netsupport | 6ae306cdc7fb28fca941a4475d903f1bf1c793b1406224400f7df0f8a1d403fb

Analysis

max time kernel
104s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2025, 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64e5b32569d9f0f8494b23e6ed44b0f5ab5fe96308751cf3c0b0bdbe82d88605.exe
Size

7.0MB
MD5

7b3fad053f48326b3d69ce2ef83baf38
SHA1

304a1b55953b91822ee9b3eb4f8c6162eb39cf3e
SHA256

64e5b32569d9f0f8494b23e6ed44b0f5ab5fe96308751cf3c0b0bdbe82d88605
SHA512

0550fd571aed1a96a7925b4d3310bfb35132366cf48d072b6304a5337082c5d9b4c286e61a569c5152e9c1523894aad64a810aed6646cd1c86235bd42ddba9fb
SSDEEP

196608:ad/tGPPLAczgTTgvlHcQZyu2WyYGqGgujZ+FT+8LsOxtl:uULJcT0vlHtZyu2FLv5jtotl

Score

10^/10

netsupport discovery persistence rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
Netsupport family
netsupport

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.lnk	null.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.lnk	null.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\WinUpdate\\null.exe\""	64e5b32569d9f0f8494b23e6ed44b0f5ab5fe96308751cf3c0b0bdbe82d88605.tmp

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	null.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	null.exe

Executes dropped EXE 6 IoCs

pid	Process
5540	64e5b32569d9f0f8494b23e6ed44b0f5ab5fe96308751cf3c0b0bdbe82d88605.tmp
2756	null.exe
2020	client32.exe
2952	ZCC.exe
3328	null.exe
6016	client32.exe

Loads dropped DLL 11 IoCs

pid	Process
5540	64e5b32569d9f0f8494b23e6ed44b0f5ab5fe96308751cf3c0b0bdbe82d88605.tmp
5540	64e5b32569d9f0f8494b23e6ed44b0f5ab5fe96308751cf3c0b0bdbe82d88605.tmp
2020	client32.exe
2020	client32.exe
2020	client32.exe
2020	client32.exe
2020	client32.exe
6016	client32.exe
6016	client32.exe
6016	client32.exe
6016	client32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	64e5b32569d9f0f8494b23e6ed44b0f5ab5fe96308751cf3c0b0bdbe82d88605.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	64e5b32569d9f0f8494b23e6ed44b0f5ab5fe96308751cf3c0b0bdbe82d88605.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	null.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	null.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5540	64e5b32569d9f0f8494b23e6ed44b0f5ab5fe96308751cf3c0b0bdbe82d88605.tmp
5540	64e5b32569d9f0f8494b23e6ed44b0f5ab5fe96308751cf3c0b0bdbe82d88605.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2020	client32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5540	64e5b32569d9f0f8494b23e6ed44b0f5ab5fe96308751cf3c0b0bdbe82d88605.tmp
2020	client32.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 676 wrote to memory of 5540	676	64e5b32569d9f0f8494b23e6ed44b0f5ab5fe96308751cf3c0b0bdbe82d88605.exe	86
PID 676 wrote to memory of 5540	676	64e5b32569d9f0f8494b23e6ed44b0f5ab5fe96308751cf3c0b0bdbe82d88605.exe	86
PID 676 wrote to memory of 5540	676	64e5b32569d9f0f8494b23e6ed44b0f5ab5fe96308751cf3c0b0bdbe82d88605.exe	86
PID 5540 wrote to memory of 2756	5540	64e5b32569d9f0f8494b23e6ed44b0f5ab5fe96308751cf3c0b0bdbe82d88605.tmp	97
PID 5540 wrote to memory of 2756	5540	64e5b32569d9f0f8494b23e6ed44b0f5ab5fe96308751cf3c0b0bdbe82d88605.tmp	97
PID 5540 wrote to memory of 2756	5540	64e5b32569d9f0f8494b23e6ed44b0f5ab5fe96308751cf3c0b0bdbe82d88605.tmp	97
PID 2756 wrote to memory of 2020	2756	null.exe	98
PID 2756 wrote to memory of 2020	2756	null.exe	98
PID 2756 wrote to memory of 2020	2756	null.exe	98
PID 5540 wrote to memory of 2952	5540	64e5b32569d9f0f8494b23e6ed44b0f5ab5fe96308751cf3c0b0bdbe82d88605.tmp	101
PID 5540 wrote to memory of 2952	5540	64e5b32569d9f0f8494b23e6ed44b0f5ab5fe96308751cf3c0b0bdbe82d88605.tmp	101
PID 5540 wrote to memory of 3328	5540	64e5b32569d9f0f8494b23e6ed44b0f5ab5fe96308751cf3c0b0bdbe82d88605.tmp	102
PID 5540 wrote to memory of 3328	5540	64e5b32569d9f0f8494b23e6ed44b0f5ab5fe96308751cf3c0b0bdbe82d88605.tmp	102
PID 5540 wrote to memory of 3328	5540	64e5b32569d9f0f8494b23e6ed44b0f5ab5fe96308751cf3c0b0bdbe82d88605.tmp	102
PID 3328 wrote to memory of 6016	3328	null.exe	103
PID 3328 wrote to memory of 6016	3328	null.exe	103
PID 3328 wrote to memory of 6016	3328	null.exe	103

C:\Users\Admin\AppData\Local\Temp\64e5b32569d9f0f8494b23e6ed44b0f5ab5fe96308751cf3c0b0bdbe82d88605.exe
"C:\Users\Admin\AppData\Local\Temp\64e5b32569d9f0f8494b23e6ed44b0f5ab5fe96308751cf3c0b0bdbe82d88605.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:676
- C:\Users\Admin\AppData\Local\Temp\is-N8LTE.tmp\64e5b32569d9f0f8494b23e6ed44b0f5ab5fe96308751cf3c0b0bdbe82d88605.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-N8LTE.tmp\64e5b32569d9f0f8494b23e6ed44b0f5ab5fe96308751cf3c0b0bdbe82d88605.tmp" /SL5="$401D4,6564690,780288,C:\Users\Admin\AppData\Local\Temp\64e5b32569d9f0f8494b23e6ed44b0f5ab5fe96308751cf3c0b0bdbe82d88605.exe"
  2⤵
  - Adds Run key to start application
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5540
- - C:\Users\Admin\AppData\Roaming\WinUpdate\null.exe
    "C:\Users\Admin\AppData\Roaming\WinUpdate\null.exe"
    3⤵
    - Drops startup file
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Users\Admin\AppData\Roaming\CodeIntegrity\WinSupport\client32.exe
      "C:\Users\Admin\AppData\Roaming\CodeIntegrity\WinSupport\client32.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:2020
- - C:\Users\Admin\AppData\Local\Programs\ZeldaWallet\ZCC.exe
    "C:\Users\Admin\AppData\Local\Programs\ZeldaWallet\ZCC.exe"
    3⤵
    - Executes dropped EXE
    PID:2952
- - C:\Users\Admin\AppData\Roaming\WinUpdate\null.exe
    "C:\Users\Admin\AppData\Roaming\WinUpdate\null.exe"
    3⤵
    - Drops startup file
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3328
  - - C:\Users\Admin\AppData\Roaming\CodeIntegrity\WinSupport\client32.exe
      "C:\Users\Admin\AppData\Roaming\CodeIntegrity\WinSupport\client32.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:6016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Programs\ZeldaWallet\MySql.Data.dll

Filesize
769KB

MD5
045c875e00218ce5348a705989acb329

SHA1
6a55c463c883a6bc1d7106629abb3d2750ccb857

SHA256
83d5f32b402bf60b6aeabdb45cfeeae292b2a590e9d351bf8072cf43658684ab

SHA512
a72191a784c7737985ceab96d459a13ac2508d1e219483e06224234bfc42f905f10aec9d5c9d588a3b46491c885aada44e3fdf4ba89695c7fb7bbab09aed9383

Download Submit
C:\Users\Admin\AppData\Local\Programs\ZeldaWallet\ZCC.exe

Filesize
125KB

MD5
c4087f092e6a8263bde7792f82dd70da

SHA1
8ecc727984d9c982fb62b0dea8af5d40df3a39bc

SHA256
5fe9df421ba1bf6959bccb3d8ab4a65e8eaba8c9eef22a3cac6d60156f906cd7

SHA512
48345af61a9ac6b70b57d7a4fba6eced09eefdc2223e98d37c6f8be3281e8b819d1c8f804c3b998bc9497c811d751e252687badcb6141638384aed7a227d9150

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KCF3Q.tmp\_isetup\_isdecmp.dll

Filesize
29KB

MD5
fd4743e2a51dd8e0d44f96eae1853226

SHA1
646cef384e949aaf61e6d0b243d8d84ab04e79b7

SHA256
6535ba91fcca7174c3974b19d9ab471f322c2bf49506ef03424517310080be1b

SHA512
4587c853871624414e957f083713ec62d50c46b7041f83faa45dbf99b99b8399fc08d586d240e4bccee5eb0d09e1cdcb3fd013f07878adf4defcc312712e468d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N8LTE.tmp\64e5b32569d9f0f8494b23e6ed44b0f5ab5fe96308751cf3c0b0bdbe82d88605.tmp

Filesize
2.5MB

MD5
5294b3139fb60c325957fc1dd663a494

SHA1
0af1a8b3652a7c973322c8b23c2598e462e13fa4

SHA256
725b45973382a7fc599eaee8c9eb294d032962c7809852bdec13daa5df90b4cd

SHA512
2d19d6abc62e59d59ace9ce56b36ffca59136dc202574433c864558ea66660cdd77fd572b11bb44b63a14ddc4863f4a80bb0c3eee7fc14df842d1c2e37e624cc

Download Submit
C:\Users\Admin\AppData\Roaming\CodeIntegrity\WinSupport\HTCTL32.DLL

Filesize
320KB

MD5
c94005d2dcd2a54e40510344e0bb9435

SHA1
55b4a1620c5d0113811242c20bd9870a1e31d542

SHA256
3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

SHA512
2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

Download Submit
C:\Users\Admin\AppData\Roaming\CodeIntegrity\WinSupport\NSM.LIC

Filesize
259B

MD5
ac5d5cc9acad4531ef1bd16145ea68bd

SHA1
f9d92f79a934815b645591ebbd6f5d20aa6a3e38

SHA256
68c787616681427557343e42ede5805dfbeeb580c59f69c4706b500f225e2c6b

SHA512
196863e039e9c83fb0f8eb3f0a6119db31a624e7ef4e9ba99516702e76796957f0ebf87e8728e1bd0de6cd7420bec6e644caa58a0724a7208e9a765d6eb78f64

Download Submit
C:\Users\Admin\AppData\Roaming\CodeIntegrity\WinSupport\PCICL32.dll

Filesize
3.6MB

MD5
d3d39180e85700f72aaae25e40c125ff

SHA1
f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

SHA256
38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

SHA512
471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

Download Submit
C:\Users\Admin\AppData\Roaming\CodeIntegrity\WinSupport\client32.exe

Filesize
109KB

MD5
4db1552ee375c6df30a92bf4c9af7eb3

SHA1
3a064dcd2bb8e01d984c97799fb751d5707c4706

SHA256
09cbdb59a9200fba5bc5dd0cc111730cf67ee5cc182788e16349893dc6f43145

SHA512
813b2b4ebd537ddb3a276c9d155fb6a4eca9ee2a12cd220881fc520b16664cf67eeb5f02860bfc5b0ddbc95a4f9c9c7ea063deab3710182d906fc6406196c073

Download Submit
C:\Users\Admin\AppData\Roaming\CodeIntegrity\WinSupport\client32.ini

Filesize
597B

MD5
1644a7e52abec5a3b058af9fc88045fc

SHA1
7627946a0ef30dcec0db87f57f2fea025580a359

SHA256
cae26d0489fb72781d083ac253b667eb3ffac2f28384eef20f28d7794f161a8f

SHA512
48f324718b160e3917ab890edee0a1e7c4cba70c923cc4712281f5493844824d0d81c4f8cb9d59b2df6a86290a8e242c46fb08ab3676c590414100c619a38462

Download Submit
C:\Users\Admin\AppData\Roaming\CodeIntegrity\WinSupport\msvcr100.dll

Filesize
766KB

MD5
be04a8f1e5ed8d1bd0ed12c5de0ab2b9

SHA1
5014109f15bc986739a29a462f71393697f887d6

SHA256
a5b53742eb4247f371fe8f45e293bc9e8e6c491222c700f5dc69a8937067bea6

SHA512
f6b96f6b544eec88b30b5532978737e210d828330dd45264bf29ca1a8442c96db245e44ce123f4096fe52b121712ed19835467bce7c862cbe6b0481893fc06aa

Download Submit
C:\Users\Admin\AppData\Roaming\CodeIntegrity\WinSupport\pcicapi.dll

Filesize
38KB

MD5
fda59adb8f40841cf308d5ee67abe94b

SHA1
80ecac59362724b800de32627790b61f79aedf1c

SHA256
3a411f8bf527bdf1e664a00708518f82e7bb0333212ab1c953dda5dd4798d3fc

SHA512
6ad2e3ca1abe6b15e13874ded25662c6a34912e12e15cacb2c69915299c23de96f21ddae038810a7ea8517787f0418045770b968fc199efbc955f092e9c02e7c

Download Submit
C:\Users\Admin\AppData\Roaming\CodeIntegrity\WinSupport\pcichek.dll

Filesize
18KB

MD5
104b30fef04433a2d2fd1d5f99f179fe

SHA1
ecb08e224a2f2772d1e53675bedc4b2c50485a41

SHA256
956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

SHA512
5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.lnk

Filesize
2KB

MD5
d79a9f482b0e1ee14279065cd6d264f9

SHA1
12adc584bb62558c72d70736f7576eb2be7fcdc4

SHA256
dd515310a552e6729709973f94764bc9d1793b417bee739efac53861c107b9fb

SHA512
ae9ed652d6bbd26a3c381daf33a322f7934d548fc481187b5789c5faf54e19ca801ac7025b2f89197b10e967dbcadbb1ab9769c0f5508df320773f6fe41e7268

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate\null.exe

Filesize
2.1MB

MD5
ce767e1ab4d5615f0109a771681f6c95

SHA1
80f5064f32b8b63effbf7c6229202bf514d380c4

SHA256
c8425cf994f02784d3f8eeb570b6ac1edc5876908b64b40b532e2534a84a19ad

SHA512
87d86a1968de29f8985016e969a2005dc272165ab4400f61f34860d24bee7899f8b008dfbd899891e3cece873ecdd7042b165077d1bd1bfd21ac990a00e6a98f

Download Submit
memory/676-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/676-0-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/676-109-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/676-13-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2952-101-0x00000210A6020000-0x00000210A60E6000-memory.dmp

Filesize
792KB

Download
memory/2952-99-0x000002108BAE0000-0x000002108BB06000-memory.dmp

Filesize
152KB

Download
memory/5540-105-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/5540-6-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/5540-14-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download