netsupport | f578371283ea332b5118e584b1c6f0910dad7140554f8a05148f6709c6cad1da

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2023, 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

servs6572.js
Size

46KB
MD5

d0bae3a9204c735791f07d7c0d6d2951
SHA1

e78a56d38f7ed6fa8516f6924f8378e9716bac5c
SHA256

f578371283ea332b5118e584b1c6f0910dad7140554f8a05148f6709c6cad1da
SHA512

ffd13cf98bdc9a00d73a4d13723e11a08926d6204023b941f8f318d870f42d4d54030800629fd746e04a415135d2eea6c99f01408307e9dba353189b3d18c51a
SSDEEP

768:MHisCv89uYMvvd2q8g8oI/+I/aJ09blD31TZPu2Bfjn55BYEPrOBoZKnDM:MCs1lYI/+LJ09bh3NZ221b55BVOBCKDM

Score

10^/10

netsupport rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://ecotree.co.in/images/cora.zip

exe.dropper

https://ecotree.co.in/images/files/cora.zip

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
4952	client32.exe

Loads dropped DLL 6 IoCs

pid	Process
4952	client32.exe
4952	client32.exe
4952	client32.exe
4952	client32.exe
4952	client32.exe
4952	client32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4284	powershell.exe
4284	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4284	powershell.exe
Token: SeSecurityPrivilege	4952	client32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4952	client32.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 732 wrote to memory of 4284	732	wscript.exe	87
PID 732 wrote to memory of 4284	732	wscript.exe	87
PID 4284 wrote to memory of 4952	4284	powershell.exe	91
PID 4284 wrote to memory of 4952	4284	powershell.exe	91
PID 4284 wrote to memory of 4952	4284	powershell.exe	91

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\servs6572.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle hidden -File C:\Users\Admin\AppData\Local\Temp\sakjn6z.ps1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4284
- - C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe
    "C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:4952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hfshpcek.f1x.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\sakjn6z.ps1

Filesize
1KB

MD5
54136c032a9ee250b5fc02b41156700e

SHA1
8bbb4e445790a23f175ff9f67deb3c8d7d142015

SHA256
53d1ec4232d3560aa7df57113082e292a8efb9d0529a8e7760e29435a81f8940

SHA512
35693aa7fc2f0873d8d48f803e50e2f40f30e123aa3b79c7b7b285198de359f43374366dd4197bfc890c75eaee9c3760a6f76af7ce4618a67bb0e60e46eccbcd

Download Submit
C:\Users\Admin\AppData\RoamingOfficeStartup\HTCTL32.DLL

Filesize
320KB

MD5
c94005d2dcd2a54e40510344e0bb9435

SHA1
55b4a1620c5d0113811242c20bd9870a1e31d542

SHA256
3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

SHA512
2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

Download Submit
C:\Users\Admin\AppData\RoamingOfficeStartup\HTCTL32.DLL

Filesize
320KB

MD5
c94005d2dcd2a54e40510344e0bb9435

SHA1
55b4a1620c5d0113811242c20bd9870a1e31d542

SHA256
3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

SHA512
2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

Download Submit
C:\Users\Admin\AppData\RoamingOfficeStartup\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\RoamingOfficeStartup\NSM.LIC

Filesize
262B

MD5
b9956282a0fed076ed083892e498ac69

SHA1
d14a665438385203283030a189ff6c5e7c4bf518

SHA256
fcc6afd664a8045bd61c398be3c37a97536a199a48d277e11977f93868ae1acc

SHA512
7daa09113c0e8a36c91cc6d657c65851a20dff6b60ac3d2f40c5737c12c1613c553955f84d131ba2139959973fef9fc616ca5e968cb16c25acf2d4739eed87eb

Download Submit
C:\Users\Admin\AppData\RoamingOfficeStartup\PCICHEK.DLL

Filesize
18KB

MD5
104b30fef04433a2d2fd1d5f99f179fe

SHA1
ecb08e224a2f2772d1e53675bedc4b2c50485a41

SHA256
956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

SHA512
5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

Download Submit
C:\Users\Admin\AppData\RoamingOfficeStartup\PCICL32.DLL

Filesize
3.5MB

MD5
9c9302e75c25c2ba996efd89a1047205

SHA1
9e79627ff32d5abd3382b65a509baeb31c78a7f2

SHA256
beb7b9a9fb02b2ad9965364fd6769ea0d8b324049da86eedd406e1c3703502c1

SHA512
d120b380ecd937826ab992802d8aae85f747031d50c1f6421a6c5ac32871a08f1a9c612c41946dd0aeabc01b1737cae6a1de70f9af36020af2b679e556d54fa1

Download Submit
C:\Users\Admin\AppData\RoamingOfficeStartup\PCICL32.dll

Filesize
3.5MB

MD5
9c9302e75c25c2ba996efd89a1047205

SHA1
9e79627ff32d5abd3382b65a509baeb31c78a7f2

SHA256
beb7b9a9fb02b2ad9965364fd6769ea0d8b324049da86eedd406e1c3703502c1

SHA512
d120b380ecd937826ab992802d8aae85f747031d50c1f6421a6c5ac32871a08f1a9c612c41946dd0aeabc01b1737cae6a1de70f9af36020af2b679e556d54fa1

Download Submit
C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe

Filesize
113KB

MD5
45fe5531717cd1b9532cbb6a5daaeb3a

SHA1
cb908e267a08c37d7e184f47f788e82cca38f83e

SHA256
ab6a4ccb752858c8c6e8223cd3510503928c3f9816cc655f0033d86c15c28ed9

SHA512
5ce8ea56144345802342f618c51acdbcfef3349e81e145c200ff77e217e86556f833236d85caf6ff1c8d954370bbb88e9581d9b0807b530344a8e084ede60bcb

Download Submit
C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe

Filesize
113KB

MD5
45fe5531717cd1b9532cbb6a5daaeb3a

SHA1
cb908e267a08c37d7e184f47f788e82cca38f83e

SHA256
ab6a4ccb752858c8c6e8223cd3510503928c3f9816cc655f0033d86c15c28ed9

SHA512
5ce8ea56144345802342f618c51acdbcfef3349e81e145c200ff77e217e86556f833236d85caf6ff1c8d954370bbb88e9581d9b0807b530344a8e084ede60bcb

Download Submit
C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe

Filesize
113KB

MD5
45fe5531717cd1b9532cbb6a5daaeb3a

SHA1
cb908e267a08c37d7e184f47f788e82cca38f83e

SHA256
ab6a4ccb752858c8c6e8223cd3510503928c3f9816cc655f0033d86c15c28ed9

SHA512
5ce8ea56144345802342f618c51acdbcfef3349e81e145c200ff77e217e86556f833236d85caf6ff1c8d954370bbb88e9581d9b0807b530344a8e084ede60bcb

Download Submit
C:\Users\Admin\AppData\RoamingOfficeStartup\client32.ini

Filesize
605B

MD5
a252f22f61f960c54fa32ae0de7dd17c

SHA1
00fe1097e70f1f6307e6bc68f40d49abb01dd2d5

SHA256
a5be7a73bbed8ec4e1a7819289da5412fe9ddf628941aa3b35fbe7454f148618

SHA512
7998e6cd43853b77e38cfedf0b6081c2965c9facb891ebd9a33db0e39b71d683f218174d87f99d5ab22983632c4c319bd63ec9dcbf1cbc81a77e3053ae3f1593

Download Submit
C:\Users\Admin\AppData\RoamingOfficeStartup\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\RoamingOfficeStartup\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\RoamingOfficeStartup\pcicapi.dll

Filesize
32KB

MD5
34dfb87e4200d852d1fb45dc48f93cfc

SHA1
35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641

SHA256
2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

SHA512
f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

Download Submit
C:\Users\Admin\AppData\RoamingOfficeStartup\pcicapi.dll

Filesize
32KB

MD5
34dfb87e4200d852d1fb45dc48f93cfc

SHA1
35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641

SHA256
2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

SHA512
f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

Download Submit
C:\Users\Admin\AppData\RoamingOfficeStartup\pcichek.dll

Filesize
18KB

MD5
104b30fef04433a2d2fd1d5f99f179fe

SHA1
ecb08e224a2f2772d1e53675bedc4b2c50485a41

SHA256
956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

SHA512
5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

Download Submit
memory/4284-153-0x000002822BE30000-0x000002822BE3A000-memory.dmp

Filesize
40KB

Download
memory/4284-152-0x000002822BE60000-0x000002822BE72000-memory.dmp

Filesize
72KB

Download
memory/4284-149-0x000002822BE90000-0x000002822BEA0000-memory.dmp

Filesize
64KB

Download
memory/4284-151-0x000002822BE90000-0x000002822BEA0000-memory.dmp

Filesize
64KB

Download
memory/4284-150-0x000002822BE40000-0x000002822BE54000-memory.dmp

Filesize
80KB

Download
memory/4284-148-0x000002822BE90000-0x000002822BEA0000-memory.dmp

Filesize
64KB

Download
memory/4284-137-0x0000028213860000-0x0000028213882000-memory.dmp

Filesize
136KB

Download