Malware analysis lada.zip Malicious activity | ANY.RUN

Add for printing

File name:	lada.zip
Full analysis:	https://app.any.run/tasks/e23007e2-f498-4365-bef6-69a2cf7e2c54
Verdict:	Malicious activity
Threats:	NetSupport RAT is a malicious adaptation of the legitimate NetSupport Manager, a remote access tool used for IT support, which cybercriminals exploit to gain unauthorized control over systems. It has gained significant traction due to its sophisticated evasion techniques, widespread distribution campaigns, and the challenge it poses to security professionals who must distinguish between legitimate and malicious uses of the underlying software. Malware Trends Tracker >>>
Analysis date:	August 09, 2024, 01:24:17
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	netsupport unwanted remote
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=store
MD5:	3D53EE9D7DFB6E64871826D789424C49
SHA1:	09FECBB2B606F01C0E921DFED341F9F44506D8C5
SHA256:	177B044664D7A6B98423049D8FEAD8DC3847FC15505A8B2C983096A27876ECC2
SSDEEP:	98304:9L2T9mibsp6fQ99VBwHsC/gyPLYBjC3dQBV22LWqZ2OECvDfTL7BSkzTu1ex2lpD:IDAmFPCk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: on
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- NETSUPPORT has been detected (SURICATA)
  - host.exe (PID: 6848)
- Connects to the CnC server
  - host.exe (PID: 6848)
SUSPICIOUS
- Drops the executable file immediately after the start
  - WinRAR.exe (PID: 1168)
- Connects to the server without a host name
  - host.exe (PID: 6848)
- There is functionality for communication over UDP network (YARA)
  - host.exe (PID: 6848)
- The process creates files with name similar to system file names
  - WinRAR.exe (PID: 1168)
- Process drops legitimate windows executable
  - WinRAR.exe (PID: 1168)
- Reads security settings of Internet Explorer
  - host.exe (PID: 6848)
- Contacting a server suspected of hosting an CnC
  - host.exe (PID: 6848)
- Potential Corporate Privacy Violation
  - host.exe (PID: 6848)
- There is functionality for taking screenshot (YARA)
  - host.exe (PID: 6848)
INFO
- Drop NetSupport executable file
  - WinRAR.exe (PID: 1168)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 1168)
- Checks supported languages
  - host.exe (PID: 6848)
- Manual execution by a user
  - host.exe (PID: 6848)
- Reads Environment values
  - host.exe (PID: 6848)
- Reads the computer name
  - host.exe (PID: 6848)
- Checks proxy server information
  - host.exe (PID: 6848)
- Creates files or folders in the user directory
  - host.exe (PID: 6848)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2024:08:08 08:11:56
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	lada/

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

124

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1168

"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\lada.zip

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

6800

C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\rundll32.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

6848

"C:\Users\admin\Desktop\lada\host.exe"

C:\Users\admin\Desktop\lada\host.exe

explorer.exe

User:

admin

Company:

NetSupport Ltd

Integrity Level:

MEDIUM

Description:

CrossTec Client Application

Version:

V11.00

Modules

Images
c:\users\admin\desktop\lada\host.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\users\admin\desktop\lada\pcicl32.dll

Add for printing

Total events

5 993

Read events

5 974

Write events

Delete events

Modification events


(PID) Process:	(1168) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(1168) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(1168) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(1168) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\lada.zip
(PID) Process:	(1168) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(1168) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(1168) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(1168) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6848) host.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6848) host.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
1168	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa1168.48312\lada\PCICHEK.DLL		executable
		MD5:A0B9388C5F18E27266A31F8C5765B263	SHA256:313117E723DDA6EA3911FAACD23F4405003FB651C73DE8DEFF10B9EB5B4A058A
1168	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa1168.48312\lada\nsm_vpro.ini		text
		MD5:3BE27483FDCDBF9EBAE93234785235E3	SHA256:4BFA4C00414660BA44BDDDE5216A7F28AECCAA9E2D42DF4BBFF66DB57C60522B
1168	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa1168.48312\lada\nskbfltr.inf		binary
		MD5:26E28C01461F7E65C402BDF09923D435	SHA256:D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368
1168	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa1168.48312\lada\TCCTL32.DLL		executable
		MD5:405A7BCA024D33D7D6464129C1B58451	SHA256:092C3EC01883D3B4B131985B3971F7E2E523252B75F9C2470E0821505C4A3A83
1168	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa1168.48312\lada\remcmdstub.exe		executable
		MD5:35DA3B727567FAB0C7C8426F1261C7F5	SHA256:89027F1449BE9BA1E56DD82D13A947CB3CA319ADFE9782F4874FBDC26DC59D09
1168	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa1168.48312\lada\host.exe		executable
		MD5:D57ADAB3CC9E13A11446B91CB5E70AE6	SHA256:A88888590829B569D43285C672246C12908E07DC15DB9982B578EFF37871D585
1168	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa1168.48312\lada\PCICL32.DLL		executable
		MD5:AD51946B1659ED61B76FF4E599E36683	SHA256:07A191254362664B3993479A277199F7EA5EE723B6C25803914EEDB50250ACF4
1168	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa1168.48312\lada\msvcr100.dll		executable
		MD5:0E37FBFA79D349D672456923EC5FBBE3	SHA256:8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
1168	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa1168.48312\lada\client32.ini		text
		MD5:1A7E50CE9A691CF96328B923C0F54FE3	SHA256:6E996DD0AC1EE37D990130A743B0732B1BC0C67F38DFE9D4B51C20AD4D4F0A12
1168	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa1168.48312\lada\AudioCapture.dll		executable
		MD5:4182F37B9BA1FA315268C669B5335DDE	SHA256:A74612AE5234D1A8F1263545400668097F9EB6A01DFB8037BC61CA9CAE82C5B8

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6848	host.exe	POST	200	45.82.84.13:443	http://45.82.84.13/fakeurl.htm	US	binary	61 b	unknown
6848	host.exe	GET	200	104.26.0.231:80	http://geo.netsupportsoftware.com/location/loca.asp	US	text	15 b	malicious
6848	host.exe	POST	—	45.82.84.13:443	http://45.82.84.13/fakeurl.htm	US	—	—	unknown
6848	host.exe	POST	200	45.82.84.13:443	http://45.82.84.13/fakeurl.htm	US	binary	159 b	unknown
6848	host.exe	POST	—	45.82.84.13:443	http://45.82.84.13/fakeurl.htm	US	—	—	unknown
6848	host.exe	POST	—	45.82.84.13:443	http://45.82.84.13/fakeurl.htm	US	—	—	unknown
6848	host.exe	POST	—	45.82.84.13:443	http://45.82.84.13/fakeurl.htm	US	—	—	unknown
6848	host.exe	POST	—	45.82.84.13:443	http://45.82.84.13/fakeurl.htm	US	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
5044	svchost.exe	52.140.118.28:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IN	unknown
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
—	—	52.140.118.28:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IN	unknown
4324	svchost.exe	52.140.118.28:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IN	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
5044	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6848	host.exe	45.82.84.13:443	—	ASN-QUADRANET-GLOBAL	US	unknown
6848	host.exe	104.26.0.231:80	geo.netsupportsoftware.com	CLOUDFLARENET	US	unknown
964	SIHClient.exe	20.12.23.50:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	52.140.118.28 4.231.128.59	whitelisted
google.com	142.250.185.238	whitelisted
geo.netsupportsoftware.com	104.26.0.231	unknown
slscr.update.microsoft.com	20.12.23.50	whitelisted
fe3cr.delivery.mp.microsoft.com	20.242.39.171	whitelisted

Threats

PID	Process	Class	Message
6848	host.exe	Potential Corporate Privacy Violation	ET POLICY NetSupport GeoLocation Lookup Request
6848	host.exe	Potentially Bad Traffic	ET POLICY HTTP traffic on port 443 (POST)
6848	host.exe	Misc activity	ET INFO NetSupport Remote Admin Response
6848	host.exe	Misc activity	ET INFO NetSupport Remote Admin Checkin
6848	host.exe	Potentially Bad Traffic	ET POLICY HTTP traffic on port 443 (POST)
6848	host.exe	Misc activity	ET INFO NetSupport Remote Admin Response
6848	host.exe	Misc activity	ET INFO NetSupport Remote Admin Checkin
6848	host.exe	Potentially Bad Traffic	ET POLICY HTTP traffic on port 443 (POST)
6848	host.exe	Misc activity	ET INFO NetSupport Remote Admin Checkin

3 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

lada.zip

3D53EE9D7DFB6E64871826D789424C49

09FECBB2B606F01C0E921DFED341F9F44506D8C5

177B044664D7A6B98423049D8FEAD8DC3847FC15505A8B2C983096A27876ECC2

98304:9L2T9mibsp6fQ99VBwHsC/gyPLYBjC3dQBV22LWqZ2OECvDfTL7BSkzTu1ex2lpD:IDAmFPCk

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

NETSUPPORT has been detected (SURICATA)

Connects to the CnC server

SUSPICIOUS

Drops the executable file immediately after the start

Connects to the server without a host name

There is functionality for communication over UDP network (YARA)

The process creates files with name similar to system file names

Process drops legitimate windows executable

Reads security settings of Internet Explorer

Contacting a server suspected of hosting an CnC

Potential Corporate Privacy Violation

There is functionality for taking screenshot (YARA)

INFO

Drop NetSupport executable file

Executable content was dropped or overwritten

Checks supported languages

Manual execution by a user

Reads Environment values

Reads the computer name

Checks proxy server information

Creates files or folders in the user directory

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings