Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://coconnexion....

windows10-ltsc_2021-x64

10

Resubmissions

31/03/2025, 20:39

250331-zfkewazqs3 10

31/03/2025, 20:25

250331-y7dkzaxwg1 10

31/03/2025, 20:23

250331-y55lnsxwez 4

Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-ltsc_2021_x64
  • resource
    win10ltsc2021-20250314-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
  • submitted
    31/03/2025, 20:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://coconnexion.com/comcat.zip?&audio=623

Score
10/10
netsupportdiscoveryrat

Malware Config

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as a legitimate system administration software.

    ratnetsupport
  • Netsupport family
    netsupport
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://coconnexion.com/comcat.zip?&audio=623
    1⤵
    • Drops file in Windows directory
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:5056
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffa864bdcf8,0x7ffa864bdd04,0x7ffa864bdd10
      2⤵
        PID:2360
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2000,i,6215932747561988161,9684479894832142680,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1988 /prefetch:2
        2⤵
          PID:2100
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2236,i,6215932747561988161,9684479894832142680,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2248 /prefetch:3
          2⤵
            PID:5672
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2388,i,6215932747561988161,9684479894832142680,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2560 /prefetch:8
            2⤵
              PID:1596
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,6215932747561988161,9684479894832142680,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3160 /prefetch:1
              2⤵
                PID:4460
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,6215932747561988161,9684479894832142680,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3220 /prefetch:1
                2⤵
                  PID:1200
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4396,i,6215932747561988161,9684479894832142680,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4412 /prefetch:2
                  2⤵
                    PID:3588
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5464,i,6215932747561988161,9684479894832142680,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5480 /prefetch:8
                    2⤵
                      PID:4508
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4720,i,6215932747561988161,9684479894832142680,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6100 /prefetch:8
                      2⤵
                        PID:3056
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5488,i,6215932747561988161,9684479894832142680,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5996 /prefetch:8
                        2⤵
                          PID:528
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3912,i,6215932747561988161,9684479894832142680,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6004 /prefetch:8
                          2⤵
                            PID:2540
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4548,i,6215932747561988161,9684479894832142680,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6052 /prefetch:8
                            2⤵
                              PID:3276
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=5692,i,6215932747561988161,9684479894832142680,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4744 /prefetch:8
                              2⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:4732
                          • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
                            "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
                            1⤵
                              PID:4464
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                              1⤵
                                PID:2704
                              • C:\Windows\System32\rundll32.exe
                                C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                1⤵
                                  PID:5652
                                • C:\Users\Admin\Downloads\comcat\client32.exe
                                  "C:\Users\Admin\Downloads\comcat\client32.exe"
                                  1⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:4476
                                • C:\Users\Admin\Downloads\comcat\remcmdstub.exe
                                  "C:\Users\Admin\Downloads\comcat\remcmdstub.exe"
                                  1⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:5304
                                • C:\Users\Admin\Downloads\comcat\client32.exe
                                  "C:\Users\Admin\Downloads\comcat\client32.exe"
                                  1⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:3564
                                • C:\Users\Admin\Downloads\comcat\client32.exe
                                  "C:\Users\Admin\Downloads\comcat\client32.exe"
                                  1⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:6024

                                Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
                                  Filesize

                                  649B

                                  MD5

                                  ae0764c75d91fb2ba65c94718b875e1f

                                  SHA1

                                  69a77c68e5c6ff411d4d052691e9e112068fe853

                                  SHA256

                                  546cda3a40a811da49fdf4579cf3efc100c57c4250bf80bfc5f00e6046705528

                                  SHA512

                                  08f36f561d0ea475547853e203500ad16041f80606895519d8dd20d19c198d2ad29f8bfad5ab48995a6ce9ae9264116ce507fdbcc8952c68ad80b0844745886d

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                                  Filesize

                                  2KB

                                  MD5

                                  b51b92b1e90336887d9ac71648033e15

                                  SHA1

                                  19f7a82ecca72a0e4323e1dc7313912758be42a2

                                  SHA256

                                  ec07ded0c3d3ca26f939fe71a12916fb3d00268ff7910750d9b67ffa61b1f3fb

                                  SHA512

                                  2e17d4016289666cd2b94aa77a0bc2dc18933123318924908ce23366e5f0bd185f5ae26cda7a79403a2f23978574b6f7e18134a2851274a4b997fbafe739ce7f

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                                  Filesize

                                  2B

                                  MD5

                                  d751713988987e9331980363e24189ce

                                  SHA1

                                  97d170e1550eee4afc0af065b78cda302a97674c

                                  SHA256

                                  4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                  SHA512

                                  b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\aa01b5eb-febb-4c47-ab78-201622ede0cf.tmp
                                  Filesize

                                  2KB

                                  MD5

                                  8a514fce932c6f966d6060a089e6a5c2

                                  SHA1

                                  e5be17737803ca910a81f330a65e6f5f5896405a

                                  SHA256

                                  a2dafe3e6c1b0e21fb3e3d0a7245152b5d5ed77019ade4943feed1dcb9ddf178

                                  SHA512

                                  2f81baba3e02ed41b2878822937a0154948c7102ef9533c73413ac382cbba6f8d43ff406cfbb71102a5e71cc95c29429bbd47097457fd83d7e4f4e8ef63fb5cf

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                  Filesize

                                  10KB

                                  MD5

                                  ce1d13b1bdaa03ff6463e4d2a2753149

                                  SHA1

                                  44d3b75e033b650e286beba3640ce1d9da6615fd

                                  SHA256

                                  dc1d48f18cbcbe90d2d0e3a759ae6cded81fe6283628a083a6c9ee29e3b7ea1d

                                  SHA512

                                  00d1091b10ce82ec260b127b9fa9030db2d1443c6365a039e5d81c4af407d1e88492f8fa7af8a24d6fb79d4fc713dc25d11503dbcf7879f859ea49650f022453

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                                  Filesize

                                  15KB

                                  MD5

                                  b291e3ea9c421d85b906ca3844f73643

                                  SHA1

                                  cdafed28636bd9bfa5c2f55e3f3ab132d4837aee

                                  SHA256

                                  2cc48f2e515df079a80f68ce5aceb17b945c1e890bfe39e30546f87670e1c028

                                  SHA512

                                  7c30856cae91b70e7dbc313d043b86ae5989bd7bcf382ff61a2d7ed75a5b5721407085cd69e0a9b5f8fe509c0c1e0cea23cda2a02db8bebfd74d6cedddd1593a

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
                                  Filesize

                                  72B

                                  MD5

                                  09e556f354c38fd4fbe2a2c1f8b69dc5

                                  SHA1

                                  737440ca499936f01082fcf3207e3ac0a992a4b9

                                  SHA256

                                  79b0c9b6d4c358a7dee6b49081ca308bb4baa98c1cccaa8af585eb8cc0342494

                                  SHA512

                                  c95687bd2b63d78d97d4ae65f6ab1fa0b8c5d3672ff7750f520cf23d6b42fc0717698588321a95a62fae3a250a170c15f9527b1e5ce8d058be0299410ba586be

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c69c.TMP
                                  Filesize

                                  48B

                                  MD5

                                  737faf9fb7842b0c4f097a547b775912

                                  SHA1

                                  119396459dceac7ebbeae2bbc55f42d2755f5892

                                  SHA256

                                  a66fd83fc2b3cdd398af269a363ff971c597ef9f30667d80206600f8a1c9e475

                                  SHA512

                                  6889647f5035254680013cb6a052ddba84f8fc8f01da43fc3575d94a5e008648eba4371520fbef937c27e4e1e834c5c1200ba933cf23b338b10aece9333502c0

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                  Filesize

                                  80KB

                                  MD5

                                  939ea59f873fd30ef01253efdfd255ca

                                  SHA1

                                  28879eeb312c910c974aebab318c0c902722ce90

                                  SHA256

                                  188b4e2010b87b6d05e169b70a1046ea0c28648381b7023a3cb92aa908811e14

                                  SHA512

                                  c6f1dff20e3e979bac6a244f1ac65eed8d21318aa3e1a6d2fea43e889c44492398f6b8ea4f1b9e025f01464c5b6ab772ffa2b474f57d31e76f3aec4ad17d70ee

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                  Filesize

                                  81KB

                                  MD5

                                  10366727b4c4648d6c6612611ef5ee96

                                  SHA1

                                  9499a347928c509887811aca34e7d766bfb31b4d

                                  SHA256

                                  c82a927f6d44c9d4bd05cd44fe0be5c2ae84597c0ff59e756bf4c8adc931a4d4

                                  SHA512

                                  3cce4b3302c9ed2168e203b42fc255ee831ffaa70851fbf26cc4c17594d0f617a9ff6253d4b563e3803bc0d80813441efdc52cea48c1ef5b472eb1be8e432a3a

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                  Filesize

                                  81KB

                                  MD5

                                  53bc2dddb583254d714a182faf753ead

                                  SHA1

                                  2ec865ab6c82cd58d7235f540563779358a89442

                                  SHA256

                                  b637d8a28c0bc57249e9b7183f05c9fd5460693bd93bc747f3457b6a8c528769

                                  SHA512

                                  e0120ecd197fd0d18db08e16c8c94f220dfa3b23a9b74925d404c6d40f319f5be62dd2a30b3b67f2eec7f3665250c80209ce718e1f651eec91913bc9a7fc0473

                                  Download Submit

                                • C:\Users\Admin\Downloads\comcat.zip
                                  Filesize

                                  3.7MB

                                  MD5

                                  a931850be10516b7357eda47ff30712d

                                  SHA1

                                  651ac4fcafb2a73dee0ad70c0c97f1d648723b98

                                  SHA256

                                  12b15788820107bd87654629df386c64cd15e7125bdb8de2c647c8e63dc319a5

                                  SHA512

                                  b8c614c03a4b3dd66681ace00ec963b2fe1281c27c721702f181ec2f3b5c140626570d01d1d7df9edf255569bf18896d902269ef7e8ee555193cff904922be41

                                  Download Submit