netsupport | b4d61c536730fbab0d2d81ec2f7bf8cdda541e4fd9200ddf50cf773c90c019c0

Analysis

max time kernel
31s
max time network
125s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
18/05/2023, 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15f7867fee9b4bbcb91168ecc52eb5d2.exe
Size

2.0MB
MD5

15f7867fee9b4bbcb91168ecc52eb5d2
SHA1

8ab83f49f98b1188de7c52a5bd7bccc3f7b0bd8f
SHA256

b4d61c536730fbab0d2d81ec2f7bf8cdda541e4fd9200ddf50cf773c90c019c0
SHA512

35da5c82e9f7d7be624034625fde2f271cfe8dd8b42d74941499b11fe44665f74caf4d5299d31fc3f647d8edf4ca980f7414ab33f30191d87185c91b44aaae68
SSDEEP

49152:/BrdfcoIsGlR4EpZeYzg/6aU2/trEvGony/78Ro6:5rWBblR4oesg/6ajtovD28

Score

10^/10

netsupport rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autorun_2023.ini.lnk	15f7867fee9b4bbcb91168ecc52eb5d2.exe

Executes dropped EXE 1 IoCs

pid	Process
1548	client32.exe

Loads dropped DLL 10 IoCs

pid	Process
1252	15f7867fee9b4bbcb91168ecc52eb5d2.exe
1252	15f7867fee9b4bbcb91168ecc52eb5d2.exe
1252	15f7867fee9b4bbcb91168ecc52eb5d2.exe
1252	15f7867fee9b4bbcb91168ecc52eb5d2.exe
1252	15f7867fee9b4bbcb91168ecc52eb5d2.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1548	client32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1548	client32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 1548	1252	15f7867fee9b4bbcb91168ecc52eb5d2.exe	28
PID 1252 wrote to memory of 1548	1252	15f7867fee9b4bbcb91168ecc52eb5d2.exe	28
PID 1252 wrote to memory of 1548	1252	15f7867fee9b4bbcb91168ecc52eb5d2.exe	28
PID 1252 wrote to memory of 1548	1252	15f7867fee9b4bbcb91168ecc52eb5d2.exe	28
PID 1252 wrote to memory of 1548	1252	15f7867fee9b4bbcb91168ecc52eb5d2.exe	28
PID 1252 wrote to memory of 1548	1252	15f7867fee9b4bbcb91168ecc52eb5d2.exe	28
PID 1252 wrote to memory of 1548	1252	15f7867fee9b4bbcb91168ecc52eb5d2.exe	28

C:\Users\Admin\AppData\Local\Temp\15f7867fee9b4bbcb91168ecc52eb5d2.exe
"C:\Users\Admin\AppData\Local\Temp\15f7867fee9b4bbcb91168ecc52eb5d2.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Users\Admin\AppData\Roaming\UpdateWin_202317\client32.exe
  "C:\Users\Admin\AppData\Roaming\UpdateWin_202317\client32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\UpdateWin_202317\HTCTL32.DLL

Filesize
299KB

MD5
369388ac78ca4ca8a64219cf9aafad4c

SHA1
dfa6c01c55ac799f041c65df9a35aba8cf0d8c2d

SHA256
c76ee648639406c81469772311c39b46042bf1b91e47d9201908f3cf70407f30

SHA512
7d090f033ffc48b870d692877f3804a69dcb1ff61b96936f1ab77bf42b156839bfd787c387bc7d642c732868e3dcd8c0ff3b319f057c0157b5afc6843b302bc5

Download Submit
C:\Users\Admin\AppData\Roaming\UpdateWin_202317\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\UpdateWin_202317\NSM.LIC

Filesize
259B

MD5
a69c513e526ff2985e16ba01cad6df8c

SHA1
7150bcd99d437b6e2bfecfa985c7cbb0e61a3820

SHA256
f35df375fe7090e85a0e151cd65cbbf50ade5e060a31692197bbfbc84dea7bf0

SHA512
87136d98b11ef43cbaae142ed61f306764baf39d75fe92d10261f2b2f1e4da94bc059ec69a11ca5753a9e3be348dc9e368cb15634d1fa09df9f994faea68b56e

Download Submit
C:\Users\Admin\AppData\Roaming\UpdateWin_202317\PCICAPI.dll

Filesize
100KB

MD5
f0d7d2a77eee2b3146405d3ad0d56230

SHA1
37c323faf58584606ee5847cb9a25346c588f78f

SHA256
f043653ab1b8fbe5a33922df5b4fb46797e9694e5fcee807b97cc6aaef650131

SHA512
861258b5b97665f649437fd25aadc5dc66e5bc5a87d7482300f9931810f0d89d0ed9c01890cd038daa7c6d2f1850a3208fc20b3c1dc2e588c7688e228a4baade

Download Submit
C:\Users\Admin\AppData\Roaming\UpdateWin_202317\PCICL32.dll

Filesize
3.3MB

MD5
1274cca13cc5e37ca94d35e5b0673e89

SHA1
a8754c94f88273c304bc45a5afd61a383bb52117

SHA256
cd5510c8bc7ea60be77ad4aab502ee02d871bf4e917aeeb6921c20eebd9693dd

SHA512
52eafa31ee942dc92d0b8f52c12206f6abc1d5fae799b37b371e97c38ce66bd0693263de86b4880748ba1405054701288caf2cd00cd327edc164e1390cf9191c

Download Submit
C:\Users\Admin\AppData\Roaming\UpdateWin_202317\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
C:\Users\Admin\AppData\Roaming\UpdateWin_202317\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
C:\Users\Admin\AppData\Roaming\UpdateWin_202317\client32.ini

Filesize
973B

MD5
ed3db54979b289c9bfd5127ece806259

SHA1
1cd0318746eeacf8fdcd78a6eac61690bb563e39

SHA256
5e32caff84582bdc67843d44bc3213f4bcc4da6944da5f8e1035b15b669e0b45

SHA512
f7874727d30d4383ea00adf39f574494e8e7c7310e09287af66bc1a4066c8acf6572c20f55f12ac307ee5f19a6293949393ff28844fd6a4840ef372689a5d6f9

Download Submit
C:\Users\Admin\AppData\Roaming\UpdateWin_202317\pcichek.dll

Filesize
8KB

MD5
07b474ab5c503f35873b94cd48d01592

SHA1
e6f699d6c021d9d434cc6a4e68516c4c2ac80ddc

SHA256
c8911c298f860de85037f8634e8539627f5a1c13b1fffe5568d63612e29b9cd4

SHA512
a995b0d1fba6e99dd89afbf5161efc18b0268c001c27155876e642abc8639f79c2c320530039cfa5ec9f6ca10e1d716060b0fb86414245f578f920f11c9bbbc8

Download Submit
\Users\Admin\AppData\Roaming\UpdateWin_202317\HTCTL32.DLL

Filesize
299KB

MD5
369388ac78ca4ca8a64219cf9aafad4c

SHA1
dfa6c01c55ac799f041c65df9a35aba8cf0d8c2d

SHA256
c76ee648639406c81469772311c39b46042bf1b91e47d9201908f3cf70407f30

SHA512
7d090f033ffc48b870d692877f3804a69dcb1ff61b96936f1ab77bf42b156839bfd787c387bc7d642c732868e3dcd8c0ff3b319f057c0157b5afc6843b302bc5

Download Submit
\Users\Admin\AppData\Roaming\UpdateWin_202317\PCICHEK.DLL

Filesize
8KB

MD5
07b474ab5c503f35873b94cd48d01592

SHA1
e6f699d6c021d9d434cc6a4e68516c4c2ac80ddc

SHA256
c8911c298f860de85037f8634e8539627f5a1c13b1fffe5568d63612e29b9cd4

SHA512
a995b0d1fba6e99dd89afbf5161efc18b0268c001c27155876e642abc8639f79c2c320530039cfa5ec9f6ca10e1d716060b0fb86414245f578f920f11c9bbbc8

Download Submit
\Users\Admin\AppData\Roaming\UpdateWin_202317\PCICL32.DLL

Filesize
3.3MB

MD5
1274cca13cc5e37ca94d35e5b0673e89

SHA1
a8754c94f88273c304bc45a5afd61a383bb52117

SHA256
cd5510c8bc7ea60be77ad4aab502ee02d871bf4e917aeeb6921c20eebd9693dd

SHA512
52eafa31ee942dc92d0b8f52c12206f6abc1d5fae799b37b371e97c38ce66bd0693263de86b4880748ba1405054701288caf2cd00cd327edc164e1390cf9191c

Download Submit
\Users\Admin\AppData\Roaming\UpdateWin_202317\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
\Users\Admin\AppData\Roaming\UpdateWin_202317\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
\Users\Admin\AppData\Roaming\UpdateWin_202317\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
\Users\Admin\AppData\Roaming\UpdateWin_202317\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
\Users\Admin\AppData\Roaming\UpdateWin_202317\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
\Users\Admin\AppData\Roaming\UpdateWin_202317\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
\Users\Admin\AppData\Roaming\UpdateWin_202317\pcicapi.dll

Filesize
100KB

MD5
f0d7d2a77eee2b3146405d3ad0d56230

SHA1
37c323faf58584606ee5847cb9a25346c588f78f

SHA256
f043653ab1b8fbe5a33922df5b4fb46797e9694e5fcee807b97cc6aaef650131

SHA512
861258b5b97665f649437fd25aadc5dc66e5bc5a87d7482300f9931810f0d89d0ed9c01890cd038daa7c6d2f1850a3208fc20b3c1dc2e588c7688e228a4baade

Download Submit