Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/03/2023, 14:46

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    7a2099399d703af9b16dd80dbd2683e6e9abce5bea13249670a951180707f73d.exe

  • Size

    552KB

  • MD5

    55c57236aa9d475e72bdb0a412c09c1a

  • SHA1

    0605f9791122665bec0d066aef555d8d14550227

  • SHA256

    7a2099399d703af9b16dd80dbd2683e6e9abce5bea13249670a951180707f73d

  • SHA512

    fe3f6e07ec5fb742e2125d52de179cbcd10292a77c7328220d7a36d2d4f6886ae366fae0bcac998faa70d84c8add50fb9a9c5fad11ffd85552afd75a59fe48b7

  • SSDEEP

    12288:nMrGy90Rt/jP5d8Y+ng4ziaaj6GC2A50OZMQ9YOlQBX:ty6/dcg4WT6UBQ9FQd

Score
10/10
redlineborisrotikdiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

boris

C2

193.233.20.32:4125

Attributes
  • auth_value

    766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

rotik

C2

193.233.20.32:4125

Attributes
  • auth_value

    74863478ae154e921eb729354d2bb4bd

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7a2099399d703af9b16dd80dbd2683e6e9abce5bea13249670a951180707f73d.exe
    "C:\Users\Admin\AppData\Local\Temp\7a2099399d703af9b16dd80dbd2683e6e9abce5bea13249670a951180707f73d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3516
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2723.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2723.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2144
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h93ev74.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h93ev74.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2212
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\icNrU09.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\icNrU09.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4804
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 1328
          4⤵
          • Program crash
          PID:5020
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l71gk86.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l71gk86.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1064
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4804 -ip 4804
    1⤵
      PID:4760
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start wuauserv
      1⤵
      • Launches sc.exe
      PID:372

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l71gk86.exe
            Filesize

            175KB

            MD5

            efc3b1703bec9a0e79d4a9fdcedf4a20

            SHA1

            d019bfe5fbf05fde5cae0029f9580dca9677a3b2

            SHA256

            1d9b391ee239469206cf31022b982e66c2ab463d3106a38526103e1c1b8be855

            SHA512

            f36bbf81fe3bb68c8c8a1fc19dd7c79b386cfdb13b1e5d5e617c4a5ef8a38ed4c4c717f466c9293e2e1067d0f94c9d1ebc1814919e5c572dc66365fdd6009b8a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l71gk86.exe
            Filesize

            175KB

            MD5

            efc3b1703bec9a0e79d4a9fdcedf4a20

            SHA1

            d019bfe5fbf05fde5cae0029f9580dca9677a3b2

            SHA256

            1d9b391ee239469206cf31022b982e66c2ab463d3106a38526103e1c1b8be855

            SHA512

            f36bbf81fe3bb68c8c8a1fc19dd7c79b386cfdb13b1e5d5e617c4a5ef8a38ed4c4c717f466c9293e2e1067d0f94c9d1ebc1814919e5c572dc66365fdd6009b8a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2723.exe
            Filesize

            410KB

            MD5

            aca8ceec693c7ac383481b405be148a7

            SHA1

            ecd8d7fb15b0e94c25ac889413d008667915a6b7

            SHA256

            a4d5799cf3059e20551dff6b3ac4f28402c02a878f03b2c3d262ae6b5d9049de

            SHA512

            91681b6ef0b7644788e5de84fe95ee180d283a2edb412183e1e4a13cd7a43018ccdb8d8df8a9fd4c98bc89f8394de3a4bfa0d111e7a4899bd8ce320990eb785a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba2723.exe
            Filesize

            410KB

            MD5

            aca8ceec693c7ac383481b405be148a7

            SHA1

            ecd8d7fb15b0e94c25ac889413d008667915a6b7

            SHA256

            a4d5799cf3059e20551dff6b3ac4f28402c02a878f03b2c3d262ae6b5d9049de

            SHA512

            91681b6ef0b7644788e5de84fe95ee180d283a2edb412183e1e4a13cd7a43018ccdb8d8df8a9fd4c98bc89f8394de3a4bfa0d111e7a4899bd8ce320990eb785a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h93ev74.exe
            Filesize

            11KB

            MD5

            7e93bacbbc33e6652e147e7fe07572a0

            SHA1

            421a7167da01c8da4dc4d5234ca3dd84e319e762

            SHA256

            850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

            SHA512

            250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h93ev74.exe
            Filesize

            11KB

            MD5

            7e93bacbbc33e6652e147e7fe07572a0

            SHA1

            421a7167da01c8da4dc4d5234ca3dd84e319e762

            SHA256

            850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

            SHA512

            250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\icNrU09.exe
            Filesize

            382KB

            MD5

            795ed64375928ed91d488e25819aa1b3

            SHA1

            cc58fa3cf1fbe1798ee6c625ed9a4692903ab16d

            SHA256

            49293e12f4619ce9f6e8c8058bfcd5db7303a85051cf030a1ed40841bdaa4796

            SHA512

            73bcf5824cb6a7431c4bb2cbd5b3af433915dbbf48445ac4608069833cffab48fc2400faa78498568409e96a1984f420c670641a7841621e79428379dbb2d240

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\icNrU09.exe
            Filesize

            382KB

            MD5

            795ed64375928ed91d488e25819aa1b3

            SHA1

            cc58fa3cf1fbe1798ee6c625ed9a4692903ab16d

            SHA256

            49293e12f4619ce9f6e8c8058bfcd5db7303a85051cf030a1ed40841bdaa4796

            SHA512

            73bcf5824cb6a7431c4bb2cbd5b3af433915dbbf48445ac4608069833cffab48fc2400faa78498568409e96a1984f420c670641a7841621e79428379dbb2d240

            Download Submit

          • memory/1064-1083-0x0000000000F30000-0x0000000000F62000-memory.dmp

            Filesize

            200KB

            Download

          • memory/1064-1084-0x0000000005890000-0x00000000058A0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2212-147-0x0000000000EF0000-0x0000000000EFA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/4804-188-0x0000000007270000-0x00000000072AF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4804-198-0x0000000007270000-0x00000000072AF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4804-156-0x0000000007300000-0x0000000007310000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4804-157-0x0000000007270000-0x00000000072AF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4804-158-0x0000000007270000-0x00000000072AF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4804-160-0x0000000007270000-0x00000000072AF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4804-162-0x0000000007270000-0x00000000072AF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4804-164-0x0000000007270000-0x00000000072AF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4804-166-0x0000000007270000-0x00000000072AF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4804-168-0x0000000007270000-0x00000000072AF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4804-170-0x0000000007270000-0x00000000072AF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4804-172-0x0000000007270000-0x00000000072AF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4804-174-0x0000000007270000-0x00000000072AF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4804-176-0x0000000007270000-0x00000000072AF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4804-178-0x0000000007270000-0x00000000072AF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4804-180-0x0000000007270000-0x00000000072AF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4804-182-0x0000000007270000-0x00000000072AF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4804-184-0x0000000007270000-0x00000000072AF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4804-186-0x0000000007270000-0x00000000072AF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4804-154-0x0000000002C70000-0x0000000002CBB000-memory.dmp

            Filesize

            300KB

            Download

          • memory/4804-190-0x0000000007270000-0x00000000072AF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4804-192-0x0000000007270000-0x00000000072AF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4804-194-0x0000000007270000-0x00000000072AF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4804-196-0x0000000007270000-0x00000000072AF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4804-200-0x0000000007270000-0x00000000072AF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4804-155-0x0000000007300000-0x0000000007310000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4804-202-0x0000000007270000-0x00000000072AF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4804-204-0x0000000007270000-0x00000000072AF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4804-206-0x0000000007270000-0x00000000072AF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4804-208-0x0000000007270000-0x00000000072AF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4804-210-0x0000000007270000-0x00000000072AF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4804-212-0x0000000007270000-0x00000000072AF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4804-214-0x0000000007270000-0x00000000072AF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4804-218-0x0000000007270000-0x00000000072AF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4804-216-0x0000000007270000-0x00000000072AF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4804-220-0x0000000007270000-0x00000000072AF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4804-1063-0x00000000078D0000-0x0000000007EE8000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/4804-1064-0x0000000007F70000-0x000000000807A000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/4804-1065-0x00000000080B0000-0x00000000080C2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4804-1066-0x0000000008110000-0x000000000814C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/4804-1067-0x0000000007300000-0x0000000007310000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4804-1069-0x00000000083C0000-0x0000000008426000-memory.dmp

            Filesize

            408KB

            Download

          • memory/4804-1070-0x0000000008A90000-0x0000000008B22000-memory.dmp

            Filesize

            584KB

            Download

          • memory/4804-1071-0x0000000007300000-0x0000000007310000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4804-1072-0x0000000007300000-0x0000000007310000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4804-1073-0x0000000008C80000-0x0000000008E42000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/4804-1074-0x0000000008E60000-0x000000000938C000-memory.dmp

            Filesize

            5.2MB

            Download

          • memory/4804-153-0x0000000007310000-0x00000000078B4000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/4804-1075-0x0000000007300000-0x0000000007310000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4804-1076-0x0000000009750000-0x00000000097C6000-memory.dmp

            Filesize

            472KB

            Download

          • memory/4804-1077-0x00000000097E0000-0x0000000009830000-memory.dmp

            Filesize

            320KB

            Download