Overview
overview
10Static
static
Installer/...er.exe
windows10-2004_x64
10Installer/browser.dll
windows10-2004_x64
1Installer/...fi.dll
windows10-2004_x64
1Installer/...xe.dll
windows10-2004_x64
1Installer/...fi.dll
windows10-2004_x64
1Installer/...xe.dll
windows10-2004_x64
1Installer/...32.dll
windows10-2004_x64
1Analysis
-
max time kernel
1226s -
max time network
1238s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
20-06-2022 22:11
Static task
static1
Behavioral task
behavioral1
Sample
Installer/Installer.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral2
Sample
Installer/browser.dll
Resource
win10v2004-20220414-en
Behavioral task
behavioral3
Sample
Installer/en-US/winload.efi.dll
Resource
win10v2004-20220414-en
Behavioral task
behavioral4
Sample
Installer/en-US/winload.exe.dll
Resource
win10v2004-20220414-en
Behavioral task
behavioral5
Sample
Installer/en-US/winresume.efi.dll
Resource
win10v2004-20220414-en
Behavioral task
behavioral6
Sample
Installer/en-US/winresume.exe.dll
Resource
win10v2004-20220414-en
Behavioral task
behavioral7
Sample
Installer/ssleay32.dll
Resource
win10v2004-20220414-en
General
-
Target
Installer/Installer.exe
-
Size
718.2MB
-
MD5
21789861e186b60def326d7fd6966fb1
-
SHA1
354987da5189498370577768cc3125f2d2b3167c
-
SHA256
ccfcbfa79a53af233a5f5fdea50eadd1f4868459cf241790dbbe6704ac054de5
-
SHA512
9b3f0beeb76011fcdf97e8a934920c7f74f5c3008d76d06f5b8ea20c8bc374305ff1e55b75fb8c6f746f1ca0123cdd61fc971299914524449670d23fd0a26839
Malware Config
Extracted
redline
777
89.22.227.140:31288
-
auth_value
e42115cf07e73321acdde5e388b0aef9
Signatures
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/4196-134-0x0000000000400000-0x0000000000420000-memory.dmp family_redline -
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
pumpal109061.execlient32.exepid process 4472 pumpal109061.exe 3348 client32.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Installer.exepumpal109061.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation Installer.exe Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation pumpal109061.exe -
Drops startup file 1 IoCs
Processes:
pumpal109061.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autorunns.ini.lnk pumpal109061.exe -
Loads dropped DLL 6 IoCs
Processes:
client32.exepid process 3348 client32.exe 3348 client32.exe 3348 client32.exe 3348 client32.exe 3348 client32.exe 3348 client32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
Installer.exedescription pid process target process PID 4248 set thread context of 4196 4248 Installer.exe Installer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
Installer.exeInstaller.exepid process 4248 Installer.exe 4248 Installer.exe 4248 Installer.exe 4248 Installer.exe 4248 Installer.exe 4248 Installer.exe 4248 Installer.exe 4248 Installer.exe 4248 Installer.exe 4248 Installer.exe 4196 Installer.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
Installer.exeInstaller.execlient32.exedescription pid process Token: SeDebugPrivilege 4248 Installer.exe Token: SeDebugPrivilege 4196 Installer.exe Token: SeSecurityPrivilege 3348 client32.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
client32.exepid process 3348 client32.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
Installer.exeInstaller.exepumpal109061.exedescription pid process target process PID 4248 wrote to memory of 4196 4248 Installer.exe Installer.exe PID 4248 wrote to memory of 4196 4248 Installer.exe Installer.exe PID 4248 wrote to memory of 4196 4248 Installer.exe Installer.exe PID 4248 wrote to memory of 4196 4248 Installer.exe Installer.exe PID 4248 wrote to memory of 4196 4248 Installer.exe Installer.exe PID 4248 wrote to memory of 4196 4248 Installer.exe Installer.exe PID 4248 wrote to memory of 4196 4248 Installer.exe Installer.exe PID 4248 wrote to memory of 4196 4248 Installer.exe Installer.exe PID 4196 wrote to memory of 4472 4196 Installer.exe pumpal109061.exe PID 4196 wrote to memory of 4472 4196 Installer.exe pumpal109061.exe PID 4196 wrote to memory of 4472 4196 Installer.exe pumpal109061.exe PID 4472 wrote to memory of 3348 4472 pumpal109061.exe client32.exe PID 4472 wrote to memory of 3348 4472 pumpal109061.exe client32.exe PID 4472 wrote to memory of 3348 4472 pumpal109061.exe client32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe"C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe"C:\Users\Admin\AppData\Local\Temp\Installer\Installer.exe"2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pumpal109061.exe"C:\Users\Admin\AppData\Local\Temp\pumpal109061.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\SupportWinUp\client32.exe"C:\Users\Admin\AppData\Roaming\SupportWinUp\client32.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Installer.exe.logFilesize
617B
MD585306571e7ae6002dd2a0fb3042b7472
SHA1c897ab7434b118a8ec1fe25205903f5ec8f71241
SHA25640c98b01052cd95102701b71b4fbe0eda48537435898c413239f5f888a614253
SHA5120e9853dab46fd5f6f9eea44377d3802e9cc2fff7ba2f9b45c7c8fc37b860ad9c3c4beb6e1572c87964e06144504210e29038cb03e00c7e7af6ad32e6e995c76a
-
C:\Users\Admin\AppData\Local\Temp\pumpal109061.exeFilesize
881.3MB
MD5584a88693e0f36323f641939df4fd568
SHA1cdcfa20be885a908c7e63c203240c7073899780f
SHA25670eec4200fcff6dd024ad3e623e97381165fca6a1c4aaf6dd63c995af5444d23
SHA512ff79a9276782a262039fc885dd3c677a7a6f99f7f5d0dfe2f509267811fcd94dfa7c9281c13a1b5111a4fa305f953831d9d9dba1e9dad7ce9ade29d707ca669e
-
C:\Users\Admin\AppData\Local\Temp\pumpal109061.exeFilesize
881.3MB
MD5584a88693e0f36323f641939df4fd568
SHA1cdcfa20be885a908c7e63c203240c7073899780f
SHA25670eec4200fcff6dd024ad3e623e97381165fca6a1c4aaf6dd63c995af5444d23
SHA512ff79a9276782a262039fc885dd3c677a7a6f99f7f5d0dfe2f509267811fcd94dfa7c9281c13a1b5111a4fa305f953831d9d9dba1e9dad7ce9ade29d707ca669e
-
C:\Users\Admin\AppData\Roaming\SupportWinUp\HTCTL32.DLLFilesize
320KB
MD5c94005d2dcd2a54e40510344e0bb9435
SHA155b4a1620c5d0113811242c20bd9870a1e31d542
SHA2563c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899
SHA5122e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a
-
C:\Users\Admin\AppData\Roaming\SupportWinUp\HTCTL32.DLLFilesize
320KB
MD5c94005d2dcd2a54e40510344e0bb9435
SHA155b4a1620c5d0113811242c20bd9870a1e31d542
SHA2563c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899
SHA5122e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a
-
C:\Users\Admin\AppData\Roaming\SupportWinUp\MSVCR100.dllFilesize
755KB
MD50e37fbfa79d349d672456923ec5fbbe3
SHA14e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA2568793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA5122bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630
-
C:\Users\Admin\AppData\Roaming\SupportWinUp\NSM.LICFilesize
261B
MD5a5090670b2a33d3172d86a5e37d8eb1f
SHA12cc5ac0a5998ceef432f761e838fc1dcea95844d
SHA25679cdc33dc604d8e5dfa3a03031235e4cf3dcf96563ee9dab52e41d91572ba2d9
SHA51270926685c88ad3f821170a21f5f034ec340af4b00d5b320b47444424ca44cf61acc196026bf945173bc08c94ade2a7f096b291fc82f6f73f457ecb56ab76e66e
-
C:\Users\Admin\AppData\Roaming\SupportWinUp\PCICHEK.DLLFilesize
18KB
MD5104b30fef04433a2d2fd1d5f99f179fe
SHA1ecb08e224a2f2772d1e53675bedc4b2c50485a41
SHA256956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd
SHA5125efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f
-
C:\Users\Admin\AppData\Roaming\SupportWinUp\PCICL32.DLLFilesize
3.6MB
MD5d3d39180e85700f72aaae25e40c125ff
SHA1f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15
SHA25638684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5
SHA512471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f
-
C:\Users\Admin\AppData\Roaming\SupportWinUp\PCICL32.dllFilesize
3.6MB
MD5d3d39180e85700f72aaae25e40c125ff
SHA1f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15
SHA25638684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5
SHA512471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f
-
C:\Users\Admin\AppData\Roaming\SupportWinUp\client32.exeFilesize
109KB
MD5b2b27ccaded1db8ee341d5bd2c373044
SHA11d0f9ca17c0961eeabffc2ba54e16854a13c8a9d
SHA256e4985a9739637aad4a409c95da33a1304dc17fd6ef9046159b27c0b137a57911
SHA5120987b11aa110ea6b6f4fe4361e587aff010508251644bdfb681a578fa4726fb56af039d55e0b74682fd7031414f665a98656186b220264c122a47d23751dcee1
-
C:\Users\Admin\AppData\Roaming\SupportWinUp\client32.exeFilesize
109KB
MD5b2b27ccaded1db8ee341d5bd2c373044
SHA11d0f9ca17c0961eeabffc2ba54e16854a13c8a9d
SHA256e4985a9739637aad4a409c95da33a1304dc17fd6ef9046159b27c0b137a57911
SHA5120987b11aa110ea6b6f4fe4361e587aff010508251644bdfb681a578fa4726fb56af039d55e0b74682fd7031414f665a98656186b220264c122a47d23751dcee1
-
C:\Users\Admin\AppData\Roaming\SupportWinUp\client32.iniFilesize
922B
MD5dffa0231dc24306b8e3b2bd039626008
SHA1045dfb40f236346bd81a3c4b066380e5836d210b
SHA256e6ebb4737718713aa429816324aa74dad33cd714ad120cf06f56398dfae42a49
SHA51228ad197d81f8c45dd211960e0a897ce1d99fdeff4a6f5f6f97933bb7aa7761e2827856d65be9197509bf1d853448e6fa5f1babbf9b067c9a5b75c49dfb5d2828
-
C:\Users\Admin\AppData\Roaming\SupportWinUp\msvcr100.dllFilesize
755KB
MD50e37fbfa79d349d672456923ec5fbbe3
SHA14e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA2568793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA5122bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630
-
C:\Users\Admin\AppData\Roaming\SupportWinUp\msvcr100.dllFilesize
755KB
MD50e37fbfa79d349d672456923ec5fbbe3
SHA14e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA2568793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA5122bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630
-
C:\Users\Admin\AppData\Roaming\SupportWinUp\pcicapi.dllFilesize
32KB
MD534dfb87e4200d852d1fb45dc48f93cfc
SHA135b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641
SHA2562d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703
SHA512f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2
-
C:\Users\Admin\AppData\Roaming\SupportWinUp\pcicapi.dllFilesize
32KB
MD534dfb87e4200d852d1fb45dc48f93cfc
SHA135b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641
SHA2562d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703
SHA512f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2
-
C:\Users\Admin\AppData\Roaming\SupportWinUp\pcichek.dllFilesize
18KB
MD5104b30fef04433a2d2fd1d5f99f179fe
SHA1ecb08e224a2f2772d1e53675bedc4b2c50485a41
SHA256956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd
SHA5125efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f
-
memory/3348-150-0x0000000000000000-mapping.dmp
-
memory/4196-141-0x0000000006110000-0x000000000612E000-memory.dmpFilesize
120KB
-
memory/4196-136-0x0000000005240000-0x0000000005252000-memory.dmpFilesize
72KB
-
memory/4196-144-0x0000000006F30000-0x00000000070F2000-memory.dmpFilesize
1.8MB
-
memory/4196-139-0x0000000005710000-0x00000000057A2000-memory.dmpFilesize
584KB
-
memory/4196-138-0x00000000052E0000-0x000000000531C000-memory.dmpFilesize
240KB
-
memory/4196-137-0x0000000005370000-0x000000000547A000-memory.dmpFilesize
1.0MB
-
memory/4196-142-0x0000000006260000-0x00000000062C6000-memory.dmpFilesize
408KB
-
memory/4196-143-0x0000000006D10000-0x0000000006D60000-memory.dmpFilesize
320KB
-
memory/4196-133-0x0000000000000000-mapping.dmp
-
memory/4196-140-0x00000000057B0000-0x0000000005826000-memory.dmpFilesize
472KB
-
memory/4196-134-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/4196-135-0x0000000005840000-0x0000000005E58000-memory.dmpFilesize
6.1MB
-
memory/4196-145-0x0000000007630000-0x0000000007B5C000-memory.dmpFilesize
5.2MB
-
memory/4248-130-0x0000000000C60000-0x0000000000CF6000-memory.dmpFilesize
600KB
-
memory/4248-132-0x00000000082F0000-0x0000000008894000-memory.dmpFilesize
5.6MB
-
memory/4248-131-0x00000000056A0000-0x000000000573C000-memory.dmpFilesize
624KB
-
memory/4472-146-0x0000000000000000-mapping.dmp