Overview

overview

10

Static

static

5

iu35ryECDc...9O.exe

windows7_x64

10

iu35ryECDc...9O.exe

windows10_x64

10

Resubmissions

05-11-2021 06:17

211105-g2bezsfhaj 10

05-11-2021 06:04

211105-gsw1bsfggr 10

Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    05-11-2021 06:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    iu35ryECDcB7YnmA9O.exe

  • Size

    854KB

  • MD5

    6160d9cc6de5bd6d63abf3a90492f72b

  • SHA1

    b37c3ef6fc4c4af664ba0b8dbaaeb065988980d5

  • SHA256

    6542a64376516f4aa87b9dd2cb2978b6e83441964110aa291d7a04bceb511d97

  • SHA512

    f5ef576b2b5de73b6287be8b49454072744afae2e233e3efaf6666f8509472339eb8d9123220b8b1fbe4100b76f51777294551afa3dab8c095b71e2f51414c08

Score
10/10
netsupportredline031121discoveryinfostealerratspywarestealer

Malware Config

Extracted

Family

redline

Botnet

031121

C2

m360li.info:81

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as a legitimate system administration software.

    ratnetsupport
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 11 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\iu35ryECDcB7YnmA9O.exe
    "C:\Users\Admin\AppData\Local\Temp\iu35ryECDcB7YnmA9O.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:304
    • C:\Users\Admin\AppData\Local\Temp\Skype.exe
      C:\Users\Admin\AppData\Local\Temp\Skype.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:960
    • C:\Users\Admin\AppData\Local\Temp\WinRar.exe
      C:\Users\Admin\AppData\Local\Temp\WinRar.exe
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1772
      • C:\Users\Admin\AppData\Roaming\WinSup\client32.exe
        "C:\Users\Admin\AppData\Roaming\WinSup\client32.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:608
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://www.binance.com/en/register?ref=WDA8929C
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1072
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1072 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1788
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\Admin\AppData\Local\Temp\iu35ryECDcB7YnmA9O.exe & exit
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1200
      • C:\Windows\SysWOW64\PING.EXE
        ping 0
        3⤵
        • Runs ping.exe
        PID:1968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    MD5

    acaeda60c79c6bcac925eeb3653f45e0

    SHA1

    2aaae490bcdaccc6172240ff1697753b37ac5578

    SHA256

    6b0ceccf0103afd89844761417c1d23acc41f8aebf3b7230765209b61eee5658

    SHA512

    feaa6e7ed7dda1583739b3e531ab5c562a222ee6ecd042690ae7dcff966717c6e968469a7797265a11f6e899479ae0f3031e8cf5bebe1492d5205e9c59690900

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    f79b1aba622998646960a5620939297f

    SHA1

    bd4f08856e4ba71eeda385e863a2ef4f19da9311

    SHA256

    db798f47b40fc1e1a99333eb9f0e366af23694756d1bbdb80d8d5398af833161

    SHA512

    b4132264d83c63d0ae6ce587f0ac0d141541e295f4ab3aba9da323f9e82a0c97f2615aacbd49b8c8f163de04b207315316a7f601330d2cfa2485793048c2233e

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    de9bc5a6c1f410524c94287e73756a4d

    SHA1

    ea0397ee750e5beb93d93776a33cd07fd7502c7b

    SHA256

    caf1c8fe7aa1bdca3916438288d77c9a2689ef1e6c717c9700257e79f4d9cedb

    SHA512

    3bc2d1ba2cb62d79f4f8906c1e4dc1d4bc58997a6882cf83fef0dee0ee7899de45f0047f2ca6dc7570ac11a9ac529e8ff52c77dfe8563afdf5a943bdddee85c4

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\r32q9i9\imagestore.dat
    MD5

    226c980862125950ce9095486307f961

    SHA1

    27a83fb9016f41ccb6a73a9fc6721a28df377fd9

    SHA256

    bd6fffa33a3504355b5d16726dad0b76c4f75088e9e5b3776a09a3af03bd2324

    SHA512

    470a53eb67646258629c089c46aef5b88ad2d64403752ee94a7f42e58af925f22bc50d5ab7546e582051184c6d6c8c75ccda0b09cdf691ed81faf68c6455a37b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Skype.exe
    MD5

    21eac16294ef9ac3a75775be71d7549b

    SHA1

    31b25f77abb0edfcd1fa6a6432b780e865df6bce

    SHA256

    634d3655e595ce29d36051ce297f6a28ad93bc620b030b0ac0d1345fb7fd505a

    SHA512

    8f1e4498f7eb46bccd20da995fc7c76607f400e81b88a5e7a08bc74e0345f8898a63feaa9f1ae01140aef4321cb29ae8fddcd152b2b1789e8f581fca1ddd0f5a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\WinRar.exe
    MD5

    3a4a597fb97793b774baca24094fa9bc

    SHA1

    f143c5cffb22a1c49d52b446966df19f9196918e

    SHA256

    7c7d0cb1027501458bae61f641a5b2ccd97df0b2f0635ec9c545fd31d3e438d0

    SHA512

    4d8bbce1d8790be564672723f58216d1be023a248ad163af274b5f210ad227f151767394b3d04413112b5d24c90cdfe357f3b879fd1ceefffd426fe3136f3f0c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\WinRar.exe
    MD5

    3a4a597fb97793b774baca24094fa9bc

    SHA1

    f143c5cffb22a1c49d52b446966df19f9196918e

    SHA256

    7c7d0cb1027501458bae61f641a5b2ccd97df0b2f0635ec9c545fd31d3e438d0

    SHA512

    4d8bbce1d8790be564672723f58216d1be023a248ad163af274b5f210ad227f151767394b3d04413112b5d24c90cdfe357f3b879fd1ceefffd426fe3136f3f0c

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VX0LIJVL.txt
    MD5

    52ab0f111b152b8983f6466b534d0a0d

    SHA1

    325db4789b1309f8071b3b5a001eaedc49983b7e

    SHA256

    3494f78b9dbab84e57ac453142a7edcb753e549a87f0fb95517e82e224070547

    SHA512

    3bb38967906e6acd6ef174df18bb6cac0d8d0044e9280763461cde56248965584305e072ab5718a781d27e529175f981d5af4aee3aa12ccb7fae8664fae11660

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WinSup\HTCTL32.DLL
    MD5

    2d3b207c8a48148296156e5725426c7f

    SHA1

    ad464eb7cf5c19c8a443ab5b590440b32dbc618f

    SHA256

    edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

    SHA512

    55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WinSup\MSVCR100.dll
    MD5

    0e37fbfa79d349d672456923ec5fbbe3

    SHA1

    4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

    SHA256

    8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

    SHA512

    2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WinSup\NSM.LIC
    MD5

    8614c2008044a081e9d26d8db1571f4a

    SHA1

    1b007f05c289d0b71d542520b25fe65c6b6fcbe3

    SHA256

    df622fc8bc605023730d3ad952d69fcbd8383ce5440d63da0df20fb139355ec9

    SHA512

    449244a508daaacde53078b826f7b482650acc3f61e8235fa892a737bebbecb178061d0aa1e99cd74da7885c86cebb2727d6e85384ecd68187d7e6e94f018ae9

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WinSup\PCICL32.dll
    MD5

    00587238d16012152c2e951a087f2cc9

    SHA1

    c4e27a43075ce993ff6bb033360af386b2fc58ff

    SHA256

    63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8

    SHA512

    637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WinSup\TCCTL32.DLL
    MD5

    eab603d12705752e3d268d86dff74ed4

    SHA1

    01873977c871d3346d795cf7e3888685de9f0b16

    SHA256

    6795d760ce7a955df6c2f5a062e296128efdb8c908908eda4d666926980447ea

    SHA512

    77de0d9c93ccba967db70b280a85a770b3d8bea3b707b1abb037b2826b48898fec87924e1a6cce218c43478e5209e9eb9781051b4c3b450bea3cd27dbd32c7f3

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WinSup\client32.exe
    MD5

    f76954b68cc390f8009f1a052283a740

    SHA1

    3112a39aad950045d6422fb2abe98bed05931e6c

    SHA256

    63315df7981130853d75dc753e5776bdf371811bcfce351557c1e45afdd1ebfb

    SHA512

    d3aea0867b488161f62e43e7c250ad3917713b8b183139fb6e06c71594fb0cec769e1494b7cc257117992ae4aa891e056f99c25431ae19f032b1ba779051a880

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WinSup\client32.ini
    MD5

    a92b98b93eb9300863341b02a9c10b86

    SHA1

    73df28c26d7dfa9b663afbe556b5c318a28b474d

    SHA256

    2bbbfcbc30c0bb04fa94a9dbdc842ec7c9e6f5fee0bdbe22776460496cfc13bd

    SHA512

    82f18a84babb91cf4aa9db27972a2ad6be1f33cd687499e4de76bd264f0ad1fe6df8fa216f9328fd33ad0ad558516638b9c2f515ec4c7c88c642cd6e53f0a198

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WinSup\pcicapi.dll
    MD5

    dcde2248d19c778a41aa165866dd52d0

    SHA1

    7ec84be84fe23f0b0093b647538737e1f19ebb03

    SHA256

    9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

    SHA512

    c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WinSup\pcichek.dll
    MD5

    a0b9388c5f18e27266a31f8c5765b263

    SHA1

    906f7e94f841d464d4da144f7c858fa2160e36db

    SHA256

    313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

    SHA512

    6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Skype.exe
    MD5

    21eac16294ef9ac3a75775be71d7549b

    SHA1

    31b25f77abb0edfcd1fa6a6432b780e865df6bce

    SHA256

    634d3655e595ce29d36051ce297f6a28ad93bc620b030b0ac0d1345fb7fd505a

    SHA512

    8f1e4498f7eb46bccd20da995fc7c76607f400e81b88a5e7a08bc74e0345f8898a63feaa9f1ae01140aef4321cb29ae8fddcd152b2b1789e8f581fca1ddd0f5a

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Skype.exe
    MD5

    21eac16294ef9ac3a75775be71d7549b

    SHA1

    31b25f77abb0edfcd1fa6a6432b780e865df6bce

    SHA256

    634d3655e595ce29d36051ce297f6a28ad93bc620b030b0ac0d1345fb7fd505a

    SHA512

    8f1e4498f7eb46bccd20da995fc7c76607f400e81b88a5e7a08bc74e0345f8898a63feaa9f1ae01140aef4321cb29ae8fddcd152b2b1789e8f581fca1ddd0f5a

    Download Submit
  • \Users\Admin\AppData\Local\Temp\WinRar.exe
    MD5

    3a4a597fb97793b774baca24094fa9bc

    SHA1

    f143c5cffb22a1c49d52b446966df19f9196918e

    SHA256

    7c7d0cb1027501458bae61f641a5b2ccd97df0b2f0635ec9c545fd31d3e438d0

    SHA512

    4d8bbce1d8790be564672723f58216d1be023a248ad163af274b5f210ad227f151767394b3d04413112b5d24c90cdfe357f3b879fd1ceefffd426fe3136f3f0c

    Download Submit
  • \Users\Admin\AppData\Roaming\WinSup\HTCTL32.DLL
    MD5

    2d3b207c8a48148296156e5725426c7f

    SHA1

    ad464eb7cf5c19c8a443ab5b590440b32dbc618f

    SHA256

    edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

    SHA512

    55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

    Download Submit
  • \Users\Admin\AppData\Roaming\WinSup\PCICHEK.DLL
    MD5

    a0b9388c5f18e27266a31f8c5765b263

    SHA1

    906f7e94f841d464d4da144f7c858fa2160e36db

    SHA256

    313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

    SHA512

    6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

    Download Submit
  • \Users\Admin\AppData\Roaming\WinSup\PCICL32.DLL
    MD5

    00587238d16012152c2e951a087f2cc9

    SHA1

    c4e27a43075ce993ff6bb033360af386b2fc58ff

    SHA256

    63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8

    SHA512

    637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226

    Download Submit
  • \Users\Admin\AppData\Roaming\WinSup\TCCTL32.DLL
    MD5

    eab603d12705752e3d268d86dff74ed4

    SHA1

    01873977c871d3346d795cf7e3888685de9f0b16

    SHA256

    6795d760ce7a955df6c2f5a062e296128efdb8c908908eda4d666926980447ea

    SHA512

    77de0d9c93ccba967db70b280a85a770b3d8bea3b707b1abb037b2826b48898fec87924e1a6cce218c43478e5209e9eb9781051b4c3b450bea3cd27dbd32c7f3

    Download Submit
  • \Users\Admin\AppData\Roaming\WinSup\client32.exe
    MD5

    f76954b68cc390f8009f1a052283a740

    SHA1

    3112a39aad950045d6422fb2abe98bed05931e6c

    SHA256

    63315df7981130853d75dc753e5776bdf371811bcfce351557c1e45afdd1ebfb

    SHA512

    d3aea0867b488161f62e43e7c250ad3917713b8b183139fb6e06c71594fb0cec769e1494b7cc257117992ae4aa891e056f99c25431ae19f032b1ba779051a880

    Download Submit
  • \Users\Admin\AppData\Roaming\WinSup\client32.exe
    MD5

    f76954b68cc390f8009f1a052283a740

    SHA1

    3112a39aad950045d6422fb2abe98bed05931e6c

    SHA256

    63315df7981130853d75dc753e5776bdf371811bcfce351557c1e45afdd1ebfb

    SHA512

    d3aea0867b488161f62e43e7c250ad3917713b8b183139fb6e06c71594fb0cec769e1494b7cc257117992ae4aa891e056f99c25431ae19f032b1ba779051a880

    Download Submit
  • \Users\Admin\AppData\Roaming\WinSup\msvcr100.dll
    MD5

    0e37fbfa79d349d672456923ec5fbbe3

    SHA1

    4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

    SHA256

    8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

    SHA512

    2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

    Download Submit
  • \Users\Admin\AppData\Roaming\WinSup\pcicapi.dll
    MD5

    dcde2248d19c778a41aa165866dd52d0

    SHA1

    7ec84be84fe23f0b0093b647538737e1f19ebb03

    SHA256

    9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

    SHA512

    c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

    Download Submit
  • memory/304-55-0x0000000075B71000-0x0000000075B73000-memory.dmp
    Filesize

    8KB

    Download
  • memory/608-78-0x0000000000000000-mapping.dmp
    Download
  • memory/960-69-0x0000000004D92000-0x0000000004D93000-memory.dmp
    Filesize

    4KB

    Download
  • memory/960-70-0x0000000004D94000-0x0000000004D95000-memory.dmp
    Filesize

    4KB

    Download
  • memory/960-68-0x0000000004D91000-0x0000000004D92000-memory.dmp
    Filesize

    4KB

    Download
  • memory/960-66-0x0000000000800000-0x0000000000819000-memory.dmp
    Filesize

    100KB

    Download
  • memory/960-60-0x0000000000380000-0x00000000003AE000-memory.dmp
    Filesize

    184KB

    Download
  • memory/960-58-0x0000000000000000-mapping.dmp
    Download
  • memory/1072-92-0x0000000000000000-mapping.dmp
    Download
  • memory/1200-96-0x0000000000000000-mapping.dmp
    Download
  • memory/1772-72-0x0000000000000000-mapping.dmp
    Download
  • memory/1788-98-0x0000000000000000-mapping.dmp
    Download
  • memory/1968-97-0x0000000000000000-mapping.dmp
    Download