netsupport | 1d78526f6b8a98475210e12d2183805bbd22469b63d2e11354987c1c6782ed72 | Triage

Submit
Reports

Overview

overview

Static

static

1

NetSupport School.msi

windows10-1703-x64

Sharing

General

Target

NetSupport School.msi
Size

150.2MB
Sample

240902-aes8yswblm
MD5

32c821d567a2d7a63d638eba7a6a22cd
SHA1

35a2a92dc9aab0acf09e931cd21bd52c796a0e6a
SHA256

1d78526f6b8a98475210e12d2183805bbd22469b63d2e11354987c1c6782ed72
SHA512

98c46dcdf257d42d6115a5a73119fe0a1b33a89c257fb9ffe78b85d949ec08243003887f65ef86bd15a01a0911599490b98033f86e57b399247343b7ac9368d5
SSDEEP

3145728:/9wr2EaPT3kDVqZDYFnCkp0wbKrtE8yoP+ANeEkqic+w8:/62NDkDgE/pTb/8yoN82+w

Score

10^/10

netsupport discovery persistence privilege_escalation rat

Static task

static1

Behavioral task

behavioral1

Sample

NetSupport School.msi

Resource

win10-20240404-en

netsupport discovery persistence privilege_escalation rat

windows10-1703-x64

29 signatures

150 seconds

Malware Config

Targets

- Target
  
  NetSupport School.msi
- Size
  
  150.2MB
- MD5
  
  32c821d567a2d7a63d638eba7a6a22cd
- SHA1
  
  35a2a92dc9aab0acf09e931cd21bd52c796a0e6a
- SHA256
  
  1d78526f6b8a98475210e12d2183805bbd22469b63d2e11354987c1c6782ed72
- SHA512
  
  98c46dcdf257d42d6115a5a73119fe0a1b33a89c257fb9ffe78b85d949ec08243003887f65ef86bd15a01a0911599490b98033f86e57b399247343b7ac9368d5
- SSDEEP
  
  3145728:/9wr2EaPT3kDVqZDYFnCkp0wbKrtE8yoP+ANeEkqic+w8:/62NDkDgE/pTb/8yoN82+w
Score

10^/10

netsupport discovery persistence privilege_escalation rat
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Drops file in Drivers directory
- Sets service image path in registry
  persistence
- Blocklisted process makes network request
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Modifies WinLogon
  persistence
- Drops file in System32 directory
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Event Triggered Execution

Component Object Model Hijacking

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Event Triggered Execution

Component Object Model Hijacking

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

netsupportdiscoverypersistenceprivilege_escalationrat

© 2018-2025

Terms | Privacy