Malware Analysis Report

2024-10-23 16:12

Sample ID 241016-fzfq9aydpk
Target a378a6a5e51b753df66e6d1111d415dd61208f7e1489128ff9cc6cd1c726ac00.zip
SHA256 a378a6a5e51b753df66e6d1111d415dd61208f7e1489128ff9cc6cd1c726ac00
Tags: netsupport discovery persistence rat
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

a378a6a5e51b753df66e6d1111d415dd61208f7e1489128ff9cc6cd1c726ac00

Threat Level: Known bad

The file a378a6a5e51b753df66e6d1111d415dd61208f7e1489128ff9cc6cd1c726ac00.zip was found to be: Known bad.

Malicious Activity Summary

netsupport discovery persistence rat

NetSupport

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 05:18

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 05:18

Reported

2024-10-16 05:20

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\yearprogrampro\yearprogrampro.exe"

Signatures

NetSupport

rat netsupport

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\DNScache\client32.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\yearprogrampro\yearprogrampro.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3312 set thread context of 5112 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\DNScache\client32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\DNScache\client32.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\DNScache\client32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1564 wrote to memory of 3312 | N/A | C:\Users\Admin\AppData\Local\Temp\yearprogrampro\yearprogrampro.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe
PID 1564 wrote to memory of 3312 | N/A | C:\Users\Admin\AppData\Local\Temp\yearprogrampro\yearprogrampro.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe
PID 1564 wrote to memory of 3312 | N/A | C:\Users\Admin\AppData\Local\Temp\yearprogrampro\yearprogrampro.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe
PID 3312 wrote to memory of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3312 wrote to memory of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3312 wrote to memory of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3312 wrote to memory of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3312 wrote to memory of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3312 wrote to memory of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3312 wrote to memory of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3312 wrote to memory of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3312 wrote to memory of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3312 wrote to memory of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3312 wrote to memory of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3312 wrote to memory of 5112 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3312 wrote to memory of 5112 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3312 wrote to memory of 5112 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3312 wrote to memory of 5112 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3312 wrote to memory of 5112 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3312 wrote to memory of 5112 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3312 wrote to memory of 5112 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3312 wrote to memory of 5112 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3312 wrote to memory of 5112 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3312 wrote to memory of 5112 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 3312 wrote to memory of 5112 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 5112 wrote to memory of 2716 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\SysWOW64\schtasks.exe
PID 5112 wrote to memory of 2716 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\SysWOW64\schtasks.exe
PID 5112 wrote to memory of 2716 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\SysWOW64\schtasks.exe
PID 5112 wrote to memory of 3632 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Users\Admin\AppData\Local\DNScache\client32.exe
PID 5112 wrote to memory of 3632 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Users\Admin\AppData\Local\DNScache\client32.exe
PID 5112 wrote to memory of 3632 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Users\Admin\AppData\Local\DNScache\client32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\yearprogrampro\yearprogrampro.exe

"C:\Users\Admin\AppData\Local\Temp\yearprogrampro\yearprogrampro.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /sc ONLOGON /tn "DNScache" /tr "C:\Users\Admin\AppData\Local\DNScache\client32.exe" /RL HIGHEST

C:\Users\Admin\AppData\Local\DNScache\client32.exe

C:\Users\Admin\AppData\Local\DNScache\client32.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | cycleconf.com | udp
NL | 23.254.224.41:443 | cycleconf.com | tcp
US | 8.8.8.8:53 | 41.224.254.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp
US | 8.8.8.8:53 | ganeres1.com | udp
US | 8.8.8.8:53 | geo.netsupportsoftware.com | udp
US | 104.26.1.231:80 | geo.netsupportsoftware.com | tcp
NL | 91.201.112.10:3785 | ganeres1.com | tcp
US | 104.26.1.231:80 | geo.netsupportsoftware.com | tcp
US | 104.26.1.231:80 | geo.netsupportsoftware.com | tcp
US | 8.8.8.8:53 | 231.1.26.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.112.201.91.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yearprogram.exe

MD5 6fa89393a624a32bc158ee1332e59a62
SHA1 29fc34d4f4a968a39e0a63aa02c52efa6326ab21
SHA256 eb80160b232aed097a23127ccc243649aa6939901186de4bf319d549418f663c
SHA512 91750d3d0c0e68a17b0a725703deaa7c1b1f3090af2a1fd756254e5b338407de2ae6f6f75beacf56a297e83ae3b3918ab83ae6042068211d58b5c23d2593d45b

memory/3312-5-0x0000000074CDE000-0x0000000074CDF000-memory.dmp

memory/3312-6-0x0000000000DA0000-0x0000000000EB8000-memory.dmp

memory/3312-7-0x0000000005940000-0x0000000005EE4000-memory.dmp

memory/3312-8-0x0000000005390000-0x0000000005422000-memory.dmp

memory/3312-9-0x0000000005430000-0x00000000054CC000-memory.dmp

memory/3312-10-0x0000000074CD0000-0x0000000075480000-memory.dmp

memory/3312-11-0x00000000054D0000-0x000000000556E000-memory.dmp

memory/3312-12-0x00000000055B0000-0x00000000055BA000-memory.dmp

memory/3312-13-0x0000000074CD0000-0x0000000075480000-memory.dmp

memory/3312-14-0x0000000074CDE000-0x0000000074CDF000-memory.dmp

memory/3312-15-0x0000000074CD0000-0x0000000075480000-memory.dmp

memory/3312-16-0x0000000007030000-0x000000000704A000-memory.dmp

memory/3312-17-0x0000000009620000-0x0000000009626000-memory.dmp

memory/5112-18-0x0000000000400000-0x0000000000428000-memory.dmp

memory/5112-20-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3312-21-0x0000000074CD0000-0x0000000075480000-memory.dmp

C:\Users\Admin\AppData\Local\DNScache\client32.exe

MD5 9497aece91e1ccc495ca26ae284600b9
SHA1 a005d8ce0c1ea8901c1b4ea86c40f4925bd2c6da
SHA256 1b63f83f06dbd9125a6983a36e0dbd64026bb4f535e97c5df67c1563d91eff89
SHA512 4c892e5029a707bcf73b85ac110d8078cb273632b68637e9b296a7474ab0202320ff24cf6206de04af08abf087654b0d80cbecfae824c06616c47ce93f0929c9

C:\Users\Admin\AppData\Local\DNScache\PCICL32.dll

MD5 ad51946b1659ed61b76ff4e599e36683
SHA1 dfe2439424886e8acf9fa3ffde6caaf7bfdd583e
SHA256 07a191254362664b3993479a277199f7ea5ee723b6c25803914eedb50250acf4
SHA512 6c30e7793f69508f6d9aa6edcec6930ba361628ef597e32c218e15d80586f5a86d89fcbee63a35eab7b1e0ae26277512f4c1a03df7912f9b7ff9a9a858cf3962

C:\Users\Admin\AppData\Local\DNScache\pcicapi.dll

MD5 dcde2248d19c778a41aa165866dd52d0
SHA1 7ec84be84fe23f0b0093b647538737e1f19ebb03
SHA256 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
SHA512 c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

C:\Users\Admin\AppData\Local\DNScache\PCICHEK.DLL

MD5 a0b9388c5f18e27266a31f8c5765b263
SHA1 906f7e94f841d464d4da144f7c858fa2160e36db
SHA256 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
SHA512 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

C:\Users\Admin\AppData\Local\DNScache\msvcr100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

C:\Users\Admin\AppData\Local\DNScache\client32.ini

MD5 6eeb15a71863a041860f4d235f262c43
SHA1 56d8f4bc78e9ba306ae76c78bf63199da85bb157
SHA256 8c4058275296cdac4be580f5b4b5edaad854202977544f1cba66afbf5e80ca59
SHA512 2b02a3b94c91d0d6f836dfe501d360492dd01d01adedbd231e8bbe1db6052fd418a0c41ad0d72de1835a3427ee24b50f95c97b4929db48214432cc284a5d9cd1

C:\Users\Admin\AppData\Local\DNScache\NSM.LIC

MD5 1dc87146379e5e3f85fd23b25889ae2a
SHA1 b750c56c757ad430c9421803649acf9acd15a860
SHA256 f7d80e323e7d0ed1e3ddd9b5df08af23dcecb47a3e289314134d4b76b3adcaf2
SHA512 7861abe50eefdf4452e4baacc4b788895610196b387b70ddeab7bc70735391ed0a015f47eada94a368b82f8e5cedb5a2096e624f4a881ff067937ad159e3562c

C:\Users\Admin\AppData\Local\DNScache\HTCTL32.DLL

MD5 2d3b207c8a48148296156e5725426c7f
SHA1 ad464eb7cf5c19c8a443ab5b590440b32dbc618f
SHA256 edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
SHA512 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c