Overview

overview

10

Static

static

3

NeftPaymen...pg.exe

windows7-x64

10

NeftPaymen...pg.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-10-2024 08:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NeftPaymentError_details__Emdtd22102024_jpg.exe

  • Size

    2.3MB

  • MD5

    09ea0337f7f0473922a718413cc6bc5e

  • SHA1

    9ed5e11b7e1f07ce71952748da306be20fcc39be

  • SHA256

    981925c258affa8325776606cb6da874b915b67f6c3632dbea8881813b22cef7

  • SHA512

    41564c74cf91d46775ca4a8b71a263854338eadbb3f388608f2d61dcefc8dbf355003ce57306ca874b0c9da4ae2c367a572970c197184c2468c14851ef65dd1f

  • SSDEEP

    49152:s9SCKBC24/xi+jpOQEojbkYML+E60CO/JKYhuI:sYCK022w+pO9ofML+EfVcYAI

Score
10/10
netsupportdiscoveryrat

Malware Config

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as a legitimate system administration software.

    ratnetsupport
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NeftPaymentError_details__Emdtd22102024_jpg.exe
    "C:\Users\Admin\AppData\Local\Temp\NeftPaymentError_details__Emdtd22102024_jpg.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1756
    • C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe
      "C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:3696

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\updatein1432\HTCTL32.DLL
    Filesize

    316KB

    MD5

    051cdb6ac8e168d178e35489b6da4c74

    SHA1

    38c171457d160f8a6f26baa668f5c302f6c29cd1

    SHA256

    6562585009f15155eea9a489e474cebc4dd2a01a26d846fdd1b93fdc24b0c269

    SHA512

    602ab9999f7164a2d1704f712d8a622d69148eefe9a380c30bc8b310eadedf846ce6ae7940317437d5da59404d141dc2d1e0c3f954ca4ac7ae3497e56fcb4e36

    Download Submit

  • C:\Users\Admin\AppData\Roaming\updatein1432\NSM.LIC
    Filesize

    262B

    MD5

    35b4ea845eb5d44743a5e68ad8f24c91

    SHA1

    4109e52c70a3d3749207d7b48d632f044bbc090d

    SHA256

    88448fa440aeaff2b4c43f9daca92f9948e32d1e42e822695902a870a23173bc

    SHA512

    b47f8bc0dcb99de187f09cfd79a15f0c3ed59b36df088c0ffb36b6970759511ef93cd868693f727c2a9ac043b3721c127f1b494c45a246c90c1fc038409b96fa

    Download Submit

  • C:\Users\Admin\AppData\Roaming\updatein1432\PCICL32.dll
    Filesize

    3.3MB

    MD5

    e7b92529ea10176fe35ba73fa4edef74

    SHA1

    fc5b325d433cde797f6ad0d8b1305d6fb16d4e34

    SHA256

    b6d4ad0231941e0637485ac5833e0fdc75db35289b54e70f3858b70d36d04c80

    SHA512

    fb3a70e87772c1fb386ad8def6c7bdf325b8d525355d4386102649eb2d61f09ce101fce37ccc1f44d5878e604e2e426d96618e836367ab460cae01f627833517

    Download Submit

  • C:\Users\Admin\AppData\Roaming\updatein1432\client32.exe
    Filesize

    117KB

    MD5

    297ea82401acbead6ba4b19880df2b8c

    SHA1

    32664b5f0b27e26e75dbd97f1ed11397e4d1c9a6

    SHA256

    72d9bd23541500a0f0fb657da320a039894939500be7d217c6627d05fcc5e629

    SHA512

    c29951bed7cd6a6431bf15848dafe3a438a05e1021eac4b5a73585a6b39e7ecfb94567566d1641284533b80dba3ef45070e933b98e472bf206e65cc5a6ce5b06

    Download Submit

  • C:\Users\Admin\AppData\Roaming\updatein1432\client32.ini
    Filesize

    817B

    MD5

    e56108e0f4c58cbcaf1eec8700d490a0

    SHA1

    91bf59720ea436934a6c38a9e7dd857392563c8a

    SHA256

    2f2f709bf04dcc1198f5b7c9b3ed5d0a21936ff745ec3a99e1fb993474ca0c22

    SHA512

    36e28ff4fe3b956941ffa9fbed20ab99a50a149cb17696555d15e75c5c727d30eacd4cbd47dd339d459a5681843f9e5b9ab4319f19fc084d6ad8cfa31edfad8e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\updatein1432\msvcr100.dll
    Filesize

    755KB

    MD5

    0e37fbfa79d349d672456923ec5fbbe3

    SHA1

    4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

    SHA256

    8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

    SHA512

    2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

    Download Submit

  • C:\Users\Admin\AppData\Roaming\updatein1432\pcicapi.dll
    Filesize

    106KB

    MD5

    67c53a770390e8c038060a1921c20da9

    SHA1

    49e63af91169c8ce7ef7de3d6a6fb9f8f739fa3a

    SHA256

    2dfdc169dfc27462adc98dde39306de8d0526dcf4577a1a486c2eef447300689

    SHA512

    201e07dbccd83480d6c4d8562e6d0a9e4c52ed12895f0b91d875c2bbcc50b3b1802e11e5e829c948be302bf98ebde7fb2a99476065d1709b3bdbcd5d59a1612d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\updatein1432\pcichek.dll
    Filesize

    14KB

    MD5

    3aabcd7c81425b3b9327a2bf643251c6

    SHA1

    ea841199baa7307280fc9e4688ac75e5624f2181

    SHA256

    0cff893b1e7716d09fb74b7a0313b78a09f3f48c586d31fc5f830bd72ce8331f

    SHA512

    97605b07be34948541462000345f1e8f9a9134d139448d4f331cefeeca6dad51c025fcab09d182b86e5a4a8e2f9412b3745ec86b514b0523497c821cb6b8c592

    Download Submit