redline | 9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07-05-2023 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fadc9824c68402143239f764c99bb82d.msi
Size

2.2MB
MD5

fadc9824c68402143239f764c99bb82d
SHA1

7eb72321c2c1e25b11c9d44229af22a179e27ce8
SHA256

9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5
SHA512

916b9b9836d5003193cf4f52c501a90ba16f18ca13a05325f9e11a6ee9d05b927013c09524757f33efd153c0e1d25648233e79f9a8eaa81fd69ed79282268ef6
SSDEEP

49152:NMU9FgsN+TXYr+LrUcdEL9MklhGUWhe8u/g1PQNPEUI:6gFPgYrordG9t0lepg1P2XI

Score

10^/10

redline infostealer stealer

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral1/memory/1800-89-0x000000001B150000-0x000000001B432000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 1 IoCs

pid	Process
1752	readerdc64.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\6cb378.msi	msiexec.exe
File created	C:\Windows\Installer\6cb379.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB5AA.tmp	msiexec.exe
File created	C:\Windows\Installer\6cb37b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6cb379.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\6cb378.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	readerdc64.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	readerdc64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	readerdc64.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1592	msiexec.exe
1592	msiexec.exe
1800	powershell.exe
1800	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1684	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1684	msiexec.exe
Token: SeRestorePrivilege	1592	msiexec.exe
Token: SeTakeOwnershipPrivilege	1592	msiexec.exe
Token: SeSecurityPrivilege	1592	msiexec.exe
Token: SeCreateTokenPrivilege	1684	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1684	msiexec.exe
Token: SeLockMemoryPrivilege	1684	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1684	msiexec.exe
Token: SeMachineAccountPrivilege	1684	msiexec.exe
Token: SeTcbPrivilege	1684	msiexec.exe
Token: SeSecurityPrivilege	1684	msiexec.exe
Token: SeTakeOwnershipPrivilege	1684	msiexec.exe
Token: SeLoadDriverPrivilege	1684	msiexec.exe
Token: SeSystemProfilePrivilege	1684	msiexec.exe
Token: SeSystemtimePrivilege	1684	msiexec.exe
Token: SeProfSingleProcessPrivilege	1684	msiexec.exe
Token: SeIncBasePriorityPrivilege	1684	msiexec.exe
Token: SeCreatePagefilePrivilege	1684	msiexec.exe
Token: SeCreatePermanentPrivilege	1684	msiexec.exe
Token: SeBackupPrivilege	1684	msiexec.exe
Token: SeRestorePrivilege	1684	msiexec.exe
Token: SeShutdownPrivilege	1684	msiexec.exe
Token: SeDebugPrivilege	1684	msiexec.exe
Token: SeAuditPrivilege	1684	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1684	msiexec.exe
Token: SeChangeNotifyPrivilege	1684	msiexec.exe
Token: SeRemoteShutdownPrivilege	1684	msiexec.exe
Token: SeUndockPrivilege	1684	msiexec.exe
Token: SeSyncAgentPrivilege	1684	msiexec.exe
Token: SeEnableDelegationPrivilege	1684	msiexec.exe
Token: SeManageVolumePrivilege	1684	msiexec.exe
Token: SeImpersonatePrivilege	1684	msiexec.exe
Token: SeCreateGlobalPrivilege	1684	msiexec.exe
Token: SeBackupPrivilege	1740	vssvc.exe
Token: SeRestorePrivilege	1740	vssvc.exe
Token: SeAuditPrivilege	1740	vssvc.exe
Token: SeBackupPrivilege	1592	msiexec.exe
Token: SeRestorePrivilege	1592	msiexec.exe
Token: SeRestorePrivilege	608	DrvInst.exe
Token: SeRestorePrivilege	608	DrvInst.exe
Token: SeRestorePrivilege	608	DrvInst.exe
Token: SeRestorePrivilege	608	DrvInst.exe
Token: SeRestorePrivilege	608	DrvInst.exe
Token: SeRestorePrivilege	608	DrvInst.exe
Token: SeRestorePrivilege	608	DrvInst.exe
Token: SeLoadDriverPrivilege	608	DrvInst.exe
Token: SeLoadDriverPrivilege	608	DrvInst.exe
Token: SeLoadDriverPrivilege	608	DrvInst.exe
Token: SeRestorePrivilege	1592	msiexec.exe
Token: SeTakeOwnershipPrivilege	1592	msiexec.exe
Token: SeRestorePrivilege	1592	msiexec.exe
Token: SeTakeOwnershipPrivilege	1592	msiexec.exe
Token: SeRestorePrivilege	1592	msiexec.exe
Token: SeTakeOwnershipPrivilege	1592	msiexec.exe
Token: SeRestorePrivilege	1592	msiexec.exe
Token: SeTakeOwnershipPrivilege	1592	msiexec.exe
Token: SeRestorePrivilege	1592	msiexec.exe
Token: SeTakeOwnershipPrivilege	1592	msiexec.exe
Token: SeRestorePrivilege	1592	msiexec.exe
Token: SeTakeOwnershipPrivilege	1592	msiexec.exe
Token: SeRestorePrivilege	1592	msiexec.exe
Token: SeTakeOwnershipPrivilege	1592	msiexec.exe
Token: SeRestorePrivilege	1592	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1684	msiexec.exe
1684	msiexec.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1752	readerdc64.exe
1752	readerdc64.exe
1752	readerdc64.exe
1752	readerdc64.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 1800	1592	msiexec.exe	31
PID 1592 wrote to memory of 1800	1592	msiexec.exe	31
PID 1592 wrote to memory of 1800	1592	msiexec.exe	31
PID 1592 wrote to memory of 1752	1592	msiexec.exe	33
PID 1592 wrote to memory of 1752	1592	msiexec.exe	33
PID 1592 wrote to memory of 1752	1592	msiexec.exe	33
PID 1592 wrote to memory of 1752	1592	msiexec.exe	33
PID 1800 wrote to memory of 1556	1800	powershell.exe	35
PID 1800 wrote to memory of 1556	1800	powershell.exe	35
PID 1800 wrote to memory of 1556	1800	powershell.exe	35
PID 1556 wrote to memory of 1992	1556	csc.exe	36
PID 1556 wrote to memory of 1992	1556	csc.exe	36
PID 1556 wrote to memory of 1992	1556	csc.exe	36

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\fadc9824c68402143239f764c99bb82d.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1684

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ad.ps1"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\6eybcdc_.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC1EA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC1E9.tmp"
      4⤵
      PID:1992
- C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe
  "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  PID:1752

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003B8" "0000000000000334"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\6cb37a.rbs

Filesize
7KB

MD5
87c8eec751fd76dedeb7097596de4111

SHA1
8cea7c8052901327ca45d3ca96fe2d1ebc9ae4fe

SHA256
f23b1203d9f2dab1d74aefb0e9128059fbbe470b89ce661c18f2962a72d705ba

SHA512
551c03fa3a6e106943800e07b6a4746fcc73ae50b24757afd4c04b363b41a58ff2b5a19a38a51172cf60254741b1a240d394e1b46984a2967a87c1a10d1865d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\6eybcdc_.dll

Filesize
3KB

MD5
13e8d83263229cf982c12a9be6ddf777

SHA1
03df9cd099bb04629a74eaa4d910130ec0210764

SHA256
ae0db6e61573f4d3c7fc366388a5583ca6ea00afef78c409603dd0343c37fd6c

SHA512
2e7fdf61dd981de0faaadbc7a0384227d6aada50c98d6e5cf842c91c720799deeed90e81500cb1ce5b893592af8dc3e34fe5cadc1343fe9bbc3aec58bb9d72eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\6eybcdc_.pdb

Filesize
7KB

MD5
2d57e29d4593de235af4b269b7fbfcb1

SHA1
447506bd06ddb9fcf2e3aa42b62a9041c33d1526

SHA256
2865e3c33b2b864a14b8c01e7ba672f72de018702a34f6e094c1f71afa4dd3cc

SHA512
8b600829d6dacf00b48b5fb177cd40c28ec6b83e389878b0b3a8fe4615d047c00f83d38c36aac933b06d0bd49ad678a5326907172850f419e8df5a67ff4a0abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ad.ps1

Filesize
2.2MB

MD5
4e0e85a590f4972732f1f0de81aa5507

SHA1
8e1bcab1ac25c59c1203d808f04b53b1db5fd7eb

SHA256
bde15453821fff0d2ed08a8c10885c9ab4ec1ccc6b4b23a41e9e324e4e80a195

SHA512
2b874cf59cdc7298b7fcf6712db3ec4013fcd87b7c7bb44400a789821b35bc57e3ff4e98ccfe93bc4cb420d25b2d3e6967eab2e98abf43bb16543f454cef8953

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe

Filesize
1.2MB

MD5
eb17c8572700a9b7bbfb6c1142ad443e

SHA1
74022bd63cf919ac44af0dcbe0e4c14756c34b2e

SHA256
302b598ae57ca91ba4b4b59e926f2e07a073ab9afcb98eccde02f5e84cdfef52

SHA512
e7660219d815bc40741fd6737c092c8f442ebbec4f18981fbf261a269c4e2e162dc0349f76eb7b03a78529021fdab9b84322de7683685ab5d512ac7b4a5a63b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe

Filesize
1.2MB

MD5
eb17c8572700a9b7bbfb6c1142ad443e

SHA1
74022bd63cf919ac44af0dcbe0e4c14756c34b2e

SHA256
302b598ae57ca91ba4b4b59e926f2e07a073ab9afcb98eccde02f5e84cdfef52

SHA512
e7660219d815bc40741fd6737c092c8f442ebbec4f18981fbf261a269c4e2e162dc0349f76eb7b03a78529021fdab9b84322de7683685ab5d512ac7b4a5a63b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC1EA.tmp

Filesize
1KB

MD5
96ac3f2614b2594ec8129a4d92d66ef8

SHA1
79e81a71c858ddecafd18624368241e1422d57ed

SHA256
5396203e02ea1d60acce354a810df56959a1f211149d274c32b3e22c656ed549

SHA512
9e2542aa53d729df660cdfe974eac12b06aa2c5aa1f96c83012486c058c5de5e15155d493111d8ec10051aa7770ab62290d2332d6b03f6ba1ba9a440a9e58171

Download Submit
C:\Windows\Installer\6cb378.msi

Filesize
2.2MB

MD5
fadc9824c68402143239f764c99bb82d

SHA1
7eb72321c2c1e25b11c9d44229af22a179e27ce8

SHA256
9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5

SHA512
916b9b9836d5003193cf4f52c501a90ba16f18ca13a05325f9e11a6ee9d05b927013c09524757f33efd153c0e1d25648233e79f9a8eaa81fd69ed79282268ef6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\6eybcdc_.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\6eybcdc_.cmdline

Filesize
309B

MD5
e3cea5fc93389676eca2d69b116a7a49

SHA1
dcf2ff392b1311f1556134fe251217e270aaab10

SHA256
5379020f7c08418cc660707feca66dc4661d4c637dbd366fa2b9eb058ccda21a

SHA512
c88bb709ec3761c8e722fccfa3c003952d0fdea81d4758e9de59f6868a76b461b49f85845578f2f8edde93e2f7c9e2d8d0fc8974b364141d4a9b0f7714be9795

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCC1E9.tmp

Filesize
652B

MD5
f56ac4103dbd585b662348ab0e892c76

SHA1
bd3237c007c0156121a526f6a6e63c6aadb3225c

SHA256
cb217ff62a3148d34f53ec2c370bed00cdc74210b93f652ee25639a620d23f52

SHA512
b6056f2b045d0102d94421291912fc82abf7f23245f5aea6e9eb3e7f61cfdbd3ee49708601293c7cac99afad70c1e2186e5190e092e94a4a3894519b8d71a333

Download Submit
memory/1752-163-0x00000000002A0000-0x00000000006D9000-memory.dmp

Filesize
4.2MB

Download
memory/1752-168-0x00000000002A0000-0x00000000006D9000-memory.dmp

Filesize
4.2MB

Download
memory/1752-92-0x00000000000F0000-0x00000000000F3000-memory.dmp

Filesize
12KB

Download
memory/1752-178-0x00000000002A0000-0x00000000006D9000-memory.dmp

Filesize
4.2MB

Download
memory/1752-80-0x00000000002A0000-0x00000000006D9000-memory.dmp

Filesize
4.2MB

Download
memory/1800-89-0x000000001B150000-0x000000001B432000-memory.dmp

Filesize
2.9MB

Download
memory/1800-110-0x000000001B600000-0x000000001B608000-memory.dmp

Filesize
32KB

Download
memory/1800-94-0x00000000026B0000-0x0000000002730000-memory.dmp

Filesize
512KB

Download
memory/1800-95-0x00000000026B0000-0x0000000002730000-memory.dmp

Filesize
512KB

Download
memory/1800-93-0x00000000026B0000-0x0000000002730000-memory.dmp

Filesize
512KB

Download
memory/1800-90-0x0000000002650000-0x0000000002658000-memory.dmp

Filesize
32KB

Download