Analysis
-
max time kernel
148s -
max time network
145s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
27-01-2022 17:49
General
-
Target
22c4e23b27ee13f042f198725d4e5e370f9ec986c0b02f2da6a144758e25b90f.msi
-
Size
7.0MB
-
MD5
8f8f140fc190448aa8b9b1e3ae118039
-
SHA1
37c537bb09d0b2738bf78a83d6ee6d7e78febe17
-
SHA256
22c4e23b27ee13f042f198725d4e5e370f9ec986c0b02f2da6a144758e25b90f
-
SHA512
c058ddf5a3259cab006d711a4caa6dc244ef1e95d9a2dcdac4c8a07d95c92b77245c3f74b76f497907f9f9fc92d932522bc9ba6cd4682e6e068adaabf0d43680
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
-
Core1 .NET packer 1 IoCs
Detects packer/loader used by .NET malware.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 11 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Drops file in Windows directory 17 IoCs
-
Modifies data under HKEY_USERS 43 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\22c4e23b27ee13f042f198725d4e5e370f9ec986c0b02f2da6a144758e25b90f.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\MsiExec.exeC:\Windows\system32\MsiExec.exe -Embedding 24DC4389D01B7D15E8745F274D050381 C2⤵
- Loads dropped DLL
-
C:\Windows\system32\MsiExec.exeC:\Windows\system32\MsiExec.exe -Embedding 57D09FA5DF86F3C1678512D9F169DF1C2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\svshost.exe"C:\Users\Admin\AppData\Roaming\svshost.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\svsrhost.exe"C:\Users\Admin\AppData\Roaming\svsrhost.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot14" "" "" "60919e20f" "0000000000000000" "00000000000004B0" "00000000000005AC"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\05f7d4a7-c7ab-417a-abc1-344cf704c4cb\Repository.iniMD5
57ce22cfa93818352b424fa6aa91f233
SHA1435dfd782c04a3c08f0d191b4464a233d2f7563d
SHA2562d2944595d6f69ef942f1c7deb530f9b37ad746f938bd9f1bde5efb6e52317ec
SHA512f9870cb09ccab1d8dfa4938cda23addc7a8f9bc6eecee9b0843716cc774cb21895ac2040ced86929369b1170038ef5af05103b6b7279f42d41655701516c6848
-
C:\Users\Admin\AppData\Local\Temp\MSI6D65.tmpMD5
8636e27b4e9fe2e7d4ef7f77fe3ba1d2
SHA1f1c7c604ad423ae6885a4df033440056a937e9c2
SHA2565080ab5f709a25411f372c9d9d4fbcedb95d6a39334533815ab4eb975a43c74c
SHA512dc509d0d1d279380b0c7b44dfc45d22d4ea22188672add296bde316efb4d7a7e0942944e072920df029e6f47fa6f251147179d67a5d747172fa2c3482208cd2e
-
C:\Users\Admin\AppData\Local\Temp\MSIB616.tmpMD5
8636e27b4e9fe2e7d4ef7f77fe3ba1d2
SHA1f1c7c604ad423ae6885a4df033440056a937e9c2
SHA2565080ab5f709a25411f372c9d9d4fbcedb95d6a39334533815ab4eb975a43c74c
SHA512dc509d0d1d279380b0c7b44dfc45d22d4ea22188672add296bde316efb4d7a7e0942944e072920df029e6f47fa6f251147179d67a5d747172fa2c3482208cd2e
-
C:\Users\Admin\AppData\Local\Temp\MSIB76E.tmpMD5
8636e27b4e9fe2e7d4ef7f77fe3ba1d2
SHA1f1c7c604ad423ae6885a4df033440056a937e9c2
SHA2565080ab5f709a25411f372c9d9d4fbcedb95d6a39334533815ab4eb975a43c74c
SHA512dc509d0d1d279380b0c7b44dfc45d22d4ea22188672add296bde316efb4d7a7e0942944e072920df029e6f47fa6f251147179d67a5d747172fa2c3482208cd2e
-
C:\Users\Admin\AppData\Roaming\svshost.exeMD5
9a49cb2d63d6b7404e1f35864ac7761d
SHA1769dc89bb7b0e1e03c75c93026e41075129ea4a2
SHA256c8871d5d807ef7b86425d249662a75dc0a17e4dc9bb368e66001ed55e38a26ef
SHA5126abe57661fcae48f3db21751375fa2a2263938626c3543a1ce3a7fc81cbf583f3feb4af6a707393c9fbe7efe6461d5fcb266cb7ecffd568c2fe9449113635f14
-
C:\Users\Admin\AppData\Roaming\svshost.exeMD5
be60b4ef9bd397d9dcfbf18cc1ef3d78
SHA14fb36072539fd92267ff003fdb734afaa6620ce6
SHA256a957b938a02878771183a2ab0bff4146ca9ebe1f566b98e6f19df582efd27923
SHA512d49d147c3dd092e8a37f18b1993c141b04a44a29d93bd62444f30cd1887edaeb82c6cd002f3aa10b789545001352a402700df0f6d9d371f4b52efe6d0f9812f3
-
C:\Users\Admin\AppData\Roaming\svsrhost.exeMD5
a69016c93584cad35fc4da71a7a3e356
SHA1f37abbbb5733170929048c1721f285d40271a2d4
SHA25686b9c440cc4c13332f03d8b06dbf681a16978dae0c9bb4f795f21f9ea928552f
SHA512639417f601386e25f32de5099548fe0b8638d832d8d2df8c9e55dba42f6917b653d122f0d2eb15d7df358afc82cc4559e8e7be43f586e2c783a301880bdba355
-
C:\Users\Admin\AppData\Roaming\svsrhost.exeMD5
859eca5fcc507e0cd9ddfc246600de76
SHA15135ec9486d9f865435519997f712e72123c7adc
SHA25675b73cac579f08434c05fab66b19e9812dc97d690197cab4cfae75fa0f976c1b
SHA51278831d071c7252aa857bac5a50edd5783703c4518d6e59d1359f452f7fed113d06a93512977a08c466e7337591113b6d0c8c6fbba63789ca9c96767e85e760cc
-
C:\Windows\Installer\MSI315D.tmpMD5
8636e27b4e9fe2e7d4ef7f77fe3ba1d2
SHA1f1c7c604ad423ae6885a4df033440056a937e9c2
SHA2565080ab5f709a25411f372c9d9d4fbcedb95d6a39334533815ab4eb975a43c74c
SHA512dc509d0d1d279380b0c7b44dfc45d22d4ea22188672add296bde316efb4d7a7e0942944e072920df029e6f47fa6f251147179d67a5d747172fa2c3482208cd2e
-
C:\Windows\Installer\MSI343B.tmpMD5
8636e27b4e9fe2e7d4ef7f77fe3ba1d2
SHA1f1c7c604ad423ae6885a4df033440056a937e9c2
SHA2565080ab5f709a25411f372c9d9d4fbcedb95d6a39334533815ab4eb975a43c74c
SHA512dc509d0d1d279380b0c7b44dfc45d22d4ea22188672add296bde316efb4d7a7e0942944e072920df029e6f47fa6f251147179d67a5d747172fa2c3482208cd2e
-
C:\Windows\Installer\MSI34F8.tmpMD5
8636e27b4e9fe2e7d4ef7f77fe3ba1d2
SHA1f1c7c604ad423ae6885a4df033440056a937e9c2
SHA2565080ab5f709a25411f372c9d9d4fbcedb95d6a39334533815ab4eb975a43c74c
SHA512dc509d0d1d279380b0c7b44dfc45d22d4ea22188672add296bde316efb4d7a7e0942944e072920df029e6f47fa6f251147179d67a5d747172fa2c3482208cd2e
-
C:\Windows\Installer\MSI3631.tmpMD5
8636e27b4e9fe2e7d4ef7f77fe3ba1d2
SHA1f1c7c604ad423ae6885a4df033440056a937e9c2
SHA2565080ab5f709a25411f372c9d9d4fbcedb95d6a39334533815ab4eb975a43c74c
SHA512dc509d0d1d279380b0c7b44dfc45d22d4ea22188672add296bde316efb4d7a7e0942944e072920df029e6f47fa6f251147179d67a5d747172fa2c3482208cd2e
-
C:\Windows\Installer\MSI53F0.tmpMD5
8636e27b4e9fe2e7d4ef7f77fe3ba1d2
SHA1f1c7c604ad423ae6885a4df033440056a937e9c2
SHA2565080ab5f709a25411f372c9d9d4fbcedb95d6a39334533815ab4eb975a43c74c
SHA512dc509d0d1d279380b0c7b44dfc45d22d4ea22188672add296bde316efb4d7a7e0942944e072920df029e6f47fa6f251147179d67a5d747172fa2c3482208cd2e
-
C:\Windows\Installer\MSI5596.tmpMD5
8636e27b4e9fe2e7d4ef7f77fe3ba1d2
SHA1f1c7c604ad423ae6885a4df033440056a937e9c2
SHA2565080ab5f709a25411f372c9d9d4fbcedb95d6a39334533815ab4eb975a43c74c
SHA512dc509d0d1d279380b0c7b44dfc45d22d4ea22188672add296bde316efb4d7a7e0942944e072920df029e6f47fa6f251147179d67a5d747172fa2c3482208cd2e
-
C:\Windows\Installer\MSI6928.tmpMD5
8636e27b4e9fe2e7d4ef7f77fe3ba1d2
SHA1f1c7c604ad423ae6885a4df033440056a937e9c2
SHA2565080ab5f709a25411f372c9d9d4fbcedb95d6a39334533815ab4eb975a43c74c
SHA512dc509d0d1d279380b0c7b44dfc45d22d4ea22188672add296bde316efb4d7a7e0942944e072920df029e6f47fa6f251147179d67a5d747172fa2c3482208cd2e
-
\Users\Admin\AppData\Local\Temp\MSI6D65.tmpMD5
8636e27b4e9fe2e7d4ef7f77fe3ba1d2
SHA1f1c7c604ad423ae6885a4df033440056a937e9c2
SHA2565080ab5f709a25411f372c9d9d4fbcedb95d6a39334533815ab4eb975a43c74c
SHA512dc509d0d1d279380b0c7b44dfc45d22d4ea22188672add296bde316efb4d7a7e0942944e072920df029e6f47fa6f251147179d67a5d747172fa2c3482208cd2e
-
\Users\Admin\AppData\Local\Temp\MSIB616.tmpMD5
8636e27b4e9fe2e7d4ef7f77fe3ba1d2
SHA1f1c7c604ad423ae6885a4df033440056a937e9c2
SHA2565080ab5f709a25411f372c9d9d4fbcedb95d6a39334533815ab4eb975a43c74c
SHA512dc509d0d1d279380b0c7b44dfc45d22d4ea22188672add296bde316efb4d7a7e0942944e072920df029e6f47fa6f251147179d67a5d747172fa2c3482208cd2e
-
\Users\Admin\AppData\Local\Temp\MSIB76E.tmpMD5
8636e27b4e9fe2e7d4ef7f77fe3ba1d2
SHA1f1c7c604ad423ae6885a4df033440056a937e9c2
SHA2565080ab5f709a25411f372c9d9d4fbcedb95d6a39334533815ab4eb975a43c74c
SHA512dc509d0d1d279380b0c7b44dfc45d22d4ea22188672add296bde316efb4d7a7e0942944e072920df029e6f47fa6f251147179d67a5d747172fa2c3482208cd2e
-
\Users\Admin\AppData\Roaming\svsrhost.exeMD5
b6327ffd2ff14452e0799c9171470bb6
SHA1f8200e0a01be1ac6ef97c785b0b9583a32af4293
SHA25676a27b09ced2b93ac9abd8950b4183d7d8754cf36c735b1720d3e13d4f1a1d8c
SHA512d6be164ed3a3f6f0a528598e2f6a89ca8444a65aec65fdeb49cdfe14a8ad586b0e4518266e5ad2859248bfb69f77ee5ef2d2c3f9f84fc5bb777e9fa862217859
-
\Windows\Installer\MSI315D.tmpMD5
8636e27b4e9fe2e7d4ef7f77fe3ba1d2
SHA1f1c7c604ad423ae6885a4df033440056a937e9c2
SHA2565080ab5f709a25411f372c9d9d4fbcedb95d6a39334533815ab4eb975a43c74c
SHA512dc509d0d1d279380b0c7b44dfc45d22d4ea22188672add296bde316efb4d7a7e0942944e072920df029e6f47fa6f251147179d67a5d747172fa2c3482208cd2e
-
\Windows\Installer\MSI343B.tmpMD5
8636e27b4e9fe2e7d4ef7f77fe3ba1d2
SHA1f1c7c604ad423ae6885a4df033440056a937e9c2
SHA2565080ab5f709a25411f372c9d9d4fbcedb95d6a39334533815ab4eb975a43c74c
SHA512dc509d0d1d279380b0c7b44dfc45d22d4ea22188672add296bde316efb4d7a7e0942944e072920df029e6f47fa6f251147179d67a5d747172fa2c3482208cd2e
-
\Windows\Installer\MSI34F8.tmpMD5
8636e27b4e9fe2e7d4ef7f77fe3ba1d2
SHA1f1c7c604ad423ae6885a4df033440056a937e9c2
SHA2565080ab5f709a25411f372c9d9d4fbcedb95d6a39334533815ab4eb975a43c74c
SHA512dc509d0d1d279380b0c7b44dfc45d22d4ea22188672add296bde316efb4d7a7e0942944e072920df029e6f47fa6f251147179d67a5d747172fa2c3482208cd2e
-
\Windows\Installer\MSI3631.tmpMD5
8636e27b4e9fe2e7d4ef7f77fe3ba1d2
SHA1f1c7c604ad423ae6885a4df033440056a937e9c2
SHA2565080ab5f709a25411f372c9d9d4fbcedb95d6a39334533815ab4eb975a43c74c
SHA512dc509d0d1d279380b0c7b44dfc45d22d4ea22188672add296bde316efb4d7a7e0942944e072920df029e6f47fa6f251147179d67a5d747172fa2c3482208cd2e
-
\Windows\Installer\MSI53F0.tmpMD5
8636e27b4e9fe2e7d4ef7f77fe3ba1d2
SHA1f1c7c604ad423ae6885a4df033440056a937e9c2
SHA2565080ab5f709a25411f372c9d9d4fbcedb95d6a39334533815ab4eb975a43c74c
SHA512dc509d0d1d279380b0c7b44dfc45d22d4ea22188672add296bde316efb4d7a7e0942944e072920df029e6f47fa6f251147179d67a5d747172fa2c3482208cd2e
-
\Windows\Installer\MSI5596.tmpMD5
8636e27b4e9fe2e7d4ef7f77fe3ba1d2
SHA1f1c7c604ad423ae6885a4df033440056a937e9c2
SHA2565080ab5f709a25411f372c9d9d4fbcedb95d6a39334533815ab4eb975a43c74c
SHA512dc509d0d1d279380b0c7b44dfc45d22d4ea22188672add296bde316efb4d7a7e0942944e072920df029e6f47fa6f251147179d67a5d747172fa2c3482208cd2e
-
\Windows\Installer\MSI6928.tmpMD5
8636e27b4e9fe2e7d4ef7f77fe3ba1d2
SHA1f1c7c604ad423ae6885a4df033440056a937e9c2
SHA2565080ab5f709a25411f372c9d9d4fbcedb95d6a39334533815ab4eb975a43c74c
SHA512dc509d0d1d279380b0c7b44dfc45d22d4ea22188672add296bde316efb4d7a7e0942944e072920df029e6f47fa6f251147179d67a5d747172fa2c3482208cd2e
-
memory/112-114-0x000000006F550000-0x000000006F59F000-memory.dmpFilesize
316KB
-
memory/112-107-0x0000000073AE0000-0x0000000073AF7000-memory.dmpFilesize
92KB
-
memory/112-84-0x0000000076D50000-0x0000000076D97000-memory.dmpFilesize
284KB
-
memory/112-83-0x00000000763B0000-0x000000007645C000-memory.dmpFilesize
688KB
-
memory/112-127-0x000000006DF20000-0x000000006E0B0000-memory.dmpFilesize
1.6MB
-
memory/112-126-0x0000000073B00000-0x0000000073B16000-memory.dmpFilesize
88KB
-
memory/112-81-0x0000000000100000-0x0000000000101000-memory.dmpFilesize
4KB
-
memory/112-80-0x0000000000640000-0x0000000000685000-memory.dmpFilesize
276KB
-
memory/112-79-0x0000000000150000-0x000000000056D000-memory.dmpFilesize
4.1MB
-
memory/112-77-0x0000000074BA0000-0x0000000074BEA000-memory.dmpFilesize
296KB
-
memory/112-90-0x0000000075B10000-0x0000000075C6C000-memory.dmpFilesize
1.4MB
-
memory/112-96-0x0000000000150000-0x000000000056D000-memory.dmpFilesize
4.1MB
-
memory/112-97-0x0000000000150000-0x000000000056D000-memory.dmpFilesize
4.1MB
-
memory/112-98-0x0000000076940000-0x00000000769CF000-memory.dmpFilesize
572KB
-
memory/112-125-0x000000006F450000-0x000000006F488000-memory.dmpFilesize
224KB
-
memory/112-124-0x000000006F3F0000-0x000000006F407000-memory.dmpFilesize
92KB
-
memory/112-123-0x0000000074AF0000-0x0000000074AFB000-memory.dmpFilesize
44KB
-
memory/112-122-0x0000000075ED0000-0x0000000075FED000-memory.dmpFilesize
1.1MB
-
memory/112-121-0x00000000761C0000-0x00000000761CC000-memory.dmpFilesize
48KB
-
memory/112-105-0x0000000005170000-0x0000000005171000-memory.dmpFilesize
4KB
-
memory/112-106-0x0000000074EC0000-0x0000000075B0A000-memory.dmpFilesize
12.3MB
-
memory/112-85-0x0000000076500000-0x0000000076557000-memory.dmpFilesize
348KB
-
memory/112-108-0x00000000761F0000-0x0000000076225000-memory.dmpFilesize
212KB
-
memory/112-109-0x000000006F720000-0x000000006F73C000-memory.dmpFilesize
112KB
-
memory/112-110-0x000000006F610000-0x000000006F625000-memory.dmpFilesize
84KB
-
memory/112-111-0x000000006F630000-0x000000006F682000-memory.dmpFilesize
328KB
-
memory/112-112-0x000000006F600000-0x000000006F60D000-memory.dmpFilesize
52KB
-
memory/112-113-0x0000000076920000-0x0000000076939000-memory.dmpFilesize
100KB
-
memory/112-74-0x0000000074EC1000-0x0000000074EC3000-memory.dmpFilesize
8KB
-
memory/112-115-0x000000006F5A0000-0x000000006F5F8000-memory.dmpFilesize
352KB
-
memory/112-116-0x0000000074E50000-0x0000000074E5C000-memory.dmpFilesize
48KB
-
memory/112-118-0x0000000075C70000-0x0000000075C97000-memory.dmpFilesize
156KB
-
memory/112-119-0x000000006F740000-0x000000006F784000-memory.dmpFilesize
272KB
-
memory/112-120-0x000000006F410000-0x000000006F44D000-memory.dmpFilesize
244KB
-
memory/1056-54-0x000007FEFBAB1000-0x000007FEFBAB3000-memory.dmpFilesize
8KB
-
memory/1320-104-0x0000000000860000-0x0000000000866000-memory.dmpFilesize
24KB
-
memory/1320-103-0x000000001ABE0000-0x000000001AC1E000-memory.dmpFilesize
248KB
-
memory/1320-102-0x000000001AB90000-0x000000001ABE0000-memory.dmpFilesize
320KB
-
memory/1320-101-0x0000000002280000-0x0000000002282000-memory.dmpFilesize
8KB
-
memory/1320-100-0x0000000002040000-0x00000000020A8000-memory.dmpFilesize
416KB
-
memory/1320-91-0x000000013F5D0000-0x000000013F610000-memory.dmpFilesize
256KB