netsupport | 565db3321218ef2d24120a3b0e3a79ce8b3238b37a89a1d163b01f3be472b15b

Resubmissions

11-02-2025 19:41

250211-yd22gaykhq 8

11-02-2025 18:32

250211-w6m2xawmap 10

Analysis

max time kernel
93s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250211-en
resource tags

arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
submitted
11-02-2025 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Update 3633.js
Size

1.3MB
MD5

77072f5bc07cfb3ce99655ac33e1174f
SHA1

645ab809d65dc9a57f979a5309a580aa2e5f9e54
SHA256

565db3321218ef2d24120a3b0e3a79ce8b3238b37a89a1d163b01f3be472b15b
SHA512

a26906ae0b5984a2e621312e4881337cf1e434534a8b1318b60a0d9dd4dbe81489a3cb1dd0092a1dcc92223e7d32b1fd2eb07787cb24eb8414d82e029ed2fb62
SSDEEP

12288:wum1wz4FL5dM2f8f3ue1wz4FL5dM2f8fr:OCz4F9dM2f8frCz4F9dM2f8fr

Score

10^/10

netsupport discovery execution persistence rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
Netsupport family
netsupport

Blocklisted process makes network request 4 IoCs

flow	pid	Process
2	4464	wscript.exe
9	4464	wscript.exe
12	4464	wscript.exe
14	4464	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Control Panel\International\Geo\Nation	wscript.exe

Deletes itself 1 IoCs

pid	Process
4464	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
4488	client32.exe

Loads dropped DLL 5 IoCs

pid	Process
4488	client32.exe
4488	client32.exe
4488	client32.exe
4488	client32.exe
4488	client32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\ProgramData\\a5hfkhfk\\client32.exe"	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4488	client32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4488	client32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 4488	4464	wscript.exe	89
PID 4464 wrote to memory of 4488	4464	wscript.exe	89
PID 4464 wrote to memory of 4488	4464	wscript.exe	89

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Update 3633.js"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Deletes itself
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4464
- C:\ProgramData\a5hfkhfk\client32.exe
  "C:\ProgramData\a5hfkhfk\client32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\a5hfkhfk.zip

Filesize
2.6MB

MD5
ab92a65c828bc4077f2671b8e6ee2a45

SHA1
886edf3d56914684514f7fd69d2bf26f75cf3d79

SHA256
ef1be5fb3731a5e5c38e415c3fdf2573e622c1bf7ea7decd99edbbc45c79049a

SHA512
bf7d7280f02bfcac903676e07fe5996951a9f61d669e059340962f2bc232bc545f763f6db45c9c97ed436d7ed69183a6666cb31bd7015bf7c39c7d559b3f0eeb

Download Submit
C:\ProgramData\a5hfkhfk\HTCTL32.DLL

Filesize
306KB

MD5
3eed18b47412d3f91a394ae880b56ed2

SHA1
1b521a3ed4a577a33cce78eee627ae02445694ab

SHA256
13a17f2ad9288aac8941d895251604beb9524fa3c65c781197841ee15480a13f

SHA512
835f35af4fd241caa8b6a639626b8762db8525ccceb43afe8fffc24dffad76ca10852a5a8e9fc114bfbf7d1dc1950130a67037fc09b63a74374517a1f5448990

Download Submit
C:\ProgramData\a5hfkhfk\NSM.LIC

Filesize
262B

MD5
b9956282a0fed076ed083892e498ac69

SHA1
d14a665438385203283030a189ff6c5e7c4bf518

SHA256
fcc6afd664a8045bd61c398be3c37a97536a199a48d277e11977f93868ae1acc

SHA512
7daa09113c0e8a36c91cc6d657c65851a20dff6b60ac3d2f40c5737c12c1613c553955f84d131ba2139959973fef9fc616ca5e968cb16c25acf2d4739eed87eb

Download Submit
C:\ProgramData\a5hfkhfk\PCICAPI.dll

Filesize
44KB

MD5
9daa86d91a18131d5caf49d14fb8b6f2

SHA1
6b2f7ceb6157909e114a2b05a48a1a2606b5caf1

SHA256
1716640cce74322f7ee3e3e02b75cd53b91686f66e389d606dab01bd9f88c557

SHA512
9a98e0d9e2dda8aefa54bddb3c7b71501d638dff68863939de6caa117b0e7bf15e581a75419ef8a0da3f1c56a19f1b0f4c86d65f8581773ab88ff5764b9bb3aa

Download Submit
C:\ProgramData\a5hfkhfk\PCICHEK.DLL

Filesize
27KB

MD5
e311935a26ee920d5b7176cfa469253c

SHA1
eda6c815a02c4c91c9aacd819dc06e32ececf8f0

SHA256
0038ab626624fa2df9f65dd5e310b1206a9cd4d8ab7e65fb091cc25f13ebd34e

SHA512
48164e8841cfc91f4cbf4d3291d4f359518d081d9079a7995378f970e4085b534f4bafc15b83f4824cc79b5a1e54457b879963589b1acbcfe727a03eb3dffd1c

Download Submit
C:\ProgramData\a5hfkhfk\PCICL32.dll

Filesize
3.3MB

MD5
77b3988cbae5a2550caec42cc5e8ec35

SHA1
5fa1eeb60e881bfd82eb7c3d9e911587982aaa38

SHA256
650382fe6596c8dc0c1739713c2076d4ddff32d5c177210b1241550bb8148cfd

SHA512
480f3abef7b799bd604ba9825e2b8cf681e7850373761c579ef181607980d5159c225fb486996e3088f39662f873743d25b52368045d3ae5bd8d45e44d1e8bec

Download Submit
C:\ProgramData\a5hfkhfk\client32.exe

Filesize
117KB

MD5
1c19c2e97c5e6b30de69ee684e6e5589

SHA1
5734ef7f9e4dba0639c98881e00f03eea35a62ee

SHA256
312a0e4db34a40cb95ba1fac8bf87deb45d0c5f048d38ac65eb060273b07df67

SHA512
ab7240b81be04f1bced47701a5791bbeedcba6037ee936327478c304aa1ce5ae75856ca7f568f909f847e27db2a6b9c08db7cc1057a18fab14a39a5854f15cba

Download Submit
C:\ProgramData\a5hfkhfk\client32.ini

Filesize
559B

MD5
cd726acf24b3b54b44e26217e9ac345a

SHA1
1e3bbfd46a06c0816152ed0848dc5a5ac12420c5

SHA256
07e5fb7a5cc6927b5e138e354c3eb64241a1262441042c016a880ab177d4d94d

SHA512
d7879f613070a72e27ef835275dcdefa19ce634d704afce3cc2458289501e86f1a13dd90051cc23bda0d96dd54bae28d29b9387ce9716dcac01c0e42bd6c154f

Download Submit
C:\ProgramData\a5hfkhfk\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads