Overview

overview

10

Static

static

1

Chrome 134...115.js

windows10-2004-x64

10

Resubmissions

27/03/2025, 20:13

250327-yzgmnaxwav 8

27/03/2025, 19:56

250327-ynsksazjs7 10

Analysis

  • max time kernel
    104s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/03/2025, 19:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Chrome 134.0.6999.14115.js

  • Size

    1.3MB

  • MD5

    e276013cd57428820cccef3b09456fce

  • SHA1

    fc4202cf424ce4084ea5cc98af0b0e164786beb9

  • SHA256

    3c4b87be8450e3120b7ad2b11ff59850950beb39906dc1636b3ee7b6390f2086

  • SHA512

    c3838300e48ccf8f45cfbb691f968d7fcad86fdc289f0a93e4caf0972563d682cac1c72253d5942439414152e5a3219fb77a5e496718d763f8a0a0f82c524f8c

  • SSDEEP

    12288:wum1wz4FL5dM2f8f3ue1wz4FL5dM2f8f7:OCz4F9dM2f8frCz4F9dM2f8f7

Score
10/10
netsupportdiscoveryexecutionpersistencerat

Malware Config

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as a legitimate system administration software.

    ratnetsupport
  • Netsupport family
    netsupport
  • Blocklisted process makes network request 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Chrome 134.0.6999.14115.js"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Deletes itself
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5796
    • C:\ProgramData\77i08ci3\client32.exe
      "C:\ProgramData\77i08ci3\client32.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4084
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\77i08ci3\client32.exe
    1⤵
      PID:4532
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:1364

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\77i08ci3.zip
        Filesize

        3.7MB

        MD5

        746e8ad922e763cc5e8f01dca0212a11

        SHA1

        08cb0a733ff575481fd044bbf3eeeb79a642caea

        SHA256

        ab09b3a43da699819cdd63b612f02e22f33feba29deecdeef9893e98cf44c518

        SHA512

        c242d44d9e10841fa20428cd0d8203fef706a5258c8d68ccc74183f936ef16e641e426a1d52e6c8a34314760eb579a47287af16a598002f376a4fdeb6f70535e

        Download Submit

      • C:\ProgramData\77i08ci3\HTCTL32.DLL
        Filesize

        306KB

        MD5

        3eed18b47412d3f91a394ae880b56ed2

        SHA1

        1b521a3ed4a577a33cce78eee627ae02445694ab

        SHA256

        13a17f2ad9288aac8941d895251604beb9524fa3c65c781197841ee15480a13f

        SHA512

        835f35af4fd241caa8b6a639626b8762db8525ccceb43afe8fffc24dffad76ca10852a5a8e9fc114bfbf7d1dc1950130a67037fc09b63a74374517a1f5448990

        Download Submit

      • C:\ProgramData\77i08ci3\NSM.LIC
        Filesize

        262B

        MD5

        b9956282a0fed076ed083892e498ac69

        SHA1

        d14a665438385203283030a189ff6c5e7c4bf518

        SHA256

        fcc6afd664a8045bd61c398be3c37a97536a199a48d277e11977f93868ae1acc

        SHA512

        7daa09113c0e8a36c91cc6d657c65851a20dff6b60ac3d2f40c5737c12c1613c553955f84d131ba2139959973fef9fc616ca5e968cb16c25acf2d4739eed87eb

        Download Submit

      • C:\ProgramData\77i08ci3\PCICAPI.dll
        Filesize

        44KB

        MD5

        9daa86d91a18131d5caf49d14fb8b6f2

        SHA1

        6b2f7ceb6157909e114a2b05a48a1a2606b5caf1

        SHA256

        1716640cce74322f7ee3e3e02b75cd53b91686f66e389d606dab01bd9f88c557

        SHA512

        9a98e0d9e2dda8aefa54bddb3c7b71501d638dff68863939de6caa117b0e7bf15e581a75419ef8a0da3f1c56a19f1b0f4c86d65f8581773ab88ff5764b9bb3aa

        Download Submit

      • C:\ProgramData\77i08ci3\PCICL32.dll
        Filesize

        3.3MB

        MD5

        1274cca13cc5e37ca94d35e5b0673e89

        SHA1

        a8754c94f88273c304bc45a5afd61a383bb52117

        SHA256

        cd5510c8bc7ea60be77ad4aab502ee02d871bf4e917aeeb6921c20eebd9693dd

        SHA512

        52eafa31ee942dc92d0b8f52c12206f6abc1d5fae799b37b371e97c38ce66bd0693263de86b4880748ba1405054701288caf2cd00cd327edc164e1390cf9191c

        Download Submit

      • C:\ProgramData\77i08ci3\client32.exe
        Filesize

        117KB

        MD5

        1c19c2e97c5e6b30de69ee684e6e5589

        SHA1

        5734ef7f9e4dba0639c98881e00f03eea35a62ee

        SHA256

        312a0e4db34a40cb95ba1fac8bf87deb45d0c5f048d38ac65eb060273b07df67

        SHA512

        ab7240b81be04f1bced47701a5791bbeedcba6037ee936327478c304aa1ce5ae75856ca7f568f909f847e27db2a6b9c08db7cc1057a18fab14a39a5854f15cba

        Download Submit

      • C:\ProgramData\77i08ci3\client32.ini
        Filesize

        724B

        MD5

        f86798beead6be1e0e4b389e901f7640

        SHA1

        a222244bc199be44e1c041b6ee296a62fc2062bd

        SHA256

        3d725d512aec4e8708884334c7f180b7d071da8560ba49c2836fc6acb726afa6

        SHA512

        68945896e265d67d13cf2155bb58715b68a0ade556025d9ce063eef8034cd3a40614f366f139bdd953d2306cdd53e479b4c1ff05babc85c91b5a0ace1acc0332

        Download Submit

      • C:\ProgramData\77i08ci3\msvcr100.dll
        Filesize

        755KB

        MD5

        0e37fbfa79d349d672456923ec5fbbe3

        SHA1

        4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

        SHA256

        8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

        SHA512

        2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

        Download Submit

      • C:\ProgramData\77i08ci3\pcichek.dll
        Filesize

        27KB

        MD5

        e311935a26ee920d5b7176cfa469253c

        SHA1

        eda6c815a02c4c91c9aacd819dc06e32ececf8f0

        SHA256

        0038ab626624fa2df9f65dd5e310b1206a9cd4d8ab7e65fb091cc25f13ebd34e

        SHA512

        48164e8841cfc91f4cbf4d3291d4f359518d081d9079a7995378f970e4085b534f4bafc15b83f4824cc79b5a1e54457b879963589b1acbcfe727a03eb3dffd1c

        Download Submit