netsupport | d2f9dc8e7278a2ec0aa634536ac8d23db209aba8ca0e109ce80469c27517ab33

General

Target

snd16061.exe
Size

2.1MB
MD5

e24d2cdf95e080f2b6a1db32352d8a3c
SHA1

780ac662ba88d28882c2821d1c5fdc9894b1fcb9
SHA256

d2f9dc8e7278a2ec0aa634536ac8d23db209aba8ca0e109ce80469c27517ab33
SHA512

b623c6991acd2b437e88d5de6fb61aaa0a28ec79f3586b5e1eb1d749af374eb8f3d1b23e6138f00168d77518d3c2c5793ecdb32f94ec67df1e45687f13addbb1
SSDEEP

49152:XMHaSOxCBcuLX54FiFdrAskBlVgEKEZv5zauP+Tx77KZbYj57O7Tfle:XM6FMBcuEEdrAstEnv53P+xhOfM

Score

10^/10

netsupport discovery rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
Netsupport family
netsupport

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	snd16061.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autorunns.ini.lnk	snd16061.exe

Executes dropped EXE 1 IoCs

pid	Process
1772	client32.exe

Loads dropped DLL 6 IoCs

pid	Process
1772	client32.exe
1772	client32.exe
1772	client32.exe
1772	client32.exe
1772	client32.exe
1772	client32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	snd16061.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1772	client32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1772	client32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 1772	2552	snd16061.exe	88
PID 2552 wrote to memory of 1772	2552	snd16061.exe	88
PID 2552 wrote to memory of 1772	2552	snd16061.exe	88

C:\Users\Admin\AppData\Local\Temp\snd16061.exe
"C:\Users\Admin\AppData\Local\Temp\snd16061.exe"
1⤵
- Checks computer location settings
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Users\Admin\AppData\Roaming\WinSupUpdata\client32.exe
  "C:\Users\Admin\AppData\Roaming\WinSupUpdata\client32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1772

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSupUpdata\HTCTL32.DLL

Filesize
320KB

MD5
c94005d2dcd2a54e40510344e0bb9435

SHA1
55b4a1620c5d0113811242c20bd9870a1e31d542

SHA256
3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

SHA512
2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

Download Submit
C:\Users\Admin\AppData\Roaming\WinSupUpdata\NSM.LIC

Filesize
256B

MD5
523727c74d4097a62a16d15cf8ad1db5

SHA1
14dc19cf244e45d66c103044eeb016946249dd13

SHA256
05f0b1546fa629e5c9b0f08f8232cd9714f0aa556ebb7acd8e3a27603ed061a8

SHA512
d1d59c5cd68ea67c1ec32db2924fd731b0854056a05d8e543c12ee35b1ca04dfef8119b5d905f19a5c17e0b1ca69bbd1eb6a017ea98436bc3521a7e4ff8acfc1

Download Submit
C:\Users\Admin\AppData\Roaming\WinSupUpdata\PCICHEK.DLL

Filesize
18KB

MD5
104b30fef04433a2d2fd1d5f99f179fe

SHA1
ecb08e224a2f2772d1e53675bedc4b2c50485a41

SHA256
956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

SHA512
5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

Download Submit
C:\Users\Admin\AppData\Roaming\WinSupUpdata\PCICL32.dll

Filesize
3.6MB

MD5
d3d39180e85700f72aaae25e40c125ff

SHA1
f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

SHA256
38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

SHA512
471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

Download Submit
C:\Users\Admin\AppData\Roaming\WinSupUpdata\client32.exe

Filesize
103KB

MD5
c60ac6a6e6e582ab0ecb1fdbd607705b

SHA1
ba9de479beb82fd97bbdfbc04ef22e08224724ba

SHA256
4d24b359176389301c14a92607b5c26b8490c41e7e3a2abbc87510d1376f4a87

SHA512
f91b964f8b9a0e7445fc260b8c75c831e7ce462701a64a39989304468c9c5ab5d1e8bfe376940484f824b399aef903bf51c679fcf45208426fff7e4e518482ca

Download Submit
C:\Users\Admin\AppData\Roaming\WinSupUpdata\client32.ini

Filesize
922B

MD5
7bb1ec296d0d1b255fb99b52a413735a

SHA1
51d3b917b776816297181f46c8a24087bffba72f

SHA256
3efe6b8ec7e9751a01b92c73ca08785b142b2421311530462f51025a63b409a9

SHA512
3cedc6fd295b98a725ec92bd09ed66b6cfcc0e861523281988221b2837e066b2c29b42f6d9381d9b6aed26ce272230471962c4e292448c39ccb5240cb433e2a0

Download Submit
C:\Users\Admin\AppData\Roaming\WinSupUpdata\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\WinSupUpdata\pcicapi.dll

Filesize
32KB

MD5
34dfb87e4200d852d1fb45dc48f93cfc

SHA1
35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641

SHA256
2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

SHA512
f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

Download Submit

Analysis

Sharing