netsupport | 011c45deea7f50338e56529fb8705caa6e86b3920e7f4f79926bcb7933ffa0ba

Analysis

max time kernel
118s
max time network
138s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/01/2024, 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94C0CEB9BF2BA3EA4B60D67DB728132C.exe
Size

99KB
MD5

94c0ceb9bf2ba3ea4b60d67db728132c
SHA1

1fa5ca6058e19602675076907748b08948495897
SHA256

011c45deea7f50338e56529fb8705caa6e86b3920e7f4f79926bcb7933ffa0ba
SHA512

2d5e24f01237875317272afec8c0fcfbbee5bf56532332f129345931f0c1444f84a0f0415cf72ce4872e90157c5229338b8fc7cff4404d60e68a1ff80a5aeb88
SSDEEP

1536:TaRU9m4HYvSIX0u+7+j71+s5g2YEcIQ7/AzWOWuEdeHZMcziqU1ZyiL:BOhX0N7+f135dcIxWazScuqCMY

Score

10^/10

netsupport zgrat persistence rat

Malware Config

Signatures

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/1656-10-0x0000000004210000-0x00000000042BA000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-11-0x0000000004210000-0x00000000042B3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-12-0x0000000004210000-0x00000000042B3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-20-0x0000000004210000-0x00000000042B3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-18-0x0000000004210000-0x00000000042B3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-16-0x0000000004210000-0x00000000042B3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-22-0x0000000004210000-0x00000000042B3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-24-0x0000000004210000-0x00000000042B3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-14-0x0000000004210000-0x00000000042B3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-26-0x0000000004210000-0x00000000042B3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-28-0x0000000004210000-0x00000000042B3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-36-0x0000000004210000-0x00000000042B3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-38-0x0000000004210000-0x00000000042B3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-34-0x0000000004210000-0x00000000042B3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-32-0x0000000004210000-0x00000000042B3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-44-0x0000000004210000-0x00000000042B3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-42-0x0000000004210000-0x00000000042B3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-48-0x0000000004210000-0x00000000042B3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-50-0x0000000004210000-0x00000000042B3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-46-0x0000000004210000-0x00000000042B3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-52-0x0000000004210000-0x00000000042B3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-54-0x0000000004210000-0x00000000042B3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-56-0x0000000004210000-0x00000000042B3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-60-0x0000000004210000-0x00000000042B3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-62-0x0000000004210000-0x00000000042B3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-64-0x0000000004210000-0x00000000042B3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-68-0x0000000004210000-0x00000000042B3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-70-0x0000000004210000-0x00000000042B3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-66-0x0000000004210000-0x00000000042B3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-58-0x0000000004210000-0x00000000042B3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-72-0x0000000004210000-0x00000000042B3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-74-0x0000000004210000-0x00000000042B3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-40-0x0000000004210000-0x00000000042B3000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-30-0x0000000004210000-0x00000000042B3000-memory.dmp	family_zgrat_v1

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 3 IoCs

pid	Process
1656	mouthcoordinate.exe
2284	mouthcoordinate.exe
1720	client32.exe

Loads dropped DLL 8 IoCs

pid	Process
2000	94C0CEB9BF2BA3EA4B60D67DB728132C.exe
1656	mouthcoordinate.exe
2284	mouthcoordinate.exe
1720	client32.exe
1720	client32.exe
1720	client32.exe
1720	client32.exe
1720	client32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	94C0CEB9BF2BA3EA4B60D67DB728132C.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1656 set thread context of 2284	1656	mouthcoordinate.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1320	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1656	mouthcoordinate.exe
Token: SeSecurityPrivilege	1720	client32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1720	client32.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1656	2000	94C0CEB9BF2BA3EA4B60D67DB728132C.exe	19
PID 2000 wrote to memory of 1656	2000	94C0CEB9BF2BA3EA4B60D67DB728132C.exe	19
PID 2000 wrote to memory of 1656	2000	94C0CEB9BF2BA3EA4B60D67DB728132C.exe	19
PID 2000 wrote to memory of 1656	2000	94C0CEB9BF2BA3EA4B60D67DB728132C.exe	19
PID 1656 wrote to memory of 2284	1656	mouthcoordinate.exe	31
PID 1656 wrote to memory of 2284	1656	mouthcoordinate.exe	31
PID 1656 wrote to memory of 2284	1656	mouthcoordinate.exe	31
PID 1656 wrote to memory of 2284	1656	mouthcoordinate.exe	31
PID 1656 wrote to memory of 2284	1656	mouthcoordinate.exe	31
PID 1656 wrote to memory of 2284	1656	mouthcoordinate.exe	31
PID 1656 wrote to memory of 2284	1656	mouthcoordinate.exe	31
PID 1656 wrote to memory of 2284	1656	mouthcoordinate.exe	31
PID 1656 wrote to memory of 2284	1656	mouthcoordinate.exe	31
PID 1656 wrote to memory of 2284	1656	mouthcoordinate.exe	31
PID 1656 wrote to memory of 2284	1656	mouthcoordinate.exe	31
PID 1656 wrote to memory of 2284	1656	mouthcoordinate.exe	31
PID 2284 wrote to memory of 1320	2284	mouthcoordinate.exe	34
PID 2284 wrote to memory of 1320	2284	mouthcoordinate.exe	34
PID 2284 wrote to memory of 1320	2284	mouthcoordinate.exe	34
PID 2284 wrote to memory of 1320	2284	mouthcoordinate.exe	34
PID 2284 wrote to memory of 1720	2284	mouthcoordinate.exe	35
PID 2284 wrote to memory of 1720	2284	mouthcoordinate.exe	35
PID 2284 wrote to memory of 1720	2284	mouthcoordinate.exe	35
PID 2284 wrote to memory of 1720	2284	mouthcoordinate.exe	35

C:\Users\Admin\AppData\Local\Temp\94C0CEB9BF2BA3EA4B60D67DB728132C.exe
"C:\Users\Admin\AppData\Local\Temp\94C0CEB9BF2BA3EA4B60D67DB728132C.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mouthcoordinate.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mouthcoordinate.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mouthcoordinate.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mouthcoordinate.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "temo_clean" /tr "C:\Users\Admin\AppData\Local\temo_clean\client32.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:1320
  - - C:\Users\Admin\AppData\Local\temo_clean\client32.exe
      C:\Users\Admin\AppData\Local\temo_clean\client32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mouthcoordinate.exe

Filesize
18KB

MD5
57e3a39940a2e1c44beb4f9db2bff62a

SHA1
385322bc1caab1a92ee1309b3d1f8ed49fecce6b

SHA256
198487618c0a63e523213a3971209a22489c927e768cc6d7b9203ab89edde96d

SHA512
0c779f67baffe73a4505705abb90439667840a85b2af9a0008134cce58d9c0d1d635e4021e30fb188d2c442cb29f1ed52afc96aa0e4a912394c73c8f90e6ffe4

Download Submit
C:\Users\Admin\AppData\Local\temo_clean\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Local\temo_clean\NSM.LIC

Filesize
259B

MD5
3a88847f4bbf7199a2161ed963fe88ef

SHA1
8629803adb6af84691dc5431b6590df14bad4a61

SHA256
a680947aba5cf3316be50f1ec6a0d8bf72f7d7ca79d91430c26e24680eddd35e

SHA512
2b6408e7334946655045914b2cfa14dcfb39502f64ffafad784717a8ca036b73928bd7a5b02d650d8698357c54c31cac11a705baed0e1e7a3a07d659a2104e02

Download Submit
C:\Users\Admin\AppData\Local\temo_clean\PCICL32.dll

Filesize
1.8MB

MD5
d0b77258911ce4a9264d7e086f2d14f2

SHA1
f8b34b501625acfd50cf4da6f3db9cd3de5a320f

SHA256
030534a3675968e31feffda881a23e1f572f451a25e443e015a44667c123c38c

SHA512
9acc8f4dbf4dec6d1a1f86621586ae9ae8a9d2e08f45c45bbd9195158411c0d9998f7f4ee0c677b34106c2fa8f228e5fb489a6cc4381e3182c19b4006de4cf2b

Download Submit
C:\Users\Admin\AppData\Local\temo_clean\client32.exe

Filesize
117KB

MD5
a2b46c59f6e7e395d479b09464ecdba0

SHA1
92c132307dd21189b6d7912ddd934b50e50d1ec1

SHA256
89f0c8f170fe9ea28b1056517160e92e2d7d4e8aa81f4ed696932230413a6ce1

SHA512
4f4479ddcd9d0986aec3d789f9e14f9285e8d9d63a5b8f73c9e3203d3a53cd575b1e15edf0d5f640816bb7f25bd3501244e0f7c181a716a6804742ed2f1cf916

Download Submit
C:\Users\Admin\AppData\Local\temo_clean\client32.ini

Filesize
731B

MD5
5dd29bf537f942e8f740eef7115597b9

SHA1
f46c544c5ee2cfdd310ad2573637dfea270e6d48

SHA256
1817536fd60e66f91b2271bf67eb6b9257a1e88be1627de968ac5aa6b4fe6443

SHA512
fe1f8bfb7211b4cb29442f8e22b0a892006a06bb20e5174ae2205775554737ef1a4c79778d2fbf1a9934a0691f0cfc9177dfbef1c212a831c665ed246775aadb

Download Submit
\Users\Admin\AppData\Local\temo_clean\HTCTL32.DLL

Filesize
320KB

MD5
2d3b207c8a48148296156e5725426c7f

SHA1
ad464eb7cf5c19c8a443ab5b590440b32dbc618f

SHA256
edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

SHA512
55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Download Submit
\Users\Admin\AppData\Local\temo_clean\PCICHEK.DLL

Filesize
18KB

MD5
a0b9388c5f18e27266a31f8c5765b263

SHA1
906f7e94f841d464d4da144f7c858fa2160e36db

SHA256
313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

SHA512
6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

Download Submit
\Users\Admin\AppData\Local\temo_clean\PCICL32.DLL

Filesize
852KB

MD5
a9398e819f3ad3428da3274740bde0d4

SHA1
c6fa99704a2b585071c51fd120902c444eb45770

SHA256
3a9249fe7bd0b57479bdd545de954817c61e9ca0a079de91c902be8c71403015

SHA512
f3c9bfec7e0719471157b52c6af0d7f339f3a8641e2fcaaa0367c03c3d05c452cb6df189ff2d84d554852138ea0384567afd6c034e834cc67d449979fe116773

Download Submit
\Users\Admin\AppData\Local\temo_clean\pcicapi.dll

Filesize
32KB

MD5
dcde2248d19c778a41aa165866dd52d0

SHA1
7ec84be84fe23f0b0093b647538737e1f19ebb03

SHA256
9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

SHA512
c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

Download Submit
memory/1656-48-0x0000000004210000-0x00000000042B3000-memory.dmp

Filesize
652KB

Download
memory/1656-62-0x0000000004210000-0x00000000042B3000-memory.dmp

Filesize
652KB

Download
memory/1656-20-0x0000000004210000-0x00000000042B3000-memory.dmp

Filesize
652KB

Download
memory/1656-18-0x0000000004210000-0x00000000042B3000-memory.dmp

Filesize
652KB

Download
memory/1656-16-0x0000000004210000-0x00000000042B3000-memory.dmp

Filesize
652KB

Download
memory/1656-22-0x0000000004210000-0x00000000042B3000-memory.dmp

Filesize
652KB

Download
memory/1656-24-0x0000000004210000-0x00000000042B3000-memory.dmp

Filesize
652KB

Download
memory/1656-14-0x0000000004210000-0x00000000042B3000-memory.dmp

Filesize
652KB

Download
memory/1656-26-0x0000000004210000-0x00000000042B3000-memory.dmp

Filesize
652KB

Download
memory/1656-28-0x0000000004210000-0x00000000042B3000-memory.dmp

Filesize
652KB

Download
memory/1656-36-0x0000000004210000-0x00000000042B3000-memory.dmp

Filesize
652KB

Download
memory/1656-38-0x0000000004210000-0x00000000042B3000-memory.dmp

Filesize
652KB

Download
memory/1656-34-0x0000000004210000-0x00000000042B3000-memory.dmp

Filesize
652KB

Download
memory/1656-32-0x0000000004210000-0x00000000042B3000-memory.dmp

Filesize
652KB

Download
memory/1656-44-0x0000000004210000-0x00000000042B3000-memory.dmp

Filesize
652KB

Download
memory/1656-42-0x0000000004210000-0x00000000042B3000-memory.dmp

Filesize
652KB

Download
memory/1656-11-0x0000000004210000-0x00000000042B3000-memory.dmp

Filesize
652KB

Download
memory/1656-50-0x0000000004210000-0x00000000042B3000-memory.dmp

Filesize
652KB

Download
memory/1656-46-0x0000000004210000-0x00000000042B3000-memory.dmp

Filesize
652KB

Download
memory/1656-52-0x0000000004210000-0x00000000042B3000-memory.dmp

Filesize
652KB

Download
memory/1656-54-0x0000000004210000-0x00000000042B3000-memory.dmp

Filesize
652KB

Download
memory/1656-56-0x0000000004210000-0x00000000042B3000-memory.dmp

Filesize
652KB

Download
memory/1656-60-0x0000000004210000-0x00000000042B3000-memory.dmp

Filesize
652KB

Download
memory/1656-12-0x0000000004210000-0x00000000042B3000-memory.dmp

Filesize
652KB

Download
memory/1656-64-0x0000000004210000-0x00000000042B3000-memory.dmp

Filesize
652KB

Download
memory/1656-68-0x0000000004210000-0x00000000042B3000-memory.dmp

Filesize
652KB

Download
memory/1656-70-0x0000000004210000-0x00000000042B3000-memory.dmp

Filesize
652KB

Download
memory/1656-66-0x0000000004210000-0x00000000042B3000-memory.dmp

Filesize
652KB

Download
memory/1656-58-0x0000000004210000-0x00000000042B3000-memory.dmp

Filesize
652KB

Download
memory/1656-72-0x0000000004210000-0x00000000042B3000-memory.dmp

Filesize
652KB

Download
memory/1656-74-0x0000000004210000-0x00000000042B3000-memory.dmp

Filesize
652KB

Download
memory/1656-40-0x0000000004210000-0x00000000042B3000-memory.dmp

Filesize
652KB

Download
memory/1656-30-0x0000000004210000-0x00000000042B3000-memory.dmp

Filesize
652KB

Download
memory/1656-943-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/1656-945-0x0000000004C40000-0x0000000004C8C000-memory.dmp

Filesize
304KB

Download
memory/1656-944-0x0000000004B90000-0x0000000004BD0000-memory.dmp

Filesize
256KB

Download
memory/1656-946-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/1656-947-0x00000000042E0000-0x0000000004320000-memory.dmp

Filesize
256KB

Download
memory/1656-10-0x0000000004210000-0x00000000042BA000-memory.dmp

Filesize
680KB

Download
memory/1656-9-0x00000000042E0000-0x0000000004320000-memory.dmp

Filesize
256KB

Download
memory/1656-7-0x0000000000E00000-0x0000000000E0A000-memory.dmp

Filesize
40KB

Download
memory/1656-8-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/1656-967-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/2284-969-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2284-999-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads