Malware Analysis Report

2024-10-19 01:40

Sample ID: 240208-jpzcdsdea6
Target: E52BE8968152E665685D030C8D641540.exe
SHA256: ea35797a9556636378031645a48f089087cd258f8e40e1399aa371b2cca3cb7f
Tags: netsupport, rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: ea35797a9556636378031645a48f089087cd258f8e40e1399aa371b2cca3cb7f

Threat Level: Known bad

The file E52BE8968152E665685D030C8D641540.exe was found to be: Known bad.

Malicious Activity Summary

Tags: netsupport, rat

NetSupport

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops startup file

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-08 07:51

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-08 07:51
Reported: 2024-02-08 07:53
Platform: win7-20231129-en
Max time kernel: 117s
Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\E52BE8968152E665685D030C8D641540.exe"

Signatures

NetSupport

Tags: rat, netsupport

Drops startup file

Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\automnruns2012.ini.lnk
Process: C:\Users\Admin\AppData\Local\Temp\E52BE8968152E665685D030C8D641540.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe
Target: N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description: Token: SeSecurityPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe
Target: N/A

Suspicious use of FindShellTrayWindow

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\E52BE8968152E665685D030C8D641540.exe

"C:\Users\Admin\AppData\Local\Temp\E52BE8968152E665685D030C8D641540.exe"

C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe

"C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 geo.netsupportsoftware.com udp
US 104.26.0.231:80 geo.netsupportsoftware.com tcp
US 8.8.8.8:53 DcnLaleanae8.com udp
GB 45.11.180.127:3120 DcnLaleanae8.com tcp

Files

\Users\Admin\AppData\Roaming\updatein1432\client32.exe

MD5 c4f1b50e3111d29774f7525039ff7086
SHA1 57539c95cba0986ec8df0fcdea433e7c71b724c6
SHA256 18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d
SHA512 005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

C:\Users\Admin\AppData\Roaming\updatein1432\PCICL32.dll

MD5 f2fbe647c250337dcab3bb4856f83de5
SHA1 c15444821cf4c627119fa1e33eda48d08889f1ef
SHA256 95a71a44aec21501c1b2d9036eb0dc4d264a852e3c7ae83ae7e28220bd99bc58
SHA512 9094636ff5fd789ab256f0f44cb59f98347ae6dd589513adf59cad451c966e65346a4078f68ca226926b52ecc33916368057af765741918f534761f3ee3abb00

\Users\Admin\AppData\Roaming\updatein1432\PCICL32.DLL

MD5 6c0598943de38ef7f9f609646303f9a7
SHA1 2d44f497771db3b6d5649a2a7ca9dd554ac61cf9
SHA256 345c029a0f4a196c4dbe2127d975e869ced45f66516c25b0d47db108c8fb1a96
SHA512 c1bd6dfd88d01e425817add79798c743640244cedfc2e4466d55f2107e58401745571abd489433c8f0a00f8d6c50e60ab865a6b4d7d92672f86332dc2e938fc4

\Users\Admin\AppData\Roaming\updatein1432\PCICHEK.DLL

MD5 3aabcd7c81425b3b9327a2bf643251c6
SHA1 ea841199baa7307280fc9e4688ac75e5624f2181
SHA256 0cff893b1e7716d09fb74b7a0313b78a09f3f48c586d31fc5f830bd72ce8331f
SHA512 97605b07be34948541462000345f1e8f9a9134d139448d4f331cefeeca6dad51c025fcab09d182b86e5a4a8e2f9412b3745ec86b514b0523497c821cb6b8c592

\Users\Admin\AppData\Roaming\updatein1432\pcicapi.dll

MD5 49f39c0c4e6f78eb29bea573df15f726
SHA1 b6834fa506a7077c1fa9850c422d888b60bc7981
SHA256 fa549226d232d0289c9b77c76b817cd6aa5a2727012ddb706bc121c7369aee5d
SHA512 b6aacd3bf3e984a6bf02db676512206eadd2b5e39715a1c6874ba2eb4a50d037253e1f740febb4ea9e655b784f741562b435be4c622c0054952b035c3573c01b

C:\Users\Admin\AppData\Roaming\updatein1432\PCICAPI.dll

MD5 16d0c8247dfe152a356429fa87d1a6f4
SHA1 84528ea7f1bdf4bbcdb7f97eec0efd718aa5e062
SHA256 3306d9efe539863388845d9e544e92264485648ccd6717a6d0744de4239747a9
SHA512 5f2435c5856bb78894b5162fe594dd13a79fb7c13acfe0cd684d799407932a6d95f1cc202464e71388c56ed1b25bc56f6d3d665c17ced29c546d266d3c3b1b36

\Users\Admin\AppData\Roaming\updatein1432\msvcr100.dll

MD5 4a4a1c04f5ceee1366ec38c5bec6b2a4
SHA1 0526fc24e5ef9e48a500f5466f8543d02edcd0a3
SHA256 edd7be944556a697dc9cc606f702acd2f322303d5f535118fa6910e0edd40f08
SHA512 2aae2fefa27352aaa366e7d021c41a53c6f7887f920a6b56d3751396980bf8a469eacf392461133c3a6962717a3f0edd66d5fa62f333259c2f1cd4331b8502dc

C:\Users\Admin\AppData\Roaming\updatein1432\MSVCR100.dll

MD5 458efb098e14eec1f1176ba91c28333d
SHA1 0efbd2ec5f9e564e8064c1726b63a7ab573e1c34
SHA256 c89b64a2a63768b7531a45ab2477aa98bd7174e43bf6b2dadb13e50a2980113d
SHA512 2cfcc73822edf3ce86ff4206dcd4235ed6a0a1def2d92c7c4cb2f7f8a9fee99d66b71b12b48b8b969eee85b5af2934a39066d9d32ec467fc5cd03de9a484043c

\Users\Admin\AppData\Roaming\updatein1432\HTCTL32.DLL

MD5 3861de34bb7620f05666463e040edd80
SHA1 94d6601065b5da9318686ceb024abc4b49d1c16b
SHA256 624cc3438dd8bcca2605a010864dc7d860bea012f437bc79e63a2e2955ac7885
SHA512 48bf669b57fafb794e946c548e7c4ffd37f87b3306a73261ec1ec4712c7b31c3e335e50e2431e5835b8be613f4a9d2886f976875a0f7a4494c697a2db2cd15ab

C:\Users\Admin\AppData\Roaming\updatein1432\HTCTL32.DLL

MD5 6f70b428874d56d5706547fdcfbff9a3
SHA1 7d4eda7f6da4c6918f493c4c1a8b88b4af27d072
SHA256 6d0c6640d0eff7e53dab2e7e1d31cab177547c3d5fc93577b0237d2c1c42c1c1
SHA512 2ebc1ad181f7cec599d2e8cc49bf293fa64f6388d99aaec525ec37c58692ccbd992a7ba1411b13eacc97f526dd59eb9a093f572f73228a7b05dd9e927b9ac211

C:\Users\Admin\AppData\Roaming\updatein1432\client32.ini

MD5 c3bb1894b531c58a43d290e9f6cd91f0
SHA1 b9ccbde0b306c7727bba5dc329333454ef73c27b
SHA256 7d66b61e87088b93336ac1cf562c6a525fe5807d8b363e8b928125068bab626c
SHA512 f065e3c783e6ca3b48f4b37307c3100d4efb24006ac7d61cfc724225cb743f959580db0decd2db9415123096b5170f34937921db4d980ea73fefed70beb601e0

C:\Users\Admin\AppData\Roaming\updatein1432\NSM.LIC

MD5 6af7a794e1553154dd4fa63175494d3a
SHA1 125c582559647e8bf24081f35e2702c476b0af16
SHA256 09af8db75365407c9305a934caee8de6f2b46f2b338434bebafba55d684d0425
SHA512 ad8b57b5d99adae5fd1280e7d0dae5fe2d1b8d91dd36274ebd75b366961391281ea0b0b4ea0c644fe6aba19587cf8d25401f770664371a2079852bd951534527

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-08 07:51
Reported: 2024-02-08 07:53
Platform: win10v2004-20231215-en
Max time kernel: 141s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\E52BE8968152E665685D030C8D641540.exe"

Signatures

NetSupport

Tags: rat, netsupport

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\E52BE8968152E665685D030C8D641540.exe
Target: N/A

Drops startup file

Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\automnruns2012.ini.lnk
Process: C:\Users\Admin\AppData\Local\Temp\E52BE8968152E665685D030C8D641540.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe
Target: N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description: Token: SeSecurityPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe
Target: N/A

Suspicious use of FindShellTrayWindow

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\E52BE8968152E665685D030C8D641540.exe

"C:\Users\Admin\AppData\Local\Temp\E52BE8968152E665685D030C8D641540.exe"

C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe

"C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 DcnLaleanae8.com udp
US 8.8.8.8:53 geo.netsupportsoftware.com udp
US 104.26.0.231:80 geo.netsupportsoftware.com tcp
US 8.8.8.8:53 231.0.26.104.in-addr.arpa udp
US 8.8.8.8:53 DcnLaleanae9.com udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 209.78.101.95.in-addr.arpa udp
US 8.8.8.8:53 DcnLaleanae8.com udp
GB 45.11.180.127:3120 DcnLaleanae8.com tcp
US 8.8.8.8:53 127.180.11.45.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe

MD5 c4f1b50e3111d29774f7525039ff7086
SHA1 57539c95cba0986ec8df0fcdea433e7c71b724c6
SHA256 18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d
SHA512 005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

C:\Users\Admin\AppData\Roaming\updatein1432\PCICL32.dll

MD5 e7b92529ea10176fe35ba73fa4edef74
SHA1 fc5b325d433cde797f6ad0d8b1305d6fb16d4e34
SHA256 b6d4ad0231941e0637485ac5833e0fdc75db35289b54e70f3858b70d36d04c80
SHA512 fb3a70e87772c1fb386ad8def6c7bdf325b8d525355d4386102649eb2d61f09ce101fce37ccc1f44d5878e604e2e426d96618e836367ab460cae01f627833517

C:\Users\Admin\AppData\Roaming\updatein1432\PCICHEK.DLL

MD5 3aabcd7c81425b3b9327a2bf643251c6
SHA1 ea841199baa7307280fc9e4688ac75e5624f2181
SHA256 0cff893b1e7716d09fb74b7a0313b78a09f3f48c586d31fc5f830bd72ce8331f
SHA512 97605b07be34948541462000345f1e8f9a9134d139448d4f331cefeeca6dad51c025fcab09d182b86e5a4a8e2f9412b3745ec86b514b0523497c821cb6b8c592

C:\Users\Admin\AppData\Roaming\updatein1432\PCICAPI.dll

MD5 67c53a770390e8c038060a1921c20da9
SHA1 49e63af91169c8ce7ef7de3d6a6fb9f8f739fa3a
SHA256 2dfdc169dfc27462adc98dde39306de8d0526dcf4577a1a486c2eef447300689
SHA512 201e07dbccd83480d6c4d8562e6d0a9e4c52ed12895f0b91d875c2bbcc50b3b1802e11e5e829c948be302bf98ebde7fb2a99476065d1709b3bdbcd5d59a1612d

C:\Users\Admin\AppData\Roaming\updatein1432\msvcr100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

C:\Users\Admin\AppData\Roaming\updatein1432\NSM.LIC

MD5 6af7a794e1553154dd4fa63175494d3a
SHA1 125c582559647e8bf24081f35e2702c476b0af16
SHA256 09af8db75365407c9305a934caee8de6f2b46f2b338434bebafba55d684d0425
SHA512 ad8b57b5d99adae5fd1280e7d0dae5fe2d1b8d91dd36274ebd75b366961391281ea0b0b4ea0c644fe6aba19587cf8d25401f770664371a2079852bd951534527

C:\Users\Admin\AppData\Roaming\updatein1432\client32.ini

MD5 c3bb1894b531c58a43d290e9f6cd91f0
SHA1 b9ccbde0b306c7727bba5dc329333454ef73c27b
SHA256 7d66b61e87088b93336ac1cf562c6a525fe5807d8b363e8b928125068bab626c
SHA512 f065e3c783e6ca3b48f4b37307c3100d4efb24006ac7d61cfc724225cb743f959580db0decd2db9415123096b5170f34937921db4d980ea73fefed70beb601e0

C:\Users\Admin\AppData\Roaming\updatein1432\HTCTL32.DLL

MD5 051cdb6ac8e168d178e35489b6da4c74
SHA1 38c171457d160f8a6f26baa668f5c302f6c29cd1
SHA256 6562585009f15155eea9a489e474cebc4dd2a01a26d846fdd1b93fdc24b0c269
SHA512 602ab9999f7164a2d1704f712d8a622d69148eefe9a380c30bc8b310eadedf846ce6ae7940317437d5da59404d141dc2d1e0c3f954ca4ac7ae3497e56fcb4e36