Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/03/2023, 04:28

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    60084719af256d64adb8325032b45e661e0efc56515aeea2e61a2211276db9e3.exe

  • Size

    682KB

  • MD5

    e3bc12f3fd748b1d23db057293c58f70

  • SHA1

    d1581c6815308abd7724f17d9e0d6dde56eb709b

  • SHA256

    60084719af256d64adb8325032b45e661e0efc56515aeea2e61a2211276db9e3

  • SHA512

    aae7569d9367f294199fdae22d4e5a4937461d4fcbe5820ae3f197c80570da8d600a7494263f0aec7ad51ec05dc2accfb2954123f23cc3ff9504a62f79715b6d

  • SSDEEP

    12288:q/2+N/Arrf2R06BkiV0xyUT6AxqkOivzDLPkh6FwbyK8icKiRGy:qdAfXiCxy66AxqiDWtbyKdFy

Score
10/10
redlinedownrealdiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

down

C2

193.233.20.31:4125

Attributes
  • auth_value

    12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

real

C2

193.233.20.31:4125

Attributes
  • auth_value

    bb22a50228754849387d5f4d1611e71b

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\60084719af256d64adb8325032b45e661e0efc56515aeea2e61a2211276db9e3.exe
    "C:\Users\Admin\AppData\Local\Temp\60084719af256d64adb8325032b45e661e0efc56515aeea2e61a2211276db9e3.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5104
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZp3587.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZp3587.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2624
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr100346.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr100346.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1048
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku298037.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku298037.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:348
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 1836
          4⤵
          • Program crash
          PID:276
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr167156.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr167156.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4240
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 504
      2⤵
      • Program crash
      PID:3824
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 348 -ip 348
    1⤵
      PID:244
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5104 -ip 5104
      1⤵
        PID:3156

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr167156.exe
              Filesize

              175KB

              MD5

              41707338e1e2d868aa699ac0dd2e77b0

              SHA1

              36e0dfba09f9fb409faf0f9a99217d0d0c524b82

              SHA256

              8d2a5ba6ae16aa5ee13382edb585c480b6bf2db098427ffe5f8d55323ded7557

              SHA512

              80c66cbf19f6b2cc2e979b1fd1769cf45957761fa3f94b33fc194f88379b57ec9327a86ce374c6dc25334b44e4e8aa518a5d0d03ddb4f4eddfdfe8ddfc9fb6f2

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr167156.exe
              Filesize

              175KB

              MD5

              41707338e1e2d868aa699ac0dd2e77b0

              SHA1

              36e0dfba09f9fb409faf0f9a99217d0d0c524b82

              SHA256

              8d2a5ba6ae16aa5ee13382edb585c480b6bf2db098427ffe5f8d55323ded7557

              SHA512

              80c66cbf19f6b2cc2e979b1fd1769cf45957761fa3f94b33fc194f88379b57ec9327a86ce374c6dc25334b44e4e8aa518a5d0d03ddb4f4eddfdfe8ddfc9fb6f2

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZp3587.exe
              Filesize

              397KB

              MD5

              a8ccae0db5a02948535e8197e667fb10

              SHA1

              a1f316867e531616ed4e3c96df71e9e34c211482

              SHA256

              6c8e3f822c84e2babd971f531a1e9304c73a3e5a3ad67ca51b43f379339235ca

              SHA512

              66c334606ec9c9aca4af18dcdc08d9683d65db4e495e4b57606a5654e6e9c860288a1bd4ac2fb7e6f854772c7fe1aa55480fc8dc70eb217244e28541ef5f1711

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZp3587.exe
              Filesize

              397KB

              MD5

              a8ccae0db5a02948535e8197e667fb10

              SHA1

              a1f316867e531616ed4e3c96df71e9e34c211482

              SHA256

              6c8e3f822c84e2babd971f531a1e9304c73a3e5a3ad67ca51b43f379339235ca

              SHA512

              66c334606ec9c9aca4af18dcdc08d9683d65db4e495e4b57606a5654e6e9c860288a1bd4ac2fb7e6f854772c7fe1aa55480fc8dc70eb217244e28541ef5f1711

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr100346.exe
              Filesize

              11KB

              MD5

              7e93bacbbc33e6652e147e7fe07572a0

              SHA1

              421a7167da01c8da4dc4d5234ca3dd84e319e762

              SHA256

              850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

              SHA512

              250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr100346.exe
              Filesize

              11KB

              MD5

              7e93bacbbc33e6652e147e7fe07572a0

              SHA1

              421a7167da01c8da4dc4d5234ca3dd84e319e762

              SHA256

              850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

              SHA512

              250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku298037.exe
              Filesize

              357KB

              MD5

              15ce9d261b1ccf240fefd941ab94eaaf

              SHA1

              c591c4209a12f872956979098c5e9ed7092eea90

              SHA256

              bbb8736762a72a5b2753cba4e522d05138c00e72346244b03ec5fcc6b2cb08da

              SHA512

              396c09be98082493953fa7dc1f6791dd5ae3cfe9208ac9c4b6bc63a0055a2647197012d4e8c735d130fb958a721146419a65045fdbaee68f7b94a44c6f77767c

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku298037.exe
              Filesize

              357KB

              MD5

              15ce9d261b1ccf240fefd941ab94eaaf

              SHA1

              c591c4209a12f872956979098c5e9ed7092eea90

              SHA256

              bbb8736762a72a5b2753cba4e522d05138c00e72346244b03ec5fcc6b2cb08da

              SHA512

              396c09be98082493953fa7dc1f6791dd5ae3cfe9208ac9c4b6bc63a0055a2647197012d4e8c735d130fb958a721146419a65045fdbaee68f7b94a44c6f77767c

              Download Submit

            • memory/348-198-0x0000000007130000-0x000000000716E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/348-204-0x0000000007130000-0x000000000716E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/348-158-0x0000000007130000-0x000000000716E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/348-161-0x0000000007130000-0x000000000716E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/348-159-0x0000000007130000-0x000000000716E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/348-163-0x0000000007130000-0x000000000716E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/348-165-0x0000000007130000-0x000000000716E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/348-167-0x0000000007130000-0x000000000716E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/348-169-0x0000000007130000-0x000000000716E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/348-170-0x00000000072B0000-0x00000000072C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/348-172-0x00000000072B0000-0x00000000072C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/348-174-0x00000000072B0000-0x00000000072C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/348-173-0x0000000007130000-0x000000000716E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/348-176-0x0000000007130000-0x000000000716E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/348-178-0x0000000007130000-0x000000000716E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/348-180-0x0000000007130000-0x000000000716E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/348-182-0x0000000007130000-0x000000000716E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/348-184-0x0000000007130000-0x000000000716E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/348-186-0x0000000007130000-0x000000000716E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/348-188-0x0000000007130000-0x000000000716E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/348-190-0x0000000007130000-0x000000000716E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/348-192-0x0000000007130000-0x000000000716E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/348-194-0x0000000007130000-0x000000000716E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/348-196-0x0000000007130000-0x000000000716E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/348-156-0x0000000002DA0000-0x0000000002DEB000-memory.dmp

              Filesize

              300KB

              Download

            • memory/348-200-0x0000000007130000-0x000000000716E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/348-202-0x0000000007130000-0x000000000716E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/348-157-0x00000000072C0000-0x0000000007864000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/348-206-0x0000000007130000-0x000000000716E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/348-208-0x0000000007130000-0x000000000716E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/348-210-0x0000000007130000-0x000000000716E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/348-212-0x0000000007130000-0x000000000716E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/348-214-0x0000000007130000-0x000000000716E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/348-216-0x0000000007130000-0x000000000716E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/348-218-0x0000000007130000-0x000000000716E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/348-220-0x0000000007130000-0x000000000716E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/348-222-0x0000000007130000-0x000000000716E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/348-1067-0x0000000007970000-0x0000000007F88000-memory.dmp

              Filesize

              6.1MB

              Download

            • memory/348-1068-0x0000000007F90000-0x000000000809A000-memory.dmp

              Filesize

              1.0MB

              Download

            • memory/348-1069-0x00000000080B0000-0x00000000080C2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/348-1070-0x00000000072B0000-0x00000000072C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/348-1071-0x00000000080D0000-0x000000000810C000-memory.dmp

              Filesize

              240KB

              Download

            • memory/348-1074-0x00000000083C0000-0x0000000008452000-memory.dmp

              Filesize

              584KB

              Download

            • memory/348-1075-0x0000000008460000-0x00000000084C6000-memory.dmp

              Filesize

              408KB

              Download

            • memory/348-1076-0x0000000008B60000-0x0000000008BD6000-memory.dmp

              Filesize

              472KB

              Download

            • memory/348-1077-0x0000000008BF0000-0x0000000008C40000-memory.dmp

              Filesize

              320KB

              Download

            • memory/348-1078-0x00000000072B0000-0x00000000072C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/348-1079-0x00000000072B0000-0x00000000072C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/348-1080-0x00000000072B0000-0x00000000072C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/348-1081-0x0000000008EE0000-0x00000000090A2000-memory.dmp

              Filesize

              1.8MB

              Download

            • memory/348-1082-0x00000000090B0000-0x00000000095DC000-memory.dmp

              Filesize

              5.2MB

              Download

            • memory/1048-148-0x0000000000630000-0x000000000063A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/4240-1089-0x0000000000E10000-0x0000000000E42000-memory.dmp

              Filesize

              200KB

              Download

            • memory/4240-1090-0x0000000005720000-0x0000000005730000-memory.dmp

              Filesize

              64KB

              Download

            • memory/5104-149-0x00000000049D0000-0x0000000004A58000-memory.dmp

              Filesize

              544KB

              Download

            • memory/5104-150-0x0000000000400000-0x0000000002BD8000-memory.dmp

              Filesize

              39.8MB

              Download