Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2023 12:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e8c38dc6c8db691bbad8f437b329621e180f1ee5f5064ed9e17397e35329e537.exe

  • Size

    687KB

  • MD5

    169f7ff06f1f36edb25bb8b53cca8df5

  • SHA1

    d60ae6893be4625544c2e7ca5998a3d349bb3f02

  • SHA256

    e8c38dc6c8db691bbad8f437b329621e180f1ee5f5064ed9e17397e35329e537

  • SHA512

    ed58c93ce7ba7786b85be7b4647250d01432afb2121d82c2af2978de1dd4858c69bf5eee741e3ff8b5b665696dc73d4b9e4928bbd12859110ba79f441a99dda4

  • SSDEEP

    12288:2MrOy90cHmmJGV7idUwEth04SeEaB57WgjrbQDhdZ0DYYgmxc+lm7:MyamJEsUNXpSeEaB5Cg3b8j+D8mxc+w7

Score
10/10
redlinenicesonydiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

sony

C2

193.233.20.33:4125

Attributes
  • auth_value

    1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted

Family

redline

Botnet

nice

C2

193.233.20.33:4125

Attributes
  • auth_value

    a7371b75699e8bc7c51fb960e8ac9e81

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e8c38dc6c8db691bbad8f437b329621e180f1ee5f5064ed9e17397e35329e537.exe
    "C:\Users\Admin\AppData\Local\Temp\e8c38dc6c8db691bbad8f437b329621e180f1ee5f5064ed9e17397e35329e537.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4508
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un323993.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un323993.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2064
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1971.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1971.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4040
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 1084
          4⤵
          • Program crash
          PID:932
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2036.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2036.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4940
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 1704
          4⤵
          • Program crash
          PID:1568
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si726809.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si726809.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2480
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4040 -ip 4040
    1⤵
      PID:3284
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4940 -ip 4940
      1⤵
        PID:3988

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si726809.exe
        Filesize

        175KB

        MD5

        a38e497dbffbaf23b2ef49b3c7b35274

        SHA1

        9b6a60b41d7038aae18a30db86e0e6bcc93065d1

        SHA256

        ada6a527f534d83b5d262890c43a16572f1b8bc47d7ddb3385608bd92a130615

        SHA512

        d090df5ce15c15bb96b91857a39d9ccbca2a7afc5f116e915072465835c21de270b61ad1b08a9cd11044c95d3b0c8513c857f219cf1486c74b08fe54e92442c2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si726809.exe
        Filesize

        175KB

        MD5

        a38e497dbffbaf23b2ef49b3c7b35274

        SHA1

        9b6a60b41d7038aae18a30db86e0e6bcc93065d1

        SHA256

        ada6a527f534d83b5d262890c43a16572f1b8bc47d7ddb3385608bd92a130615

        SHA512

        d090df5ce15c15bb96b91857a39d9ccbca2a7afc5f116e915072465835c21de270b61ad1b08a9cd11044c95d3b0c8513c857f219cf1486c74b08fe54e92442c2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un323993.exe
        Filesize

        545KB

        MD5

        3bb032c4ceb502ad18340a63c291e4b4

        SHA1

        53b87a5415947305a63d166311e21df07cfa49ee

        SHA256

        5e2fb7dd65b535946926c875cadb3d2a21e9e1cc492f9960b5c80d81169eb48a

        SHA512

        bda02b6e52babfd2c09b0d53521341829da9203f834ec1c272a363c68aee171824c629460e26df9cd343054dceee275c7da673c9bf3171acefb1e4c2f394da21

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un323993.exe
        Filesize

        545KB

        MD5

        3bb032c4ceb502ad18340a63c291e4b4

        SHA1

        53b87a5415947305a63d166311e21df07cfa49ee

        SHA256

        5e2fb7dd65b535946926c875cadb3d2a21e9e1cc492f9960b5c80d81169eb48a

        SHA512

        bda02b6e52babfd2c09b0d53521341829da9203f834ec1c272a363c68aee171824c629460e26df9cd343054dceee275c7da673c9bf3171acefb1e4c2f394da21

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1971.exe
        Filesize

        300KB

        MD5

        7604d2a3c1801a1d74cb8845dfe3e37c

        SHA1

        76830b0e24b0d7c0db86e1f835d7c67f0b4ed291

        SHA256

        69a4cefdb16dc9931ebd50dde2d0417ec1003fee16de2b37372aa8c818c93ed6

        SHA512

        ca996ce008c4a1bd2a0d097d237f7d40e213b544602baad4a1999a34152afbb865f7a069446befaf8b88cbd93be395bd70f11553d0ae67df8b30bddec4a71273

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1971.exe
        Filesize

        300KB

        MD5

        7604d2a3c1801a1d74cb8845dfe3e37c

        SHA1

        76830b0e24b0d7c0db86e1f835d7c67f0b4ed291

        SHA256

        69a4cefdb16dc9931ebd50dde2d0417ec1003fee16de2b37372aa8c818c93ed6

        SHA512

        ca996ce008c4a1bd2a0d097d237f7d40e213b544602baad4a1999a34152afbb865f7a069446befaf8b88cbd93be395bd70f11553d0ae67df8b30bddec4a71273

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2036.exe
        Filesize

        359KB

        MD5

        b6a4efecdb160d0a24b2c7dcb03ab3f5

        SHA1

        0107325d9260977c64c358db583d1abec6efe8f1

        SHA256

        2f6716ed2a6897873a5cf9cece9308ebb469f9467dfbfc6dcfae57882d94ef17

        SHA512

        fb400cb61c11c4d967ec2b74b339039218358c0f40c882bf158dedd29cd455073acc11a3473ab4e54ff5a97599ccb80374b0d179103be595562129741d0ae243

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2036.exe
        Filesize

        359KB

        MD5

        b6a4efecdb160d0a24b2c7dcb03ab3f5

        SHA1

        0107325d9260977c64c358db583d1abec6efe8f1

        SHA256

        2f6716ed2a6897873a5cf9cece9308ebb469f9467dfbfc6dcfae57882d94ef17

        SHA512

        fb400cb61c11c4d967ec2b74b339039218358c0f40c882bf158dedd29cd455073acc11a3473ab4e54ff5a97599ccb80374b0d179103be595562129741d0ae243

        Download Submit

      • memory/2480-1122-0x0000000000120000-0x0000000000152000-memory.dmp

        Filesize

        200KB

        Download

      • memory/2480-1123-0x0000000004A50000-0x0000000004A60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4040-156-0x0000000002720000-0x0000000002732000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4040-170-0x0000000002720000-0x0000000002732000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4040-151-0x00000000028D0000-0x00000000028E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4040-152-0x00000000028D0000-0x00000000028E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4040-153-0x0000000002720000-0x0000000002732000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4040-154-0x0000000002720000-0x0000000002732000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4040-149-0x00000000007D0000-0x00000000007FD000-memory.dmp

        Filesize

        180KB

        Download

      • memory/4040-158-0x0000000002720000-0x0000000002732000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4040-160-0x0000000002720000-0x0000000002732000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4040-162-0x0000000002720000-0x0000000002732000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4040-164-0x0000000002720000-0x0000000002732000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4040-166-0x0000000002720000-0x0000000002732000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4040-168-0x0000000002720000-0x0000000002732000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4040-150-0x00000000028D0000-0x00000000028E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4040-172-0x0000000002720000-0x0000000002732000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4040-174-0x0000000002720000-0x0000000002732000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4040-176-0x0000000002720000-0x0000000002732000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4040-178-0x0000000002720000-0x0000000002732000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4040-180-0x0000000002720000-0x0000000002732000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4040-181-0x0000000000400000-0x000000000070E000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/4040-182-0x00000000028D0000-0x00000000028E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4040-183-0x00000000028D0000-0x00000000028E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4040-184-0x00000000028D0000-0x00000000028E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4040-186-0x0000000000400000-0x000000000070E000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/4040-148-0x0000000004D80000-0x0000000005324000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4940-194-0x00000000027F0000-0x000000000282E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4940-356-0x0000000004E30000-0x0000000004E40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4940-196-0x00000000027F0000-0x000000000282E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4940-198-0x00000000027F0000-0x000000000282E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4940-200-0x00000000027F0000-0x000000000282E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4940-202-0x00000000027F0000-0x000000000282E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4940-204-0x00000000027F0000-0x000000000282E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4940-206-0x00000000027F0000-0x000000000282E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4940-208-0x00000000027F0000-0x000000000282E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4940-210-0x00000000027F0000-0x000000000282E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4940-212-0x00000000027F0000-0x000000000282E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4940-214-0x00000000027F0000-0x000000000282E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4940-216-0x00000000027F0000-0x000000000282E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4940-218-0x00000000027F0000-0x000000000282E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4940-220-0x00000000027F0000-0x000000000282E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4940-222-0x00000000027F0000-0x000000000282E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4940-224-0x00000000027F0000-0x000000000282E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4940-350-0x00000000009D0000-0x0000000000A1B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/4940-351-0x0000000004E30000-0x0000000004E40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4940-192-0x00000000027F0000-0x000000000282E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4940-354-0x0000000004E30000-0x0000000004E40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4940-1101-0x00000000054F0000-0x0000000005B08000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/4940-1102-0x0000000005B10000-0x0000000005C1A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/4940-1103-0x0000000005C40000-0x0000000005C52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4940-1104-0x0000000004E30000-0x0000000004E40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4940-1105-0x0000000005C60000-0x0000000005C9C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/4940-1106-0x0000000005F50000-0x0000000005FB6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4940-1107-0x0000000006610000-0x00000000066A2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4940-1109-0x0000000004E30000-0x0000000004E40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4940-1110-0x0000000004E30000-0x0000000004E40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4940-1111-0x0000000004E30000-0x0000000004E40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4940-1112-0x0000000007AD0000-0x0000000007C92000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/4940-1113-0x0000000007CA0000-0x00000000081CC000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/4940-191-0x00000000027F0000-0x000000000282E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4940-1114-0x0000000004E30000-0x0000000004E40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4940-1115-0x00000000085F0000-0x0000000008666000-memory.dmp

        Filesize

        472KB

        Download

      • memory/4940-1116-0x0000000008670000-0x00000000086C0000-memory.dmp

        Filesize

        320KB

        Download