Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    127s
  • max time network
    174s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 22:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cc6573c4ad6f0700c00a02ed4bc305107eecd995f1612be99f07f318017efec8.exe

  • Size

    226KB

  • MD5

    cdd4c17bc79e0e111d637b515d7b20df

  • SHA1

    6b644f1606f5a2af380ca1dc720c7eb2fd21b1fc

  • SHA256

    cc6573c4ad6f0700c00a02ed4bc305107eecd995f1612be99f07f318017efec8

  • SHA512

    d7f4ffad5cca735d073e0b4dff54635a62170015a109e18ff227f864654d9f0c7fed76ed3019fd1badc7eedd9046b9bc526d96a20c554e5f6e2480d886eb31ed

  • SSDEEP

    6144:gpKes0N5fHjkaBQXjwwyJ4jmuv7nM12pzn:Xes0NtjNBNL4jV7n5

Score
10/10
amadeyredlinepopscollectiondiscoveryinfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.50

C2

193.56.146.194/h49vlBP/index.php

Extracted

Family

redline

Botnet

pops

C2

31.41.244.14:4694

Attributes
  • auth_value

    c377eb074ac3f12f85b0ff38d543b16d

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detect Amadey credential stealer module 2 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 3 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cc6573c4ad6f0700c00a02ed4bc305107eecd995f1612be99f07f318017efec8.exe
    "C:\Users\Admin\AppData\Local\Temp\cc6573c4ad6f0700c00a02ed4bc305107eecd995f1612be99f07f318017efec8.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3588
    • C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
      "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1316
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
        3⤵
        • Creates scheduled task(s)
        PID:3756
      • C:\Users\Admin\AppData\Local\Temp\1000141001\laba.exe
        "C:\Users\Admin\AppData\Local\Temp\1000141001\laba.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3836
      • C:\Users\Admin\AppData\Local\Temp\1000142001\linda5.exe
        "C:\Users\Admin\AppData\Local\Temp\1000142001\linda5.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4476
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" /u 3dZVP.i6 /s
          4⤵
          • Loads dropped DLL
          PID:2136
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • outlook_win_path
        PID:4520
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 1284
      2⤵
      • Program crash
      PID:2960
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3588 -ip 3588
    1⤵
      PID:4004
    • C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
      C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
      1⤵
      • Executes dropped EXE
      PID:552
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 416
        2⤵
        • Program crash
        PID:2316
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 552 -ip 552
      1⤵
        PID:1728

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Credentials in Files

      3
      T1081

      Discovery

      Query Registry

      2
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Data from Local System

      3
      T1005

      Email Collection

      1
      T1114

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\1000141001\laba.exe
        Filesize

        137KB

        MD5

        9299834655f07e6896b1ff0b9e92c7b4

        SHA1

        acba1e9262b4aebf020758e30326afdc99c714ad

        SHA256

        fe105a23e4bee42b0401669d6ce9d34dbc7816a6cbef7c7108e11adc3c339257

        SHA512

        7ab23ac1eedb82044946bb9e6afb308580d434be45f3ebd18c5fc90cd98281738e4f50e75a3506315785e60d93e90cc4facc285fe7760985dfe0fd47771bc650

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\1000141001\laba.exe
        Filesize

        137KB

        MD5

        9299834655f07e6896b1ff0b9e92c7b4

        SHA1

        acba1e9262b4aebf020758e30326afdc99c714ad

        SHA256

        fe105a23e4bee42b0401669d6ce9d34dbc7816a6cbef7c7108e11adc3c339257

        SHA512

        7ab23ac1eedb82044946bb9e6afb308580d434be45f3ebd18c5fc90cd98281738e4f50e75a3506315785e60d93e90cc4facc285fe7760985dfe0fd47771bc650

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\1000142001\linda5.exe
        Filesize

        1.5MB

        MD5

        52c8c983f1e3b56b898b0f0cc42cf054

        SHA1

        e5d59471700b884f37d384e14a33ca9ba4d6f4e8

        SHA256

        09256476bf582af3d0033de7d558262e196a1f7192ce25a1e436d24d94a2ba3a

        SHA512

        aa73e15a564725c94ac5019f59386b41e3f6bfd84c1e895d8b523e500439a95a3369c6a2b9a545a6693d7c70b0d76483f2cab61ae96522ae7d4a47dd0af48c21

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\1000142001\linda5.exe
        Filesize

        1.5MB

        MD5

        52c8c983f1e3b56b898b0f0cc42cf054

        SHA1

        e5d59471700b884f37d384e14a33ca9ba4d6f4e8

        SHA256

        09256476bf582af3d0033de7d558262e196a1f7192ce25a1e436d24d94a2ba3a

        SHA512

        aa73e15a564725c94ac5019f59386b41e3f6bfd84c1e895d8b523e500439a95a3369c6a2b9a545a6693d7c70b0d76483f2cab61ae96522ae7d4a47dd0af48c21

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\3dZVP.i6
        Filesize

        1.8MB

        MD5

        831de3b17ad30d66472856f09bd52692

        SHA1

        ca7d0a23ca25885062e2434213beb2ff0ca0b345

        SHA256

        7b1f2b718cc34d584619c00077efdc305104952bf626546d5f51c30b62e970e5

        SHA512

        97402d713c386ad74335e4694a750ef45d7f13d7d95b99af3e096e21a7ef33d19c228dab80313c5e28c88cdf7b3ed642a69797b9b02df5459a1c9601f569dcf1

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\3dZvp.i6
        Filesize

        1.8MB

        MD5

        831de3b17ad30d66472856f09bd52692

        SHA1

        ca7d0a23ca25885062e2434213beb2ff0ca0b345

        SHA256

        7b1f2b718cc34d584619c00077efdc305104952bf626546d5f51c30b62e970e5

        SHA512

        97402d713c386ad74335e4694a750ef45d7f13d7d95b99af3e096e21a7ef33d19c228dab80313c5e28c88cdf7b3ed642a69797b9b02df5459a1c9601f569dcf1

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
        Filesize

        226KB

        MD5

        cdd4c17bc79e0e111d637b515d7b20df

        SHA1

        6b644f1606f5a2af380ca1dc720c7eb2fd21b1fc

        SHA256

        cc6573c4ad6f0700c00a02ed4bc305107eecd995f1612be99f07f318017efec8

        SHA512

        d7f4ffad5cca735d073e0b4dff54635a62170015a109e18ff227f864654d9f0c7fed76ed3019fd1badc7eedd9046b9bc526d96a20c554e5f6e2480d886eb31ed

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
        Filesize

        226KB

        MD5

        cdd4c17bc79e0e111d637b515d7b20df

        SHA1

        6b644f1606f5a2af380ca1dc720c7eb2fd21b1fc

        SHA256

        cc6573c4ad6f0700c00a02ed4bc305107eecd995f1612be99f07f318017efec8

        SHA512

        d7f4ffad5cca735d073e0b4dff54635a62170015a109e18ff227f864654d9f0c7fed76ed3019fd1badc7eedd9046b9bc526d96a20c554e5f6e2480d886eb31ed

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
        Filesize

        226KB

        MD5

        cdd4c17bc79e0e111d637b515d7b20df

        SHA1

        6b644f1606f5a2af380ca1dc720c7eb2fd21b1fc

        SHA256

        cc6573c4ad6f0700c00a02ed4bc305107eecd995f1612be99f07f318017efec8

        SHA512

        d7f4ffad5cca735d073e0b4dff54635a62170015a109e18ff227f864654d9f0c7fed76ed3019fd1badc7eedd9046b9bc526d96a20c554e5f6e2480d886eb31ed

        Download Submit
      • C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll
        Filesize

        126KB

        MD5

        674cec24e36e0dfaec6290db96dda86e

        SHA1

        581e3a7a541cc04641e751fc850d92e07236681f

        SHA256

        de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded

        SHA512

        6d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029

        Download Submit
      • C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll
        Filesize

        126KB

        MD5

        674cec24e36e0dfaec6290db96dda86e

        SHA1

        581e3a7a541cc04641e751fc850d92e07236681f

        SHA256

        de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded

        SHA512

        6d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029

        Download Submit
      • memory/552-176-0x00000000008E0000-0x00000000008FF000-memory.dmp
        Filesize

        124KB

        Download
      • memory/552-177-0x0000000000400000-0x000000000071A000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/1316-143-0x0000000000400000-0x000000000071A000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/1316-139-0x0000000002210000-0x000000000224E000-memory.dmp
        Filesize

        248KB

        Download
      • memory/1316-135-0x0000000000000000-mapping.dmp
        Download
      • memory/1316-138-0x000000000098C000-0x00000000009AB000-memory.dmp
        Filesize

        124KB

        Download
      • memory/1316-140-0x0000000000400000-0x000000000071A000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/2136-158-0x0000000002F90000-0x00000000030E9000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2136-167-0x00000000031F0000-0x00000000032EE000-memory.dmp
        Filesize

        1016KB

        Download
      • memory/2136-164-0x00000000033C0000-0x0000000003471000-memory.dmp
        Filesize

        708KB

        Download
      • memory/2136-159-0x00000000031F0000-0x00000000032EE000-memory.dmp
        Filesize

        1016KB

        Download
      • memory/2136-163-0x00000000032F0000-0x00000000033B5000-memory.dmp
        Filesize

        788KB

        Download
      • memory/2136-155-0x0000000000000000-mapping.dmp
        Download
      • memory/3588-133-0x0000000002450000-0x000000000248E000-memory.dmp
        Filesize

        248KB

        Download
      • memory/3588-142-0x0000000000400000-0x000000000071A000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/3588-132-0x000000000089E000-0x00000000008BD000-memory.dmp
        Filesize

        124KB

        Download
      • memory/3588-134-0x0000000000400000-0x000000000071A000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/3756-141-0x0000000000000000-mapping.dmp
        Download
      • memory/3836-149-0x0000000005560000-0x000000000566A000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/3836-147-0x0000000000AE0000-0x0000000000B08000-memory.dmp
        Filesize

        160KB

        Download
      • memory/3836-144-0x0000000000000000-mapping.dmp
        Download
      • memory/3836-151-0x00000000054F0000-0x000000000552C000-memory.dmp
        Filesize

        240KB

        Download
      • memory/3836-150-0x0000000005490000-0x00000000054A2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/3836-168-0x0000000006200000-0x0000000006266000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3836-169-0x0000000006A20000-0x0000000006FC4000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/3836-170-0x0000000006550000-0x00000000065E2000-memory.dmp
        Filesize

        584KB

        Download
      • memory/3836-171-0x0000000006FD0000-0x0000000007192000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/3836-172-0x00000000076D0000-0x0000000007BFC000-memory.dmp
        Filesize

        5.2MB

        Download
      • memory/3836-173-0x0000000006880000-0x00000000068F6000-memory.dmp
        Filesize

        472KB

        Download
      • memory/3836-174-0x0000000006900000-0x0000000006950000-memory.dmp
        Filesize

        320KB

        Download
      • memory/3836-148-0x0000000005A30000-0x0000000006048000-memory.dmp
        Filesize

        6.1MB

        Download
      • memory/4476-152-0x0000000000000000-mapping.dmp
        Download
      • memory/4520-160-0x0000000000000000-mapping.dmp
        Download