Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    114s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/03/2023, 08:36

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    d40dc56977b97eddb4c2cef604225363b07d7562c02cab7a8befff8eab6b99cd.exe

  • Size

    545KB

  • MD5

    e0874295a560216250fbd195ed9ed308

  • SHA1

    14171a0dd4c21f84fec6076a9a2d1ce46778f266

  • SHA256

    d40dc56977b97eddb4c2cef604225363b07d7562c02cab7a8befff8eab6b99cd

  • SHA512

    6c54cc4a8ca4a4497eefe3d5b52f18f83b7b0eded5065828dd34ba8e98f4f808c37768b5ba1b127151b882efc7f6e23010934be3bc9770dbd6154fc37e24ad02

  • SSDEEP

    12288:5MrAy90gYx/HzNs/xAgRmOC97UbGxFA3X:VyNs/zBOC97USxFA3X

Score
10/10
redlinedownlowndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

down

C2

193.233.20.31:4125

Attributes
  • auth_value

    12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

lown

C2

193.233.20.31:4125

Attributes
  • auth_value

    4cf836e062bcdc2a4fdbf410f5747ec7

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d40dc56977b97eddb4c2cef604225363b07d7562c02cab7a8befff8eab6b99cd.exe
    "C:\Users\Admin\AppData\Local\Temp\d40dc56977b97eddb4c2cef604225363b07d7562c02cab7a8befff8eab6b99cd.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1528
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba7011.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba7011.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1360
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h54ie34.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h54ie34.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3308
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iUAGk11.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iUAGk11.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:248
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 248 -s 1592
          4⤵
          • Program crash
          PID:1408
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l10nX73.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l10nX73.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2732
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 248 -ip 248
    1⤵
      PID:4624

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l10nX73.exe
            Filesize

            175KB

            MD5

            50809fe16d7c482c1f4a2ea19fdcbc0a

            SHA1

            11b6f69c06a724da15183b16039c5cbc86016158

            SHA256

            09917b67829de37b5d6be8115c8f8321f436554f426a24e079257a8368051cb1

            SHA512

            c35170e5eb6dabda9fd2d289153df829957ca8e9665178529a1ba36395155bb34f489372993ec694d10bea490c86cef2ae152e2df480288aca8e796ba135261f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l10nX73.exe
            Filesize

            175KB

            MD5

            50809fe16d7c482c1f4a2ea19fdcbc0a

            SHA1

            11b6f69c06a724da15183b16039c5cbc86016158

            SHA256

            09917b67829de37b5d6be8115c8f8321f436554f426a24e079257a8368051cb1

            SHA512

            c35170e5eb6dabda9fd2d289153df829957ca8e9665178529a1ba36395155bb34f489372993ec694d10bea490c86cef2ae152e2df480288aca8e796ba135261f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba7011.exe
            Filesize

            403KB

            MD5

            1a32193a6fce59647d2d4c09e31057cf

            SHA1

            052a0a7eed82b3d59f4cbdb9e244da63d3a93346

            SHA256

            7980ede553b6011c12c0a842a86571baa0e3ec77939fd5760e29434bc480e8d5

            SHA512

            418fb4dcec83815783a275dd77a5c2b58cb8daa779174059cfc93557ce5e29fd28f06526f9a2c0cf73dc401ffe278addeca2a01054a561e1314d382067cc0189

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba7011.exe
            Filesize

            403KB

            MD5

            1a32193a6fce59647d2d4c09e31057cf

            SHA1

            052a0a7eed82b3d59f4cbdb9e244da63d3a93346

            SHA256

            7980ede553b6011c12c0a842a86571baa0e3ec77939fd5760e29434bc480e8d5

            SHA512

            418fb4dcec83815783a275dd77a5c2b58cb8daa779174059cfc93557ce5e29fd28f06526f9a2c0cf73dc401ffe278addeca2a01054a561e1314d382067cc0189

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h54ie34.exe
            Filesize

            11KB

            MD5

            7e93bacbbc33e6652e147e7fe07572a0

            SHA1

            421a7167da01c8da4dc4d5234ca3dd84e319e762

            SHA256

            850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

            SHA512

            250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h54ie34.exe
            Filesize

            11KB

            MD5

            7e93bacbbc33e6652e147e7fe07572a0

            SHA1

            421a7167da01c8da4dc4d5234ca3dd84e319e762

            SHA256

            850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

            SHA512

            250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iUAGk11.exe
            Filesize

            351KB

            MD5

            260f863f5949e5f31372524c8028a5c7

            SHA1

            5c0b57c4450797c74f841a8842cae89d0802bd6e

            SHA256

            2360671d5a44b94113f589d1680a4b7fd1c4fea32558fa3defb65b6060811934

            SHA512

            206a4e64512c7e9bd9c875ddd82d7c887bf4bdeca31ad4a35ed6399397865786fe068a2dcb5db41bcca1307ef4b169aaf2043c060c41a60616b90bb8ce73acb6

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iUAGk11.exe
            Filesize

            351KB

            MD5

            260f863f5949e5f31372524c8028a5c7

            SHA1

            5c0b57c4450797c74f841a8842cae89d0802bd6e

            SHA256

            2360671d5a44b94113f589d1680a4b7fd1c4fea32558fa3defb65b6060811934

            SHA512

            206a4e64512c7e9bd9c875ddd82d7c887bf4bdeca31ad4a35ed6399397865786fe068a2dcb5db41bcca1307ef4b169aaf2043c060c41a60616b90bb8ce73acb6

            Download Submit

          • memory/248-153-0x0000000004F30000-0x00000000054D4000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/248-154-0x0000000002280000-0x00000000022CB000-memory.dmp

            Filesize

            300KB

            Download

          • memory/248-155-0x0000000004F20000-0x0000000004F30000-memory.dmp

            Filesize

            64KB

            Download

          • memory/248-156-0x0000000004F20000-0x0000000004F30000-memory.dmp

            Filesize

            64KB

            Download

          • memory/248-157-0x0000000004F20000-0x0000000004F30000-memory.dmp

            Filesize

            64KB

            Download

          • memory/248-158-0x00000000028A0000-0x00000000028DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/248-159-0x00000000028A0000-0x00000000028DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/248-161-0x00000000028A0000-0x00000000028DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/248-163-0x00000000028A0000-0x00000000028DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/248-167-0x00000000028A0000-0x00000000028DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/248-165-0x00000000028A0000-0x00000000028DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/248-169-0x00000000028A0000-0x00000000028DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/248-171-0x00000000028A0000-0x00000000028DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/248-173-0x00000000028A0000-0x00000000028DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/248-175-0x00000000028A0000-0x00000000028DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/248-177-0x00000000028A0000-0x00000000028DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/248-179-0x00000000028A0000-0x00000000028DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/248-181-0x00000000028A0000-0x00000000028DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/248-183-0x00000000028A0000-0x00000000028DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/248-185-0x00000000028A0000-0x00000000028DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/248-187-0x00000000028A0000-0x00000000028DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/248-189-0x00000000028A0000-0x00000000028DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/248-191-0x00000000028A0000-0x00000000028DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/248-193-0x00000000028A0000-0x00000000028DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/248-195-0x00000000028A0000-0x00000000028DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/248-197-0x00000000028A0000-0x00000000028DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/248-199-0x00000000028A0000-0x00000000028DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/248-201-0x00000000028A0000-0x00000000028DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/248-203-0x00000000028A0000-0x00000000028DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/248-205-0x00000000028A0000-0x00000000028DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/248-207-0x00000000028A0000-0x00000000028DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/248-209-0x00000000028A0000-0x00000000028DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/248-211-0x00000000028A0000-0x00000000028DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/248-213-0x00000000028A0000-0x00000000028DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/248-215-0x00000000028A0000-0x00000000028DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/248-217-0x00000000028A0000-0x00000000028DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/248-219-0x00000000028A0000-0x00000000028DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/248-221-0x00000000028A0000-0x00000000028DE000-memory.dmp

            Filesize

            248KB

            Download

          • memory/248-1064-0x00000000054E0000-0x0000000005AF8000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/248-1065-0x0000000005B00000-0x0000000005C0A000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/248-1066-0x0000000005C40000-0x0000000005C52000-memory.dmp

            Filesize

            72KB

            Download

          • memory/248-1067-0x0000000004F20000-0x0000000004F30000-memory.dmp

            Filesize

            64KB

            Download

          • memory/248-1068-0x0000000005C60000-0x0000000005C9C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/248-1070-0x0000000005F50000-0x0000000005FE2000-memory.dmp

            Filesize

            584KB

            Download

          • memory/248-1071-0x0000000005FF0000-0x0000000006056000-memory.dmp

            Filesize

            408KB

            Download

          • memory/248-1072-0x0000000004F20000-0x0000000004F30000-memory.dmp

            Filesize

            64KB

            Download

          • memory/248-1073-0x0000000004F20000-0x0000000004F30000-memory.dmp

            Filesize

            64KB

            Download

          • memory/248-1074-0x0000000008D90000-0x0000000008E06000-memory.dmp

            Filesize

            472KB

            Download

          • memory/248-1075-0x0000000008E30000-0x0000000008E80000-memory.dmp

            Filesize

            320KB

            Download

          • memory/248-1076-0x0000000008E80000-0x0000000009042000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/248-1077-0x0000000009060000-0x000000000958C000-memory.dmp

            Filesize

            5.2MB

            Download

          • memory/2732-1084-0x0000000000910000-0x0000000000942000-memory.dmp

            Filesize

            200KB

            Download

          • memory/2732-1085-0x00000000051C0000-0x00000000051D0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3308-147-0x0000000000AB0000-0x0000000000ABA000-memory.dmp

            Filesize

            40KB

            Download