netsupport | a179d25f0ca4b9f6b7b1b7b4376664e422a6341650f80ba58626881638b64d50

General

Target

SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
Size

137KB
MD5

aace5ed77f7d47cad3e45e0ccdc5411c
SHA1

cb9c403e8ba1a5531543d6c3b46250065b7f49c0
SHA256

a179d25f0ca4b9f6b7b1b7b4376664e422a6341650f80ba58626881638b64d50
SHA512

a73b05d441f2815db2cfdecb00e7df1574d510a28b73e15c365bd94ecb70cebc2ab624783a14874a64da27caa308d58c710ef8c09b96ebf36c04459dd7899874
SSDEEP

3072:IAthOjYt6ktOt/nYUHal/5+LeLEsSkRqneaNn2qSzAuK2raS:dthOjYt6ktCYUHal/hwhkReeunZceS

Score

10^/10

netsupport discovery rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe

Executes dropped EXE 1 IoCs

pid	Process
3360	client32.exe

Loads dropped DLL 6 IoCs

pid	Process
3360	client32.exe
3360	client32.exe
3360	client32.exe
3360	client32.exe
3360	client32.exe
3360	client32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2204	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3360	client32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3360	client32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3256 wrote to memory of 2204	3256	SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe	86
PID 3256 wrote to memory of 2204	3256	SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe	86
PID 3256 wrote to memory of 2204	3256	SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe	86
PID 3256 wrote to memory of 3360	3256	SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe	88
PID 3256 wrote to memory of 3360	3256	SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe	88
PID 3256 wrote to memory of 3360	3256	SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe	88

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3256
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "MSOneDrive" /tr "C:\Users\Admin\AppData\Local/MSOneDrive\client32.exe" /RL HIGHEST
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2204
- C:\Users\Admin\AppData\Local\MSOneDrive\client32.exe
  C:\Users\Admin\AppData\Local/MSOneDrive\client32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\MSOneDrive\HTCTL32.DLL

Filesize
306KB

MD5
3eed18b47412d3f91a394ae880b56ed2

SHA1
1b521a3ed4a577a33cce78eee627ae02445694ab

SHA256
13a17f2ad9288aac8941d895251604beb9524fa3c65c781197841ee15480a13f

SHA512
835f35af4fd241caa8b6a639626b8762db8525ccceb43afe8fffc24dffad76ca10852a5a8e9fc114bfbf7d1dc1950130a67037fc09b63a74374517a1f5448990

Download Submit
C:\Users\Admin\AppData\Local\MSOneDrive\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Local\MSOneDrive\NSM.LIC

Filesize
262B

MD5
b9956282a0fed076ed083892e498ac69

SHA1
d14a665438385203283030a189ff6c5e7c4bf518

SHA256
fcc6afd664a8045bd61c398be3c37a97536a199a48d277e11977f93868ae1acc

SHA512
7daa09113c0e8a36c91cc6d657c65851a20dff6b60ac3d2f40c5737c12c1613c553955f84d131ba2139959973fef9fc616ca5e968cb16c25acf2d4739eed87eb

Download Submit
C:\Users\Admin\AppData\Local\MSOneDrive\PCICAPI.dll

Filesize
44KB

MD5
9daa86d91a18131d5caf49d14fb8b6f2

SHA1
6b2f7ceb6157909e114a2b05a48a1a2606b5caf1

SHA256
1716640cce74322f7ee3e3e02b75cd53b91686f66e389d606dab01bd9f88c557

SHA512
9a98e0d9e2dda8aefa54bddb3c7b71501d638dff68863939de6caa117b0e7bf15e581a75419ef8a0da3f1c56a19f1b0f4c86d65f8581773ab88ff5764b9bb3aa

Download Submit
C:\Users\Admin\AppData\Local\MSOneDrive\PCICHEK.DLL

Filesize
27KB

MD5
e311935a26ee920d5b7176cfa469253c

SHA1
eda6c815a02c4c91c9aacd819dc06e32ececf8f0

SHA256
0038ab626624fa2df9f65dd5e310b1206a9cd4d8ab7e65fb091cc25f13ebd34e

SHA512
48164e8841cfc91f4cbf4d3291d4f359518d081d9079a7995378f970e4085b534f4bafc15b83f4824cc79b5a1e54457b879963589b1acbcfe727a03eb3dffd1c

Download Submit
C:\Users\Admin\AppData\Local\MSOneDrive\PCICL32.dll

Filesize
3.3MB

MD5
f782c24a376285c9b8a3a116175093f8

SHA1
b8fdb6e95c7313cf31f14a3a31cc334b56e6df09

SHA256
c7baf1647f6fef1b1a4231c9743f20f7a4b524ca4eb987a0acbeeef7e037d7e3

SHA512
256385a6663dcf70a5a9a1b766d1f826760f07efa9b9248047dc43d41f6a9f4dd56ca2b218c222ea1d441e2f7ba9bb114cde6954827b9761ebb1f23bba7ad1bb

Download Submit
C:\Users\Admin\AppData\Local\MSOneDrive\client32.exe

Filesize
104KB

MD5
f6abef857450c97ea74cd8f0eb9a8c0a

SHA1
a1acdd10f5a8f8b086e293c6a60c53630ad319fb

SHA256
db0acb4a3082edc19ca9a78b059258ea36b4be16eee4f1172115fc83e693a903

SHA512
b6a2196ebfa51bb3fb8fb2b95ad5275828ab5435fd859fc993e2b3ed92a74799fe1c8b178270f99c79432f39aa9dbc0090038f037fcb651ab75c14b18102671f

Download Submit
C:\Users\Admin\AppData\Local\MSOneDrive\client32.ini

Filesize
664B

MD5
14f6ebed5e1176f17c18d00a2dc64b2e

SHA1
cb9c079373658ce098e1d07d4a2c997bf3141b4b

SHA256
d4c1f00382f01abbb3142ef6d9c3e51557d0ced12a52861d8c5df44d1ce723ac

SHA512
e5f24a695749d693e873ea60b8caaff5cb3b306887721e3f9f308afe697fba37f3a6226322aedebb46764d6bbbaf21df44d4c6a02db49b067437d7e7d0cceaf9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads