netsupport | 230a116655f27e771451e599073e25ccbc3bb560c6f041089d896966d253539c

Analysis

max time kernel
119s
max time network
126s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12/01/2024, 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad8dcc208be118c2aa52f2d5ed84c79a.exe
Size

3.4MB
MD5

ad8dcc208be118c2aa52f2d5ed84c79a
SHA1

468b334eea7ff5522dc401a5e523a2a6e6e9dd10
SHA256

230a116655f27e771451e599073e25ccbc3bb560c6f041089d896966d253539c
SHA512

46b5794be1df9017bf52bd4a89af406dc095b2972c15127702963abb404e5f50dbf9f34f65e54b72173da9fc2b35a681d5dc0e6fa2a3b9f4c72ce033b80cde30
SSDEEP

98304:ccl520NC/+l520NC/YGjkfSrmXcA7p8l6GKDTbD+tJMnb:pE/+E/JL217x1nb

Score

10^/10

netsupport rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\atechgame.lnk	ad8dcc208be118c2aa52f2d5ed84c79a.exe

Executes dropped EXE 1 IoCs

pid	Process
2572	ideo.exe

Loads dropped DLL 10 IoCs

pid	Process
2820	ad8dcc208be118c2aa52f2d5ed84c79a.exe
2820	ad8dcc208be118c2aa52f2d5ed84c79a.exe
2820	ad8dcc208be118c2aa52f2d5ed84c79a.exe
2820	ad8dcc208be118c2aa52f2d5ed84c79a.exe
2820	ad8dcc208be118c2aa52f2d5ed84c79a.exe
2572	ideo.exe
2572	ideo.exe
2572	ideo.exe
2572	ideo.exe
2572	ideo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2572	ideo.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2572	ideo.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2572	2820	ad8dcc208be118c2aa52f2d5ed84c79a.exe	28
PID 2820 wrote to memory of 2572	2820	ad8dcc208be118c2aa52f2d5ed84c79a.exe	28
PID 2820 wrote to memory of 2572	2820	ad8dcc208be118c2aa52f2d5ed84c79a.exe	28
PID 2820 wrote to memory of 2572	2820	ad8dcc208be118c2aa52f2d5ed84c79a.exe	28

C:\Users\Admin\AppData\Local\Temp\ad8dcc208be118c2aa52f2d5ed84c79a.exe
"C:\Users\Admin\AppData\Local\Temp\ad8dcc208be118c2aa52f2d5ed84c79a.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Users\Admin\AppData\Roaming\atechgame\ideo.exe
  "C:\Users\Admin\AppData\Roaming\atechgame\ideo.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\atechgame\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\atechgame\NSM.LIC

Filesize
257B

MD5
7067af414215ee4c50bfcd3ea43c84f0

SHA1
c331d410672477844a4ca87f43a14e643c863af9

SHA256
2050cc232710a2ea6a207bc78d1eac66a4042f2ee701cdfeee5de3ddcdc31d12

SHA512
17b888087192bcea9f56128d0950423b1807e294d1c4f953d1bf0f5bd08e5f8e35afeee584ebf9233bfc44e0723db3661911415798159ac118c8a42aaf0b902f

Download Submit
C:\Users\Admin\AppData\Roaming\atechgame\PCICL32.dll

Filesize
1024KB

MD5
8f485de844324c548f95faa66b4d5794

SHA1
ade6fb3e283644ee06c77e343fbac80e8742cda1

SHA256
a4e4cc70f70aaa6118e27dd962554274bc35f7cfdd57e87f79539a79f9bfd07a

SHA512
f526069aa7354e840a069bc025e2f0dfbd1f7882b73986df06112bb534f9c07ddb7c2b418075e60637981adb3749dd44380f5cae7d85e7a03193a0aee06fb62b

Download Submit
C:\Users\Admin\AppData\Roaming\atechgame\client32.ini

Filesize
665B

MD5
575e84941481dab9126f640e76374481

SHA1
33897cc2f367ce1857273b2af88ece4d1ad8163e

SHA256
ed42f484f03c101fe10484a3ec556009dbd4d1640964391ed339792ce254d793

SHA512
8de620b65da9ae80c9dd601266461d06218280e6c2f62760abe8feeab370150508f7f8a9f95c8e560d614572b075a54ce665dac80f68a66fd15131d38a84df6c

Download Submit
\Users\Admin\AppData\Roaming\atechgame\HTCTL32.DLL

Filesize
92KB

MD5
1445b149db1a58c77a9d0cc839e365e0

SHA1
4854a5766ded71882877f12cc7a47d77c1384e92

SHA256
a2316794c2b93a64897b635917ea115b720c1e9bd75afb07f1dccce149fa2730

SHA512
c057f32986c1289df94fb3b7d8d2bf6f5e58c6dc60ad7d7778a73f6b542d9d089e006e46e6ed4fc10a6ff6e6ce021eb8d900a987d04f85a9ed97cc505f0ceb41

Download Submit
\Users\Admin\AppData\Roaming\atechgame\PCICHEK.DLL

Filesize
18KB

MD5
a0b9388c5f18e27266a31f8c5765b263

SHA1
906f7e94f841d464d4da144f7c858fa2160e36db

SHA256
313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

SHA512
6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

Download Submit
\Users\Admin\AppData\Roaming\atechgame\ideo.exe

Filesize
103KB

MD5
8d9709ff7d9c83bd376e01912c734f0a

SHA1
e3c92713ce1d7eaa5e2b1fabeb06cdc0bb499294

SHA256
49a568f8ac11173e3a0d76cff6bc1d4b9bdf2c35c6d8570177422f142dcfdbe3

SHA512
042ad89ed2e15671f5df67766d11e1fa7ada8241d4513e7c8f0d77b983505d63ebfb39fefa590a2712b77d7024c04445390a8bf4999648f83dbab6b0f04eb2ee

Download Submit
\Users\Admin\AppData\Roaming\atechgame\msvcr100.dll

Filesize
137KB

MD5
b2a3962915414ee837bf50e9dc1f16e5

SHA1
478b36968574e83237586a8e946b5dc5b889fa9f

SHA256
ee34b4a8a5b69d3c43cd68a935f2e80464307b91331ed610db3d9367dbb11cc7

SHA512
ec5e95b8eda7092e312595152aeb37d282e8809dcf4d60bb85836394bd13387b6202b12f18548bbc7d7f2ade907fb919c905f4ad37c9675c41eba79b2b928fc3

Download Submit
\Users\Admin\AppData\Roaming\atechgame\pcicapi.dll

Filesize
32KB

MD5
dcde2248d19c778a41aa165866dd52d0

SHA1
7ec84be84fe23f0b0093b647538737e1f19ebb03

SHA256
9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

SHA512
c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

Download Submit