Overview

overview

10

Static

static

fba454b0f8...22.msi

windows7_x64

10

fba454b0f8...22.msi

windows10-2004_x64

8

Analysis

  • max time kernel
    117s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    16-05-2022 08:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fba454b0f86b6514c9d9e5268ed58a398d30443819ec887fbc2b02d590dc1522.msi

  • Size

    1.3MB

  • MD5

    6e31d2f2c745b340e02b2e1f9711a715

  • SHA1

    9c99809aa69805f708afb5418b68b430d4087552

  • SHA256

    fba454b0f86b6514c9d9e5268ed58a398d30443819ec887fbc2b02d590dc1522

  • SHA512

    41694c05606a8585e6fa8e4e5e0672c59ccc096be6dbf0184c4af0e03e145f98101d96d02e3f744f9710cb722906b2afb2b6f90851842cec9eb9912c32fc587c

Score
10/10
redlineinstalldiscoveryinfostealerspyware

Malware Config

Extracted

Family

redline

Botnet

Install

C2

176.10.119.117:27038

Attributes
  • auth_value

    701b6467f584b2d5c52fa31ecce6761d

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 11 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 54 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\fba454b0f86b6514c9d9e5268ed58a398d30443819ec887fbc2b02d590dc1522.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1324
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1620
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 6385C0DC2EDFD9868981DCA034BDA14D
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:548
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-af7e35db-9f25-44e8-a7f7-fdeb6ac5891e\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        PID:1656
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        PID:752
      • C:\Users\Admin\AppData\Local\Temp\MW-af7e35db-9f25-44e8-a7f7-fdeb6ac5891e\files\ab5sJkWggxaDJyJU.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-af7e35db-9f25-44e8-a7f7-fdeb6ac5891e\files\ab5sJkWggxaDJyJU.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1948
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1532
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-af7e35db-9f25-44e8-a7f7-fdeb6ac5891e\files"
        3⤵
          PID:1676
        • C:\Windows\SysWOW64\ICACLS.EXE
          "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-af7e35db-9f25-44e8-a7f7-fdeb6ac5891e\." /SETINTEGRITYLEVEL (CI)(OI)LOW
          3⤵
          • Modifies file permissions
          PID:1736
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1788
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000568" "00000000000004B0"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:676

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    File Permissions Modification

    1
    T1222

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\MW-af7e35db-9f25-44e8-a7f7-fdeb6ac5891e\files.cab
      Filesize

      904KB

      MD5

      37ca8d45f74cbc1215726cbf74990e85

      SHA1

      8ad754ae9db24c18998d3a10525091a385a94546

      SHA256

      f7ad06b2d914343daec583f4ebaf01e0d733a629a0040a85e54f8b74e944e1e5

      SHA512

      8ffdf1c157dfc4702c1f2d13b148d0fb35439ba1e50395e58ee74de9e02e323664ca8421b55057a1910829d417a2e38424bc77848ed81ac8d4c2623682eaa007

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\MW-af7e35db-9f25-44e8-a7f7-fdeb6ac5891e\files\ab5sJkWggxaDJyJU.exe
      Filesize

      1.2MB

      MD5

      cb8cd07d32498986d817939e06ac4abb

      SHA1

      1de2ea093784a9b7ff6d1fa6d6877fdae990bd42

      SHA256

      f751501b33b4d7e35aa20d08f718e5a8ed1c0471b4da1bdd2562a3536d83d58e

      SHA512

      4c37cbd33af706f265415a309f9b32a46836430597be5a929423b4eaffc498a25c853ab7806a39f2e641ac9e95d75f8306bf48c37958b6e9291db8d80ae0ad59

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\MW-af7e35db-9f25-44e8-a7f7-fdeb6ac5891e\files\ab5sJkWggxaDJyJU.exe
      Filesize

      1.2MB

      MD5

      cb8cd07d32498986d817939e06ac4abb

      SHA1

      1de2ea093784a9b7ff6d1fa6d6877fdae990bd42

      SHA256

      f751501b33b4d7e35aa20d08f718e5a8ed1c0471b4da1bdd2562a3536d83d58e

      SHA512

      4c37cbd33af706f265415a309f9b32a46836430597be5a929423b4eaffc498a25c853ab7806a39f2e641ac9e95d75f8306bf48c37958b6e9291db8d80ae0ad59

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\MW-af7e35db-9f25-44e8-a7f7-fdeb6ac5891e\msiwrapper.ini
      Filesize

      1KB

      MD5

      670147487ccbe505cf9fea1c791d6756

      SHA1

      b9eaf86a4456ae8dd4ddae75511b2d376446b1a7

      SHA256

      30203e17d79c189f5fed316316dcf84745e289834e74e81f3dded73b5f38c883

      SHA512

      e4a741eaee0c416caf421061230affeb07f3592174b4f512223dde4b8cafa2aadaebc654eb53ec8bcb176d4326c8818aaa810bde67572262c3fec01e5254dbca

      Download Submit
    • C:\Windows\Installer\MSI5C44.tmp
      Filesize

      208KB

      MD5

      4caaa03e0b59ca60a3d34674b732b702

      SHA1

      ee80c8f4684055ac8960b9720fb108be07e1d10c

      SHA256

      d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

      SHA512

      25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

      Download Submit
    • \Users\Admin\AppData\Local\Temp\MW-af7e35db-9f25-44e8-a7f7-fdeb6ac5891e\files\ab5sJkWggxaDJyJU.exe
      Filesize

      1.2MB

      MD5

      cb8cd07d32498986d817939e06ac4abb

      SHA1

      1de2ea093784a9b7ff6d1fa6d6877fdae990bd42

      SHA256

      f751501b33b4d7e35aa20d08f718e5a8ed1c0471b4da1bdd2562a3536d83d58e

      SHA512

      4c37cbd33af706f265415a309f9b32a46836430597be5a929423b4eaffc498a25c853ab7806a39f2e641ac9e95d75f8306bf48c37958b6e9291db8d80ae0ad59

      Download Submit
    • \Users\Admin\AppData\Local\Temp\MW-af7e35db-9f25-44e8-a7f7-fdeb6ac5891e\files\ab5sJkWggxaDJyJU.exe
      Filesize

      1.2MB

      MD5

      cb8cd07d32498986d817939e06ac4abb

      SHA1

      1de2ea093784a9b7ff6d1fa6d6877fdae990bd42

      SHA256

      f751501b33b4d7e35aa20d08f718e5a8ed1c0471b4da1bdd2562a3536d83d58e

      SHA512

      4c37cbd33af706f265415a309f9b32a46836430597be5a929423b4eaffc498a25c853ab7806a39f2e641ac9e95d75f8306bf48c37958b6e9291db8d80ae0ad59

      Download Submit
    • \Users\Admin\AppData\Local\Temp\MW-af7e35db-9f25-44e8-a7f7-fdeb6ac5891e\files\ab5sJkWggxaDJyJU.exe
      Filesize

      1.2MB

      MD5

      cb8cd07d32498986d817939e06ac4abb

      SHA1

      1de2ea093784a9b7ff6d1fa6d6877fdae990bd42

      SHA256

      f751501b33b4d7e35aa20d08f718e5a8ed1c0471b4da1bdd2562a3536d83d58e

      SHA512

      4c37cbd33af706f265415a309f9b32a46836430597be5a929423b4eaffc498a25c853ab7806a39f2e641ac9e95d75f8306bf48c37958b6e9291db8d80ae0ad59

      Download Submit
    • \Users\Admin\AppData\Local\Temp\MW-af7e35db-9f25-44e8-a7f7-fdeb6ac5891e\files\ab5sJkWggxaDJyJU.exe
      Filesize

      1.2MB

      MD5

      cb8cd07d32498986d817939e06ac4abb

      SHA1

      1de2ea093784a9b7ff6d1fa6d6877fdae990bd42

      SHA256

      f751501b33b4d7e35aa20d08f718e5a8ed1c0471b4da1bdd2562a3536d83d58e

      SHA512

      4c37cbd33af706f265415a309f9b32a46836430597be5a929423b4eaffc498a25c853ab7806a39f2e641ac9e95d75f8306bf48c37958b6e9291db8d80ae0ad59

      Download Submit
    • \Users\Admin\AppData\Local\Temp\MW-af7e35db-9f25-44e8-a7f7-fdeb6ac5891e\files\ab5sJkWggxaDJyJU.exe
      Filesize

      1.2MB

      MD5

      cb8cd07d32498986d817939e06ac4abb

      SHA1

      1de2ea093784a9b7ff6d1fa6d6877fdae990bd42

      SHA256

      f751501b33b4d7e35aa20d08f718e5a8ed1c0471b4da1bdd2562a3536d83d58e

      SHA512

      4c37cbd33af706f265415a309f9b32a46836430597be5a929423b4eaffc498a25c853ab7806a39f2e641ac9e95d75f8306bf48c37958b6e9291db8d80ae0ad59

      Download Submit
    • \Windows\Installer\MSI5C44.tmp
      Filesize

      208KB

      MD5

      4caaa03e0b59ca60a3d34674b732b702

      SHA1

      ee80c8f4684055ac8960b9720fb108be07e1d10c

      SHA256

      d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

      SHA512

      25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

      Download Submit
    • memory/548-57-0x0000000076011000-0x0000000076013000-memory.dmp
      Filesize

      8KB

      Download
    • memory/548-56-0x0000000000000000-mapping.dmp
      Download
    • memory/752-63-0x0000000000000000-mapping.dmp
      Download
    • memory/1324-54-0x000007FEFC461000-0x000007FEFC463000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1532-78-0x0000000000400000-0x0000000000418000-memory.dmp
      Filesize

      96KB

      Download
    • memory/1532-85-0x0000000000240000-0x0000000000260000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1532-80-0x0000000000400000-0x0000000000418000-memory.dmp
      Filesize

      96KB

      Download
    • memory/1532-82-0x0000000000400000-0x0000000000418000-memory.dmp
      Filesize

      96KB

      Download
    • memory/1532-76-0x0000000000400000-0x0000000000418000-memory.dmp
      Filesize

      96KB

      Download
    • memory/1656-60-0x0000000000000000-mapping.dmp
      Download
    • memory/1676-83-0x0000000000000000-mapping.dmp
      Download
    • memory/1736-84-0x0000000000000000-mapping.dmp
      Download
    • memory/1948-75-0x000000000B110000-0x000000000B22B000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/1948-74-0x0000000000420000-0x000000000055D000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1948-73-0x0000000000420000-0x000000000055D000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1948-70-0x0000000000000000-mapping.dmp
      Download