA256
1b9240e64cbdb8bf01a8585b42df4ca724b3943c4e8135d216ec719c9087778f

SHA512
fa4ec439fc8b6c30203637d2d880fe9ea3b72901bddee6883fb42a50070fa6cfb111e2132e35623fa7bca395a37c06fd1863831cf5e67e491caebb47fbf633d6

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\pcicapi.dll

Filesize
48KB

MD5
d3d2829d36586278c2bcb3f547d6e849

SHA1
72d9fd2397310de717b2bde13ea1483d9eb9af02

SHA256
ae84394ac568c590225d4470ed1a94be94240cbccb3c2b985bdfc4686d8afac8

SHA512
dd16e46e83e455c1b2a1c106926851ad289d5c83c1ee94630ee0457c0793c9a8a7ab3d37d64b978a3c8057ed9eceae2fae56ac97b39b3b5172f8472fbb49973c

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\pcichek.dll

Filesize
31KB

MD5
d6fcd63035d9b341c7e165e6e553d3cc

SHA1
3101fef674479b8b63da592d6b8feebfce7fd503

SHA256
265623112eafca985d5acd9db3b5f9e00b39cc1f15cdd5b181d3eb0d413b97de

SHA512
e7136af44c3a69126517046fb36fed38f0c396d2a0a43c00feee3438125b38f91efa6d5e2ba18750924a35431b347f30b71382a9549d24c397f8c5871d50aef3

Download Submit
\Users\Admin\AppData\Roaming\WinUpdate_2022\HTCTL32.DLL

Filesize
320KB

MD5
c94005d2dcd2a54e40510344e0bb9435

SHA1
55b4a1620c5d0113811242c20bd9870a1e31d542

SHA256
3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

SHA512
2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

Download Submit
\Users\Admin\AppData\Roaming\WinUpdate_2022\PCICHEK.DLL

Filesize
31KB

MD5
d6fcd63035d9b341c7e165e6e553d3cc

SHA1
3101fef674479b8b63da592d6b8feebfce7fd503

SHA256
265623112eafca985d5acd9db3b5f9e00b39cc1f15cdd5b181d3eb0d413b97de

SHA512
e7136af44c3a69126517046fb36fed38f0c396d2a0a43c00feee3438125b38f91efa6d5e2ba18750924a35431b347f30b71382a9549d24c397f8c5871d50aef3

Download Submit
\Users\Admin\AppData\Roaming\WinUpdate_2022\PCICL32.DLL

Filesize
3.6MB

MD5
d3d39180e85700f72aaae25e40c125ff

SHA1
f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

SHA256
38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

SHA512
471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

Download Submit
\Users\Admin\AppData\Roaming\WinUpdate_2022\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
\Users\Admin\AppData\Roaming\WinUpdate_2022\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
\Users\Admin\AppData\Roaming\WinUpdate_2022\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
\Users\Admin\AppData\Roaming\WinUpdate_2022\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
\Users\Admin\AppData\Roaming\WinUpdate_2022\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
\Users\Admin\AppData\Roaming\WinUpdate_2022\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
\Users\Admin\AppData\Roaming\WinUpdate_2022\pcicapi.dll

Filesize
48KB

MD5
d3d2829d36586278c2bcb3f547d6e849

SHA1
72d9fd2397310de717b2bde13ea1483d9eb9af02

SHA256
ae84394ac568c590225d4470ed1a94be94240cbccb3c2b985bdfc4686d8afac8

SHA512
dd16e46e83e455c1b2a1c106926851ad289d5c83c1ee94630ee0457c0793c9a8a7ab3d37d64b978a3c8057ed9eceae2fae56ac97b39b3b5172f8472fbb49973c

Download Submit