redline | 9fb4b0494ce8e71c1af8bc538895731ea6da666d8efe405182baa3328aff9966

Analysis

max time kernel
151s
max time network
156s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05/05/2023, 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IContratoQK.msi
Size

6.9MB
MD5

923ec566997f9c002d9cf7397c79eb4a
SHA1

2bea51e5e6ab96a4669e34a903e30a4b97580e46
SHA256

9fb4b0494ce8e71c1af8bc538895731ea6da666d8efe405182baa3328aff9966
SHA512

79b1f04d66d1a2b237d57c2f341dbec2e2c41df8089ef38f1f402e6b77d91224a620b6c6c424742d7f7460f5fe60aaaaaed3e3020376d514eb49df2b56eb6e35
SSDEEP

196608:vSc73CzEFE2cseSF2fFpuUaMo8zcdKmGZA+:KI3CzSE2BXFBUaw9/

Score

10^/10

redline infostealer stealer

Malware Config

Signatures

Detects Redline Stealer samples 8 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral1/files/0x0008000000012310-82.dat	redline_stealer
behavioral1/memory/1788-85-0x0000000003350000-0x0000000003989000-memory.dmp	redline_stealer
behavioral1/files/0x0008000000012310-83.dat	redline_stealer
behavioral1/memory/1788-88-0x0000000003350000-0x0000000003989000-memory.dmp	redline_stealer
behavioral1/memory/1788-216-0x0000000003350000-0x0000000003989000-memory.dmp	redline_stealer
behavioral1/memory/1788-279-0x0000000003350000-0x0000000003989000-memory.dmp	redline_stealer
behavioral1/memory/1788-298-0x0000000003350000-0x0000000003989000-memory.dmp	redline_stealer
behavioral1/memory/1788-299-0x0000000003350000-0x0000000003989000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 1 IoCs

pid	Process
1788	Glys.exe

Loads dropped DLL 3 IoCs

pid	Process
808	MsiExec.exe
808	MsiExec.exe
1788	Glys.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI1834.tmp	msiexec.exe
File created	C:\Windows\Installer\6c1596.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF25D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6c1596.ipi	msiexec.exe
File created	C:\Windows\Installer\6c1594.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6c1594.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1630.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Glys.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Glys.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Glys.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Glys.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Glys.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Glys.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1252	msiexec.exe
1252	msiexec.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1560	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1560	msiexec.exe
Token: SeRestorePrivilege	1252	msiexec.exe
Token: SeTakeOwnershipPrivilege	1252	msiexec.exe
Token: SeSecurityPrivilege	1252	msiexec.exe
Token: SeCreateTokenPrivilege	1560	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1560	msiexec.exe
Token: SeLockMemoryPrivilege	1560	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1560	msiexec.exe
Token: SeMachineAccountPrivilege	1560	msiexec.exe
Token: SeTcbPrivilege	1560	msiexec.exe
Token: SeSecurityPrivilege	1560	msiexec.exe
Token: SeTakeOwnershipPrivilege	1560	msiexec.exe
Token: SeLoadDriverPrivilege	1560	msiexec.exe
Token: SeSystemProfilePrivilege	1560	msiexec.exe
Token: SeSystemtimePrivilege	1560	msiexec.exe
Token: SeProfSingleProcessPrivilege	1560	msiexec.exe
Token: SeIncBasePriorityPrivilege	1560	msiexec.exe
Token: SeCreatePagefilePrivilege	1560	msiexec.exe
Token: SeCreatePermanentPrivilege	1560	msiexec.exe
Token: SeBackupPrivilege	1560	msiexec.exe
Token: SeRestorePrivilege	1560	msiexec.exe
Token: SeShutdownPrivilege	1560	msiexec.exe
Token: SeDebugPrivilege	1560	msiexec.exe
Token: SeAuditPrivilege	1560	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1560	msiexec.exe
Token: SeChangeNotifyPrivilege	1560	msiexec.exe
Token: SeRemoteShutdownPrivilege	1560	msiexec.exe
Token: SeUndockPrivilege	1560	msiexec.exe
Token: SeSyncAgentPrivilege	1560	msiexec.exe
Token: SeEnableDelegationPrivilege	1560	msiexec.exe
Token: SeManageVolumePrivilege	1560	msiexec.exe
Token: SeImpersonatePrivilege	1560	msiexec.exe
Token: SeCreateGlobalPrivilege	1560	msiexec.exe
Token: SeRestorePrivilege	1252	msiexec.exe
Token: SeTakeOwnershipPrivilege	1252	msiexec.exe
Token: SeRestorePrivilege	1252	msiexec.exe
Token: SeTakeOwnershipPrivilege	1252	msiexec.exe
Token: SeRestorePrivilege	1252	msiexec.exe
Token: SeTakeOwnershipPrivilege	1252	msiexec.exe
Token: SeRestorePrivilege	1252	msiexec.exe
Token: SeTakeOwnershipPrivilege	1252	msiexec.exe
Token: SeRestorePrivilege	1252	msiexec.exe
Token: SeTakeOwnershipPrivilege	1252	msiexec.exe
Token: SeRestorePrivilege	1252	msiexec.exe
Token: SeTakeOwnershipPrivilege	1252	msiexec.exe
Token: SeRestorePrivilege	1252	msiexec.exe
Token: SeTakeOwnershipPrivilege	1252	msiexec.exe
Token: SeRestorePrivilege	1252	msiexec.exe
Token: SeTakeOwnershipPrivilege	1252	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1560	msiexec.exe
1560	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 808	1252	msiexec.exe	29
PID 1252 wrote to memory of 808	1252	msiexec.exe	29
PID 1252 wrote to memory of 808	1252	msiexec.exe	29
PID 1252 wrote to memory of 808	1252	msiexec.exe	29
PID 1252 wrote to memory of 808	1252	msiexec.exe	29
PID 1252 wrote to memory of 808	1252	msiexec.exe	29
PID 1252 wrote to memory of 808	1252	msiexec.exe	29
PID 1252 wrote to memory of 1788	1252	msiexec.exe	30
PID 1252 wrote to memory of 1788	1252	msiexec.exe	30
PID 1252 wrote to memory of 1788	1252	msiexec.exe	30
PID 1252 wrote to memory of 1788	1252	msiexec.exe	30

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\IContratoQK.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1560

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 763C42B227205FD0D0D49F43A5248971
  2⤵
  - Loads dropped DLL
  PID:808
- C:\Users\Admin\Desktop\Quiz Press\Glys.exe
  "C:\Users\Admin\Desktop\Quiz Press\Glys.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  PID:1788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\6c1597.rbs

Filesize
2KB

MD5
d0a508c91d144b54b7b0852150902f80

SHA1
ad523050856490be29e8c32a2478752ec7621d22

SHA256
20e36118b64ca24f3dad208be14447b9e2d9826d9e187ff4ce5510661e43347e

SHA512
a8ee820875ca1988f6d22eb307ca0aa1cb484b1585c6398b8f07c3666af387c22c7a63d6097175a9c83ab2194773e0e679dcd8b51ae1e5628970991eceda2591

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
c24ee168284b22e37ac28ee395af8835

SHA1
2d215c1a50b54ecd9e6f5e2fd48097c5fe223f4c

SHA256
f4669a397ac57be9dd61abab4569ce3fd57aae44d76568c8dd5df1216ca0a61a

SHA512
74a01171fd50e2e61c06cf0534d09ccacf82b826bce4fe0fbd2e8d5aabea35bf075f2f909177e4f5f2604ac5a8f17185720d18fad27330492387393010cab661

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab931E.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar95B5.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\Desktop\Quiz Press\Appearance Pak.dll

Filesize
6.2MB

MD5
d18a59943631dc69a000a12bc98bf74a

SHA1
9cf5e9646678e23cb35dfe502072abbc01bbc7ad

SHA256
8c807ed34e5469717b018547509faaaf458ce95bb09128b09b6eb2dbb233f212

SHA512
ae74e1d42688da04b6faab491dad3595dba39daedd8382d39d37297ea0a6477eed12907f745690c376c2b9a80a2748b9c9d1263dfe1c3cb60e599a50b692c2f1

Download Submit
C:\Users\Admin\Desktop\Quiz Press\Glys.exe

Filesize
11.5MB

MD5
a6f635fe42eecac68f9ca5ba3da1f3df

SHA1
aa7c90dee2ffc84fc2f4cd741651fa88c3db0c1c

SHA256
f7a6dc8bffe41e4aecc20de117d84cc192f8855c332e24a36ff5428d3efad8ad

SHA512
3df5c52eafef70d7c5deb6800d00450e34e8846f0f550bcff7cc84ccb21e27977de6d17f1696dacd19c522364cbe266628e43b8df29a221d174556b6bb399b4d

Download Submit
C:\Users\Admin\Desktop\Quiz Press\Glys.exe

Filesize
11.5MB

MD5
a6f635fe42eecac68f9ca5ba3da1f3df

SHA1
aa7c90dee2ffc84fc2f4cd741651fa88c3db0c1c

SHA256
f7a6dc8bffe41e4aecc20de117d84cc192f8855c332e24a36ff5428d3efad8ad

SHA512
3df5c52eafef70d7c5deb6800d00450e34e8846f0f550bcff7cc84ccb21e27977de6d17f1696dacd19c522364cbe266628e43b8df29a221d174556b6bb399b4d

Download Submit
C:\Windows\Installer\MSI1630.tmp

Filesize
91KB

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
C:\Windows\Installer\MSI1834.tmp

Filesize
91KB

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
\Users\Admin\Desktop\Quiz Press\Appearance Pak.dll

Filesize
6.2MB

MD5
d18a59943631dc69a000a12bc98bf74a

SHA1
9cf5e9646678e23cb35dfe502072abbc01bbc7ad

SHA256
8c807ed34e5469717b018547509faaaf458ce95bb09128b09b6eb2dbb233f212

SHA512
ae74e1d42688da04b6faab491dad3595dba39daedd8382d39d37297ea0a6477eed12907f745690c376c2b9a80a2748b9c9d1263dfe1c3cb60e599a50b692c2f1

Download Submit
\Windows\Installer\MSI1630.tmp

Filesize
91KB

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
\Windows\Installer\MSI1834.tmp

Filesize
91KB

MD5
9f1e5d66c2889018daef4aef604eebc4

SHA1
b80294261c8a1635e16e14f55a3d76889ff2c857

SHA256
02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222

SHA512
8f8cbba79d2b6541e8b603a4a395cb938d77c358563bd745449bfee107ee64b88254a79ca5dd72fa05798a75c1464e7cca52556829f258009a3d33c9c3c5d39b

Download Submit
memory/1788-88-0x0000000003350000-0x0000000003989000-memory.dmp

Filesize
6.2MB

Download
memory/1788-85-0x0000000003350000-0x0000000003989000-memory.dmp

Filesize
6.2MB

Download
memory/1788-84-0x0000000002400000-0x0000000002910000-memory.dmp

Filesize
5.1MB

Download
memory/1788-216-0x0000000003350000-0x0000000003989000-memory.dmp

Filesize
6.2MB

Download
memory/1788-279-0x0000000003350000-0x0000000003989000-memory.dmp

Filesize
6.2MB

Download
memory/1788-298-0x0000000003350000-0x0000000003989000-memory.dmp

Filesize
6.2MB

Download
memory/1788-299-0x0000000003350000-0x0000000003989000-memory.dmp

Filesize
6.2MB

Download
memory/1788-87-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download