Analysis
max time kernel: 150s
max time network: 134s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 07-05-2023 05:43
Static task: static1
Behavioral task: behavioral1
Sample: AdobePDFReader10.msi
Resource: win7-20230220-en
General
Target: AdobePDFReader10.msi
Size: 2.2MB
MD5: fadc9824c68402143239f764c99bb82d
SHA1: 7eb72321c2c1e25b11c9d44229af22a179e27ce8
SHA256: 9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5
SHA512: 916b9b9836d5003193cf4f52c501a90ba16f18ca13a05325f9e11a6ee9d05b927013c09524757f33efd153c0e1d25648233e79f9a8eaa81fd69ed79282268ef6
SSDEEP: 49152:NMU9FgsN+TXYr+LrUcdEL9MklhGUWhe8u/g1PQNPEUI:6gFPgYrordG9t0lepg1P2XI
Malware Config
Signatures
Detects Redline Stealer samples 1 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
resource yara_rule
behavioral1/memory/1228-89-0x000000001AF90000-0x000000001B272000-memory.dmp redline_stealer
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE 1 IoCs
pid Process
832 readerdc64.exe
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Windows directory 10 IoCs
description ioc Process
File created C:\Windows\Installer\6cb935.msi msiexec.exe
File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe
File opened for modification C:\Windows\Installer\ msiexec.exe
File created C:\Windows\Installer\6cb932.msi msiexec.exe
File opened for modification C:\Windows\Installer\6cb932.msi msiexec.exe
File created C:\Windows\Installer\6cb933.ipi msiexec.exe
File opened for modification C:\Windows\Installer\MSIBC6D.tmp msiexec.exe
File opened for modification C:\Windows\Installer\6cb933.ipi msiexec.exe
File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe
File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe
Modifies Internet Explorer settings
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main readerdc64.exe
Modifies data under HKEY_USERS 43 IoCs
Modifies system certificate store
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 readerdc64.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob readerdc64.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process
1980 msiexec.exe
1980 msiexec.exe
1228 powershell.exe
1228 powershell.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
1684 msiexec.exe
1684 msiexec.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process
832 readerdc64.exe
832 readerdc64.exe
832 readerdc64.exe
832 readerdc64.exe
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target
PID 1980 wrote to memory of 1228 1980 msiexec.exe 32
PID 1980 wrote to memory of 1228 1980 msiexec.exe 32
PID 1980 wrote to memory of 1228 1980 msiexec.exe 32
PID 1980 wrote to memory of 832 1980 msiexec.exe 34
PID 1980 wrote to memory of 832 1980 msiexec.exe 34
PID 1980 wrote to memory of 832 1980 msiexec.exe 34
PID 1980 wrote to memory of 832 1980 msiexec.exe 34
PID 1228 wrote to memory of 316 1228 powershell.exe 36
PID 1228 wrote to memory of 316 1228 powershell.exe 36
PID 1228 wrote to memory of 316 1228 powershell.exe 36
PID 316 wrote to memory of 2024 316 csc.exe 37
PID 316 wrote to memory of 2024 316 csc.exe 37
PID 316 wrote to memory of 2024 316 csc.exe 37
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\AdobePDFReader10.msi
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1684

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ad.ps1"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1228

        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fzzi4mlh.cmdline"
        - Suspicious use of WriteProcessMemory
        PID:316

            C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF91.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCF80.tmp"
            PID:2024

    C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe
    "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe"
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    PID:832

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003D4" "00000000000003C4"
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1020

Network
MITRE ATT&CK Enterprise v6
Downloads