Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    76s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-03-2023 11:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    40a5d2004a3e94bed03f0d0b05e1f37dda638fbfbd865f3a87e96be66538fc76.exe

  • Size

    539KB

  • MD5

    938f04b86a72fde9b48bfc63771a2bf3

  • SHA1

    7c12e47f94ab6572d311b20c7ed4eed9e65e6685

  • SHA256

    40a5d2004a3e94bed03f0d0b05e1f37dda638fbfbd865f3a87e96be66538fc76

  • SHA512

    4bbd8b2acf2915cf9049c601b9b0c48eb827b5376cc887838b06daf73322fb3075d56015e8ed91b5bc0813071df20667525618672ef72fb155de09dd6994576f

  • SSDEEP

    12288:UMrRy90V/CJdr6xHLuUNjzPgssYaEG3W3XDMgeGi:ly5zCruOjzPc5RWHnI

Score
10/10
redlinedowngogadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

down

C2

193.233.20.31:4125

Attributes
  • auth_value

    12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

goga

C2

193.233.20.31:4125

Attributes
  • auth_value

    d23290cf37dcc5419576040359a72599

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\40a5d2004a3e94bed03f0d0b05e1f37dda638fbfbd865f3a87e96be66538fc76.exe
    "C:\Users\Admin\AppData\Local\Temp\40a5d2004a3e94bed03f0d0b05e1f37dda638fbfbd865f3a87e96be66538fc76.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1776
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2862.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2862.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2364
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h75cW96.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h75cW96.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4960
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iffbJ25.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iffbJ25.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2144
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1348
          4⤵
          • Program crash
          PID:2952
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l53VG69.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l53VG69.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2720
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2144 -ip 2144
    1⤵
      PID:4596

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l53VG69.exe
      Filesize

      175KB

      MD5

      834e79ce5b49bb7bc25edd39928edd0d

      SHA1

      9e4f3409d2c6b8227a915cbe02c6c5d743ef2abb

      SHA256

      3ecc77ed05720896aabce3b251ccc35d2fe651c21132d1d5dd09e7ac5d0615fe

      SHA512

      b7cebd169f45874eb23779661358e094085e85ba421007ef2f569e38a7174235d6c0326d8eef25c629483916852519d871dfe0135b85ed1113345948b18ed637

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l53VG69.exe
      Filesize

      175KB

      MD5

      834e79ce5b49bb7bc25edd39928edd0d

      SHA1

      9e4f3409d2c6b8227a915cbe02c6c5d743ef2abb

      SHA256

      3ecc77ed05720896aabce3b251ccc35d2fe651c21132d1d5dd09e7ac5d0615fe

      SHA512

      b7cebd169f45874eb23779661358e094085e85ba421007ef2f569e38a7174235d6c0326d8eef25c629483916852519d871dfe0135b85ed1113345948b18ed637

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2862.exe
      Filesize

      397KB

      MD5

      21b4294df9441dbc0767507e55351c7b

      SHA1

      9b78f043287f36e4812ac282c637edb9a74536c8

      SHA256

      5b988f12e7fbfcd2001f881364a9344666558c674f37ff5859ffad69eac3a129

      SHA512

      96978ed2ad998280d8189df228b6c050bf790bc5ff71d396f145521bee616b7d938f40c14fa6e25912fc6e081244486f16862a3b4e90734b1cd015f48dd0f777

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2862.exe
      Filesize

      397KB

      MD5

      21b4294df9441dbc0767507e55351c7b

      SHA1

      9b78f043287f36e4812ac282c637edb9a74536c8

      SHA256

      5b988f12e7fbfcd2001f881364a9344666558c674f37ff5859ffad69eac3a129

      SHA512

      96978ed2ad998280d8189df228b6c050bf790bc5ff71d396f145521bee616b7d938f40c14fa6e25912fc6e081244486f16862a3b4e90734b1cd015f48dd0f777

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h75cW96.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h75cW96.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iffbJ25.exe
      Filesize

      356KB

      MD5

      3544c4a2326ed1c72da34b01146fe0e8

      SHA1

      cc682758102e7b8db408db26929cc4cb563c664e

      SHA256

      aa598715b0852d39b9603b0816418d02e1998b830e0e2d023f18e9b49fe07270

      SHA512

      51a6647e90d836ab17dca8e12e235e325fa5ca42a722f1e99ebbed67f03ad207c37affa3c93472ce988679035b329238055d62997442f064e7b4a95f3fe472ee

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iffbJ25.exe
      Filesize

      356KB

      MD5

      3544c4a2326ed1c72da34b01146fe0e8

      SHA1

      cc682758102e7b8db408db26929cc4cb563c664e

      SHA256

      aa598715b0852d39b9603b0816418d02e1998b830e0e2d023f18e9b49fe07270

      SHA512

      51a6647e90d836ab17dca8e12e235e325fa5ca42a722f1e99ebbed67f03ad207c37affa3c93472ce988679035b329238055d62997442f064e7b4a95f3fe472ee

      Download Submit
    • memory/2144-153-0x0000000002C60000-0x0000000002CAB000-memory.dmp
      Filesize

      300KB

      Download
    • memory/2144-154-0x0000000007140000-0x00000000076E4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/2144-155-0x00000000076F0000-0x000000000772E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2144-156-0x00000000076F0000-0x000000000772E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2144-158-0x00000000076F0000-0x000000000772E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2144-160-0x00000000076F0000-0x000000000772E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2144-162-0x00000000076F0000-0x000000000772E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2144-164-0x00000000076F0000-0x000000000772E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2144-166-0x00000000076F0000-0x000000000772E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2144-168-0x00000000076F0000-0x000000000772E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2144-170-0x00000000076F0000-0x000000000772E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2144-172-0x00000000076F0000-0x000000000772E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2144-175-0x0000000007130000-0x0000000007140000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2144-174-0x00000000076F0000-0x000000000772E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2144-176-0x0000000007130000-0x0000000007140000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2144-181-0x00000000076F0000-0x000000000772E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2144-183-0x00000000076F0000-0x000000000772E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2144-179-0x0000000007130000-0x0000000007140000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2144-178-0x00000000076F0000-0x000000000772E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2144-185-0x00000000076F0000-0x000000000772E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2144-187-0x00000000076F0000-0x000000000772E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2144-189-0x00000000076F0000-0x000000000772E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2144-191-0x00000000076F0000-0x000000000772E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2144-193-0x00000000076F0000-0x000000000772E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2144-195-0x00000000076F0000-0x000000000772E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2144-197-0x00000000076F0000-0x000000000772E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2144-199-0x00000000076F0000-0x000000000772E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2144-201-0x00000000076F0000-0x000000000772E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2144-203-0x00000000076F0000-0x000000000772E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2144-205-0x00000000076F0000-0x000000000772E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2144-207-0x00000000076F0000-0x000000000772E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2144-209-0x00000000076F0000-0x000000000772E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2144-211-0x00000000076F0000-0x000000000772E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2144-213-0x00000000076F0000-0x000000000772E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2144-215-0x00000000076F0000-0x000000000772E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2144-217-0x00000000076F0000-0x000000000772E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2144-219-0x00000000076F0000-0x000000000772E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2144-221-0x00000000076F0000-0x000000000772E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2144-1064-0x00000000078D0000-0x0000000007EE8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/2144-1065-0x0000000007F70000-0x000000000807A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/2144-1066-0x00000000080B0000-0x00000000080C2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2144-1067-0x00000000080D0000-0x000000000810C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/2144-1068-0x0000000007130000-0x0000000007140000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2144-1070-0x00000000083C0000-0x0000000008452000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2144-1071-0x0000000008460000-0x00000000084C6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2144-1072-0x0000000007130000-0x0000000007140000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2144-1073-0x0000000007130000-0x0000000007140000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2144-1074-0x0000000007130000-0x0000000007140000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2144-1075-0x0000000008B60000-0x0000000008BD6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/2144-1076-0x0000000008BF0000-0x0000000008C40000-memory.dmp
      Filesize

      320KB

      Download
    • memory/2144-1077-0x0000000008C70000-0x0000000008E32000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/2144-1078-0x0000000008E40000-0x000000000936C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/2144-1079-0x0000000007130000-0x0000000007140000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2720-1085-0x0000000000900000-0x0000000000932000-memory.dmp
      Filesize

      200KB

      Download
    • memory/2720-1086-0x0000000005260000-0x0000000005270000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2720-1087-0x0000000005260000-0x0000000005270000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4960-147-0x0000000000FF0000-0x0000000000FFA000-memory.dmp
      Filesize

      40KB

      Download