Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2023 23:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    db77bffc81af60c9fc47eb4f30d741d35090178fc9394abfe140de4efff675fe.exe

  • Size

    701KB

  • MD5

    0d17143e6351fcc3836467c0f7712da1

  • SHA1

    f41eb3d0d29e7345cfbbf49a287d5e1be7c38624

  • SHA256

    db77bffc81af60c9fc47eb4f30d741d35090178fc9394abfe140de4efff675fe

  • SHA512

    51d803d58cf126dbf8d4629e3286833a0b6e24736a90db88556784a10e8b2edd000550a65553a6e32a85c4667d790ca17b9ecc3241e3f86ae347082a4b1140bf

  • SSDEEP

    12288:qMr9y90DUCLLXPOe1d87r0NEhlTFluMCUv8GWK:HyE7nXPNMdhl5lSQ8zK

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\db77bffc81af60c9fc47eb4f30d741d35090178fc9394abfe140de4efff675fe.exe
    "C:\Users\Admin\AppData\Local\Temp\db77bffc81af60c9fc47eb4f30d741d35090178fc9394abfe140de4efff675fe.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3480
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un177774.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un177774.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3452
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0780.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0780.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4816
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 1084
          4⤵
          • Program crash
          PID:1960
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9173.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9173.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4284
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 1952
          4⤵
          • Program crash
          PID:3312
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si280498.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si280498.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2480
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4816 -ip 4816
    1⤵
      PID:2312
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4284 -ip 4284
      1⤵
        PID:3460
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe start wuauserv
        1⤵
        • Launches sc.exe
        PID:1984

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si280498.exe
        Filesize

        175KB

        MD5

        04a86c37eb16f8cb6a41395a64cc5f30

        SHA1

        ce9634423381119a3bce3ceae09083a4c618e643

        SHA256

        5dde47354b8e8de30533eb2517ed11164489026fc235915cf5670d321700e5c1

        SHA512

        8e6eb031fe9fd480fc38d1a0c11e8601e3a0bd43022e21deade9f3e5f686019d335b4d6d8f2a2f95ac748b59206e31e3c0f4bfcccc90c96f10e7bbd7745dcad2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si280498.exe
        Filesize

        175KB

        MD5

        04a86c37eb16f8cb6a41395a64cc5f30

        SHA1

        ce9634423381119a3bce3ceae09083a4c618e643

        SHA256

        5dde47354b8e8de30533eb2517ed11164489026fc235915cf5670d321700e5c1

        SHA512

        8e6eb031fe9fd480fc38d1a0c11e8601e3a0bd43022e21deade9f3e5f686019d335b4d6d8f2a2f95ac748b59206e31e3c0f4bfcccc90c96f10e7bbd7745dcad2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un177774.exe
        Filesize

        558KB

        MD5

        e6b5c0f693c579468225dfc63083679e

        SHA1

        bb5f534c19e44cb39fd6328e7de3c5917b08f3b0

        SHA256

        0158616901f896061667fd60d46037e15995fd230d1bc621229280c326140ea0

        SHA512

        b237e656abca08b0579304b15e2042dcead862da921368b5515f1aa6d220c495e7a8d250df2cedf8ed0a171a8c962d6b6a9811e00950e6eeed15dfc9f5c74550

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un177774.exe
        Filesize

        558KB

        MD5

        e6b5c0f693c579468225dfc63083679e

        SHA1

        bb5f534c19e44cb39fd6328e7de3c5917b08f3b0

        SHA256

        0158616901f896061667fd60d46037e15995fd230d1bc621229280c326140ea0

        SHA512

        b237e656abca08b0579304b15e2042dcead862da921368b5515f1aa6d220c495e7a8d250df2cedf8ed0a171a8c962d6b6a9811e00950e6eeed15dfc9f5c74550

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0780.exe
        Filesize

        307KB

        MD5

        7bd21de43aaf90399c39d2a0de7b3ad5

        SHA1

        a82c052600d917c8bb9771778f8ba2f07aa6c188

        SHA256

        c95b01f60f82de1db9e76aa39bc6526544fcfc8cefca45b29eda22270775b1a1

        SHA512

        e199832f49e9451fe5534479bb89e9d8f86fe79ebc0377dab81edcc41c6a7c2b8b0a2e4a0583cf3c1b655ef706e4a3d87fde0cf66d202e79cb85a6f5671da94f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0780.exe
        Filesize

        307KB

        MD5

        7bd21de43aaf90399c39d2a0de7b3ad5

        SHA1

        a82c052600d917c8bb9771778f8ba2f07aa6c188

        SHA256

        c95b01f60f82de1db9e76aa39bc6526544fcfc8cefca45b29eda22270775b1a1

        SHA512

        e199832f49e9451fe5534479bb89e9d8f86fe79ebc0377dab81edcc41c6a7c2b8b0a2e4a0583cf3c1b655ef706e4a3d87fde0cf66d202e79cb85a6f5671da94f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9173.exe
        Filesize

        365KB

        MD5

        f21dd7b51e2c3deed66002a508f9333e

        SHA1

        72f5e3a2117134117966d92178d0c1f4b517fd36

        SHA256

        fecf11ee99100fb8155322ebe62fb38b630cfd75d93637ef20fca123aeb14c8f

        SHA512

        9b74cb52f18279d21389339e7b23aecc8f1c02b8fef7541e35354f977ebeaa07862bfb5994ef74adb84ec7d82c471ed078aada75e1d119821ff136f1e1ae2f15

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9173.exe
        Filesize

        365KB

        MD5

        f21dd7b51e2c3deed66002a508f9333e

        SHA1

        72f5e3a2117134117966d92178d0c1f4b517fd36

        SHA256

        fecf11ee99100fb8155322ebe62fb38b630cfd75d93637ef20fca123aeb14c8f

        SHA512

        9b74cb52f18279d21389339e7b23aecc8f1c02b8fef7541e35354f977ebeaa07862bfb5994ef74adb84ec7d82c471ed078aada75e1d119821ff136f1e1ae2f15

        Download Submit

      • memory/2480-1123-0x00000000056D0000-0x00000000056E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2480-1122-0x00000000056D0000-0x00000000056E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2480-1121-0x0000000000E60000-0x0000000000E92000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4284-1102-0x0000000005B00000-0x0000000005C0A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/4284-1105-0x0000000004D60000-0x0000000004D70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4284-1115-0x0000000004D60000-0x0000000004D70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4284-1114-0x0000000006AD0000-0x0000000006FFC000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/4284-1113-0x00000000068F0000-0x0000000006AB2000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/4284-1112-0x0000000004D60000-0x0000000004D70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4284-1111-0x0000000004D60000-0x0000000004D70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4284-1109-0x0000000006880000-0x00000000068D0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4284-1108-0x00000000067F0000-0x0000000006866000-memory.dmp

        Filesize

        472KB

        Download

      • memory/4284-1107-0x0000000005FF0000-0x0000000006056000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4284-1106-0x0000000005F50000-0x0000000005FE2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4284-1104-0x0000000005C60000-0x0000000005C9C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/4284-1103-0x0000000005C40000-0x0000000005C52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4284-1101-0x0000000005460000-0x0000000005A78000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/4284-248-0x0000000004D60000-0x0000000004D70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4284-245-0x0000000004D60000-0x0000000004D70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4284-243-0x0000000004D60000-0x0000000004D70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4284-241-0x0000000000840000-0x000000000088B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/4284-224-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4284-222-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4284-192-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4284-191-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4284-194-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4284-196-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4284-198-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4284-200-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4284-202-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4284-204-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4284-206-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4284-208-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4284-210-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4284-212-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4284-214-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4284-216-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4284-218-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4284-220-0x0000000004CC0000-0x0000000004CFF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4816-175-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4816-184-0x0000000004F30000-0x0000000004F40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4816-157-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4816-185-0x0000000004F30000-0x0000000004F40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4816-176-0x0000000004F30000-0x0000000004F40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4816-183-0x0000000004F30000-0x0000000004F40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4816-181-0x0000000000400000-0x000000000070F000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/4816-173-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4816-179-0x0000000004F30000-0x0000000004F40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4816-180-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4816-161-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4816-178-0x0000000004F30000-0x0000000004F40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4816-186-0x0000000000400000-0x000000000070F000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/4816-159-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4816-155-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4816-171-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4816-169-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4816-167-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4816-165-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4816-163-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4816-153-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4816-151-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4816-150-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4816-149-0x0000000004F40000-0x00000000054E4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4816-148-0x0000000000810000-0x000000000083D000-memory.dmp

        Filesize

        180KB

        Download