Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    82s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    29-09-2021 11:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c5e23e7b15649c2d49b797eba7d7b83c76d661603e1b4bde412185eac2b81982.exe

  • Size

    309KB

  • MD5

    8baa6c1cadfa0a5b7a956e6c55d3d9d0

  • SHA1

    c219a61f1dad6eddc14f3fdb009eae8d76b58c85

  • SHA256

    c5e23e7b15649c2d49b797eba7d7b83c76d661603e1b4bde412185eac2b81982

  • SHA512

    56f2c867d8534beb520b92ee24debff7db17440e2ce6ac90aecf13607121c1d7ecfd6f97953a3f604d0794e491bda42988a4c76e01f8128756eacca6a3ac8f8c

Score
10/10
redlineabobadiscoveryevasioninfostealerspywarestealerthemidatrojan

Malware Config

Extracted

Family

redline

Botnet

aboba

C2

65.108.1.219:28593

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies data under HKEY_USERS 52 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5e23e7b15649c2d49b797eba7d7b83c76d661603e1b4bde412185eac2b81982.exe
    "C:\Users\Admin\AppData\Local\Temp\c5e23e7b15649c2d49b797eba7d7b83c76d661603e1b4bde412185eac2b81982.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:992
    • C:\Users\Admin\AppData\Local\Temp\filename.exe
      "C:\Users\Admin\AppData\Local\Temp\filename.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Drops startup file
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of WriteProcessMemory
      PID:2512
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\Data); $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\Systemd); $(New-Item -Path C:\ProgramData -Name checks.txt -ItemType file -Value 1); $(exit)
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1016
        • C:\ProgramData\UpSys.exe
          "C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1304
          • C:\ProgramData\UpSys.exe
            "C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:364
            • C:\ProgramData\UpSys.exe
              "C:\ProgramData\UpSys.exe" /TI/ /SW:0 powershell.exe
              6⤵
              • Executes dropped EXE
              • Modifies data under HKEY_USERS
              • Suspicious use of WriteProcessMemory
              PID:1280
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                7⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1572
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2512 -s 1176
        3⤵
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Systemd\CPU.zip
    MD5

    c83e742c2d59317c991a11f88ac04f79

    SHA1

    9fc460bce2135d4f8ca4457404113f24a986972f

    SHA256

    cde604e24c0032a5e7ba07c9301605880ee16a8172075dff373eb7d432508ade

    SHA512

    1b0024cb6e44c7486f7639010a93f3dd67c4f278e785b9c7e1751f1118c694773f23c14e6f65c985f42501556345d7f8a8e7dd5cb523919d31ebf9d516c4ceab

    Download Submit
  • C:\ProgramData\UpSys.exe
    MD5

    efe5769e37ba37cf4607cb9918639932

    SHA1

    f24ca204af2237a714e8b41d54043da7bbe5393b

    SHA256

    5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

    SHA512

    33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

    Download Submit
  • C:\ProgramData\UpSys.exe
    MD5

    efe5769e37ba37cf4607cb9918639932

    SHA1

    f24ca204af2237a714e8b41d54043da7bbe5393b

    SHA256

    5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

    SHA512

    33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

    Download Submit
  • C:\ProgramData\UpSys.exe
    MD5

    efe5769e37ba37cf4607cb9918639932

    SHA1

    f24ca204af2237a714e8b41d54043da7bbe5393b

    SHA256

    5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

    SHA512

    33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

    Download Submit
  • C:\ProgramData\UpSys.exe
    MD5

    efe5769e37ba37cf4607cb9918639932

    SHA1

    f24ca204af2237a714e8b41d54043da7bbe5393b

    SHA256

    5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

    SHA512

    33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\filename.exe
    MD5

    ab40d2395f7abeee43552ae6a750044d

    SHA1

    6d6a406e51934998567bb3318633a8f281dda509

    SHA256

    bcc26c979a4d7b0afec88bdf7c864e965db3041616acea4cda1874ba476e74e0

    SHA512

    b6efdc8da501db4c355333460baf551bb8f536b777505198ed55bf82c5131972269ecfd5285458e77d4df4d3366771c73687be039620c5258835fc782fe459b6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\filename.exe
    MD5

    ab40d2395f7abeee43552ae6a750044d

    SHA1

    6d6a406e51934998567bb3318633a8f281dda509

    SHA256

    bcc26c979a4d7b0afec88bdf7c864e965db3041616acea4cda1874ba476e74e0

    SHA512

    b6efdc8da501db4c355333460baf551bb8f536b777505198ed55bf82c5131972269ecfd5285458e77d4df4d3366771c73687be039620c5258835fc782fe459b6

    Download Submit
  • memory/992-124-0x0000000005AE0000-0x0000000005AE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/992-130-0x0000000007680000-0x0000000007681000-memory.dmp
    Filesize

    4KB

    Download
  • memory/992-123-0x0000000005AB0000-0x0000000005AB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/992-114-0x0000000000880000-0x00000000009CA000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/992-125-0x0000000004F84000-0x0000000004F86000-memory.dmp
    Filesize

    8KB

    Download
  • memory/992-126-0x0000000005BF0000-0x0000000005BF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/992-127-0x0000000005C70000-0x0000000005C71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/992-128-0x0000000006E90000-0x0000000006E91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/992-129-0x0000000007060000-0x0000000007061000-memory.dmp
    Filesize

    4KB

    Download
  • memory/992-119-0x0000000004F83000-0x0000000004F84000-memory.dmp
    Filesize

    4KB

    Download
  • memory/992-131-0x0000000007720000-0x0000000007721000-memory.dmp
    Filesize

    4KB

    Download
  • memory/992-132-0x0000000006430000-0x0000000006431000-memory.dmp
    Filesize

    4KB

    Download
  • memory/992-133-0x0000000007A00000-0x0000000007A01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/992-115-0x0000000000400000-0x000000000087E000-memory.dmp
    Filesize

    4.5MB

    Download
  • memory/992-121-0x0000000002A00000-0x0000000002A1E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/992-120-0x0000000004F90000-0x0000000004F91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/992-116-0x0000000000DE0000-0x0000000000DFF000-memory.dmp
    Filesize

    124KB

    Download
  • memory/992-122-0x0000000005490000-0x0000000005491000-memory.dmp
    Filesize

    4KB

    Download
  • memory/992-118-0x0000000004F82000-0x0000000004F83000-memory.dmp
    Filesize

    4KB

    Download
  • memory/992-117-0x0000000004F80000-0x0000000004F81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1016-138-0x0000000000000000-mapping.dmp
    Download
  • memory/1016-147-0x00000269680B0000-0x00000269680B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1016-143-0x0000026967D80000-0x0000026967D81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1016-160-0x000002694F6D0000-0x000002694F6D2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1016-161-0x000002694F6D3000-0x000002694F6D5000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1016-182-0x000002694F6D6000-0x000002694F6D8000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1304-153-0x0000000000000000-mapping.dmp
    Download
  • memory/1572-183-0x0000000000000000-mapping.dmp
    Download
  • memory/1572-205-0x000001B1C0B70000-0x000001B1C0B71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1572-217-0x000001B1C0A60000-0x000001B1C0A62000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1572-218-0x000001B1C0A63000-0x000001B1C0A65000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2512-137-0x00007FF72D210000-0x00007FF72DE86000-memory.dmp
    Filesize

    12.5MB

    Download
  • memory/2512-134-0x0000000000000000-mapping.dmp
    Download