Malware Analysis Report

2024-10-19 01:40

Sample ID: 240209-pfj41aah8s
Target: desktop.exe_
SHA256: 64068c0cb87977af622fdf485815f914d1676816daf650e16e360a334339fcc4
Tags: netsupport, rat
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 64068c0cb87977af622fdf485815f914d1676816daf650e16e360a334339fcc4

Threat Level: Known bad

The file desktop.exe_ was found to be: Known bad.

Malicious Activity Summary

Tags: netsupport, rat

NetSupport

Drops startup file

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-02-09 12:16

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-09 12:16

Reported: 2024-02-09 12:22

Platform: win7-20231215-en

Max time kernel: 153s

Max time network: 300s

Command Line

"C:\Users\Admin\AppData\Local\Temp\desktop.exe"

Signatures

NetSupport

Tags: rat, netsupport

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\automnruns2012.ini.lnk | C:\Users\Admin\AppData\Local\Temp\desktop.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\desktop.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\desktop.exe"

C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe
Command line: "C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | DcnLaleanae8.com | udp
US | 8.8.8.8:53 | geo.netsupportsoftware.com | udp
US | 104.26.0.231:80 | geo.netsupportsoftware.com | tcp
US | 8.8.8.8:53 | DcnLaleanae9.com | udp
N/A | 127.0.0.127:3120 | | tcp
US | 8.8.8.8:53 | DcnLaleanae8.com | udp
US | 8.8.8.8:53 | DcnLaleanae9.com | udp
N/A | 127.0.0.127:3120 | | tcp
US | 8.8.8.8:53 | DcnLaleanae8.com | udp
GB | 45.11.180.127:3120 | DcnLaleanae8.com | tcp

Files

memory/1096-0-0x0000000000400000-0x00000000004DE000-memory.dmp

\Users\Admin\AppData\Roaming\updatein1432\client32.exe

MD5 c4f1b50e3111d29774f7525039ff7086
SHA1 57539c95cba0986ec8df0fcdea433e7c71b724c6
SHA256 18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d
SHA512 005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

C:\Users\Admin\AppData\Roaming\updatein1432\PCICL32.dll

MD5 b67f21183bb0fcc90a394aafb41c4822
SHA1 410b1742f66aa6d60548333ab22c16b79c61d11a
SHA256 f5d2303a66dd466486bad63423dced7ae9da7b0808e1b1bc5c354687d3492a3a
SHA512 723a245b19d21fb1b6b47a90c8828afeb984622afd1ff78db897e39c19d2b2f9ba1ad9fac4fe0903dc199377fb6ed4e2d12e6fb01134677817e5478aa5d05809

\Users\Admin\AppData\Roaming\updatein1432\PCICL32.DLL

MD5 51338dc3e1256bb869a4481ad54572b0
SHA1 589fa1b046a7c59b79b4334f6427510f5ad4f649
SHA256 2aeb98b55d769b9a29240089f55c28cb675313df0aa18e3f6b4dbe480e0db836
SHA512 46507424c757f1e3717cab5df746e927ea386e9906b4c18e9d9025c2425a7af0527eaa30d6b90f9ac17d3c975ce998032011112354a204a8b171a7f75846580b

C:\Users\Admin\AppData\Roaming\updatein1432\pcichek.dll

MD5 3aabcd7c81425b3b9327a2bf643251c6
SHA1 ea841199baa7307280fc9e4688ac75e5624f2181
SHA256 0cff893b1e7716d09fb74b7a0313b78a09f3f48c586d31fc5f830bd72ce8331f
SHA512 97605b07be34948541462000345f1e8f9a9134d139448d4f331cefeeca6dad51c025fcab09d182b86e5a4a8e2f9412b3745ec86b514b0523497c821cb6b8c592

memory/1096-40-0x0000000000400000-0x00000000004DE000-memory.dmp

C:\Users\Admin\AppData\Roaming\updatein1432\MSVCR100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

C:\Users\Admin\AppData\Roaming\updatein1432\PCICAPI.dll

MD5 67c53a770390e8c038060a1921c20da9
SHA1 49e63af91169c8ce7ef7de3d6a6fb9f8f739fa3a
SHA256 2dfdc169dfc27462adc98dde39306de8d0526dcf4577a1a486c2eef447300689
SHA512 201e07dbccd83480d6c4d8562e6d0a9e4c52ed12895f0b91d875c2bbcc50b3b1802e11e5e829c948be302bf98ebde7fb2a99476065d1709b3bdbcd5d59a1612d

C:\Users\Admin\AppData\Roaming\updatein1432\client32.ini

MD5 d6ab548cef2a8a905ff711ec285b97ce
SHA1 f8587a38b408759e2c4b24d135f7b7e35840f712
SHA256 545a0768987bc6efd4134c397e092c026f4bc57a18536e15a02032f6f6f3cf6b
SHA512 de7ed0e41f7c7d1e39dcc128e22bfc98602ae99798903b6abfdd9070db7752d786ea9b49dbfd092ee670a2665855442449a6853808c26ad896a7b8b71ecd5120

C:\Users\Admin\AppData\Roaming\updatein1432\NSM.LIC

MD5 973c4ae4cd184a3913111eb60eefbad0
SHA1 e03f97864390c9ab88c19c97fe7529eea29b204a
SHA256 bd73c8aa4ef7f7616734416c92b27935a7c8209527c78751d2d61cb9c0f8e92a
SHA512 419d71d63c7394d6565ef46d012bec79710aca8ac8ae1ede3511c5e1e6b317a02eac23632dcb2b456afb65560d38e8100727458bedf5bb11bbcf3e88d7ca6f81

C:\Users\Admin\AppData\Roaming\updatein1432\HTCTL32.DLL

MD5 1dff9b2c678d50bb3d82b4c0ee195ba6
SHA1 acf8be8f7cf6bcd2111c70a6fc6b1cfdbe26e8a6
SHA256 ee448a587147af42a17d373415b0560f93e1b1faaefada9ec09941fe2465bf16
SHA512 693ee214ff52d729556e543bd3e7aa9e5236ff5a27481761794ea43b4bb3502eb8635138742d5f988f47109c234fa29aac7aceaddf4feb8adb30765a2770fbd1

\Users\Admin\AppData\Roaming\updatein1432\HTCTL32.DLL

MD5 60d005d07f637093f658c1b4ba26aa19
SHA1 7964eebf614e2942ff942d7176c630501ffc75ce
SHA256 f10636a4fa90bf461f7209469a4aad2cd51df760d854cd76f67afbb8a309a83e
SHA512 daf3b0ea2b6301db151cdadc93dc0a66e4418e378709734781f357899a78b0a97d7a99b68778061465891eac5699be3512631b034ae99089aff44dcd26bcd25f

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-09 12:16

Reported: 2024-02-09 12:22

Platform: win10v2004-20231215-en

Max time kernel: 136s

Max time network: 247s

Command Line

"C:\Users\Admin\AppData\Local\Temp\desktop.exe"

Signatures

NetSupport

Tags: rat, netsupport

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\desktop.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\automnruns2012.ini.lnk | C:\Users\Admin\AppData\Local\Temp\desktop.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\desktop.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\desktop.exe"

C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe
Command line: "C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | DcnLaleanae8.com | udp
US | 8.8.8.8:53 | geo.netsupportsoftware.com | udp
GB | 45.11.180.127:3120 | DcnLaleanae8.com | tcp
US | 104.26.0.231:80 | geo.netsupportsoftware.com | tcp
US | 8.8.8.8:53 | 127.180.11.45.in-addr.arpa | udp
US | 8.8.8.8:53 | 231.0.26.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 152.78.101.95.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp

Files

memory/3268-0-0x0000000000400000-0x00000000004DE000-memory.dmp

C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe

MD5 c4f1b50e3111d29774f7525039ff7086
SHA1 57539c95cba0986ec8df0fcdea433e7c71b724c6
SHA256 18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d
SHA512 005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

C:\Users\Admin\AppData\Roaming\updatein1432\PCICL32.dll

MD5 e7b92529ea10176fe35ba73fa4edef74
SHA1 fc5b325d433cde797f6ad0d8b1305d6fb16d4e34
SHA256 b6d4ad0231941e0637485ac5833e0fdc75db35289b54e70f3858b70d36d04c80
SHA512 fb3a70e87772c1fb386ad8def6c7bdf325b8d525355d4386102649eb2d61f09ce101fce37ccc1f44d5878e604e2e426d96618e836367ab460cae01f627833517

C:\Users\Admin\AppData\Roaming\updatein1432\PCICAPI.dll

MD5 67c53a770390e8c038060a1921c20da9
SHA1 49e63af91169c8ce7ef7de3d6a6fb9f8f739fa3a
SHA256 2dfdc169dfc27462adc98dde39306de8d0526dcf4577a1a486c2eef447300689
SHA512 201e07dbccd83480d6c4d8562e6d0a9e4c52ed12895f0b91d875c2bbcc50b3b1802e11e5e829c948be302bf98ebde7fb2a99476065d1709b3bdbcd5d59a1612d

C:\Users\Admin\AppData\Roaming\updatein1432\PCICHEK.DLL

MD5 3aabcd7c81425b3b9327a2bf643251c6
SHA1 ea841199baa7307280fc9e4688ac75e5624f2181
SHA256 0cff893b1e7716d09fb74b7a0313b78a09f3f48c586d31fc5f830bd72ce8331f
SHA512 97605b07be34948541462000345f1e8f9a9134d139448d4f331cefeeca6dad51c025fcab09d182b86e5a4a8e2f9412b3745ec86b514b0523497c821cb6b8c592

C:\Users\Admin\AppData\Roaming\updatein1432\msvcr100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

memory/3268-50-0x0000000000400000-0x00000000004DE000-memory.dmp

C:\Users\Admin\AppData\Roaming\updatein1432\NSM.LIC

MD5 973c4ae4cd184a3913111eb60eefbad0
SHA1 e03f97864390c9ab88c19c97fe7529eea29b204a
SHA256 bd73c8aa4ef7f7616734416c92b27935a7c8209527c78751d2d61cb9c0f8e92a
SHA512 419d71d63c7394d6565ef46d012bec79710aca8ac8ae1ede3511c5e1e6b317a02eac23632dcb2b456afb65560d38e8100727458bedf5bb11bbcf3e88d7ca6f81

C:\Users\Admin\AppData\Roaming\updatein1432\client32.ini

MD5 d6ab548cef2a8a905ff711ec285b97ce
SHA1 f8587a38b408759e2c4b24d135f7b7e35840f712
SHA256 545a0768987bc6efd4134c397e092c026f4bc57a18536e15a02032f6f6f3cf6b
SHA512 de7ed0e41f7c7d1e39dcc128e22bfc98602ae99798903b6abfdd9070db7752d786ea9b49dbfd092ee670a2665855442449a6853808c26ad896a7b8b71ecd5120

C:\Users\Admin\AppData\Roaming\updatein1432\HTCTL32.DLL

MD5 051cdb6ac8e168d178e35489b6da4c74
SHA1 38c171457d160f8a6f26baa668f5c302f6c29cd1
SHA256 6562585009f15155eea9a489e474cebc4dd2a01a26d846fdd1b93fdc24b0c269
SHA512 602ab9999f7164a2d1704f712d8a622d69148eefe9a380c30bc8b310eadedf846ce6ae7940317437d5da59404d141dc2d1e0c3f954ca4ac7ae3497e56fcb4e36