Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    52s
  • max time network
    64s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    23-03-2023 21:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f0d6aec76010c49bf33f299bb77155954fd8df37564a483e3a6a9b3241ae1edd.exe

  • Size

    544KB

  • MD5

    f9fe275acc460b02a20019f8bb915563

  • SHA1

    13fcb7927efd324cab503df13880ce2eba05d8fb

  • SHA256

    f0d6aec76010c49bf33f299bb77155954fd8df37564a483e3a6a9b3241ae1edd

  • SHA512

    deee894a58b1ada51f29dc78d48efe833c60a2a7d654d61189d1e7e86d20534c2923ec8a1237b0a5746fed467b2994ffedb1396ad6b977db20425fbb170c3ccd

  • SSDEEP

    12288:VMrCy90mnK0RR1lZc2x9rRqgU9MLawIfUq4vyBxf9tGk:jyvDNZ19rv4MeavyBd

Score
10/10
redlinedownlowndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

down

C2

193.233.20.31:4125

Attributes
  • auth_value

    12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

lown

C2

193.233.20.31:4125

Attributes
  • auth_value

    4cf836e062bcdc2a4fdbf410f5747ec7

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f0d6aec76010c49bf33f299bb77155954fd8df37564a483e3a6a9b3241ae1edd.exe
    "C:\Users\Admin\AppData\Local\Temp\f0d6aec76010c49bf33f299bb77155954fd8df37564a483e3a6a9b3241ae1edd.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2276
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba4769.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba4769.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2516
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h97ML22.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h97ML22.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2896
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iJyax14.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iJyax14.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4248
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l97kI50.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l97kI50.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l97kI50.exe
    Filesize

    175KB

    MD5

    50809fe16d7c482c1f4a2ea19fdcbc0a

    SHA1

    11b6f69c06a724da15183b16039c5cbc86016158

    SHA256

    09917b67829de37b5d6be8115c8f8321f436554f426a24e079257a8368051cb1

    SHA512

    c35170e5eb6dabda9fd2d289153df829957ca8e9665178529a1ba36395155bb34f489372993ec694d10bea490c86cef2ae152e2df480288aca8e796ba135261f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l97kI50.exe
    Filesize

    175KB

    MD5

    50809fe16d7c482c1f4a2ea19fdcbc0a

    SHA1

    11b6f69c06a724da15183b16039c5cbc86016158

    SHA256

    09917b67829de37b5d6be8115c8f8321f436554f426a24e079257a8368051cb1

    SHA512

    c35170e5eb6dabda9fd2d289153df829957ca8e9665178529a1ba36395155bb34f489372993ec694d10bea490c86cef2ae152e2df480288aca8e796ba135261f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba4769.exe
    Filesize

    402KB

    MD5

    5edd110b6951dc46b6262486ffb6ad91

    SHA1

    2d97eab3685221a78ef4213ff89495bfd08834ac

    SHA256

    c757e92a4c111bf3d4b47902feb5d7b17fd7e6b6cbae14fb28071fef1c45e668

    SHA512

    4009a954b827bd8d8d6858e1fecff8cbd3ea3ef38960a4f79ab4e59f46a79c2ccb5928d5ff1ea7a0b30bd278c41fb0fb1fbe84d71d116c20d4b3c8ddf14e4c34

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba4769.exe
    Filesize

    402KB

    MD5

    5edd110b6951dc46b6262486ffb6ad91

    SHA1

    2d97eab3685221a78ef4213ff89495bfd08834ac

    SHA256

    c757e92a4c111bf3d4b47902feb5d7b17fd7e6b6cbae14fb28071fef1c45e668

    SHA512

    4009a954b827bd8d8d6858e1fecff8cbd3ea3ef38960a4f79ab4e59f46a79c2ccb5928d5ff1ea7a0b30bd278c41fb0fb1fbe84d71d116c20d4b3c8ddf14e4c34

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h97ML22.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h97ML22.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iJyax14.exe
    Filesize

    349KB

    MD5

    56f442f24851ac612f0976cf98939a9e

    SHA1

    08bc9aa9241a7a5ae954bd11ef7631f6e9dadd56

    SHA256

    8efc21030a42d3c1da3dd0426d65ad54646950b3aefd227fa60f2998e33b4176

    SHA512

    c4260a605dd7752bb06a6abeba4a42bd96a819dac47db3e6c99ca2a2ed5dcd2d6c001ec5464bc161cc75a549f000b0937b58ad0040e8621be3063d72c63474f2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iJyax14.exe
    Filesize

    349KB

    MD5

    56f442f24851ac612f0976cf98939a9e

    SHA1

    08bc9aa9241a7a5ae954bd11ef7631f6e9dadd56

    SHA256

    8efc21030a42d3c1da3dd0426d65ad54646950b3aefd227fa60f2998e33b4176

    SHA512

    c4260a605dd7752bb06a6abeba4a42bd96a819dac47db3e6c99ca2a2ed5dcd2d6c001ec5464bc161cc75a549f000b0937b58ad0040e8621be3063d72c63474f2

    Download Submit
  • memory/1904-1073-0x00000000008F0000-0x0000000000922000-memory.dmp
    Filesize

    200KB

    Download
  • memory/1904-1074-0x0000000005330000-0x000000000537B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/1904-1075-0x0000000005180000-0x0000000005190000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2896-135-0x0000000000FC0000-0x0000000000FCA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4248-172-0x0000000002730000-0x000000000276E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4248-190-0x0000000002730000-0x000000000276E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4248-144-0x0000000002730000-0x0000000002774000-memory.dmp
    Filesize

    272KB

    Download
  • memory/4248-145-0x0000000004F70000-0x0000000004F80000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4248-146-0x0000000004F70000-0x0000000004F80000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4248-147-0x0000000002730000-0x000000000276E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4248-148-0x0000000002730000-0x000000000276E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4248-152-0x0000000002730000-0x000000000276E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4248-150-0x0000000002730000-0x000000000276E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4248-154-0x0000000002730000-0x000000000276E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4248-156-0x0000000002730000-0x000000000276E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4248-158-0x0000000002730000-0x000000000276E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4248-160-0x0000000002730000-0x000000000276E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4248-162-0x0000000002730000-0x000000000276E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4248-164-0x0000000002730000-0x000000000276E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4248-166-0x0000000002730000-0x000000000276E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4248-168-0x0000000002730000-0x000000000276E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4248-174-0x0000000002730000-0x000000000276E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4248-178-0x0000000002730000-0x000000000276E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4248-176-0x0000000002730000-0x000000000276E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4248-142-0x0000000002390000-0x00000000023D6000-memory.dmp
    Filesize

    280KB

    Download
  • memory/4248-170-0x0000000002730000-0x000000000276E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4248-180-0x0000000002730000-0x000000000276E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4248-182-0x0000000002730000-0x000000000276E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4248-192-0x0000000002730000-0x000000000276E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4248-143-0x0000000004F80000-0x000000000547E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/4248-188-0x0000000002730000-0x000000000276E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4248-194-0x0000000002730000-0x000000000276E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4248-198-0x0000000002730000-0x000000000276E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4248-204-0x0000000002730000-0x000000000276E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4248-202-0x0000000002730000-0x000000000276E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4248-200-0x0000000002730000-0x000000000276E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4248-196-0x0000000002730000-0x000000000276E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4248-206-0x0000000002730000-0x000000000276E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4248-186-0x0000000002730000-0x000000000276E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4248-184-0x0000000002730000-0x000000000276E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4248-208-0x0000000002730000-0x000000000276E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4248-210-0x0000000002730000-0x000000000276E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4248-1053-0x0000000005480000-0x0000000005A86000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/4248-1054-0x0000000004E00000-0x0000000004F0A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4248-1055-0x0000000002A80000-0x0000000002A92000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4248-1057-0x0000000004F10000-0x0000000004F4E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4248-1056-0x0000000004F70000-0x0000000004F80000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4248-1058-0x0000000005B90000-0x0000000005BDB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4248-1060-0x0000000005D00000-0x0000000005D92000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4248-1061-0x0000000005DA0000-0x0000000005E06000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4248-1062-0x0000000004F70000-0x0000000004F80000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4248-141-0x00000000007F0000-0x000000000083B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4248-1063-0x00000000064A0000-0x0000000006662000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/4248-1064-0x0000000006690000-0x0000000006BBC000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4248-1065-0x0000000006F30000-0x0000000006FA6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4248-1066-0x0000000006FB0000-0x0000000007000000-memory.dmp
    Filesize

    320KB

    Download