netsupport | bacc798e623adf55c0c51a76552c99776b9c25cdfd721b719c28148dfab099a7

Analysis

max time kernel
144s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23-03-2023 05:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

173672cca610f58caaeca8a2d61b8e98.exe
Size

2.3MB
MD5

173672cca610f58caaeca8a2d61b8e98
SHA1

4a39addcc787d70993723a4228233601f3e01cbe
SHA256

bacc798e623adf55c0c51a76552c99776b9c25cdfd721b719c28148dfab099a7
SHA512

529d8f6a9f86c4485857dab64bf56ad27a49db6eda5b460b81b91d5187557592b82eaad942d8b522711353a0ce6f30fee7d6760aec17f283aca126fdab599d0b
SSDEEP

49152:BZz196RF6Dm6ThBo37cWi2srl0SNjVwEKLxhOBuY+tbviO:/z1qMVThe37cWqdKLfO4Ye

Score

10^/10

netsupport rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

173672cca610f58caaeca8a2d61b8e98.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	173672cca610f58caaeca8a2d61b8e98.exe

Drops startup file 1 IoCs

Processes:

173672cca610f58caaeca8a2d61b8e98.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autorunins_2022.ini.lnk	173672cca610f58caaeca8a2d61b8e98.exe

Executes dropped EXE 1 IoCs

Processes:

client32.exe

pid process

216 client32.exe
Loads dropped DLL 6 IoCs

Processes:

client32.exe

pid process

216 client32.exe
216 client32.exe
216 client32.exe
216 client32.exe
216 client32.exe
216 client32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

client32.exe

description pid process

Token: SeSecurityPrivilege 216 client32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

client32.exe

pid process

216 client32.exe

pid	process
216	client32.exe

pid	process
216	client32.exe
216	client32.exe
216	client32.exe
216	client32.exe
216	client32.exe
216	client32.exe

description	pid	process
Token: SeSecurityPrivilege	216	client32.exe

pid	process
216	client32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

173672cca610f58caaeca8a2d61b8e98.exe

description	pid	process	target process
PID 2472 wrote to memory of 216	2472	173672cca610f58caaeca8a2d61b8e98.exe	client32.exe
PID 2472 wrote to memory of 216	2472	173672cca610f58caaeca8a2d61b8e98.exe	client32.exe
PID 2472 wrote to memory of 216	2472	173672cca610f58caaeca8a2d61b8e98.exe	client32.exe

C:\Users\Admin\AppData\Local\Temp\173672cca610f58caaeca8a2d61b8e98.exe
"C:\Users\Admin\AppData\Local\Temp\173672cca610f58caaeca8a2d61b8e98.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Users\Admin\AppData\Roaming\WinUpdate_2022\client32.exe
  "C:\Users\Admin\AppData\Roaming\WinUpdate_2022\client32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinUpdate_2022\HTCTL32.DLL

Filesize
320KB

MD5
c94005d2dcd2a54e40510344e0bb9435

SHA1
55b4a1620c5d0113811242c20bd9870a1e31d542

SHA256
3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

SHA512
2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\HTCTL32.DLL

Filesize
320KB

MD5
c94005d2dcd2a54e40510344e0bb9435

SHA1
55b4a1620c5d0113811242c20bd9870a1e31d542

SHA256
3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

SHA512
2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\NSM.LIC

Filesize
259B

MD5
6b5215aa2cf4128127b390c5bcb90ce7

SHA1
100b116bae562f066f61cc5f0b339d466f90e0ff

SHA256
99dfc0b55bf27abc581f37c914ed0ca0522ad9f9685b3e4f73079e87ebbdbcba

SHA512
98ce6521c46880ee8e98796fc4e712f9e858201ca89a352884d7b0325b43d6e2de2c0a87ba504db5c9409aa699e91e26e616e285e26543388c6395696b6daa5c

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\PCICHEK.DLL

Filesize
31KB

MD5
d6fcd63035d9b341c7e165e6e553d3cc

SHA1
3101fef674479b8b63da592d6b8feebfce7fd503

SHA256
265623112eafca985d5acd9db3b5f9e00b39cc1f15cdd5b181d3eb0d413b97de

SHA512
e7136af44c3a69126517046fb36fed38f0c396d2a0a43c00feee3438125b38f91efa6d5e2ba18750924a35431b347f30b71382a9549d24c397f8c5871d50aef3

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\PCICL32.DLL

Filesize
3.6MB

MD5
d3d39180e85700f72aaae25e40c125ff

SHA1
f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

SHA256
38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

SHA512
471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\PCICL32.dll

Filesize
3.6MB

MD5
d3d39180e85700f72aaae25e40c125ff

SHA1
f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

SHA256
38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

SHA512
471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\client32.ini

Filesize
971B

MD5
5887b18cef1c7bd6af30ac2e1f5a80ab

SHA1
5a25aa37c731ef2299ddb4db9674e12ac710a983

SHA256
1b9240e64cbdb8bf01a8585b42df4ca724b3943c4e8135d216ec719c9087778f

SHA512
fa4ec439fc8b6c30203637d2d880fe9ea3b72901bddee6883fb42a50070fa6cfb111e2132e35623fa7bca395a37c06fd1863831cf5e67e491caebb47fbf633d6

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\pcicapi.dll

Filesize
48KB

MD5
d3d2829d36586278c2bcb3f547d6e849

SHA1
72d9fd2397310de717b2bde13ea1483d9eb9af02

SHA256
ae84394ac568c590225d4470ed1a94be94240cbccb3c2b985bdfc4686d8afac8

SHA512
dd16e46e83e455c1b2a1c106926851ad289d5c83c1ee94630ee0457c0793c9a8a7ab3d37d64b978a3c8057ed9eceae2fae56ac97b39b3b5172f8472fbb49973c

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\pcicapi.dll

Filesize
48KB

MD5
d3d2829d36586278c2bcb3f547d6e849

SHA1
72d9fd2397310de717b2bde13ea1483d9eb9af02

SHA256
ae84394ac568c590225d4470ed1a94be94240cbccb3c2b985bdfc4686d8afac8

SHA512
dd16e46e83e455c1b2a1c106926851ad289d5c83c1ee94630ee0457c0793c9a8a7ab3d37d64b978a3c8057ed9eceae2fae56ac97b39b3b5172f8472fbb49973c

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\pcichek.dll

Filesize
31KB

MD5
d6fcd63035d9b341c7e165e6e553d3cc

SHA1
3101fef674479b8b63da592d6b8feebfce7fd503

SHA256
265623112eafca985d5acd9db3b5f9e00b39cc1f15cdd5b181d3eb0d413b97de

SHA512
e7136af44c3a69126517046fb36fed38f0c396d2a0a43c00feee3438125b38f91efa6d5e2ba18750924a35431b347f30b71382a9549d24c397f8c5871d50aef3

Download Submit