netsupport | f1f0d729245cd9272510e8fd258708ead8ed7ab0db39343c6f69cf9d35a35c2b | Triage

Submit
Reports

Overview

overview

Static

static

1

NetSupport...03.exe

windows7-x64

NetSupport...03.exe

windows10-2004-x64

Sharing

General

Target

NetSupport School 15.10.0003.exe
Size

146.9MB
Sample

240625-ybs1saydma
MD5

50c6a195ea8b2cac825a3bd2b2e5d5f7
SHA1

7704b7bc735066139657919cc589fef8fdfd76a1
SHA256

f1f0d729245cd9272510e8fd258708ead8ed7ab0db39343c6f69cf9d35a35c2b
SHA512

838332cb950b70aef47ffbff2dbb1503b26ee0fcb702376fbf6633e00bd33aa2b8add3432b28ce79ce0b44d51a7812dbb9c749782d4efc21c5df7c7a78a53088
SSDEEP

3145728:7ghv5tQmlmVPMfix3deHWzomfJ4dbOO+2iX3gvB159GRiYDNAC77:7gF7QmlmVPguPRfy62KwvO/BAe

Score

10^/10

netsupport persistence privilege_escalation rat

Static task

static1

Behavioral task

behavioral1

Sample

NetSupport School 15.10.0003.exe

Resource

win7-20231129-en

netsupport persistence privilege_escalation rat

windows7-x64

28 signatures

150 seconds

Behavioral task

behavioral2

Sample

NetSupport School 15.10.0003.exe

Resource

win10v2004-20240611-en

netsupport persistence privilege_escalation rat

windows10-2004-x64

28 signatures

150 seconds

Malware Config

Targets

- Target
  
  NetSupport School 15.10.0003.exe
- Size
  
  146.9MB
- MD5
  
  50c6a195ea8b2cac825a3bd2b2e5d5f7
- SHA1
  
  7704b7bc735066139657919cc589fef8fdfd76a1
- SHA256
  
  f1f0d729245cd9272510e8fd258708ead8ed7ab0db39343c6f69cf9d35a35c2b
- SHA512
  
  838332cb950b70aef47ffbff2dbb1503b26ee0fcb702376fbf6633e00bd33aa2b8add3432b28ce79ce0b44d51a7812dbb9c749782d4efc21c5df7c7a78a53088
- SSDEEP
  
  3145728:7ghv5tQmlmVPMfix3deHWzomfJ4dbOO+2iX3gvB159GRiYDNAC77:7gF7QmlmVPguPRfy62KwvO/BAe
Score

10^/10

netsupport persistence privilege_escalation rat
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Drops file in Drivers directory
- Sets service image path in registry
  persistence
- Blocklisted process makes network request
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Modifies WinLogon
  persistence
- Drops file in System32 directory
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Event Triggered Execution

Component Object Model Hijacking

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Event Triggered Execution

Component Object Model Hijacking

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netsupportpersistenceprivilege_escalationrat

behavioral2

netsupportpersistenceprivilege_escalationrat

© 2018-2025

Terms | Privacy