netsupport | 64d3eef726267d18037a898e65f9a98aa609a37d6cda7762013f9362ef424dd6

Analysis

max time kernel
97s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 22:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae63b342d6211f00ff9e256b1e2339b3.exe
Size

2.5MB
MD5

ae63b342d6211f00ff9e256b1e2339b3
SHA1

f2cb5fef98dd61c96e79896bd9ee84f258f3e856
SHA256

64d3eef726267d18037a898e65f9a98aa609a37d6cda7762013f9362ef424dd6
SHA512

f35155e7fcae0f5a4e70856bac54eeaa398bafa7c8a95cd34fe7f31c4f07dfa719af1a6738f875f95eda8dd9ce02edfdc5ee9b7d67bb61f94fc78b71e9503f4e
SSDEEP

49152:xdoHdxkp92TMp2OSSyWi/TlV56nNeDyQ41Huw9If8DQtqKPi/VBK:id6Ugp24+6UyQ41uw9IkDUii

Score

10^/10

netsupport rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ae63b342d6211f00ff9e256b1e2339b3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	ae63b342d6211f00ff9e256b1e2339b3.exe

Drops startup file 1 IoCs

Processes:

ae63b342d6211f00ff9e256b1e2339b3.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autorunins_2022.ini.lnk	ae63b342d6211f00ff9e256b1e2339b3.exe

Executes dropped EXE 1 IoCs

Processes:

client32.exe

pid process

2608 client32.exe
Loads dropped DLL 5 IoCs

Processes:

client32.exe

pid process

2608 client32.exe
2608 client32.exe
2608 client32.exe
2608 client32.exe
2608 client32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

client32.exe

description pid process

Token: SeSecurityPrivilege 2608 client32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

client32.exe

pid process

2608 client32.exe

pid	process
2608	client32.exe

pid	process
2608	client32.exe
2608	client32.exe
2608	client32.exe
2608	client32.exe
2608	client32.exe

description	pid	process
Token: SeSecurityPrivilege	2608	client32.exe

pid	process
2608	client32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ae63b342d6211f00ff9e256b1e2339b3.exe

description	pid	process	target process
PID 1952 wrote to memory of 2608	1952	ae63b342d6211f00ff9e256b1e2339b3.exe	client32.exe
PID 1952 wrote to memory of 2608	1952	ae63b342d6211f00ff9e256b1e2339b3.exe	client32.exe
PID 1952 wrote to memory of 2608	1952	ae63b342d6211f00ff9e256b1e2339b3.exe	client32.exe

C:\Users\Admin\AppData\Local\Temp\ae63b342d6211f00ff9e256b1e2339b3.exe
"C:\Users\Admin\AppData\Local\Temp\ae63b342d6211f00ff9e256b1e2339b3.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1952

C:\Users\Admin\AppData\Roaming\WinUpdate_2022\client32.exe
"C:\Users\Admin\AppData\Roaming\WinUpdate_2022\client32.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinUpdate_2022\HTCTL32.DLL
Filesize
299KB

MD5
369388ac78ca4ca8a64219cf9aafad4c

SHA1
dfa6c01c55ac799f041c65df9a35aba8cf0d8c2d

SHA256
c76ee648639406c81469772311c39b46042bf1b91e47d9201908f3cf70407f30

SHA512
7d090f033ffc48b870d692877f3804a69dcb1ff61b96936f1ab77bf42b156839bfd787c387bc7d642c732868e3dcd8c0ff3b319f057c0157b5afc6843b302bc5

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\HTCTL32.DLL
Filesize
299KB

MD5
369388ac78ca4ca8a64219cf9aafad4c

SHA1
dfa6c01c55ac799f041c65df9a35aba8cf0d8c2d

SHA256
c76ee648639406c81469772311c39b46042bf1b91e47d9201908f3cf70407f30

SHA512
7d090f033ffc48b870d692877f3804a69dcb1ff61b96936f1ab77bf42b156839bfd787c387bc7d642c732868e3dcd8c0ff3b319f057c0157b5afc6843b302bc5

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\MSVCR100.dll
Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\NSM.LIC
Filesize
258B

MD5
c8e98888195af80508c1900df67abd3b

SHA1
36f4acb21978f5c47d0ff226790f86a1d891496a

SHA256
cdd35ab3123f2b83ffa58bc6491cfafe3a048deb4eafd836822f49ee704697d0

SHA512
e1288e49313194bb87183c7561a821748dd7e589cb601f22dbc50a465cb3f8fe1127d6327e2906c266134cf49ad7a7f8193ad5bc91f6ed76db3c5f54a5dc7e8a

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\PCICAPI.dll
Filesize
100KB

MD5
f0d7d2a77eee2b3146405d3ad0d56230

SHA1
37c323faf58584606ee5847cb9a25346c588f78f

SHA256
f043653ab1b8fbe5a33922df5b4fb46797e9694e5fcee807b97cc6aaef650131

SHA512
861258b5b97665f649437fd25aadc5dc66e5bc5a87d7482300f9931810f0d89d0ed9c01890cd038daa7c6d2f1850a3208fc20b3c1dc2e588c7688e228a4baade

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\PCICHEK.DLL
Filesize
8KB

MD5
07b474ab5c503f35873b94cd48d01592

SHA1
e6f699d6c021d9d434cc6a4e68516c4c2ac80ddc

SHA256
c8911c298f860de85037f8634e8539627f5a1c13b1fffe5568d63612e29b9cd4

SHA512
a995b0d1fba6e99dd89afbf5161efc18b0268c001c27155876e642abc8639f79c2c320530039cfa5ec9f6ca10e1d716060b0fb86414245f578f920f11c9bbbc8

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\PCICL32.DLL
Filesize
3.3MB

MD5
1274cca13cc5e37ca94d35e5b0673e89

SHA1
a8754c94f88273c304bc45a5afd61a383bb52117

SHA256
cd5510c8bc7ea60be77ad4aab502ee02d871bf4e917aeeb6921c20eebd9693dd

SHA512
52eafa31ee942dc92d0b8f52c12206f6abc1d5fae799b37b371e97c38ce66bd0693263de86b4880748ba1405054701288caf2cd00cd327edc164e1390cf9191c

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\PCICL32.dll
Filesize
3.3MB

MD5
1274cca13cc5e37ca94d35e5b0673e89

SHA1
a8754c94f88273c304bc45a5afd61a383bb52117

SHA256
cd5510c8bc7ea60be77ad4aab502ee02d871bf4e917aeeb6921c20eebd9693dd

SHA512
52eafa31ee942dc92d0b8f52c12206f6abc1d5fae799b37b371e97c38ce66bd0693263de86b4880748ba1405054701288caf2cd00cd327edc164e1390cf9191c

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\client32.exe
Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\client32.exe
Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\client32.exe
Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\client32.ini
Filesize
971B

MD5
5887b18cef1c7bd6af30ac2e1f5a80ab

SHA1
5a25aa37c731ef2299ddb4db9674e12ac710a983

SHA256
1b9240e64cbdb8bf01a8585b42df4ca724b3943c4e8135d216ec719c9087778f

SHA512
fa4ec439fc8b6c30203637d2d880fe9ea3b72901bddee6883fb42a50070fa6cfb111e2132e35623fa7bca395a37c06fd1863831cf5e67e491caebb47fbf633d6

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\msvcr100.dll
Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\pcicapi.dll
Filesize
100KB

MD5
f0d7d2a77eee2b3146405d3ad0d56230

SHA1
37c323faf58584606ee5847cb9a25346c588f78f

SHA256
f043653ab1b8fbe5a33922df5b4fb46797e9694e5fcee807b97cc6aaef650131

SHA512
861258b5b97665f649437fd25aadc5dc66e5bc5a87d7482300f9931810f0d89d0ed9c01890cd038daa7c6d2f1850a3208fc20b3c1dc2e588c7688e228a4baade

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate_2022\pcichek.dll
Filesize
8KB

MD5
07b474ab5c503f35873b94cd48d01592

SHA1
e6f699d6c021d9d434cc6a4e68516c4c2ac80ddc

SHA256
c8911c298f860de85037f8634e8539627f5a1c13b1fffe5568d63612e29b9cd4

SHA512
a995b0d1fba6e99dd89afbf5161efc18b0268c001c27155876e642abc8639f79c2c320530039cfa5ec9f6ca10e1d716060b0fb86414245f578f920f11c9bbbc8

Download Submit