netsupport | c38f9d7b02cb20690aae34a7b85ca91c95be43813ca609694d79a13111357bf4

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TestFKRT.exe
Size

375KB
MD5

7167b97b30f2650bc2fe30ea6aea8c60
SHA1

1df3d35a76b75545a092db90ad74a5732a52be00
SHA256

c38f9d7b02cb20690aae34a7b85ca91c95be43813ca609694d79a13111357bf4
SHA512

183fbe184aae509f5e7728316dc6e31e1505476dce42c17e433d0c3b1c6865bef55ff806ad359bd0dfb0e7d945d4ba11a7565067b88fec3f514ee3e3d4128b0c
SSDEEP

6144:MOGkB/vhyOc10KgGwHqwOOELha+sm2D2+UhngNQK4t6DqeLUEEiRgc5uJV/qb:vhzc10KgGXFhazmdVg+K4t6DqbEBuJV

Score

10^/10

netsupport rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	TestFKRT.exe

Executes dropped EXE 2 IoCs

pid	Process
760	client.exe
1212	client32.exe

Loads dropped DLL 5 IoCs

pid	Process
1212	client32.exe
1212	client32.exe
1212	client32.exe
1212	client32.exe
1212	client32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	bitbucket.org
4	bitbucket.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4024	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3740	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3020	TestFKRT.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3020	TestFKRT.exe
Token: SeDebugPrivilege	760	client.exe
Token: SeSecurityPrivilege	1212	client32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1212	client32.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 760	3020	TestFKRT.exe	80
PID 3020 wrote to memory of 760	3020	TestFKRT.exe	80
PID 760 wrote to memory of 4908	760	client.exe	81
PID 760 wrote to memory of 4908	760	client.exe	81
PID 4908 wrote to memory of 3132	4908	cmd.exe	83
PID 4908 wrote to memory of 3132	4908	cmd.exe	83
PID 760 wrote to memory of 4256	760	client.exe	84
PID 760 wrote to memory of 4256	760	client.exe	84
PID 4256 wrote to memory of 4024	4256	cmd.exe	86
PID 4256 wrote to memory of 4024	4256	cmd.exe	86
PID 760 wrote to memory of 5060	760	client.exe	87
PID 760 wrote to memory of 5060	760	client.exe	87
PID 5060 wrote to memory of 1212	5060	cmd.exe	89
PID 5060 wrote to memory of 1212	5060	cmd.exe	89
PID 5060 wrote to memory of 1212	5060	cmd.exe	89
PID 3020 wrote to memory of 4144	3020	TestFKRT.exe	90
PID 3020 wrote to memory of 4144	3020	TestFKRT.exe	90
PID 4144 wrote to memory of 3740	4144	cmd.exe	94
PID 4144 wrote to memory of 3740	4144	cmd.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\TestFKRT.exe
"C:\Users\Admin\AppData\Local\Temp\TestFKRT.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Roaming\wnsp_44558\winsup\client.exe
  "C:\Users\Admin\AppData\Roaming\wnsp_44558\winsup\client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c schtasks /query /tn "Adobe Acrobat Update Task 2.0"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4908
  - - C:\Windows\system32\schtasks.exe
      schtasks /query /tn "Adobe Acrobat Update Task 2.0"
      4⤵
      PID:3132
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c schtasks /create /tn "Adobe Acrobat Update Task 2.0" /tr "C:\Users\Admin\AppData\Roaming\wnsp_44558\winsup\client.exe" /sc onlogon
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4256
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /tn "Adobe Acrobat Update Task 2.0" /tr "C:\Users\Admin\AppData\Roaming\wnsp_44558\winsup\client.exe" /sc onlogon
      4⤵
      Creates scheduled task(s)
      PID:4024
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c C:\Users\Admin\AppData\Roaming\wnsp_44558\winsup\client32.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5060
  - - C:\Users\Admin\AppData\Roaming\wnsp_44558\winsup\client32.exe
      C:\Users\Admin\AppData\Roaming\wnsp_44558\winsup\client32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:1212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3001 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\TestFKRT.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4144
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 3001
    3⤵
    - Runs ping.exe
    PID:3740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\wnsp_44558\winsup\HTCTL32.DLL

Filesize
316KB

MD5
051cdb6ac8e168d178e35489b6da4c74

SHA1
38c171457d160f8a6f26baa668f5c302f6c29cd1

SHA256
6562585009f15155eea9a489e474cebc4dd2a01a26d846fdd1b93fdc24b0c269

SHA512
602ab9999f7164a2d1704f712d8a622d69148eefe9a380c30bc8b310eadedf846ce6ae7940317437d5da59404d141dc2d1e0c3f954ca4ac7ae3497e56fcb4e36

Download Submit
C:\Users\Admin\AppData\Roaming\wnsp_44558\winsup\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\wnsp_44558\winsup\NSM.LIC

Filesize
261B

MD5
886e4bb84e1ecc4a04ae599d76fcce1d

SHA1
3f0493bb2088af50bcc8223462db0b207354e946

SHA256
5eeb014e3b390e0c85ce72988d422dcd9de1520566b11755c70bdd9bb7376060

SHA512
f4db9038a113c4b1e2462b3e0becef2500c9532a79c8187f51d011d690bc68c6d1a99585e43136cb082bd6a232136546db50265f226ff19e67d8430306a8761f

Download Submit
C:\Users\Admin\AppData\Roaming\wnsp_44558\winsup\PCICAPI.dll

Filesize
106KB

MD5
67c53a770390e8c038060a1921c20da9

SHA1
49e63af91169c8ce7ef7de3d6a6fb9f8f739fa3a

SHA256
2dfdc169dfc27462adc98dde39306de8d0526dcf4577a1a486c2eef447300689

SHA512
201e07dbccd83480d6c4d8562e6d0a9e4c52ed12895f0b91d875c2bbcc50b3b1802e11e5e829c948be302bf98ebde7fb2a99476065d1709b3bdbcd5d59a1612d

Download Submit
C:\Users\Admin\AppData\Roaming\wnsp_44558\winsup\PCICL32.dll

Filesize
3.3MB

MD5
e7b92529ea10176fe35ba73fa4edef74

SHA1
fc5b325d433cde797f6ad0d8b1305d6fb16d4e34

SHA256
b6d4ad0231941e0637485ac5833e0fdc75db35289b54e70f3858b70d36d04c80

SHA512
fb3a70e87772c1fb386ad8def6c7bdf325b8d525355d4386102649eb2d61f09ce101fce37ccc1f44d5878e604e2e426d96618e836367ab460cae01f627833517

Download Submit
C:\Users\Admin\AppData\Roaming\wnsp_44558\winsup\client.exe

Filesize
96KB

MD5
fe20ebcd69e728d57ff058b5f9830a4a

SHA1
6304cddd5023683db90c0148629ff07b6fd1710d

SHA256
eda423d23645a1c7ad5597636fb5a69c612423777751eb6c29ef93ac9e450ca5

SHA512
5a8a38cad9b38e86a6a9e8f79a6b08125184afad02d9183a96c0c54cd6d1800a06308747a5cc8178ac9d865c4a40f5aea4a36bf557ad2f37c563a09fdbb694bc

Download Submit
C:\Users\Admin\AppData\Roaming\wnsp_44558\winsup\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
C:\Users\Admin\AppData\Roaming\wnsp_44558\winsup\client32.ini

Filesize
712B

MD5
14f8e0f5b04cf17366770cdaed40f420

SHA1
7362897e7d48934971dead1f0ae70f9db328017d

SHA256
248a22716a2b9555cd21cbe12506887db59f2a30441a1eae8781a31febbe710b

SHA512
6284b884a9c8892d50f161d9ffb80a51e26f71db90ff1c386d75a60b38d38e9e1151f864c45f8248f3e3acee666765c0b63a035ab9c19d884e00176f4e12f5ab

Download Submit
C:\Users\Admin\AppData\Roaming\wnsp_44558\winsup\pcichek.dll

Filesize
14KB

MD5
3aabcd7c81425b3b9327a2bf643251c6

SHA1
ea841199baa7307280fc9e4688ac75e5624f2181

SHA256
0cff893b1e7716d09fb74b7a0313b78a09f3f48c586d31fc5f830bd72ce8331f

SHA512
97605b07be34948541462000345f1e8f9a9134d139448d4f331cefeeca6dad51c025fcab09d182b86e5a4a8e2f9412b3745ec86b514b0523497c821cb6b8c592

Download Submit
memory/760-40-0x00007FFB470E0000-0x00007FFB47BA1000-memory.dmp

Filesize
10.8MB

Download
memory/760-39-0x00007FFB470E0000-0x00007FFB47BA1000-memory.dmp

Filesize
10.8MB

Download
memory/760-38-0x000001FBF7A00000-0x000001FBF7A1C000-memory.dmp

Filesize
112KB

Download
memory/760-58-0x00007FFB470E0000-0x00007FFB47BA1000-memory.dmp

Filesize
10.8MB

Download
memory/3020-1-0x0000021392860000-0x00000213928C2000-memory.dmp

Filesize
392KB

Download
memory/3020-5-0x0000021394520000-0x0000021394532000-memory.dmp

Filesize
72KB

Download
memory/3020-4-0x00000213944F0000-0x00000213944FA000-memory.dmp

Filesize
40KB

Download
memory/3020-2-0x00007FFB470E0000-0x00007FFB47BA1000-memory.dmp

Filesize
10.8MB

Download
memory/3020-0-0x00007FFB470E3000-0x00007FFB470E5000-memory.dmp

Filesize
8KB

Download
memory/3020-56-0x00007FFB470E0000-0x00007FFB47BA1000-memory.dmp

Filesize
10.8MB

Download