netsupport | 05a0c04953b876fa8735a92f12cd74e9d82731a57efc45b4aa80b326eda14fd2

Analysis

max time kernel
100s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2023 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

731KB
MD5

ad24182429cfc22b7505f15a7afe6641
SHA1

2cbc8915445f257150bd7fc9dd077696cd463de3
SHA256

05a0c04953b876fa8735a92f12cd74e9d82731a57efc45b4aa80b326eda14fd2
SHA512

392a98eee7eb8ae4ad23c3f997f59cfbc26835c9a8f768049abf196ebe533b8030438ef10b2b6462de9b9a84e868fea3a0845252fd5ba3aa3d427495eca631d9
SSDEEP

12288:uXCY50vo8hpf5s53tdIVOOBFP71p4pCAa++0x/gu7TH8TNBqrEHeph/q/Z:uyHo83Rs5sOsT4DHRMTN4rHph/i

Score

10^/10

netsupport rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation	file.exe

Executes dropped EXE 1 IoCs

pid	Process
4560	client32.exe

Loads dropped DLL 7 IoCs

pid	Process
4560	client32.exe
4560	client32.exe
4560	client32.exe
4560	client32.exe
4560	client32.exe
4560	client32.exe
4560	client32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2236	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4560	client32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4560	client32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3376 wrote to memory of 2236	3376	file.exe	83
PID 3376 wrote to memory of 2236	3376	file.exe	83
PID 3376 wrote to memory of 2236	3376	file.exe	83
PID 3376 wrote to memory of 4560	3376	file.exe	84
PID 3376 wrote to memory of 4560	3376	file.exe	84
PID 3376 wrote to memory of 4560	3376	file.exe	84

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "MsCloudSync" /tr "C:\Users\Admin\AppData\Roaming\MsCloudSync\client32.exe" /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:2236
- C:\Users\Admin\AppData\Roaming\MsCloudSync\client32.exe
  C:\Users\Admin\AppData\Roaming\MsCloudSync\client32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MsCloudSync\HTCTL32.DLL

Filesize
320KB

MD5
2d3b207c8a48148296156e5725426c7f

SHA1
ad464eb7cf5c19c8a443ab5b590440b32dbc618f

SHA256
edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

SHA512
55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Download Submit
C:\Users\Admin\AppData\Roaming\MsCloudSync\HTCTL32.DLL

Filesize
320KB

MD5
2d3b207c8a48148296156e5725426c7f

SHA1
ad464eb7cf5c19c8a443ab5b590440b32dbc618f

SHA256
edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

SHA512
55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Download Submit
C:\Users\Admin\AppData\Roaming\MsCloudSync\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\MsCloudSync\NSM.LIC

Filesize
259B

MD5
3a88847f4bbf7199a2161ed963fe88ef

SHA1
8629803adb6af84691dc5431b6590df14bad4a61

SHA256
a680947aba5cf3316be50f1ec6a0d8bf72f7d7ca79d91430c26e24680eddd35e

SHA512
2b6408e7334946655045914b2cfa14dcfb39502f64ffafad784717a8ca036b73928bd7a5b02d650d8698357c54c31cac11a705baed0e1e7a3a07d659a2104e02

Download Submit
C:\Users\Admin\AppData\Roaming\MsCloudSync\PCICHEK.DLL

Filesize
18KB

MD5
a0b9388c5f18e27266a31f8c5765b263

SHA1
906f7e94f841d464d4da144f7c858fa2160e36db

SHA256
313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

SHA512
6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

Download Submit
C:\Users\Admin\AppData\Roaming\MsCloudSync\PCICL32.DLL

Filesize
3.5MB

MD5
35f0259df06c4605fe2743c26dd9eac5

SHA1
5ed1de8fe63d1bdd4ea7321bd27d22f162cc4168

SHA256
412674e44fa27c523e0d968244f0e4d128487daf779de17b83b94da8bf602e59

SHA512
f4e28b3ab19614d3e915a5d8333adb7805a213b31b4c7159c5d65b386f8dcc95fe3a892098a46abe92bb4ba12a31c140c97d24546c97f9c702638644bd874b71

Download Submit
C:\Users\Admin\AppData\Roaming\MsCloudSync\PCICL32.dll

Filesize
3.5MB

MD5
35f0259df06c4605fe2743c26dd9eac5

SHA1
5ed1de8fe63d1bdd4ea7321bd27d22f162cc4168

SHA256
412674e44fa27c523e0d968244f0e4d128487daf779de17b83b94da8bf602e59

SHA512
f4e28b3ab19614d3e915a5d8333adb7805a213b31b4c7159c5d65b386f8dcc95fe3a892098a46abe92bb4ba12a31c140c97d24546c97f9c702638644bd874b71

Download Submit
C:\Users\Admin\AppData\Roaming\MsCloudSync\TCCTL32.DLL

Filesize
355KB

MD5
85db07eba81939098622ef88d572cd5b

SHA1
1af304730f1af2d4b99d20da11022bc8a1021a60

SHA256
47162edd0cf12cd37eacc44e4da35734b94f6e5a202be435c5c7a9e51eb0f3ec

SHA512
f02603e091f7fc0960cd228b845e5412934f41baaebec611f92718bf16d4f222c176734409f9bf2833ee6d8c26f3e8992eb01f9a5c53cdcbbde28eba2497cd64

Download Submit
C:\Users\Admin\AppData\Roaming\MsCloudSync\TCCTL32.DLL

Filesize
355KB

MD5
85db07eba81939098622ef88d572cd5b

SHA1
1af304730f1af2d4b99d20da11022bc8a1021a60

SHA256
47162edd0cf12cd37eacc44e4da35734b94f6e5a202be435c5c7a9e51eb0f3ec

SHA512
f02603e091f7fc0960cd228b845e5412934f41baaebec611f92718bf16d4f222c176734409f9bf2833ee6d8c26f3e8992eb01f9a5c53cdcbbde28eba2497cd64

Download Submit
C:\Users\Admin\AppData\Roaming\MsCloudSync\client32.exe

Filesize
99KB

MD5
f70b67c2b3204b7ddd8b755799cccff0

SHA1
a42e55e328d62d11e687c167bb7049d46f0f9b26

SHA256
213af995d4142854b81af3cf73dee7ffe9d8ad6e84fda6386029101dbf3df897

SHA512
54fcba8a063bfbaae4c3a39624bf3407db6af5699ab8686f936ab03c5864df7a44d089066fa2d4aedf5ad50d6b04624966a5111bf57bec1dda74a571f1dd7c63

Download Submit
C:\Users\Admin\AppData\Roaming\MsCloudSync\client32.exe

Filesize
99KB

MD5
f70b67c2b3204b7ddd8b755799cccff0

SHA1
a42e55e328d62d11e687c167bb7049d46f0f9b26

SHA256
213af995d4142854b81af3cf73dee7ffe9d8ad6e84fda6386029101dbf3df897

SHA512
54fcba8a063bfbaae4c3a39624bf3407db6af5699ab8686f936ab03c5864df7a44d089066fa2d4aedf5ad50d6b04624966a5111bf57bec1dda74a571f1dd7c63

Download Submit
C:\Users\Admin\AppData\Roaming\MsCloudSync\client32.ini

Filesize
718B

MD5
250742003e0adef05bdfa1b238f8a393

SHA1
e9fc8355a068113b59b19e4d127d024b8886f049

SHA256
2e86f64d70957a8e6813840d34e1a23c117c96632f0f644bdfccc313afd44378

SHA512
d6ac0178c2a1e21bf84a516db8c05b3b73a78b5eec33e1c4c3be49a3b18d792dbbfc4b9367eea7febb5fa111868ebdf31927184524656ebea93acb572be35ab9

Download Submit
C:\Users\Admin\AppData\Roaming\MsCloudSync\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\MsCloudSync\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\MsCloudSync\pcicapi.dll

Filesize
32KB

MD5
dcde2248d19c778a41aa165866dd52d0

SHA1
7ec84be84fe23f0b0093b647538737e1f19ebb03

SHA256
9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

SHA512
c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

Download Submit
C:\Users\Admin\AppData\Roaming\MsCloudSync\pcicapi.dll

Filesize
32KB

MD5
dcde2248d19c778a41aa165866dd52d0

SHA1
7ec84be84fe23f0b0093b647538737e1f19ebb03

SHA256
9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

SHA512
c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

Download Submit
C:\Users\Admin\AppData\Roaming\MsCloudSync\pcichek.dll

Filesize
18KB

MD5
a0b9388c5f18e27266a31f8c5765b263

SHA1
906f7e94f841d464d4da144f7c858fa2160e36db

SHA256
313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

SHA512
6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

Download Submit
memory/3376-136-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/3376-161-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3376-137-0x0000000003ED0000-0x0000000003F06000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads