Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    87s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/03/2023, 13:28

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    d62906d98cb4da493ecf57496a75754251b1e722d3ad183d3429c5c88347a8cb.exe

  • Size

    688KB

  • MD5

    b254d548f860743b8ded8174f3ecdb1a

  • SHA1

    d2da541eb0d3beb63780b9063839067c4e98492f

  • SHA256

    d62906d98cb4da493ecf57496a75754251b1e722d3ad183d3429c5c88347a8cb

  • SHA512

    274f23a984f98b29b7323b4eb88e5c05c41887dccc9ead07306c545e37ed37f0176a25f80d0bd3438f67dd5f0b071bf3e766cee354afa89714d32ba1ceb45095

  • SSDEEP

    12288:0MrWy90oEr4rlDJtLIN7npqWnrne+wJhTqIO3XyWePP0aRkdrUnE:iyvErEtLIW4neDmzCPsxdrv

Score
10/10
redlineborisfirmudiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

boris

C2

193.233.20.32:4125

Attributes
  • auth_value

    766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

firmu

C2

193.233.20.32:4125

Attributes
  • auth_value

    9f3e5e35e4a3a38fc36c5a851728aa33

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d62906d98cb4da493ecf57496a75754251b1e722d3ad183d3429c5c88347a8cb.exe
    "C:\Users\Admin\AppData\Local\Temp\d62906d98cb4da493ecf57496a75754251b1e722d3ad183d3429c5c88347a8cb.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:432
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un444316.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un444316.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:316
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6546.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6546.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4396
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 1084
          4⤵
          • Program crash
          PID:4652
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7886.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7886.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1440
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 1764
          4⤵
          • Program crash
          PID:3440
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si432157.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si432157.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3180
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4396 -ip 4396
    1⤵
      PID:636
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1440 -ip 1440
      1⤵
        PID:4720

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si432157.exe
              Filesize

              175KB

              MD5

              6b780eb9c71d7b15142e05f33765678b

              SHA1

              1b853b28e715a7c7a8e4a39567e7b22697265741

              SHA256

              2067ab13d0198979bf52e0b0e37bc9187cb178517620826424fc3c9f41c06d76

              SHA512

              a149005b933b4a7739cf723ee1fec219e8eb2019fbe5300a807383aae83c46e60d0fcd8f3b1f5cb8d85556ade4567db91ecdaa4fdbbc87350d5cb7b1f4274314

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si432157.exe
              Filesize

              175KB

              MD5

              6b780eb9c71d7b15142e05f33765678b

              SHA1

              1b853b28e715a7c7a8e4a39567e7b22697265741

              SHA256

              2067ab13d0198979bf52e0b0e37bc9187cb178517620826424fc3c9f41c06d76

              SHA512

              a149005b933b4a7739cf723ee1fec219e8eb2019fbe5300a807383aae83c46e60d0fcd8f3b1f5cb8d85556ade4567db91ecdaa4fdbbc87350d5cb7b1f4274314

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un444316.exe
              Filesize

              546KB

              MD5

              c4097b97d4bf533f0a0131d0fbd4a1e4

              SHA1

              bbb71c7be94944eb8f7c3f7f02cfb6b686b12dcd

              SHA256

              59a222b70df72cd20d795b417aefda0cdaa7d51aeb594bc962e79d5fb5fd69a4

              SHA512

              0152ff2ba22c002a256bafef887ac061284759a6d10615a930e9275c9febed30d94508f97565c035a33db042e9e07b84993560945e9aae10b3670406b4018bbb

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un444316.exe
              Filesize

              546KB

              MD5

              c4097b97d4bf533f0a0131d0fbd4a1e4

              SHA1

              bbb71c7be94944eb8f7c3f7f02cfb6b686b12dcd

              SHA256

              59a222b70df72cd20d795b417aefda0cdaa7d51aeb594bc962e79d5fb5fd69a4

              SHA512

              0152ff2ba22c002a256bafef887ac061284759a6d10615a930e9275c9febed30d94508f97565c035a33db042e9e07b84993560945e9aae10b3670406b4018bbb

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6546.exe
              Filesize

              325KB

              MD5

              afe5fd3de54c9af89d738f9b9a480d42

              SHA1

              3834bce01d35eed96aa04c556e92ae95665f68eb

              SHA256

              648803c70a4fefe90529fc22d22f28df2d9df21da79899abcb89eea8568dd6c6

              SHA512

              be7d05e918a141c4b0ff7d53163210991cff1b2541e8e1497edf371f9eacb41613440ce4a429626d9d0113a838b1c74dfdcbe925e84b1b066970c91c17070ae7

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6546.exe
              Filesize

              325KB

              MD5

              afe5fd3de54c9af89d738f9b9a480d42

              SHA1

              3834bce01d35eed96aa04c556e92ae95665f68eb

              SHA256

              648803c70a4fefe90529fc22d22f28df2d9df21da79899abcb89eea8568dd6c6

              SHA512

              be7d05e918a141c4b0ff7d53163210991cff1b2541e8e1497edf371f9eacb41613440ce4a429626d9d0113a838b1c74dfdcbe925e84b1b066970c91c17070ae7

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7886.exe
              Filesize

              382KB

              MD5

              9dea52c8b87458eb7fc48f393bdbd831

              SHA1

              f4162b84bde3d68a087bb4da82435c2028dc0d4e

              SHA256

              63c241596e383680cb5c72acde5c3a56869243e1c64fd92e1fdf633a5e26d897

              SHA512

              2f2accd6b1935c09ddb3f815a014681a9514c4d3417d1a8e9373954d99e1d9f7f2257a5d47cbad3cd5801afb34298f5b3ebc33e79b9b61709000c73706728f4c

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7886.exe
              Filesize

              382KB

              MD5

              9dea52c8b87458eb7fc48f393bdbd831

              SHA1

              f4162b84bde3d68a087bb4da82435c2028dc0d4e

              SHA256

              63c241596e383680cb5c72acde5c3a56869243e1c64fd92e1fdf633a5e26d897

              SHA512

              2f2accd6b1935c09ddb3f815a014681a9514c4d3417d1a8e9373954d99e1d9f7f2257a5d47cbad3cd5801afb34298f5b3ebc33e79b9b61709000c73706728f4c

              Download Submit

            • memory/1440-1102-0x0000000008000000-0x000000000810A000-memory.dmp

              Filesize

              1.0MB

              Download

            • memory/1440-1103-0x00000000073C0000-0x00000000073D2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/1440-1116-0x0000000007420000-0x0000000007430000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1440-1115-0x0000000007420000-0x0000000007430000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1440-1112-0x0000000007420000-0x0000000007430000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1440-1114-0x0000000007420000-0x0000000007430000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1440-1113-0x0000000008F80000-0x00000000094AC000-memory.dmp

              Filesize

              5.2MB

              Download

            • memory/1440-1111-0x0000000008DA0000-0x0000000008F62000-memory.dmp

              Filesize

              1.8MB

              Download

            • memory/1440-1110-0x0000000008BF0000-0x0000000008C40000-memory.dmp

              Filesize

              320KB

              Download

            • memory/1440-1109-0x0000000008B60000-0x0000000008BD6000-memory.dmp

              Filesize

              472KB

              Download

            • memory/1440-1108-0x0000000008A90000-0x0000000008B22000-memory.dmp

              Filesize

              584KB

              Download

            • memory/1440-1107-0x00000000083C0000-0x0000000008426000-memory.dmp

              Filesize

              408KB

              Download

            • memory/1440-1105-0x00000000073E0000-0x000000000741C000-memory.dmp

              Filesize

              240KB

              Download

            • memory/1440-1104-0x0000000007420000-0x0000000007430000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1440-206-0x0000000007420000-0x0000000007430000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1440-1101-0x00000000079E0000-0x0000000007FF8000-memory.dmp

              Filesize

              6.1MB

              Download

            • memory/1440-228-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/1440-226-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/1440-224-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/1440-222-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/1440-205-0x0000000002C60000-0x0000000002CAB000-memory.dmp

              Filesize

              300KB

              Download

            • memory/1440-218-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/1440-216-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/1440-191-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/1440-194-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/1440-192-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/1440-196-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/1440-198-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/1440-200-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/1440-202-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/1440-214-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/1440-210-0x0000000007420000-0x0000000007430000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1440-220-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/1440-204-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/1440-209-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/1440-208-0x0000000007420000-0x0000000007430000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1440-212-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/3180-1122-0x0000000000A10000-0x0000000000A42000-memory.dmp

              Filesize

              200KB

              Download

            • memory/3180-1123-0x0000000005600000-0x0000000005610000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4396-157-0x0000000004970000-0x0000000004982000-memory.dmp

              Filesize

              72KB

              Download

            • memory/4396-149-0x00000000073E0000-0x0000000007984000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/4396-185-0x00000000073D0000-0x00000000073E0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4396-184-0x00000000073D0000-0x00000000073E0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4396-183-0x00000000073D0000-0x00000000073E0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4396-181-0x0000000000400000-0x0000000002B7E000-memory.dmp

              Filesize

              39.5MB

              Download

            • memory/4396-180-0x00000000073D0000-0x00000000073E0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4396-150-0x0000000004970000-0x0000000004982000-memory.dmp

              Filesize

              72KB

              Download

            • memory/4396-179-0x00000000073D0000-0x00000000073E0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4396-155-0x0000000004970000-0x0000000004982000-memory.dmp

              Filesize

              72KB

              Download

            • memory/4396-178-0x00000000073D0000-0x00000000073E0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4396-186-0x0000000000400000-0x0000000002B7E000-memory.dmp

              Filesize

              39.5MB

              Download

            • memory/4396-175-0x0000000004970000-0x0000000004982000-memory.dmp

              Filesize

              72KB

              Download

            • memory/4396-169-0x0000000004970000-0x0000000004982000-memory.dmp

              Filesize

              72KB

              Download

            • memory/4396-173-0x0000000004970000-0x0000000004982000-memory.dmp

              Filesize

              72KB

              Download

            • memory/4396-167-0x0000000004970000-0x0000000004982000-memory.dmp

              Filesize

              72KB

              Download

            • memory/4396-165-0x0000000004970000-0x0000000004982000-memory.dmp

              Filesize

              72KB

              Download

            • memory/4396-163-0x0000000004970000-0x0000000004982000-memory.dmp

              Filesize

              72KB

              Download

            • memory/4396-161-0x0000000004970000-0x0000000004982000-memory.dmp

              Filesize

              72KB

              Download

            • memory/4396-159-0x0000000004970000-0x0000000004982000-memory.dmp

              Filesize

              72KB

              Download

            • memory/4396-177-0x0000000004970000-0x0000000004982000-memory.dmp

              Filesize

              72KB

              Download

            • memory/4396-171-0x0000000004970000-0x0000000004982000-memory.dmp

              Filesize

              72KB

              Download

            • memory/4396-148-0x0000000002B80000-0x0000000002BAD000-memory.dmp

              Filesize

              180KB

              Download

            • memory/4396-153-0x0000000004970000-0x0000000004982000-memory.dmp

              Filesize

              72KB

              Download

            • memory/4396-151-0x0000000004970000-0x0000000004982000-memory.dmp

              Filesize

              72KB

              Download