Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/12/2022, 12:39

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    64c8961580c51d91243226dac1d4b95a4bc9a47f580acadfaa291c3ae1b7e14a.exe

  • Size

    327KB

  • MD5

    ffdcce59d85399b04eaf9eae45a4ef00

  • SHA1

    6da8310b3fb1205e41b66010f30b72336759b5ab

  • SHA256

    64c8961580c51d91243226dac1d4b95a4bc9a47f580acadfaa291c3ae1b7e14a

  • SHA512

    2f6f76aa01bb072d66a59a6edec8543b7b0e9fab8a9e91273d103383f942c8111e4b9e65e16763810017de5c4a5b4b89aaf7cb0fb000081d3affed3929d3ff3b

  • SSDEEP

    6144:hkU4szLY+MQHUhtorwOJwL82XYosWYf67k13bwZ4Vxq:V9zs+MQ0sFV2XxsWYy7

Score
10/10
redlinesmokeloaderinstallsbackdoordiscoveryinfostealerspywaretrojan

Malware Config

Extracted

Family

redline

Botnet

installs

C2

77.73.134.57:20368

Attributes
  • auth_value

    018d84fd84774560e4827f12acc7d4af

Signatures

  • Detects Smokeloader packer 2 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 9 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\64c8961580c51d91243226dac1d4b95a4bc9a47f580acadfaa291c3ae1b7e14a.exe
    "C:\Users\Admin\AppData\Local\Temp\64c8961580c51d91243226dac1d4b95a4bc9a47f580acadfaa291c3ae1b7e14a.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:3712
  • C:\Users\Admin\AppData\Local\Temp\5544.exe
    C:\Users\Admin\AppData\Local\Temp\5544.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1852
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 156
      2⤵
      • Program crash
      PID:3784
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2112 -ip 2112
    1⤵
      PID:4556
    • C:\Users\Admin\AppData\Local\Temp\5DFF.exe
      C:\Users\Admin\AppData\Local\Temp\5DFF.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:948
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        2⤵
          PID:1984
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
          2⤵
            PID:4628
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            2⤵
              PID:2528
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
              2⤵
                PID:1508
            • C:\Users\Admin\AppData\Local\Temp\6285.exe
              C:\Users\Admin\AppData\Local\Temp\6285.exe
              1⤵
              • Executes dropped EXE
              • Checks SCSI registry key(s)
              • Suspicious behavior: MapViewOfSection
              PID:4508
            • C:\Windows\SysWOW64\explorer.exe
              C:\Windows\SysWOW64\explorer.exe
              1⤵
                PID:716
              • C:\Windows\explorer.exe
                C:\Windows\explorer.exe
                1⤵
                  PID:3916
                • C:\Windows\SysWOW64\explorer.exe
                  C:\Windows\SysWOW64\explorer.exe
                  1⤵
                    PID:2360
                  • C:\Windows\explorer.exe
                    C:\Windows\explorer.exe
                    1⤵
                      PID:3132
                    • C:\Windows\SysWOW64\explorer.exe
                      C:\Windows\SysWOW64\explorer.exe
                      1⤵
                        PID:1404
                      • C:\Windows\SysWOW64\explorer.exe
                        C:\Windows\SysWOW64\explorer.exe
                        1⤵
                          PID:764
                        • C:\Windows\SysWOW64\explorer.exe
                          C:\Windows\SysWOW64\explorer.exe
                          1⤵
                            PID:1840
                          • C:\Windows\explorer.exe
                            C:\Windows\explorer.exe
                            1⤵
                              PID:2876
                            • C:\Windows\SysWOW64\explorer.exe
                              C:\Windows\SysWOW64\explorer.exe
                              1⤵
                                PID:4292
                              • C:\Users\Admin\AppData\Roaming\caedwhb
                                C:\Users\Admin\AppData\Roaming\caedwhb
                                1⤵
                                • Executes dropped EXE
                                • Checks SCSI registry key(s)
                                • Suspicious behavior: MapViewOfSection
                                PID:4864
                              • C:\Windows\SysWOW64\explorer.exe
                                C:\Windows\SysWOW64\explorer.exe
                                1⤵
                                  PID:864

                                Network

                                      MITRE ATT&CK Enterprise v6

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\Temp\5544.exe
                                        Filesize

                                        299KB

                                        MD5

                                        1a4930e4be17123c8d8f2f57c539e493

                                        SHA1

                                        7f29d9c5a7babeb741761243a18869ab311493e4

                                        SHA256

                                        5a83268b4310b64a536daa8aa0e84bfc225d3a4f5914310daa65027ac821be72

                                        SHA512

                                        c05bcdbe1c5c994acb8c807a790e43d4e326479aab919f1e6728eec47030da321e081602e4a27a5834911346b0a3d6d6799e09d420c820e363ceb45360a27ad1

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\5544.exe
                                        Filesize

                                        299KB

                                        MD5

                                        1a4930e4be17123c8d8f2f57c539e493

                                        SHA1

                                        7f29d9c5a7babeb741761243a18869ab311493e4

                                        SHA256

                                        5a83268b4310b64a536daa8aa0e84bfc225d3a4f5914310daa65027ac821be72

                                        SHA512

                                        c05bcdbe1c5c994acb8c807a790e43d4e326479aab919f1e6728eec47030da321e081602e4a27a5834911346b0a3d6d6799e09d420c820e363ceb45360a27ad1

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\5DFF.exe
                                        Filesize

                                        67KB

                                        MD5

                                        666d8f33d37064fd5d14e2166c9bfa69

                                        SHA1

                                        3b27df9335a9b2efe9da1057e9f8312a72d1ca9d

                                        SHA256

                                        7fddf1b75f50d43214867f367223f2d241d62ae63deea334d051c0ee19d18157

                                        SHA512

                                        ac3c993f019bb402db474fda65d587ae7717725eea9b3a869acd3530543b7b94d354f19474f6b1c7fc760b5b22622328def2bef26e3900c186b16e8a3d3b90df

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\5DFF.exe
                                        Filesize

                                        67KB

                                        MD5

                                        666d8f33d37064fd5d14e2166c9bfa69

                                        SHA1

                                        3b27df9335a9b2efe9da1057e9f8312a72d1ca9d

                                        SHA256

                                        7fddf1b75f50d43214867f367223f2d241d62ae63deea334d051c0ee19d18157

                                        SHA512

                                        ac3c993f019bb402db474fda65d587ae7717725eea9b3a869acd3530543b7b94d354f19474f6b1c7fc760b5b22622328def2bef26e3900c186b16e8a3d3b90df

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\6285.exe
                                        Filesize

                                        301KB

                                        MD5

                                        240afeca981e2d598217814fa230e907

                                        SHA1

                                        0e95db74270e1fc863512fa591116119fcab7ba8

                                        SHA256

                                        821d166c3a781284bebe960f1f96813dfa453e1cde264f4274b1f14b90073bff

                                        SHA512

                                        8c438a1b666f4e2c447c90108eb280c6d578a465699cfc9eeb9f3c8476a137c962b3db73071cfde138017d18ab095beffcdef6ab8a6dde5f9f50ae4dbec34522

                                        Download Submit

                                      • C:\Users\Admin\AppData\Local\Temp\6285.exe
                                        Filesize

                                        301KB

                                        MD5

                                        240afeca981e2d598217814fa230e907

                                        SHA1

                                        0e95db74270e1fc863512fa591116119fcab7ba8

                                        SHA256

                                        821d166c3a781284bebe960f1f96813dfa453e1cde264f4274b1f14b90073bff

                                        SHA512

                                        8c438a1b666f4e2c447c90108eb280c6d578a465699cfc9eeb9f3c8476a137c962b3db73071cfde138017d18ab095beffcdef6ab8a6dde5f9f50ae4dbec34522

                                        Download Submit

                                      • C:\Users\Admin\AppData\Roaming\caedwhb
                                        Filesize

                                        327KB

                                        MD5

                                        ffdcce59d85399b04eaf9eae45a4ef00

                                        SHA1

                                        6da8310b3fb1205e41b66010f30b72336759b5ab

                                        SHA256

                                        64c8961580c51d91243226dac1d4b95a4bc9a47f580acadfaa291c3ae1b7e14a

                                        SHA512

                                        2f6f76aa01bb072d66a59a6edec8543b7b0e9fab8a9e91273d103383f942c8111e4b9e65e16763810017de5c4a5b4b89aaf7cb0fb000081d3affed3929d3ff3b

                                        Download Submit

                                      • C:\Users\Admin\AppData\Roaming\caedwhb
                                        Filesize

                                        327KB

                                        MD5

                                        ffdcce59d85399b04eaf9eae45a4ef00

                                        SHA1

                                        6da8310b3fb1205e41b66010f30b72336759b5ab

                                        SHA256

                                        64c8961580c51d91243226dac1d4b95a4bc9a47f580acadfaa291c3ae1b7e14a

                                        SHA512

                                        2f6f76aa01bb072d66a59a6edec8543b7b0e9fab8a9e91273d103383f942c8111e4b9e65e16763810017de5c4a5b4b89aaf7cb0fb000081d3affed3929d3ff3b

                                        Download Submit

                                      • memory/716-158-0x0000000000EF0000-0x0000000000EF7000-memory.dmp

                                        Filesize

                                        28KB

                                        Download

                                      • memory/716-159-0x0000000000EE0000-0x0000000000EEB000-memory.dmp

                                        Filesize

                                        44KB

                                        Download

                                      • memory/716-199-0x0000000000EF0000-0x0000000000EF7000-memory.dmp

                                        Filesize

                                        28KB

                                        Download

                                      • memory/764-204-0x0000000000B70000-0x0000000000B75000-memory.dmp

                                        Filesize

                                        20KB

                                        Download

                                      • memory/764-184-0x0000000000B70000-0x0000000000B75000-memory.dmp

                                        Filesize

                                        20KB

                                        Download

                                      • memory/764-182-0x0000000000B60000-0x0000000000B69000-memory.dmp

                                        Filesize

                                        36KB

                                        Download

                                      • memory/864-216-0x0000000000EE0000-0x0000000000EE5000-memory.dmp

                                        Filesize

                                        20KB

                                        Download

                                      • memory/864-217-0x0000000000ED0000-0x0000000000ED9000-memory.dmp

                                        Filesize

                                        36KB

                                        Download

                                      • memory/864-211-0x0000000000EE0000-0x0000000000EE5000-memory.dmp

                                        Filesize

                                        20KB

                                        Download

                                      • memory/864-212-0x0000000000ED0000-0x0000000000ED9000-memory.dmp

                                        Filesize

                                        36KB

                                        Download

                                      • memory/948-148-0x00000000001C0000-0x00000000001D6000-memory.dmp

                                        Filesize

                                        88KB

                                        Download

                                      • memory/948-156-0x00000000049D0000-0x0000000004A36000-memory.dmp

                                        Filesize

                                        408KB

                                        Download

                                      • memory/1404-178-0x0000000000480000-0x00000000004A7000-memory.dmp

                                        Filesize

                                        156KB

                                        Download

                                      • memory/1404-177-0x00000000004B0000-0x00000000004D2000-memory.dmp

                                        Filesize

                                        136KB

                                        Download

                                      • memory/1404-203-0x00000000004B0000-0x00000000004D2000-memory.dmp

                                        Filesize

                                        136KB

                                        Download

                                      • memory/1840-186-0x0000000000950000-0x000000000095B000-memory.dmp

                                        Filesize

                                        44KB

                                        Download

                                      • memory/1840-185-0x0000000000960000-0x0000000000966000-memory.dmp

                                        Filesize

                                        24KB

                                        Download

                                      • memory/1840-205-0x0000000000960000-0x0000000000966000-memory.dmp

                                        Filesize

                                        24KB

                                        Download

                                      • memory/1852-140-0x0000000000140000-0x0000000000178000-memory.dmp

                                        Filesize

                                        224KB

                                        Download

                                      • memory/1852-157-0x0000000004A90000-0x0000000004ACC000-memory.dmp

                                        Filesize

                                        240KB

                                        Download

                                      • memory/1852-189-0x0000000006DB0000-0x0000000006E00000-memory.dmp

                                        Filesize

                                        320KB

                                        Download

                                      • memory/1852-171-0x0000000005FE0000-0x0000000006584000-memory.dmp

                                        Filesize

                                        5.6MB

                                        Download

                                      • memory/1852-191-0x0000000006E80000-0x0000000006EF6000-memory.dmp

                                        Filesize

                                        472KB

                                        Download

                                      • memory/1852-149-0x0000000005070000-0x0000000005688000-memory.dmp

                                        Filesize

                                        6.1MB

                                        Download

                                      • memory/1852-150-0x0000000000F30000-0x0000000000F42000-memory.dmp

                                        Filesize

                                        72KB

                                        Download

                                      • memory/1852-167-0x0000000005990000-0x0000000005A22000-memory.dmp

                                        Filesize

                                        584KB

                                        Download

                                      • memory/1852-192-0x0000000005FB0000-0x0000000005FCE000-memory.dmp

                                        Filesize

                                        120KB

                                        Download

                                      • memory/1852-196-0x0000000006F00000-0x00000000070C2000-memory.dmp

                                        Filesize

                                        1.8MB

                                        Download

                                      • memory/1852-151-0x0000000004B60000-0x0000000004C6A000-memory.dmp

                                        Filesize

                                        1.0MB

                                        Download

                                      • memory/1852-197-0x0000000007600000-0x0000000007B2C000-memory.dmp

                                        Filesize

                                        5.2MB

                                        Download

                                      • memory/2360-165-0x0000000001610000-0x0000000001615000-memory.dmp

                                        Filesize

                                        20KB

                                        Download

                                      • memory/2360-201-0x0000000001610000-0x0000000001615000-memory.dmp

                                        Filesize

                                        20KB

                                        Download

                                      • memory/2360-166-0x0000000001600000-0x0000000001609000-memory.dmp

                                        Filesize

                                        36KB

                                        Download

                                      • memory/2876-188-0x0000000000FF0000-0x0000000000FF7000-memory.dmp

                                        Filesize

                                        28KB

                                        Download

                                      • memory/2876-190-0x0000000000FE0000-0x0000000000FED000-memory.dmp

                                        Filesize

                                        52KB

                                        Download

                                      • memory/2876-206-0x0000000000FF0000-0x0000000000FF7000-memory.dmp

                                        Filesize

                                        28KB

                                        Download

                                      • memory/3132-202-0x0000000000B00000-0x0000000000B06000-memory.dmp

                                        Filesize

                                        24KB

                                        Download

                                      • memory/3132-174-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

                                        Filesize

                                        48KB

                                        Download

                                      • memory/3132-173-0x0000000000B00000-0x0000000000B06000-memory.dmp

                                        Filesize

                                        24KB

                                        Download

                                      • memory/3712-133-0x00000000005B0000-0x00000000005B9000-memory.dmp

                                        Filesize

                                        36KB

                                        Download

                                      • memory/3712-134-0x0000000000400000-0x0000000000456000-memory.dmp

                                        Filesize

                                        344KB

                                        Download

                                      • memory/3712-135-0x0000000000400000-0x0000000000456000-memory.dmp

                                        Filesize

                                        344KB

                                        Download

                                      • memory/3712-132-0x0000000000637000-0x000000000064D000-memory.dmp

                                        Filesize

                                        88KB

                                        Download

                                      • memory/3916-162-0x0000000000B10000-0x0000000000B1F000-memory.dmp

                                        Filesize

                                        60KB

                                        Download

                                      • memory/3916-200-0x0000000000B20000-0x0000000000B29000-memory.dmp

                                        Filesize

                                        36KB

                                        Download

                                      • memory/3916-161-0x0000000000B20000-0x0000000000B29000-memory.dmp

                                        Filesize

                                        36KB

                                        Download

                                      • memory/4292-207-0x0000000000F90000-0x0000000000F98000-memory.dmp

                                        Filesize

                                        32KB

                                        Download

                                      • memory/4292-195-0x0000000000F80000-0x0000000000F8B000-memory.dmp

                                        Filesize

                                        44KB

                                        Download

                                      • memory/4292-194-0x0000000000F90000-0x0000000000F98000-memory.dmp

                                        Filesize

                                        32KB

                                        Download

                                      • memory/4508-181-0x0000000000400000-0x000000000044F000-memory.dmp

                                        Filesize

                                        316KB

                                        Download

                                      • memory/4508-198-0x0000000000400000-0x000000000044F000-memory.dmp

                                        Filesize

                                        316KB

                                        Download

                                      • memory/4508-180-0x0000000000590000-0x0000000000599000-memory.dmp

                                        Filesize

                                        36KB

                                        Download

                                      • memory/4508-179-0x00000000007B7000-0x00000000007CC000-memory.dmp

                                        Filesize

                                        84KB

                                        Download

                                      • memory/4864-215-0x0000000000400000-0x0000000000456000-memory.dmp

                                        Filesize

                                        344KB

                                        Download

                                      • memory/4864-214-0x0000000000400000-0x0000000000456000-memory.dmp

                                        Filesize

                                        344KB

                                        Download

                                      • memory/4864-213-0x00000000005D7000-0x00000000005EC000-memory.dmp

                                        Filesize

                                        84KB

                                        Download