Malware Analysis Report

2025-04-13 09:52

Sample ID 230713-ajx3psfh8v
Target 8efcacd9f737126c4c4ef0c5299f0c5ff83c83c7d2591b150117817e1fda4190
SHA256 8efcacd9f737126c4c4ef0c5299f0c5ff83c83c7d2591b150117817e1fda4190
Tags
netsupport rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8efcacd9f737126c4c4ef0c5299f0c5ff83c83c7d2591b150117817e1fda4190

Threat Level: Known bad

The file 8efcacd9f737126c4c4ef0c5299f0c5ff83c83c7d2591b150117817e1fda4190 was found to be: Known bad.

Malicious Activity Summary

netsupport rat

NetSupport

Loads dropped DLL

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-13 00:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-13 00:15

Reported

2023-07-13 00:20

Platform

win7-20230712-en

Max time kernel

118s

Max time network

277s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8efcacd9f737126c4c4ef0c5299f0c5ff83c83c7d2591b150117817e1fda4190.exe"

Signatures

NetSupport

rat netsupport

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\8efcacd9f737126c4c4ef0c5299f0c5ff83c83c7d2591b150117817e1fda4190.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\8efcacd9f737126c4c4ef0c5299f0c5ff83c83c7d2591b150117817e1fda4190.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\8efcacd9f737126c4c4ef0c5299f0c5ff83c83c7d2591b150117817e1fda4190.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\8efcacd9f737126c4c4ef0c5299f0c5ff83c83c7d2591b150117817e1fda4190.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\8efcacd9f737126c4c4ef0c5299f0c5ff83c83c7d2591b150117817e1fda4190.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\8efcacd9f737126c4c4ef0c5299f0c5ff83c83c7d2591b150117817e1fda4190.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2604 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\8efcacd9f737126c4c4ef0c5299f0c5ff83c83c7d2591b150117817e1fda4190.exe C:\Windows\SysWOW64\schtasks.exe
PID 2604 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\8efcacd9f737126c4c4ef0c5299f0c5ff83c83c7d2591b150117817e1fda4190.exe C:\Windows\SysWOW64\schtasks.exe
PID 2604 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\8efcacd9f737126c4c4ef0c5299f0c5ff83c83c7d2591b150117817e1fda4190.exe C:\Windows\SysWOW64\schtasks.exe
PID 2604 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\8efcacd9f737126c4c4ef0c5299f0c5ff83c83c7d2591b150117817e1fda4190.exe C:\Windows\SysWOW64\schtasks.exe
PID 2604 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\8efcacd9f737126c4c4ef0c5299f0c5ff83c83c7d2591b150117817e1fda4190.exe C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe
PID 2604 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\8efcacd9f737126c4c4ef0c5299f0c5ff83c83c7d2591b150117817e1fda4190.exe C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe
PID 2604 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\8efcacd9f737126c4c4ef0c5299f0c5ff83c83c7d2591b150117817e1fda4190.exe C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe
PID 2604 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\8efcacd9f737126c4c4ef0c5299f0c5ff83c83c7d2591b150117817e1fda4190.exe C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8efcacd9f737126c4c4ef0c5299f0c5ff83c83c7d2591b150117817e1fda4190.exe

"C:\Users\Admin\AppData\Local\Temp\8efcacd9f737126c4c4ef0c5299f0c5ff83c83c7d2591b150117817e1fda4190.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "TaskBrowser" /tr "C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe" /RL HIGHEST

C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe

C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 luckynight.shop udp
RU 176.111.174.168:443 luckynight.shop tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.121.68:80 apps.identrust.com tcp
US 8.8.8.8:53 savastijir1.com udp
US 8.8.8.8:53 geo.netsupportsoftware.com udp
NL 95.179.140.179:1212 savastijir1.com tcp
GB 51.142.119.24:80 geo.netsupportsoftware.com tcp

Files

memory/2604-54-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2604-55-0x0000000000340000-0x0000000000376000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab9629.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\Local\Temp\Tar96D8.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 73423a281fa9afdb891da3c6d662fcf9
SHA1 5402318db44821aaa1404a1642220a8be679088c
SHA256 ae525df3a2543f89f9dfacd621b554a8a8e3ffaddce04d47a932f1eb853cf6e4
SHA512 a567a94f8d211f96f05646f5757f7e42503ec55ef49f9b3ab02f61f05016832ee4918c96d932f68e4929fc0d136e76d244ffab128fa4eb52fba2703af6c7bea5

memory/2604-161-0x0000000000400000-0x0000000000531000-memory.dmp

\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe

MD5 f70b67c2b3204b7ddd8b755799cccff0
SHA1 a42e55e328d62d11e687c167bb7049d46f0f9b26
SHA256 213af995d4142854b81af3cf73dee7ffe9d8ad6e84fda6386029101dbf3df897
SHA512 54fcba8a063bfbaae4c3a39624bf3407db6af5699ab8686f936ab03c5864df7a44d089066fa2d4aedf5ad50d6b04624966a5111bf57bec1dda74a571f1dd7c63

C:\Users\Admin\AppData\Roaming\TaskBrowser\PCICL32.dll

MD5 35f0259df06c4605fe2743c26dd9eac5
SHA1 5ed1de8fe63d1bdd4ea7321bd27d22f162cc4168
SHA256 412674e44fa27c523e0d968244f0e4d128487daf779de17b83b94da8bf602e59
SHA512 f4e28b3ab19614d3e915a5d8333adb7805a213b31b4c7159c5d65b386f8dcc95fe3a892098a46abe92bb4ba12a31c140c97d24546c97f9c702638644bd874b71

C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe

MD5 f70b67c2b3204b7ddd8b755799cccff0
SHA1 a42e55e328d62d11e687c167bb7049d46f0f9b26
SHA256 213af995d4142854b81af3cf73dee7ffe9d8ad6e84fda6386029101dbf3df897
SHA512 54fcba8a063bfbaae4c3a39624bf3407db6af5699ab8686f936ab03c5864df7a44d089066fa2d4aedf5ad50d6b04624966a5111bf57bec1dda74a571f1dd7c63

\Users\Admin\AppData\Roaming\TaskBrowser\PCICL32.DLL

MD5 35f0259df06c4605fe2743c26dd9eac5
SHA1 5ed1de8fe63d1bdd4ea7321bd27d22f162cc4168
SHA256 412674e44fa27c523e0d968244f0e4d128487daf779de17b83b94da8bf602e59
SHA512 f4e28b3ab19614d3e915a5d8333adb7805a213b31b4c7159c5d65b386f8dcc95fe3a892098a46abe92bb4ba12a31c140c97d24546c97f9c702638644bd874b71

C:\Users\Admin\AppData\Roaming\TaskBrowser\pcichek.dll

MD5 a0b9388c5f18e27266a31f8c5765b263
SHA1 906f7e94f841d464d4da144f7c858fa2160e36db
SHA256 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
SHA512 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

\Users\Admin\AppData\Roaming\TaskBrowser\PCICHEK.DLL

MD5 a0b9388c5f18e27266a31f8c5765b263
SHA1 906f7e94f841d464d4da144f7c858fa2160e36db
SHA256 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
SHA512 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

C:\Users\Admin\AppData\Roaming\TaskBrowser\MSVCR100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

C:\Users\Admin\AppData\Roaming\TaskBrowser\pcicapi.dll

MD5 dcde2248d19c778a41aa165866dd52d0
SHA1 7ec84be84fe23f0b0093b647538737e1f19ebb03
SHA256 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
SHA512 c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

\Users\Admin\AppData\Roaming\TaskBrowser\pcicapi.dll

MD5 dcde2248d19c778a41aa165866dd52d0
SHA1 7ec84be84fe23f0b0093b647538737e1f19ebb03
SHA256 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
SHA512 c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

\Users\Admin\AppData\Roaming\TaskBrowser\msvcr100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.ini

MD5 3a0000407dd239c1e4247138def47413
SHA1 6c88ab844b433590300cd44b2ae49e71f99e5974
SHA256 520c6cf87d2903886a274134a2a94466de7a4315b4c48c97d0144dc995cef84d
SHA512 01cafc3453093b856148f2bf12b332dbe8d812e0de6cea7d1631f109a66079fc6d5f4ee05cd173f4534df45004db168b3a4dbd1c29f2e974d6ae3daffd0ed688

C:\Users\Admin\AppData\Roaming\TaskBrowser\NSM.LIC

MD5 3a88847f4bbf7199a2161ed963fe88ef
SHA1 8629803adb6af84691dc5431b6590df14bad4a61
SHA256 a680947aba5cf3316be50f1ec6a0d8bf72f7d7ca79d91430c26e24680eddd35e
SHA512 2b6408e7334946655045914b2cfa14dcfb39502f64ffafad784717a8ca036b73928bd7a5b02d650d8698357c54c31cac11a705baed0e1e7a3a07d659a2104e02

C:\Users\Admin\AppData\Roaming\TaskBrowser\HTCTL32.DLL

MD5 2d3b207c8a48148296156e5725426c7f
SHA1 ad464eb7cf5c19c8a443ab5b590440b32dbc618f
SHA256 edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
SHA512 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

\Users\Admin\AppData\Roaming\TaskBrowser\HTCTL32.DLL

MD5 2d3b207c8a48148296156e5725426c7f
SHA1 ad464eb7cf5c19c8a443ab5b590440b32dbc618f
SHA256 edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
SHA512 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-13 00:15

Reported

2023-07-13 00:20

Platform

win10-20230703-en

Max time kernel

96s

Max time network

265s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8efcacd9f737126c4c4ef0c5299f0c5ff83c83c7d2591b150117817e1fda4190.exe"

Signatures

NetSupport

rat netsupport

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8efcacd9f737126c4c4ef0c5299f0c5ff83c83c7d2591b150117817e1fda4190.exe

"C:\Users\Admin\AppData\Local\Temp\8efcacd9f737126c4c4ef0c5299f0c5ff83c83c7d2591b150117817e1fda4190.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "TaskBrowser" /tr "C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe" /RL HIGHEST

C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe

C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 luckynight.shop udp
RU 176.111.174.168:443 luckynight.shop tcp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 168.174.111.176.in-addr.arpa udp
US 8.8.8.8:53 142.33.222.23.in-addr.arpa udp
US 8.8.8.8:53 68.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 savastijir1.com udp
NL 95.179.140.179:1212 savastijir1.com tcp
US 8.8.8.8:53 geo.netsupportsoftware.com udp
GB 62.172.138.8:80 geo.netsupportsoftware.com tcp
GB 62.172.138.8:80 geo.netsupportsoftware.com tcp
GB 62.172.138.8:80 geo.netsupportsoftware.com tcp
US 8.8.8.8:53 179.140.179.95.in-addr.arpa udp
US 8.8.8.8:53 8.138.172.62.in-addr.arpa udp
US 8.8.8.8:53 203.151.224.20.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp

Files

memory/3116-122-0x0000000002280000-0x0000000002281000-memory.dmp

memory/3116-123-0x0000000000400000-0x0000000000531000-memory.dmp

memory/3116-124-0x0000000002350000-0x0000000002386000-memory.dmp

C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe

MD5 f70b67c2b3204b7ddd8b755799cccff0
SHA1 a42e55e328d62d11e687c167bb7049d46f0f9b26
SHA256 213af995d4142854b81af3cf73dee7ffe9d8ad6e84fda6386029101dbf3df897
SHA512 54fcba8a063bfbaae4c3a39624bf3407db6af5699ab8686f936ab03c5864df7a44d089066fa2d4aedf5ad50d6b04624966a5111bf57bec1dda74a571f1dd7c63

C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe

MD5 f70b67c2b3204b7ddd8b755799cccff0
SHA1 a42e55e328d62d11e687c167bb7049d46f0f9b26
SHA256 213af995d4142854b81af3cf73dee7ffe9d8ad6e84fda6386029101dbf3df897
SHA512 54fcba8a063bfbaae4c3a39624bf3407db6af5699ab8686f936ab03c5864df7a44d089066fa2d4aedf5ad50d6b04624966a5111bf57bec1dda74a571f1dd7c63

C:\Users\Admin\AppData\Roaming\TaskBrowser\PCICL32.dll

MD5 35f0259df06c4605fe2743c26dd9eac5
SHA1 5ed1de8fe63d1bdd4ea7321bd27d22f162cc4168
SHA256 412674e44fa27c523e0d968244f0e4d128487daf779de17b83b94da8bf602e59
SHA512 f4e28b3ab19614d3e915a5d8333adb7805a213b31b4c7159c5d65b386f8dcc95fe3a892098a46abe92bb4ba12a31c140c97d24546c97f9c702638644bd874b71

memory/3116-152-0x0000000000400000-0x0000000000531000-memory.dmp

\Users\Admin\AppData\Roaming\TaskBrowser\PCICL32.DLL

MD5 35f0259df06c4605fe2743c26dd9eac5
SHA1 5ed1de8fe63d1bdd4ea7321bd27d22f162cc4168
SHA256 412674e44fa27c523e0d968244f0e4d128487daf779de17b83b94da8bf602e59
SHA512 f4e28b3ab19614d3e915a5d8333adb7805a213b31b4c7159c5d65b386f8dcc95fe3a892098a46abe92bb4ba12a31c140c97d24546c97f9c702638644bd874b71

\Users\Admin\AppData\Roaming\TaskBrowser\PCICHEK.DLL

MD5 a0b9388c5f18e27266a31f8c5765b263
SHA1 906f7e94f841d464d4da144f7c858fa2160e36db
SHA256 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
SHA512 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

\Users\Admin\AppData\Roaming\TaskBrowser\pcicapi.dll

MD5 dcde2248d19c778a41aa165866dd52d0
SHA1 7ec84be84fe23f0b0093b647538737e1f19ebb03
SHA256 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
SHA512 c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

\Users\Admin\AppData\Roaming\TaskBrowser\msvcr100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

\Users\Admin\AppData\Roaming\TaskBrowser\msvcr100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

C:\Users\Admin\AppData\Roaming\TaskBrowser\MSVCR100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

C:\Users\Admin\AppData\Roaming\TaskBrowser\pcicapi.dll

MD5 dcde2248d19c778a41aa165866dd52d0
SHA1 7ec84be84fe23f0b0093b647538737e1f19ebb03
SHA256 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
SHA512 c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

C:\Users\Admin\AppData\Roaming\TaskBrowser\pcichek.dll

MD5 a0b9388c5f18e27266a31f8c5765b263
SHA1 906f7e94f841d464d4da144f7c858fa2160e36db
SHA256 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
SHA512 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.ini

MD5 3a0000407dd239c1e4247138def47413
SHA1 6c88ab844b433590300cd44b2ae49e71f99e5974
SHA256 520c6cf87d2903886a274134a2a94466de7a4315b4c48c97d0144dc995cef84d
SHA512 01cafc3453093b856148f2bf12b332dbe8d812e0de6cea7d1631f109a66079fc6d5f4ee05cd173f4534df45004db168b3a4dbd1c29f2e974d6ae3daffd0ed688

C:\Users\Admin\AppData\Roaming\TaskBrowser\NSM.LIC

MD5 3a88847f4bbf7199a2161ed963fe88ef
SHA1 8629803adb6af84691dc5431b6590df14bad4a61
SHA256 a680947aba5cf3316be50f1ec6a0d8bf72f7d7ca79d91430c26e24680eddd35e
SHA512 2b6408e7334946655045914b2cfa14dcfb39502f64ffafad784717a8ca036b73928bd7a5b02d650d8698357c54c31cac11a705baed0e1e7a3a07d659a2104e02

\Users\Admin\AppData\Roaming\TaskBrowser\HTCTL32.DLL

MD5 2d3b207c8a48148296156e5725426c7f
SHA1 ad464eb7cf5c19c8a443ab5b590440b32dbc618f
SHA256 edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
SHA512 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

C:\Users\Admin\AppData\Roaming\TaskBrowser\HTCTL32.DLL

MD5 2d3b207c8a48148296156e5725426c7f
SHA1 ad464eb7cf5c19c8a443ab5b590440b32dbc618f
SHA256 edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
SHA512 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c