Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2023 00:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1163c264e49f0b89b4bad1de4f56b70c8281c3917b077b15a8c07c3500b393a1.exe

  • Size

    685KB

  • MD5

    dae30ae283a803494b5fecd32baf0740

  • SHA1

    0ebc72813ce2615910681487907e5b7590e4a72a

  • SHA256

    1163c264e49f0b89b4bad1de4f56b70c8281c3917b077b15a8c07c3500b393a1

  • SHA512

    a9ed52206b9306781b677a21117a2b63f33f95d63892dcffe98eb2d533b5ed391620c0b17b0cf1994d21cbd066d402117ac571b7f68b57ad981952f51504316c

  • SSDEEP

    12288:cMrby90OgMdhgmqt/8IY5UctXoE8dR4IkOXZ5Udd5h8vB:vyzrgt/cJu2IkOXkdpMB

Score
10/10
redlinedentsonydiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

sony

C2

193.233.20.33:4125

Attributes
  • auth_value

    1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted

Family

redline

Botnet

dent

C2

193.233.20.33:4125

Attributes
  • auth_value

    e795368557f02e28e8aef6bcb279a3b0

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1163c264e49f0b89b4bad1de4f56b70c8281c3917b077b15a8c07c3500b393a1.exe
    "C:\Users\Admin\AppData\Local\Temp\1163c264e49f0b89b4bad1de4f56b70c8281c3917b077b15a8c07c3500b393a1.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3304
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un731625.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un731625.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4604
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2694.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2694.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:816
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2407.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2407.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3768
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si452507.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si452507.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2044

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si452507.exe
    Filesize

    175KB

    MD5

    24dbe11c697570e38ebb2df364537604

    SHA1

    2b71c2cc742bb9448d5713a24b8e5c9417be9194

    SHA256

    05e5ef0a93ffafda0c3bd6586851828cb246aded161b50298466cc5f948ea69e

    SHA512

    0cae2c9e613eab844750a84a5202754f49dc85937920e745f7b57876fb192d96deb8ae2f8888c5dab9c3a42d1faf9f44226897e9c05c7d332ef3e826809acb2a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si452507.exe
    Filesize

    175KB

    MD5

    24dbe11c697570e38ebb2df364537604

    SHA1

    2b71c2cc742bb9448d5713a24b8e5c9417be9194

    SHA256

    05e5ef0a93ffafda0c3bd6586851828cb246aded161b50298466cc5f948ea69e

    SHA512

    0cae2c9e613eab844750a84a5202754f49dc85937920e745f7b57876fb192d96deb8ae2f8888c5dab9c3a42d1faf9f44226897e9c05c7d332ef3e826809acb2a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un731625.exe
    Filesize

    543KB

    MD5

    942cd649b976c7479cffa4d7e44d7631

    SHA1

    838e564fc30de6b24c8e5fbca9b0b7a16a576977

    SHA256

    5dca4be5b7e2e7a85dee6bd705dd2086cfc59ac5f9e0def708c8505bf83c5c29

    SHA512

    4b8603c3b5c5d7a26587a45a63cc2ab589e162fabcc78d65b1777d9347593cd7c7a943cb6e0e312106cb5bc14b0b800ca0b981381d1aa4d4743372a40f0e59d2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un731625.exe
    Filesize

    543KB

    MD5

    942cd649b976c7479cffa4d7e44d7631

    SHA1

    838e564fc30de6b24c8e5fbca9b0b7a16a576977

    SHA256

    5dca4be5b7e2e7a85dee6bd705dd2086cfc59ac5f9e0def708c8505bf83c5c29

    SHA512

    4b8603c3b5c5d7a26587a45a63cc2ab589e162fabcc78d65b1777d9347593cd7c7a943cb6e0e312106cb5bc14b0b800ca0b981381d1aa4d4743372a40f0e59d2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2694.exe
    Filesize

    322KB

    MD5

    0e647095aa5ae5ae3271423c99bd6a8b

    SHA1

    ebf0ae4abd9c65da2a84ddee0ccbb0237d5a0db4

    SHA256

    f46921ba96faf18e7d1a88cb52564beff34eba1fbb4a02406dbb735c980635b7

    SHA512

    ae86cd2e9504f66101ddddf262d6dddea6d75aa6df61da92e19c94978d82b7f6481247dbb9c5741f6b5fb33067f240130607748f6b2518f1b03ce289088c4811

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2694.exe
    Filesize

    322KB

    MD5

    0e647095aa5ae5ae3271423c99bd6a8b

    SHA1

    ebf0ae4abd9c65da2a84ddee0ccbb0237d5a0db4

    SHA256

    f46921ba96faf18e7d1a88cb52564beff34eba1fbb4a02406dbb735c980635b7

    SHA512

    ae86cd2e9504f66101ddddf262d6dddea6d75aa6df61da92e19c94978d82b7f6481247dbb9c5741f6b5fb33067f240130607748f6b2518f1b03ce289088c4811

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2407.exe
    Filesize

    379KB

    MD5

    703968e3d395b49b4bda2defe11255d0

    SHA1

    397739db786c67d82198016cce637d3cc22f152f

    SHA256

    45f18b13188c31829ae59b6d672ee286891c50a2f12e38d012b9e1cde2898706

    SHA512

    e8756f2f223099cfab9f34886deeb5fe7fa44c7761ac929e089ef38281e170416f296a8dc3241924a377fcd40e35a831ed73d2810252e5294808bc23ad8de572

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2407.exe
    Filesize

    379KB

    MD5

    703968e3d395b49b4bda2defe11255d0

    SHA1

    397739db786c67d82198016cce637d3cc22f152f

    SHA256

    45f18b13188c31829ae59b6d672ee286891c50a2f12e38d012b9e1cde2898706

    SHA512

    e8756f2f223099cfab9f34886deeb5fe7fa44c7761ac929e089ef38281e170416f296a8dc3241924a377fcd40e35a831ed73d2810252e5294808bc23ad8de572

    Download Submit

  • memory/816-148-0x0000000002C50000-0x0000000002C7D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/816-149-0x00000000073B0000-0x0000000007954000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/816-150-0x0000000004A80000-0x0000000004A92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/816-151-0x0000000004A80000-0x0000000004A92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/816-153-0x0000000004A80000-0x0000000004A92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/816-155-0x0000000004A80000-0x0000000004A92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/816-157-0x0000000004A80000-0x0000000004A92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/816-159-0x0000000004A80000-0x0000000004A92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/816-161-0x0000000004A80000-0x0000000004A92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/816-163-0x0000000004A80000-0x0000000004A92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/816-165-0x0000000004A80000-0x0000000004A92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/816-167-0x0000000004A80000-0x0000000004A92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/816-169-0x0000000004A80000-0x0000000004A92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/816-171-0x0000000004A80000-0x0000000004A92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/816-173-0x0000000004A80000-0x0000000004A92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/816-175-0x0000000004A80000-0x0000000004A92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/816-177-0x0000000004A80000-0x0000000004A92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/816-178-0x0000000004A70000-0x0000000004A80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/816-179-0x0000000004A70000-0x0000000004A80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/816-180-0x0000000000400000-0x0000000002B7E000-memory.dmp

    Filesize

    39.5MB

    Download

  • memory/816-183-0x0000000004A70000-0x0000000004A80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/816-182-0x0000000000400000-0x0000000002B7E000-memory.dmp

    Filesize

    39.5MB

    Download

  • memory/816-184-0x0000000004A70000-0x0000000004A80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2044-1121-0x00000000051F0000-0x0000000005200000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2044-1120-0x00000000005E0000-0x0000000000612000-memory.dmp

    Filesize

    200KB

    Download

  • memory/3768-194-0x0000000004C30000-0x0000000004C6E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3768-405-0x00000000072C0000-0x00000000072D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3768-196-0x0000000004C30000-0x0000000004C6E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3768-198-0x0000000004C30000-0x0000000004C6E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3768-200-0x0000000004C30000-0x0000000004C6E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3768-202-0x0000000004C30000-0x0000000004C6E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3768-204-0x0000000004C30000-0x0000000004C6E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3768-206-0x0000000004C30000-0x0000000004C6E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3768-208-0x0000000004C30000-0x0000000004C6E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3768-210-0x0000000004C30000-0x0000000004C6E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3768-212-0x0000000004C30000-0x0000000004C6E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3768-214-0x0000000004C30000-0x0000000004C6E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3768-216-0x0000000004C30000-0x0000000004C6E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3768-218-0x0000000004C30000-0x0000000004C6E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3768-220-0x0000000004C30000-0x0000000004C6E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3768-222-0x0000000004C30000-0x0000000004C6E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3768-399-0x0000000002C60000-0x0000000002CAB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3768-401-0x00000000072C0000-0x00000000072D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3768-403-0x00000000072C0000-0x00000000072D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3768-192-0x0000000004C30000-0x0000000004C6E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3768-1099-0x0000000007980000-0x0000000007F98000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3768-1100-0x0000000007FA0000-0x00000000080AA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3768-1101-0x00000000080B0000-0x00000000080C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3768-1102-0x00000000072C0000-0x00000000072D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3768-1103-0x00000000080D0000-0x000000000810C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3768-1105-0x00000000083C0000-0x0000000008452000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3768-1106-0x0000000008460000-0x00000000084C6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3768-1107-0x00000000072C0000-0x00000000072D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3768-1108-0x00000000072C0000-0x00000000072D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3768-1109-0x00000000072C0000-0x00000000072D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3768-1110-0x0000000008B80000-0x0000000008BF6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3768-1111-0x0000000008C20000-0x0000000008C70000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3768-1112-0x0000000008FA0000-0x0000000009162000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3768-190-0x0000000004C30000-0x0000000004C6E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3768-189-0x0000000004C30000-0x0000000004C6E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3768-1113-0x0000000009170000-0x000000000969C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/3768-1114-0x00000000072C0000-0x00000000072D0000-memory.dmp

    Filesize

    64KB

    Download