Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    114s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2023 12:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d89ee7efa5beab298636e8f675f3b22953031701390cc1a98697ea42648216d2.exe

  • Size

    687KB

  • MD5

    a7f8b3d1653c57a35b9e8239d455f08d

  • SHA1

    0f5540938081fb43bbd8256497d57a79830d64c2

  • SHA256

    d89ee7efa5beab298636e8f675f3b22953031701390cc1a98697ea42648216d2

  • SHA512

    9a0966d62cd7e1442e2a4ecc63648c908402116f82b3805b83684338c2293ad79c4bc7cca78bde7488e4c6b6295ca614002b2de56e5406be882a8f841cf50e0b

  • SSDEEP

    12288:9Mriy90415RtsxLDrfwhMTUz2QnQzGTq7d/wCMRFQfZfUCbZVZu2:PyDg5TS2Qd21DxDVZu2

Score
10/10
redlinenicesonydiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

sony

C2

193.233.20.33:4125

Attributes
  • auth_value

    1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted

Family

redline

Botnet

nice

C2

193.233.20.33:4125

Attributes
  • auth_value

    a7371b75699e8bc7c51fb960e8ac9e81

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 19 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d89ee7efa5beab298636e8f675f3b22953031701390cc1a98697ea42648216d2.exe
    "C:\Users\Admin\AppData\Local\Temp\d89ee7efa5beab298636e8f675f3b22953031701390cc1a98697ea42648216d2.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2548
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un660077.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un660077.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3268
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6682.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6682.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:624
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 1028
          4⤵
          • Program crash
          PID:4740
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7873.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7873.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1320
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 1328
          4⤵
          • Program crash
          PID:4516
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si457772.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si457772.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4476
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 624 -ip 624
    1⤵
      PID:2428
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1320 -ip 1320
      1⤵
        PID:3464

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si457772.exe
        Filesize

        175KB

        MD5

        4a0e50b4084cac58f092337ae6cf3b61

        SHA1

        9f122495abc7834fc923fdecceb375739339402a

        SHA256

        262aecf6979654d27813d7da0e48465084c93d11399bc6b7f148990dcde363f0

        SHA512

        fec9da5d5983fd7e86591c74fa2595a435b16d2819f0e648cdbae254620e9d59d9f43489970c433e98c6345f6d161a66b728aaae175a75f9a54d87c13ab00185

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si457772.exe
        Filesize

        175KB

        MD5

        4a0e50b4084cac58f092337ae6cf3b61

        SHA1

        9f122495abc7834fc923fdecceb375739339402a

        SHA256

        262aecf6979654d27813d7da0e48465084c93d11399bc6b7f148990dcde363f0

        SHA512

        fec9da5d5983fd7e86591c74fa2595a435b16d2819f0e648cdbae254620e9d59d9f43489970c433e98c6345f6d161a66b728aaae175a75f9a54d87c13ab00185

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un660077.exe
        Filesize

        545KB

        MD5

        fce3fcf9932f2d86f0afdef35d91ca4d

        SHA1

        79fdeb3977f2ed2d22ab667e2515f88c0dc53cc7

        SHA256

        01c4eef5faa100a4d17929bd643d6411ad8f7ce400968e535d49e5862c851575

        SHA512

        708c366db906904874ff3331929903819ff3d4f2ba70997a49110b7e3f22318344108e424fc910ee9ade334a2a0596cd68ed081381eee16c98d1f13c05b531f0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un660077.exe
        Filesize

        545KB

        MD5

        fce3fcf9932f2d86f0afdef35d91ca4d

        SHA1

        79fdeb3977f2ed2d22ab667e2515f88c0dc53cc7

        SHA256

        01c4eef5faa100a4d17929bd643d6411ad8f7ce400968e535d49e5862c851575

        SHA512

        708c366db906904874ff3331929903819ff3d4f2ba70997a49110b7e3f22318344108e424fc910ee9ade334a2a0596cd68ed081381eee16c98d1f13c05b531f0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6682.exe
        Filesize

        300KB

        MD5

        da567c48ea3e9bcdd78164520c085404

        SHA1

        f279ec714fd5802d1d7c9e882018c89c8e4bf344

        SHA256

        9a650babbe3ac65fd5162016a5fb2a254b5ff0d6015a099c16d25430d0dbea9d

        SHA512

        bebf3c8a3b0da0f3ec918dff0684858f21da533aa9e2be7d03971b1a0d5eb0c588d9f4290e87b9919cc1881918362f3542a0e3ba487ddaf4c1b046d6591ec332

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6682.exe
        Filesize

        300KB

        MD5

        da567c48ea3e9bcdd78164520c085404

        SHA1

        f279ec714fd5802d1d7c9e882018c89c8e4bf344

        SHA256

        9a650babbe3ac65fd5162016a5fb2a254b5ff0d6015a099c16d25430d0dbea9d

        SHA512

        bebf3c8a3b0da0f3ec918dff0684858f21da533aa9e2be7d03971b1a0d5eb0c588d9f4290e87b9919cc1881918362f3542a0e3ba487ddaf4c1b046d6591ec332

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7873.exe
        Filesize

        359KB

        MD5

        304ae93ed5446b6d97a9f40b0222d026

        SHA1

        4838abb33c232cb5a954032c5f7c67e6d34c6df4

        SHA256

        70f0d3efb38fea2d55a7bfca51cd84e0d7b843495d52583e943e077f17110d8a

        SHA512

        0ca20c098362cc7a5eedad819582456925131316602a42ac084bc5af479e817503f3171ccbe5e6901be1581ab9e48bd971f1ba54253cd4cce67349b28b73ebcd

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7873.exe
        Filesize

        359KB

        MD5

        304ae93ed5446b6d97a9f40b0222d026

        SHA1

        4838abb33c232cb5a954032c5f7c67e6d34c6df4

        SHA256

        70f0d3efb38fea2d55a7bfca51cd84e0d7b843495d52583e943e077f17110d8a

        SHA512

        0ca20c098362cc7a5eedad819582456925131316602a42ac084bc5af479e817503f3171ccbe5e6901be1581ab9e48bd971f1ba54253cd4cce67349b28b73ebcd

        Download Submit

      • memory/624-148-0x0000000000980000-0x00000000009AD000-memory.dmp

        Filesize

        180KB

        Download

      • memory/624-150-0x00000000028B0000-0x00000000028C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/624-149-0x0000000004D60000-0x0000000005304000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/624-151-0x00000000028B0000-0x00000000028C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/624-152-0x0000000002830000-0x0000000002842000-memory.dmp

        Filesize

        72KB

        Download

      • memory/624-153-0x0000000002830000-0x0000000002842000-memory.dmp

        Filesize

        72KB

        Download

      • memory/624-155-0x0000000002830000-0x0000000002842000-memory.dmp

        Filesize

        72KB

        Download

      • memory/624-157-0x0000000002830000-0x0000000002842000-memory.dmp

        Filesize

        72KB

        Download

      • memory/624-159-0x0000000002830000-0x0000000002842000-memory.dmp

        Filesize

        72KB

        Download

      • memory/624-161-0x0000000002830000-0x0000000002842000-memory.dmp

        Filesize

        72KB

        Download

      • memory/624-163-0x0000000002830000-0x0000000002842000-memory.dmp

        Filesize

        72KB

        Download

      • memory/624-165-0x0000000002830000-0x0000000002842000-memory.dmp

        Filesize

        72KB

        Download

      • memory/624-167-0x0000000002830000-0x0000000002842000-memory.dmp

        Filesize

        72KB

        Download

      • memory/624-169-0x0000000002830000-0x0000000002842000-memory.dmp

        Filesize

        72KB

        Download

      • memory/624-171-0x0000000002830000-0x0000000002842000-memory.dmp

        Filesize

        72KB

        Download

      • memory/624-173-0x0000000002830000-0x0000000002842000-memory.dmp

        Filesize

        72KB

        Download

      • memory/624-175-0x0000000002830000-0x0000000002842000-memory.dmp

        Filesize

        72KB

        Download

      • memory/624-177-0x0000000002830000-0x0000000002842000-memory.dmp

        Filesize

        72KB

        Download

      • memory/624-179-0x0000000002830000-0x0000000002842000-memory.dmp

        Filesize

        72KB

        Download

      • memory/624-180-0x0000000000400000-0x000000000070E000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/624-181-0x00000000028B0000-0x00000000028C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/624-182-0x00000000028B0000-0x00000000028C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/624-183-0x00000000028B0000-0x00000000028C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/624-185-0x0000000000400000-0x000000000070E000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/1320-190-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1320-191-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1320-193-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1320-195-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1320-197-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1320-199-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1320-201-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1320-203-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1320-205-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1320-207-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1320-209-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1320-211-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1320-213-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1320-215-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1320-217-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1320-218-0x0000000000C70000-0x0000000000CBB000-memory.dmp

        Filesize

        300KB

        Download

      • memory/1320-219-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1320-221-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1320-223-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1320-222-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1320-225-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1320-227-0x0000000002760000-0x000000000279E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1320-1100-0x0000000005460000-0x0000000005A78000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/1320-1101-0x0000000005A80000-0x0000000005B8A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/1320-1102-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1320-1103-0x0000000004E10000-0x0000000004E22000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1320-1104-0x0000000004E30000-0x0000000004E6C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1320-1106-0x0000000005E10000-0x0000000005E76000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1320-1107-0x00000000064E0000-0x0000000006572000-memory.dmp

        Filesize

        584KB

        Download

      • memory/1320-1108-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1320-1109-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1320-1110-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1320-1111-0x00000000066F0000-0x0000000006766000-memory.dmp

        Filesize

        472KB

        Download

      • memory/1320-1112-0x0000000006780000-0x00000000067D0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/1320-1113-0x0000000006900000-0x0000000006AC2000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/1320-1114-0x0000000006AD0000-0x0000000006FFC000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/1320-1115-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4476-1121-0x0000000000590000-0x00000000005C2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4476-1122-0x00000000051B0000-0x00000000051C0000-memory.dmp

        Filesize

        64KB

        Download