Overview

overview

10

Static

static

1

sus.zip

windows11-21h2-x64

10

Resubmissions

20-06-2024 19:36

240620-ybmtrsycjm 10

20-06-2024 18:53

240620-xj5h4swgqq 10

Analysis

  • max time kernel
    207s
  • max time network
    213s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    20-06-2024 19:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sus.zip

  • Size

    3.0MB

  • MD5

    f2a03711d2c641a611574fa7e0850d71

  • SHA1

    b4a66f287a51a1531ea732dda54c7c673d8d1a75

  • SHA256

    d8f8ef643d68039ea91a48532f004dcf4aa05146fd1894b298cab4c7f0477f1b

  • SHA512

    c16116df56adca253bb8c055706e34c56045806439959be914b4024f77a280be35e923584722e7836b14bef39d47822cc57eb427de907f0610493bcc30d9524c

  • SSDEEP

    98304:D1JFXa/hRFY89YYc9jh23redpmQRbU6nJsjfD:RJSxYoY59V0redpmQRbdnJGD

Score
10/10
netsupportrat

Malware Config

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as a legitimate system administration software.

    ratnetsupport
  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\sus.zip
    1⤵
      PID:2464
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2624
      • C:\Users\Admin\Desktop\New folder\client32.exe
        "C:\Users\Admin\Desktop\New folder\client32.exe"
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:4584
      • C:\Users\Admin\Desktop\New folder\install\clidmgr.exe
        "C:\Users\Admin\Desktop\New folder\install\clidmgr.exe"
        1⤵
          PID:3464
        • C:\Windows\system32\OpenWith.exe
          C:\Windows\system32\OpenWith.exe -Embedding
          1⤵
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3636
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Desktop\New folder\all_zip"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:468
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Desktop\New folder\all_zip"
              3⤵
              • Checks processor information in registry
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1076
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1076.0.1684612087\559747520" -parentBuildID 20230214051806 -prefsHandle 1784 -prefMapHandle 1776 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {573eb71b-f774-4baa-a2ab-4e40fb3c018f} 1076 "\\.\pipe\gecko-crash-server-pipe.1076" 1864 24279f0cd58 gpu
                4⤵
                  PID:3180
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1076.1.1079443175\51733780" -parentBuildID 20230214051806 -prefsHandle 2380 -prefMapHandle 2376 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8336b199-dac3-47d6-9d16-fc6b5df8c046} 1076 "\\.\pipe\gecko-crash-server-pipe.1076" 2408 24265c86d58 socket
                  4⤵
                  • Checks processor information in registry
                  PID:3084
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1076.2.680611841\1127745044" -childID 1 -isForBrowser -prefsHandle 2840 -prefMapHandle 2864 -prefsLen 22963 -prefMapSize 235121 -jsInitHandle 1364 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {954ac8f2-e918-4808-a3a4-3745fe6b02c2} 1076 "\\.\pipe\gecko-crash-server-pipe.1076" 3008 2427cf51258 tab
                  4⤵
                    PID:1888
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1076.3.105197957\876536208" -childID 2 -isForBrowser -prefsHandle 1636 -prefMapHandle 2728 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1364 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21d6d6f1-4ef2-4d21-82fb-4b9c771497e9} 1076 "\\.\pipe\gecko-crash-server-pipe.1076" 3392 2427f747158 tab
                    4⤵
                      PID:1804
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1076.4.1241333544\601046765" -childID 3 -isForBrowser -prefsHandle 5188 -prefMapHandle 5168 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1364 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {669a1d17-3898-41ac-97a9-1788bbebf1a6} 1076 "\\.\pipe\gecko-crash-server-pipe.1076" 5196 24281dd5258 tab
                      4⤵
                        PID:4512
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1076.5.443548072\1419136808" -childID 4 -isForBrowser -prefsHandle 5332 -prefMapHandle 5340 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1364 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83d07671-59e0-4483-b9f0-3275c1703a87} 1076 "\\.\pipe\gecko-crash-server-pipe.1076" 5324 24282805358 tab
                        4⤵
                          PID:3916
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1076.6.1914939405\1313339989" -childID 5 -isForBrowser -prefsHandle 5600 -prefMapHandle 5596 -prefsLen 27690 -prefMapSize 235121 -jsInitHandle 1364 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {03f747fa-d413-4568-97bf-392cb4603aae} 1076 "\\.\pipe\gecko-crash-server-pipe.1076" 5608 24282805f58 tab
                          4⤵
                            PID:888
                    • C:\Program Files\7-Zip\7zFM.exe
                      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\New folder\all_zip"
                      1⤵
                      • Suspicious behavior: GetForegroundWindowSpam
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of FindShellTrayWindow
                      PID:5084

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mg2c1myw.default-release\activity-stream.discovery_stream.json.tmp
                      Filesize

                      26KB

                      MD5

                      ec7f12f05f8c1344cdb344c32e48cfa4

                      SHA1

                      da37a1da62feb108410401b3de644f8f40fd75aa

                      SHA256

                      9e23c348b605e8e9ca46906bf9df5103bb165f2240f70c4a9230a98ff6cd1530

                      SHA512

                      1e3474a97570c3001e3c3751378a50121d31b2f2d1d48b305ba6ca22c1271f915ea56b2e64a99bf3fcf4d1ffe2321cf44d5fd867a1accf75be7edf8b81ef721d

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\prefs-1.js
                      Filesize

                      7KB

                      MD5

                      9cc630af4924694384709055d9d48a07

                      SHA1

                      a60430d3452574c0d7f39ec53c1ff9f6a3e5e6e3

                      SHA256

                      eff63a2eadbf4e9ef0906e37977607794c70dc6376203ac55cc47a08b7a0ed25

                      SHA512

                      8e9c3b91d795c4a487771e827b7562a8afb4d45ff4f20e899534df87e47611f72ad6347faaa35ed3f14e52416cb1b0ac4014a15da388f406574c9642dc85261b

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\sessionstore.jsonlz4
                      Filesize

                      626B

                      MD5

                      155475a172bd3cb93732ad37d01cb80b

                      SHA1

                      94375643323bba8c1bb90fb5ed5343511d20f398

                      SHA256

                      9d20a5cb13e6c89e27afdda0f5d1fcf2f9ead68fc4e461e90e71390031f0df41

                      SHA512

                      c1120be36475fae4a50fae3ae676f0c7f0d3fb1b7eba25d245771fcb902b0a72e18f5050750c6746df30d4440dff90a06396e828b5250524f82a1679cfcd69b5

                      Download Submit

                    • C:\Users\Admin\Downloads\U-8sm_En.part
                      Filesize

                      606KB

                      MD5

                      6d4ae04da5fa47ce707f3c60d7b8ded5

                      SHA1

                      a8790bf67c4915abe83bfb95becba3460be6f86a

                      SHA256

                      c02f8cb15ee9645a69d23a3232fb78e02ff25e29ecb0d1044e2a7e8afb3018c2

                      SHA512

                      63c54cf11dd7e7bef34888a3d2fd2fb7f201493f3295b3dccc5ad01c3e5c079aab4f1489c3c2446dc0a09c73c3c8aa9016b43bd4a56f50a5e9d82ee7bb4b27e5

                      Download Submit