netsupport | c2ba0018de8dcf0abfb2669cce95ed09377e9a9da7ff8e74e95688c99a025634

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-11-2024 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

das.php.zip
Size

2.2MB
MD5

0cc4ae68865ad3c85c1373f28ef04f81
SHA1

3572e86c09e8142ada3779d2aaaa46268c992273
SHA256

c2ba0018de8dcf0abfb2669cce95ed09377e9a9da7ff8e74e95688c99a025634
SHA512

d110b21e5981165bd497d6d174233b4a517a16afe185c14e90064af2f6e0baf4c117626cb067b7ec4c57600dbf770bc68f942e936c26ab6402c125a1ead29003
SSDEEP

49152:a51ZlklEDThXBJOhHvh6J6h2SFFGf0RBNTQfYc9jh23eWeB3/YSBm7WIqRRakTSR:E1tFXa/hRFY89YYc9jh23redpmQRY

Score

10^/10

netsupport discovery rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
Netsupport family
netsupport

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
628	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	628	7zFM.exe
Token: 35	628	7zFM.exe
Token: SeSecurityPrivilege	628	7zFM.exe
Token: SeSecurityPrivilege	1296	client32.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
628	7zFM.exe
628	7zFM.exe
1296	client32.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\das.php.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:628

C:\Users\Admin\Desktop\teste\client32.exe
"C:\Users\Admin\Desktop\teste\client32.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads