Malware Analysis Report

2024-10-19 01:40

Sample ID: 240203-t34jdadfe4
Target: 8cd067bd2a3245b62f0411ca93594b1b
SHA256: 8075a6c09ff4c8e8637128dc8500d59fc6b2e24fcfe34b7bc782c079f10428fa
Tags: netsupport, rat
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 8075a6c09ff4c8e8637128dc8500d59fc6b2e24fcfe34b7bc782c079f10428fa

Threat Level: Known bad

The file 8cd067bd2a3245b62f0411ca93594b1b was found to be: Known bad.

Malicious Activity Summary

netsupport rat

NetSupport

Drops startup file

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-03 16:35

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-03 16:35

Reported

2024-02-03 16:38

Platform

win7-20231215-en

Max time kernel

118s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8cd067bd2a3245b62f0411ca93594b1b.exe"

Signatures

NetSupport

rat netsupport

Drops startup file

Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autoruning.ini.lnk
Process: C:\Users\Admin\AppData\Local\Temp\8cd067bd2a3245b62f0411ca93594b1b.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\WinSupport\client32.exe
Target: N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description: Token: SeSecurityPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\WinSupport\client32.exe
Target: N/A

Suspicious use of FindShellTrayWindow

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\WinSupport\client32.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8cd067bd2a3245b62f0411ca93594b1b.exe

"C:\Users\Admin\AppData\Local\Temp\8cd067bd2a3245b62f0411ca93594b1b.exe"

C:\Users\Admin\AppData\Roaming\WinSupport\client32.exe

"C:\Users\Admin\AppData\Roaming\WinSupport\client32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 uzurtela1.com udp
US 8.8.8.8:53 geo.netsupportsoftware.com udp
US 104.26.1.231:80 geo.netsupportsoftware.com tcp
US 8.8.8.8:53 uzurtela42.com udp

Files

\Users\Admin\AppData\Roaming\WinSupport\client32.exe

MD5 f76954b68cc390f8009f1a052283a740
SHA1 3112a39aad950045d6422fb2abe98bed05931e6c
SHA256 63315df7981130853d75dc753e5776bdf371811bcfce351557c1e45afdd1ebfb
SHA512 d3aea0867b488161f62e43e7c250ad3917713b8b183139fb6e06c71594fb0cec769e1494b7cc257117992ae4aa891e056f99c25431ae19f032b1ba779051a880

C:\Users\Admin\AppData\Roaming\WinSupport\PCICL32.dll

MD5 287034270e3dba21671932ed8352727b
SHA1 60b1180941a78c487c37cae1f7d61c8fe7c94896
SHA256 b45cecc6bb0e1c0fb0758edb22490d1ab47de6d2feff31fb641dcc0a313ec602
SHA512 598b499dd58d4a86cd1b1d3eb7d6fcfa7d9aef2ee020a6ed21f1094afe0646e6780ab34cb3e9b7e05d58432d1020cc2ac09a7c70502ce07e24711e9c985856a0

\Users\Admin\AppData\Roaming\WinSupport\PCICL32.DLL

MD5 c984fdc831911ea8ad0a772a8166cab7
SHA1 93254b08d183b7cc0c5a8b3ebf958f5f9ad94ea0
SHA256 3a85e0eab1142917b7f4d6b465d1a145d53be8936183386cc4761e5b3e169cf6
SHA512 ad0f4124b7c9813ad6f2546d6a85f41eaa26aa0eaf5396881c9dbb883ff39768628f3e008898c1e14055a8622ebd21f8a86dcb296a50deb42c549ca1341bd102

\Users\Admin\AppData\Roaming\WinSupport\pcicapi.dll

MD5 dcde2248d19c778a41aa165866dd52d0
SHA1 7ec84be84fe23f0b0093b647538737e1f19ebb03
SHA256 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
SHA512 c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

\Users\Admin\AppData\Roaming\WinSupport\msvcr100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

\Users\Admin\AppData\Roaming\WinSupport\PCICHEK.DLL

MD5 a0b9388c5f18e27266a31f8c5765b263
SHA1 906f7e94f841d464d4da144f7c858fa2160e36db
SHA256 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
SHA512 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

C:\Users\Admin\AppData\Roaming\WinSupport\client32.ini

MD5 348247b5c9e5762245f79ade1b2c53fe
SHA1 283bdb541b1649da56768da106908f0935c55c56
SHA256 b2a0e55605b899eccba3e57d29b2c2a0033d27a0ad76d8202c51fa90c67507e5
SHA512 69d49a8b6ed39d822206a6df9c6967fad401341559a2a98e7ab7d302ae909886718da7d61e7809817805b3a0526c04f79cb9862ee477ba57e42f15f317f0d9cf

\Users\Admin\AppData\Roaming\WinSupport\TCCTL32.DLL

MD5 eab603d12705752e3d268d86dff74ed4
SHA1 01873977c871d3346d795cf7e3888685de9f0b16
SHA256 6795d760ce7a955df6c2f5a062e296128efdb8c908908eda4d666926980447ea
SHA512 77de0d9c93ccba967db70b280a85a770b3d8bea3b707b1abb037b2826b48898fec87924e1a6cce218c43478e5209e9eb9781051b4c3b450bea3cd27dbd32c7f3

\Users\Admin\AppData\Roaming\WinSupport\HTCTL32.DLL

MD5 2d3b207c8a48148296156e5725426c7f
SHA1 ad464eb7cf5c19c8a443ab5b590440b32dbc618f
SHA256 edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
SHA512 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

C:\Users\Admin\AppData\Roaming\WinSupport\NSM.LIC

MD5 8614c2008044a081e9d26d8db1571f4a
SHA1 1b007f05c289d0b71d542520b25fe65c6b6fcbe3
SHA256 df622fc8bc605023730d3ad952d69fcbd8383ce5440d63da0df20fb139355ec9
SHA512 449244a508daaacde53078b826f7b482650acc3f61e8235fa892a737bebbecb178061d0aa1e99cd74da7885c86cebb2727d6e85384ecd68187d7e6e94f018ae9

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-03 16:35

Reported

2024-02-03 16:38

Platform

win10v2004-20231222-en

Max time kernel

144s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8cd067bd2a3245b62f0411ca93594b1b.exe"

Signatures

NetSupport

rat netsupport

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\8cd067bd2a3245b62f0411ca93594b1b.exe
Target: N/A

Drops startup file

Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autoruning.ini.lnk
Process: C:\Users\Admin\AppData\Local\Temp\8cd067bd2a3245b62f0411ca93594b1b.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\WinSupport\client32.exe
Target: N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description: Token: SeSecurityPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\WinSupport\client32.exe
Target: N/A

Suspicious use of FindShellTrayWindow

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\WinSupport\client32.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8cd067bd2a3245b62f0411ca93594b1b.exe

"C:\Users\Admin\AppData\Local\Temp\8cd067bd2a3245b62f0411ca93594b1b.exe"

C:\Users\Admin\AppData\Roaming\WinSupport\client32.exe

"C:\Users\Admin\AppData\Roaming\WinSupport\client32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 uzurtela1.com udp
US 8.8.8.8:53 geo.netsupportsoftware.com udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 uzurtela42.com udp
US 172.67.68.212:80 geo.netsupportsoftware.com tcp
US 8.8.8.8:53 212.68.67.172.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 uzurtela1.com udp
US 8.8.8.8:53 uzurtela42.com udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 16.234.44.23.in-addr.arpa udp
US 8.8.8.8:53 uzurtela1.com udp
US 8.8.8.8:53 uzurtela42.com udp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\WinSupport\client32.exe

MD5 f76954b68cc390f8009f1a052283a740
SHA1 3112a39aad950045d6422fb2abe98bed05931e6c
SHA256 63315df7981130853d75dc753e5776bdf371811bcfce351557c1e45afdd1ebfb
SHA512 d3aea0867b488161f62e43e7c250ad3917713b8b183139fb6e06c71594fb0cec769e1494b7cc257117992ae4aa891e056f99c25431ae19f032b1ba779051a880

C:\Users\Admin\AppData\Roaming\WinSupport\PCICL32.dll

MD5 6be1c6af09322b2c2d4e97ee7c69b34b
SHA1 1881adf8c6585193fbb0c9945fc4095f6053d97d
SHA256 f84d9e85311b96ca3665f22dce3722a3d4918950667bca75938a20f5d66a8c66
SHA512 a9c4c5c75b036a451c1d4e783f963e4173f24aa9cff65f9e9c3417967ad00510ff34a4dd5e34e65e1bd43ff16cfe82b619408bcfcca3c3691c4c4a147667cefa

C:\Users\Admin\AppData\Roaming\WinSupport\PCICL32.DLL

MD5 ed183fc135659cf89e5dd9761ae2b60d
SHA1 0cb45db7844e42989075008dd989d05bffd8a4df
SHA256 11adcce406cba8a4642027d1690a9ed458df3bd673e56a224986f9c1412c1ee0
SHA512 984495b3d5914eb1ebc49e3c1a9fdd25b116850daeb906f93f1e387703a1c4097f56137ea0a87a466abd279aff8fd1bf5a0a5bb715c3df03e0736aecf46afefa

C:\Users\Admin\AppData\Roaming\WinSupport\PCICHEK.DLL

MD5 a0b9388c5f18e27266a31f8c5765b263
SHA1 906f7e94f841d464d4da144f7c858fa2160e36db
SHA256 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
SHA512 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

C:\Users\Admin\AppData\Roaming\WinSupport\pcicapi.dll

MD5 dcde2248d19c778a41aa165866dd52d0
SHA1 7ec84be84fe23f0b0093b647538737e1f19ebb03
SHA256 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
SHA512 c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

C:\Users\Admin\AppData\Roaming\WinSupport\MSVCR100.dll

MD5 caf6161eecffab1eb87298ce425ce636
SHA1 37e3460b82284c962ed3cc2bb4cda7e04dac67b7
SHA256 3c5f5179eca7d76f5fe24cad4166cad7bd4cb32c3b2870a8ec0ac4ba87cd35b9
SHA512 d4a9a50441d5ce8ec0fd84ef8c7524b7a680554f4d53242464a41d2756f03a1dd8ca56a9a0cb98004a8af4db24dd59c2e0188596cd6754d78fd07dfc58c3a964

C:\Users\Admin\AppData\Roaming\WinSupport\msvcr100.dll

MD5 0fc43678e21adb54f7a60e0034d1f85b
SHA1 934df400dc4c483df46736f6548b59685cbe774e
SHA256 8c7945bc8651c463a48ad6a269301bd41d6df96237c2a1274925062d3d88a7c3
SHA512 f7c30daf12435c911b40a05651b001ecc4ae209272b239f9a2e7a74171f5092ae9b5ca240a955c4127fbe0481261d19a4f401e98653b3319e178d4d3cbc94604

C:\Users\Admin\AppData\Roaming\WinSupport\msvcr100.dll

MD5 a2fbd8bbc007534f1ec3205497573581
SHA1 8cbba3c347cd40ef92f2f8d7b537b20c63e029ab
SHA256 d422c471ef6205f675c8dd8d4fc3cbc9e0ef453f752d9e2f1d95722b3fe924c7
SHA512 01e32f9f25dadee6eca76dd3478668671e0aa35253affcef2a92c26ec2fbdfe065eabfb9a82c6d008215400b5528501a1c06edf473140a693310d18c0e47a1c4

C:\Users\Admin\AppData\Roaming\WinSupport\client32.ini

MD5 348247b5c9e5762245f79ade1b2c53fe
SHA1 283bdb541b1649da56768da106908f0935c55c56
SHA256 b2a0e55605b899eccba3e57d29b2c2a0033d27a0ad76d8202c51fa90c67507e5
SHA512 69d49a8b6ed39d822206a6df9c6967fad401341559a2a98e7ab7d302ae909886718da7d61e7809817805b3a0526c04f79cb9862ee477ba57e42f15f317f0d9cf

C:\Users\Admin\AppData\Roaming\WinSupport\NSM.LIC

MD5 8614c2008044a081e9d26d8db1571f4a
SHA1 1b007f05c289d0b71d542520b25fe65c6b6fcbe3
SHA256 df622fc8bc605023730d3ad952d69fcbd8383ce5440d63da0df20fb139355ec9
SHA512 449244a508daaacde53078b826f7b482650acc3f61e8235fa892a737bebbecb178061d0aa1e99cd74da7885c86cebb2727d6e85384ecd68187d7e6e94f018ae9

C:\Users\Admin\AppData\Roaming\WinSupport\HTCTL32.DLL

MD5 2d3b207c8a48148296156e5725426c7f
SHA1 ad464eb7cf5c19c8a443ab5b590440b32dbc618f
SHA256 edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
SHA512 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

C:\Users\Admin\AppData\Roaming\WinSupport\TCCTL32.DLL

MD5 eab603d12705752e3d268d86dff74ed4
SHA1 01873977c871d3346d795cf7e3888685de9f0b16
SHA256 6795d760ce7a955df6c2f5a062e296128efdb8c908908eda4d666926980447ea
SHA512 77de0d9c93ccba967db70b280a85a770b3d8bea3b707b1abb037b2826b48898fec87924e1a6cce218c43478e5209e9eb9781051b4c3b450bea3cd27dbd32c7f3