netsupport | b4fc1f1ec4841c672740024138b18332033eec5a8378ee9f6496211a05497bd2

Analysis

max time kernel
94s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2024 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dropper (infected).zip
Size

2.4MB
MD5

b8d0924ea981b99d8e856b1f013cfeda
SHA1

e57a6dd63d3186ad6e61bba5e782cce0be589183
SHA256

b4fc1f1ec4841c672740024138b18332033eec5a8378ee9f6496211a05497bd2
SHA512

5216523da5ff0a543a79bdb60bf76ccc287b1f49caf9c7f8748f7b98edfcf72fdd7ccae0edee578fb307cd3e0679eeae2bf86826e47c96d1d580ab7c13741674
SSDEEP

49152:CoEdoCPK4sUz4OOAZJF8m9aMpw6T+rCG0swc/KE1K8mSNNO1pTz3dQXXM:sRmUz35b8EbwY+r9x6ANNOf3+nM

Score

10^/10

netsupport discovery rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
Netsupport family
netsupport

Executes dropped EXE 4 IoCs

Processes:

client32.exeImagingDevices.exeremcmdstub.exewabmig.exe

pid	Process
3448	client32.exe
2908	ImagingDevices.exe
2332	remcmdstub.exe
1924	wabmig.exe

Loads dropped DLL 5 IoCs

Processes:

client32.exe

pid	Process
3448	client32.exe
3448	client32.exe
3448	client32.exe
3448	client32.exe
3448	client32.exe

Drops file in Windows directory 1 IoCs

Processes:

ImagingDevices.exe

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	ImagingDevices.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

remcmdstub.execlient32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcmdstub.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

7zFM.execlient32.exesvchost.exe

description	pid	Process
Token: SeRestorePrivilege	2932	7zFM.exe
Token: 35	2932	7zFM.exe
Token: SeSecurityPrivilege	2932	7zFM.exe
Token: SeSecurityPrivilege	3448	client32.exe
Token: SeBackupPrivilege	1888	svchost.exe
Token: SeRestorePrivilege	1888	svchost.exe
Token: SeSecurityPrivilege	1888	svchost.exe
Token: SeTakeOwnershipPrivilege	1888	svchost.exe
Token: 35	1888	svchost.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

7zFM.execlient32.exe

pid	Process
2932	7zFM.exe
2932	7zFM.exe
3448	client32.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\dropper (infected).zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2932

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1860

C:\Users\Admin\Desktop\dropper\client32.exe
"C:\Users\Admin\Desktop\dropper\client32.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3448

C:\Users\Admin\Desktop\dropper\ImagingDevices.exe
"C:\Users\Admin\Desktop\dropper\ImagingDevices.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:2340

C:\Users\Admin\Desktop\dropper\remcmdstub.exe
"C:\Users\Admin\Desktop\dropper\remcmdstub.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2332

C:\Users\Admin\Desktop\dropper\wabmig.exe
"C:\Users\Admin\Desktop\dropper\wabmig.exe"
1⤵
- Executes dropped EXE
PID:1924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\dropper\HTCTL32.DLL

Filesize
320KB

MD5
2d3b207c8a48148296156e5725426c7f

SHA1
ad464eb7cf5c19c8a443ab5b590440b32dbc618f

SHA256
edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

SHA512
55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Download Submit
C:\Users\Admin\Desktop\dropper\ImagingDevices.exe

Filesize
95KB

MD5
00c143b07ddbf5995bd03f79a1ebd945

SHA1
fec30f688fedcdf6fd573d36beeb3952a8b4d245

SHA256
b722655b93bcb804802f6a20d17492f9c0f08b197b09e8cd57cf3b087ca5a347

SHA512
058a564cab337a66e9efa2106baa65ed505c4003348e3c32d0bdb564330094c5ca4e73dde0f09820d2a983444405bc8b4b36293e99f265ef728f307dfea106a5

Download Submit
C:\Users\Admin\Desktop\dropper\NSM.LIC

Filesize
259B

MD5
b8bdfa6ca3fe9cbfc46824e8355c3622

SHA1
fb5384eca34ff76723b947dd6b0e5ac1ed60a959

SHA256
be556bc2c58e56e6054ec017df771cf086cb6e4bfeafa5e6f2da5e6068ee1262

SHA512
0d9a35e7c264fcfd97774d3e9454d032f5dbbdff7e6eac3985b1133985bc27f7b86a04bbf70899c9374b766ccb395417ee51ea4e6ebe028e4244a156448d651b

Download Submit
C:\Users\Admin\Desktop\dropper\PCICHEK.DLL

Filesize
18KB

MD5
a0b9388c5f18e27266a31f8c5765b263

SHA1
906f7e94f841d464d4da144f7c858fa2160e36db

SHA256
313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

SHA512
6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

Download Submit
C:\Users\Admin\Desktop\dropper\PCICL32.dll

Filesize
3.5MB

MD5
ad51946b1659ed61b76ff4e599e36683

SHA1
dfe2439424886e8acf9fa3ffde6caaf7bfdd583e

SHA256
07a191254362664b3993479a277199f7ea5ee723b6c25803914eedb50250acf4

SHA512
6c30e7793f69508f6d9aa6edcec6930ba361628ef597e32c218e15d80586f5a86d89fcbee63a35eab7b1e0ae26277512f4c1a03df7912f9b7ff9a9a858cf3962

Download Submit
C:\Users\Admin\Desktop\dropper\client32.exe

Filesize
104KB

MD5
8bdcbba121984169948dfd09c629d6ae

SHA1
e9943b73cc66fc0a561d477a05d76cea5f5fb966

SHA256
168f1b974b31df0889e6dbe75f0fe8486cf932d72f0d6ad8348c97a2e537a738

SHA512
6f352d4ca667bfeccb3f95cc677f1e6d3f238a1fb0ffc7937407b9cdd40d3ce6fafe7de9c6323a737704676a908fffad0faf49d143953511f3c522683dc97dbd

Download Submit
C:\Users\Admin\Desktop\dropper\client32.ini

Filesize
646B

MD5
f0add3a3b594faa631f091ba20e3f9c4

SHA1
bca5a57eaff07dfe203de805cc5c96caa25cd8b8

SHA256
73c7ab7d2611ce18a3ff36440f92b005d6ee24d5aa2d28ac233897ebed61f111

SHA512
7722bee3c35724272e46e113e150d1fbaa0125038ff12ea23c8c35b7b939da069f44dce0d4040966c97435fb60683378def7c69a1766094aaf1d35217c7385bb

Download Submit
C:\Users\Admin\Desktop\dropper\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\Desktop\dropper\pcicapi.dll

Filesize
32KB

MD5
dcde2248d19c778a41aa165866dd52d0

SHA1
7ec84be84fe23f0b0093b647538737e1f19ebb03

SHA256
9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

SHA512
c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

Download Submit
C:\Users\Admin\Desktop\dropper\remcmdstub.exe

Filesize
61KB

MD5
35da3b727567fab0c7c8426f1261c7f5

SHA1
b71557d67bcd427ef928efce7b6a6529226415e6

SHA256
89027f1449be9ba1e56dd82d13a947cb3ca319adfe9782f4874fbdc26dc59d09

SHA512
14edadceeceb95f5c21fd3a0a349dd2a312d1965268610d6a6067049f34e3577fc96f6ba37b1d6ab8ce21444208c462fa97fab24bbcd77059bc819e12c5efc5a

Download Submit
C:\Users\Admin\Desktop\dropper\wabmig.exe

Filesize
68KB

MD5
b9ac6f8ea946cb0f4b1ab79e2172fd83

SHA1
f3d97e233594df89731c266f23ff546a4b2b832c

SHA256
5ad4fa74e71fb4ce0a885b1efb912a00c2ce3c7b4ad251ae67e6c3a8676ede02

SHA512
bbccb916b41631d7e806d0b1f6c4bb3d0d49dd09921b17b79704c1e8701a1b8c867057aa195e7ad03de5a470c69b88fcb6374baf767951d3894866acb113a504

Download Submit