Malware Analysis Report

2024-10-19 01:40

Sample ID 240208-jptrxadb52
Target E52BE8968152E665685D030C8D641540.exe
SHA256 ea35797a9556636378031645a48f089087cd258f8e40e1399aa371b2cca3cb7f
Tags: netsupport, rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256

ea35797a9556636378031645a48f089087cd258f8e40e1399aa371b2cca3cb7f

Threat Level: Known bad

The file E52BE8968152E665685D030C8D641540.exe was found to be: Known bad.

Malicious Activity Summary

Tags: netsupport, rat

NetSupport

Drops startup file

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-08 07:51

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-08 07:51

Reported

2024-02-08 07:53

Platform

win7-20231215-en

Max time kernel

117s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\E52BE8968152E665685D030C8D641540.exe"

Signatures

NetSupport

Tags: rat, netsupport

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\automnruns2012.ini.lnk | C:\Users\Admin\AppData\Local\Temp\E52BE8968152E665685D030C8D641540.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\E52BE8968152E665685D030C8D641540.exe

"C:\Users\Admin\AppData\Local\Temp\E52BE8968152E665685D030C8D641540.exe"

C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe

"C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | DcnLaleanae8.com | udp
US | 8.8.8.8:53 | geo.netsupportsoftware.com | udp
US | 104.26.0.231:80 | geo.netsupportsoftware.com | tcp
GB | 45.11.180.127:3120 | DcnLaleanae8.com | tcp

Files

\Users\Admin\AppData\Roaming\updatein1432\client32.exe

MD5 c4f1b50e3111d29774f7525039ff7086
SHA1 57539c95cba0986ec8df0fcdea433e7c71b724c6
SHA256 18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d
SHA512 005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

C:\Users\Admin\AppData\Roaming\updatein1432\PCICL32.dll

MD5 e7b92529ea10176fe35ba73fa4edef74
SHA1 fc5b325d433cde797f6ad0d8b1305d6fb16d4e34
SHA256 b6d4ad0231941e0637485ac5833e0fdc75db35289b54e70f3858b70d36d04c80
SHA512 fb3a70e87772c1fb386ad8def6c7bdf325b8d525355d4386102649eb2d61f09ce101fce37ccc1f44d5878e604e2e426d96618e836367ab460cae01f627833517

C:\Users\Admin\AppData\Roaming\updatein1432\pcichek.dll

MD5 3aabcd7c81425b3b9327a2bf643251c6
SHA1 ea841199baa7307280fc9e4688ac75e5624f2181
SHA256 0cff893b1e7716d09fb74b7a0313b78a09f3f48c586d31fc5f830bd72ce8331f
SHA512 97605b07be34948541462000345f1e8f9a9134d139448d4f331cefeeca6dad51c025fcab09d182b86e5a4a8e2f9412b3745ec86b514b0523497c821cb6b8c592

C:\Users\Admin\AppData\Roaming\updatein1432\MSVCR100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

\Users\Admin\AppData\Roaming\updatein1432\pcicapi.dll

MD5 67c53a770390e8c038060a1921c20da9
SHA1 49e63af91169c8ce7ef7de3d6a6fb9f8f739fa3a
SHA256 2dfdc169dfc27462adc98dde39306de8d0526dcf4577a1a486c2eef447300689
SHA512 201e07dbccd83480d6c4d8562e6d0a9e4c52ed12895f0b91d875c2bbcc50b3b1802e11e5e829c948be302bf98ebde7fb2a99476065d1709b3bdbcd5d59a1612d

C:\Users\Admin\AppData\Roaming\updatein1432\NSM.LIC

MD5 6af7a794e1553154dd4fa63175494d3a
SHA1 125c582559647e8bf24081f35e2702c476b0af16
SHA256 09af8db75365407c9305a934caee8de6f2b46f2b338434bebafba55d684d0425
SHA512 ad8b57b5d99adae5fd1280e7d0dae5fe2d1b8d91dd36274ebd75b366961391281ea0b0b4ea0c644fe6aba19587cf8d25401f770664371a2079852bd951534527

C:\Users\Admin\AppData\Roaming\updatein1432\client32.ini

MD5 c3bb1894b531c58a43d290e9f6cd91f0
SHA1 b9ccbde0b306c7727bba5dc329333454ef73c27b
SHA256 7d66b61e87088b93336ac1cf562c6a525fe5807d8b363e8b928125068bab626c
SHA512 f065e3c783e6ca3b48f4b37307c3100d4efb24006ac7d61cfc724225cb743f959580db0decd2db9415123096b5170f34937921db4d980ea73fefed70beb601e0

\Users\Admin\AppData\Roaming\updatein1432\HTCTL32.DLL

MD5 051cdb6ac8e168d178e35489b6da4c74
SHA1 38c171457d160f8a6f26baa668f5c302f6c29cd1
SHA256 6562585009f15155eea9a489e474cebc4dd2a01a26d846fdd1b93fdc24b0c269
SHA512 602ab9999f7164a2d1704f712d8a622d69148eefe9a380c30bc8b310eadedf846ce6ae7940317437d5da59404d141dc2d1e0c3f954ca4ac7ae3497e56fcb4e36

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-08 07:51

Reported

2024-02-08 07:53

Platform

win10v2004-20231215-en

Max time kernel

139s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\E52BE8968152E665685D030C8D641540.exe"

Signatures

NetSupport

Tags: rat, netsupport

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\E52BE8968152E665685D030C8D641540.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\automnruns2012.ini.lnk | C:\Users\Admin\AppData\Local\Temp\E52BE8968152E665685D030C8D641540.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\E52BE8968152E665685D030C8D641540.exe

"C:\Users\Admin\AppData\Local\Temp\E52BE8968152E665685D030C8D641540.exe"

C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe

"C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | DcnLaleanae8.com | udp
GB | 45.11.180.127:3120 | DcnLaleanae8.com | tcp
US | 8.8.8.8:53 | geo.netsupportsoftware.com | udp
US | 104.26.1.231:80 | geo.netsupportsoftware.com | tcp
US | 8.8.8.8:53 | 127.180.11.45.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 231.1.26.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.78.101.95.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe

MD5 c4f1b50e3111d29774f7525039ff7086
SHA1 57539c95cba0986ec8df0fcdea433e7c71b724c6
SHA256 18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d
SHA512 005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

C:\Users\Admin\AppData\Roaming\updatein1432\PCICL32.dll

MD5 5c47ccc7e7a9054580f4fd9d03bdc163
SHA1 fe2dcf45803340db29ba6966d5fd611f5c8f8367
SHA256 4ac07d4080ea4c5b4682f8344b89f1475ffebf60ef970e84a876439928f8afee
SHA512 7357f447f32e6b9ea39818b40c6d773bcdae98e173c347ff32d91cada2273dca5ed12c92d2a1a25ce93372aa514687c83e7967a46075e2580fdd56f0fa6eb2ee

C:\Users\Admin\AppData\Roaming\updatein1432\pcichek.dll

MD5 3aabcd7c81425b3b9327a2bf643251c6
SHA1 ea841199baa7307280fc9e4688ac75e5624f2181
SHA256 0cff893b1e7716d09fb74b7a0313b78a09f3f48c586d31fc5f830bd72ce8331f
SHA512 97605b07be34948541462000345f1e8f9a9134d139448d4f331cefeeca6dad51c025fcab09d182b86e5a4a8e2f9412b3745ec86b514b0523497c821cb6b8c592

C:\Users\Admin\AppData\Roaming\updatein1432\PCICL32.DLL

MD5 1d397fb2a63fc1f1023b133df9a01b84
SHA1 5427f4888e24d1ec3a94fbc4c9550c459b85e24a
SHA256 d1413bcd9867bc7778f9f3db434f0a163fa304f9bcc7502df425c11dea1a4f5e
SHA512 11bd0ea13dc0e49d05abebba6e2411c2668ed77b4acd8101a91c3e423c36e69f66f1040e14d030ccefca8992df147426269925c73c567397d20ee63078ca6919

C:\Users\Admin\AppData\Roaming\updatein1432\pcicapi.dll

MD5 67c53a770390e8c038060a1921c20da9
SHA1 49e63af91169c8ce7ef7de3d6a6fb9f8f739fa3a
SHA256 2dfdc169dfc27462adc98dde39306de8d0526dcf4577a1a486c2eef447300689
SHA512 201e07dbccd83480d6c4d8562e6d0a9e4c52ed12895f0b91d875c2bbcc50b3b1802e11e5e829c948be302bf98ebde7fb2a99476065d1709b3bdbcd5d59a1612d

C:\Users\Admin\AppData\Roaming\updatein1432\msvcr100.dll

MD5 2c471db265a31cf82850c473ce9fe3c3
SHA1 e1112e19a661a65f9c91da7c9a5bcc319f3f9ef7
SHA256 927166e61a63c308c3f895886d10f6a584f61f1378896c873ebb228587009a60
SHA512 1472fe08461a70059edbdb27f1849b1124d8c3c48dcc5e28e6ed73b91d354b4aa36f52e7979a65e3b60626e0eb2a172d330a3080b406a5f423f530b207409e68

C:\Users\Admin\AppData\Roaming\updatein1432\MSVCR100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

C:\Users\Admin\AppData\Roaming\updatein1432\client32.ini

MD5 c3bb1894b531c58a43d290e9f6cd91f0
SHA1 b9ccbde0b306c7727bba5dc329333454ef73c27b
SHA256 7d66b61e87088b93336ac1cf562c6a525fe5807d8b363e8b928125068bab626c
SHA512 f065e3c783e6ca3b48f4b37307c3100d4efb24006ac7d61cfc724225cb743f959580db0decd2db9415123096b5170f34937921db4d980ea73fefed70beb601e0

C:\Users\Admin\AppData\Roaming\updatein1432\NSM.LIC

MD5 6af7a794e1553154dd4fa63175494d3a
SHA1 125c582559647e8bf24081f35e2702c476b0af16
SHA256 09af8db75365407c9305a934caee8de6f2b46f2b338434bebafba55d684d0425
SHA512 ad8b57b5d99adae5fd1280e7d0dae5fe2d1b8d91dd36274ebd75b366961391281ea0b0b4ea0c644fe6aba19587cf8d25401f770664371a2079852bd951534527

C:\Users\Admin\AppData\Roaming\updatein1432\HTCTL32.DLL

MD5 051cdb6ac8e168d178e35489b6da4c74
SHA1 38c171457d160f8a6f26baa668f5c302f6c29cd1
SHA256 6562585009f15155eea9a489e474cebc4dd2a01a26d846fdd1b93fdc24b0c269
SHA512 602ab9999f7164a2d1704f712d8a622d69148eefe9a380c30bc8b310eadedf846ce6ae7940317437d5da59404d141dc2d1e0c3f954ca4ac7ae3497e56fcb4e36