netsupport | c464db92b9cdb0069156187fd9320829452bd71b2fc2907fb1215a4d133ae79c

Analysis

max time kernel
58s
max time network
301s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
26/05/2023, 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rt.php.ps1
Size

2.8MB
MD5

d2fc96f1c1c1404df8a0ca2282448ad2
SHA1

de1d9b6dcdcf5398b4b9599e1c8f5a7197e3297b
SHA256

c464db92b9cdb0069156187fd9320829452bd71b2fc2907fb1215a4d133ae79c
SHA512

71ac93240aaef1f84b0d19887af5a3511e4f0a7f9f739d189ab95119ff361acc48b75bfdda7c772f768d564dc3f72768f556a36ae9e11d7f29ee9c32d92a7c77
SSDEEP

24576:CA6WYne7IMJTrEFpg6v81zWmla7C6FWs8ct7Qx+TBL4Orh8JfbmfmMeWI4eIrenr:D7Ihp0aTYs8chGnFsu8PgnTNEQALjla

Score

10^/10

netsupport persistence rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Deletes itself 1 IoCs

pid	Process
4468	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4104	whost.exe

Loads dropped DLL 6 IoCs

pid	Process
4104	whost.exe
4104	whost.exe
4104	whost.exe
4104	whost.exe
4104	whost.exe
4104	whost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExpirienceHost = "C:\\Users\\Admin\\AppData\\Roaming\\zch0654KGlqQ\\whost.exe"	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4468	powershell.exe
4468	powershell.exe
4468	powershell.exe
3576	powershell.exe
3576	powershell.exe
3576	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeDebugPrivilege	3576	powershell.exe
Token: SeSecurityPrivilege	4104	whost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4104	whost.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 3576	4468	powershell.exe	67
PID 4468 wrote to memory of 3576	4468	powershell.exe	67

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\rt.php.ps1
1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name ExpirienceHost -Value ""C:\Users\Admin\AppData\Roaming\zch0654KGlqQ\whost.exe""
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3576

C:\Users\Admin\AppData\Roaming\zch0654KGlqQ\whost.exe
C:\Users\Admin\AppData\Roaming\zch0654KGlqQ\whost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
5d574dc518025fad52b7886c1bff0e13

SHA1
68217a5f9e9a64ca8fed9eefa4171786a8f9f8f7

SHA256
755c4768f6e384030805284ab88689a325431667e9ab11d9aeaa55e9739742f2

SHA512
21de152e07d269b265dae58d46e8c68a3268b2f78d771d4fc44377a14e0c6e73aadae923dcfd34ce2ef53c2eaa53d4df8f281d9b8a627edee213946c9ef37d13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
deba287a7915d97aa3effa085cb26478

SHA1
d8ea674a03011988f2cc1875e0a4b57a10c7b270

SHA256
29efd3693655108d8c21e80fb38a6d19a2ced00982843c64bc4eb19715c0bf32

SHA512
6b8c37b80e3ea3fcce94f52d0598a05652612b134db5f2c7a2c89e9dc615bb19ca2417fb8dee8113628c2b06170abafb1d241fc551e72d3516dcf33ecad9a6cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_izedtsvs.pbb.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\zch0654KGlqQ\HTCTL32.DLL

Filesize
320KB

MD5
2d3b207c8a48148296156e5725426c7f

SHA1
ad464eb7cf5c19c8a443ab5b590440b32dbc618f

SHA256
edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

SHA512
55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Download Submit
C:\Users\Admin\AppData\Roaming\zch0654KGlqQ\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\zch0654KGlqQ\NSM.LIC

Filesize
257B

MD5
390c964070626a64888d385c514f568e

SHA1
a556209655dcb5e939fd404f57d199f2bb6da9b3

SHA256
ad0d05305fdeb3736c1e8d49c3a6746073d27b4703eb6de6589bdc4aa72d7b54

SHA512
f089c59a24f33410cf98fba7ea0dd2ca0fd997efc9a03e5355cde3c1a1f4a78b13cebd387099b9de824bffea01c489d8f0e90df56f89973007dabb6afdde607f

Download Submit
C:\Users\Admin\AppData\Roaming\zch0654KGlqQ\PCICL32.dll

Filesize
3.6MB

MD5
00587238d16012152c2e951a087f2cc9

SHA1
c4e27a43075ce993ff6bb033360af386b2fc58ff

SHA256
63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8

SHA512
637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226

Download Submit
C:\Users\Admin\AppData\Roaming\zch0654KGlqQ\client32.ini

Filesize
904B

MD5
02d6a1a6aa31fa14c1d895b29fff67d2

SHA1
378c10548e568fe29971289975e40d71e6fc1525

SHA256
de551b0f1cb2e3563b01ef72942bff8b4e58740d121c3e390d56d472e7868c51

SHA512
14c109c7ea87d73381d9c2e280b4ea828879938b00270d1962a3dde60d4095e2b12f6603562f89c4e9c51d1f790c1ad60ee3ea62bf043a9f2cc944878106a3f5

Download Submit
C:\Users\Admin\AppData\Roaming\zch0654KGlqQ\pcicapi.dll

Filesize
32KB

MD5
dcde2248d19c778a41aa165866dd52d0

SHA1
7ec84be84fe23f0b0093b647538737e1f19ebb03

SHA256
9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

SHA512
c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

Download Submit
C:\Users\Admin\AppData\Roaming\zch0654KGlqQ\pcichek.dll

Filesize
18KB

MD5
a0b9388c5f18e27266a31f8c5765b263

SHA1
906f7e94f841d464d4da144f7c858fa2160e36db

SHA256
313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

SHA512
6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

Download Submit
C:\Users\Admin\AppData\Roaming\zch0654KGlqQ\whost.exe

Filesize
117KB

MD5
c0eb3eac96511077dafc0afa64c6388c

SHA1
33e81f25493eda3bbf0b7cdcddd523547fa6c31e

SHA256
eec4f18f3655f7eab0c08783ad42d2b3ce3ef21ecad7394e165f11acdb41c42a

SHA512
2632bef55323d9a272e1519e2b2792527d28cbd9fe6a9f9d253e5729978be0de6f36b8e3b2acee70449ba22a33efb41c82c82afe19dad14698b3ada0006ca7fc

Download Submit
C:\Users\Admin\AppData\Roaming\zch0654KGlqQ\whost.exe

Filesize
117KB

MD5
c0eb3eac96511077dafc0afa64c6388c

SHA1
33e81f25493eda3bbf0b7cdcddd523547fa6c31e

SHA256
eec4f18f3655f7eab0c08783ad42d2b3ce3ef21ecad7394e165f11acdb41c42a

SHA512
2632bef55323d9a272e1519e2b2792527d28cbd9fe6a9f9d253e5729978be0de6f36b8e3b2acee70449ba22a33efb41c82c82afe19dad14698b3ada0006ca7fc

Download Submit
\Users\Admin\AppData\Roaming\zch0654KGlqQ\HTCTL32.DLL

Filesize
320KB

MD5
2d3b207c8a48148296156e5725426c7f

SHA1
ad464eb7cf5c19c8a443ab5b590440b32dbc618f

SHA256
edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

SHA512
55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Download Submit
\Users\Admin\AppData\Roaming\zch0654KGlqQ\PCICHEK.DLL

Filesize
18KB

MD5
a0b9388c5f18e27266a31f8c5765b263

SHA1
906f7e94f841d464d4da144f7c858fa2160e36db

SHA256
313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

SHA512
6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

Download Submit
\Users\Admin\AppData\Roaming\zch0654KGlqQ\PCICL32.DLL

Filesize
3.6MB

MD5
00587238d16012152c2e951a087f2cc9

SHA1
c4e27a43075ce993ff6bb033360af386b2fc58ff

SHA256
63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8

SHA512
637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226

Download Submit
\Users\Admin\AppData\Roaming\zch0654KGlqQ\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
\Users\Admin\AppData\Roaming\zch0654KGlqQ\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
\Users\Admin\AppData\Roaming\zch0654KGlqQ\pcicapi.dll

Filesize
32KB

MD5
dcde2248d19c778a41aa165866dd52d0

SHA1
7ec84be84fe23f0b0093b647538737e1f19ebb03

SHA256
9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

SHA512
c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

Download Submit
memory/3576-218-0x00000246FA270000-0x00000246FA280000-memory.dmp

Filesize
64KB

Download
memory/3576-216-0x00000246FA270000-0x00000246FA280000-memory.dmp

Filesize
64KB

Download
memory/4468-161-0x0000026DADA20000-0x0000026DADA30000-memory.dmp

Filesize
64KB

Download
memory/4468-123-0x0000026DAD9B0000-0x0000026DAD9D2000-memory.dmp

Filesize
136KB

Download
memory/4468-181-0x0000026DADC30000-0x0000026DADC3A000-memory.dmp

Filesize
40KB

Download
memory/4468-182-0x0000026DADC60000-0x0000026DADC72000-memory.dmp

Filesize
72KB

Download
memory/4468-160-0x0000026DADA20000-0x0000026DADA30000-memory.dmp

Filesize
64KB

Download
memory/4468-127-0x0000026DADA20000-0x0000026DADA30000-memory.dmp

Filesize
64KB

Download
memory/4468-128-0x0000026DADA20000-0x0000026DADA30000-memory.dmp

Filesize
64KB

Download
memory/4468-126-0x0000026DADCB0000-0x0000026DADD26000-memory.dmp

Filesize
472KB

Download