Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    180s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-03-2023 00:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c95dcc127582e2813d1cbb9ab6a0cc544bef4e21bef42b1db6977c14844efc85.exe

  • Size

    895KB

  • MD5

    92292ae32d5bc0f563806bebde590945

  • SHA1

    6cb0d54c0d1547ccfbf46ca928499a1907963f21

  • SHA256

    c95dcc127582e2813d1cbb9ab6a0cc544bef4e21bef42b1db6977c14844efc85

  • SHA512

    69c2120baddda6d3525096ade32937823a498c5a9ad9d8809f77cfd304fa4cf87f3053b2793c4a185263bbdb05d4224470cee6d3a830134df21ed0b2b18d06ab

  • SSDEEP

    24576:8ycoXlS0wPCedav90AAY74FmfJWlata8:rcoXlS0URda1774FwWla4

Score
10/10
redlinemangositodiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

mango

C2

193.233.20.28:4125

Attributes
  • auth_value

    ecf79d7f5227d998a3501c972d915d23

Extracted

Family

redline

Botnet

sito

C2

193.233.20.28:4125

Attributes
  • auth_value

    030f94d8e396dbe51ce339b815cdad17

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c95dcc127582e2813d1cbb9ab6a0cc544bef4e21bef42b1db6977c14844efc85.exe
    "C:\Users\Admin\AppData\Local\Temp\c95dcc127582e2813d1cbb9ab6a0cc544bef4e21bef42b1db6977c14844efc85.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8856.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8856.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:684
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice7775.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice7775.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1088
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5461ma.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5461ma.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1696
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c34JM32.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c34JM32.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3964
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1080
            5⤵
            • Program crash
            PID:4256
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\drjSh73.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\drjSh73.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2408
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1324
          4⤵
          • Program crash
          PID:332
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e86vT91.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e86vT91.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3880
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3964 -ip 3964
    1⤵
      PID:3972
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2408 -ip 2408
      1⤵
        PID:2112

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e86vT91.exe
        Filesize

        175KB

        MD5

        795f3fe5687db9b19853eaf6acdc389a

        SHA1

        cd1ba862909c58a01d3a8e44c29cb71bb6b50630

        SHA256

        448bad37914cb6f2102c2c8b10cd93770e529ab4fd13e616ee99e2e184cb0e56

        SHA512

        d9fdfef28242f378cda4698e6e89ae736dc60f5e1852aa414519bf0bdfce129e6c015306c43c7f10ab7648d158761ebaeb4dd54c1a04fa6d20a2f35cbf2b6130

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e86vT91.exe
        Filesize

        175KB

        MD5

        795f3fe5687db9b19853eaf6acdc389a

        SHA1

        cd1ba862909c58a01d3a8e44c29cb71bb6b50630

        SHA256

        448bad37914cb6f2102c2c8b10cd93770e529ab4fd13e616ee99e2e184cb0e56

        SHA512

        d9fdfef28242f378cda4698e6e89ae736dc60f5e1852aa414519bf0bdfce129e6c015306c43c7f10ab7648d158761ebaeb4dd54c1a04fa6d20a2f35cbf2b6130

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8856.exe
        Filesize

        750KB

        MD5

        1901769a47dcf2bf8bcd993395c5533a

        SHA1

        96e75919ab7edfb72c3c7a03074bb0a176574619

        SHA256

        9d4ac41c2b7e338fe462659d517ad39455ecdaa112b5caa9e83e1a1d4d56bca1

        SHA512

        9a907bd0ec2c795b73474ad4ba186f306931f3b0930c6f23053086b1722e585c54be0d059695ec1f85e6c2a7f4a6c72c8ece2871a84b1611f767b712f1c2e5ac

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8856.exe
        Filesize

        750KB

        MD5

        1901769a47dcf2bf8bcd993395c5533a

        SHA1

        96e75919ab7edfb72c3c7a03074bb0a176574619

        SHA256

        9d4ac41c2b7e338fe462659d517ad39455ecdaa112b5caa9e83e1a1d4d56bca1

        SHA512

        9a907bd0ec2c795b73474ad4ba186f306931f3b0930c6f23053086b1722e585c54be0d059695ec1f85e6c2a7f4a6c72c8ece2871a84b1611f767b712f1c2e5ac

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\drjSh73.exe
        Filesize

        446KB

        MD5

        27ca2e288f5c5cc4dde5e2ce72390a58

        SHA1

        8d74401b74b0dc572a5bc260a7f9e53f816a9cfc

        SHA256

        ca9e92aac415536aa81075dd0d76155a4631d736a51816f94b97f916eaf6c11e

        SHA512

        d59f533240f9bf3e5f2b501e9e3426d9b7b3d85f6594f9b77bda3fd1c4332e300ccaf424aeffe47eaf311e34e2500acbbb80648145e3d253ddc0ca9ba9610a2c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\drjSh73.exe
        Filesize

        446KB

        MD5

        27ca2e288f5c5cc4dde5e2ce72390a58

        SHA1

        8d74401b74b0dc572a5bc260a7f9e53f816a9cfc

        SHA256

        ca9e92aac415536aa81075dd0d76155a4631d736a51816f94b97f916eaf6c11e

        SHA512

        d59f533240f9bf3e5f2b501e9e3426d9b7b3d85f6594f9b77bda3fd1c4332e300ccaf424aeffe47eaf311e34e2500acbbb80648145e3d253ddc0ca9ba9610a2c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice7775.exe
        Filesize

        375KB

        MD5

        27c31b2961a5a2c8ea95f12219a8f78d

        SHA1

        4bc9ebaf2a2cedad046fa157ba06bdb6924a19e9

        SHA256

        a24cb0f18b9d08014720511f617fda4b52ec4ee656461ee8c4a729424ae73406

        SHA512

        851f3bf89d2cbf3834a93125ce9133e626c67a28263d8e325a4e6983abd5c8e54a0874db3dd1401ffada42445f74e2da6c3941097e037d25b0fc69ae5ca35591

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice7775.exe
        Filesize

        375KB

        MD5

        27c31b2961a5a2c8ea95f12219a8f78d

        SHA1

        4bc9ebaf2a2cedad046fa157ba06bdb6924a19e9

        SHA256

        a24cb0f18b9d08014720511f617fda4b52ec4ee656461ee8c4a729424ae73406

        SHA512

        851f3bf89d2cbf3834a93125ce9133e626c67a28263d8e325a4e6983abd5c8e54a0874db3dd1401ffada42445f74e2da6c3941097e037d25b0fc69ae5ca35591

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5461ma.exe
        Filesize

        11KB

        MD5

        7e93bacbbc33e6652e147e7fe07572a0

        SHA1

        421a7167da01c8da4dc4d5234ca3dd84e319e762

        SHA256

        850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

        SHA512

        250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5461ma.exe
        Filesize

        11KB

        MD5

        7e93bacbbc33e6652e147e7fe07572a0

        SHA1

        421a7167da01c8da4dc4d5234ca3dd84e319e762

        SHA256

        850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

        SHA512

        250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c34JM32.exe
        Filesize

        388KB

        MD5

        acd39e3709d007c04a46ae319b2d483e

        SHA1

        41b8653c72ff0dea2bbfdd3d506b00aeccff4334

        SHA256

        d53c52a95cb7064a06bd55d8cbe635b5505169445c80b480cd8efb996c05be72

        SHA512

        ded9ec6b7f57eaa47cca3ca98fc3ce8ec0e8dcd1ecf3f90f549d0eeb9117694e6746651c146b3f9e5ac984aad42e9a89fb4ad2ce75f14fad32f1c25a75aa7976

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c34JM32.exe
        Filesize

        388KB

        MD5

        acd39e3709d007c04a46ae319b2d483e

        SHA1

        41b8653c72ff0dea2bbfdd3d506b00aeccff4334

        SHA256

        d53c52a95cb7064a06bd55d8cbe635b5505169445c80b480cd8efb996c05be72

        SHA512

        ded9ec6b7f57eaa47cca3ca98fc3ce8ec0e8dcd1ecf3f90f549d0eeb9117694e6746651c146b3f9e5ac984aad42e9a89fb4ad2ce75f14fad32f1c25a75aa7976

        Download Submit

      • memory/1696-154-0x0000000000DC0000-0x0000000000DCA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2408-240-0x00000000070F0000-0x000000000712E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2408-1114-0x0000000007F20000-0x000000000802A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2408-1128-0x0000000009790000-0x00000000097E0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/2408-1127-0x0000000009700000-0x0000000009776000-memory.dmp

        Filesize

        472KB

        Download

      • memory/2408-1126-0x0000000007160000-0x0000000007170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2408-1125-0x0000000008F50000-0x000000000947C000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/2408-1124-0x0000000008D70000-0x0000000008F32000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2408-1123-0x0000000008410000-0x0000000008476000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2408-1122-0x0000000007160000-0x0000000007170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2408-1121-0x0000000007160000-0x0000000007170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2408-1120-0x0000000007160000-0x0000000007170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2408-1119-0x0000000008370000-0x0000000008402000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2408-1117-0x0000000008080000-0x00000000080BC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/2408-1116-0x0000000007160000-0x0000000007170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2408-1115-0x0000000008060000-0x0000000008072000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2408-1113-0x0000000007880000-0x0000000007E98000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/2408-238-0x00000000070F0000-0x000000000712E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2408-236-0x00000000070F0000-0x000000000712E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2408-234-0x00000000070F0000-0x000000000712E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2408-232-0x00000000070F0000-0x000000000712E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2408-230-0x00000000070F0000-0x000000000712E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2408-226-0x00000000070F0000-0x000000000712E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2408-228-0x00000000070F0000-0x000000000712E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2408-203-0x0000000002C10000-0x0000000002C5B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/2408-204-0x0000000007160000-0x0000000007170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2408-206-0x00000000070F0000-0x000000000712E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2408-207-0x0000000007160000-0x0000000007170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2408-208-0x00000000070F0000-0x000000000712E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2408-210-0x00000000070F0000-0x000000000712E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2408-205-0x0000000007160000-0x0000000007170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2408-212-0x00000000070F0000-0x000000000712E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2408-214-0x00000000070F0000-0x000000000712E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2408-216-0x00000000070F0000-0x000000000712E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2408-218-0x00000000070F0000-0x000000000712E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2408-220-0x00000000070F0000-0x000000000712E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2408-222-0x00000000070F0000-0x000000000712E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2408-224-0x00000000070F0000-0x000000000712E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3880-1135-0x0000000000A10000-0x0000000000A42000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3880-1136-0x00000000055F0000-0x0000000005600000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3964-186-0x0000000004C00000-0x0000000004C12000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3964-193-0x0000000000400000-0x0000000002B27000-memory.dmp

        Filesize

        39.2MB

        Download

      • memory/3964-182-0x0000000004C00000-0x0000000004C12000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3964-194-0x0000000007180000-0x0000000007190000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3964-180-0x0000000004C00000-0x0000000004C12000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3964-162-0x0000000007180000-0x0000000007190000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3964-192-0x0000000004C00000-0x0000000004C12000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3964-178-0x0000000004C00000-0x0000000004C12000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3964-190-0x0000000004C00000-0x0000000004C12000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3964-188-0x0000000004C00000-0x0000000004C12000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3964-164-0x0000000007180000-0x0000000007190000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3964-184-0x0000000004C00000-0x0000000004C12000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3964-195-0x0000000007180000-0x0000000007190000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3964-196-0x0000000007180000-0x0000000007190000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3964-165-0x0000000004C00000-0x0000000004C12000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3964-176-0x0000000004C00000-0x0000000004C12000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3964-174-0x0000000004C00000-0x0000000004C12000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3964-172-0x0000000004C00000-0x0000000004C12000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3964-170-0x0000000004C00000-0x0000000004C12000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3964-168-0x0000000004C00000-0x0000000004C12000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3964-166-0x0000000004C00000-0x0000000004C12000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3964-161-0x0000000002C00000-0x0000000002C2D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/3964-160-0x0000000007190000-0x0000000007734000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3964-198-0x0000000000400000-0x0000000002B27000-memory.dmp

        Filesize

        39.2MB

        Download

      • memory/3964-163-0x0000000007180000-0x0000000007190000-memory.dmp

        Filesize

        64KB

        Download