Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-02-2023 23:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    771d87ca491233c0dbb80bfed8bd257d9cdf1bbe5c42ee45897c24b21af3d4c5.exe

  • Size

    478KB

  • MD5

    fa0ba3551284700d7f5041e47f6a68a1

  • SHA1

    18896d32228ac8409ce367a92bc0ee1bc4bdd7b1

  • SHA256

    771d87ca491233c0dbb80bfed8bd257d9cdf1bbe5c42ee45897c24b21af3d4c5

  • SHA512

    87a9d2e80c66df73be3e5c71377515874e5362d42cbe40490952f7051dbe9d7bda87c6e624ae1ae4e752ab71b7bc90db9a97c4b077c884ded81697aeaa0e3e81

  • SSDEEP

    12288:CMrHy90HDsIv0s/JZx0wpHW/e8mU2N8ZK9:5ytI3Tx09uN19

Score
10/10
redlinefusadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

fusa

C2

193.233.20.12:4132

Attributes
  • auth_value

    a08b2f01bd2af756e38c5dd60e87e697

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\771d87ca491233c0dbb80bfed8bd257d9cdf1bbe5c42ee45897c24b21af3d4c5.exe
    "C:\Users\Admin\AppData\Local\Temp\771d87ca491233c0dbb80bfed8bd257d9cdf1bbe5c42ee45897c24b21af3d4c5.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3564
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nIe66zX.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nIe66zX.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4896
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bmU52gZ.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bmU52gZ.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4936
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 1080
          4⤵
          • Program crash
          PID:1996
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dmh74gf.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dmh74gf.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:256
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lPj65bf.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lPj65bf.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3348
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4936 -ip 4936
    1⤵
      PID:680

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lPj65bf.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lPj65bf.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nIe66zX.exe
      Filesize

      375KB

      MD5

      62618eb4be9ef778a8f7ccaed5c667cf

      SHA1

      c78348d0e9ef76a1c546e5474d53153830e2f8c0

      SHA256

      4422cbc4566a30e50000d516d7227201f0658974b02ef6e535337b4fd0abfc06

      SHA512

      3c9ac666eda8b7e44f65eb966171c73b708494b569866a24ec454c402aa44eac3856b00c1d20e6315b816203e491d51b60027ced0751986086c4ae94d6ceefab

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nIe66zX.exe
      Filesize

      375KB

      MD5

      62618eb4be9ef778a8f7ccaed5c667cf

      SHA1

      c78348d0e9ef76a1c546e5474d53153830e2f8c0

      SHA256

      4422cbc4566a30e50000d516d7227201f0658974b02ef6e535337b4fd0abfc06

      SHA512

      3c9ac666eda8b7e44f65eb966171c73b708494b569866a24ec454c402aa44eac3856b00c1d20e6315b816203e491d51b60027ced0751986086c4ae94d6ceefab

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bmU52gZ.exe
      Filesize

      235KB

      MD5

      ea2af715b2c17a763c05bffc5669ded5

      SHA1

      876295abbc668533e3629c38e5b4db50776f969a

      SHA256

      b639725c9da4eecd879a811d1f643a2d7cef7b15079547c075f3f380f2e83e29

      SHA512

      1f42bf7bed7a87b2da22af31b6c0f3afe844eac6949e2f9379290ff6548259431f6f55c3d5a3de2f408889e0f3cb67898e1e26050b87408a10937902df0b0c9d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bmU52gZ.exe
      Filesize

      235KB

      MD5

      ea2af715b2c17a763c05bffc5669ded5

      SHA1

      876295abbc668533e3629c38e5b4db50776f969a

      SHA256

      b639725c9da4eecd879a811d1f643a2d7cef7b15079547c075f3f380f2e83e29

      SHA512

      1f42bf7bed7a87b2da22af31b6c0f3afe844eac6949e2f9379290ff6548259431f6f55c3d5a3de2f408889e0f3cb67898e1e26050b87408a10937902df0b0c9d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dmh74gf.exe
      Filesize

      175KB

      MD5

      da6f3bef8abc85bd09f50783059964e3

      SHA1

      a0f25f60ec1896c4c920ea397f40e6ce29724322

      SHA256

      e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b

      SHA512

      4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dmh74gf.exe
      Filesize

      175KB

      MD5

      da6f3bef8abc85bd09f50783059964e3

      SHA1

      a0f25f60ec1896c4c920ea397f40e6ce29724322

      SHA256

      e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b

      SHA512

      4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

      Download Submit

    • memory/256-156-0x0000000006F10000-0x00000000070D2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/256-147-0x0000000000C90000-0x0000000000CC2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/256-155-0x0000000006710000-0x0000000006760000-memory.dmp

      Filesize

      320KB

      Download

    • memory/256-154-0x0000000006690000-0x0000000006706000-memory.dmp

      Filesize

      472KB

      Download

    • memory/256-144-0x0000000000000000-mapping.dmp

      Download

    • memory/256-153-0x0000000005B50000-0x0000000005BB6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/256-152-0x00000000061E0000-0x0000000006272000-memory.dmp

      Filesize

      584KB

      Download

    • memory/256-157-0x0000000007610000-0x0000000007B3C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/256-148-0x0000000005BC0000-0x00000000061D8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/256-149-0x0000000005730000-0x000000000583A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/256-150-0x0000000005660000-0x0000000005672000-memory.dmp

      Filesize

      72KB

      Download

    • memory/256-151-0x00000000056E0000-0x000000000571C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3348-158-0x0000000000000000-mapping.dmp

      Download

    • memory/3348-161-0x0000000000D40000-0x0000000000D4A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3348-162-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3348-163-0x00007FFB85BD0000-0x00007FFB86691000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4896-132-0x0000000000000000-mapping.dmp

      Download

    • memory/4936-141-0x0000000000400000-0x000000000056C000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4936-139-0x0000000000671000-0x0000000000691000-memory.dmp

      Filesize

      128KB

      Download

    • memory/4936-138-0x0000000004C80000-0x0000000005224000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4936-135-0x0000000000000000-mapping.dmp

      Download

    • memory/4936-140-0x0000000000570000-0x000000000059D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/4936-143-0x0000000000400000-0x000000000056C000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4936-142-0x0000000000671000-0x0000000000691000-memory.dmp

      Filesize

      128KB

      Download