Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    57s
  • max time network
    114s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    27-08-2021 14:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2bc19a1a48254b0ce6a30f471c0e870ceff05ef8ab66ce5d9bb4ecae869d3b10.exe

  • Size

    1.3MB

  • MD5

    58a192c56eff7d48740607232cea9d49

  • SHA1

    6bde1b43b0eabaa2151f5126c102eb3cc5dbb693

  • SHA256

    2bc19a1a48254b0ce6a30f471c0e870ceff05ef8ab66ce5d9bb4ecae869d3b10

  • SHA512

    cf97dfe3d719f05d0bbbeaf78d8e26cfe3234480e1ef98c1888b2bd316d04777c022f78d09b64f079d07a22520e7df3dc3b5eeba21346ac1f6b1eb464f78beff

Score
10/10
redlineproliv2evasioninfostealerspywaretrojan

Malware Config

Extracted

Family

redline

Botnet

proliv2

C2

136.243.65.8:48715

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • Turns off Windows Defender SpyNet reporting 2 TTPs
    evasion
  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Nirsoft 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 10 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\2bc19a1a48254b0ce6a30f471c0e870ceff05ef8ab66ce5d9bb4ecae869d3b10.exe
    "C:\Users\Admin\AppData\Local\Temp\2bc19a1a48254b0ce6a30f471c0e870ceff05ef8ab66ce5d9bb4ecae869d3b10.exe"
    1⤵
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3156
    • C:\Users\Admin\AppData\Local\Temp\362fc185-f4d7-4119-9aa0-713fc1e2c72e\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\362fc185-f4d7-4119-9aa0-713fc1e2c72e\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\362fc185-f4d7-4119-9aa0-713fc1e2c72e\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3984
      • C:\Users\Admin\AppData\Local\Temp\362fc185-f4d7-4119-9aa0-713fc1e2c72e\AdvancedRun.exe
        "C:\Users\Admin\AppData\Local\Temp\362fc185-f4d7-4119-9aa0-713fc1e2c72e\AdvancedRun.exe" /SpecialRun 4101d8 3984
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3592
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2bc19a1a48254b0ce6a30f471c0e870ceff05ef8ab66ce5d9bb4ecae869d3b10.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3668
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2bc19a1a48254b0ce6a30f471c0e870ceff05ef8ab66ce5d9bb4ecae869d3b10.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3300
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      2⤵
        PID:1676
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe
        2⤵
          PID:2008
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4044

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Bypass User Account Control

      1
      T1088

      Defense Evasion

      Disabling Security Tools

      4
      T1089

      Modify Registry

      5
      T1112

      Bypass User Account Control

      1
      T1088

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        MD5

        de3a1421016396945990b7cfc699278b

        SHA1

        e79974b73347789f76acf45e3a301c14b8db621c

        SHA256

        e9895f70aa116d0e1116445a497fcad40e516fa7478bdb58114450d40789b3a4

        SHA512

        facf9ae37fb7e5bdc8e00f4d4c5b41a79e433857cb9f595ad31cff588fb4c0c316032e77b5f814886d91cce33939fd398a84678fc52a26524ad85bb566cc7722

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\362fc185-f4d7-4119-9aa0-713fc1e2c72e\AdvancedRun.exe
        MD5

        17fc12902f4769af3a9271eb4e2dacce

        SHA1

        9a4a1581cc3971579574f837e110f3bd6d529dab

        SHA256

        29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

        SHA512

        036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\362fc185-f4d7-4119-9aa0-713fc1e2c72e\AdvancedRun.exe
        MD5

        17fc12902f4769af3a9271eb4e2dacce

        SHA1

        9a4a1581cc3971579574f837e110f3bd6d529dab

        SHA256

        29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

        SHA512

        036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\362fc185-f4d7-4119-9aa0-713fc1e2c72e\AdvancedRun.exe
        MD5

        17fc12902f4769af3a9271eb4e2dacce

        SHA1

        9a4a1581cc3971579574f837e110f3bd6d529dab

        SHA256

        29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

        SHA512

        036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

        Download Submit
      • memory/3156-114-0x00000000002D0000-0x00000000002D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3156-118-0x0000000004E10000-0x0000000004E82000-memory.dmp
        Filesize

        456KB

        Download
      • memory/3156-117-0x0000000004C70000-0x0000000004C71000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3156-122-0x0000000004C70000-0x000000000516E000-memory.dmp
        Filesize

        5.0MB

        Download
      • memory/3156-116-0x0000000005170000-0x0000000005171000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3156-119-0x0000000004F40000-0x0000000004F41000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3300-127-0x0000000000000000-mapping.dmp
        Download
      • memory/3300-154-0x00000000049D2000-0x00000000049D3000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3300-254-0x00000000049D3000-0x00000000049D4000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3300-134-0x0000000007420000-0x0000000007421000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3300-213-0x0000000009820000-0x0000000009821000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3300-212-0x000000007F230000-0x000000007F231000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3300-209-0x0000000009650000-0x0000000009651000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3300-144-0x0000000007AD0000-0x0000000007AD1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3300-199-0x00000000094E0000-0x00000000094E1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3300-151-0x00000000049D0000-0x00000000049D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3592-124-0x0000000000000000-mapping.dmp
        Download
      • memory/3668-126-0x0000000000000000-mapping.dmp
        Download
      • memory/3668-132-0x00000000045C0000-0x00000000045C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3668-156-0x0000000007B00000-0x0000000007B01000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3668-155-0x00000000045B2000-0x00000000045B3000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3668-683-0x0000000008F00000-0x0000000008F01000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3668-150-0x0000000007A90000-0x0000000007A91000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3668-147-0x00000000078C0000-0x00000000078C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3668-251-0x00000000045B3000-0x00000000045B4000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3668-211-0x000000007F160000-0x000000007F161000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3668-160-0x0000000007850000-0x0000000007851000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3668-166-0x00000000081D0000-0x00000000081D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3668-148-0x00000000045B0000-0x00000000045B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3668-185-0x0000000008E80000-0x0000000008EB3000-memory.dmp
        Filesize

        204KB

        Download
      • memory/3984-120-0x0000000000000000-mapping.dmp
        Download
      • memory/4044-170-0x00000000093A0000-0x00000000099A6000-memory.dmp
        Filesize

        6.0MB

        Download
      • memory/4044-143-0x00000000099B0000-0x00000000099B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4044-159-0x00000000094E0000-0x00000000094E1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4044-137-0x000000000041A68E-mapping.dmp
        Download
      • memory/4044-136-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize

        128KB

        Download
      • memory/4044-158-0x00000000094A0000-0x00000000094A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4044-146-0x0000000009440000-0x0000000009441000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4044-357-0x000000000A9F0000-0x000000000A9F1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4044-358-0x000000000B0F0000-0x000000000B0F1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4044-448-0x000000000AF60000-0x000000000AF61000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4044-152-0x0000000009570000-0x0000000009571000-memory.dmp
        Filesize

        4KB

        Download