Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/03/2023, 21:31

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    b55943d8174cde460b0092fc748afaf47aa653f8c47263fe45041ee46bcab5d1.exe

  • Size

    700KB

  • MD5

    fa9f2b86cf9c24e9835b89da7d8ff9a7

  • SHA1

    a95927430f442822964978c39acc289e2897a8bb

  • SHA256

    b55943d8174cde460b0092fc748afaf47aa653f8c47263fe45041ee46bcab5d1

  • SHA512

    be09cab83c3f41160f18fff03d5b007f46b83898d5c445cae5adc6ad40bed2267c50bab7c70e8c142f26359bd9e2f6887e68f099be3b3bdc5fbfad11fa165ad0

  • SSDEEP

    12288:pMr4y903QYLFfxr1b5KrQPouZxQ+GJPiZWleuSIyYcG:dyylxhb5AbM4qZWlehpG

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 19 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b55943d8174cde460b0092fc748afaf47aa653f8c47263fe45041ee46bcab5d1.exe
    "C:\Users\Admin\AppData\Local\Temp\b55943d8174cde460b0092fc748afaf47aa653f8c47263fe45041ee46bcab5d1.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3524
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un358908.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un358908.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3096
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9059.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9059.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2968
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1080
          4⤵
          • Program crash
          PID:4840
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0845.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0845.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2624
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 1340
          4⤵
          • Program crash
          PID:2996
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si683045.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si683045.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2848
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2968 -ip 2968
    1⤵
      PID:2680
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2624 -ip 2624
      1⤵
        PID:2008

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si683045.exe
              Filesize

              175KB

              MD5

              0e10dd14f4b8a67d3a220b64dc574066

              SHA1

              c2bfef9dd5f27178f12b7ab14ba190826cd4ab50

              SHA256

              6fc1b68da04f5b7511ecfe6836da8412e8e0d3a5a4d61eebe574b8d0a75930ab

              SHA512

              1c060833ef9925be8212fb3bd3df91031d02e67c6857b47836d5cd729277b8df244a4f9856e13c4e3de99391420fa78bb38e55f5abeae3af58266074aa7b5fb6

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si683045.exe
              Filesize

              175KB

              MD5

              0e10dd14f4b8a67d3a220b64dc574066

              SHA1

              c2bfef9dd5f27178f12b7ab14ba190826cd4ab50

              SHA256

              6fc1b68da04f5b7511ecfe6836da8412e8e0d3a5a4d61eebe574b8d0a75930ab

              SHA512

              1c060833ef9925be8212fb3bd3df91031d02e67c6857b47836d5cd729277b8df244a4f9856e13c4e3de99391420fa78bb38e55f5abeae3af58266074aa7b5fb6

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un358908.exe
              Filesize

              558KB

              MD5

              f17b1ba13bb8ced3a4d81ab1864153e4

              SHA1

              376d1d592303243e524160947af1b9b104ac7276

              SHA256

              dad42d36703bfa7200490225eeee0ab865d0402be0fd08ab5ac94f245cc0742f

              SHA512

              d2c38c94f628fd48561a582db0ef0952b2198c3cfedbdf872950305cd2a6cb74bc21a6b9b729c09653ce367246864f7c2da21aa3268008c228c0558fbe6e2240

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un358908.exe
              Filesize

              558KB

              MD5

              f17b1ba13bb8ced3a4d81ab1864153e4

              SHA1

              376d1d592303243e524160947af1b9b104ac7276

              SHA256

              dad42d36703bfa7200490225eeee0ab865d0402be0fd08ab5ac94f245cc0742f

              SHA512

              d2c38c94f628fd48561a582db0ef0952b2198c3cfedbdf872950305cd2a6cb74bc21a6b9b729c09653ce367246864f7c2da21aa3268008c228c0558fbe6e2240

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9059.exe
              Filesize

              307KB

              MD5

              e22740343267f377832c91ab495cc109

              SHA1

              0d6f760748b983b6a8cfb7cda4f219cb1db2a2be

              SHA256

              3ed893274368e996db400f6a070594f1cb1e4a4c8c2ff5099e73d916f5e954a6

              SHA512

              136a926767d427b9abb69f5fe7f66d1f8a320280acfe246375176e95e9202621448f7605da94ab0ffef3d830a939cf536a3084068084b11f31b1538d22835109

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9059.exe
              Filesize

              307KB

              MD5

              e22740343267f377832c91ab495cc109

              SHA1

              0d6f760748b983b6a8cfb7cda4f219cb1db2a2be

              SHA256

              3ed893274368e996db400f6a070594f1cb1e4a4c8c2ff5099e73d916f5e954a6

              SHA512

              136a926767d427b9abb69f5fe7f66d1f8a320280acfe246375176e95e9202621448f7605da94ab0ffef3d830a939cf536a3084068084b11f31b1538d22835109

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0845.exe
              Filesize

              365KB

              MD5

              1fabb6317e91566e855a82a5b6680dd5

              SHA1

              5ac2c5baabcdda9c431c27ee8c101ad7b066934d

              SHA256

              3b3c0afeb8f9138bfb7f94d0423e75b8fac391626614f4ed1061b48c5fdd1a0d

              SHA512

              8491745335c78a195825a2972e9fae8afe31b048ee1c7563bd66597defadff009118b49b1dd89fc1c64ebb6b09959654f911bbc5c989c6ff00979626854c3478

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0845.exe
              Filesize

              365KB

              MD5

              1fabb6317e91566e855a82a5b6680dd5

              SHA1

              5ac2c5baabcdda9c431c27ee8c101ad7b066934d

              SHA256

              3b3c0afeb8f9138bfb7f94d0423e75b8fac391626614f4ed1061b48c5fdd1a0d

              SHA512

              8491745335c78a195825a2972e9fae8afe31b048ee1c7563bd66597defadff009118b49b1dd89fc1c64ebb6b09959654f911bbc5c989c6ff00979626854c3478

              Download Submit

            • memory/2624-487-0x0000000004D70000-0x0000000004D80000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2624-1102-0x0000000005B00000-0x0000000005C0A000-memory.dmp

              Filesize

              1.0MB

              Download

            • memory/2624-1115-0x0000000006AD0000-0x0000000006FFC000-memory.dmp

              Filesize

              5.2MB

              Download

            • memory/2624-1114-0x0000000006900000-0x0000000006AC2000-memory.dmp

              Filesize

              1.8MB

              Download

            • memory/2624-1113-0x0000000004D70000-0x0000000004D80000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2624-1112-0x0000000004D70000-0x0000000004D80000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2624-1111-0x0000000004D70000-0x0000000004D80000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2624-1110-0x0000000006780000-0x00000000067D0000-memory.dmp

              Filesize

              320KB

              Download

            • memory/2624-1109-0x00000000066F0000-0x0000000006766000-memory.dmp

              Filesize

              472KB

              Download

            • memory/2624-1108-0x0000000005FF0000-0x0000000006056000-memory.dmp

              Filesize

              408KB

              Download

            • memory/2624-1106-0x0000000005F50000-0x0000000005FE2000-memory.dmp

              Filesize

              584KB

              Download

            • memory/2624-1105-0x0000000004D70000-0x0000000004D80000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2624-1104-0x0000000005C60000-0x0000000005C9C000-memory.dmp

              Filesize

              240KB

              Download

            • memory/2624-1103-0x0000000005C40000-0x0000000005C52000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2624-1101-0x0000000005470000-0x0000000005A88000-memory.dmp

              Filesize

              6.1MB

              Download

            • memory/2624-491-0x0000000004D70000-0x0000000004D80000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2624-489-0x0000000004D70000-0x0000000004D80000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2624-225-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/2624-223-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/2624-221-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/2624-219-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/2624-217-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/2624-215-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/2624-191-0x00000000007F0000-0x000000000083B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/2624-193-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/2624-192-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/2624-195-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/2624-197-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/2624-199-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/2624-201-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/2624-203-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/2624-205-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/2624-207-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/2624-209-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/2624-211-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/2624-213-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

              Filesize

              252KB

              Download

            • memory/2848-1121-0x0000000000530000-0x0000000000562000-memory.dmp

              Filesize

              200KB

              Download

            • memory/2848-1122-0x0000000005110000-0x0000000005120000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2968-174-0x0000000002530000-0x0000000002542000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2968-149-0x00000000007E0000-0x000000000080D000-memory.dmp

              Filesize

              180KB

              Download

            • memory/2968-183-0x0000000004E70000-0x0000000004E80000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2968-182-0x0000000004E70000-0x0000000004E80000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2968-181-0x0000000000400000-0x000000000070F000-memory.dmp

              Filesize

              3.1MB

              Download

            • memory/2968-150-0x0000000004E70000-0x0000000004E80000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2968-180-0x0000000002530000-0x0000000002542000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2968-178-0x0000000002530000-0x0000000002542000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2968-153-0x0000000002530000-0x0000000002542000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2968-176-0x0000000002530000-0x0000000002542000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2968-151-0x0000000004E70000-0x0000000004E80000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2968-172-0x0000000002530000-0x0000000002542000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2968-184-0x0000000004E70000-0x0000000004E80000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2968-166-0x0000000002530000-0x0000000002542000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2968-170-0x0000000002530000-0x0000000002542000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2968-164-0x0000000002530000-0x0000000002542000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2968-162-0x0000000002530000-0x0000000002542000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2968-160-0x0000000002530000-0x0000000002542000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2968-158-0x0000000002530000-0x0000000002542000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2968-156-0x0000000002530000-0x0000000002542000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2968-154-0x0000000002530000-0x0000000002542000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2968-168-0x0000000002530000-0x0000000002542000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2968-148-0x0000000004E80000-0x0000000005424000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/2968-186-0x0000000000400000-0x000000000070F000-memory.dmp

              Filesize

              3.1MB

              Download

            • memory/2968-152-0x0000000004E70000-0x0000000004E80000-memory.dmp

              Filesize

              64KB

              Download