General

  • Target

    update.js

  • Size

    3.9MB

  • Sample

    240822-ps3f4sxcnc

  • MD5

    7ae2c0b6d43f26aa5ace1cc7d6bca642

  • SHA1

    1374b07383ca3c2b4d8bce31726777dbeb35d21f

  • SHA256

    a607c02158d86e5a8f2f63db938a321d26b727c7a73f3d98bb730c398ccd737b

  • SHA512

    a88343e5efabdf7a582186e75b0dfeeb3cecd435f0394010ed03ef5eaf6d1a49c064b5960035753ec3343eea95bbfbca26438cd937b3c1cab6dfbf2eee63a9b8

  • SSDEEP

    49152:6sz6FvpOiHY7sz6FvpOiHYXsz6FvpOiHY7sz6FvpOiHY2sz6FvpOiHY7sz6FvpOQ:60WQ0Ws0WQ0WB0WQ0W5

Malware Config

Extracted

  • Language

    ps1

  • Source URLs

    ps1.dropper
    https://aweland.store/data.php?11502

    exe.dropper
    https://aweland.store/data.php?11502

Targets

    • Target

      update.js

    • NetSupport

      NetSupport is a remote access tool sold as legitimate system administration software.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks