General

  • Target

    updates.js

  • Size

    2.7MB

  • Sample

    240726-zbzc8swelg

  • MD5

    1b17ec51d8be6e80d530e36aa0f8bb41

  • SHA1

    65aa99559627a07851e2f21aa465a4dc10e84e02

  • SHA256

    b36668956d6f6f8f789d39130d8b45f6794ec91b9a6b895512af6f88181a1f81

  • SHA512

    daf20dfbde0d7660cef950641697c239ac7fb6c5d7f928b5c5396cd578ed7e130b78f21db80a9721573807f6a02e6fbd8f9e46695803cac1fb2694e1a1d2166a

  • SSDEEP

    49152:DA4yxjzCgTpCffzZtrCP7sQs0iy/ss7+ZdhN6j4GusjtWsDtzXY7aIvJLwKXq2XI:4

Malware Config

Extracted

  • Language

    ps1

  • Source

    ps1.dropper

  • URLs

    http://hhic.top/data.php?11163

  • Source

    exe.dropper

  • URLs

    http://hhic.top/data.php?11163

Targets

    • Target

      updates.js

    • Size

      2.7MB

    • MD5

      1b17ec51d8be6e80d530e36aa0f8bb41

    • SHA1

      65aa99559627a07851e2f21aa465a4dc10e84e02

    • SHA256

      b36668956d6f6f8f789d39130d8b45f6794ec91b9a6b895512af6f88181a1f81

    • SHA512

      daf20dfbde0d7660cef950641697c239ac7fb6c5d7f928b5c5396cd578ed7e130b78f21db80a9721573807f6a02e6fbd8f9e46695803cac1fb2694e1a1d2166a

    • SSDEEP

      49152:DA4yxjzCgTpCffzZtrCP7sQs0iy/ss7+ZdhN6j4GusjtWsDtzXY7aIvJLwKXq2XI:4

    • NetSupport

      NetSupport is a remote access tool sold as legitimate system administration software.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks