Overview

overview

10

Static

static

dridex

windows10-2004_x64

10

Analysis

  • max time kernel
    162s
  • max time network
    175s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    29-01-2022 08:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3fa6d241e015a444757a8ef0d3e4ad24134655bb92169217b3702504b5f5b00e.exe

  • Size

    458KB

  • MD5

    a03ee84873f31ecee95290104f4e678f

  • SHA1

    af01efe138ae278621b49724ece9b0bac60b1f10

  • SHA256

    3fa6d241e015a444757a8ef0d3e4ad24134655bb92169217b3702504b5f5b00e

  • SHA512

    278d7f253a9ee40344fd0e2459b6e4b6edbaeb512a29e33653ec53242820498429a449b3293728ab17243744b82311a65572987822a64716361011e556c93b87

Score
10/10
redlinediscoveryinfostealerpersistencespywarestealer

Malware Config

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 4 IoCs
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Sets service image path in registry 2 TTPs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Windows directory 1 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3fa6d241e015a444757a8ef0d3e4ad24134655bb92169217b3702504b5f5b00e.exe
    "C:\Users\Admin\AppData\Local\Temp\3fa6d241e015a444757a8ef0d3e4ad24134655bb92169217b3702504b5f5b00e.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1832
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 1524
      2⤵
      • Drops file in Windows directory
      • Program crash
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1952
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 3360a024ee8731b602a9a9f798c4a613 m1LUVBdGck63P0D30X+vRQ.0.1.0.0.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:2308
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1832 -ip 1832
    1⤵
    • Suspicious use of NtCreateProcessExOtherParentProcess
    • Suspicious use of WriteProcessMemory
    PID:2632
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
    1⤵
      PID:764

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1832-130-0x0000000000610000-0x000000000063B000-memory.dmp
      Filesize

      172KB

      Download
    • memory/1832-131-0x0000000000640000-0x0000000000679000-memory.dmp
      Filesize

      228KB

      Download
    • memory/1832-132-0x0000000000400000-0x000000000047A000-memory.dmp
      Filesize

      488KB

      Download
    • memory/1832-133-0x0000000002280000-0x00000000023C0000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1832-134-0x0000000002280000-0x00000000023C0000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1832-135-0x0000000002280000-0x00000000023C0000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1832-136-0x0000000004D50000-0x00000000052F4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1832-137-0x0000000005300000-0x0000000005918000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/1832-138-0x0000000002710000-0x0000000002722000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1832-139-0x0000000005920000-0x0000000005A2A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1832-140-0x0000000002280000-0x00000000023C0000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1832-141-0x0000000002860000-0x000000000289C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/1832-142-0x0000000005CB0000-0x0000000005D16000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1832-143-0x00000000060D0000-0x0000000006146000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1832-144-0x00000000061B0000-0x0000000006242000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1832-145-0x00000000063B0000-0x00000000063CE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/1832-146-0x0000000006460000-0x0000000006622000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/1832-147-0x0000000006630000-0x0000000006B5C000-memory.dmp
      Filesize

      5.2MB

      Download