Malware Analysis Report

2025-04-13 09:52

Sample ID 230713-akggcafh9v
Target d111276375ceda84f1daeef8945151dc38287cd6100b73626f0cf5c49dcf5a2b
SHA256 d111276375ceda84f1daeef8945151dc38287cd6100b73626f0cf5c49dcf5a2b
Tags
netsupport rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d111276375ceda84f1daeef8945151dc38287cd6100b73626f0cf5c49dcf5a2b

Threat Level: Known bad

The file d111276375ceda84f1daeef8945151dc38287cd6100b73626f0cf5c49dcf5a2b was found to be: Known bad.

Malicious Activity Summary

netsupport rat

NetSupport

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Modifies system certificate store

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-13 00:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-13 00:16

Reported

2023-07-13 00:21

Platform

win7-20230712-en

Max time kernel

121s

Max time network

279s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d111276375ceda84f1daeef8945151dc38287cd6100b73626f0cf5c49dcf5a2b.exe"

Signatures

NetSupport

rat netsupport

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\d111276375ceda84f1daeef8945151dc38287cd6100b73626f0cf5c49dcf5a2b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\d111276375ceda84f1daeef8945151dc38287cd6100b73626f0cf5c49dcf5a2b.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob value not captured in this export] C:\Users\Admin\AppData\Local\Temp\d111276375ceda84f1daeef8945151dc38287cd6100b73626f0cf5c49dcf5a2b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\d111276375ceda84f1daeef8945151dc38287cd6100b73626f0cf5c49dcf5a2b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2472 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\d111276375ceda84f1daeef8945151dc38287cd6100b73626f0cf5c49dcf5a2b.exe C:\Windows\SysWOW64\schtasks.exe
PID 2472 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\d111276375ceda84f1daeef8945151dc38287cd6100b73626f0cf5c49dcf5a2b.exe C:\Windows\SysWOW64\schtasks.exe
PID 2472 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\d111276375ceda84f1daeef8945151dc38287cd6100b73626f0cf5c49dcf5a2b.exe C:\Windows\SysWOW64\schtasks.exe
PID 2472 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\d111276375ceda84f1daeef8945151dc38287cd6100b73626f0cf5c49dcf5a2b.exe C:\Windows\SysWOW64\schtasks.exe
PID 2472 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\d111276375ceda84f1daeef8945151dc38287cd6100b73626f0cf5c49dcf5a2b.exe C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe
PID 2472 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\d111276375ceda84f1daeef8945151dc38287cd6100b73626f0cf5c49dcf5a2b.exe C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe
PID 2472 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\d111276375ceda84f1daeef8945151dc38287cd6100b73626f0cf5c49dcf5a2b.exe C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe
PID 2472 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\d111276375ceda84f1daeef8945151dc38287cd6100b73626f0cf5c49dcf5a2b.exe C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d111276375ceda84f1daeef8945151dc38287cd6100b73626f0cf5c49dcf5a2b.exe

"C:\Users\Admin\AppData\Local\Temp\d111276375ceda84f1daeef8945151dc38287cd6100b73626f0cf5c49dcf5a2b.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "TaskBrowser" /tr "C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe" /RL HIGHEST

C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe

C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 luckynight.shop udp
RU 176.111.174.168:443 luckynight.shop tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.121.70:80 apps.identrust.com tcp
US 8.8.8.8:53 savastijir1.com udp
NL 95.179.140.179:1212 savastijir1.com tcp
US 8.8.8.8:53 geo.netsupportsoftware.com udp
GB 62.172.138.8:80 geo.netsupportsoftware.com tcp
GB 62.172.138.8:80 geo.netsupportsoftware.com tcp
GB 62.172.138.8:80 geo.netsupportsoftware.com tcp

Files

memory/2472-53-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2472-54-0x0000000000540000-0x0000000000576000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabB09C.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\Local\Temp\TarB189.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 077bb5ee0f5da65605f3a8c6c7382297
SHA1 ce7ef0d02e711723b3598c19af55a0cbe5b3f0c6
SHA256 48a0217f9d299d0b5394ee578736a682acaf231de6defa54de199f7887c68cb7
SHA512 600a80fe73f959e207e6fd0c1e4ac4825fad0b59b4b4bb5a92b14bfcf3c3685980c9719c1707f3aa9e5ae3b2e26fbe9db37f2611b5410f09c5483095fecc3de2

memory/2472-160-0x0000000000400000-0x0000000000531000-memory.dmp

\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe

MD5 f70b67c2b3204b7ddd8b755799cccff0
SHA1 a42e55e328d62d11e687c167bb7049d46f0f9b26
SHA256 213af995d4142854b81af3cf73dee7ffe9d8ad6e84fda6386029101dbf3df897
SHA512 54fcba8a063bfbaae4c3a39624bf3407db6af5699ab8686f936ab03c5864df7a44d089066fa2d4aedf5ad50d6b04624966a5111bf57bec1dda74a571f1dd7c63

C:\Users\Admin\AppData\Roaming\TaskBrowser\PCICL32.dll

MD5 35f0259df06c4605fe2743c26dd9eac5
SHA1 5ed1de8fe63d1bdd4ea7321bd27d22f162cc4168
SHA256 412674e44fa27c523e0d968244f0e4d128487daf779de17b83b94da8bf602e59
SHA512 f4e28b3ab19614d3e915a5d8333adb7805a213b31b4c7159c5d65b386f8dcc95fe3a892098a46abe92bb4ba12a31c140c97d24546c97f9c702638644bd874b71

C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe

MD5 f70b67c2b3204b7ddd8b755799cccff0
SHA1 a42e55e328d62d11e687c167bb7049d46f0f9b26
SHA256 213af995d4142854b81af3cf73dee7ffe9d8ad6e84fda6386029101dbf3df897
SHA512 54fcba8a063bfbaae4c3a39624bf3407db6af5699ab8686f936ab03c5864df7a44d089066fa2d4aedf5ad50d6b04624966a5111bf57bec1dda74a571f1dd7c63

\Users\Admin\AppData\Roaming\TaskBrowser\PCICL32.DLL

MD5 35f0259df06c4605fe2743c26dd9eac5
SHA1 5ed1de8fe63d1bdd4ea7321bd27d22f162cc4168
SHA256 412674e44fa27c523e0d968244f0e4d128487daf779de17b83b94da8bf602e59
SHA512 f4e28b3ab19614d3e915a5d8333adb7805a213b31b4c7159c5d65b386f8dcc95fe3a892098a46abe92bb4ba12a31c140c97d24546c97f9c702638644bd874b71

C:\Users\Admin\AppData\Roaming\TaskBrowser\pcichek.dll

MD5 a0b9388c5f18e27266a31f8c5765b263
SHA1 906f7e94f841d464d4da144f7c858fa2160e36db
SHA256 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
SHA512 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

\Users\Admin\AppData\Roaming\TaskBrowser\PCICHEK.DLL

MD5 a0b9388c5f18e27266a31f8c5765b263
SHA1 906f7e94f841d464d4da144f7c858fa2160e36db
SHA256 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
SHA512 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

C:\Users\Admin\AppData\Roaming\TaskBrowser\MSVCR100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

C:\Users\Admin\AppData\Roaming\TaskBrowser\pcicapi.dll

MD5 dcde2248d19c778a41aa165866dd52d0
SHA1 7ec84be84fe23f0b0093b647538737e1f19ebb03
SHA256 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
SHA512 c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

\Users\Admin\AppData\Roaming\TaskBrowser\pcicapi.dll

MD5 dcde2248d19c778a41aa165866dd52d0
SHA1 7ec84be84fe23f0b0093b647538737e1f19ebb03
SHA256 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
SHA512 c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

\Users\Admin\AppData\Roaming\TaskBrowser\msvcr100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.ini

MD5 3a0000407dd239c1e4247138def47413
SHA1 6c88ab844b433590300cd44b2ae49e71f99e5974
SHA256 520c6cf87d2903886a274134a2a94466de7a4315b4c48c97d0144dc995cef84d
SHA512 01cafc3453093b856148f2bf12b332dbe8d812e0de6cea7d1631f109a66079fc6d5f4ee05cd173f4534df45004db168b3a4dbd1c29f2e974d6ae3daffd0ed688

C:\Users\Admin\AppData\Roaming\TaskBrowser\NSM.LIC

MD5 3a88847f4bbf7199a2161ed963fe88ef
SHA1 8629803adb6af84691dc5431b6590df14bad4a61
SHA256 a680947aba5cf3316be50f1ec6a0d8bf72f7d7ca79d91430c26e24680eddd35e
SHA512 2b6408e7334946655045914b2cfa14dcfb39502f64ffafad784717a8ca036b73928bd7a5b02d650d8698357c54c31cac11a705baed0e1e7a3a07d659a2104e02

C:\Users\Admin\AppData\Roaming\TaskBrowser\HTCTL32.DLL

MD5 2d3b207c8a48148296156e5725426c7f
SHA1 ad464eb7cf5c19c8a443ab5b590440b32dbc618f
SHA256 edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
SHA512 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

\Users\Admin\AppData\Roaming\TaskBrowser\HTCTL32.DLL

MD5 2d3b207c8a48148296156e5725426c7f
SHA1 ad464eb7cf5c19c8a443ab5b590440b32dbc618f
SHA256 edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
SHA512 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-13 00:16

Reported

2023-07-13 00:21

Platform

win10-20230703-en

Max time kernel

128s

Max time network

266s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d111276375ceda84f1daeef8945151dc38287cd6100b73626f0cf5c49dcf5a2b.exe"

Signatures

NetSupport

rat netsupport

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d111276375ceda84f1daeef8945151dc38287cd6100b73626f0cf5c49dcf5a2b.exe

"C:\Users\Admin\AppData\Local\Temp\d111276375ceda84f1daeef8945151dc38287cd6100b73626f0cf5c49dcf5a2b.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "TaskBrowser" /tr "C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe" /RL HIGHEST

C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe

C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 luckynight.shop udp
RU 176.111.174.168:443 luckynight.shop tcp
US 8.8.8.8:53 168.174.111.176.in-addr.arpa udp
US 8.8.8.8:53 126.140.241.8.in-addr.arpa udp
US 8.8.8.8:53 142.33.222.23.in-addr.arpa udp
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 savastijir1.com udp
US 8.8.8.8:53 geo.netsupportsoftware.com udp
NL 95.179.140.179:1212 savastijir1.com tcp
GB 62.172.138.67:80 geo.netsupportsoftware.com tcp
US 8.8.8.8:53 179.140.179.95.in-addr.arpa udp
US 8.8.8.8:53 67.138.172.62.in-addr.arpa udp
US 8.8.8.8:53 45.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

memory/600-117-0x00000000007D0000-0x00000000007D1000-memory.dmp

memory/600-118-0x0000000003D30000-0x0000000003D66000-memory.dmp

memory/600-127-0x0000000000400000-0x0000000000531000-memory.dmp

C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe

MD5 f70b67c2b3204b7ddd8b755799cccff0
SHA1 a42e55e328d62d11e687c167bb7049d46f0f9b26
SHA256 213af995d4142854b81af3cf73dee7ffe9d8ad6e84fda6386029101dbf3df897
SHA512 54fcba8a063bfbaae4c3a39624bf3407db6af5699ab8686f936ab03c5864df7a44d089066fa2d4aedf5ad50d6b04624966a5111bf57bec1dda74a571f1dd7c63

C:\Users\Admin\AppData\Roaming\TaskBrowser\PCICL32.dll

MD5 35f0259df06c4605fe2743c26dd9eac5
SHA1 5ed1de8fe63d1bdd4ea7321bd27d22f162cc4168
SHA256 412674e44fa27c523e0d968244f0e4d128487daf779de17b83b94da8bf602e59
SHA512 f4e28b3ab19614d3e915a5d8333adb7805a213b31b4c7159c5d65b386f8dcc95fe3a892098a46abe92bb4ba12a31c140c97d24546c97f9c702638644bd874b71

memory/600-146-0x0000000000400000-0x0000000000531000-memory.dmp

C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.exe

MD5 f70b67c2b3204b7ddd8b755799cccff0
SHA1 a42e55e328d62d11e687c167bb7049d46f0f9b26
SHA256 213af995d4142854b81af3cf73dee7ffe9d8ad6e84fda6386029101dbf3df897
SHA512 54fcba8a063bfbaae4c3a39624bf3407db6af5699ab8686f936ab03c5864df7a44d089066fa2d4aedf5ad50d6b04624966a5111bf57bec1dda74a571f1dd7c63

\Users\Admin\AppData\Roaming\TaskBrowser\PCICL32.DLL

MD5 35f0259df06c4605fe2743c26dd9eac5
SHA1 5ed1de8fe63d1bdd4ea7321bd27d22f162cc4168
SHA256 412674e44fa27c523e0d968244f0e4d128487daf779de17b83b94da8bf602e59
SHA512 f4e28b3ab19614d3e915a5d8333adb7805a213b31b4c7159c5d65b386f8dcc95fe3a892098a46abe92bb4ba12a31c140c97d24546c97f9c702638644bd874b71

\Users\Admin\AppData\Roaming\TaskBrowser\pcicapi.dll

MD5 dcde2248d19c778a41aa165866dd52d0
SHA1 7ec84be84fe23f0b0093b647538737e1f19ebb03
SHA256 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
SHA512 c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

\Users\Admin\AppData\Roaming\TaskBrowser\msvcr100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

\Users\Admin\AppData\Roaming\TaskBrowser\msvcr100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

C:\Users\Admin\AppData\Roaming\TaskBrowser\MSVCR100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

\Users\Admin\AppData\Roaming\TaskBrowser\PCICHEK.DLL

MD5 a0b9388c5f18e27266a31f8c5765b263
SHA1 906f7e94f841d464d4da144f7c858fa2160e36db
SHA256 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
SHA512 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

C:\Users\Admin\AppData\Roaming\TaskBrowser\pcicapi.dll

MD5 dcde2248d19c778a41aa165866dd52d0
SHA1 7ec84be84fe23f0b0093b647538737e1f19ebb03
SHA256 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
SHA512 c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

C:\Users\Admin\AppData\Roaming\TaskBrowser\pcichek.dll

MD5 a0b9388c5f18e27266a31f8c5765b263
SHA1 906f7e94f841d464d4da144f7c858fa2160e36db
SHA256 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
SHA512 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

C:\Users\Admin\AppData\Roaming\TaskBrowser\client32.ini

MD5 3a0000407dd239c1e4247138def47413
SHA1 6c88ab844b433590300cd44b2ae49e71f99e5974
SHA256 520c6cf87d2903886a274134a2a94466de7a4315b4c48c97d0144dc995cef84d
SHA512 01cafc3453093b856148f2bf12b332dbe8d812e0de6cea7d1631f109a66079fc6d5f4ee05cd173f4534df45004db168b3a4dbd1c29f2e974d6ae3daffd0ed688

C:\Users\Admin\AppData\Roaming\TaskBrowser\NSM.LIC

MD5 3a88847f4bbf7199a2161ed963fe88ef
SHA1 8629803adb6af84691dc5431b6590df14bad4a61
SHA256 a680947aba5cf3316be50f1ec6a0d8bf72f7d7ca79d91430c26e24680eddd35e
SHA512 2b6408e7334946655045914b2cfa14dcfb39502f64ffafad784717a8ca036b73928bd7a5b02d650d8698357c54c31cac11a705baed0e1e7a3a07d659a2104e02

\Users\Admin\AppData\Roaming\TaskBrowser\HTCTL32.DLL

MD5 2d3b207c8a48148296156e5725426c7f
SHA1 ad464eb7cf5c19c8a443ab5b590440b32dbc618f
SHA256 edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
SHA512 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

C:\Users\Admin\AppData\Roaming\TaskBrowser\HTCTL32.DLL

MD5 2d3b207c8a48148296156e5725426c7f
SHA1 ad464eb7cf5c19c8a443ab5b590440b32dbc618f
SHA256 edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
SHA512 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c