Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    161s
  • max time network
    187s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/02/2023, 18:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d7b28740395b2996afdbb7b5a3059dd1c088416c6924723b4b8e8b7b3630aad2.exe

  • Size

    550KB

  • MD5

    93e512d649541ddbe2c36f5525e7ef35

  • SHA1

    9cab0c043753c4ffa2190b795121f42c3caa647c

  • SHA256

    d7b28740395b2996afdbb7b5a3059dd1c088416c6924723b4b8e8b7b3630aad2

  • SHA512

    5bd9acd32a4b2570b5649939d14801319a3999a31118ddd1d91232571881e9933fddd756a34a85ef2126478e3ec6d538628f5556329d519e7548e4c2b4173066

  • SSDEEP

    12288:6Mrcy905KEqHfFls0g0uBuqQMwVel8p8/zYq3:SyGsFlrg4wsE8A

Score
10/10
redlinefusanocryptdiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

fusa

C2

193.233.20.12:4132

Attributes
  • auth_value

    a08b2f01bd2af756e38c5dd60e87e697

Extracted

Family

redline

Botnet

nocrypt

C2

176.113.115.17:4132

Attributes
  • auth_value

    4fc7cda1ab5883a6197f20f517ce2a8c

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d7b28740395b2996afdbb7b5a3059dd1c088416c6924723b4b8e8b7b3630aad2.exe
    "C:\Users\Admin\AppData\Local\Temp\d7b28740395b2996afdbb7b5a3059dd1c088416c6924723b4b8e8b7b3630aad2.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dQr72.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dQr72.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3216
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aEK02.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aEK02.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4384
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bxy26du.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bxy26du.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4988
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cgx23.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cgx23.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:216
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 1084
        3⤵
        • Program crash
        PID:2776
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 216 -ip 216
    1⤵
      PID:1820

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cgx23.exe
      Filesize

      427KB

      MD5

      eab6b7b7be201cbd96e0428afdd6fd0e

      SHA1

      8a4666f183d392c8ace2ea31f7c027d2647c93a2

      SHA256

      16fc123bea8b5ebc150d0700a8ca1146431f791fae8349efadef8932447d8f2c

      SHA512

      f1138f8e8110ac2682d3b341bea6831d3e26d29510ee0c61d2f26d549d31a8549ae7d628bd3a8a61926e8a6667321f8f73e138334109b2c652bb6de38f3bf1b9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cgx23.exe
      Filesize

      427KB

      MD5

      eab6b7b7be201cbd96e0428afdd6fd0e

      SHA1

      8a4666f183d392c8ace2ea31f7c027d2647c93a2

      SHA256

      16fc123bea8b5ebc150d0700a8ca1146431f791fae8349efadef8932447d8f2c

      SHA512

      f1138f8e8110ac2682d3b341bea6831d3e26d29510ee0c61d2f26d549d31a8549ae7d628bd3a8a61926e8a6667321f8f73e138334109b2c652bb6de38f3bf1b9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dQr72.exe
      Filesize

      202KB

      MD5

      e22b664a50559198160070817421ace4

      SHA1

      2d94319710517f951453d731045f4e856685e0d4

      SHA256

      9ebee00bb875e6e597713cc98af5f2189ccef7915ecf38662782b716e8b1b823

      SHA512

      c3d20d814872d767bf9c7c0b181f1c2afbfe80e0b16aada00cbd958235958299055641563c5427597aba264cfb6de21fef00c9db28dda0131666204ae9ed96e7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dQr72.exe
      Filesize

      202KB

      MD5

      e22b664a50559198160070817421ace4

      SHA1

      2d94319710517f951453d731045f4e856685e0d4

      SHA256

      9ebee00bb875e6e597713cc98af5f2189ccef7915ecf38662782b716e8b1b823

      SHA512

      c3d20d814872d767bf9c7c0b181f1c2afbfe80e0b16aada00cbd958235958299055641563c5427597aba264cfb6de21fef00c9db28dda0131666204ae9ed96e7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aEK02.exe
      Filesize

      175KB

      MD5

      da6f3bef8abc85bd09f50783059964e3

      SHA1

      a0f25f60ec1896c4c920ea397f40e6ce29724322

      SHA256

      e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b

      SHA512

      4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aEK02.exe
      Filesize

      175KB

      MD5

      da6f3bef8abc85bd09f50783059964e3

      SHA1

      a0f25f60ec1896c4c920ea397f40e6ce29724322

      SHA256

      e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b

      SHA512

      4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bxy26du.exe
      Filesize

      175KB

      MD5

      30132c45c2305b287d96a3ad8158e9e3

      SHA1

      c89477868792dbfc6abeb3016e4fcc542b01bea1

      SHA256

      0cca99711baf600eb030bbfcf279faf74c564084e733df3d9e98bea3e4e2f45f

      SHA512

      1f6ccbaf0787c9bc61f568c4398374426961fc73ed7ea38c75e27d7025a9df6f93ea111297a6a02acdeea52845067e222e681f278dc7278d834fbbb6be98b74e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bxy26du.exe
      Filesize

      175KB

      MD5

      30132c45c2305b287d96a3ad8158e9e3

      SHA1

      c89477868792dbfc6abeb3016e4fcc542b01bea1

      SHA256

      0cca99711baf600eb030bbfcf279faf74c564084e733df3d9e98bea3e4e2f45f

      SHA512

      1f6ccbaf0787c9bc61f568c4398374426961fc73ed7ea38c75e27d7025a9df6f93ea111297a6a02acdeea52845067e222e681f278dc7278d834fbbb6be98b74e

      Download Submit

    • memory/216-159-0x0000000000400000-0x00000000004D1000-memory.dmp

      Filesize

      836KB

      Download

    • memory/216-157-0x0000000000684000-0x00000000006A4000-memory.dmp

      Filesize

      128KB

      Download

    • memory/216-158-0x0000000002110000-0x000000000213D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/4384-146-0x0000000006FB0000-0x0000000007172000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4384-143-0x0000000005AA0000-0x0000000005B32000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4384-147-0x00000000076B0000-0x0000000007BDC000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4384-148-0x0000000006F30000-0x0000000006FA6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4384-149-0x0000000007180000-0x00000000071D0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4384-144-0x0000000006830000-0x0000000006DD4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4384-145-0x0000000006280000-0x00000000062E6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4384-138-0x0000000000D30000-0x0000000000D62000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4384-142-0x0000000005760000-0x000000000579C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4384-141-0x0000000005700000-0x0000000005712000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4384-140-0x00000000057D0000-0x00000000058DA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4384-139-0x0000000005C60000-0x0000000006278000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4988-153-0x0000000000740000-0x0000000000772000-memory.dmp

      Filesize

      200KB

      Download