Overview

overview

10

Static

static

1

data/vulkan-1.dll

windows7-x64

3

data/vulkan-1.dll

windows10-2004-x64

3

setup.exe

windows7-x64

10

setup.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    245s
  • max time network
    293s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-02-2023 07:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup.exe

  • Size

    565.8MB

  • MD5

    b34cf82d7d10a1c8421ef3fe65e4de46

  • SHA1

    574c8dd9986952916786b03c0261230a933f3e9d

  • SHA256

    7e73c496079d96e4ccec427679b791518f25aaca20585a5d54f632064ff880ae

  • SHA512

    69fb1cb2e37c7b3321ff898aac936233521026834c07b92a7c8fa7885a363f5b2a6d6d455309435802f70827bc7ecb955ed9e4c7a8fdbcde212bc479748647ed

  • SSDEEP

    1536:8rae78zjORCDGwfdCSog01313fs5gG8m:kahKyd2n31E5d

Score
10/10
purecrypterredline@fjiif563downloaderinfostealerloaderpersistence

Malware Config

Extracted

Family

purecrypter

C2

https://speedysecurity.com.br/images/css/waves/bo/Upjcuf.bmp

Extracted

Family

redline

Botnet

@fjiif563

C2

45.15.157.131:36457

Attributes
  • auth_value

    ef361597d90539bf547a8edad2ebafde

Signatures

  • Detect PureCrypter injector 33 IoCs
    loader
  • PureCrypter

    PureCrypter is a .NET malware loader first seen in early 2021.

    loaderdownloaderpurecrypter
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4576
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ovl11.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ovl11.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1312
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1760
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4560
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3868
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ovl11.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ovl11.exe
        3⤵
        • Executes dropped EXE
        PID:2348
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ovl11.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ovl11.exe
        3⤵
        • Executes dropped EXE
        PID:3900

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\setup_ovl11.exe.log
    Filesize

    1KB

    MD5

    3a9188331a78f1dbce606db64b841fcb

    SHA1

    8e2c99b7c477d06591a856a4ea3e1e214719eee8

    SHA256

    db4137e258a0f6159fda559a5f6dd2704be0582c3f0586f65040c7ad1eb68451

    SHA512

    d1a994610a045d89d5d306866c24ae56bf16555414b8f63f632552568e67b5586f26d5a17a1f0a55ada376730298e6d856e9161828d4eae9decfa4e015e0e90a

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Filesize

    53KB

    MD5

    06ad34f9739c5159b4d92d702545bd49

    SHA1

    9152a0d4f153f3f40f7e606be75f81b582ee0c17

    SHA256

    474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

    SHA512

    c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    16KB

    MD5

    af9dfb354313d48a214dab0454e6f492

    SHA1

    6e61fbc09a21376c7e17194f6e14c66b3f16e6da

    SHA256

    b8d6ec55513c9f10085a6acfa87c890bd6bb996f96d6b125987f2ef31943c464

    SHA512

    eb9665b6cafc7b41d6d2c295790fe2b23128bde6005711adf04d140dbd70d82252618f80739e461422ff765f60086e0da414f24436187555b96e85a698591ef2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ovl11.exe
    Filesize

    229.0MB

    MD5

    96741647799e382c9a2714879775a661

    SHA1

    fa88f5f72c7584999acd75d9963a22c98fd006ea

    SHA256

    a1d5f5819a063190b5bfeb38483a3ce0ba5779c057eeeab76dad25d78f9610e9

    SHA512

    24eecb9acc724ce9dcfd100bc7e19cc5434e6d3f2d9a4b43ceced9a3502a5705f72ca5398f42141f30751ee454ac1b6668cd4771c51efbce3625d8d29fd544af

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ovl11.exe
    Filesize

    230.9MB

    MD5

    8d4ab4d1d6c430797e003a1f9ba7e80a

    SHA1

    f07adccebb21122f5ea1efba3ae572ffa2fe8a04

    SHA256

    65347678380595a23071625f6cafde102ecc935b80723064730ea1abee8318f0

    SHA512

    ee977107e89ec36beb8ac1e43fc7a9d1d329d9fb9165f82b88acdce3da261d19d660841a77bbe8c2b64661385085b4cb51edea16f6b031663a0b0186053eb057

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ovl11.exe
    Filesize

    362.4MB

    MD5

    86953017061f31e70b969e6c7f572c7f

    SHA1

    3bebe208120c374bc63b80b76d47caefabdca19a

    SHA256

    9412c0bf2b0d8f61bf6e8df011bd32f3a5be8a6d96bc0b0e4eee1bb3a43fe9da

    SHA512

    5a5afd57382e44034832f66d92b0d180d8e525ec4f22c54be4bf391604370814c622b4210e5f8f8c3c595dc63753d0dffc180ec1697a663a15598dae5491fa7c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ovl11.exe
    Filesize

    362.4MB

    MD5

    86953017061f31e70b969e6c7f572c7f

    SHA1

    3bebe208120c374bc63b80b76d47caefabdca19a

    SHA256

    9412c0bf2b0d8f61bf6e8df011bd32f3a5be8a6d96bc0b0e4eee1bb3a43fe9da

    SHA512

    5a5afd57382e44034832f66d92b0d180d8e525ec4f22c54be4bf391604370814c622b4210e5f8f8c3c595dc63753d0dffc180ec1697a663a15598dae5491fa7c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kslq4h5f.ecx.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/1312-175-0x0000000005DF0000-0x0000000006046000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1312-185-0x0000000005DF0000-0x0000000006046000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1312-151-0x0000000005DF0000-0x0000000006046000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1312-153-0x0000000005DF0000-0x0000000006046000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1312-155-0x0000000005DF0000-0x0000000006046000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1312-157-0x0000000005DF0000-0x0000000006046000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1312-159-0x0000000005DF0000-0x0000000006046000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1312-161-0x0000000005DF0000-0x0000000006046000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1312-163-0x0000000005DF0000-0x0000000006046000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1312-165-0x0000000005DF0000-0x0000000006046000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1312-167-0x0000000005DF0000-0x0000000006046000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1312-169-0x0000000005DF0000-0x0000000006046000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1312-171-0x0000000005DF0000-0x0000000006046000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1312-173-0x0000000005DF0000-0x0000000006046000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1312-10239-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1312-177-0x0000000005DF0000-0x0000000006046000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1312-181-0x0000000005DF0000-0x0000000006046000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1312-179-0x0000000005DF0000-0x0000000006046000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1312-183-0x0000000005DF0000-0x0000000006046000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1312-149-0x0000000005DF0000-0x0000000006046000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1312-187-0x0000000005DF0000-0x0000000006046000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1312-189-0x0000000005DF0000-0x0000000006046000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1312-191-0x0000000005DF0000-0x0000000006046000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1312-193-0x0000000005DF0000-0x0000000006046000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1312-195-0x0000000005DF0000-0x0000000006046000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1312-197-0x0000000005DF0000-0x0000000006046000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1312-199-0x0000000005DF0000-0x0000000006046000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1312-201-0x0000000005DF0000-0x0000000006046000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1312-203-0x0000000005DF0000-0x0000000006046000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1312-10218-0x0000000004A80000-0x0000000004AA2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1312-10219-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1312-147-0x0000000005DF0000-0x0000000006046000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1312-145-0x0000000005DF0000-0x0000000006046000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1312-143-0x0000000005DF0000-0x0000000006046000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1312-141-0x0000000005DF0000-0x0000000006046000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1312-140-0x0000000005DF0000-0x0000000006046000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1312-139-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1312-138-0x0000000000210000-0x0000000000218000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1760-10221-0x0000000005690000-0x0000000005CB8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1760-10222-0x0000000005E10000-0x0000000005E76000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1760-10237-0x0000000007AD0000-0x000000000814A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1760-10238-0x0000000006970000-0x000000000698A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1760-10235-0x00000000064E0000-0x00000000064FE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1760-10240-0x0000000005050000-0x0000000005060000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1760-10241-0x0000000005050000-0x0000000005060000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1760-10242-0x0000000005050000-0x0000000005060000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1760-10234-0x0000000005F80000-0x0000000005FE6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1760-10229-0x0000000005050000-0x0000000005060000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1760-10228-0x0000000005050000-0x0000000005060000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1760-10236-0x0000000005050000-0x0000000005060000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1760-10220-0x0000000004F10000-0x0000000004F46000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3868-10282-0x0000000007C70000-0x0000000007C7A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3868-10286-0x0000000007E30000-0x0000000007E4A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3868-10257-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3868-10288-0x0000000007E10000-0x0000000007E18000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3868-10285-0x0000000006740000-0x000000000674E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3868-10284-0x0000000007EB0000-0x0000000007F46000-memory.dmp

    Filesize

    600KB

    Download

  • memory/3868-10283-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3868-10261-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3868-10269-0x0000000006E90000-0x0000000006EC2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/3868-10271-0x000000006DF10000-0x000000006DF5C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3868-10270-0x000000007FDF0000-0x000000007FE00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3868-10281-0x0000000006E70000-0x0000000006E8E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3900-10250-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

    Download

  • memory/3900-10267-0x0000000005250000-0x0000000005260000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3900-10266-0x0000000004F00000-0x0000000004F3C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3900-10265-0x0000000004EA0000-0x0000000004EB2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3900-10262-0x0000000005400000-0x0000000005A18000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3900-10287-0x00000000062D0000-0x0000000006874000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3900-10264-0x0000000004F70000-0x000000000507A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3900-10289-0x0000000005E00000-0x0000000005E92000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3900-10291-0x0000000005250000-0x0000000005260000-memory.dmp

    Filesize

    64KB

    Download