netsupport | 980fcb6365092cd752934417abb0f2a95bca452c58856240157107e70c1d754d

Analysis

max time kernel
93s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
14/04/2024, 01:33 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

980fcb6365092cd752934417abb0f2a95bca452c58856240157107e70c1d754d.exe
Size

2.1MB
MD5

77970896073bbafdc8c1811414c62536
SHA1

c2d2fdbc9e80daa95e3046e2d3bd13e7ca312e18
SHA256

980fcb6365092cd752934417abb0f2a95bca452c58856240157107e70c1d754d
SHA512

5fc31572ad864ca15cd2eb7e8baadc62b72a72ad5d28da4ae04158f67b6cbfd1985983586fd6e51a4781bdffbdd557b30d44d38a3a37ae88cf785c834d739a30
SSDEEP

49152:/Xe2JFJ0l5VO6T9xX2AdPj15GZ0yB/dqyvVamJW:/Xe2JFJ0liu3GAdPj15GZft6

Score

10^/10

netsupport rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	980fcb6365092cd752934417abb0f2a95bca452c58856240157107e70c1d754d.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\automrunner201.ini.lnk	980fcb6365092cd752934417abb0f2a95bca452c58856240157107e70c1d754d.exe

Executes dropped EXE 1 IoCs

pid	Process
2208	client32.exe

Loads dropped DLL 5 IoCs

pid	Process
2208	client32.exe
2208	client32.exe
2208	client32.exe
2208	client32.exe
2208	client32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2208	client32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2208	client32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 2208	4540	980fcb6365092cd752934417abb0f2a95bca452c58856240157107e70c1d754d.exe	87
PID 4540 wrote to memory of 2208	4540	980fcb6365092cd752934417abb0f2a95bca452c58856240157107e70c1d754d.exe	87
PID 4540 wrote to memory of 2208	4540	980fcb6365092cd752934417abb0f2a95bca452c58856240157107e70c1d754d.exe	87

C:\Users\Admin\AppData\Local\Temp\980fcb6365092cd752934417abb0f2a95bca452c58856240157107e70c1d754d.exe
"C:\Users\Admin\AppData\Local\Temp\980fcb6365092cd752934417abb0f2a95bca452c58856240157107e70c1d754d.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Users\Admin\AppData\Roaming\updtewinsup221\client32.exe
  "C:\Users\Admin\AppData\Roaming\updtewinsup221\client32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2208

Network

DNS

138.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

138.32.126.40.in-addr.arpa

IN PTR

Response
DNS

Amnahuseta19.com

client32.exe

Remote address:

8.8.8.8:53

Request

Amnahuseta19.com

IN A

Response

Amnahuseta19.com

IN A

162.33.178.156
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
DNS

geo.netsupportsoftware.com

client32.exe

Remote address:

8.8.8.8:53

Request

geo.netsupportsoftware.com

IN A

Response

geo.netsupportsoftware.com

IN A

172.67.68.212

geo.netsupportsoftware.com

IN A

104.26.0.231

geo.netsupportsoftware.com

IN A

104.26.1.231
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3344752f4ed7448eb3bfee3cbbe4d8cd&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3344752f4ed7448eb3bfee3cbbe4d8cd&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=170E25E762D9649A085E318663FE65ED; domain=.bing.com; expires=Fri, 09-May-2025 01:33:29 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 0DFDC77E5A7F4CDFBE9CDA72D5C22215 Ref B: LON04EDGE0708 Ref C: 2024-04-14T01:33:29Z
date: Sun, 14 Apr 2024 01:33:29 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=3344752f4ed7448eb3bfee3cbbe4d8cd&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=3344752f4ed7448eb3bfee3cbbe4d8cd&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=170E25E762D9649A085E318663FE65ED

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=sgh6s3S0iG2NP8GuMoOO9Jn7nlk8TShCz_hJTcHJuak; domain=.bing.com; expires=Fri, 09-May-2025 01:33:29 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 97C7FF404FE340A69756CFEC43D87420 Ref B: LON04EDGE0708 Ref C: 2024-04-14T01:33:29Z
date: Sun, 14 Apr 2024 01:33:29 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3344752f4ed7448eb3bfee3cbbe4d8cd&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3344752f4ed7448eb3bfee3cbbe4d8cd&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=170E25E762D9649A085E318663FE65ED; MSPTC=sgh6s3S0iG2NP8GuMoOO9Jn7nlk8TShCz_hJTcHJuak

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E68804167F1A4A348DA240F9752B0921 Ref B: LON04EDGE0708 Ref C: 2024-04-14T01:33:29Z
date: Sun, 14 Apr 2024 01:33:29 GMT
GET

http://geo.netsupportsoftware.com/location/loca.asp

client32.exe

Remote address:

172.67.68.212:80

Request

GET /location/loca.asp HTTP/1.1
Host: geo.netsupportsoftware.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Sun, 14 Apr 2024 01:33:29 GMT
Content-Type: text/html; Charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
CF-Ray: 873ff2b1db0877a6-LHR
CF-Cache-Status: DYNAMIC
Access-Control-Allow-Origin: *
Cache-Control: private
Set-Cookie: ASPSESSIONIDSSRSABDA=EOGKOONANBIBPKHBCHPJHINP; path=/
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Accept-Encoding
cf-apo-via: origin,host
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2dpDeqFE%2BwiPeRXuFA7FfKmSOhwIyS8v2fymDhllKB5moxTIpFie5XGDSL17P42W1Rqs7566oxZMs2b%2B05E6kIjte3eTVkIT8WnS9tIOy3GPXLAMEe9fs2w3s2HAETUDoTruiCmNxlb6MYfS"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

241.154.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.154.82.20.in-addr.arpa

IN PTR

Response
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

212.68.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

212.68.67.172.in-addr.arpa

IN PTR

Response
DNS

156.178.33.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

156.178.33.162.in-addr.arpa

IN PTR

Response
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

21.114.53.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.114.53.23.in-addr.arpa

IN PTR

Response

21.114.53.23.in-addr.arpa

IN PTR

a23-53-114-21deploystaticakamaitechnologiescom
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR

Response
DNS

65.139.73.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

65.139.73.23.in-addr.arpa

IN PTR

Response

65.139.73.23.in-addr.arpa

IN PTR

a23-73-139-65deploystaticakamaitechnologiescom
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response

204.79.197.237:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3344752f4ed7448eb3bfee3cbbe4d8cd&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid=

tls, http2

2.0kB
9.2kB
22
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3344752f4ed7448eb3bfee3cbbe4d8cd&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=3344752f4ed7448eb3bfee3cbbe4d8cd&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=3344752f4ed7448eb3bfee3cbbe4d8cd&localId=w:19F07DA7-5FDD-B751-CD70-D7618FCDFF22&deviceId=6755467521684215&anid=

HTTP Response

204
172.67.68.212:80

http://geo.netsupportsoftware.com/location/loca.asp

http

client32.exe

440 B
1.1kB
7
5

HTTP Request

GET http://geo.netsupportsoftware.com/location/loca.asp

HTTP Response

200
162.33.178.156:3122

Amnahuseta19.com

http

client32.exe

2.1kB
816 B
9
7

8.8.8.8:53

138.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

138.32.126.40.in-addr.arpa
8.8.8.8:53

Amnahuseta19.com

dns

client32.exe

62 B
78 B
1
1

DNS Request

Amnahuseta19.com

DNS Response

162.33.178.156
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

geo.netsupportsoftware.com

dns

client32.exe

72 B
120 B
1
1

DNS Request

geo.netsupportsoftware.com

DNS Response

172.67.68.212

104.26.0.231

104.26.1.231
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

241.154.82.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.154.82.20.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

212.68.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

212.68.67.172.in-addr.arpa
8.8.8.8:53

156.178.33.162.in-addr.arpa

dns

73 B
128 B
1
1

DNS Request

156.178.33.162.in-addr.arpa
8.8.8.8:53

88.156.103.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

88.156.103.20.in-addr.arpa
8.8.8.8:53

21.114.53.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

21.114.53.23.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

65.139.73.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

65.139.73.23.in-addr.arpa
8.8.8.8:53

43.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

43.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\updtewinsup221\HTCTL32.DLL

Filesize
316KB

MD5
051cdb6ac8e168d178e35489b6da4c74

SHA1
38c171457d160f8a6f26baa668f5c302f6c29cd1

SHA256
6562585009f15155eea9a489e474cebc4dd2a01a26d846fdd1b93fdc24b0c269

SHA512
602ab9999f7164a2d1704f712d8a622d69148eefe9a380c30bc8b310eadedf846ce6ae7940317437d5da59404d141dc2d1e0c3f954ca4ac7ae3497e56fcb4e36

Download Submit
C:\Users\Admin\AppData\Roaming\updtewinsup221\NSM.LIC

Filesize
261B

MD5
886e4bb84e1ecc4a04ae599d76fcce1d

SHA1
3f0493bb2088af50bcc8223462db0b207354e946

SHA256
5eeb014e3b390e0c85ce72988d422dcd9de1520566b11755c70bdd9bb7376060

SHA512
f4db9038a113c4b1e2462b3e0becef2500c9532a79c8187f51d011d690bc68c6d1a99585e43136cb082bd6a232136546db50265f226ff19e67d8430306a8761f

Download Submit
C:\Users\Admin\AppData\Roaming\updtewinsup221\PCICHEK.DLL

Filesize
14KB

MD5
3aabcd7c81425b3b9327a2bf643251c6

SHA1
ea841199baa7307280fc9e4688ac75e5624f2181

SHA256
0cff893b1e7716d09fb74b7a0313b78a09f3f48c586d31fc5f830bd72ce8331f

SHA512
97605b07be34948541462000345f1e8f9a9134d139448d4f331cefeeca6dad51c025fcab09d182b86e5a4a8e2f9412b3745ec86b514b0523497c821cb6b8c592

Download Submit
C:\Users\Admin\AppData\Roaming\updtewinsup221\PCICL32.dll

Filesize
3.3MB

MD5
e7b92529ea10176fe35ba73fa4edef74

SHA1
fc5b325d433cde797f6ad0d8b1305d6fb16d4e34

SHA256
b6d4ad0231941e0637485ac5833e0fdc75db35289b54e70f3858b70d36d04c80

SHA512
fb3a70e87772c1fb386ad8def6c7bdf325b8d525355d4386102649eb2d61f09ce101fce37ccc1f44d5878e604e2e426d96618e836367ab460cae01f627833517

Download Submit
C:\Users\Admin\AppData\Roaming\updtewinsup221\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
C:\Users\Admin\AppData\Roaming\updtewinsup221\client32.ini

Filesize
761B

MD5
d08afe2af7e89b127b3e9388ea505915

SHA1
f9d9e682417410d7046c7ecf6958458f245c9eff

SHA256
7fb2efd09c92cff4d5cb3efb26628aba91ec17f28c0dbdb407384dbc4627d7f8

SHA512
ce521154ba568fb27bddcb02fe6211294717d2d541cb25bcf6ab8bfe4dae74316c12df9754dc98473037d5610f8b70e02337f9c96fe9426e24ad86b91eb207a3

Download Submit
C:\Users\Admin\AppData\Roaming\updtewinsup221\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\updtewinsup221\pcicapi.dll

Filesize
106KB

MD5
67c53a770390e8c038060a1921c20da9

SHA1
49e63af91169c8ce7ef7de3d6a6fb9f8f739fa3a

SHA256
2dfdc169dfc27462adc98dde39306de8d0526dcf4577a1a486c2eef447300689

SHA512
201e07dbccd83480d6c4d8562e6d0a9e4c52ed12895f0b91d875c2bbcc50b3b1802e11e5e829c948be302bf98ebde7fb2a99476065d1709b3bdbcd5d59a1612d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.