Malware Analysis Report

2024-10-23 16:12

Sample ID 241016-cwrgssxhld
Target 6cbac4c735bba82b907ccfd6d5e5f65523860afcdf40e1c37a4295d209701665.zip
SHA256 6cbac4c735bba82b907ccfd6d5e5f65523860afcdf40e1c37a4295d209701665
Tags
netsupport discovery persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6cbac4c735bba82b907ccfd6d5e5f65523860afcdf40e1c37a4295d209701665

Threat Level: Known bad

The file 6cbac4c735bba82b907ccfd6d5e5f65523860afcdf40e1c37a4295d209701665.zip was found to be: Known bad.

Malicious Activity Summary

netsupport discovery persistence rat

NetSupport

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

System Location Discovery: System Language Discovery

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 02:25

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 02:25

Reported

2024-10-16 02:28

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\alsodiscussionpro\alsodiscussionpro.exe"

Signatures

NetSupport

rat netsupport

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\alsodiscussion.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\DNScache\client32.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\alsodiscussionpro\alsodiscussionpro.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2144 set thread context of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\alsodiscussion.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\alsodiscussion.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\DNScache\client32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\alsodiscussion.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\DNScache\client32.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\DNScache\client32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1848 wrote to memory of 2144 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\alsodiscussionpro\alsodiscussionpro.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\alsodiscussion.exe
PID 2144 wrote to memory of 2904 (11 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\alsodiscussion.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2904 wrote to memory of 584 (3 events) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2904 wrote to memory of 4112 (3 events) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Users\Admin\AppData\Local\DNScache\client32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\alsodiscussionpro\alsodiscussionpro.exe

"C:\Users\Admin\AppData\Local\Temp\alsodiscussionpro\alsodiscussionpro.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\alsodiscussion.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\alsodiscussion.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "DNScache" /tr "C:\Users\Admin\AppData\Local\DNScache\client32.exe" /RL HIGHEST

C:\Users\Admin\AppData\Local\DNScache\client32.exe

C:\Users\Admin\AppData\Local\DNScache\client32.exe

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | cycleconf.com | udp | 1
NL | 23.254.224.41:443 | cycleconf.com | tcp | 1
US | 8.8.8.8:53 | 41.224.254.23.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | ganeres1.com | udp | 1
NL | 91.201.112.10:3785 | ganeres1.com | tcp | 1
US | 8.8.8.8:53 | geo.netsupportsoftware.com | udp | 1
US | 172.67.68.212:80 | geo.netsupportsoftware.com | tcp | 3
US | 8.8.8.8:53 | 10.112.201.91.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 212.68.67.172.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | tse1.mm.bing.net | udp | 1
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp | 5
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | | udp | 1

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\alsodiscussion.exe

MD5 aedf7f67cf6d7f8ef348ba681046fe51
SHA1 707ac1c67e2d569613c1b5cc3f809d6bd3cddc26
SHA256 6ba3976f8956dceb2903dc89b9b66c3d81ceb93566b6244b58c4929a454815c0
SHA512 83297d6611b3c168952c700a10fcca736fe96205298a81eb4d21523b260f933b41f71f4fc9da41b60098d0687d822be6a93b3b29caf692bfaa32e1762a392a01

C:\Users\Admin\AppData\Local\DNScache\client32.exe

MD5 9497aece91e1ccc495ca26ae284600b9
SHA1 a005d8ce0c1ea8901c1b4ea86c40f4925bd2c6da
SHA256 1b63f83f06dbd9125a6983a36e0dbd64026bb4f535e97c5df67c1563d91eff89
SHA512 4c892e5029a707bcf73b85ac110d8078cb273632b68637e9b296a7474ab0202320ff24cf6206de04af08abf087654b0d80cbecfae824c06616c47ce93f0929c9

C:\Users\Admin\AppData\Local\DNScache\PCICL32.dll

MD5 ad51946b1659ed61b76ff4e599e36683
SHA1 dfe2439424886e8acf9fa3ffde6caaf7bfdd583e
SHA256 07a191254362664b3993479a277199f7ea5ee723b6c25803914eedb50250acf4
SHA512 6c30e7793f69508f6d9aa6edcec6930ba361628ef597e32c218e15d80586f5a86d89fcbee63a35eab7b1e0ae26277512f4c1a03df7912f9b7ff9a9a858cf3962

C:\Users\Admin\AppData\Local\DNScache\HTCTL32.DLL

MD5 2d3b207c8a48148296156e5725426c7f
SHA1 ad464eb7cf5c19c8a443ab5b590440b32dbc618f
SHA256 edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
SHA512 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

C:\Users\Admin\AppData\Local\DNScache\client32.ini

MD5 5274a126ee2f7f926fb8f9ac53a57abd
SHA1 10eeb6dbd99013c7969c27d09104fcb0ffbd97da
SHA256 b3f198f6976b2a97a0aafd4127bf1a274c3ca388226de13da37f3b5976b439ca
SHA512 fcf0b3c57bd2db6544274cb622c4855e915c74705c311e3f94749a401238ebf525fb4c9607528dedb9944b8c682a3da2e4bcdd9a0e6d7367241430e54ab290db

C:\Users\Admin\AppData\Local\DNScache\NSM.LIC

MD5 1dc87146379e5e3f85fd23b25889ae2a
SHA1 b750c56c757ad430c9421803649acf9acd15a860
SHA256 f7d80e323e7d0ed1e3ddd9b5df08af23dcecb47a3e289314134d4b76b3adcaf2
SHA512 7861abe50eefdf4452e4baacc4b788895610196b387b70ddeab7bc70735391ed0a015f47eada94a368b82f8e5cedb5a2096e624f4a881ff067937ad159e3562c

C:\Users\Admin\AppData\Local\DNScache\msvcr100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

C:\Users\Admin\AppData\Local\DNScache\pcicapi.dll

MD5 dcde2248d19c778a41aa165866dd52d0
SHA1 7ec84be84fe23f0b0093b647538737e1f19ebb03
SHA256 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
SHA512 c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

C:\Users\Admin\AppData\Local\DNScache\PCICHEK.DLL

MD5 a0b9388c5f18e27266a31f8c5765b263
SHA1 906f7e94f841d464d4da144f7c858fa2160e36db
SHA256 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
SHA512 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd