netsupport | c274d849d3bf25f38f966e07fb1dca7e421040902c38eb594e196a2b69320789

Analysis

max time kernel
105s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2025, 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c274d849d3bf25f38f966e07fb1dca7e421040902c38eb594e196a2b69320789.ps1
Size

3.6MB
MD5

9bdf65c880dda82bfbd775fb4b6517e2
SHA1

ee12202cecfdd151e5073b0686d0f365d8570267
SHA256

c274d849d3bf25f38f966e07fb1dca7e421040902c38eb594e196a2b69320789
SHA512

6406ec67a40395bd40b5cdf21a3dcdb1ece9cd9def9cc791b5293a53cd823e6fcec40f4415ba6caeebbbe2a9e45d3097961e651a7244da738ca7a004670d2fcc
SSDEEP

49152:kqTqa+Qtnal1tK6TFX9m4kCeRQ7OfmYz0ld5/TopuLAhvjYZJY51B:X

Score

10^/10

netsupport discovery execution persistence rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
Netsupport family
netsupport

Executes dropped EXE 2 IoCs

pid	Process
1252	presentationhost.exe
2524	presentationhost.exe

Loads dropped DLL 14 IoCs

pid	Process
2524	presentationhost.exe
1252	presentationhost.exe
1252	presentationhost.exe
2524	presentationhost.exe
1252	presentationhost.exe
1252	presentationhost.exe
1252	presentationhost.exe
1252	presentationhost.exe
2524	presentationhost.exe
2524	presentationhost.exe
2524	presentationhost.exe
2524	presentationhost.exe
2524	presentationhost.exe
1252	presentationhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SoftwareUpdater = "C:\\Users\\Admin\\AppData\\Roaming\\y097TYvh\\presentationhost.exe"	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2240	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	presentationhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	presentationhost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2240	powershell.exe
2240	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeSecurityPrivilege	1252	presentationhost.exe
Token: SeSecurityPrivilege	2524	presentationhost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2524	presentationhost.exe
1252	presentationhost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3320 wrote to memory of 1252	3320	cmd.exe	88
PID 3320 wrote to memory of 1252	3320	cmd.exe	88
PID 3320 wrote to memory of 1252	3320	cmd.exe	88
PID 2240 wrote to memory of 2524	2240	powershell.exe	89
PID 2240 wrote to memory of 2524	2240	powershell.exe	89
PID 2240 wrote to memory of 2524	2240	powershell.exe	89

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\c274d849d3bf25f38f966e07fb1dca7e421040902c38eb594e196a2b69320789.ps1
1⤵
- Adds Run key to start application
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Roaming\y097TYvh\presentationhost.exe
  "C:\Users\Admin\AppData\Roaming\y097TYvh\presentationhost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\y097TYvh\presentationhost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Users\Admin\AppData\Roaming\y097TYvh\presentationhost.exe
  C:\Users\Admin\AppData\Roaming\y097TYvh\presentationhost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1252

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xyjcq5az.hid.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\y097TYvh\HTCTL32.DLL

Filesize
316KB

MD5
051cdb6ac8e168d178e35489b6da4c74

SHA1
38c171457d160f8a6f26baa668f5c302f6c29cd1

SHA256
6562585009f15155eea9a489e474cebc4dd2a01a26d846fdd1b93fdc24b0c269

SHA512
602ab9999f7164a2d1704f712d8a622d69148eefe9a380c30bc8b310eadedf846ce6ae7940317437d5da59404d141dc2d1e0c3f954ca4ac7ae3497e56fcb4e36

Download Submit
C:\Users\Admin\AppData\Roaming\y097TYvh\NSM.LIC

Filesize
258B

MD5
9e482d086f86c0ea705aba09847b7491

SHA1
008e4fef872595a4d61a6977f26d8b6e45c7b758

SHA256
bb8591770a069d090a0208e9981e07a92ce01e560e48e4dbf0d7f2261e84dc95

SHA512
0e744e0b1f1c2a92bb54897609921e0e6578f295fe4f47adc570bc99855eb42e38f77b9069a68404473d566b8db4f5840b8da48345c5f9fb709ba82af84606de

Download Submit
C:\Users\Admin\AppData\Roaming\y097TYvh\PCICHEK.DLL

Filesize
14KB

MD5
3aabcd7c81425b3b9327a2bf643251c6

SHA1
ea841199baa7307280fc9e4688ac75e5624f2181

SHA256
0cff893b1e7716d09fb74b7a0313b78a09f3f48c586d31fc5f830bd72ce8331f

SHA512
97605b07be34948541462000345f1e8f9a9134d139448d4f331cefeeca6dad51c025fcab09d182b86e5a4a8e2f9412b3745ec86b514b0523497c821cb6b8c592

Download Submit
C:\Users\Admin\AppData\Roaming\y097TYvh\PCICL32.DLL

Filesize
3.3MB

MD5
e7b92529ea10176fe35ba73fa4edef74

SHA1
fc5b325d433cde797f6ad0d8b1305d6fb16d4e34

SHA256
b6d4ad0231941e0637485ac5833e0fdc75db35289b54e70f3858b70d36d04c80

SHA512
fb3a70e87772c1fb386ad8def6c7bdf325b8d525355d4386102649eb2d61f09ce101fce37ccc1f44d5878e604e2e426d96618e836367ab460cae01f627833517

Download Submit
C:\Users\Admin\AppData\Roaming\y097TYvh\client32.ini

Filesize
813B

MD5
08e6451962fb39a5f5d4611ec93bb90d

SHA1
6b95b72b00f137528c872af01350d34c738d1ffb

SHA256
adbb371faeac77cdf4c2dc1e5e83a6ce908057ab6459efcac95512db08f0dde0

SHA512
4dc19e5649c47dbd18be2175bade12fc15492939dcee131f14988495c2a8111360ef2279d244362672fc73cd63a92309d552b8ea74022c6d410fcbe443348de1

Download Submit
C:\Users\Admin\AppData\Roaming\y097TYvh\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\y097TYvh\pcicapi.dll

Filesize
106KB

MD5
67c53a770390e8c038060a1921c20da9

SHA1
49e63af91169c8ce7ef7de3d6a6fb9f8f739fa3a

SHA256
2dfdc169dfc27462adc98dde39306de8d0526dcf4577a1a486c2eef447300689

SHA512
201e07dbccd83480d6c4d8562e6d0a9e4c52ed12895f0b91d875c2bbcc50b3b1802e11e5e829c948be302bf98ebde7fb2a99476065d1709b3bdbcd5d59a1612d

Download Submit
C:\Users\Admin\AppData\Roaming\y097TYvh\presentationhost.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
memory/1252-42-0x0000000001000000-0x000000000135F000-memory.dmp

Filesize
3.4MB

Download
memory/1252-54-0x0000000000E70000-0x0000000000E97000-memory.dmp

Filesize
156KB

Download
memory/2240-12-0x00007FFBF0A50000-0x00007FFBF0C45000-memory.dmp

Filesize
2.0MB

Download
memory/2240-62-0x00007FFBF0A50000-0x00007FFBF0C45000-memory.dmp

Filesize
2.0MB

Download
memory/2240-46-0x00007FFBF0A50000-0x00007FFBF0C45000-memory.dmp

Filesize
2.0MB

Download
memory/2240-1-0x00007FFBF0A50000-0x00007FFBF0C45000-memory.dmp

Filesize
2.0MB

Download
memory/2240-11-0x0000021E22420000-0x0000021E22442000-memory.dmp

Filesize
136KB

Download
memory/2240-0-0x00007FFBF0A50000-0x00007FFBF0C45000-memory.dmp

Filesize
2.0MB

Download
memory/2524-59-0x0000000000BB0000-0x0000000000BD7000-memory.dmp

Filesize
156KB

Download
memory/2524-43-0x0000000000D50000-0x00000000010AF000-memory.dmp

Filesize
3.4MB

Download