Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    85s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-03-2023 11:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    788de1a9f6efcd35d02063c391999252a232894b08d83c274302b2d3aa6c946f.exe

  • Size

    539KB

  • MD5

    9684a0729afc634504b40cebfb555c5f

  • SHA1

    153135b0fa794e494b24ce02c3bbdd530e491c52

  • SHA256

    788de1a9f6efcd35d02063c391999252a232894b08d83c274302b2d3aa6c946f

  • SHA512

    08ecd83ee134e899c55361568a60b6258d9d7b52528454f60dcad23b4f601f06e842a3e9dffabaddb9cb4af0098da07ce820b8c14ff328e7cc53e05b31af5da2

  • SSDEEP

    12288:7MrOy90ZHaCfdl7U9UZQLCubzj7B4LZ/bXNR8n:xyKtfdl7Qhfj1iZzEn

Score
10/10
redlinedownherodiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

down

C2

193.233.20.31:4125

Attributes
  • auth_value

    12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

hero

C2

193.233.20.31:4125

Attributes
  • auth_value

    11f3c75a88ca461bcc8d6bf60a1193e3

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\788de1a9f6efcd35d02063c391999252a232894b08d83c274302b2d3aa6c946f.exe
    "C:\Users\Admin\AppData\Local\Temp\788de1a9f6efcd35d02063c391999252a232894b08d83c274302b2d3aa6c946f.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1300
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio0056.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio0056.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4776
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7750.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7750.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1964
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1826.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1826.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4996
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1472
          4⤵
          • Program crash
          PID:840
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si209135.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si209135.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3156
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4996 -ip 4996
    1⤵
      PID:432

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si209135.exe
      Filesize

      175KB

      MD5

      7c11dfe7837f2079d50113de0e973682

      SHA1

      fae072addd4d56ab67d08ab82da4aac5d7223960

      SHA256

      442d9cc0073a6d45abbed64eb9891912091d444fe4dd368924d1b8cf7c59e65b

      SHA512

      06085d23ead5955185736af64754c343a796af98b68c8013ba20b19a5c52eb92066698b86633d54438fe6ad5455c3c3c4625cf03d15439ab486e22388bd8cab7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si209135.exe
      Filesize

      175KB

      MD5

      7c11dfe7837f2079d50113de0e973682

      SHA1

      fae072addd4d56ab67d08ab82da4aac5d7223960

      SHA256

      442d9cc0073a6d45abbed64eb9891912091d444fe4dd368924d1b8cf7c59e65b

      SHA512

      06085d23ead5955185736af64754c343a796af98b68c8013ba20b19a5c52eb92066698b86633d54438fe6ad5455c3c3c4625cf03d15439ab486e22388bd8cab7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio0056.exe
      Filesize

      397KB

      MD5

      ff70572b87d941c39753779be219c6cc

      SHA1

      09240879d0e76e50228c33f12942a8b56ac6c7bd

      SHA256

      99d7837930874ab25c12fd3a0a676aa9ecc24565fe42a81638a5ca949e1afddc

      SHA512

      ee8aea0e9a4df323f8e1ba6e2511203b7f99fc5c6fee5679f38adbdd862925ada89c7806ed73dd123660300a0dbc7e08b68142816e1aacdac2ad39f4b12e44dd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio0056.exe
      Filesize

      397KB

      MD5

      ff70572b87d941c39753779be219c6cc

      SHA1

      09240879d0e76e50228c33f12942a8b56ac6c7bd

      SHA256

      99d7837930874ab25c12fd3a0a676aa9ecc24565fe42a81638a5ca949e1afddc

      SHA512

      ee8aea0e9a4df323f8e1ba6e2511203b7f99fc5c6fee5679f38adbdd862925ada89c7806ed73dd123660300a0dbc7e08b68142816e1aacdac2ad39f4b12e44dd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7750.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7750.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1826.exe
      Filesize

      356KB

      MD5

      dc07ab5ac44c611d7490e0a1cc6b3803

      SHA1

      41f734056a2b050c4c08ff5ea3bf2a55c5355aae

      SHA256

      ab67ad6bb1237b1b2bec16db1911580f5d905b5f557ddb2ec3afc85cc730547c

      SHA512

      5882c00772f9ef85c7af8fe0ab2658ded3dbe7052f8515b47a802503d11796b8b8af6d17015597b2f76374e60e5186fa5383a40e6569b3b75ba535f89696fb1c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1826.exe
      Filesize

      356KB

      MD5

      dc07ab5ac44c611d7490e0a1cc6b3803

      SHA1

      41f734056a2b050c4c08ff5ea3bf2a55c5355aae

      SHA256

      ab67ad6bb1237b1b2bec16db1911580f5d905b5f557ddb2ec3afc85cc730547c

      SHA512

      5882c00772f9ef85c7af8fe0ab2658ded3dbe7052f8515b47a802503d11796b8b8af6d17015597b2f76374e60e5186fa5383a40e6569b3b75ba535f89696fb1c

      Download Submit

    • memory/1964-147-0x0000000000720000-0x000000000072A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3156-1085-0x0000000000C60000-0x0000000000C92000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3156-1086-0x0000000005920000-0x0000000005930000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4996-189-0x0000000007130000-0x000000000716E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4996-201-0x0000000007130000-0x000000000716E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4996-155-0x0000000007130000-0x000000000716E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4996-157-0x00000000071F0000-0x0000000007200000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4996-156-0x0000000007130000-0x000000000716E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4996-160-0x00000000071F0000-0x0000000007200000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4996-161-0x00000000071F0000-0x0000000007200000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4996-159-0x0000000007130000-0x000000000716E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4996-163-0x0000000007130000-0x000000000716E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4996-165-0x0000000007130000-0x000000000716E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4996-167-0x0000000007130000-0x000000000716E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4996-169-0x0000000007130000-0x000000000716E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4996-171-0x0000000007130000-0x000000000716E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4996-173-0x0000000007130000-0x000000000716E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4996-175-0x0000000007130000-0x000000000716E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4996-177-0x0000000007130000-0x000000000716E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4996-179-0x0000000007130000-0x000000000716E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4996-181-0x0000000007130000-0x000000000716E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4996-183-0x0000000007130000-0x000000000716E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4996-185-0x0000000007130000-0x000000000716E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4996-187-0x0000000007130000-0x000000000716E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4996-153-0x0000000002CB0000-0x0000000002CFB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4996-191-0x0000000007130000-0x000000000716E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4996-193-0x0000000007130000-0x000000000716E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4996-195-0x0000000007130000-0x000000000716E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4996-197-0x0000000007130000-0x000000000716E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4996-199-0x0000000007130000-0x000000000716E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4996-154-0x0000000007200000-0x00000000077A4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4996-203-0x0000000007130000-0x000000000716E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4996-205-0x0000000007130000-0x000000000716E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4996-207-0x0000000007130000-0x000000000716E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4996-209-0x0000000007130000-0x000000000716E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4996-211-0x0000000007130000-0x000000000716E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4996-213-0x0000000007130000-0x000000000716E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4996-215-0x0000000007130000-0x000000000716E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4996-217-0x0000000007130000-0x000000000716E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4996-219-0x0000000007130000-0x000000000716E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4996-221-0x0000000007130000-0x000000000716E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4996-1064-0x00000000077B0000-0x0000000007DC8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4996-1065-0x0000000007E30000-0x0000000007F3A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4996-1066-0x0000000007F70000-0x0000000007F82000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4996-1067-0x0000000007F90000-0x0000000007FCC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4996-1068-0x00000000071F0000-0x0000000007200000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4996-1070-0x00000000071F0000-0x0000000007200000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4996-1071-0x00000000071F0000-0x0000000007200000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4996-1072-0x00000000071F0000-0x0000000007200000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4996-1073-0x0000000008280000-0x0000000008312000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4996-1074-0x0000000008320000-0x0000000008386000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4996-1075-0x0000000009F30000-0x000000000A0F2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4996-1076-0x000000000A110000-0x000000000A63C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4996-1077-0x00000000071F0000-0x0000000007200000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4996-1078-0x000000000A750000-0x000000000A7C6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4996-1079-0x0000000004AC0000-0x0000000004B10000-memory.dmp

      Filesize

      320KB

      Download