Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-03-2023 12:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1f650f68a9630be3e67b5f1ecb2f1e3f22c916a77a1401cd7340ae5c74e625e5.exe

  • Size

    812KB

  • MD5

    b4c7009f6ba3b0749611f5878c8a8372

  • SHA1

    f7c6fb4d787966f01cfd5a835011bcf3a498518d

  • SHA256

    1f650f68a9630be3e67b5f1ecb2f1e3f22c916a77a1401cd7340ae5c74e625e5

  • SHA512

    a0ae38bdae3bfa344c94636451a3d0bd6b3e96e1c6a5fd00298466e4b0aa272303db6d24dbbf413ff249cb5f88a0895796db951300cefe4dfb3e5d796429ca63

  • SSDEEP

    12288:VMrYy90Xtr+g7MgGaBOP97RtpbneBzVm5GLgnKNUcxHsEWezMeVuZsjEY0T3ebH2:1yGqgpW97TpiSPKNUyMElz78Zy/7i7

Score
10/10
redlinedezikmangodiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

mango

C2

193.233.20.28:4125

Attributes
  • auth_value

    ecf79d7f5227d998a3501c972d915d23

Extracted

Family

redline

Botnet

dezik

C2

193.56.146.220:4174

Attributes
  • auth_value

    d39f21dca8edc10800b036ab83f4d75e

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1f650f68a9630be3e67b5f1ecb2f1e3f22c916a77a1401cd7340ae5c74e625e5.exe
    "C:\Users\Admin\AppData\Local\Temp\1f650f68a9630be3e67b5f1ecb2f1e3f22c916a77a1401cd7340ae5c74e625e5.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4044
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice5081.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice5081.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1508
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nice3208.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nice3208.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4348
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0105PY.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0105PY.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4408
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c73ef26.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c73ef26.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4460
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1088
            5⤵
            • Program crash
            PID:4400
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dgFei13.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dgFei13.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5076
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1884
          4⤵
          • Program crash
          PID:1120
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e96zq10.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e96zq10.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3516
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4460 -ip 4460
    1⤵
      PID:2008
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5076 -ip 5076
      1⤵
        PID:4740

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e96zq10.exe
        Filesize

        175KB

        MD5

        92f2a148b8f701e50e2f838f73d4d7b7

        SHA1

        324d8546e35d4f4285cac15b21620299ba5cb023

        SHA256

        9ad66388140ef3b4a7c2918eb3c9083dd80396949f385dd6d17c28f97cf14f04

        SHA512

        3300c7606f872e75deaff924ee77fcd975e515a0dbca907ddd16b25910f250c6b8c46c6cabda3ac4780a8dce5fb9a70bd0c4c184f649cd5375fb6278b2a0ea6c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e96zq10.exe
        Filesize

        175KB

        MD5

        92f2a148b8f701e50e2f838f73d4d7b7

        SHA1

        324d8546e35d4f4285cac15b21620299ba5cb023

        SHA256

        9ad66388140ef3b4a7c2918eb3c9083dd80396949f385dd6d17c28f97cf14f04

        SHA512

        3300c7606f872e75deaff924ee77fcd975e515a0dbca907ddd16b25910f250c6b8c46c6cabda3ac4780a8dce5fb9a70bd0c4c184f649cd5375fb6278b2a0ea6c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice5081.exe
        Filesize

        667KB

        MD5

        18ff10bb7bb9e872c60d41500312efd8

        SHA1

        c3dc9299a7219f072f0a754b54c37bb2a26a9e9f

        SHA256

        eb6bc41707d3241727450e8dcc8503301147ce642967f183451e27cafb7ad4d3

        SHA512

        57d437ab05b4163984f4e840ed75508a4a8a73e981214fae0db90e3456f5e123674c7a90f90f23e0aa15f20b562bfac60bf8d09c54ae0f6094fe25e26f5b36f0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nice5081.exe
        Filesize

        667KB

        MD5

        18ff10bb7bb9e872c60d41500312efd8

        SHA1

        c3dc9299a7219f072f0a754b54c37bb2a26a9e9f

        SHA256

        eb6bc41707d3241727450e8dcc8503301147ce642967f183451e27cafb7ad4d3

        SHA512

        57d437ab05b4163984f4e840ed75508a4a8a73e981214fae0db90e3456f5e123674c7a90f90f23e0aa15f20b562bfac60bf8d09c54ae0f6094fe25e26f5b36f0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dgFei13.exe
        Filesize

        308KB

        MD5

        0738589e558063c99bb4f6c8ba3f0728

        SHA1

        4feb70bf06264e7cc59d4906449dd1d0bc494d55

        SHA256

        06edea7f4ed5045825b7ec37298db0e3e73fc13c58688ff817f8e2d97342ddaf

        SHA512

        b2403cb3859af3975b2176931c998c3a8ba4e6df7e1f5da8d3619ffc97422ff8489be53c632fde43ec31f0cb30945f0e24c460e4da1404bec54c49b13c8aac53

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dgFei13.exe
        Filesize

        308KB

        MD5

        0738589e558063c99bb4f6c8ba3f0728

        SHA1

        4feb70bf06264e7cc59d4906449dd1d0bc494d55

        SHA256

        06edea7f4ed5045825b7ec37298db0e3e73fc13c58688ff817f8e2d97342ddaf

        SHA512

        b2403cb3859af3975b2176931c998c3a8ba4e6df7e1f5da8d3619ffc97422ff8489be53c632fde43ec31f0cb30945f0e24c460e4da1404bec54c49b13c8aac53

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nice3208.exe
        Filesize

        334KB

        MD5

        4514fd43d11054b745d2b2ba26d8fad5

        SHA1

        e7574b33eeb14beeae31a7df01780ef2740d3956

        SHA256

        a7d296c231763bdceafe1f001f432f5d2b5d2a13418f27eeb71750662bf8d374

        SHA512

        288492d257772e8d63ed40a84cab0045578bae0e3ec4ea196c6b495926ef63b354e81957ed61009f1e9be48db645a7e76d4ab298028d3c99c98ba0e8014ede1c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nice3208.exe
        Filesize

        334KB

        MD5

        4514fd43d11054b745d2b2ba26d8fad5

        SHA1

        e7574b33eeb14beeae31a7df01780ef2740d3956

        SHA256

        a7d296c231763bdceafe1f001f432f5d2b5d2a13418f27eeb71750662bf8d374

        SHA512

        288492d257772e8d63ed40a84cab0045578bae0e3ec4ea196c6b495926ef63b354e81957ed61009f1e9be48db645a7e76d4ab298028d3c99c98ba0e8014ede1c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0105PY.exe
        Filesize

        11KB

        MD5

        7e93bacbbc33e6652e147e7fe07572a0

        SHA1

        421a7167da01c8da4dc4d5234ca3dd84e319e762

        SHA256

        850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

        SHA512

        250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0105PY.exe
        Filesize

        11KB

        MD5

        7e93bacbbc33e6652e147e7fe07572a0

        SHA1

        421a7167da01c8da4dc4d5234ca3dd84e319e762

        SHA256

        850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

        SHA512

        250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c73ef26.exe
        Filesize

        251KB

        MD5

        10c1300db1f5414b855bd0e8a27d3698

        SHA1

        6b1b47e589f6aa7be627567b5595ac414f30b495

        SHA256

        293333085ae37904a599690d6195302bc26d0cb51548509492cd3d7f43e5f14c

        SHA512

        948bf9f91ea8b696f1bdfff2f434cd9bb568c2212ce94dce4665d93f12aca8a88c90835489f1b123a160ae91c6762af206afde7f3ce3e8d321bbd3bcbef19996

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c73ef26.exe
        Filesize

        251KB

        MD5

        10c1300db1f5414b855bd0e8a27d3698

        SHA1

        6b1b47e589f6aa7be627567b5595ac414f30b495

        SHA256

        293333085ae37904a599690d6195302bc26d0cb51548509492cd3d7f43e5f14c

        SHA512

        948bf9f91ea8b696f1bdfff2f434cd9bb568c2212ce94dce4665d93f12aca8a88c90835489f1b123a160ae91c6762af206afde7f3ce3e8d321bbd3bcbef19996

        Download Submit

      • memory/3516-1133-0x0000000000D10000-0x0000000000D42000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3516-1134-0x0000000005950000-0x0000000005960000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4408-154-0x0000000000FB0000-0x0000000000FBA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4460-166-0x0000000004BF0000-0x0000000004C00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4460-180-0x00000000025B0000-0x00000000025C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4460-168-0x0000000004BF0000-0x0000000004C00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4460-162-0x00000000025B0000-0x00000000025C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4460-170-0x0000000004BF0000-0x0000000004C00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4460-169-0x00000000025B0000-0x00000000025C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4460-165-0x00000000025B0000-0x00000000025C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4460-172-0x00000000025B0000-0x00000000025C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4460-174-0x00000000025B0000-0x00000000025C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4460-176-0x00000000025B0000-0x00000000025C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4460-178-0x00000000025B0000-0x00000000025C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4460-163-0x00000000025B0000-0x00000000025C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4460-182-0x00000000025B0000-0x00000000025C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4460-184-0x00000000025B0000-0x00000000025C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4460-186-0x00000000025B0000-0x00000000025C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4460-188-0x00000000025B0000-0x00000000025C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4460-190-0x00000000025B0000-0x00000000025C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4460-192-0x00000000025B0000-0x00000000025C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4460-193-0x0000000000400000-0x00000000004BF000-memory.dmp

        Filesize

        764KB

        Download

      • memory/4460-194-0x0000000004BF0000-0x0000000004C00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4460-195-0x0000000004BF0000-0x0000000004C00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4460-197-0x0000000000400000-0x00000000004BF000-memory.dmp

        Filesize

        764KB

        Download

      • memory/4460-161-0x0000000004C00000-0x00000000051A4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4460-160-0x0000000000640000-0x000000000066D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/5076-203-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5076-205-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5076-206-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/5076-207-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/5076-209-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/5076-211-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/5076-213-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/5076-215-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/5076-217-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/5076-219-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/5076-221-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/5076-223-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/5076-225-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/5076-227-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/5076-229-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/5076-233-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/5076-231-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/5076-235-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/5076-237-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/5076-239-0x0000000004A70000-0x0000000004AAE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/5076-1112-0x0000000005260000-0x0000000005878000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/5076-1113-0x00000000058B0000-0x00000000059BA000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/5076-1114-0x00000000059F0000-0x0000000005A02000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5076-1115-0x0000000005A10000-0x0000000005A4C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/5076-1116-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5076-1117-0x0000000005D00000-0x0000000005D66000-memory.dmp

        Filesize

        408KB

        Download

      • memory/5076-1118-0x00000000063D0000-0x0000000006462000-memory.dmp

        Filesize

        584KB

        Download

      • memory/5076-1120-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5076-1122-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5076-1121-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5076-1123-0x00000000065C0000-0x0000000006782000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/5076-1124-0x00000000067B0000-0x0000000006CDC000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/5076-1125-0x0000000007140000-0x00000000071B6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/5076-204-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5076-202-0x00000000005A0000-0x00000000005EB000-memory.dmp

        Filesize

        300KB

        Download

      • memory/5076-1126-0x00000000071E0000-0x0000000007230000-memory.dmp

        Filesize

        320KB

        Download

      • memory/5076-1127-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

        Filesize

        64KB

        Download