Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    117s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2023 21:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    66a71698ab8455fe424345c33cd9f9c2c0f1b93a5fb7f65f11f0da0fe4506600.exe

  • Size

    700KB

  • MD5

    019183d00d5ded2a8efcd2c78d51d0d4

  • SHA1

    1e8fdbcddba0a3bd86763a6855da268bf2bbd604

  • SHA256

    66a71698ab8455fe424345c33cd9f9c2c0f1b93a5fb7f65f11f0da0fe4506600

  • SHA512

    6ae10b9b5b7b01ca4fb9debfcaca163e533e507c002cce1c3c18e07363521e37bcd478b9a37474779c7d063bc46ecf19cb1e6f7d2e9a51c5d31c725ed2c107aa

  • SSDEEP

    12288:7Mr+y90Yxiw+7CJ9uQQCf9DGqcAHucbNgflIRaAXFUhV+IoM:5yaauQQCTHucGfC0AXFUTZoM

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\66a71698ab8455fe424345c33cd9f9c2c0f1b93a5fb7f65f11f0da0fe4506600.exe
    "C:\Users\Admin\AppData\Local\Temp\66a71698ab8455fe424345c33cd9f9c2c0f1b93a5fb7f65f11f0da0fe4506600.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un285604.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un285604.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4788
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7259.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7259.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3000
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 1028
          4⤵
          • Program crash
          PID:4676
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1074.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1074.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1336
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 1328
          4⤵
          • Program crash
          PID:1900
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si598851.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si598851.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4464
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3000 -ip 3000
    1⤵
      PID:2572
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1336 -ip 1336
      1⤵
        PID:1620
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe start wuauserv
        1⤵
        • Launches sc.exe
        PID:896

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si598851.exe
        Filesize

        175KB

        MD5

        a5c90ba8bb641ad252a59c4c75c4c2ad

        SHA1

        941e7b7561dc28d52c72036069b87949934f6e90

        SHA256

        b2fb8c2cba891eb0a56e5fdacf61b25c3f96885de5a65392f26041a68b2aad3b

        SHA512

        3255fff24746109341d3d7c7953ae78cc99cf8dfff5583980c6cbebc291f6fa760fcbbb8c6486c569a9ac72b2922f1357af538aa5bb8f147471770b021eb07f5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si598851.exe
        Filesize

        175KB

        MD5

        a5c90ba8bb641ad252a59c4c75c4c2ad

        SHA1

        941e7b7561dc28d52c72036069b87949934f6e90

        SHA256

        b2fb8c2cba891eb0a56e5fdacf61b25c3f96885de5a65392f26041a68b2aad3b

        SHA512

        3255fff24746109341d3d7c7953ae78cc99cf8dfff5583980c6cbebc291f6fa760fcbbb8c6486c569a9ac72b2922f1357af538aa5bb8f147471770b021eb07f5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un285604.exe
        Filesize

        558KB

        MD5

        8f13fde7df4630656739531648146e7f

        SHA1

        a7f49cccfd0f37f33bb34909366a545a87fd5d61

        SHA256

        daebec228f9dfe6a2e0ed8888f25afaaf79c45695a1faceb3b5e72de0a966102

        SHA512

        b563f32d4d83ecda86b18bbc436b35d76d04f48a434388f0bafe65d7a56deb04a9fa4b0b080f67fde9788edda6756daf2ee5344cd8064e03d11582f21b762087

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un285604.exe
        Filesize

        558KB

        MD5

        8f13fde7df4630656739531648146e7f

        SHA1

        a7f49cccfd0f37f33bb34909366a545a87fd5d61

        SHA256

        daebec228f9dfe6a2e0ed8888f25afaaf79c45695a1faceb3b5e72de0a966102

        SHA512

        b563f32d4d83ecda86b18bbc436b35d76d04f48a434388f0bafe65d7a56deb04a9fa4b0b080f67fde9788edda6756daf2ee5344cd8064e03d11582f21b762087

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7259.exe
        Filesize

        307KB

        MD5

        0b5fa7f05ce219cbab177262ffb9b1e0

        SHA1

        5b69aa066ab61214ef1288206376d529812188a0

        SHA256

        b90c3dbe2858e4188162ad8ee2c75b4e11764881c948d78e89070ebfc4dd0fed

        SHA512

        e56cdf5cc51e92934e5d6539c6284d57c44a0756b7236acfe507d8f6546867103fd67f83e1bf022f2779be2e040222f8ae5f161f5ff34cdf640503d6482793f9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7259.exe
        Filesize

        307KB

        MD5

        0b5fa7f05ce219cbab177262ffb9b1e0

        SHA1

        5b69aa066ab61214ef1288206376d529812188a0

        SHA256

        b90c3dbe2858e4188162ad8ee2c75b4e11764881c948d78e89070ebfc4dd0fed

        SHA512

        e56cdf5cc51e92934e5d6539c6284d57c44a0756b7236acfe507d8f6546867103fd67f83e1bf022f2779be2e040222f8ae5f161f5ff34cdf640503d6482793f9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1074.exe
        Filesize

        365KB

        MD5

        5d2b0a714b755974fbbd4ba8ceaf2730

        SHA1

        85a33379b67baa218f4784b61071246d6d78d1c4

        SHA256

        f83d3a98f8a3295b0dc03033982d14d45ae36aa1241fbb7fefe63b2fec942249

        SHA512

        79ae7723f6586a5a6365bdeea3ff2163e1f0d22e2181725634bd2d7ec838bb41581f865b9e30838f5be8c4ff5ed65325196d7655bd4d2608860c836e61f90141

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1074.exe
        Filesize

        365KB

        MD5

        5d2b0a714b755974fbbd4ba8ceaf2730

        SHA1

        85a33379b67baa218f4784b61071246d6d78d1c4

        SHA256

        f83d3a98f8a3295b0dc03033982d14d45ae36aa1241fbb7fefe63b2fec942249

        SHA512

        79ae7723f6586a5a6365bdeea3ff2163e1f0d22e2181725634bd2d7ec838bb41581f865b9e30838f5be8c4ff5ed65325196d7655bd4d2608860c836e61f90141

        Download Submit

      • memory/1336-227-0x00000000028B0000-0x00000000028EF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1336-1102-0x0000000004F50000-0x0000000004F62000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1336-1115-0x0000000006C20000-0x000000000714C000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/1336-1114-0x0000000006A50000-0x0000000006C12000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/1336-1113-0x0000000004F70000-0x0000000004F80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1336-1111-0x0000000004F70000-0x0000000004F80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1336-1112-0x0000000004F70000-0x0000000004F80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1336-1110-0x0000000004F70000-0x0000000004F80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1336-1108-0x0000000006780000-0x00000000067D0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/1336-1107-0x00000000066F0000-0x0000000006766000-memory.dmp

        Filesize

        472KB

        Download

      • memory/1336-1106-0x0000000006620000-0x00000000066B2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/1336-1105-0x0000000005F50000-0x0000000005FB6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1336-1104-0x0000000004F70000-0x0000000004F80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1336-1103-0x0000000005C60000-0x0000000005C9C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1336-1101-0x0000000005B50000-0x0000000005C5A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/1336-1100-0x0000000005530000-0x0000000005B48000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/1336-225-0x00000000028B0000-0x00000000028EF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1336-223-0x00000000028B0000-0x00000000028EF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1336-221-0x00000000028B0000-0x00000000028EF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1336-219-0x00000000028B0000-0x00000000028EF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1336-217-0x00000000028B0000-0x00000000028EF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1336-215-0x00000000028B0000-0x00000000028EF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1336-190-0x0000000000870000-0x00000000008BB000-memory.dmp

        Filesize

        300KB

        Download

      • memory/1336-192-0x0000000004F70000-0x0000000004F80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1336-191-0x0000000004F70000-0x0000000004F80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1336-193-0x0000000004F70000-0x0000000004F80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1336-194-0x00000000028B0000-0x00000000028EF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1336-195-0x00000000028B0000-0x00000000028EF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1336-197-0x00000000028B0000-0x00000000028EF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1336-199-0x00000000028B0000-0x00000000028EF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1336-201-0x00000000028B0000-0x00000000028EF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1336-203-0x00000000028B0000-0x00000000028EF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1336-205-0x00000000028B0000-0x00000000028EF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1336-207-0x00000000028B0000-0x00000000028EF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1336-209-0x00000000028B0000-0x00000000028EF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1336-211-0x00000000028B0000-0x00000000028EF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1336-213-0x00000000028B0000-0x00000000028EF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3000-173-0x0000000002490000-0x00000000024A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3000-185-0x0000000000400000-0x000000000070F000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/3000-171-0x0000000002490000-0x00000000024A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3000-169-0x0000000002490000-0x00000000024A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3000-182-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3000-181-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3000-150-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3000-180-0x0000000000400000-0x000000000070F000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/3000-179-0x0000000002490000-0x00000000024A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3000-153-0x0000000002490000-0x00000000024A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3000-177-0x0000000002490000-0x00000000024A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3000-175-0x0000000002490000-0x00000000024A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3000-151-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3000-152-0x0000000002490000-0x00000000024A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3000-183-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3000-167-0x0000000002490000-0x00000000024A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3000-165-0x0000000002490000-0x00000000024A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3000-163-0x0000000002490000-0x00000000024A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3000-161-0x0000000002490000-0x00000000024A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3000-159-0x0000000002490000-0x00000000024A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3000-155-0x0000000002490000-0x00000000024A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3000-157-0x0000000002490000-0x00000000024A2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3000-149-0x0000000004DF0000-0x0000000005394000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3000-148-0x0000000000710000-0x000000000073D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/4464-1121-0x0000000000D40000-0x0000000000D72000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4464-1122-0x0000000005690000-0x00000000056A0000-memory.dmp

        Filesize

        64KB

        Download