netsupport | 2c59f3552a77d2c9527970ae99e204ec279756ac24815a899ab43356420057e7

Analysis

max time kernel
143s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-09-2024 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7z2408x64.appx
Size

8.6MB
MD5

b32a3b7070b1715b38b39621c3957fdc
SHA1

3633ccc1ccb35c1b0dfb2cbe2e3d281a9652f821
SHA256

2c59f3552a77d2c9527970ae99e204ec279756ac24815a899ab43356420057e7
SHA512

0a18a335c364e9a8b78f414fcc943397150028fe0133db21d22b750c9a9b5004b0893a4159f51b69424b2cefd1a22630f320a9319cfade29f0b10e33f52a30f1
SSDEEP

196608:+zFuy7ANIXCjHhtK7hEjZr3MLoWM4J8wfwjPjnesXfX:+zjAnHm7hCr3UJVfwjbnesv

Score

10^/10

netsupport discovery execution rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Executes dropped EXE 2 IoCs

pid	Process
4804	7-zip.exe
4776	7z2408-x64.exe

Loads dropped DLL 5 IoCs

pid	Process
4804	7-zip.exe
4804	7-zip.exe
4804	7-zip.exe
4804	7-zip.exe
4804	7-zip.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2216	Powershell.exe
1140	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7-zip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z2408-x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs

pid	Process
3604	13.exe
3644	13.exe
4368	13.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5056	powershell.exe
5056	powershell.exe
2216	Powershell.exe
2216	Powershell.exe
1140	powershell.exe
1140	powershell.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeDebugPrivilege	2216	Powershell.exe
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeRestorePrivilege	3604	13.exe
Token: 35	3604	13.exe
Token: SeSecurityPrivilege	3604	13.exe
Token: SeSecurityPrivilege	3604	13.exe
Token: SeRestorePrivilege	3644	13.exe
Token: 35	3644	13.exe
Token: SeSecurityPrivilege	3644	13.exe
Token: SeSecurityPrivilege	3644	13.exe
Token: SeRestorePrivilege	4368	13.exe
Token: 35	4368	13.exe
Token: SeSecurityPrivilege	4368	13.exe
Token: SeSecurityPrivilege	4368	13.exe
Token: SeSecurityPrivilege	4804	7-zip.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4804	7-zip.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 3784 wrote to memory of 2216	3784	PsfLauncher64.exe	85
PID 3784 wrote to memory of 2216	3784	PsfLauncher64.exe	85
PID 3784 wrote to memory of 2216	3784	PsfLauncher64.exe	85
PID 3784 wrote to memory of 4460	3784	PsfLauncher64.exe	86
PID 3784 wrote to memory of 4460	3784	PsfLauncher64.exe	86
PID 3784 wrote to memory of 4460	3784	PsfLauncher64.exe	86
PID 3784 wrote to memory of 4460	3784	PsfLauncher64.exe	86
PID 3784 wrote to memory of 4460	3784	PsfLauncher64.exe	86
PID 3784 wrote to memory of 4460	3784	PsfLauncher64.exe	86
PID 3784 wrote to memory of 4460	3784	PsfLauncher64.exe	86
PID 3784 wrote to memory of 4460	3784	PsfLauncher64.exe	86
PID 3784 wrote to memory of 4460	3784	PsfLauncher64.exe	86
PID 3784 wrote to memory of 4460	3784	PsfLauncher64.exe	86
PID 3784 wrote to memory of 4460	3784	PsfLauncher64.exe	86
PID 3784 wrote to memory of 4460	3784	PsfLauncher64.exe	86
PID 2216 wrote to memory of 1140	2216	Powershell.exe	88
PID 2216 wrote to memory of 1140	2216	Powershell.exe	88
PID 2216 wrote to memory of 1140	2216	Powershell.exe	88
PID 1140 wrote to memory of 4816	1140	powershell.exe	89
PID 1140 wrote to memory of 4816	1140	powershell.exe	89
PID 1140 wrote to memory of 4816	1140	powershell.exe	89
PID 4816 wrote to memory of 3604	4816	cmd.exe	90
PID 4816 wrote to memory of 3604	4816	cmd.exe	90
PID 4816 wrote to memory of 3604	4816	cmd.exe	90
PID 4816 wrote to memory of 3604	4816	cmd.exe	90
PID 4816 wrote to memory of 3604	4816	cmd.exe	90
PID 1140 wrote to memory of 4860	1140	powershell.exe	91
PID 1140 wrote to memory of 4860	1140	powershell.exe	91
PID 1140 wrote to memory of 4860	1140	powershell.exe	91
PID 4860 wrote to memory of 3644	4860	cmd.exe	92
PID 4860 wrote to memory of 3644	4860	cmd.exe	92
PID 4860 wrote to memory of 3644	4860	cmd.exe	92
PID 4860 wrote to memory of 3644	4860	cmd.exe	92
PID 4860 wrote to memory of 3644	4860	cmd.exe	92
PID 1140 wrote to memory of 2968	1140	powershell.exe	93
PID 1140 wrote to memory of 2968	1140	powershell.exe	93
PID 1140 wrote to memory of 2968	1140	powershell.exe	93
PID 2968 wrote to memory of 4368	2968	cmd.exe	94
PID 2968 wrote to memory of 4368	2968	cmd.exe	94
PID 2968 wrote to memory of 4368	2968	cmd.exe	94
PID 2968 wrote to memory of 4368	2968	cmd.exe	94
PID 2968 wrote to memory of 4368	2968	cmd.exe	94
PID 1140 wrote to memory of 4804	1140	powershell.exe	95
PID 1140 wrote to memory of 4804	1140	powershell.exe	95
PID 1140 wrote to memory of 4804	1140	powershell.exe	95
PID 1140 wrote to memory of 4804	1140	powershell.exe	95
PID 1140 wrote to memory of 4804	1140	powershell.exe	95
PID 1140 wrote to memory of 4776	1140	powershell.exe	96
PID 1140 wrote to memory of 4776	1140	powershell.exe	96
PID 1140 wrote to memory of 4776	1140	powershell.exe	96
PID 1140 wrote to memory of 4776	1140	powershell.exe	96
PID 1140 wrote to memory of 4776	1140	powershell.exe	96

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start shell:AppsFolder\7-Zip_xeys6vq55fk2w!NOTEPAD
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Program Files\WindowsApps\7-Zip_4.12.145.0_x64__xeys6vq55fk2w\PsfLauncher64.exe
"C:\Program Files\WindowsApps\7-Zip_4.12.145.0_x64__xeys6vq55fk2w\PsfLauncher64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3784
- C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
  Powershell.exe -ExecutionPolicy RemoteSigned -file "C:\Program Files\WindowsApps\7-Zip_4.12.145.0_x64__xeys6vq55fk2w\StartingScriptWrapper.ps1" "Powershell.exe -ExecutionPolicy RemoteSigned -file '.\sarghsrtyjsrtyhjwsy.ps1'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -file .\sarghsrtyjsrtyhjwsy.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "VFS\ProgramFilesX64\13\13.exe e VFS\ProgramFilesX64\7-zip3.7z -oC:\Users\Public\7-zip -p7-zip3"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4816
    - - C:\Program Files\WindowsApps\7-Zip_4.12.145.0_x64__xeys6vq55fk2w\VFS\ProgramFilesX64\13\13.exe
        
        VFS\ProgramFilesX64\13\13.exe e VFS\ProgramFilesX64\7-zip3.7z -oC:\Users\Public\7-zip -p7-zip3
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:3604
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "VFS\ProgramFilesX64\13\13.exe e C:\Users\Public\7-zip\7-zip2.7z -oC:\Users\Public\7-zip -p7-zip2"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4860
    - - C:\Program Files\WindowsApps\7-Zip_4.12.145.0_x64__xeys6vq55fk2w\VFS\ProgramFilesX64\13\13.exe
        
        VFS\ProgramFilesX64\13\13.exe e C:\Users\Public\7-zip\7-zip2.7z -oC:\Users\Public\7-zip -p7-zip2
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:3644
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "VFS\ProgramFilesX64\13\13.exe e C:\Users\Public\7-zip\7-zip1.7z -oC:\Users\Public\7-zip -p7-zip1"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Program Files\WindowsApps\7-Zip_4.12.145.0_x64__xeys6vq55fk2w\VFS\ProgramFilesX64\13\13.exe
        
        VFS\ProgramFilesX64\13\13.exe e C:\Users\Public\7-zip\7-zip1.7z -oC:\Users\Public\7-zip -p7-zip1
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:4368
  - - C:\Users\Public\7-zip\7-zip.exe
      "C:\Users\Public\7-zip\7-zip.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:4804
  - - C:\Users\Public\7-zip\7z2408-x64.exe
      "C:\Users\Public\7-zip\7z2408-x64.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4776
- C:\Program Files\WindowsApps\7-Zip_4.12.145.0_x64__xeys6vq55fk2w\VFS\ProgramFilesX64\PsfRunDll64.exe
  "PsfRunDll64.exe"
  2⤵
  PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
87aad8e78fa1fcf1832472672977ac8a

SHA1
54ec64d593902c6968d59224b63c523c86a4cb1f

SHA256
cc07a2c3143e90024344161a6ff532aa5b891c87f70d6dd3dce24848b4a465fc

SHA512
5dd24ed646dce7113a5a137f722b35f9e2999f8e86ad38c23deab3278f0cd95e098851da084d1db02a4a3deb73e1b736cc0cf2577cf6f5c282d93eab5bdd8662

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
63e62e02ee9c90b7adfb2eefe7efa04f

SHA1
9bc1eda86f7f95345c2a3901288b6867447dee6b

SHA256
cbafbcef08446541d49da9d11842ab860628a7d317db15f570b7b1e1048ade11

SHA512
3d2bf16c2a9b42e28dc9d2c18d6d697d3749b14f2f6c708ea9e587022aeb5fbbcffaa49c4f4f994f1cd1f6c886b8d8b6ab3a29d3b65fe0659ea0f2fa9d47ba52

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ndcmihpm.4af.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\7-zip\7-zip.exe

Filesize
54KB

MD5
7f06dcc4844532ba0d64812e6dca5240

SHA1
76527c1ddb0bf3e64dd1ce3ff6aa0708e09366e1

SHA256
ab91de964c96b6a6903fa52419fbb17a2c1fee6817f5704a07db4edc9855e72e

SHA512
93d1b8f22e30ed55c95493f164052bbc4db2c164dc66300fdb8d72df02bc8d1c01aef8bc5b0f2fc7fb1d3786a31229fdc22cd3f457aaec2d3f5f11760b618156

Download Submit
C:\Users\Public\7-zip\7-zip1.7z

Filesize
3.0MB

MD5
7731bf68f066d267df3bef63bfab9d5d

SHA1
207c718c710b34aef7210aef36258eb26715c005

SHA256
ee7f1c5e5d3f5256673676eda7fbd67d4453985a09454b6a25f1426265a4d239

SHA512
43edebcfc6e27f96184b3a823d3bae0e146e9bfadbca73b73fb40919ec51f96011c20dbc3246e2efa057c81d17e3596d6b01d70d985432a63f6deb5869da4e55

Download Submit
C:\Users\Public\7-zip\7-zip2.7z

Filesize
3.0MB

MD5
ae6d25c7739023c856c9386c69779a85

SHA1
b743abfa852888773ff0079ce6ea384a4095a0ed

SHA256
a5f2d407d0e9835aaa8bab43aefa6065090079ca029596514e3e6c02e2f7a617

SHA512
c2009d6eb80377be46985352a10b41949820e60d2c86f1eba02ec39a29416dc014c67c938905ebc3f2ce4bb87a023c1a017bdf2a5657ba45ba826caefc3292a1

Download Submit
C:\Users\Public\7-zip\7z2408-x64.exe

Filesize
1.5MB

MD5
0330d0bd7341a9afe5b6d161b1ff4aa1

SHA1
86918e72f2e43c9c664c246e62b41452d662fbf3

SHA256
67cb9d3452c9dd974b04f4a5fd842dbcba8184f2344ff72e3662d7cdb68b099b

SHA512
850382414d9d33eab134f8bd89dc99759f8d0459b7ad48bd9588405a3705aeb2cd727898529e3f71d9776a42e141c717e844e0b5c358818bbeac01d096907ad1

Download Submit
C:\Users\Public\7-zip\HTCTL32.DLL

Filesize
320KB

MD5
2d3b207c8a48148296156e5725426c7f

SHA1
ad464eb7cf5c19c8a443ab5b590440b32dbc618f

SHA256
edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

SHA512
55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Download Submit
C:\Users\Public\7-zip\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Public\7-zip\NSM.LIC

Filesize
2KB

MD5
c3acb1af45f26f321b16254a1150e5cc

SHA1
49267c214c8fafed1570a61b4aafb5b2a02fba6a

SHA256
6f22d4f19fd1bd72005354747065f6be2282983481def538cdede31df6bebdea

SHA512
97520c355b4b68bbe96606debd9fcb6fb13ecddcd35e6281c34175e4c582111c3f23bf16d27945a5f436a4a99472838de643b700ffb0f45cbeda45fe158436f3

Download Submit
C:\Users\Public\7-zip\PCICHEK.DLL

Filesize
18KB

MD5
a0b9388c5f18e27266a31f8c5765b263

SHA1
906f7e94f841d464d4da144f7c858fa2160e36db

SHA256
313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

SHA512
6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

Download Submit
C:\Users\Public\7-zip\PCICL32.dll

Filesize
3.5MB

MD5
ad51946b1659ed61b76ff4e599e36683

SHA1
dfe2439424886e8acf9fa3ffde6caaf7bfdd583e

SHA256
07a191254362664b3993479a277199f7ea5ee723b6c25803914eedb50250acf4

SHA512
6c30e7793f69508f6d9aa6edcec6930ba361628ef597e32c218e15d80586f5a86d89fcbee63a35eab7b1e0ae26277512f4c1a03df7912f9b7ff9a9a858cf3962

Download Submit
C:\Users\Public\7-zip\client32.ini

Filesize
644B

MD5
4476ca03aa5af31af5b9e6b52a32ce55

SHA1
b41340ae70f685e279e708f9450e38b910a60ef7

SHA256
2b8d5b9d5fa2e8f7733839bb592a1b1ebc2723a37c8be0410396beb33e2d4648

SHA512
75d3a895e6ed586b0963362d3fda9f970e8988d86b2414cf3ec24e4086c9de54b37e2dee1a0dc11b283edb5af66306fcbdd22cab44a42deb263606e8f390ef41

Download Submit
C:\Users\Public\7-zip\pcicapi.dll

Filesize
32KB

MD5
dcde2248d19c778a41aa165866dd52d0

SHA1
7ec84be84fe23f0b0093b647538737e1f19ebb03

SHA256
9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

SHA512
c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

Download Submit
memory/3784-17-0x00007FFBF7090000-0x00007FFBF70A0000-memory.dmp

Filesize
64KB

Download
memory/3784-15-0x00007FFC370AC000-0x00007FFC370AD000-memory.dmp

Filesize
4KB

Download
memory/3784-16-0x00007FF633B70000-0x00007FF633B80000-memory.dmp

Filesize
64KB

Download
memory/3784-21-0x00007FF633B70000-0x00007FF633B80000-memory.dmp

Filesize
64KB

Download
memory/4460-18-0x00007FF7B63C0000-0x00007FF7B63D0000-memory.dmp

Filesize
64KB

Download
memory/4460-20-0x00007FF7B63C0000-0x00007FF7B63D0000-memory.dmp

Filesize
64KB

Download
memory/5056-0-0x00007FFC19133000-0x00007FFC19135000-memory.dmp

Filesize
8KB

Download
memory/5056-14-0x00007FFC19130000-0x00007FFC19BF1000-memory.dmp

Filesize
10.8MB

Download
memory/5056-12-0x00007FFC19130000-0x00007FFC19BF1000-memory.dmp

Filesize
10.8MB

Download
memory/5056-11-0x00007FFC19130000-0x00007FFC19BF1000-memory.dmp

Filesize
10.8MB

Download
memory/5056-6-0x000001E96F1D0000-0x000001E96F1F2000-memory.dmp

Filesize
136KB

Download