netsupport | 0de9d11dc03f8927cabdf869b2bc48ea3536ec8c4f0f3b6eb87c86b976267965

Analysis

max time kernel
272s
max time network
330s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
04-11-2024 10:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

672.0MB
MD5

2317a9b2d6251c4584c704a45cd28a7d
SHA1

bcba0deb1f26eaa23d25851958bded4b7b820803
SHA256

0de9d11dc03f8927cabdf869b2bc48ea3536ec8c4f0f3b6eb87c86b976267965
SHA512

da934440092785452715f78e0aaf66ab88ab08dc401ee634e08dc1bd8a03e87a6773d46ef623944e0a700a949c375513d0a5b65ceaba66ea5f1c8c83806c2696
SSDEEP

12582912:X98vMvMvMvMvMvMvMvMvaVSsDLAVSsDLAVSsDLAVSsDLAVSsDLAVSsDLavMvMvMX:toYYYYYYYYa8sD88sD88sD88sD88sD8T

Score

10^/10

netsupport discovery rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
Netsupport family
netsupport
Drops startup file 1 IoCs

Processes:

file.tmp

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.lnk file.tmp
Executes dropped EXE 2 IoCs

Processes:

file.tmpchrome.exe

pid process

2060 file.tmp
1052 chrome.exe
Loads dropped DLL 7 IoCs

Processes:

file.exefile.tmpchrome.exe

pid process

2896 file.exe
2060 file.tmp
1052 chrome.exe
1052 chrome.exe
1052 chrome.exe
1052 chrome.exe
1052 chrome.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.lnk	file.tmp

pid	process
2060	file.tmp
1052	chrome.exe

pid	process
2896	file.exe
2060	file.tmp
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe
1052	chrome.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

file.exefile.tmpchrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

file.tmp

pid process

2060 file.tmp
2060 file.tmp
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

file.tmp

pid process

2060 file.tmp
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

chrome.exe

description pid process

Token: SeSecurityPrivilege 1052 chrome.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

file.tmpchrome.exe

pid process

2060 file.tmp
1052 chrome.exe

pid	process
2060	file.tmp
2060	file.tmp

pid	process
2060	file.tmp

description	pid	process
Token: SeSecurityPrivilege	1052	chrome.exe

pid	process
2060	file.tmp
1052	chrome.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

file.exefile.tmp

description	pid	process	target process
PID 2896 wrote to memory of 2060	2896	file.exe	file.tmp
PID 2896 wrote to memory of 2060	2896	file.exe	file.tmp
PID 2896 wrote to memory of 2060	2896	file.exe	file.tmp
PID 2896 wrote to memory of 2060	2896	file.exe	file.tmp
PID 2896 wrote to memory of 2060	2896	file.exe	file.tmp
PID 2896 wrote to memory of 2060	2896	file.exe	file.tmp
PID 2896 wrote to memory of 2060	2896	file.exe	file.tmp
PID 2060 wrote to memory of 1052	2060	file.tmp	chrome.exe
PID 2060 wrote to memory of 1052	2060	file.tmp	chrome.exe
PID 2060 wrote to memory of 1052	2060	file.tmp	chrome.exe
PID 2060 wrote to memory of 1052	2060	file.tmp	chrome.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Users\Admin\AppData\Local\Temp\is-MLU8K.tmp\file.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-MLU8K.tmp\file.tmp" /SL5="$40108,703554386,1060352,C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Users\Admin\AppData\Roaming\Chrome\Application\chrome.exe
    "C:\Users\Admin\AppData\Roaming\Chrome\Application\chrome.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Chrome\Application\HTCTL32.DLL

Filesize
320KB

MD5
8a89ba232537736970bf98ecf01c54c7

SHA1
75edd42f3d01c082538b479006ae0323cbed942a

SHA256
5fec19686bca8df1cd6bf86284c9b8ed45e93219bc0dc3d7756a3bbf02c47240

SHA512
bee18154346c6ce76a2e3a6f41a0591504c2afb895c8652df6ed98a81606d5efe2b791857ae361ce905b79c0b433f805d5f0983dfc30c8b5c646bc4f594e7225

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome\Application\NSM.LIC

Filesize
259B

MD5
4e8ecebce46ceef1f6e29c71b6d3be94

SHA1
2345f5203dc819c33782d8f3632f13e835066392

SHA256
76f0b30a1d93469ab744ac81a2f9f96f180e5df964189d3f9b71aef2673dff46

SHA512
80c0949bc0842e036a3ee3ca2023af9465c3f9d6a18a028b1453630a6b1005c9d9b44747600c41899ad551a57510fbe845a7f06df04763ec278189f22b4d2b3e

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome\Application\chrome.exe

Filesize
82KB

MD5
f4f1bde08bfc4e0a23b8a839edbc1ee8

SHA1
e54f29e4cba5f6d80da2a0739c01d7935e460e98

SHA256
758f78eaf2c35d4988107303fbece4ce21a889b205d3ad7b2803626bae5aac78

SHA512
b989d4e73153bc43e40503c5bc98fdf6fd4bbf9672b83843de01ba0620c6f1f16dae124b954f012c0d6ae72dfa9bc887e303ad4a3c1a708cf468b5a394f99eb4

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome\Application\client32.ini

Filesize
770B

MD5
b3fae2043958490e4603920a741d3a57

SHA1
475a74d1f3b770716894604a4dbd251f3080a20a

SHA256
02134f381ec8dd3770f4cbcd9ffa2a583c301a337579203a6b8473cae4156310

SHA512
2fe7520d1bf73437083b4972e1329209b889f2c63a3e4d3349deb555be321cd025a0e50f9c909431a268ae60ef37c25669068bdc51f2e980e43ccc1ad5dce713

Download Submit
C:\Users\Admin\AppData\Roaming\PokemonGo\Game\OpenImageDenoise1.dll

Filesize
47.5MB

MD5
43b8ae36fb551bb0226bb59cf21431ce

SHA1
a18980353bce3abb27d40ec1e17b4d25f155c30d

SHA256
11213c268e6c67262d48e7351e1f6c196acbb91a9a1cf059d4d758c34368f08a

SHA512
26e3a28976ad880bafb12eba9d2fd7cf86cb21dcde465094a78ccb6aad4e33b0465dd8fad7df7c36a2787cb94010768e2e4c403ef24e4de2cefa7eb77e3d55ba

Download Submit
\Users\Admin\AppData\Local\Temp\is-MLU8K.tmp\file.tmp

Filesize
3.4MB

MD5
88fa0ce520cc6437f540a7c3086f7377

SHA1
1f87a36721f159dbe4e30ab5c05906de9534fc98

SHA256
117335a2f5f92f5d4f3ac77e560dfc91cca49146a11de954959bda5794ba5900

SHA512
1640662c66138379f1d49154e8a2121eec99438f64f8dcd0338872824667b8528b2cf7f7d73b3f3f7cfd840aa9ae90a79ba8ea3c130ff34fe8dd1d899135949a

Download Submit
\Users\Admin\AppData\Roaming\Chrome\Application\PCICHEK.DLL

Filesize
18KB

MD5
50b98335b28799586bfacba3a99f0fa1

SHA1
f26f3ef57aab527e2a017852f410b31a69477b3d

SHA256
10d8c59abf00412a45e0e1a1c726e2fa592f1eb375f0d3bad4e2156f26038be5

SHA512
c45b0f10ed58855c00f0a652139772daf35b314692b9e29d11c81c7100e27b15327cc9a0bbf988fdc05f12a461615f5a0f4bc2be44d26924d9c678b38cda1693

Download Submit
\Users\Admin\AppData\Roaming\Chrome\Application\PCICL32.DLL

Filesize
3.3MB

MD5
8eb6ca52ec883b2757df3c0f6faa8a86

SHA1
b0426740647284b4d9359d2ec3e5a769404a0893

SHA256
e255f67ab3326a61a66c63d38aad008a6c3f1465d30d81165398d814728a7e3f

SHA512
01d6d098874ff79303845a8adb9dbf3c967fb237285cfac269155b67abab34536a8aeab367b4dbbb294fc6630c0687de5f2e187cf29fd796f5d995add687eb10

Download Submit
\Users\Admin\AppData\Roaming\Chrome\Application\msvcr100.dll

Filesize
760KB

MD5
05d8ddd5f846e359c2a47a1acaf48152

SHA1
55536e57c01994522f0df20f1d90d42f50b87c26

SHA256
5419dd057de5c6540a16404a104e12d7604eebb385e409cbcf06d129aaad2cee

SHA512
5e51a362643e40ec3c887e50f6668bfce63da10e6fe2ec44d72b9233117b75f2c906aae995d9079c2620737db95689ba4dcd2c8180e0ec450776b5c3ec3576e2

Download Submit
\Users\Admin\AppData\Roaming\Chrome\Application\pcicapi.DLL

Filesize
110KB

MD5
b6a351c84deac783adf1908e15df03a9

SHA1
9d72998c03c3fa2b12e6c72e6645554d88dd1025

SHA256
df4d6022658e493436896190ed3b1302e2ffc6a7e23e6ab7959adbe67f0edcfe

SHA512
83942f8d226538baf39f728e0946806fdac0508379ce8ce71829ca09ee9a268a10d833dcd92904882f30e84a8c4e5ce7da79a2adbad8660204c8a14551c30f19

Download Submit
memory/2060-65-0x0000000000870000-0x0000000000BE0000-memory.dmp

Filesize
3.4MB

Download
memory/2060-73-0x0000000000870000-0x0000000000BE0000-memory.dmp

Filesize
3.4MB

Download
memory/2060-86-0x0000000000870000-0x0000000000BE0000-memory.dmp

Filesize
3.4MB

Download
memory/2060-99-0x0000000000870000-0x0000000000BE0000-memory.dmp

Filesize
3.4MB

Download
memory/2060-107-0x0000000000870000-0x0000000000BE0000-memory.dmp

Filesize
3.4MB

Download
memory/2060-115-0x0000000000870000-0x0000000000BE0000-memory.dmp

Filesize
3.4MB

Download
memory/2060-120-0x0000000000870000-0x0000000000BE0000-memory.dmp

Filesize
3.4MB

Download
memory/2060-128-0x0000000000870000-0x0000000000BE0000-memory.dmp

Filesize
3.4MB

Download
memory/2060-78-0x0000000000870000-0x0000000000BE0000-memory.dmp

Filesize
3.4MB

Download
memory/2060-94-0x0000000000870000-0x0000000000BE0000-memory.dmp

Filesize
3.4MB

Download
memory/2060-8-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2060-56-0x0000000000870000-0x0000000000BE0000-memory.dmp

Filesize
3.4MB

Download
memory/2060-57-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2060-148-0x0000000000870000-0x0000000000BE0000-memory.dmp

Filesize
3.4MB

Download
memory/2896-150-0x0000000000340000-0x0000000000451000-memory.dmp

Filesize
1.1MB

Download
memory/2896-55-0x0000000000340000-0x0000000000451000-memory.dmp

Filesize
1.1MB

Download
memory/2896-2-0x0000000000341000-0x00000000003E9000-memory.dmp

Filesize
672KB

Download
memory/2896-0-0x0000000000340000-0x0000000000451000-memory.dmp

Filesize
1.1MB

Download