Overview

overview

10

Static

static

dridex

windows10-2004_x64

10

Analysis

  • max time kernel
    114s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    26-01-2022 12:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    191cfad3f68bdedbad3b6840e8d93ba5bb2566717de801264684c679340df950.exe

  • Size

    444KB

  • MD5

    2cca70300e75df503f6676803b470383

  • SHA1

    7de77087c0dd09612acb8aa97025c9aa495e64f3

  • SHA256

    191cfad3f68bdedbad3b6840e8d93ba5bb2566717de801264684c679340df950

  • SHA512

    a0def3aba2baaff74eb4e98e399ad053d81929a7d8a45c954cc0aacfe86c8b411cabcdc823f543859c059c53abe874ba13d3a5cb5ba56007eb619fa55c538126

Score
10/10
redlinediscoveryinfostealerpersistencespywarestealer

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 1 IoCs
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Sets service image path in registry 2 TTPs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Windows directory 1 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\191cfad3f68bdedbad3b6840e8d93ba5bb2566717de801264684c679340df950.exe
    "C:\Users\Admin\AppData\Local\Temp\191cfad3f68bdedbad3b6840e8d93ba5bb2566717de801264684c679340df950.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2436
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 1096
      2⤵
      • Drops file in Windows directory
      • Program crash
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2888
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe d474b9deb8d2f6d84d145977e5d38807 6Eo/quQvI0GfXKhB/KjJeQ.0.1.0.0.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:1848
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2436 -ip 2436
    1⤵
    • Suspicious use of NtCreateProcessExOtherParentProcess
    • Suspicious use of WriteProcessMemory
    PID:644
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k wusvcs -p
    1⤵
      PID:4024

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2436-130-0x0000000000510000-0x0000000000556000-memory.dmp
      Filesize

      280KB

      Download
    • memory/2436-131-0x0000000002200000-0x0000000002239000-memory.dmp
      Filesize

      228KB

      Download
    • memory/2436-132-0x0000000000400000-0x0000000000499000-memory.dmp
      Filesize

      612KB

      Download
    • memory/2436-133-0x0000000002670000-0x00000000027F3000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/2436-134-0x0000000002670000-0x00000000027F3000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/2436-135-0x0000000002670000-0x00000000027F3000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/2436-136-0x0000000004CF0000-0x0000000005294000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/2436-137-0x00000000052A0000-0x00000000058B8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/2436-138-0x0000000002910000-0x0000000002922000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2436-139-0x00000000058C0000-0x00000000059CA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/2436-140-0x0000000002950000-0x000000000298C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/2436-141-0x0000000002670000-0x00000000027F3000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/2436-142-0x0000000005CA0000-0x0000000005D32000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2436-143-0x0000000005D40000-0x0000000005DB6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/2436-144-0x0000000005F40000-0x0000000005F5E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/2436-145-0x0000000005FA0000-0x0000000006006000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2436-146-0x0000000006800000-0x00000000069C2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/2436-147-0x00000000069E0000-0x0000000006F0C000-memory.dmp
      Filesize

      5.2MB

      Download