netsupport | hxxp://geo[.]netsupportsoftware[.]com

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-06-2024 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://geo.netsupportsoftware.com

Score

10^/10

netsupport rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133632554470209639"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2372	chrome.exe
2372	chrome.exe
452	chrome.exe
452	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe
Token: SeShutdownPrivilege	2372	chrome.exe
Token: SeCreatePagefilePrivilege	2372	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe
2372	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 4720	2372	chrome.exe	83
PID 2372 wrote to memory of 4720	2372	chrome.exe	83
PID 2372 wrote to memory of 4752	2372	chrome.exe	85
PID 2372 wrote to memory of 4752	2372	chrome.exe	85
PID 2372 wrote to memory of 4752	2372	chrome.exe	85
PID 2372 wrote to memory of 4752	2372	chrome.exe	85
PID 2372 wrote to memory of 4752	2372	chrome.exe	85
PID 2372 wrote to memory of 4752	2372	chrome.exe	85
PID 2372 wrote to memory of 4752	2372	chrome.exe	85
PID 2372 wrote to memory of 4752	2372	chrome.exe	85
PID 2372 wrote to memory of 4752	2372	chrome.exe	85
PID 2372 wrote to memory of 4752	2372	chrome.exe	85
PID 2372 wrote to memory of 4752	2372	chrome.exe	85
PID 2372 wrote to memory of 4752	2372	chrome.exe	85
PID 2372 wrote to memory of 4752	2372	chrome.exe	85
PID 2372 wrote to memory of 4752	2372	chrome.exe	85
PID 2372 wrote to memory of 4752	2372	chrome.exe	85
PID 2372 wrote to memory of 4752	2372	chrome.exe	85
PID 2372 wrote to memory of 4752	2372	chrome.exe	85
PID 2372 wrote to memory of 4752	2372	chrome.exe	85
PID 2372 wrote to memory of 4752	2372	chrome.exe	85
PID 2372 wrote to memory of 4752	2372	chrome.exe	85
PID 2372 wrote to memory of 4752	2372	chrome.exe	85
PID 2372 wrote to memory of 4752	2372	chrome.exe	85
PID 2372 wrote to memory of 4752	2372	chrome.exe	85
PID 2372 wrote to memory of 4752	2372	chrome.exe	85
PID 2372 wrote to memory of 4752	2372	chrome.exe	85
PID 2372 wrote to memory of 4752	2372	chrome.exe	85
PID 2372 wrote to memory of 4752	2372	chrome.exe	85
PID 2372 wrote to memory of 4752	2372	chrome.exe	85
PID 2372 wrote to memory of 4752	2372	chrome.exe	85
PID 2372 wrote to memory of 4752	2372	chrome.exe	85
PID 2372 wrote to memory of 4752	2372	chrome.exe	85
PID 2372 wrote to memory of 3436	2372	chrome.exe	86
PID 2372 wrote to memory of 3436	2372	chrome.exe	86
PID 2372 wrote to memory of 1384	2372	chrome.exe	87
PID 2372 wrote to memory of 1384	2372	chrome.exe	87
PID 2372 wrote to memory of 1384	2372	chrome.exe	87
PID 2372 wrote to memory of 1384	2372	chrome.exe	87
PID 2372 wrote to memory of 1384	2372	chrome.exe	87
PID 2372 wrote to memory of 1384	2372	chrome.exe	87
PID 2372 wrote to memory of 1384	2372	chrome.exe	87
PID 2372 wrote to memory of 1384	2372	chrome.exe	87
PID 2372 wrote to memory of 1384	2372	chrome.exe	87
PID 2372 wrote to memory of 1384	2372	chrome.exe	87
PID 2372 wrote to memory of 1384	2372	chrome.exe	87
PID 2372 wrote to memory of 1384	2372	chrome.exe	87
PID 2372 wrote to memory of 1384	2372	chrome.exe	87
PID 2372 wrote to memory of 1384	2372	chrome.exe	87
PID 2372 wrote to memory of 1384	2372	chrome.exe	87
PID 2372 wrote to memory of 1384	2372	chrome.exe	87
PID 2372 wrote to memory of 1384	2372	chrome.exe	87
PID 2372 wrote to memory of 1384	2372	chrome.exe	87
PID 2372 wrote to memory of 1384	2372	chrome.exe	87
PID 2372 wrote to memory of 1384	2372	chrome.exe	87
PID 2372 wrote to memory of 1384	2372	chrome.exe	87
PID 2372 wrote to memory of 1384	2372	chrome.exe	87
PID 2372 wrote to memory of 1384	2372	chrome.exe	87
PID 2372 wrote to memory of 1384	2372	chrome.exe	87
PID 2372 wrote to memory of 1384	2372	chrome.exe	87
PID 2372 wrote to memory of 1384	2372	chrome.exe	87
PID 2372 wrote to memory of 1384	2372	chrome.exe	87
PID 2372 wrote to memory of 1384	2372	chrome.exe	87
PID 2372 wrote to memory of 1384	2372	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://geo.netsupportsoftware.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f40eab58,0x7ff8f40eab68,0x7ff8f40eab78
  2⤵
  PID:4720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1600 --field-trial-handle=1956,i,17089454956312958672,7825814827623296717,131072 /prefetch:2
  2⤵
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1956,i,17089454956312958672,7825814827623296717,131072 /prefetch:8
  2⤵
  PID:3436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2240 --field-trial-handle=1956,i,17089454956312958672,7825814827623296717,131072 /prefetch:8
  2⤵
  PID:1384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1956,i,17089454956312958672,7825814827623296717,131072 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2964 --field-trial-handle=1956,i,17089454956312958672,7825814827623296717,131072 /prefetch:1
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 --field-trial-handle=1956,i,17089454956312958672,7825814827623296717,131072 /prefetch:8
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 --field-trial-handle=1956,i,17089454956312958672,7825814827623296717,131072 /prefetch:8
  2⤵
  PID:4072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5104 --field-trial-handle=1956,i,17089454956312958672,7825814827623296717,131072 /prefetch:1
  2⤵
  PID:4048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3124 --field-trial-handle=1956,i,17089454956312958672,7825814827623296717,131072 /prefetch:1
  2⤵
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3900 --field-trial-handle=1956,i,17089454956312958672,7825814827623296717,131072 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5108 --field-trial-handle=1956,i,17089454956312958672,7825814827623296717,131072 /prefetch:1
  2⤵
  PID:3276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1560 --field-trial-handle=1956,i,17089454956312958672,7825814827623296717,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4012 --field-trial-handle=1956,i,17089454956312958672,7825814827623296717,131072 /prefetch:1
  2⤵
  PID:3684

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
228b933067491a42aac1253459b1d066

SHA1
fca91f26e8853b8c113fb3026ef09b973e8b9a82

SHA256
cfd39afe7c9df16a8e8c9d8e6f883a1dc2baea25208408d5557aaeacf2e33868

SHA512
dfc9936338cb942f2fc64845d672e76b0b818354e55b05a8e2bf1e6a767529e80e71009c3075e01c9cbab09be7fd3b908eec45703953b77493de7812af382188

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
d3a7bc471552e64fd6193efa1048ffb6

SHA1
9330c02b3bd3140724db96ce0a9f6783d0bc8a4e

SHA256
eaf376b12ebc11cef0b0bd5dbe69add148304fed53963096a4ece11f62cd383b

SHA512
8cc2e25578ec4ef86d9fcd8933d694795207d3da647304a8c6e2e75ecc18a714cd67938953e837d47c9626aee0dc8463858da8a33648c35dd49b5c2065c8787b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
fd03ca81ac3868eae7c32fcba2c367c0

SHA1
4e7f07f643bbd9df72520fcaab2047dd42e2b835

SHA256
0697bee303ac5b0831a2f5664c91e8f0664a3408c8e11f331b001bda3424c3ce

SHA512
b49566b715d3f515d093fe31967baba8f5189f1e5a8277641a75825098576d576d282a50b0b627b418a7d696d91617f7070ba8a63f33fd4a652d904b41637ca0

Download Submit