Overview

overview

10

Static

static

1

Chrome 134...052.js

windows10-2004-x64

10

Resubmissions

03/04/2025, 21:45

250403-1l23jsxk14 8

03/04/2025, 21:42

250403-1kssgsvsas 10

Analysis

  • max time kernel
    63s
  • max time network
    65s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/04/2025, 21:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Chrome 134.0.6999.57052.js

  • Size

    1.0MB

  • MD5

    5f024aa8bd4b5eec7abcb33a28c3b2e4

  • SHA1

    705218791dc6d4eccd0823a66fcaf3f3c6f42881

  • SHA256

    53e9511401000f61c9d910b92cd6d5a58e38ae541975135944885e53fa91ecb7

  • SHA512

    24a9858e4e62da8732f0b6295f9ef9ff0f2436a1a9be4d626d5493c08c5a260807856fead2f666afd06088c23949ae19215388ff23b08d3b1d629d81629b19ac

  • SSDEEP

    6144:Wb6NJhIrDjyeLyXyberDq91ItXMIX+CdppUyM4JMRUdt0FjyD0EjpQahloWbGhIW:5DUiZDWi0

Score
10/10
netsupportdiscoveryexecutionpersistencerat

Malware Config

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as a legitimate system administration software.

    ratnetsupport
  • Netsupport family
    netsupport
  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Chrome 134.0.6999.57052.js"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Deletes itself
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1216
    • C:\ProgramData\45e379ab\client32.exe
      "C:\ProgramData\45e379ab\client32.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:6064
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\45e379ab\client32.exe
    1⤵
      PID:4084
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4820

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\45e379ab.zip
        Filesize

        2.9MB

        MD5

        2160c50a4cb75d7dede8a9a67e2ee0a1

        SHA1

        28482693a2bff96f9eff21002664633fb594bc1d

        SHA256

        d2e37391e8311473cb09cad08ee52af7717eb221e57e3d1db64c12640871d57b

        SHA512

        0485f6fae741b997bbfc3eeb2f2de5996afa0d9aa29748d97a9ad3fe2dd1137c09bc302bbe4bf2c966112b821698bc6de5ecbbd411ceb6d0ad3600f633a3890b

        Download Submit

      • C:\ProgramData\45e379ab\HTCTL32.DLL
        Filesize

        306KB

        MD5

        3eed18b47412d3f91a394ae880b56ed2

        SHA1

        1b521a3ed4a577a33cce78eee627ae02445694ab

        SHA256

        13a17f2ad9288aac8941d895251604beb9524fa3c65c781197841ee15480a13f

        SHA512

        835f35af4fd241caa8b6a639626b8762db8525ccceb43afe8fffc24dffad76ca10852a5a8e9fc114bfbf7d1dc1950130a67037fc09b63a74374517a1f5448990

        Download Submit

      • C:\ProgramData\45e379ab\MSVCR100.dll
        Filesize

        755KB

        MD5

        0e37fbfa79d349d672456923ec5fbbe3

        SHA1

        4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

        SHA256

        8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

        SHA512

        2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

        Download Submit

      • C:\ProgramData\45e379ab\NSM.LIC
        Filesize

        262B

        MD5

        b9956282a0fed076ed083892e498ac69

        SHA1

        d14a665438385203283030a189ff6c5e7c4bf518

        SHA256

        fcc6afd664a8045bd61c398be3c37a97536a199a48d277e11977f93868ae1acc

        SHA512

        7daa09113c0e8a36c91cc6d657c65851a20dff6b60ac3d2f40c5737c12c1613c553955f84d131ba2139959973fef9fc616ca5e968cb16c25acf2d4739eed87eb

        Download Submit

      • C:\ProgramData\45e379ab\PCICHEK.DLL
        Filesize

        27KB

        MD5

        e311935a26ee920d5b7176cfa469253c

        SHA1

        eda6c815a02c4c91c9aacd819dc06e32ececf8f0

        SHA256

        0038ab626624fa2df9f65dd5e310b1206a9cd4d8ab7e65fb091cc25f13ebd34e

        SHA512

        48164e8841cfc91f4cbf4d3291d4f359518d081d9079a7995378f970e4085b534f4bafc15b83f4824cc79b5a1e54457b879963589b1acbcfe727a03eb3dffd1c

        Download Submit

      • C:\ProgramData\45e379ab\PCICL32.dll
        Filesize

        3.3MB

        MD5

        1274cca13cc5e37ca94d35e5b0673e89

        SHA1

        a8754c94f88273c304bc45a5afd61a383bb52117

        SHA256

        cd5510c8bc7ea60be77ad4aab502ee02d871bf4e917aeeb6921c20eebd9693dd

        SHA512

        52eafa31ee942dc92d0b8f52c12206f6abc1d5fae799b37b371e97c38ce66bd0693263de86b4880748ba1405054701288caf2cd00cd327edc164e1390cf9191c

        Download Submit

      • C:\ProgramData\45e379ab\client32.exe
        Filesize

        117KB

        MD5

        1c19c2e97c5e6b30de69ee684e6e5589

        SHA1

        5734ef7f9e4dba0639c98881e00f03eea35a62ee

        SHA256

        312a0e4db34a40cb95ba1fac8bf87deb45d0c5f048d38ac65eb060273b07df67

        SHA512

        ab7240b81be04f1bced47701a5791bbeedcba6037ee936327478c304aa1ce5ae75856ca7f568f909f847e27db2a6b9c08db7cc1057a18fab14a39a5854f15cba

        Download Submit

      • C:\ProgramData\45e379ab\client32.ini
        Filesize

        723B

        MD5

        fef8b6284e29827706ce4bb45f5decaf

        SHA1

        5b9a3d6d0180e6b1752e369c581ae8735dce9505

        SHA256

        07e70f87f59e677203ac0b082d3e0d9522f93c47e4aad2ead1694041ce541e71

        SHA512

        0b68986cacbd22cedcd560b32a69a6ad51cf79f2eb504a4dae69e6b911be55b2f7fc31b3d75dd9935a7b7cf42c6beea1da9f670c5dc12d3b6b93afecd1e31105

        Download Submit

      • C:\ProgramData\45e379ab\pcicapi.dll
        Filesize

        44KB

        MD5

        9daa86d91a18131d5caf49d14fb8b6f2

        SHA1

        6b2f7ceb6157909e114a2b05a48a1a2606b5caf1

        SHA256

        1716640cce74322f7ee3e3e02b75cd53b91686f66e389d606dab01bd9f88c557

        SHA512

        9a98e0d9e2dda8aefa54bddb3c7b71501d638dff68863939de6caa117b0e7bf15e581a75419ef8a0da3f1c56a19f1b0f4c86d65f8581773ab88ff5764b9bb3aa

        Download Submit