redline | ba3a59b3ecd24ead1ca238ef12ce987103f88aec7f30becffbad873338ff9eb1

Analysis

max time kernel
93s
max time network
93s
platform
windows10_x64
resource
win10v20201028
submitted
11-01-2021 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup Crypto Bot.msi
Size

1.1MB
MD5

5b222388d5696dd34a1dd9eb2e477e63
SHA1

877b72f0aff67981bf96d28515afb843cc500cae
SHA256

ba3a59b3ecd24ead1ca238ef12ce987103f88aec7f30becffbad873338ff9eb1
SHA512

db6dbf5b505beaf559323301807668baf378a4b91eda98b99728ad500dd9bcfcdbab1824d788ab8bcafed80922ee99b713c424c4ceddcb5bab497b9a5fc1a10a

Score

10^/10

redline infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2084-23-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline
behavioral2/memory/2084-24-0x000000000041F52A-mapping.dmp	family_redline

Executes dropped EXE 2 IoCs

Processes:

Setup.exeSetup.exe

pid process

400 Setup.exe
2084 Setup.exe
Loads dropped DLL 2 IoCs

Processes:

MsiExec.exe

pid process

4052 MsiExec.exe
4052 MsiExec.exe

pid	process
400	Setup.exe
2084	Setup.exe

pid	process
4052	MsiExec.exe
4052	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Setup.exe

description pid process target process

PID 400 set thread context of 2084 400 Setup.exe Setup.exe

description	pid	process	target process
PID 400 set thread context of 2084	400	Setup.exe	Setup.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exeexpand.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\f74ac82.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B021B2A4-391B-47C5-9031-28CD2C474FDF}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9CC0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9C51.tmp	msiexec.exe
File created	C:\Windows\Installer\f74ac82.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAE85.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

2824 msiexec.exe
2824 msiexec.exe

pid	process
2824	msiexec.exe
2824	msiexec.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exesrtasks.exeSetup.exe

description	pid	process
Token: SeShutdownPrivilege	1048	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1048	msiexec.exe
Token: SeSecurityPrivilege	2824	msiexec.exe
Token: SeCreateTokenPrivilege	1048	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1048	msiexec.exe
Token: SeLockMemoryPrivilege	1048	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1048	msiexec.exe
Token: SeMachineAccountPrivilege	1048	msiexec.exe
Token: SeTcbPrivilege	1048	msiexec.exe
Token: SeSecurityPrivilege	1048	msiexec.exe
Token: SeTakeOwnershipPrivilege	1048	msiexec.exe
Token: SeLoadDriverPrivilege	1048	msiexec.exe
Token: SeSystemProfilePrivilege	1048	msiexec.exe
Token: SeSystemtimePrivilege	1048	msiexec.exe
Token: SeProfSingleProcessPrivilege	1048	msiexec.exe
Token: SeIncBasePriorityPrivilege	1048	msiexec.exe
Token: SeCreatePagefilePrivilege	1048	msiexec.exe
Token: SeCreatePermanentPrivilege	1048	msiexec.exe
Token: SeBackupPrivilege	1048	msiexec.exe
Token: SeRestorePrivilege	1048	msiexec.exe
Token: SeShutdownPrivilege	1048	msiexec.exe
Token: SeDebugPrivilege	1048	msiexec.exe
Token: SeAuditPrivilege	1048	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1048	msiexec.exe
Token: SeChangeNotifyPrivilege	1048	msiexec.exe
Token: SeRemoteShutdownPrivilege	1048	msiexec.exe
Token: SeUndockPrivilege	1048	msiexec.exe
Token: SeSyncAgentPrivilege	1048	msiexec.exe
Token: SeEnableDelegationPrivilege	1048	msiexec.exe
Token: SeManageVolumePrivilege	1048	msiexec.exe
Token: SeImpersonatePrivilege	1048	msiexec.exe
Token: SeCreateGlobalPrivilege	1048	msiexec.exe
Token: SeBackupPrivilege	2596	vssvc.exe
Token: SeRestorePrivilege	2596	vssvc.exe
Token: SeAuditPrivilege	2596	vssvc.exe
Token: SeBackupPrivilege	2824	msiexec.exe
Token: SeRestorePrivilege	2824	msiexec.exe
Token: SeRestorePrivilege	2824	msiexec.exe
Token: SeTakeOwnershipPrivilege	2824	msiexec.exe
Token: SeRestorePrivilege	2824	msiexec.exe
Token: SeTakeOwnershipPrivilege	2824	msiexec.exe
Token: SeBackupPrivilege	3120	srtasks.exe
Token: SeRestorePrivilege	3120	srtasks.exe
Token: SeSecurityPrivilege	3120	srtasks.exe
Token: SeTakeOwnershipPrivilege	3120	srtasks.exe
Token: SeBackupPrivilege	3120	srtasks.exe
Token: SeRestorePrivilege	3120	srtasks.exe
Token: SeSecurityPrivilege	3120	srtasks.exe
Token: SeTakeOwnershipPrivilege	3120	srtasks.exe
Token: SeRestorePrivilege	2824	msiexec.exe
Token: SeTakeOwnershipPrivilege	2824	msiexec.exe
Token: SeRestorePrivilege	2824	msiexec.exe
Token: SeTakeOwnershipPrivilege	2824	msiexec.exe
Token: SeDebugPrivilege	2084	Setup.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

1048 msiexec.exe
1048 msiexec.exe

pid	process
1048	msiexec.exe
1048	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

msiexec.exeMsiExec.exeSetup.exe

description	pid	process	target process
PID 2824 wrote to memory of 3120	2824	msiexec.exe	srtasks.exe
PID 2824 wrote to memory of 3120	2824	msiexec.exe	srtasks.exe
PID 2824 wrote to memory of 4052	2824	msiexec.exe	MsiExec.exe
PID 2824 wrote to memory of 4052	2824	msiexec.exe	MsiExec.exe
PID 2824 wrote to memory of 4052	2824	msiexec.exe	MsiExec.exe
PID 4052 wrote to memory of 3996	4052	MsiExec.exe	expand.exe
PID 4052 wrote to memory of 3996	4052	MsiExec.exe	expand.exe
PID 4052 wrote to memory of 3996	4052	MsiExec.exe	expand.exe
PID 4052 wrote to memory of 400	4052	MsiExec.exe	Setup.exe
PID 4052 wrote to memory of 400	4052	MsiExec.exe	Setup.exe
PID 4052 wrote to memory of 400	4052	MsiExec.exe	Setup.exe
PID 400 wrote to memory of 2084	400	Setup.exe	Setup.exe
PID 400 wrote to memory of 2084	400	Setup.exe	Setup.exe
PID 400 wrote to memory of 2084	400	Setup.exe	Setup.exe
PID 400 wrote to memory of 2084	400	Setup.exe	Setup.exe
PID 400 wrote to memory of 2084	400	Setup.exe	Setup.exe
PID 400 wrote to memory of 2084	400	Setup.exe	Setup.exe
PID 400 wrote to memory of 2084	400	Setup.exe	Setup.exe
PID 400 wrote to memory of 2084	400	Setup.exe	Setup.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Setup Crypto Bot.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1048

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3120

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding ECB7F40FB10E742AF55096B935E56D31
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\SysWOW64\expand.exe
"C:\Windows\System32\expand.exe" -R files.cab -F:* files
3⤵
- Drops file in Windows directory
PID:3996

C:\Users\Admin\AppData\Local\Temp\MW-4bdccba2-2e51-40d8-b41d-fffe8ba3a7ed\files\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\MW-4bdccba2-2e51-40d8-b41d-fffe8ba3a7ed\files\Setup.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:400

C:\Users\Admin\AppData\Local\Temp\MW-4bdccba2-2e51-40d8-b41d-fffe8ba3a7ed\files\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\MW-4bdccba2-2e51-40d8-b41d-fffe8ba3a7ed\files\Setup.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2596

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Setup.exe.log

MD5
90acfd72f14a512712b1a7380c0faf60

SHA1
40ba4accb8faa75887e84fb8e38d598dc8cf0f12

SHA256
20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86

SHA512
29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-4bdccba2-2e51-40d8-b41d-fffe8ba3a7ed\files.cab

MD5
06b715e266a09d3ef2de069f4c50add4

SHA1
c4a60721aa977b8f4ba036a614e2427158749042

SHA256
f26fe1c60a7ba7236666609ebdf397dd3ab265ac3b3e9e29c560c3ca42ac3563

SHA512
309b0b49d977697202c3d303b7f05ae4fd5744e721239a2667259a51db7fe524117321dc60d993f429edc2b4720dc5fe6316c28f95d2a555f64b4036ba1d85e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-4bdccba2-2e51-40d8-b41d-fffe8ba3a7ed\files\Setup.exe

MD5
e26037b5d85242c22b0360d19f4dca48

SHA1
3a76fd483cf554bb4e4979e8f2bdfef4667f4daa

SHA256
1432df02340298b46ef42cff5bd0a923fe095c553f85d404f6914b76ca850c5f

SHA512
f64a8944a09b141f6254b897391a02c23e73b6fdb8863c23b1d8d8ee8ad6e3ea40fa719940dad843075109f366c6133d1b306de498a1ce64ca4854d6e1e71ad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-4bdccba2-2e51-40d8-b41d-fffe8ba3a7ed\files\Setup.exe

MD5
e26037b5d85242c22b0360d19f4dca48

SHA1
3a76fd483cf554bb4e4979e8f2bdfef4667f4daa

SHA256
1432df02340298b46ef42cff5bd0a923fe095c553f85d404f6914b76ca850c5f

SHA512
f64a8944a09b141f6254b897391a02c23e73b6fdb8863c23b1d8d8ee8ad6e3ea40fa719940dad843075109f366c6133d1b306de498a1ce64ca4854d6e1e71ad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-4bdccba2-2e51-40d8-b41d-fffe8ba3a7ed\files\Setup.exe

MD5
e26037b5d85242c22b0360d19f4dca48

SHA1
3a76fd483cf554bb4e4979e8f2bdfef4667f4daa

SHA256
1432df02340298b46ef42cff5bd0a923fe095c553f85d404f6914b76ca850c5f

SHA512
f64a8944a09b141f6254b897391a02c23e73b6fdb8863c23b1d8d8ee8ad6e3ea40fa719940dad843075109f366c6133d1b306de498a1ce64ca4854d6e1e71ad6

Download Submit
C:\Windows\Installer\MSI9CC0.tmp

MD5
469d8a27c6637a765a5f29ba451d736a

SHA1
4320ec9aebdab7d50b4be0f72b1b996d5fbe55d3

SHA256
f2172cfc44b0194a62036e3185291a0ebbb509a7b22364cf7ecb721d74f519cc

SHA512
7bc888a54e54e766d573c5836492788f0ff878813058f43f9565e2aa68d6c59c54fab175476cae46c45681efa3885c1e0406434d133f839e0308ee5094dbf2eb

Download Submit
C:\Windows\Installer\MSIAE85.tmp

MD5
469d8a27c6637a765a5f29ba451d736a

SHA1
4320ec9aebdab7d50b4be0f72b1b996d5fbe55d3

SHA256
f2172cfc44b0194a62036e3185291a0ebbb509a7b22364cf7ecb721d74f519cc

SHA512
7bc888a54e54e766d573c5836492788f0ff878813058f43f9565e2aa68d6c59c54fab175476cae46c45681efa3885c1e0406434d133f839e0308ee5094dbf2eb

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5
1aef0972f1f398281a79ba2b89690fbf

SHA1
e4f4c4ebb1076c8d80674cbaf3bfcfd75a95217e

SHA256
d9a0ed2733035201bf305f0e127fc8a4d64b113c4764f6b22c88d788731c4a68

SHA512
d7ec3e3c03f8d5748484abb661d6d6877d39bfd777f7f108d84d2c7f7781e7eaf2159c219b92f51188739e69b2ebb4139ac0713708cb46705ac025d1b4710a8b

Download Submit
\??\Volume{0e932f02-0000-0000-0000-500600000000}\System Volume Information\SPP\OnlineMetadataCache\{c84247cb-e468-4aef-8216-b21c49f45727}_OnDiskSnapshotProp

MD5
457ca5fadbedd52dfc63c39cb8845e1c

SHA1
df486f3a371d189c71e507a2f4dae724e6022820

SHA256
5d47a4976e74260b07327a2ada8a9017056e3806f31f82c58057176b72f0f366

SHA512
ff41bb818f143545df2bb4e9d027fbe030b2592ecd2e3d0cbd27e6a3fd747abb99956314b4c96a06aaa6e63e6d95703baf3c8588e893f086f2d3cbf3a5533de7

Download Submit
\Windows\Installer\MSI9CC0.tmp

MD5
469d8a27c6637a765a5f29ba451d736a

SHA1
4320ec9aebdab7d50b4be0f72b1b996d5fbe55d3

SHA256
f2172cfc44b0194a62036e3185291a0ebbb509a7b22364cf7ecb721d74f519cc

SHA512
7bc888a54e54e766d573c5836492788f0ff878813058f43f9565e2aa68d6c59c54fab175476cae46c45681efa3885c1e0406434d133f839e0308ee5094dbf2eb

Download Submit
\Windows\Installer\MSIAE85.tmp

MD5
469d8a27c6637a765a5f29ba451d736a

SHA1
4320ec9aebdab7d50b4be0f72b1b996d5fbe55d3

SHA256
f2172cfc44b0194a62036e3185291a0ebbb509a7b22364cf7ecb721d74f519cc

SHA512
7bc888a54e54e766d573c5836492788f0ff878813058f43f9565e2aa68d6c59c54fab175476cae46c45681efa3885c1e0406434d133f839e0308ee5094dbf2eb

Download Submit
memory/400-19-0x0000000007200000-0x0000000007201000-memory.dmp

Filesize
4KB

Download
memory/400-13-0x0000000071B80000-0x000000007226E000-memory.dmp

Filesize
6.9MB

Download
memory/400-16-0x0000000007230000-0x0000000007231000-memory.dmp

Filesize
4KB

Download
memory/400-17-0x00000000077D0000-0x00000000077D1000-memory.dmp

Filesize
4KB

Download
memory/400-18-0x0000000007370000-0x0000000007371000-memory.dmp

Filesize
4KB

Download
memory/400-11-0x0000000000000000-mapping.dmp

Download
memory/400-20-0x00000000074D0000-0x00000000074D1000-memory.dmp

Filesize
4KB

Download
memory/400-21-0x00000000047F0000-0x0000000004802000-memory.dmp

Filesize
72KB

Download
memory/400-22-0x0000000005290000-0x0000000005344000-memory.dmp

Filesize
720KB

Download
memory/400-14-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1048-35-0x000001C0F0B60000-0x000001C0F0B64000-memory.dmp

Filesize
16KB

Download
memory/2084-24-0x000000000041F52A-mapping.dmp

Download
memory/2084-23-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2084-27-0x0000000071B80000-0x000000007226E000-memory.dmp

Filesize
6.9MB

Download
memory/2084-30-0x0000000005C50000-0x0000000005C51000-memory.dmp

Filesize
4KB

Download
memory/2084-31-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download
memory/2084-34-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/2084-36-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/2084-37-0x00000000059E0000-0x00000000059E1000-memory.dmp

Filesize
4KB

Download
memory/3120-2-0x0000000000000000-mapping.dmp

Download
memory/3996-8-0x0000000000000000-mapping.dmp

Download
memory/4052-3-0x0000000000000000-mapping.dmp

Download