Overview

overview

10

Static

static

1

Adobe Acro...ix.exe

windows7-x64

10

Adobe Acro...ix.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    114s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-02-2023 00:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Adobe Acrobat DC OCR Fix.exe

  • Size

    109.7MB

  • MD5

    36e21b27644c07b5e815c9eb2a819e6e

  • SHA1

    e51a64704ca5862af9fb1c61f73bf9cb55dfaee4

  • SHA256

    d79fa6a863bb63a7df878d66fcdbd17a31bd69f6d05190f9ffa7b0fb38b2799d

  • SHA512

    cbc043aebf7ac712eb4f5da908d2e00eb67df4759f313329bea4276a5b092e5a40ce01989ded11427f7318883e0f9d34de371d9b206b21e5c3ed36ef5b89066d

  • SSDEEP

    3145728:G4HZnnw/hW6RbeNV9Y1tncbdm+fxd57f/W:dZnw/MKu/Y1BcJ9xdZHW

Score
10/10
redlinetpbinfostealerspyware

Malware Config

Extracted

Family

redline

Botnet

TPB

C2

amrican-sport-live-stream.cc:4581

Attributes
  • auth_value

    9af3f668d2aa93965a3f83753e8ccb3f

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 6 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC OCR Fix.exe
    "C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC OCR Fix.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Adobe Acrobat DC OCR Fix\Adobe Acrobat DC OCR Fix 1.0.0\install\Adobe Acrobat DC OCR Fix.msi" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\Adobe Acrobat DC OCR Fix.exe" SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1676270759 "
      2⤵
      • Enumerates connected drives
      • Suspicious use of FindShellTrayWindow
      PID:4220
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4564
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 0882D102EAB82D9F9AF05DBEC449926D C
      2⤵
      • Loads dropped DLL
      PID:1548
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:4872
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 68AC88027D19A9BEF61E32C247E3D532
        2⤵
        • Loads dropped DLL
        PID:3236
      • C:\Users\Admin\AppData\Roaming\WindowsActiveServices\PatchFix.exe
        "C:\Users\Admin\AppData\Roaming\WindowsActiveServices\PatchFix.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4612
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          3⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:1208
          • C:\Users\Admin\AppData\Roaming\WindowsServices\WindowsServices.exe
            "C:\Users\Admin\AppData\Roaming\WindowsServices\WindowsServices.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:3924
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:4576
      • C:\Windows\Installer\MSI2764.tmp
        "C:\Windows\Installer\MSI2764.tmp" "C:\Program Files (x86)\Adobe Acrobat DC OCR Fix\Adobe Acrobat DC OCR Fix\Adobe Acrobat DC OCR Fix.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3976
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:4436
    • C:\Program Files (x86)\Adobe Acrobat DC OCR Fix\Adobe Acrobat DC OCR Fix\Adobe Acrobat DC OCR Fix.exe
      "C:\Program Files (x86)\Adobe Acrobat DC OCR Fix\Adobe Acrobat DC OCR Fix\Adobe Acrobat DC OCR Fix.exe"
      1⤵
      • Executes dropped EXE
      PID:4764

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Adobe Acrobat DC OCR Fix\Adobe Acrobat DC OCR Fix\Adobe Acrobat DC OCR Fix.exe
      Filesize

      78.9MB

      MD5

      c79bd426892455c5940558ed35d1c31d

      SHA1

      c20cc903f5448ed529fdc432f76f292bb129da3f

      SHA256

      80b49468a65d7d697a82dfd8c1666c030b98b86d9b1ffe6e686dd44e2cb526ef

      SHA512

      281adf9b580a75be96d01da9944d8984154ab5a3ce270173ce2ba4daec427374787f80e333a745d942c5eb8a0ae9d7682e36ab83558ac996bc178b82ee68321d

      Download Submit

    • C:\Program Files (x86)\Adobe Acrobat DC OCR Fix\Adobe Acrobat DC OCR Fix\Adobe Acrobat DC OCR Fix.exe
      Filesize

      78.9MB

      MD5

      c79bd426892455c5940558ed35d1c31d

      SHA1

      c20cc903f5448ed529fdc432f76f292bb129da3f

      SHA256

      80b49468a65d7d697a82dfd8c1666c030b98b86d9b1ffe6e686dd44e2cb526ef

      SHA512

      281adf9b580a75be96d01da9944d8984154ab5a3ce270173ce2ba4daec427374787f80e333a745d942c5eb8a0ae9d7682e36ab83558ac996bc178b82ee68321d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI9AEE.tmp
      Filesize

      378KB

      MD5

      0981d5c068a9c33f4e8110f81ffbb92e

      SHA1

      badb871adf6f24aba6923b9b21b211cea2aeca77

      SHA256

      b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

      SHA512

      59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI9AEE.tmp
      Filesize

      378KB

      MD5

      0981d5c068a9c33f4e8110f81ffbb92e

      SHA1

      badb871adf6f24aba6923b9b21b211cea2aeca77

      SHA256

      b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

      SHA512

      59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Adobe Acrobat DC OCR Fix\Adobe Acrobat DC OCR Fix 1.0.0\install\Adobe Acrobat DC OCR Fix.msi
      Filesize

      1.5MB

      MD5

      ad90c85e5ffeb58971681af0b8f957e7

      SHA1

      5da0606d3bfee71dd6b715bdb5bb6f01390309f2

      SHA256

      61230bdd7f8e5b5bb1238a4769c313195034e62041b39a35efec046a4911002e

      SHA512

      efbc9e56424740297f80a2ffa285736bf37c65b1d8397afa8b6c294558a313e3a706de4448067e67bac12ebb30e19b2b0fbc60ea22868cdd278b43bdade915f4

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Adobe Acrobat DC OCR Fix\Adobe Acrobat DC OCR Fix 1.0.0\install\Adobe Acrobat DC OCR Fix1.cab
      Filesize

      106.1MB

      MD5

      37e49cb56995f022efb42b4257c06226

      SHA1

      db8c5e5cddea5d176f6d3449c3efb9682f7929ec

      SHA256

      4393dd38e12e603822f948f3372e33231657170459470ab5a1eccd74b6ff8e0d

      SHA512

      4f3847ad181597408e07c71b194a53a47911565e2ba50867ca4157ff00b74ec0dcc90b2b4a01956ed18420fc4513b310925ca601a7bd4906b4c023ee74198f49

      Download Submit

    • C:\Users\Admin\AppData\Roaming\WindowsActiveServices\PatchFix.exe
      Filesize

      410KB

      MD5

      49fe4d0ff69682f4ed74f16cf6257cc6

      SHA1

      9b9780a98637bfd2938fde3a4e22c3d20602acb4

      SHA256

      0a7dfe1887ddf815a120858594159c63ae7b218690c94ce30c32752c74398bb8

      SHA512

      840b33b5e1d1277892b6b5cfb31aa6972a0d4518c3fa61ebd74678f5593d7a9de7c99fe3ac9d6df259bf532bd354620bd889290c826d058376824063b76b0bc1

      Download Submit

    • C:\Users\Admin\AppData\Roaming\WindowsActiveServices\PatchFix.exe
      Filesize

      410KB

      MD5

      49fe4d0ff69682f4ed74f16cf6257cc6

      SHA1

      9b9780a98637bfd2938fde3a4e22c3d20602acb4

      SHA256

      0a7dfe1887ddf815a120858594159c63ae7b218690c94ce30c32752c74398bb8

      SHA512

      840b33b5e1d1277892b6b5cfb31aa6972a0d4518c3fa61ebd74678f5593d7a9de7c99fe3ac9d6df259bf532bd354620bd889290c826d058376824063b76b0bc1

      Download Submit

    • C:\Users\Admin\AppData\Roaming\WindowsServices\WindowsServices.exe
      Filesize

      1.2MB

      MD5

      b27e75867100b7f34b35cf147b7ce92e

      SHA1

      e1b51e321d8a5595cc0382198a6ab34c98924194

      SHA256

      7304e4710381b20058acc561ff7a36df7e2ce614e8d8e045452bbfaec9f1ab6e

      SHA512

      b71ba509772548d94d7a31685527f454ffc12380fa1537ef133140ece9f67d9070d21497b5694adbe405c528bb83266409053f754a437cde9caf361797318773

      Download Submit

    • C:\Users\Admin\AppData\Roaming\WindowsServices\WindowsServices.exe
      Filesize

      1.2MB

      MD5

      b27e75867100b7f34b35cf147b7ce92e

      SHA1

      e1b51e321d8a5595cc0382198a6ab34c98924194

      SHA256

      7304e4710381b20058acc561ff7a36df7e2ce614e8d8e045452bbfaec9f1ab6e

      SHA512

      b71ba509772548d94d7a31685527f454ffc12380fa1537ef133140ece9f67d9070d21497b5694adbe405c528bb83266409053f754a437cde9caf361797318773

      Download Submit

    • C:\Windows\Installer\MSI2764.tmp
      Filesize

      381KB

      MD5

      88a4962643af83785b80ea15fe74e860

      SHA1

      d061c3d6cc1286626f76443591594580bac7c0c6

      SHA256

      c8e5d349d9f6f3b5f20e5d5a0c5315c882d2afcedb21abe66cff00c1a57fd91e

      SHA512

      015de66204dfff71f284ec0df58107e6a6ec20326cd75183a8aa49d7095184b85f78503a3a16e86d999b4720e0c2380d661395416b4be2e6346fc8488065a9c8

      Download Submit

    • C:\Windows\Installer\MSI4E2.tmp
      Filesize

      378KB

      MD5

      0981d5c068a9c33f4e8110f81ffbb92e

      SHA1

      badb871adf6f24aba6923b9b21b211cea2aeca77

      SHA256

      b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

      SHA512

      59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

      Download Submit

    • C:\Windows\Installer\MSI4E2.tmp
      Filesize

      378KB

      MD5

      0981d5c068a9c33f4e8110f81ffbb92e

      SHA1

      badb871adf6f24aba6923b9b21b211cea2aeca77

      SHA256

      b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

      SHA512

      59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

      Download Submit

    • C:\Windows\Installer\MSI56F.tmp
      Filesize

      378KB

      MD5

      0981d5c068a9c33f4e8110f81ffbb92e

      SHA1

      badb871adf6f24aba6923b9b21b211cea2aeca77

      SHA256

      b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

      SHA512

      59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

      Download Submit

    • C:\Windows\Installer\MSI56F.tmp
      Filesize

      378KB

      MD5

      0981d5c068a9c33f4e8110f81ffbb92e

      SHA1

      badb871adf6f24aba6923b9b21b211cea2aeca77

      SHA256

      b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

      SHA512

      59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

      Download Submit

    • C:\Windows\Installer\MSI5DE.tmp
      Filesize

      378KB

      MD5

      0981d5c068a9c33f4e8110f81ffbb92e

      SHA1

      badb871adf6f24aba6923b9b21b211cea2aeca77

      SHA256

      b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

      SHA512

      59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

      Download Submit

    • C:\Windows\Installer\MSI5DE.tmp
      Filesize

      378KB

      MD5

      0981d5c068a9c33f4e8110f81ffbb92e

      SHA1

      badb871adf6f24aba6923b9b21b211cea2aeca77

      SHA256

      b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

      SHA512

      59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

      Download Submit

    • C:\Windows\Installer\MSI60E.tmp
      Filesize

      378KB

      MD5

      0981d5c068a9c33f4e8110f81ffbb92e

      SHA1

      badb871adf6f24aba6923b9b21b211cea2aeca77

      SHA256

      b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

      SHA512

      59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

      Download Submit

    • C:\Windows\Installer\MSI60E.tmp
      Filesize

      378KB

      MD5

      0981d5c068a9c33f4e8110f81ffbb92e

      SHA1

      badb871adf6f24aba6923b9b21b211cea2aeca77

      SHA256

      b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

      SHA512

      59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

      Download Submit

    • C:\Windows\Installer\MSI62E.tmp
      Filesize

      567KB

      MD5

      5f1b243813a203c66ba735139d8ce0c7

      SHA1

      c60a57668d348a61e4e2f12115afb9f9024162ba

      SHA256

      52d5b228221cd5276e4ee2a038e0ce0cf494d5af9c23ac45dcbfadc3115c8cb2

      SHA512

      083c6d1af44847db4b6fb90349234128141a838d1d438d5c24f5063539a8087f0814d06cfa162aeace20e162292f64c7635b4a0e81b2ca972706cfbc484adfb5

      Download Submit

    • C:\Windows\Installer\MSI62E.tmp
      Filesize

      567KB

      MD5

      5f1b243813a203c66ba735139d8ce0c7

      SHA1

      c60a57668d348a61e4e2f12115afb9f9024162ba

      SHA256

      52d5b228221cd5276e4ee2a038e0ce0cf494d5af9c23ac45dcbfadc3115c8cb2

      SHA512

      083c6d1af44847db4b6fb90349234128141a838d1d438d5c24f5063539a8087f0814d06cfa162aeace20e162292f64c7635b4a0e81b2ca972706cfbc484adfb5

      Download Submit

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      23.0MB

      MD5

      964a525a526897a5b3af9f6423491d1f

      SHA1

      d17cc44cbb63a60eebddb28a43b78c29f6da34fb

      SHA256

      30036fa002b29aba01326402deaa8b6bdec44451a771e7ce20b28329f59d20db

      SHA512

      49686f5bde40cfad18510200b8db77a1e4438bb0f6dfbbc3825e2a49ab1a5ce5a4577ffd0305dd0a1ec585aa8c31f34cb3c64f60d1bea1c773acaa706477cd89

      Download Submit

    • \??\Volume{d26ecb05-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b05d00d5-9aad-4d73-b57d-a28cbcbe0b16}_OnDiskSnapshotProp
      Filesize

      5KB

      MD5

      597e642cb616c0fa8925bea45c0c1315

      SHA1

      816c118d7ff5137c7374334dc07255f0d5a89e82

      SHA256

      f69cb4106e5e1ff70286d154f5e0ac0044884bb4b8e83c33f05a3fce4115f27b

      SHA512

      dc68464e54f40f5e3ec91263e369c6d06fdb7bce61ab29cafec05ffacf89c890083de07411fca653fa70058e7b91c1d968e3ffaa51b51421ab9c33f55ef647ad

      Download Submit

    • memory/1208-158-0x0000000000400000-0x0000000000408000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1208-159-0x0000000005380000-0x000000000541C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3924-170-0x0000000004E60000-0x0000000004E82000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3924-169-0x00000000000E0000-0x0000000000222000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/4576-177-0x0000000008C40000-0x0000000008E02000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4576-180-0x00000000066F0000-0x0000000006740000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4576-179-0x0000000006670000-0x00000000066E6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4576-173-0x00000000058C0000-0x0000000005ED8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4576-178-0x0000000009720000-0x0000000009C4C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4576-176-0x0000000005370000-0x00000000053AC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4576-172-0x0000000000400000-0x000000000045A000-memory.dmp

      Filesize

      360KB

      Download

    • memory/4576-175-0x0000000005310000-0x0000000005322000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4576-174-0x00000000053F0000-0x00000000054FA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4612-154-0x0000000036EC0000-0x0000000036F26000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4612-153-0x0000000000850000-0x00000000008BC000-memory.dmp

      Filesize

      432KB

      Download

    • memory/4612-155-0x00000000376D0000-0x0000000037762000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4612-156-0x0000000037D20000-0x00000000382C4000-memory.dmp

      Filesize

      5.6MB

      Download