Overview

overview

10

Static

static

1

alhasba com.js

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/04/2025, 16:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    alhasba com.js

  • Size

    6.8MB

  • MD5

    8c52e67eeec211199bc11eb330eb03a2

  • SHA1

    f059016354e9f48b0db9eac4751d4746e4134492

  • SHA256

    b784301cb2edafea875f779cf24e018f06732561069f6c4c3d86548029671642

  • SHA512

    c4f43a8ad24d5763b0a226974f74de8ca2302896a07fa0122d961443156b0e6da734964f11e58ed03f8d7efd0251d7244f1168e97247a43813677a8e28184c1d

  • SSDEEP

    49152:oZc5mjfM16ThMjjrFs6kSQ+iVV8qaz+1F3jIcgQuFTYlz0R7xxR3Ioxt6ZQSD9lT:+

Score
10/10
netsupportdiscoveryexecutionpersistencerat

Malware Config

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as a legitimate system administration software.

    ratnetsupport
  • Netsupport family
    netsupport
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\alhasba com.js"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Deletes itself
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5368
    • C:\ProgramData\24e1d50e\client32.exe
      "C:\ProgramData\24e1d50e\client32.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1152
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\24e1d50e\client32.exe
    1⤵
      PID:2380

    Network

    MITRE ATT&CK Enterprise v16

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\24e1d50e.zip
      Filesize

      3.2MB

      MD5

      2dfd29658cb0b2e6cb5359b89d6b46ae

      SHA1

      2513b0196a492ba6a8ee5b01e2143c9be168136d

      SHA256

      f5f7755398b900646df36199808d99cae08c2270831b9aba536580e459fabd6e

      SHA512

      7dc52ca28455dd806847e25ee3eda85ac281ea88ab18fc7cc4d4eb4b18df967e1eb3c8a5e4475ccee0a0fb67d36b481ed32d1bb234c6b4f5868b5bbc2ebfb1ef

      Download Submit

    • C:\ProgramData\24e1d50e\HTCTL32.DLL
      Filesize

      306KB

      MD5

      3eed18b47412d3f91a394ae880b56ed2

      SHA1

      1b521a3ed4a577a33cce78eee627ae02445694ab

      SHA256

      13a17f2ad9288aac8941d895251604beb9524fa3c65c781197841ee15480a13f

      SHA512

      835f35af4fd241caa8b6a639626b8762db8525ccceb43afe8fffc24dffad76ca10852a5a8e9fc114bfbf7d1dc1950130a67037fc09b63a74374517a1f5448990

      Download Submit

    • C:\ProgramData\24e1d50e\NSM.LIC
      Filesize

      262B

      MD5

      b9956282a0fed076ed083892e498ac69

      SHA1

      d14a665438385203283030a189ff6c5e7c4bf518

      SHA256

      fcc6afd664a8045bd61c398be3c37a97536a199a48d277e11977f93868ae1acc

      SHA512

      7daa09113c0e8a36c91cc6d657c65851a20dff6b60ac3d2f40c5737c12c1613c553955f84d131ba2139959973fef9fc616ca5e968cb16c25acf2d4739eed87eb

      Download Submit

    • C:\ProgramData\24e1d50e\PCICAPI.dll
      Filesize

      44KB

      MD5

      9daa86d91a18131d5caf49d14fb8b6f2

      SHA1

      6b2f7ceb6157909e114a2b05a48a1a2606b5caf1

      SHA256

      1716640cce74322f7ee3e3e02b75cd53b91686f66e389d606dab01bd9f88c557

      SHA512

      9a98e0d9e2dda8aefa54bddb3c7b71501d638dff68863939de6caa117b0e7bf15e581a75419ef8a0da3f1c56a19f1b0f4c86d65f8581773ab88ff5764b9bb3aa

      Download Submit

    • C:\ProgramData\24e1d50e\PCICL32.dll
      Filesize

      3.3MB

      MD5

      1274cca13cc5e37ca94d35e5b0673e89

      SHA1

      a8754c94f88273c304bc45a5afd61a383bb52117

      SHA256

      cd5510c8bc7ea60be77ad4aab502ee02d871bf4e917aeeb6921c20eebd9693dd

      SHA512

      52eafa31ee942dc92d0b8f52c12206f6abc1d5fae799b37b371e97c38ce66bd0693263de86b4880748ba1405054701288caf2cd00cd327edc164e1390cf9191c

      Download Submit

    • C:\ProgramData\24e1d50e\client32.exe
      Filesize

      117KB

      MD5

      1c19c2e97c5e6b30de69ee684e6e5589

      SHA1

      5734ef7f9e4dba0639c98881e00f03eea35a62ee

      SHA256

      312a0e4db34a40cb95ba1fac8bf87deb45d0c5f048d38ac65eb060273b07df67

      SHA512

      ab7240b81be04f1bced47701a5791bbeedcba6037ee936327478c304aa1ce5ae75856ca7f568f909f847e27db2a6b9c08db7cc1057a18fab14a39a5854f15cba

      Download Submit

    • C:\ProgramData\24e1d50e\client32.ini
      Filesize

      724B

      MD5

      18d78473117572d07f9fba97b752a59d

      SHA1

      2e0035972219b71b2922305b25d4847c7f5cac80

      SHA256

      54c475bc78c365a6d1857fc86564eedf558df815a6b1e8b390b62f019d08bafa

      SHA512

      c4eab3ec994443bed1d04f7cf6b7017b45707ab99d2296c1b6f7708c5c2a0f2fd776c08d7686aff66c2cfe322f0e008a279a29855eed6588380aa3abf45d28cb

      Download Submit

    • C:\ProgramData\24e1d50e\msvcr100.dll
      Filesize

      755KB

      MD5

      0e37fbfa79d349d672456923ec5fbbe3

      SHA1

      4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

      SHA256

      8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

      SHA512

      2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

      Download Submit

    • C:\ProgramData\24e1d50e\pcichek.dll
      Filesize

      27KB

      MD5

      e311935a26ee920d5b7176cfa469253c

      SHA1

      eda6c815a02c4c91c9aacd819dc06e32ececf8f0

      SHA256

      0038ab626624fa2df9f65dd5e310b1206a9cd4d8ab7e65fb091cc25f13ebd34e

      SHA512

      48164e8841cfc91f4cbf4d3291d4f359518d081d9079a7995378f970e4085b534f4bafc15b83f4824cc79b5a1e54457b879963589b1acbcfe727a03eb3dffd1c

      Download Submit