Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2023, 11:38

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    b0b8c16b31ce764fa95ea15d6c93c9199360ab16e1aae740353a095036dfe9b3.exe

  • Size

    536KB

  • MD5

    710d92e7ba8a761457ac239d3dc8081f

  • SHA1

    472481658c139881cfc47f3c1bfd6b69c239b8f2

  • SHA256

    b0b8c16b31ce764fa95ea15d6c93c9199360ab16e1aae740353a095036dfe9b3

  • SHA512

    207a2251b79543511c664283113c876bdb89c094eaec138f68c8b90975f8818d4b60f3308bd50548d6ab05e3969ad27d39646b97552cacd189a949c975755ff6

  • SSDEEP

    6144:Kiy+bnr+Ap0yN90QEOdI+Ix/V1FI2eGtnq4ZBDkCT4QqyT/O7O4lvRg5dz2bU7pi:uMrAy90YI9PI2eSZBDkCTHrOROz9n4

Score
10/10
redlinedownpolodiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

down

C2

193.233.20.31:4125

Attributes
  • auth_value

    12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

polo

C2

193.233.20.31:4125

Attributes
  • auth_value

    f1a1b1041a864e0f1f788d42ececa8b3

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b0b8c16b31ce764fa95ea15d6c93c9199360ab16e1aae740353a095036dfe9b3.exe
    "C:\Users\Admin\AppData\Local\Temp\b0b8c16b31ce764fa95ea15d6c93c9199360ab16e1aae740353a095036dfe9b3.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4852
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7279.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7279.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4876
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0522.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0522.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1232
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0612.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0612.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4528
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 1576
          4⤵
          • Program crash
          PID:1808
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si594932.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si594932.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1752
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4528 -ip 4528
    1⤵
      PID:4396
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start wuauserv
      1⤵
      • Launches sc.exe
      PID:4216

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si594932.exe
            Filesize

            175KB

            MD5

            44a26d7004f8b65e1a8bac0ccac86d6a

            SHA1

            30b583c2c04c1167703ae255b4d44b96b411c8ff

            SHA256

            37384f1bfb6d2193e4ece0ed1f6989f9ebd238e7b4582e1aedfa136cdfd07eb9

            SHA512

            17788355a5190ca17ead744cad71ebb7cfc7ceb84625310d31a469af0fbd50b2c304ce969530e99effeb0d23b0530b57a001f02fe918abc40ea68ad336fa187b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si594932.exe
            Filesize

            175KB

            MD5

            44a26d7004f8b65e1a8bac0ccac86d6a

            SHA1

            30b583c2c04c1167703ae255b4d44b96b411c8ff

            SHA256

            37384f1bfb6d2193e4ece0ed1f6989f9ebd238e7b4582e1aedfa136cdfd07eb9

            SHA512

            17788355a5190ca17ead744cad71ebb7cfc7ceb84625310d31a469af0fbd50b2c304ce969530e99effeb0d23b0530b57a001f02fe918abc40ea68ad336fa187b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7279.exe
            Filesize

            395KB

            MD5

            3bcb168b8defb7f71a84baf9e07cc49f

            SHA1

            8b0b52a1221a4a9b1be1e0257331b6059c3ea825

            SHA256

            abc411822746e800c31ec3f0ed95de00a6cf8a26555c3f292ef977d7c5f9e61a

            SHA512

            6b8d578ce7fe07769ce81d7e0d28b1faf00bf4a0c6b8f723e3d5c64dda13da211ab42755de8d48c28c8e74265cf608de3b6778265d957fff7aa1383866f9291a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio7279.exe
            Filesize

            395KB

            MD5

            3bcb168b8defb7f71a84baf9e07cc49f

            SHA1

            8b0b52a1221a4a9b1be1e0257331b6059c3ea825

            SHA256

            abc411822746e800c31ec3f0ed95de00a6cf8a26555c3f292ef977d7c5f9e61a

            SHA512

            6b8d578ce7fe07769ce81d7e0d28b1faf00bf4a0c6b8f723e3d5c64dda13da211ab42755de8d48c28c8e74265cf608de3b6778265d957fff7aa1383866f9291a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0522.exe
            Filesize

            11KB

            MD5

            7e93bacbbc33e6652e147e7fe07572a0

            SHA1

            421a7167da01c8da4dc4d5234ca3dd84e319e762

            SHA256

            850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

            SHA512

            250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0522.exe
            Filesize

            11KB

            MD5

            7e93bacbbc33e6652e147e7fe07572a0

            SHA1

            421a7167da01c8da4dc4d5234ca3dd84e319e762

            SHA256

            850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

            SHA512

            250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0612.exe
            Filesize

            470KB

            MD5

            ff8e4113e70879393f62915a01f02e5c

            SHA1

            a725de86a9098b0ad918beb5a1d884a421d53cd5

            SHA256

            d9cc73da27b63a1c18c937ff39db5e0812b41d6026d98eaeabe6bbb239b2aedd

            SHA512

            7a80e3462d948e6d4c2ebd2ef9d856fca6ab8f50c3e2effc620b42260d453a79fee3e60e399da2c027add740cb6bee88c6840cb19cca77f095902cd72f99fa6c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0612.exe
            Filesize

            470KB

            MD5

            ff8e4113e70879393f62915a01f02e5c

            SHA1

            a725de86a9098b0ad918beb5a1d884a421d53cd5

            SHA256

            d9cc73da27b63a1c18c937ff39db5e0812b41d6026d98eaeabe6bbb239b2aedd

            SHA512

            7a80e3462d948e6d4c2ebd2ef9d856fca6ab8f50c3e2effc620b42260d453a79fee3e60e399da2c027add740cb6bee88c6840cb19cca77f095902cd72f99fa6c

            Download Submit

          • memory/1232-147-0x00000000003A0000-0x00000000003AA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1752-1085-0x0000000000FD0000-0x0000000001002000-memory.dmp

            Filesize

            200KB

            Download

          • memory/1752-1086-0x00000000058D0000-0x00000000058E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4528-189-0x00000000026A0000-0x00000000026DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4528-201-0x00000000026A0000-0x00000000026DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4528-155-0x0000000002650000-0x0000000002660000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4528-156-0x0000000002650000-0x0000000002660000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4528-157-0x0000000002650000-0x0000000002660000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4528-158-0x00000000026A0000-0x00000000026DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4528-159-0x00000000026A0000-0x00000000026DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4528-161-0x00000000026A0000-0x00000000026DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4528-163-0x00000000026A0000-0x00000000026DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4528-165-0x00000000026A0000-0x00000000026DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4528-167-0x00000000026A0000-0x00000000026DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4528-169-0x00000000026A0000-0x00000000026DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4528-171-0x00000000026A0000-0x00000000026DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4528-173-0x00000000026A0000-0x00000000026DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4528-175-0x00000000026A0000-0x00000000026DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4528-177-0x00000000026A0000-0x00000000026DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4528-179-0x00000000026A0000-0x00000000026DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4528-181-0x00000000026A0000-0x00000000026DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4528-183-0x00000000026A0000-0x00000000026DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4528-185-0x00000000026A0000-0x00000000026DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4528-187-0x00000000026A0000-0x00000000026DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4528-153-0x0000000004C30000-0x00000000051D4000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/4528-191-0x00000000026A0000-0x00000000026DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4528-193-0x00000000026A0000-0x00000000026DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4528-195-0x00000000026A0000-0x00000000026DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4528-197-0x00000000026A0000-0x00000000026DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4528-199-0x00000000026A0000-0x00000000026DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4528-154-0x0000000000620000-0x000000000066B000-memory.dmp

            Filesize

            300KB

            Download

          • memory/4528-203-0x00000000026A0000-0x00000000026DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4528-205-0x00000000026A0000-0x00000000026DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4528-207-0x00000000026A0000-0x00000000026DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4528-209-0x00000000026A0000-0x00000000026DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4528-211-0x00000000026A0000-0x00000000026DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4528-213-0x00000000026A0000-0x00000000026DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4528-215-0x00000000026A0000-0x00000000026DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4528-217-0x00000000026A0000-0x00000000026DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4528-219-0x00000000026A0000-0x00000000026DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4528-221-0x00000000026A0000-0x00000000026DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/4528-1064-0x0000000005240000-0x0000000005858000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/4528-1065-0x00000000058E0000-0x00000000059EA000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/4528-1066-0x0000000005A20000-0x0000000005A32000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4528-1067-0x0000000005A40000-0x0000000005A7C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/4528-1068-0x0000000002650000-0x0000000002660000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4528-1069-0x0000000005D30000-0x0000000005DC2000-memory.dmp

            Filesize

            584KB

            Download

          • memory/4528-1071-0x0000000005DD0000-0x0000000005E36000-memory.dmp

            Filesize

            408KB

            Download

          • memory/4528-1072-0x0000000002650000-0x0000000002660000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4528-1073-0x0000000002650000-0x0000000002660000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4528-1074-0x0000000002650000-0x0000000002660000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4528-1075-0x0000000006730000-0x00000000068F2000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/4528-1076-0x0000000006910000-0x0000000006E3C000-memory.dmp

            Filesize

            5.2MB

            Download

          • memory/4528-1077-0x0000000006F60000-0x0000000006FD6000-memory.dmp

            Filesize

            472KB

            Download

          • memory/4528-1078-0x0000000007000000-0x0000000007050000-memory.dmp

            Filesize

            320KB

            Download

          • memory/4528-1079-0x0000000002650000-0x0000000002660000-memory.dmp

            Filesize

            64KB

            Download