Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    57s
  • max time network
    70s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    24-03-2023 23:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    779f5e201d1149c25437a965fb5cad25cbf87824d651e3a389a9ad3c5c57caaf.exe

  • Size

    555KB

  • MD5

    32d8710d9efcb3f31a3918c22c4e4c4f

  • SHA1

    2e45ac8ad669df38122600e4eba710216633927e

  • SHA256

    779f5e201d1149c25437a965fb5cad25cbf87824d651e3a389a9ad3c5c57caaf

  • SHA512

    1473601fed1143e8444b22845e33002b948465c2a598f225f06e6f7261ac165c50b11b39a44689ddcd0f719350917a9c6c672691fbf6f648ee5d155095f404d0

  • SSDEEP

    12288:pMrWy90kkF5qMmxF29k6l42dTsM7S7iNfg3J/uThPHx/mhS3N+:LyZkPkrkFdTL2GfUJ2TP/m43N+

Score
10/10
redlineborislidadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

boris

C2

193.233.20.32:4125

Attributes
  • auth_value

    766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

lida

C2

193.233.20.32:4125

Attributes
  • auth_value

    24052aa2e9b85984a98d80cf08623e8d

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\779f5e201d1149c25437a965fb5cad25cbf87824d651e3a389a9ad3c5c57caaf.exe
    "C:\Users\Admin\AppData\Local\Temp\779f5e201d1149c25437a965fb5cad25cbf87824d651e3a389a9ad3c5c57caaf.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1760
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba6246.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba6246.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2056
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h40ij56.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h40ij56.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4308
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iZGVi67.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iZGVi67.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4244
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l22SV35.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l22SV35.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1308

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l22SV35.exe
    Filesize

    175KB

    MD5

    6b06147bf5fd26306978a93fe83127a4

    SHA1

    7b14ff42f4441b985591ef5b7d4cc703f0bbcdfa

    SHA256

    11e6d45ae92fc4505f14f550d01d97a42fba91a999b900daf843251772c755e0

    SHA512

    603007d99e52da5739040fee891c193123dc5741985de1c3dde091dd07e759336ec749312e4ab95d05c1c6681f10e56b4e9aee67d633a97b6aa25c5119f4d6b4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l22SV35.exe
    Filesize

    175KB

    MD5

    6b06147bf5fd26306978a93fe83127a4

    SHA1

    7b14ff42f4441b985591ef5b7d4cc703f0bbcdfa

    SHA256

    11e6d45ae92fc4505f14f550d01d97a42fba91a999b900daf843251772c755e0

    SHA512

    603007d99e52da5739040fee891c193123dc5741985de1c3dde091dd07e759336ec749312e4ab95d05c1c6681f10e56b4e9aee67d633a97b6aa25c5119f4d6b4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba6246.exe
    Filesize

    413KB

    MD5

    49c0aaab5e135d802332e97622c23fe4

    SHA1

    ed763a90616046ea163b871e557a6ad5f289637d

    SHA256

    c0ea34f7f180f82835a4e8b1a51879f303d059a60f1d3a37c4eb2d46a9f6f45b

    SHA512

    2e4f6066f0878d3b37ebe7e17b7ade9024cc73c0073ed081c46389c7042bf37825b020098b576119099487fe1d2f8518568462746834fef2512a671c258d8b9b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba6246.exe
    Filesize

    413KB

    MD5

    49c0aaab5e135d802332e97622c23fe4

    SHA1

    ed763a90616046ea163b871e557a6ad5f289637d

    SHA256

    c0ea34f7f180f82835a4e8b1a51879f303d059a60f1d3a37c4eb2d46a9f6f45b

    SHA512

    2e4f6066f0878d3b37ebe7e17b7ade9024cc73c0073ed081c46389c7042bf37825b020098b576119099487fe1d2f8518568462746834fef2512a671c258d8b9b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h40ij56.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h40ij56.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iZGVi67.exe
    Filesize

    387KB

    MD5

    801b5fb41b53cb128e8e3f51cd824fc8

    SHA1

    719c3aa4a8a02801a9132307df952431c1dd1915

    SHA256

    d30d68b5303e42bfed97116e301e54be97e886e4cb353d15a452e9a0488439ed

    SHA512

    e9ddbe11d6d3f1b6e8bc4fa703fcbf6fe9e863f46c045bb0f10e377d4cfd4b4e495516231ad2cb62ec828f95c301534b1049939199502db8bdad33c5ee5dedd6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iZGVi67.exe
    Filesize

    387KB

    MD5

    801b5fb41b53cb128e8e3f51cd824fc8

    SHA1

    719c3aa4a8a02801a9132307df952431c1dd1915

    SHA256

    d30d68b5303e42bfed97116e301e54be97e886e4cb353d15a452e9a0488439ed

    SHA512

    e9ddbe11d6d3f1b6e8bc4fa703fcbf6fe9e863f46c045bb0f10e377d4cfd4b4e495516231ad2cb62ec828f95c301534b1049939199502db8bdad33c5ee5dedd6

    Download Submit
  • memory/1308-1076-0x0000000000870000-0x00000000008A2000-memory.dmp
    Filesize

    200KB

    Download
  • memory/1308-1077-0x0000000005470000-0x0000000005480000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1308-1078-0x00000000052B0000-0x00000000052FB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4244-181-0x0000000007150000-0x000000000718F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-193-0x0000000007150000-0x000000000718F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-144-0x0000000007150000-0x0000000007194000-memory.dmp
    Filesize

    272KB

    Download
  • memory/4244-145-0x0000000007150000-0x000000000718F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-146-0x0000000007150000-0x000000000718F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-148-0x0000000007150000-0x000000000718F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-150-0x0000000007150000-0x000000000718F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-152-0x0000000007150000-0x000000000718F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-154-0x0000000007150000-0x000000000718F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-156-0x0000000007150000-0x000000000718F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-158-0x0000000007150000-0x000000000718F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-160-0x0000000007150000-0x000000000718F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-162-0x0000000007150000-0x000000000718F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-164-0x0000000007150000-0x000000000718F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-166-0x0000000007150000-0x000000000718F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-168-0x0000000007150000-0x000000000718F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-171-0x0000000007280000-0x0000000007290000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4244-170-0x0000000007150000-0x000000000718F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-172-0x0000000007280000-0x0000000007290000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4244-175-0x0000000007280000-0x0000000007290000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4244-174-0x0000000007150000-0x000000000718F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-177-0x0000000007150000-0x000000000718F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-179-0x0000000007150000-0x000000000718F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-142-0x00000000070D0000-0x0000000007116000-memory.dmp
    Filesize

    280KB

    Download
  • memory/4244-183-0x0000000007150000-0x000000000718F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-185-0x0000000007150000-0x000000000718F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-187-0x0000000007150000-0x000000000718F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-189-0x0000000007150000-0x000000000718F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-191-0x0000000007150000-0x000000000718F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-143-0x0000000007290000-0x000000000778E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/4244-195-0x0000000007150000-0x000000000718F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-197-0x0000000007150000-0x000000000718F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-199-0x0000000007150000-0x000000000718F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-201-0x0000000007150000-0x000000000718F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-203-0x0000000007150000-0x000000000718F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-205-0x0000000007150000-0x000000000718F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-207-0x0000000007150000-0x000000000718F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-209-0x0000000007150000-0x000000000718F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-211-0x0000000007150000-0x000000000718F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-1054-0x0000000007790000-0x0000000007D96000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/4244-1055-0x0000000007DA0000-0x0000000007EAA000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4244-1056-0x0000000007240000-0x0000000007252000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4244-1057-0x0000000007280000-0x0000000007290000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4244-1058-0x0000000007EB0000-0x0000000007EEE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4244-1059-0x0000000007FF0000-0x000000000803B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4244-1061-0x0000000008170000-0x00000000081D6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4244-1062-0x0000000008830000-0x00000000088C2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4244-1063-0x0000000008910000-0x0000000008AD2000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/4244-1064-0x0000000008AF0000-0x000000000901C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4244-1065-0x0000000007280000-0x0000000007290000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4244-1066-0x0000000007280000-0x0000000007290000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4244-141-0x0000000002D90000-0x0000000002DDB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4244-1067-0x0000000007280000-0x0000000007290000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4244-1068-0x0000000007280000-0x0000000007290000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4244-1069-0x000000000A730000-0x000000000A7A6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4244-1070-0x000000000A7C0000-0x000000000A810000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4308-135-0x0000000000730000-0x000000000073A000-memory.dmp
    Filesize

    40KB

    Download