Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    128s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-02-2023 13:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1eedec8c0566aeeca66054494aaa06b1e7c99ce1ebfaf5e698d73a2421706d7e.exe

  • Size

    859KB

  • MD5

    004072e8f50474e0714f5eca5f9f5d68

  • SHA1

    b86bc97446ed5c88702507dd15bc15f1f249c551

  • SHA256

    1eedec8c0566aeeca66054494aaa06b1e7c99ce1ebfaf5e698d73a2421706d7e

  • SHA512

    2be970735772cbdc00d4a37022d2b2c81c2bab682cc30a9aaedb16306fd5028da18b94eb67e9df74b9e27839b33846630064479ac060482784a22d214639a07c

  • SSDEEP

    24576:2yNoYjpxJ6YCbeRDpW5HcUIHLeCvTTTGShxw1Y9TD:FNoYjpxPbDpW58ZeCvTd/w1

Score
10/10
redlinecr10ndubkadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

dubka

C2

193.233.20.13:4136

Attributes
  • auth_value

    e5a9421183a033f283b2f23139b471f0

Extracted

Family

redline

Botnet

cr10n

C2

176.113.115.17:4132

Attributes
  • auth_value

    6016c19179aa1044c369adb0ec1f363b

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1eedec8c0566aeeca66054494aaa06b1e7c99ce1ebfaf5e698d73a2421706d7e.exe
    "C:\Users\Admin\AppData\Local\Temp\1eedec8c0566aeeca66054494aaa06b1e7c99ce1ebfaf5e698d73a2421706d7e.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5000
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dmK4533.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dmK4533.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:5084
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dKQ2326.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dKQ2326.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1540
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mFl12qi.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mFl12qi.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2648
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 1080
            5⤵
            • Program crash
            PID:724
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nzI80Ww.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nzI80Ww.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1100
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oEO57rz.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oEO57rz.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3888
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 1332
          4⤵
          • Program crash
          PID:4188
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pyv99JO.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pyv99JO.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4228
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2648 -ip 2648
    1⤵
      PID:3336
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3888 -ip 3888
      1⤵
        PID:1692
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe start wuauserv
        1⤵
        • Launches sc.exe
        PID:3984

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dmK4533.exe
        Filesize

        714KB

        MD5

        b09eeedb72f3a80a57981fab401a7670

        SHA1

        32ac21593bd65cdaa91e4dd97d8dfd697114d7c3

        SHA256

        e2d3f37ef699f3cd069f44e1a072b030b1c344592d2a94a4f2a16790aa712de5

        SHA512

        3c7cd6970736e618afceb6796b65fcde456e4027f55120c2d69d262be765e763cf571cd8a9d1c7d6f4a9c0c0c77f435e1baa2e06501cc8980bf4feb6ec6d2e77

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dmK4533.exe
        Filesize

        714KB

        MD5

        b09eeedb72f3a80a57981fab401a7670

        SHA1

        32ac21593bd65cdaa91e4dd97d8dfd697114d7c3

        SHA256

        e2d3f37ef699f3cd069f44e1a072b030b1c344592d2a94a4f2a16790aa712de5

        SHA512

        3c7cd6970736e618afceb6796b65fcde456e4027f55120c2d69d262be765e763cf571cd8a9d1c7d6f4a9c0c0c77f435e1baa2e06501cc8980bf4feb6ec6d2e77

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pyv99JO.exe
        Filesize

        175KB

        MD5

        ce5ef6aac94fdb2af40da676f6cab58f

        SHA1

        c393f24b1550955a686ee39067f20813415af95f

        SHA256

        ce360295ca7fcc1a1c2b47a604305c67ab41358770edbd769a6a44aa635c2fd0

        SHA512

        2cc98869cba6a962129c57fb7e3ff0b64623c94903bfbf9a2648e191b633fbe73f8e7b9d8fea348e30cc88bc44d27454fd880c81a55a6b795170fa804e6cda65

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pyv99JO.exe
        Filesize

        175KB

        MD5

        ce5ef6aac94fdb2af40da676f6cab58f

        SHA1

        c393f24b1550955a686ee39067f20813415af95f

        SHA256

        ce360295ca7fcc1a1c2b47a604305c67ab41358770edbd769a6a44aa635c2fd0

        SHA512

        2cc98869cba6a962129c57fb7e3ff0b64623c94903bfbf9a2648e191b633fbe73f8e7b9d8fea348e30cc88bc44d27454fd880c81a55a6b795170fa804e6cda65

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dKQ2326.exe
        Filesize

        379KB

        MD5

        732b137967c4d97aec0a785bda0fb68d

        SHA1

        4245f1dd66721331d7973e192127ccae8bb0be57

        SHA256

        d837b41a25fca31ebee3b54dabda3f7d35001fdca1a9a9ce5bd43bb5d1c7e6cc

        SHA512

        825715a5f1ce0f5697b66ebf59836221c960f7327bf7366b8e87d510186dc022dc89d967f77474b4ffd17decd3700a035236fc8736d6f04e78107d9aebba1043

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dKQ2326.exe
        Filesize

        379KB

        MD5

        732b137967c4d97aec0a785bda0fb68d

        SHA1

        4245f1dd66721331d7973e192127ccae8bb0be57

        SHA256

        d837b41a25fca31ebee3b54dabda3f7d35001fdca1a9a9ce5bd43bb5d1c7e6cc

        SHA512

        825715a5f1ce0f5697b66ebf59836221c960f7327bf7366b8e87d510186dc022dc89d967f77474b4ffd17decd3700a035236fc8736d6f04e78107d9aebba1043

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oEO57rz.exe
        Filesize

        303KB

        MD5

        b1066b2760a3572e0b4f01dfdd3d5210

        SHA1

        275e5a3a693fbb902de1f990935a4aa60ccaa922

        SHA256

        966089b0d2a5c7e5da8310197c86d4dad426d8ef11e67227bdbeb2799b038a29

        SHA512

        57c3062653d055934b0948545812d2e91029cbe00d9f470e7fd74ececcd9cd74bc60a0c19a66f78e5a3266f314e66ae5103eed0a25432ceb6bebccea00f9686e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oEO57rz.exe
        Filesize

        303KB

        MD5

        b1066b2760a3572e0b4f01dfdd3d5210

        SHA1

        275e5a3a693fbb902de1f990935a4aa60ccaa922

        SHA256

        966089b0d2a5c7e5da8310197c86d4dad426d8ef11e67227bdbeb2799b038a29

        SHA512

        57c3062653d055934b0948545812d2e91029cbe00d9f470e7fd74ececcd9cd74bc60a0c19a66f78e5a3266f314e66ae5103eed0a25432ceb6bebccea00f9686e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mFl12qi.exe
        Filesize

        245KB

        MD5

        d23b6e7f93be0600ef70b88eba0b02e9

        SHA1

        7c173033fa51159637ce720cb649aee8cc1b5e1a

        SHA256

        31cde2aab228129ca55f961c3eeb3e774cf25888f4efd33565193fe483e36f12

        SHA512

        f66e8ef13b54109de28bbc92cdca91047283f12bb54a07ded4dd605bee956bde27ad36c45944ba7f2d890a063e15957c1b3c8d376658aec6404896c187c55f98

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mFl12qi.exe
        Filesize

        245KB

        MD5

        d23b6e7f93be0600ef70b88eba0b02e9

        SHA1

        7c173033fa51159637ce720cb649aee8cc1b5e1a

        SHA256

        31cde2aab228129ca55f961c3eeb3e774cf25888f4efd33565193fe483e36f12

        SHA512

        f66e8ef13b54109de28bbc92cdca91047283f12bb54a07ded4dd605bee956bde27ad36c45944ba7f2d890a063e15957c1b3c8d376658aec6404896c187c55f98

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nzI80Ww.exe
        Filesize

        175KB

        MD5

        dd0c9e110c68ce1fa5308979ef718f7b

        SHA1

        473deb8069f0841d47b74b7f414dacc6f96eca78

        SHA256

        dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3

        SHA512

        29bd76da816b13b31c938a3f8699d2f5942a24c9ef61fddcac490e0a30f82c1a4a76ca9a6866a8d2c8e57566f66b3aea31e7f70646d3ebef63c63a06f8fe2236

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nzI80Ww.exe
        Filesize

        175KB

        MD5

        dd0c9e110c68ce1fa5308979ef718f7b

        SHA1

        473deb8069f0841d47b74b7f414dacc6f96eca78

        SHA256

        dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3

        SHA512

        29bd76da816b13b31c938a3f8699d2f5942a24c9ef61fddcac490e0a30f82c1a4a76ca9a6866a8d2c8e57566f66b3aea31e7f70646d3ebef63c63a06f8fe2236

        Download Submit

      • memory/1100-159-0x0000000006C10000-0x0000000006C60000-memory.dmp

        Filesize

        320KB

        Download

      • memory/1100-160-0x0000000006F30000-0x00000000070F2000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/1100-158-0x0000000006B90000-0x0000000006C06000-memory.dmp

        Filesize

        472KB

        Download

      • memory/1100-148-0x0000000000000000-mapping.dmp

        Download

      • memory/1100-161-0x0000000007630000-0x0000000007B5C000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/1100-157-0x0000000006050000-0x00000000060B6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1100-151-0x0000000000A70000-0x0000000000AA2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/1100-152-0x0000000005990000-0x0000000005FA8000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/1100-153-0x0000000005510000-0x000000000561A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/1100-154-0x0000000005440000-0x0000000005452000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1100-155-0x00000000054A0000-0x00000000054DC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1100-156-0x0000000005FB0000-0x0000000006042000-memory.dmp

        Filesize

        584KB

        Download

      • memory/1540-135-0x0000000000000000-mapping.dmp

        Download

      • memory/2648-142-0x0000000000570000-0x000000000059D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/2648-147-0x0000000000400000-0x000000000056F000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/2648-146-0x0000000000611000-0x0000000000631000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2648-145-0x0000000000611000-0x0000000000631000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2648-144-0x0000000004BE0000-0x0000000005184000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2648-138-0x0000000000000000-mapping.dmp

        Download

      • memory/2648-143-0x0000000000400000-0x000000000056F000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/2648-141-0x0000000000611000-0x0000000000631000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3888-166-0x0000000000580000-0x00000000005CB000-memory.dmp

        Filesize

        300KB

        Download

      • memory/3888-165-0x0000000000811000-0x000000000083F000-memory.dmp

        Filesize

        184KB

        Download

      • memory/3888-167-0x0000000000400000-0x000000000057D000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3888-168-0x0000000000811000-0x000000000083F000-memory.dmp

        Filesize

        184KB

        Download

      • memory/3888-169-0x0000000000811000-0x000000000083F000-memory.dmp

        Filesize

        184KB

        Download

      • memory/3888-170-0x0000000000400000-0x000000000057D000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3888-162-0x0000000000000000-mapping.dmp

        Download

      • memory/4228-171-0x0000000000000000-mapping.dmp

        Download

      • memory/4228-174-0x0000000000C40000-0x0000000000C72000-memory.dmp

        Filesize

        200KB

        Download

      • memory/5084-132-0x0000000000000000-mapping.dmp

        Download