netsupport | 98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7

Analysis

max time kernel
143s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe
Size

3.7MB
MD5

188f24d52a3f17cf472f0b7860612c58
SHA1

0fec989f098085c68be25fc48d366808aaac610a
SHA256

98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7
SHA512

bd359f6061810c361d61e023b60ee4c9143216c40bd89ca8c38a02f8a19ea325998dc7f0e7cfed4c948b80215b973cb54bb9209d067f09233a5084c79ced8356
SSDEEP

98304:cVOXXUzpyl/iMcLtN4LS8dHxbuBTYoVXKhyRH0BwMX:0Vzpl4L7dHjo4hyRH7+

Score

10^/10

netsupport discovery rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Executes dropped EXE 4 IoCs

pid	Process
4840	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe
932	scr_previw.exe
1512	scr_previw.exe
4068	client32.exe

Loads dropped DLL 8 IoCs

pid	Process
4840	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe
932	scr_previw.exe
1512	scr_previw.exe
4068	client32.exe
4068	client32.exe
4068	client32.exe
4068	client32.exe
4068	client32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1512 set thread context of 4000	1512	scr_previw.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scr_previw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scr_previw.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
432	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
932	scr_previw.exe
1512	scr_previw.exe
1512	scr_previw.exe
4000	cmd.exe
4000	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1512	scr_previw.exe
4000	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4068	client32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4068	client32.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 4840	3888	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe	85
PID 3888 wrote to memory of 4840	3888	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe	85
PID 3888 wrote to memory of 4840	3888	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe	85
PID 4840 wrote to memory of 932	4840	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe	97
PID 4840 wrote to memory of 932	4840	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe	97
PID 4840 wrote to memory of 932	4840	98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe	97
PID 932 wrote to memory of 1512	932	scr_previw.exe	98
PID 932 wrote to memory of 1512	932	scr_previw.exe	98
PID 932 wrote to memory of 1512	932	scr_previw.exe	98
PID 1512 wrote to memory of 4000	1512	scr_previw.exe	99
PID 1512 wrote to memory of 4000	1512	scr_previw.exe	99
PID 1512 wrote to memory of 4000	1512	scr_previw.exe	99
PID 1512 wrote to memory of 4000	1512	scr_previw.exe	99
PID 4000 wrote to memory of 1484	4000	cmd.exe	104
PID 4000 wrote to memory of 1484	4000	cmd.exe	104
PID 4000 wrote to memory of 1484	4000	cmd.exe	104
PID 4000 wrote to memory of 1484	4000	cmd.exe	104
PID 1484 wrote to memory of 432	1484	explorer.exe	106
PID 1484 wrote to memory of 432	1484	explorer.exe	106
PID 1484 wrote to memory of 432	1484	explorer.exe	106
PID 1484 wrote to memory of 4068	1484	explorer.exe	107
PID 1484 wrote to memory of 4068	1484	explorer.exe	107
PID 1484 wrote to memory of 4068	1484	explorer.exe	107

C:\Users\Admin\AppData\Local\Temp\98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe
"C:\Users\Admin\AppData\Local\Temp\98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Windows\TEMP\{80EBF7DD-0A5E-4017-89B8-017639819738}\.cr\98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe
  "C:\Windows\TEMP\{80EBF7DD-0A5E-4017-89B8-017639819738}\.cr\98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe" -burn.filehandle.attached=632 -burn.filehandle.self=720
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4840
- - C:\Windows\TEMP\{9B2025DF-2ED5-41CF-9A0E-1E920C1312C2}\.ba\scr_previw.exe
    "C:\Windows\TEMP\{9B2025DF-2ED5-41CF-9A0E-1E920C1312C2}\.ba\scr_previw.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:932
  - - C:\Users\Admin\AppData\Roaming\makeAdvancedQGU\scr_previw.exe
      C:\Users\Admin\AppData\Roaming\makeAdvancedQGU\scr_previw.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1512
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:4000
      - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "OneDriveSync" /tr "C:\Users\Admin\AppData\Local\OneDriveSync\client32.exe" /RL HIGHEST
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:432
        
        C:\Users\Admin\AppData\Local\OneDriveSync\client32.exe
        
        C:\Users\Admin\AppData\Local\OneDriveSync\client32.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:4068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\OneDriveSync\HTCTL32.DLL

Filesize
320KB

MD5
2d3b207c8a48148296156e5725426c7f

SHA1
ad464eb7cf5c19c8a443ab5b590440b32dbc618f

SHA256
edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

SHA512
55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Download Submit
C:\Users\Admin\AppData\Local\OneDriveSync\NSM.LIC

Filesize
262B

MD5
b9956282a0fed076ed083892e498ac69

SHA1
d14a665438385203283030a189ff6c5e7c4bf518

SHA256
fcc6afd664a8045bd61c398be3c37a97536a199a48d277e11977f93868ae1acc

SHA512
7daa09113c0e8a36c91cc6d657c65851a20dff6b60ac3d2f40c5737c12c1613c553955f84d131ba2139959973fef9fc616ca5e968cb16c25acf2d4739eed87eb

Download Submit
C:\Users\Admin\AppData\Local\OneDriveSync\PCICL32.dll

Filesize
3.5MB

MD5
21f33a23a7aacc8f4bfd44158abe3ebb

SHA1
70170526c86ca4e86df02aa34c6234bc93ba573b

SHA256
85641fd7a9b535be13d0342b92e8655a83bc24ac7c33bda96fc66bd22d506c72

SHA512
b39800583aeb37fa3d776b43b454b69825f0e04c2985c2338c3d1dc4a158111f7fe176d096b2dd2f55fbe7663fd6b2c288d86feeca4b38a42713f273e64ade6e

Download Submit
C:\Users\Admin\AppData\Local\OneDriveSync\client32.exe

Filesize
118KB

MD5
f49fcba0ed27e57abacac277204e5df9

SHA1
93431b74a6a873e2c9e97f6df7f1bf7b208342ae

SHA256
931e07479ef72b69f9099318cf1207bd34ce47d63c265135f51f6810d1ab1a1f

SHA512
12a3839f21e05021c62947811aa8b5a251383508bcfa399161d11ca623d2e284741affffc16c4dfc737afb3c644457d349f5302e27f71b3800edbfbe874a9abe

Download Submit
C:\Users\Admin\AppData\Local\OneDriveSync\client32.ini

Filesize
637B

MD5
c4bf181a4ab30e66e101d8198f3a0a27

SHA1
b20036a3ed2cf540b2ab19857d2482e702220300

SHA256
9f3b56cdf82f336135d9a1da4a7442450fa11e35b04dbfccb9fb211e4c8d1f10

SHA512
a37b2b7de7fe99b953b1c46e5d125ad8e35ef5e8b6f214f3732b56db2e7cb1b56b1fb792bd04e3ee457a4abb2983122fba4a7ddca76053b9b07429259cfdf87d

Download Submit
C:\Users\Admin\AppData\Local\OneDriveSync\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Local\OneDriveSync\pcicapi.dll

Filesize
32KB

MD5
dcde2248d19c778a41aa165866dd52d0

SHA1
7ec84be84fe23f0b0093b647538737e1f19ebb03

SHA256
9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

SHA512
c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

Download Submit
C:\Users\Admin\AppData\Local\OneDriveSync\pcichek.dll

Filesize
18KB

MD5
a0b9388c5f18e27266a31f8c5765b263

SHA1
906f7e94f841d464d4da144f7c858fa2160e36db

SHA256
313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

SHA512
6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\125e75f0

Filesize
856KB

MD5
cd54711edc3d0970530a50e4ac398761

SHA1
cdfef8b1b9e9b6c1b8ff9ea23b923602b0eafbce

SHA256
883f178b8c8b427b3486c2704abc34af986b11f0612e82c9b878c9a2e51122ea

SHA512
905ed093f4b3a06be748554ff22f1edd66e92a620d27412c73b7edb2ae1194d03c5f2274deee655f1d7e8aef549fd74c2d788e3167a72d226c03fb1a05d2bdda

Download Submit
C:\Windows\TEMP\{9B2025DF-2ED5-41CF-9A0E-1E920C1312C2}\.ba\delr

Filesize
66KB

MD5
d287578542c8e1042e228ff517584d62

SHA1
b496c8c0ee89e3ee3d86e99b22b0cc6a4518c8a6

SHA256
5e12046a7555aa5259703ed6910fbc969826dafdcde848fad710eb952960718c

SHA512
3c1015bbbd54d7960e800eb5a55e40e31670c91a2b63e9521cb73314bf9d10d535ee3b37fbf1cd83a46037cb128682f5eafbb873b1001ed07d92b9adf049415b

Download Submit
C:\Windows\TEMP\{9B2025DF-2ED5-41CF-9A0E-1E920C1312C2}\.ba\mhtb

Filesize
614KB

MD5
78bd91f9ad6c1a9813fca8bd17329bbe

SHA1
64a2ad004e23ccfd7325618e7f4d2be303bf71bd

SHA256
36c4e6886ff20758e6fcdc83a0714961a3454b861b2db1a8c7001f3f0fa06833

SHA512
8927b01237f05ca91117e1d0d06c906ff723d9a917b337594b3092999d8808febfca5a27f9e860027d9d832ef1f770aceda714217bfe101bb2ec064c7b3d6437

Download Submit
C:\Windows\Temp\{80EBF7DD-0A5E-4017-89B8-017639819738}\.cr\98cac6ef1484e379d2496f9a28b8c5077abab866e3977a6dfdd538b7817b65b7.exe

Filesize
3.0MB

MD5
c90969b61fa601af3b7fa9b955f1133b

SHA1
3ffb38c61ef331cf0557cdc18819cc192d565ab7

SHA256
0c71659a7e9f2a16be4252a166ac7d9bc75177a3f531f03ea91b3851ae819915

SHA512
bb8ffdec9d17f74306fed12a221a7c04bffb8bb931f354471222b315b553da983aa32347fac4304ba32fe67a3c8ab020435e621acec21288212a77fa585909b2

Download Submit
C:\Windows\Temp\{9B2025DF-2ED5-41CF-9A0E-1E920C1312C2}\.ba\Artifice.dll

Filesize
526KB

MD5
edffaeecf1d2be26df6ca2e455030dad

SHA1
1e9e96910d2599ae2c3ace86780236fa6801397d

SHA256
843cb536456a0bdf78dfcfd04a45575f0b2b231e12c8a26085437712f121fa4c

SHA512
74626114a098af8c384bbcc162e569c10b8cba32fe26b48080322cc7f5701e3fd6a7b8a5bc52fe628a110d4dbaf3bccfc1691d799c75003793519e0d962d1be9

Download Submit
C:\Windows\Temp\{9B2025DF-2ED5-41CF-9A0E-1E920C1312C2}\.ba\d3dx9_43.dll

Filesize
1.9MB

MD5
d0253aed34e4ed3c60b00a238edac4c9

SHA1
151c0e2832cb0437bcec96ef0310de6cf5584358

SHA256
790fde0ac7273303db48f501789370b0f2918d24381c9d4fca5d6f63e81a1241

SHA512
76d7a2f65f5ace8678a03479903667729cfa468c4aa1f7501dbb3dff110544786a19758de5f98a553cd9ea088cbe03dda9cb215401e9b037cf5ce0eebd463972

Download Submit
C:\Windows\Temp\{9B2025DF-2ED5-41CF-9A0E-1E920C1312C2}\.ba\scr_previw.exe

Filesize
2.2MB

MD5
d9530ecee42acccfd3871672a511bc9e

SHA1
89b4d2406f1294bd699ef231a4def5f495f12778

SHA256
81e04f9a131534acc0e9de08718c062d3d74c80c7f168ec7e699cd4b2bd0f280

SHA512
d5f048ea995affdf9893ec4c5ac5eb188b6714f5b6712e0b5a316702033421b145b8ee6a62d303eb4576bf8f57273ff35c5d675807563a31157136f79d8a9980

Download Submit
memory/932-21-0x00007FFF60990000-0x00007FFF60B85000-memory.dmp

Filesize
2.0MB

Download
memory/932-20-0x0000000073970000-0x0000000073AEB000-memory.dmp

Filesize
1.5MB

Download
memory/1484-90-0x0000000000740000-0x000000000076A000-memory.dmp

Filesize
168KB

Download
memory/1484-53-0x0000000000740000-0x000000000076A000-memory.dmp

Filesize
168KB

Download
memory/1484-44-0x0000000000740000-0x000000000076A000-memory.dmp

Filesize
168KB

Download
memory/1484-43-0x00007FFF60990000-0x00007FFF60B85000-memory.dmp

Filesize
2.0MB

Download
memory/1512-36-0x0000000073970000-0x0000000073AEB000-memory.dmp

Filesize
1.5MB

Download
memory/1512-34-0x00007FFF60990000-0x00007FFF60B85000-memory.dmp

Filesize
2.0MB

Download
memory/1512-33-0x0000000073970000-0x0000000073AEB000-memory.dmp

Filesize
1.5MB

Download
memory/4000-41-0x0000000073970000-0x0000000073AEB000-memory.dmp

Filesize
1.5MB

Download
memory/4000-39-0x00007FFF60990000-0x00007FFF60B85000-memory.dmp

Filesize
2.0MB

Download