Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/03/2023, 08:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b27b62a66ebac584c39c3364b8335a03148ef0e05afa76b62562f7820fc9af89.exe

  • Size

    569KB

  • MD5

    0d8da5a7fab3bcf3e887e53e9b01ffb2

  • SHA1

    5e6e9548a487eb0700c188149455b2ee70bffac0

  • SHA256

    b27b62a66ebac584c39c3364b8335a03148ef0e05afa76b62562f7820fc9af89

  • SHA512

    1b99f30646b82345a14b15a6335e1307f18ae52409c0f3b6ea6a9ab2b3a2057d0693c58eaa94c94270c15e519cadac18c25943bff48734ce36544ae00ca5fca9

  • SSDEEP

    12288:LMrfy90dahimz7AuxqVgVQWL1ZOQ3F3712yGgwB:wyUsVAuxYgq6ZOQ3F37Yp

Score
10/10
redlinefuddiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

fud

C2

193.233.20.27:4123

Attributes
  • auth_value

    cddc991efd6918ad5321d80dac884b40

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 19 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b27b62a66ebac584c39c3364b8335a03148ef0e05afa76b62562f7820fc9af89.exe
    "C:\Users\Admin\AppData\Local\Temp\b27b62a66ebac584c39c3364b8335a03148ef0e05afa76b62562f7820fc9af89.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r0736zC.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r0736zC.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:936
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 1084
        3⤵
        • Program crash
        PID:4904
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w99vf62.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w99vf62.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4528
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 1376
        3⤵
        • Program crash
        PID:4584
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 936 -ip 936
    1⤵
      PID:756
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4528 -ip 4528
      1⤵
        PID:3844

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r0736zC.exe
        Filesize

        322KB

        MD5

        8141937b23cd1895e561d8e90fdeeff3

        SHA1

        6f810e9e480564f5837461f8ccdd07c951a1bece

        SHA256

        ddda10348c77cf0a1539c3a42ce4f71e2c1895ab9b77348256e0a1f01c0936b6

        SHA512

        40957cd33c4be1dab98ac0c40424c868aa3be6f6265fa28df050e5a4844ac6324acb93770bc6cb7cafedabc93fab9b9179a6e6525f6b3dd6fa9e31b4d5da5bec

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r0736zC.exe
        Filesize

        322KB

        MD5

        8141937b23cd1895e561d8e90fdeeff3

        SHA1

        6f810e9e480564f5837461f8ccdd07c951a1bece

        SHA256

        ddda10348c77cf0a1539c3a42ce4f71e2c1895ab9b77348256e0a1f01c0936b6

        SHA512

        40957cd33c4be1dab98ac0c40424c868aa3be6f6265fa28df050e5a4844ac6324acb93770bc6cb7cafedabc93fab9b9179a6e6525f6b3dd6fa9e31b4d5da5bec

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w99vf62.exe
        Filesize

        301KB

        MD5

        bd7d0997d92b4372ed4df555af7feb35

        SHA1

        98c793437da6a7593604a89fca61e9369192f417

        SHA256

        5fb3491831556672c848f6eea070fa753aabb321f3eeb9cfef28e508bcf84bcd

        SHA512

        cf2a7fa34d3aeda08d39d391a31d1c5c8bd332a5e73ee8374c72be07aa379c81e24449a6572fdb7f1fa5d17de4df556fa1ccd0a4c1163083bd7500e34fcb1b8c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w99vf62.exe
        Filesize

        301KB

        MD5

        bd7d0997d92b4372ed4df555af7feb35

        SHA1

        98c793437da6a7593604a89fca61e9369192f417

        SHA256

        5fb3491831556672c848f6eea070fa753aabb321f3eeb9cfef28e508bcf84bcd

        SHA512

        cf2a7fa34d3aeda08d39d391a31d1c5c8bd332a5e73ee8374c72be07aa379c81e24449a6572fdb7f1fa5d17de4df556fa1ccd0a4c1163083bd7500e34fcb1b8c

        Download Submit

      • memory/936-141-0x00000000005B0000-0x00000000005DD000-memory.dmp

        Filesize

        180KB

        Download

      • memory/936-143-0x0000000004C20000-0x0000000004C30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/936-142-0x0000000004C20000-0x0000000004C30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/936-144-0x0000000004C30000-0x00000000051D4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/936-145-0x0000000002530000-0x0000000002542000-memory.dmp

        Filesize

        72KB

        Download

      • memory/936-146-0x0000000002530000-0x0000000002542000-memory.dmp

        Filesize

        72KB

        Download

      • memory/936-148-0x0000000002530000-0x0000000002542000-memory.dmp

        Filesize

        72KB

        Download

      • memory/936-150-0x0000000002530000-0x0000000002542000-memory.dmp

        Filesize

        72KB

        Download

      • memory/936-152-0x0000000002530000-0x0000000002542000-memory.dmp

        Filesize

        72KB

        Download

      • memory/936-154-0x0000000002530000-0x0000000002542000-memory.dmp

        Filesize

        72KB

        Download

      • memory/936-156-0x0000000002530000-0x0000000002542000-memory.dmp

        Filesize

        72KB

        Download

      • memory/936-158-0x0000000002530000-0x0000000002542000-memory.dmp

        Filesize

        72KB

        Download

      • memory/936-160-0x0000000002530000-0x0000000002542000-memory.dmp

        Filesize

        72KB

        Download

      • memory/936-162-0x0000000002530000-0x0000000002542000-memory.dmp

        Filesize

        72KB

        Download

      • memory/936-164-0x0000000002530000-0x0000000002542000-memory.dmp

        Filesize

        72KB

        Download

      • memory/936-166-0x0000000002530000-0x0000000002542000-memory.dmp

        Filesize

        72KB

        Download

      • memory/936-168-0x0000000002530000-0x0000000002542000-memory.dmp

        Filesize

        72KB

        Download

      • memory/936-170-0x0000000002530000-0x0000000002542000-memory.dmp

        Filesize

        72KB

        Download

      • memory/936-172-0x0000000002530000-0x0000000002542000-memory.dmp

        Filesize

        72KB

        Download

      • memory/936-173-0x0000000000400000-0x00000000004D4000-memory.dmp

        Filesize

        848KB

        Download

      • memory/936-175-0x0000000000400000-0x00000000004D4000-memory.dmp

        Filesize

        848KB

        Download

      • memory/4528-181-0x0000000004A10000-0x0000000004A4E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4528-180-0x0000000004A10000-0x0000000004A4E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4528-183-0x0000000004A10000-0x0000000004A4E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4528-186-0x0000000001E10000-0x0000000001E5B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/4528-188-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4528-190-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4528-189-0x0000000004A10000-0x0000000004A4E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4528-185-0x0000000004A10000-0x0000000004A4E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4528-192-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4528-193-0x0000000004A10000-0x0000000004A4E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4528-195-0x0000000004A10000-0x0000000004A4E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4528-197-0x0000000004A10000-0x0000000004A4E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4528-199-0x0000000004A10000-0x0000000004A4E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4528-201-0x0000000004A10000-0x0000000004A4E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4528-203-0x0000000004A10000-0x0000000004A4E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4528-205-0x0000000004A10000-0x0000000004A4E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4528-207-0x0000000004A10000-0x0000000004A4E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4528-209-0x0000000004A10000-0x0000000004A4E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4528-211-0x0000000004A10000-0x0000000004A4E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4528-213-0x0000000004A10000-0x0000000004A4E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4528-215-0x0000000004A10000-0x0000000004A4E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4528-217-0x0000000004A10000-0x0000000004A4E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4528-1090-0x00000000051D0000-0x00000000057E8000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/4528-1091-0x0000000005850000-0x000000000595A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/4528-1092-0x0000000005990000-0x00000000059A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4528-1093-0x00000000059B0000-0x00000000059EC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/4528-1094-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4528-1095-0x0000000005CA0000-0x0000000005D32000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4528-1096-0x0000000005D40000-0x0000000005DA6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4528-1098-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4528-1099-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4528-1100-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4528-1101-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4528-1102-0x0000000008C30000-0x0000000008DF2000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/4528-1103-0x0000000008E10000-0x000000000933C000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/4528-1104-0x0000000002480000-0x00000000024F6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/4528-1105-0x0000000007710000-0x0000000007760000-memory.dmp

        Filesize

        320KB

        Download