Malware Analysis Report

2024-10-19 01:39

Sample ID 240208-jpgscaegck
Target E52BE8968152E665685D030C8D641540.exe
SHA256 ea35797a9556636378031645a48f089087cd258f8e40e1399aa371b2cca3cb7f
Tags: netsupport, rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: ea35797a9556636378031645a48f089087cd258f8e40e1399aa371b2cca3cb7f

Threat Level: Known bad

The file E52BE8968152E665685D030C8D641540.exe was found to be: Known bad.

Malicious Activity Summary

netsupport rat

NetSupport

Drops startup file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-08 07:50

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-08 07:50
Reported: 2024-02-08 07:53
Platform: win7-20231129-en
Max time kernel: 120s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\E52BE8968152E665685D030C8D641540.exe"

Signatures

NetSupport

Tags: rat, netsupport

Drops startup file

Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\automnruns2012.ini.lnk
Process: C:\Users\Admin\AppData\Local\Temp\E52BE8968152E665685D030C8D641540.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe
Target: N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description: Token: SeSecurityPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe
Target: N/A

Suspicious use of FindShellTrayWindow

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\E52BE8968152E665685D030C8D641540.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\E52BE8968152E665685D030C8D641540.exe"

C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe
    Command line: "C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 geo.netsupportsoftware.com udp
US 8.8.8.8:53 DcnLaleanae8.com udp
US 104.26.0.231:80 geo.netsupportsoftware.com tcp
GB 45.11.180.127:3120 DcnLaleanae8.com tcp

Files

\Users\Admin\AppData\Roaming\updatein1432\client32.exe

MD5 c4f1b50e3111d29774f7525039ff7086
SHA1 57539c95cba0986ec8df0fcdea433e7c71b724c6
SHA256 18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d
SHA512 005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

C:\Users\Admin\AppData\Roaming\updatein1432\PCICL32.dll

MD5 7f8fcf69e50f90e0d2028b36d033dcec
SHA1 997d8a8f159059b3d133811ce8dc6eeeeb6ce96e
SHA256 6d85ec0221d14c8cab77176398042644b9d440619ea365f71be9ed302b86ec26
SHA512 8b0d668e92f07f63e0642b9787d149c27ffe6975fcc1377f2c0b705521101319064ae99ebfec9a736d021f6ccd95319376ccb01422ae77ed1943b116f65c530e

\Users\Admin\AppData\Roaming\updatein1432\pcicapi.dll

MD5 67c53a770390e8c038060a1921c20da9
SHA1 49e63af91169c8ce7ef7de3d6a6fb9f8f739fa3a
SHA256 2dfdc169dfc27462adc98dde39306de8d0526dcf4577a1a486c2eef447300689
SHA512 201e07dbccd83480d6c4d8562e6d0a9e4c52ed12895f0b91d875c2bbcc50b3b1802e11e5e829c948be302bf98ebde7fb2a99476065d1709b3bdbcd5d59a1612d

C:\Users\Admin\AppData\Roaming\updatein1432\client32.ini

MD5 c3bb1894b531c58a43d290e9f6cd91f0
SHA1 b9ccbde0b306c7727bba5dc329333454ef73c27b
SHA256 7d66b61e87088b93336ac1cf562c6a525fe5807d8b363e8b928125068bab626c
SHA512 f065e3c783e6ca3b48f4b37307c3100d4efb24006ac7d61cfc724225cb743f959580db0decd2db9415123096b5170f34937921db4d980ea73fefed70beb601e0

\Users\Admin\AppData\Roaming\updatein1432\HTCTL32.DLL

MD5 051cdb6ac8e168d178e35489b6da4c74
SHA1 38c171457d160f8a6f26baa668f5c302f6c29cd1
SHA256 6562585009f15155eea9a489e474cebc4dd2a01a26d846fdd1b93fdc24b0c269
SHA512 602ab9999f7164a2d1704f712d8a622d69148eefe9a380c30bc8b310eadedf846ce6ae7940317437d5da59404d141dc2d1e0c3f954ca4ac7ae3497e56fcb4e36

C:\Users\Admin\AppData\Roaming\updatein1432\NSM.LIC

MD5 6af7a794e1553154dd4fa63175494d3a
SHA1 125c582559647e8bf24081f35e2702c476b0af16
SHA256 09af8db75365407c9305a934caee8de6f2b46f2b338434bebafba55d684d0425
SHA512 ad8b57b5d99adae5fd1280e7d0dae5fe2d1b8d91dd36274ebd75b366961391281ea0b0b4ea0c644fe6aba19587cf8d25401f770664371a2079852bd951534527

\Users\Admin\AppData\Roaming\updatein1432\msvcr100.dll

MD5 c553ed89d91a24cc9d10f91d039dc91a
SHA1 dea9f1310d69a2e037b7babd050296d33bfc33ac
SHA256 303777fd33b406bdfdc6569fbdd045e04cdf4cc0bcfde4fbd718a6503c8f9870
SHA512 37843ff3229905cdc72989fe7948ed28f19c77d33d54fa09420ce6d4b040dac0ea2d80410c21473ffc52b451304d9f2e965839e64979bbc141e99616a96af9ca

C:\Users\Admin\AppData\Roaming\updatein1432\MSVCR100.dll

MD5 ba7d73057ae1e5d07fd8348f0abecfd8
SHA1 338382ed4dde4e0b8535266b636864bb3d0a5d74
SHA256 737295417b8068d41bd99d4988915da8981f2d8e9913e8ee4a1cd660fb3af363
SHA512 c86dd4137339dc912d5a40d48aa0e78d5876bfe7b8b333ced0b3c82933d4fe2f62d1182f3f4a0ec65e2d0f28d44b24b8122177fbc9b70d6203c7b6bb63eff334

\Users\Admin\AppData\Roaming\updatein1432\PCICHEK.DLL

MD5 3aabcd7c81425b3b9327a2bf643251c6
SHA1 ea841199baa7307280fc9e4688ac75e5624f2181
SHA256 0cff893b1e7716d09fb74b7a0313b78a09f3f48c586d31fc5f830bd72ce8331f
SHA512 97605b07be34948541462000345f1e8f9a9134d139448d4f331cefeeca6dad51c025fcab09d182b86e5a4a8e2f9412b3745ec86b514b0523497c821cb6b8c592

\Users\Admin\AppData\Roaming\updatein1432\PCICL32.DLL

MD5 54589ed7b58c316a5dc274cde7ad3fd9
SHA1 8c330b60b2609f62d55a7d0a9ef89ff23ca46c63
SHA256 448c4d2f09e21b255e0c57f646c08fa2742e47b7bafb0dd29e767d3b02a09226
SHA512 325ae8e6d30a7d89dabec4925fb0843167667439e9a1b30368043382ea20dc3cff6e2e84e45c88e33ea85c81c538fccd551b593affa8b88e7ba1b473f9de4a14

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-08 07:50
Reported: 2024-02-08 07:53
Platform: win10v2004-20231215-en
Max time kernel: 141s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\E52BE8968152E665685D030C8D641540.exe"

Signatures

NetSupport

Tags: rat, netsupport

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\E52BE8968152E665685D030C8D641540.exe
Target: N/A

Drops startup file

Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\automnruns2012.ini.lnk
Process: C:\Users\Admin\AppData\Local\Temp\E52BE8968152E665685D030C8D641540.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe
Target: N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description: Token: SeSecurityPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe
Target: N/A

Suspicious use of FindShellTrayWindow

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\E52BE8968152E665685D030C8D641540.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\E52BE8968152E665685D030C8D641540.exe"

C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe
    Command line: "C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 DcnLaleanae8.com udp
US 8.8.8.8:53 geo.netsupportsoftware.com udp
US 172.67.68.212:80 geo.netsupportsoftware.com tcp
US 8.8.8.8:53 212.68.67.172.in-addr.arpa udp
US 8.8.8.8:53 DcnLaleanae9.com udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 DcnLaleanae8.com udp
GB 45.11.180.127:3120 DcnLaleanae8.com tcp
US 8.8.8.8:53 127.180.11.45.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 209.78.101.95.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe

MD5 c4f1b50e3111d29774f7525039ff7086
SHA1 57539c95cba0986ec8df0fcdea433e7c71b724c6
SHA256 18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d
SHA512 005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

C:\Users\Admin\AppData\Roaming\updatein1432\PCICL32.dll

MD5 e7b92529ea10176fe35ba73fa4edef74
SHA1 fc5b325d433cde797f6ad0d8b1305d6fb16d4e34
SHA256 b6d4ad0231941e0637485ac5833e0fdc75db35289b54e70f3858b70d36d04c80
SHA512 fb3a70e87772c1fb386ad8def6c7bdf325b8d525355d4386102649eb2d61f09ce101fce37ccc1f44d5878e604e2e426d96618e836367ab460cae01f627833517

C:\Users\Admin\AppData\Roaming\updatein1432\PCICHEK.DLL

MD5 3aabcd7c81425b3b9327a2bf643251c6
SHA1 ea841199baa7307280fc9e4688ac75e5624f2181
SHA256 0cff893b1e7716d09fb74b7a0313b78a09f3f48c586d31fc5f830bd72ce8331f
SHA512 97605b07be34948541462000345f1e8f9a9134d139448d4f331cefeeca6dad51c025fcab09d182b86e5a4a8e2f9412b3745ec86b514b0523497c821cb6b8c592

C:\Users\Admin\AppData\Roaming\updatein1432\PCICAPI.dll

MD5 67c53a770390e8c038060a1921c20da9
SHA1 49e63af91169c8ce7ef7de3d6a6fb9f8f739fa3a
SHA256 2dfdc169dfc27462adc98dde39306de8d0526dcf4577a1a486c2eef447300689
SHA512 201e07dbccd83480d6c4d8562e6d0a9e4c52ed12895f0b91d875c2bbcc50b3b1802e11e5e829c948be302bf98ebde7fb2a99476065d1709b3bdbcd5d59a1612d

C:\Users\Admin\AppData\Roaming\updatein1432\MSVCR100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

C:\Users\Admin\AppData\Roaming\updatein1432\client32.ini

MD5 c3bb1894b531c58a43d290e9f6cd91f0
SHA1 b9ccbde0b306c7727bba5dc329333454ef73c27b
SHA256 7d66b61e87088b93336ac1cf562c6a525fe5807d8b363e8b928125068bab626c
SHA512 f065e3c783e6ca3b48f4b37307c3100d4efb24006ac7d61cfc724225cb743f959580db0decd2db9415123096b5170f34937921db4d980ea73fefed70beb601e0

C:\Users\Admin\AppData\Roaming\updatein1432\NSM.LIC

MD5 6af7a794e1553154dd4fa63175494d3a
SHA1 125c582559647e8bf24081f35e2702c476b0af16
SHA256 09af8db75365407c9305a934caee8de6f2b46f2b338434bebafba55d684d0425
SHA512 ad8b57b5d99adae5fd1280e7d0dae5fe2d1b8d91dd36274ebd75b366961391281ea0b0b4ea0c644fe6aba19587cf8d25401f770664371a2079852bd951534527

C:\Users\Admin\AppData\Roaming\updatein1432\HTCTL32.DLL

MD5 051cdb6ac8e168d178e35489b6da4c74
SHA1 38c171457d160f8a6f26baa668f5c302f6c29cd1
SHA256 6562585009f15155eea9a489e474cebc4dd2a01a26d846fdd1b93fdc24b0c269
SHA512 602ab9999f7164a2d1704f712d8a622d69148eefe9a380c30bc8b310eadedf846ce6ae7940317437d5da59404d141dc2d1e0c3f954ca4ac7ae3497e56fcb4e36