Overview

overview

10

Static

static

dridex

windows10-2004_x64

10

Analysis

  • max time kernel
    156s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    28-01-2022 13:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b79524c98bfa18999ed070b243ada769bb7295419d510042eb25eba37c2c227c.exe

  • Size

    658KB

  • MD5

    203824aed18427599c09b9a602f99d51

  • SHA1

    6c031395edbd173fed660845ab7334caf552d173

  • SHA256

    b79524c98bfa18999ed070b243ada769bb7295419d510042eb25eba37c2c227c

  • SHA512

    e46dbab02f28158566c5e122f645822b23bce18c22d21f647722eb641d94339c4e50aa30b50fb630fb0ac7a82ef3d9a07b9374f7fce534a3a6cd961d22b6ed14

Score
10/10
redlinediscoveryinfostealerpersistencespywarestealer

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • Sets service image path in registry 2 TTPs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b79524c98bfa18999ed070b243ada769bb7295419d510042eb25eba37c2c227c.exe
    "C:\Users\Admin\AppData\Local\Temp\b79524c98bfa18999ed070b243ada769bb7295419d510042eb25eba37c2c227c.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1500
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 38694023962b74f233e49e5c3312d83e xorpv0a6MUWbGFSXMdI1yQ.0.1.0.0.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:3624
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
    1⤵
      PID:3460

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1500-130-0x0000000000770000-0x00000000007B4000-memory.dmp
      Filesize

      272KB

      Download
    • memory/1500-131-0x0000000000420000-0x00000000004A4000-memory.dmp
      Filesize

      528KB

      Download
    • memory/1500-132-0x0000000000410000-0x0000000000411000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1500-133-0x0000000076E70000-0x0000000077085000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/1500-134-0x0000000000420000-0x00000000004A4000-memory.dmp
      Filesize

      528KB

      Download
    • memory/1500-135-0x0000000073570000-0x00000000735F9000-memory.dmp
      Filesize

      548KB

      Download
    • memory/1500-137-0x0000000005020000-0x0000000005021000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1500-136-0x00000000761A0000-0x0000000076753000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1500-138-0x0000000005650000-0x0000000005C68000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/1500-139-0x0000000005080000-0x0000000005092000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1500-140-0x00000000051B0000-0x00000000052BA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1500-141-0x00000000050E0000-0x000000000511C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/1500-142-0x0000000005C70000-0x0000000005E32000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/1500-143-0x000000006ED80000-0x000000006EDCC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1500-144-0x00000000063F0000-0x0000000006994000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1500-145-0x0000000000A80000-0x0000000000B12000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1500-146-0x0000000000B20000-0x0000000000B86000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1500-147-0x0000000005380000-0x00000000053F6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1500-148-0x0000000005350000-0x000000000536E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/1500-149-0x0000000007980000-0x0000000007EAC000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/1500-150-0x0000000006B30000-0x0000000006B80000-memory.dmp
      Filesize

      320KB

      Download