Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    135s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    24-10-2021 10:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    691ed74715d9b01bc9eff77b50a7c08842f1eba35162a43422534f9caf8c0655.exe

  • Size

    188KB

  • MD5

    6194c217ce5e0164315ea40351e9263b

  • SHA1

    e9930a28741c5200558c00994e7e80ab4d5716db

  • SHA256

    691ed74715d9b01bc9eff77b50a7c08842f1eba35162a43422534f9caf8c0655

  • SHA512

    a1ce860e7c28dbe9500713a814b2d3711a6a6a208a55d330b46ca518f2cf9b995f81f9f6339ab875c63b87bfad6bc52962398e6c4436fd5bed230c2afa1594f4

Score
10/10
redlinediscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

C2

141.94.188.138:46419

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\691ed74715d9b01bc9eff77b50a7c08842f1eba35162a43422534f9caf8c0655.exe
    "C:\Users\Admin\AppData\Local\Temp\691ed74715d9b01bc9eff77b50a7c08842f1eba35162a43422534f9caf8c0655.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      #cmd
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4056
      • C:\Users\Admin\AppData\Roaming\League.exe
        "C:\Users\Admin\AppData\Roaming\League.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:412

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\League.exe
    MD5

    9483fa0a80880c5eae7e58a4666b1250

    SHA1

    b373fe058d67532d4a368ec0d956c34dd20c0046

    SHA256

    e10c76d16bebc49e3f73b3e034f66676e1c640438ea081aaddea677db179b295

    SHA512

    ef3b97529ab9f77759d8f78bfe8d981c94110d9b798150324c0a733fabba2e8ae2e3b027ca1592af35d0ae0383ec7cd1ac9367d98be556d9ddb63555bfb30e3d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\League.exe
    MD5

    9483fa0a80880c5eae7e58a4666b1250

    SHA1

    b373fe058d67532d4a368ec0d956c34dd20c0046

    SHA256

    e10c76d16bebc49e3f73b3e034f66676e1c640438ea081aaddea677db179b295

    SHA512

    ef3b97529ab9f77759d8f78bfe8d981c94110d9b798150324c0a733fabba2e8ae2e3b027ca1592af35d0ae0383ec7cd1ac9367d98be556d9ddb63555bfb30e3d

    Download Submit
  • memory/412-143-0x00000130EFF82000-0x00000130EFF84000-memory.dmp
    Filesize

    8KB

    Download
  • memory/412-147-0x00000130F13D0000-0x00000130F1636000-memory.dmp
    Filesize

    2.4MB

    Download
  • memory/412-146-0x00000130EFF85000-0x00000130EFF87000-memory.dmp
    Filesize

    8KB

    Download
  • memory/412-145-0x00000130EF570000-0x00000130EF89A000-memory.dmp
    Filesize

    3.2MB

    Download
  • memory/412-144-0x00000130EFF84000-0x00000130EFF85000-memory.dmp
    Filesize

    4KB

    Download
  • memory/412-136-0x0000000000000000-mapping.dmp
    Download
  • memory/412-142-0x00000130EFF80000-0x00000130EFF82000-memory.dmp
    Filesize

    8KB

    Download
  • memory/412-141-0x00000130EFF90000-0x00000130F02C7000-memory.dmp
    Filesize

    3.2MB

    Download
  • memory/412-139-0x00000130ED470000-0x00000130ED471000-memory.dmp
    Filesize

    4KB

    Download
  • memory/412-148-0x00000130F4550000-0x00000130F4551000-memory.dmp
    Filesize

    4KB

    Download
  • memory/412-149-0x00000130EF8D0000-0x00000130EF8D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3036-119-0x000000001AE50000-0x000000001AE52000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3036-115-0x00000000000A0000-0x00000000000A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4056-125-0x0000000005270000-0x0000000005271000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4056-129-0x0000000005E80000-0x0000000005E81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4056-135-0x0000000008020000-0x0000000008021000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4056-133-0x0000000007700000-0x0000000007701000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4056-132-0x0000000006130000-0x0000000006131000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4056-131-0x0000000005F80000-0x0000000005F81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4056-130-0x0000000005FA0000-0x0000000005FA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4056-134-0x0000000007920000-0x0000000007921000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4056-128-0x0000000006300000-0x0000000006301000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4056-127-0x00000000052B0000-0x00000000052B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4056-126-0x00000000051E0000-0x00000000057E6000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/4056-124-0x0000000005340000-0x0000000005341000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4056-123-0x0000000005210000-0x0000000005211000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4056-122-0x00000000057F0000-0x00000000057F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4056-118-0x000000000041A14E-mapping.dmp
    Download
  • memory/4056-117-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

    Download