Overview

overview

10

Static

static

1

Chrome 135...363.js

windows10-2004-x64

10

Analysis

  • max time kernel
    69s
  • max time network
    70s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/04/2025, 17:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Chrome 135.0.7049.87363.js

  • Size

    1.1MB

  • MD5

    c6ae1c6b01fa51111c9f86e12bd18eb9

  • SHA1

    7b1671915c0605539c2c3d96ca88539831490b27

  • SHA256

    21a24922b29742977c4f7e25dd2be056dc02bc5e70c98e32ec3e0c6206f4d9ef

  • SHA512

    4144c2d56cff73b5afb7b842715e4b12939292c22912ecb9c2c5dcfa9a0614b95843c4a746f9232d93737b83bb4e010e4b7a3417f41faa49f22bde7b127c9d5f

  • SSDEEP

    6144:Wb6NJhIrDjyeLyXyberDq91ItXMIX+CdppUyM4JMRUdt0FjyD0EjpQahloWbGhIR:5DUiZDWiYle

Score
10/10
netsupportdiscoveryexecutionpersistencerat

Malware Config

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as a legitimate system administration software.

    ratnetsupport
  • Netsupport family
    netsupport
  • Blocklisted process makes network request 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Chrome 135.0.7049.87363.js"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Deletes itself
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\ProgramData\dfkg1ole\client32.exe
      "C:\ProgramData\dfkg1ole\client32.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2776
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\dfkg1ole\client32.exe
    1⤵
      PID:716
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:5356

      Network

      MITRE ATT&CK Enterprise v16

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\dfkg1ole.zip
        Filesize

        4.7MB

        MD5

        33088f1f9b632ed561a53f97a9858739

        SHA1

        b9612c4e862fba59a44d25e96299a01c8ea86137

        SHA256

        4d528959d600d23597d8ade531353e8fc58cb95f4075cc94950593f2875f9675

        SHA512

        9e292718dbd7592a4c4e512b5f403f110ace5dd17d06b3404f874d3caf13fd4f6fb69523a7dcde7d14cdbf959ec6b5be3cdf05184fbd6d7bab51661be1fdfefc

        Download Submit

      • C:\ProgramData\dfkg1ole\HTCTL32.DLL
        Filesize

        306KB

        MD5

        3eed18b47412d3f91a394ae880b56ed2

        SHA1

        1b521a3ed4a577a33cce78eee627ae02445694ab

        SHA256

        13a17f2ad9288aac8941d895251604beb9524fa3c65c781197841ee15480a13f

        SHA512

        835f35af4fd241caa8b6a639626b8762db8525ccceb43afe8fffc24dffad76ca10852a5a8e9fc114bfbf7d1dc1950130a67037fc09b63a74374517a1f5448990

        Download Submit

      • C:\ProgramData\dfkg1ole\NSM.LIC
        Filesize

        262B

        MD5

        b9956282a0fed076ed083892e498ac69

        SHA1

        d14a665438385203283030a189ff6c5e7c4bf518

        SHA256

        fcc6afd664a8045bd61c398be3c37a97536a199a48d277e11977f93868ae1acc

        SHA512

        7daa09113c0e8a36c91cc6d657c65851a20dff6b60ac3d2f40c5737c12c1613c553955f84d131ba2139959973fef9fc616ca5e968cb16c25acf2d4739eed87eb

        Download Submit

      • C:\ProgramData\dfkg1ole\PCICAPI.dll
        Filesize

        44KB

        MD5

        9daa86d91a18131d5caf49d14fb8b6f2

        SHA1

        6b2f7ceb6157909e114a2b05a48a1a2606b5caf1

        SHA256

        1716640cce74322f7ee3e3e02b75cd53b91686f66e389d606dab01bd9f88c557

        SHA512

        9a98e0d9e2dda8aefa54bddb3c7b71501d638dff68863939de6caa117b0e7bf15e581a75419ef8a0da3f1c56a19f1b0f4c86d65f8581773ab88ff5764b9bb3aa

        Download Submit

      • C:\ProgramData\dfkg1ole\PCICL32.dll
        Filesize

        3.3MB

        MD5

        1274cca13cc5e37ca94d35e5b0673e89

        SHA1

        a8754c94f88273c304bc45a5afd61a383bb52117

        SHA256

        cd5510c8bc7ea60be77ad4aab502ee02d871bf4e917aeeb6921c20eebd9693dd

        SHA512

        52eafa31ee942dc92d0b8f52c12206f6abc1d5fae799b37b371e97c38ce66bd0693263de86b4880748ba1405054701288caf2cd00cd327edc164e1390cf9191c

        Download Submit

      • C:\ProgramData\dfkg1ole\client32.exe
        Filesize

        117KB

        MD5

        1c19c2e97c5e6b30de69ee684e6e5589

        SHA1

        5734ef7f9e4dba0639c98881e00f03eea35a62ee

        SHA256

        312a0e4db34a40cb95ba1fac8bf87deb45d0c5f048d38ac65eb060273b07df67

        SHA512

        ab7240b81be04f1bced47701a5791bbeedcba6037ee936327478c304aa1ce5ae75856ca7f568f909f847e27db2a6b9c08db7cc1057a18fab14a39a5854f15cba

        Download Submit

      • C:\ProgramData\dfkg1ole\client32.ini
        Filesize

        724B

        MD5

        18d78473117572d07f9fba97b752a59d

        SHA1

        2e0035972219b71b2922305b25d4847c7f5cac80

        SHA256

        54c475bc78c365a6d1857fc86564eedf558df815a6b1e8b390b62f019d08bafa

        SHA512

        c4eab3ec994443bed1d04f7cf6b7017b45707ab99d2296c1b6f7708c5c2a0f2fd776c08d7686aff66c2cfe322f0e008a279a29855eed6588380aa3abf45d28cb

        Download Submit

      • C:\ProgramData\dfkg1ole\msvcr100.dll
        Filesize

        755KB

        MD5

        0e37fbfa79d349d672456923ec5fbbe3

        SHA1

        4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

        SHA256

        8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

        SHA512

        2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

        Download Submit

      • C:\ProgramData\dfkg1ole\pcichek.dll
        Filesize

        27KB

        MD5

        e311935a26ee920d5b7176cfa469253c

        SHA1

        eda6c815a02c4c91c9aacd819dc06e32ececf8f0

        SHA256

        0038ab626624fa2df9f65dd5e310b1206a9cd4d8ab7e65fb091cc25f13ebd34e

        SHA512

        48164e8841cfc91f4cbf4d3291d4f359518d081d9079a7995378f970e4085b534f4bafc15b83f4824cc79b5a1e54457b879963589b1acbcfe727a03eb3dffd1c

        Download Submit