netsupport | 7a5f2afe726768008f80860aa992e56e01cb609d6a0510348a528182ae4ad8d1

Analysis

max time kernel
149s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

247e8d7c97da1778e87233b14e27d7b0.exe
Size

3.5MB
MD5

247e8d7c97da1778e87233b14e27d7b0
SHA1

355362876088aa1859bbd1ec9612c8722f3cdbd7
SHA256

7a5f2afe726768008f80860aa992e56e01cb609d6a0510348a528182ae4ad8d1
SHA512

3016bb3550979c1ec4895bd6905b74e7c7fe789d41ddcf944958686d4f67b10b2d61b3f629a4a098b89c2a0912b43e50493d248bf0350d611f73b0dbf7909c90
SSDEEP

98304:QmYkk/dwG9dx8s/2gEY131oV0oAVSSH931:tYkWwGnx8C2zq31He

Score

10^/10

netsupport rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	247e8d7c97da1778e87233b14e27d7b0.exe

Executes dropped EXE 3 IoCs

pid	Process
4744	BunnySwap.exe
3252	BunnySwap.tmp
4480	updater.exe

Loads dropped DLL 8 IoCs

pid	Process
3252	BunnySwap.tmp
3252	BunnySwap.tmp
4480	updater.exe
4480	updater.exe
4480	updater.exe
4480	updater.exe
4480	updater.exe
4480	updater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3252	BunnySwap.tmp
3252	BunnySwap.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4480	updater.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3252	BunnySwap.tmp
4480	updater.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 4744	2068	247e8d7c97da1778e87233b14e27d7b0.exe	96
PID 2068 wrote to memory of 4744	2068	247e8d7c97da1778e87233b14e27d7b0.exe	96
PID 2068 wrote to memory of 4744	2068	247e8d7c97da1778e87233b14e27d7b0.exe	96
PID 4744 wrote to memory of 3252	4744	BunnySwap.exe	102
PID 4744 wrote to memory of 3252	4744	BunnySwap.exe	102
PID 4744 wrote to memory of 3252	4744	BunnySwap.exe	102
PID 3252 wrote to memory of 4480	3252	BunnySwap.tmp	107
PID 3252 wrote to memory of 4480	3252	BunnySwap.tmp	107
PID 3252 wrote to memory of 4480	3252	BunnySwap.tmp	107

C:\Users\Admin\AppData\Local\Temp\247e8d7c97da1778e87233b14e27d7b0.exe
"C:\Users\Admin\AppData\Local\Temp\247e8d7c97da1778e87233b14e27d7b0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\BunnySwap.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\BunnySwap.exe" /VERYSILENT /SP-
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Users\Admin\AppData\Local\Temp\is-QEJ0V.tmp\BunnySwap.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-QEJ0V.tmp\BunnySwap.tmp" /SL5="$E0058,2795622,780800,C:\Users\Admin\AppData\Local\Temp\RarSFX0\BunnySwap.exe" /VERYSILENT /SP-
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3252
  - - C:\Users\Admin\AppData\Roaming\WindowsUserCerts\updater.exe
      "C:\Users\Admin\AppData\Roaming\WindowsUserCerts\updater.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\BunnySwap.exe

Filesize
3.5MB

MD5
c8f3e604a88d2b25f9eaaf3f5ca625d9

SHA1
4f312f7d0489df0dddf50c3b097a249ff7b59c01

SHA256
7879720cfa32665c40e8ffaaa0171ed47563698960d5885d20e0b6a7af8e08ff

SHA512
0c397c8bedb17e057048e19ef1f8fc905a500c2160566313e08ba8c635a07dbd56cf040b132afb235a59b1c460b787210a8ec5df69833d742a8355051c11c2aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3BO7P.tmp\_isetup\_isdecmp.dll

Filesize
34KB

MD5
c6ae924ad02500284f7e4efa11fa7cfc

SHA1
2a7770b473b0a7dc9a331d017297ff5af400fed8

SHA256
31d04c1e4bfdfa34704c142fa98f80c0a3076e4b312d6ada57c4be9d9c7dcf26

SHA512
f321e4820b39d1642fc43bf1055471a323edcc0c4cbd3ddd5ad26a7b28c4fb9fc4e57c00ae7819a4f45a3e0bb9c7baa0ba19c3ceedacf38b911cdf625aa7ddae

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QEJ0V.tmp\BunnySwap.tmp

Filesize
2.9MB

MD5
11c74753d375ba44e845bfecbfe88cd6

SHA1
5df09e6a5673ad6bf4835bdc2c1a5886fbc864ee

SHA256
0f83ce1f2649207ee8fc3a0dcf27765fe7ae5b9f708192545e25e1ab4ea2ba95

SHA512
185bae3cc7f3038817ece2af8363020416a974655d445b53fdaea31e42062c3d3702cfee0514b08327bc161fbc45c1eb3cb269adc7ac0b4d11d0588e28a86c9f

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsUserCerts\is-6L9C5.tmp

Filesize
6KB

MD5
88b1dab8f4fd1ae879685995c90bd902

SHA1
3d23fb4036dc17fa4bee27e3e2a56ff49beed59d

SHA256
60fe386112ad51f40a1ee9e1b15eca802ced174d7055341c491dee06780b3f92

SHA512
4ea2c20991189fe1d6d5c700603c038406303cca594577ddcbc16ab9a7915cb4d4aa9e53093747db164f068a7ba0f568424bc8cb7682f1a3fb17e4c9ec01f047

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsUserCerts\is-7I7GE.tmp

Filesize
633B

MD5
eb16dff6b2fe07568d65c4621f30de1c

SHA1
a1dc780c832274553c0f742ba3e16eef5f5fee8d

SHA256
9dbe97259c0c5384d67b7d3dc7a8995660dbe69f8a7f56ccf99bbfed6d5bfb28

SHA512
2921479829d7f2533f4205941369d232531a52fceb1ebd9291119a5024a85a15c6b246b44988e9371fda6b721d3a751cb4425e7e7d36970e981d928ea07109a7

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsUserCerts\is-856CF.tmp

Filesize
72KB

MD5
8ad660f867c54740021e61f16b826813

SHA1
26729b288218c341fdd3831d9557d87c3aed8c64

SHA256
52719d8ff086e4136c06c46f788a02a6e995ea25a2dd50eeab129e4347284ee3

SHA512
88290218f38fc20820c5b6b05db021f4160b19c8430bd97a4715b3bf1bb99106583a3cbc93c1e0414ffdaffd88646cf3940f796196d9fb04ced6319f9badbf44

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsUserCerts\is-AHSJK.tmp

Filesize
319KB

MD5
bf9dd864f5822dc28ffce9529bae15ba

SHA1
ee578ba78ddaf0547edd23355dbc658cdc1b86ab

SHA256
74328f7f2d08cfc734cc5151bc68377962d1e0a75137908925a604b3d18b7be6

SHA512
ea00797c9e7117452e3a7f94db016e22dad0246c439daaae304ecfb5c5de19d2db0c63ce1edd135a409f07ba75b19bd6428a7ab6d80a9dc65ff473ff985ef43e

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsUserCerts\is-BORSD.tmp

Filesize
46B

MD5
3be27483fdcdbf9ebae93234785235e3

SHA1
360b61fe19cdc1afb2b34d8c25d8b88a4c843a82

SHA256
4bfa4c00414660ba44bddde5216a7f28aeccaa9e2d42df4bbff66db57c60522b

SHA512
edbe8cf1cbc5fed80fedf963ade44e08052b19c064e8bca66fa0fe1b332141fbe175b8b727f8f56978d1584baaf27d331947c0b3593aaff5632756199dc470e5

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsUserCerts\is-GQ5PV.tmp

Filesize
17KB

MD5
018b7364f4de19d99c37665eb8555fc5

SHA1
661d32b263131f27c890a3a17e3a7f58b0035f93

SHA256
fb68bf34ae44c30267e5034d65e7d917033631f8290a17de264de5189f1c9e71

SHA512
82eb86e58894d3beed9f7efefdd9f8ece4d4d1af7d95e8751054eac18ff8eb08e6bfdd0ccf132f666b2bdd47669fdc4b1fcf4c172a4cf3f25b0464e6943489f8

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsUserCerts\is-HBJHB.tmp

Filesize
3.6MB

MD5
21e49d937a929db0ff9c265e8b2b6777

SHA1
88000b29bb69b3e8a29f30f0274de3e71a8b7ef7

SHA256
9b760f2aa4576d044bcd33e21943a8cbccd9c56d17d598fa509213e05f9939c1

SHA512
165664b4d3b6aa2c481665a9aed572a7445cd32052066faf7bf05340820d8afc3cf4660a344d2a06e6f3bcabbfa7923eb61c39b7367735ede0f5154f9696d1bf

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsUserCerts\is-HC5RV.tmp

Filesize
31KB

MD5
191bd0cc859e47aaa7c5195f58f56d4e

SHA1
c2d91b7688ab3d4fbc08dc8df895323ca2c47460

SHA256
3d30caf999bbd1c39b681f4782c2f703c02b9956c4a77d7d531e20ca02ffaa29

SHA512
9c876afdc1b3cab2c01d1d369d6c532edc4377876ed95f324e0e638860852d41052796a16f7314ef922bb7ff6edb9f3687f6edfb342b6524951906340c614b08

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsUserCerts\is-JF8HN.tmp

Filesize
113KB

MD5
5c25d0078a58280be572bfe68f5fe73c

SHA1
47f2bcc1e9405b863cce67bcac6a4a77ef957050

SHA256
0ec80b42ee511c5970c8810b9079df07761e4c528e493ea6f73b36d2d3a61e32

SHA512
654f9101067a58210e9b6cfd1a57bfe4572b08fa8381bd1d1b454c971e8acdf735ddf6333b94355a789ffd384ff41e5925aff295315ee3a5058b207137e0329b

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsUserCerts\is-MVJJA.tmp

Filesize
386KB

MD5
4ae68042d513cba160cdaafe45d35582

SHA1
9a07ebd26fab57947b20647ac6ca0019475ffb44

SHA256
cc2b02ac7ed7656e4d26574367c571dfc44d3f167838f0ee868cdb8b493b3ff4

SHA512
b78f80697ba16c33ba9ede2d2019ceb6173c8a2d335d6990b75613c1af21669f25ea8f2d0e3c56af08578d038cf3b66ca4e55ca252ad699a805598993a3d5be8

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsUserCerts\is-N7IG6.tmp

Filesize
328B

MD5
26e28c01461f7e65c402bdf09923d435

SHA1
1d9b5cfcc30436112a7e31d5e4624f52e845c573

SHA256
d96856cd944a9f1587907cacef974c0248b7f4210f1689c1e6bcac5fed289368

SHA512
c30ec66fecb0a41e91a31804be3a8b6047fc3789306adc106c723b3e5b166127766670c7da38d77d3694d99a8cddb26bc266ee21dba60a148cdf4d6ee10d27d7

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsUserCerts\is-QQRD5.tmp

Filesize
259B

MD5
ac5d5cc9acad4531ef1bd16145ea68bd

SHA1
f9d92f79a934815b645591ebbd6f5d20aa6a3e38

SHA256
68c787616681427557343e42ede5805dfbeeb580c59f69c4706b500f225e2c6b

SHA512
196863e039e9c83fb0f8eb3f0a6119db31a624e7ef4e9ba99516702e76796957f0ebf87e8728e1bd0de6cd7420bec6e644caa58a0724a7208e9a765d6eb78f64

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsUserCerts\is-TSMHR.tmp

Filesize
759KB

MD5
7aa3e993ffef3a554ebab6532eac4075

SHA1
92b541293c63a4fb343327a1cc7708f96e7eec74

SHA256
aaf5bd6cdf7eae9d3ed153033917b3aed750d48ab11222569246db162d94b72e

SHA512
97d91945d2f90594505ce67e2ce6f9bf4cfabe7ec5a0461ac5bf82c8bd1094308c99a02d4cc25276dc9701c8109afe1f69726964f2e06dce98f005f0e8f5ec49

Download Submit
memory/3252-28-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/3252-19-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/3252-132-0x0000000000400000-0x00000000006EE000-memory.dmp

Filesize
2.9MB

Download
memory/4744-27-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4744-18-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4744-12-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4744-133-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download