Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    117s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/03/2023, 23:24

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    a7f52eedcc6151651cc7abeedf4c65148f9965046cf5dcc26f3d79b850685ab9.exe

  • Size

    908KB

  • MD5

    aeb426f4d51b50fdc53018c226d718fc

  • SHA1

    cd53ecac0e27001286f1dcef6fe0ea8271541320

  • SHA256

    a7f52eedcc6151651cc7abeedf4c65148f9965046cf5dcc26f3d79b850685ab9

  • SHA512

    a4c12a5f957a6ab12cfad3ffdbf41fa9afdf4dd99825023047d7bf86d5d298276940a793cb28c652af204c0c17b9ac56629bb0922bf96752d49e4513ed8f2935

  • SSDEEP

    12288:aMrNy90YSODPUByVELNwxdB5usH2nKn1pulKcXT2jf92jv4/9Qf3x/x14OD:Xy/SGMB9e7ubno9Wij0vwQfZx9D

Score
10/10
redlinedownpolodiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

down

C2

193.233.20.31:4125

Attributes
  • auth_value

    12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

polo

C2

193.233.20.31:4125

Attributes
  • auth_value

    f1a1b1041a864e0f1f788d42ececa8b3

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a7f52eedcc6151651cc7abeedf4c65148f9965046cf5dcc26f3d79b850685ab9.exe
    "C:\Users\Admin\AppData\Local\Temp\a7f52eedcc6151651cc7abeedf4c65148f9965046cf5dcc26f3d79b850685ab9.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5036
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6464.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6464.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3912
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio0799.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio0799.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4904
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro6278.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro6278.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3828
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu2076.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu2076.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1012
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 1080
            5⤵
            • Program crash
            PID:1336
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\raf92s48.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\raf92s48.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1308
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 1340
          4⤵
          • Program crash
          PID:1008
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si508515.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si508515.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4832
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1012 -ip 1012
    1⤵
      PID:3788
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1308 -ip 1308
      1⤵
        PID:2152

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si508515.exe
              Filesize

              175KB

              MD5

              44a26d7004f8b65e1a8bac0ccac86d6a

              SHA1

              30b583c2c04c1167703ae255b4d44b96b411c8ff

              SHA256

              37384f1bfb6d2193e4ece0ed1f6989f9ebd238e7b4582e1aedfa136cdfd07eb9

              SHA512

              17788355a5190ca17ead744cad71ebb7cfc7ceb84625310d31a469af0fbd50b2c304ce969530e99effeb0d23b0530b57a001f02fe918abc40ea68ad336fa187b

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si508515.exe
              Filesize

              175KB

              MD5

              44a26d7004f8b65e1a8bac0ccac86d6a

              SHA1

              30b583c2c04c1167703ae255b4d44b96b411c8ff

              SHA256

              37384f1bfb6d2193e4ece0ed1f6989f9ebd238e7b4582e1aedfa136cdfd07eb9

              SHA512

              17788355a5190ca17ead744cad71ebb7cfc7ceb84625310d31a469af0fbd50b2c304ce969530e99effeb0d23b0530b57a001f02fe918abc40ea68ad336fa187b

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6464.exe
              Filesize

              766KB

              MD5

              6ac61d4434ebcdfbceab075e38dc223f

              SHA1

              94dbd11cf8fa97ee42e656d4d091fe7136dd6120

              SHA256

              ff2c4709c6c4f47ceb6574c924b32eb45ada8b9891c63d6250f67aa87d6d6dd6

              SHA512

              446a683bce2ec4979e66be1501f9648b6752e47e52e9cf0cce4674e0fdbf2fede6961ddab6c63abbb7d728905028c97b2f153ef70cb52b1b0fd4d5359e011a87

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio6464.exe
              Filesize

              766KB

              MD5

              6ac61d4434ebcdfbceab075e38dc223f

              SHA1

              94dbd11cf8fa97ee42e656d4d091fe7136dd6120

              SHA256

              ff2c4709c6c4f47ceb6574c924b32eb45ada8b9891c63d6250f67aa87d6d6dd6

              SHA512

              446a683bce2ec4979e66be1501f9648b6752e47e52e9cf0cce4674e0fdbf2fede6961ddab6c63abbb7d728905028c97b2f153ef70cb52b1b0fd4d5359e011a87

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\raf92s48.exe
              Filesize

              457KB

              MD5

              9b2d3ecaa914a030f7ee6b551001a321

              SHA1

              1b4b7458967a23e4ece3d4430c68f5c6c39c06d4

              SHA256

              f5a921939e8f513c2a9807e6eb4761dd47a7570e36c984e21a5d183440a187b8

              SHA512

              97102f289771eb51d791cf9968ec712d08bd3fc151b6fe7c5da0c992ee1810605d29b36a1f65d17d38aaad126b3f99795b2498ba2a50116fee8c24a34e778d29

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\raf92s48.exe
              Filesize

              457KB

              MD5

              9b2d3ecaa914a030f7ee6b551001a321

              SHA1

              1b4b7458967a23e4ece3d4430c68f5c6c39c06d4

              SHA256

              f5a921939e8f513c2a9807e6eb4761dd47a7570e36c984e21a5d183440a187b8

              SHA512

              97102f289771eb51d791cf9968ec712d08bd3fc151b6fe7c5da0c992ee1810605d29b36a1f65d17d38aaad126b3f99795b2498ba2a50116fee8c24a34e778d29

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio0799.exe
              Filesize

              380KB

              MD5

              4edd1a85ecfbffe44da50ba37518f8ba

              SHA1

              e0a204dd218139babbf72213cbb5992604d2a0d7

              SHA256

              eccb1774239952dae00055de29544a1642df96169ce2e076c420022ae82814d0

              SHA512

              26f4fe86ebceeceb4a1ade811d877d7e398870dfb0895426c1aac25fe8e48da630c7d8f35d9ec80d80be65e9de46cb4a9fc1b6c326ae208b11c78edfae0a968a

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\unio0799.exe
              Filesize

              380KB

              MD5

              4edd1a85ecfbffe44da50ba37518f8ba

              SHA1

              e0a204dd218139babbf72213cbb5992604d2a0d7

              SHA256

              eccb1774239952dae00055de29544a1642df96169ce2e076c420022ae82814d0

              SHA512

              26f4fe86ebceeceb4a1ade811d877d7e398870dfb0895426c1aac25fe8e48da630c7d8f35d9ec80d80be65e9de46cb4a9fc1b6c326ae208b11c78edfae0a968a

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro6278.exe
              Filesize

              11KB

              MD5

              7e93bacbbc33e6652e147e7fe07572a0

              SHA1

              421a7167da01c8da4dc4d5234ca3dd84e319e762

              SHA256

              850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

              SHA512

              250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pro6278.exe
              Filesize

              11KB

              MD5

              7e93bacbbc33e6652e147e7fe07572a0

              SHA1

              421a7167da01c8da4dc4d5234ca3dd84e319e762

              SHA256

              850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

              SHA512

              250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu2076.exe
              Filesize

              399KB

              MD5

              8cde0557f35730786d6da4aa7ce12c70

              SHA1

              c4e0f45bd23c69497a97ec8a76fddf2f179e6986

              SHA256

              574f95350876cc5dda22c14683ce9937ea95802602640af52c0883d4c34ddfce

              SHA512

              9f11814beba2848ea0e47e73845b5782999ba2135ec9ebbf74f5c8121482fe8c2890d5d43c622d05612b1e1beeeef18b9c7fbc4b4ce24238cb4488e248bfdcca

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu2076.exe
              Filesize

              399KB

              MD5

              8cde0557f35730786d6da4aa7ce12c70

              SHA1

              c4e0f45bd23c69497a97ec8a76fddf2f179e6986

              SHA256

              574f95350876cc5dda22c14683ce9937ea95802602640af52c0883d4c34ddfce

              SHA512

              9f11814beba2848ea0e47e73845b5782999ba2135ec9ebbf74f5c8121482fe8c2890d5d43c622d05612b1e1beeeef18b9c7fbc4b4ce24238cb4488e248bfdcca

              Download Submit

            • memory/1012-168-0x00000000029A0000-0x00000000029B2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/1012-182-0x00000000029A0000-0x00000000029B2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/1012-164-0x0000000002950000-0x0000000002960000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1012-163-0x0000000002950000-0x0000000002960000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1012-165-0x00000000029A0000-0x00000000029B2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/1012-166-0x00000000029A0000-0x00000000029B2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/1012-161-0x00000000008A0000-0x00000000008CD000-memory.dmp

              Filesize

              180KB

              Download

            • memory/1012-170-0x00000000029A0000-0x00000000029B2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/1012-172-0x00000000029A0000-0x00000000029B2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/1012-174-0x00000000029A0000-0x00000000029B2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/1012-176-0x00000000029A0000-0x00000000029B2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/1012-178-0x00000000029A0000-0x00000000029B2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/1012-180-0x00000000029A0000-0x00000000029B2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/1012-162-0x0000000002950000-0x0000000002960000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1012-184-0x00000000029A0000-0x00000000029B2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/1012-186-0x00000000029A0000-0x00000000029B2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/1012-188-0x00000000029A0000-0x00000000029B2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/1012-190-0x00000000029A0000-0x00000000029B2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/1012-192-0x00000000029A0000-0x00000000029B2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/1012-193-0x0000000000400000-0x0000000000726000-memory.dmp

              Filesize

              3.1MB

              Download

            • memory/1012-194-0x0000000002950000-0x0000000002960000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1012-195-0x0000000002950000-0x0000000002960000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1012-196-0x0000000002950000-0x0000000002960000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1012-198-0x0000000000400000-0x0000000000726000-memory.dmp

              Filesize

              3.1MB

              Download

            • memory/1012-160-0x0000000004E20000-0x00000000053C4000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/1308-205-0x00000000050B0000-0x00000000050C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1308-1113-0x0000000005670000-0x0000000005C88000-memory.dmp

              Filesize

              6.1MB

              Download

            • memory/1308-206-0x0000000002770000-0x00000000027AE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1308-209-0x0000000002770000-0x00000000027AE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1308-211-0x0000000002770000-0x00000000027AE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1308-207-0x0000000002770000-0x00000000027AE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1308-213-0x0000000002770000-0x00000000027AE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1308-215-0x0000000002770000-0x00000000027AE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1308-217-0x0000000002770000-0x00000000027AE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1308-219-0x0000000002770000-0x00000000027AE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1308-221-0x0000000002770000-0x00000000027AE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1308-223-0x0000000002770000-0x00000000027AE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1308-225-0x0000000002770000-0x00000000027AE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1308-227-0x0000000002770000-0x00000000027AE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1308-229-0x0000000002770000-0x00000000027AE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1308-231-0x0000000002770000-0x00000000027AE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1308-233-0x0000000002770000-0x00000000027AE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1308-235-0x0000000002770000-0x00000000027AE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1308-237-0x0000000002770000-0x00000000027AE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1308-239-0x0000000002770000-0x00000000027AE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/1308-553-0x00000000050B0000-0x00000000050C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1308-204-0x00000000050B0000-0x00000000050C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1308-1114-0x0000000005C90000-0x0000000005D9A000-memory.dmp

              Filesize

              1.0MB

              Download

            • memory/1308-1115-0x0000000002A20000-0x0000000002A32000-memory.dmp

              Filesize

              72KB

              Download

            • memory/1308-1116-0x0000000004FC0000-0x0000000004FFC000-memory.dmp

              Filesize

              240KB

              Download

            • memory/1308-1117-0x00000000050B0000-0x00000000050C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1308-1118-0x0000000005F70000-0x0000000006002000-memory.dmp

              Filesize

              584KB

              Download

            • memory/1308-1119-0x0000000006010000-0x0000000006076000-memory.dmp

              Filesize

              408KB

              Download

            • memory/1308-1121-0x00000000050B0000-0x00000000050C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1308-1122-0x00000000050B0000-0x00000000050C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1308-1123-0x00000000050B0000-0x00000000050C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1308-1124-0x0000000006810000-0x0000000006886000-memory.dmp

              Filesize

              472KB

              Download

            • memory/1308-1125-0x00000000068B0000-0x0000000006900000-memory.dmp

              Filesize

              320KB

              Download

            • memory/1308-1126-0x00000000050B0000-0x00000000050C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1308-1127-0x0000000007BD0000-0x0000000007D92000-memory.dmp

              Filesize

              1.8MB

              Download

            • memory/1308-203-0x00000000008A0000-0x00000000008EB000-memory.dmp

              Filesize

              300KB

              Download

            • memory/1308-1128-0x0000000007DA0000-0x00000000082CC000-memory.dmp

              Filesize

              5.2MB

              Download

            • memory/3828-154-0x00000000006F0000-0x00000000006FA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/4832-1134-0x0000000000DB0000-0x0000000000DE2000-memory.dmp

              Filesize

              200KB

              Download

            • memory/4832-1135-0x0000000005970000-0x0000000005980000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4832-1136-0x0000000005970000-0x0000000005980000-memory.dmp

              Filesize

              64KB

              Download