Overview

overview

10

Static

static

Installer/...er.exe

windows10-2004_x64

10

Installer/browser.dll

windows10-2004_x64

1

Installer/...fi.dll

windows10-2004_x64

1

Installer/...xe.dll

windows10-2004_x64

1

Installer/...fi.dll

windows10-2004_x64

1

Installer/...xe.dll

windows10-2004_x64

1

Installer/...32.dll

windows10-2004_x64

1

Analysis

  • max time kernel
    1226s
  • max time network
    1238s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-06-2022 22:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Installer/Installer.exe

  • Size

    718.2MB

  • MD5

    21789861e186b60def326d7fd6966fb1

  • SHA1

    354987da5189498370577768cc3125f2d2b3167c

  • SHA256

    ccfcbfa79a53af233a5f5fdea50eadd1f4868459cf241790dbbe6704ac054de5

  • SHA512

    9b3f0beeb76011fcdf97e8a934920c7f74f5c3008d76d06f5b8ea20c8bc374305ff1e55b75fb8c6f746f1ca0123cdd61fc971299914524449670d23fd0a26839

Score
10/10
netsupportredline777discoveryinfostealerratspywarestealer

Malware Config

Extracted

Family

redline

Botnet

777

C2

89.22.227.140:31288

Attributes
  • auth_value

    e42115cf07e73321acdde5e388b0aef9

Signatures

  • NetSupport

    NetSupport is a remote access tool sold as a legitimate system administration software.

    ratnetsupport
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4248
    • C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe
      "C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe"
      2⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4196
      • C:\Users\Admin\AppData\Local\Temp\pumpal109061.exe
        "C:\Users\Admin\AppData\Local\Temp\pumpal109061.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Drops startup file
        • Suspicious use of WriteProcessMemory
        PID:4472
        • C:\Users\Admin\AppData\Roaming\SupportWinUp\client32.exe
          "C:\Users\Admin\AppData\Roaming\SupportWinUp\client32.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          PID:3348
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3552

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Installer.exe.log
      Filesize

      617B

      MD5

      85306571e7ae6002dd2a0fb3042b7472

      SHA1

      c897ab7434b118a8ec1fe25205903f5ec8f71241

      SHA256

      40c98b01052cd95102701b71b4fbe0eda48537435898c413239f5f888a614253

      SHA512

      0e9853dab46fd5f6f9eea44377d3802e9cc2fff7ba2f9b45c7c8fc37b860ad9c3c4beb6e1572c87964e06144504210e29038cb03e00c7e7af6ad32e6e995c76a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\pumpal109061.exe
      Filesize

      881.3MB

      MD5

      584a88693e0f36323f641939df4fd568

      SHA1

      cdcfa20be885a908c7e63c203240c7073899780f

      SHA256

      70eec4200fcff6dd024ad3e623e97381165fca6a1c4aaf6dd63c995af5444d23

      SHA512

      ff79a9276782a262039fc885dd3c677a7a6f99f7f5d0dfe2f509267811fcd94dfa7c9281c13a1b5111a4fa305f953831d9d9dba1e9dad7ce9ade29d707ca669e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\pumpal109061.exe
      Filesize

      881.3MB

      MD5

      584a88693e0f36323f641939df4fd568

      SHA1

      cdcfa20be885a908c7e63c203240c7073899780f

      SHA256

      70eec4200fcff6dd024ad3e623e97381165fca6a1c4aaf6dd63c995af5444d23

      SHA512

      ff79a9276782a262039fc885dd3c677a7a6f99f7f5d0dfe2f509267811fcd94dfa7c9281c13a1b5111a4fa305f953831d9d9dba1e9dad7ce9ade29d707ca669e

      Download Submit
    • C:\Users\Admin\AppData\Roaming\SupportWinUp\HTCTL32.DLL
      Filesize

      320KB

      MD5

      c94005d2dcd2a54e40510344e0bb9435

      SHA1

      55b4a1620c5d0113811242c20bd9870a1e31d542

      SHA256

      3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

      SHA512

      2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

      Download Submit
    • C:\Users\Admin\AppData\Roaming\SupportWinUp\HTCTL32.DLL
      Filesize

      320KB

      MD5

      c94005d2dcd2a54e40510344e0bb9435

      SHA1

      55b4a1620c5d0113811242c20bd9870a1e31d542

      SHA256

      3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

      SHA512

      2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

      Download Submit
    • C:\Users\Admin\AppData\Roaming\SupportWinUp\MSVCR100.dll
      Filesize

      755KB

      MD5

      0e37fbfa79d349d672456923ec5fbbe3

      SHA1

      4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

      SHA256

      8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

      SHA512

      2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

      Download Submit
    • C:\Users\Admin\AppData\Roaming\SupportWinUp\NSM.LIC
      Filesize

      261B

      MD5

      a5090670b2a33d3172d86a5e37d8eb1f

      SHA1

      2cc5ac0a5998ceef432f761e838fc1dcea95844d

      SHA256

      79cdc33dc604d8e5dfa3a03031235e4cf3dcf96563ee9dab52e41d91572ba2d9

      SHA512

      70926685c88ad3f821170a21f5f034ec340af4b00d5b320b47444424ca44cf61acc196026bf945173bc08c94ade2a7f096b291fc82f6f73f457ecb56ab76e66e

      Download Submit
    • C:\Users\Admin\AppData\Roaming\SupportWinUp\PCICHEK.DLL
      Filesize

      18KB

      MD5

      104b30fef04433a2d2fd1d5f99f179fe

      SHA1

      ecb08e224a2f2772d1e53675bedc4b2c50485a41

      SHA256

      956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

      SHA512

      5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

      Download Submit
    • C:\Users\Admin\AppData\Roaming\SupportWinUp\PCICL32.DLL
      Filesize

      3.6MB

      MD5

      d3d39180e85700f72aaae25e40c125ff

      SHA1

      f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

      SHA256

      38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

      SHA512

      471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

      Download Submit
    • C:\Users\Admin\AppData\Roaming\SupportWinUp\PCICL32.dll
      Filesize

      3.6MB

      MD5

      d3d39180e85700f72aaae25e40c125ff

      SHA1

      f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

      SHA256

      38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

      SHA512

      471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

      Download Submit
    • C:\Users\Admin\AppData\Roaming\SupportWinUp\client32.exe
      Filesize

      109KB

      MD5

      b2b27ccaded1db8ee341d5bd2c373044

      SHA1

      1d0f9ca17c0961eeabffc2ba54e16854a13c8a9d

      SHA256

      e4985a9739637aad4a409c95da33a1304dc17fd6ef9046159b27c0b137a57911

      SHA512

      0987b11aa110ea6b6f4fe4361e587aff010508251644bdfb681a578fa4726fb56af039d55e0b74682fd7031414f665a98656186b220264c122a47d23751dcee1

      Download Submit
    • C:\Users\Admin\AppData\Roaming\SupportWinUp\client32.exe
      Filesize

      109KB

      MD5

      b2b27ccaded1db8ee341d5bd2c373044

      SHA1

      1d0f9ca17c0961eeabffc2ba54e16854a13c8a9d

      SHA256

      e4985a9739637aad4a409c95da33a1304dc17fd6ef9046159b27c0b137a57911

      SHA512

      0987b11aa110ea6b6f4fe4361e587aff010508251644bdfb681a578fa4726fb56af039d55e0b74682fd7031414f665a98656186b220264c122a47d23751dcee1

      Download Submit
    • C:\Users\Admin\AppData\Roaming\SupportWinUp\client32.ini
      Filesize

      922B

      MD5

      dffa0231dc24306b8e3b2bd039626008

      SHA1

      045dfb40f236346bd81a3c4b066380e5836d210b

      SHA256

      e6ebb4737718713aa429816324aa74dad33cd714ad120cf06f56398dfae42a49

      SHA512

      28ad197d81f8c45dd211960e0a897ce1d99fdeff4a6f5f6f97933bb7aa7761e2827856d65be9197509bf1d853448e6fa5f1babbf9b067c9a5b75c49dfb5d2828

      Download Submit
    • C:\Users\Admin\AppData\Roaming\SupportWinUp\msvcr100.dll
      Filesize

      755KB

      MD5

      0e37fbfa79d349d672456923ec5fbbe3

      SHA1

      4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

      SHA256

      8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

      SHA512

      2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

      Download Submit
    • C:\Users\Admin\AppData\Roaming\SupportWinUp\msvcr100.dll
      Filesize

      755KB

      MD5

      0e37fbfa79d349d672456923ec5fbbe3

      SHA1

      4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

      SHA256

      8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

      SHA512

      2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

      Download Submit
    • C:\Users\Admin\AppData\Roaming\SupportWinUp\pcicapi.dll
      Filesize

      32KB

      MD5

      34dfb87e4200d852d1fb45dc48f93cfc

      SHA1

      35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641

      SHA256

      2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

      SHA512

      f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

      Download Submit
    • C:\Users\Admin\AppData\Roaming\SupportWinUp\pcicapi.dll
      Filesize

      32KB

      MD5

      34dfb87e4200d852d1fb45dc48f93cfc

      SHA1

      35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641

      SHA256

      2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

      SHA512

      f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

      Download Submit
    • C:\Users\Admin\AppData\Roaming\SupportWinUp\pcichek.dll
      Filesize

      18KB

      MD5

      104b30fef04433a2d2fd1d5f99f179fe

      SHA1

      ecb08e224a2f2772d1e53675bedc4b2c50485a41

      SHA256

      956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

      SHA512

      5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

      Download Submit
    • memory/3348-150-0x0000000000000000-mapping.dmp
      Download
    • memory/4196-141-0x0000000006110000-0x000000000612E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/4196-136-0x0000000005240000-0x0000000005252000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4196-144-0x0000000006F30000-0x00000000070F2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/4196-139-0x0000000005710000-0x00000000057A2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4196-138-0x00000000052E0000-0x000000000531C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/4196-137-0x0000000005370000-0x000000000547A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/4196-142-0x0000000006260000-0x00000000062C6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4196-143-0x0000000006D10000-0x0000000006D60000-memory.dmp
      Filesize

      320KB

      Download
    • memory/4196-133-0x0000000000000000-mapping.dmp
      Download
    • memory/4196-140-0x00000000057B0000-0x0000000005826000-memory.dmp
      Filesize

      472KB

      Download
    • memory/4196-134-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/4196-135-0x0000000005840000-0x0000000005E58000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/4196-145-0x0000000007630000-0x0000000007B5C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/4248-130-0x0000000000C60000-0x0000000000CF6000-memory.dmp
      Filesize

      600KB

      Download
    • memory/4248-132-0x00000000082F0000-0x0000000008894000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4248-131-0x00000000056A0000-0x000000000573C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/4472-146-0x0000000000000000-mapping.dmp
      Download