netsupport | 5ced2a0af6adc07ee0352b6b23ee44ad8b4880411f84787e21390b70737f8caa | Triage

Analysis

max time kernel
122s
max time network
138s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
02-11-2023 09:25

Sharing

Report Analysis Logs

General

Target

IRomvWG3/presentationhost.exe
Size

109KB
MD5

b2b27ccaded1db8ee341d5bd2c373044
SHA1

1d0f9ca17c0961eeabffc2ba54e16854a13c8a9d
SHA256

e4985a9739637aad4a409c95da33a1304dc17fd6ef9046159b27c0b137a57911
SHA512

0987b11aa110ea6b6f4fe4361e587aff010508251644bdfb681a578fa4726fb56af039d55e0b74682fd7031414f665a98656186b220264c122a47d23751dcee1
SSDEEP

768:O5VZl6FhWr80/0fVtVriR9ri8fbktVtiriXiR3i:O90hG8fVPriPW8jkPsWXio

Score

10^/10

netsupport rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

presentationhost.exe

description pid process

Token: SeSecurityPrivilege 2920 presentationhost.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

presentationhost.exe

pid process

2920 presentationhost.exe

C:\Users\Admin\AppData\Local\Temp\IRomvWG3\presentationhost.exe
"C:\Users\Admin\AppData\Local\Temp\IRomvWG3\presentationhost.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...