Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    128s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2023 13:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    77558655bd894f570f958a9df8636b6e0f83468ef15814571d7cb85759bc5a11.exe

  • Size

    685KB

  • MD5

    207e62fda4c2b75179461d0ef15badef

  • SHA1

    2f54e2dc2997a73ea23ef33b568df4cac79939c4

  • SHA256

    77558655bd894f570f958a9df8636b6e0f83468ef15814571d7cb85759bc5a11

  • SHA512

    682792739253f08d8ceba03ee8f9155a9d3c6a5da36ea00f7b7fced00eeda24c5b8cd0b7e66fc78dba1a2485f61800064dea5fcf18915cbd776a53f2df046158

  • SSDEEP

    12288:6Mriy90hz8/u2l5MlpOTzFi6vXpneGO/TmRmRDT9K+d+lBM2aYRD:8yMyXMlGhBeGeSYR3gph5

Score
10/10
redlinenicesonydiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

sony

C2

193.233.20.33:4125

Attributes
  • auth_value

    1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted

Family

redline

Botnet

nice

C2

193.233.20.33:4125

Attributes
  • auth_value

    a7371b75699e8bc7c51fb960e8ac9e81

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 19 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\77558655bd894f570f958a9df8636b6e0f83468ef15814571d7cb85759bc5a11.exe
    "C:\Users\Admin\AppData\Local\Temp\77558655bd894f570f958a9df8636b6e0f83468ef15814571d7cb85759bc5a11.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1756
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un758614.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un758614.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3360
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4040.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4040.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1292
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 1088
          4⤵
          • Program crash
          PID:4284
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2948.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2948.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:544
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 1348
          4⤵
          • Program crash
          PID:3312
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si964137.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si964137.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3768
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1292 -ip 1292
    1⤵
      PID:4680
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 544 -ip 544
      1⤵
        PID:1660

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si964137.exe
        Filesize

        175KB

        MD5

        bd56585b15b11fa5d1bec6299b189baf

        SHA1

        031022ed0cae09573a11f0c37bf8d8c8bb75f9b9

        SHA256

        d810f948f8c8058cba5b9e4e7ed825b724e4cd4e874200a04013ad57b2f78e57

        SHA512

        30b145c9f8a6ae9d7dade18ff7a14313d6d905bb22733f185202263fbd8a132603109b48617514291cb8f03be613fd202f18e027fcad4ddd4e6efae3ebc02607

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si964137.exe
        Filesize

        175KB

        MD5

        bd56585b15b11fa5d1bec6299b189baf

        SHA1

        031022ed0cae09573a11f0c37bf8d8c8bb75f9b9

        SHA256

        d810f948f8c8058cba5b9e4e7ed825b724e4cd4e874200a04013ad57b2f78e57

        SHA512

        30b145c9f8a6ae9d7dade18ff7a14313d6d905bb22733f185202263fbd8a132603109b48617514291cb8f03be613fd202f18e027fcad4ddd4e6efae3ebc02607

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un758614.exe
        Filesize

        543KB

        MD5

        56fa7d4f5e8942efdd7e5442f1112ec9

        SHA1

        5bf1eb8fac66754312ab2ab236d6e5b4bb0bd2c8

        SHA256

        3b41c806278163d4c90dd9574c27a6d70c47831ad0ef0bb9e2073c0908a619ba

        SHA512

        9dd8dfabd55cc5fe361db465a7f03aec4569484c3d3a01a336c011213635ed6bdc4bd88ab11b77e8e13a1821c0b7189fab65d06aae29a111c0e365e2bb46d62b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un758614.exe
        Filesize

        543KB

        MD5

        56fa7d4f5e8942efdd7e5442f1112ec9

        SHA1

        5bf1eb8fac66754312ab2ab236d6e5b4bb0bd2c8

        SHA256

        3b41c806278163d4c90dd9574c27a6d70c47831ad0ef0bb9e2073c0908a619ba

        SHA512

        9dd8dfabd55cc5fe361db465a7f03aec4569484c3d3a01a336c011213635ed6bdc4bd88ab11b77e8e13a1821c0b7189fab65d06aae29a111c0e365e2bb46d62b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4040.exe
        Filesize

        292KB

        MD5

        21678b117b23b1b2fda796d5ff647f41

        SHA1

        46823263d523028daaa3442f88a9d407a7939332

        SHA256

        93c53fa8ae7d0916f10e5cf958ba23c904f10993e345af7622a38b02521a2eb4

        SHA512

        e71e7393aeac89c3781f349ee5e3c13dcd16e78e6f28f7e68c6234e6275f099f1b2f3f7d4021dbf4b951fd32942cec2783c4e6c343bf62248c4a254152dbd489

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4040.exe
        Filesize

        292KB

        MD5

        21678b117b23b1b2fda796d5ff647f41

        SHA1

        46823263d523028daaa3442f88a9d407a7939332

        SHA256

        93c53fa8ae7d0916f10e5cf958ba23c904f10993e345af7622a38b02521a2eb4

        SHA512

        e71e7393aeac89c3781f349ee5e3c13dcd16e78e6f28f7e68c6234e6275f099f1b2f3f7d4021dbf4b951fd32942cec2783c4e6c343bf62248c4a254152dbd489

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2948.exe
        Filesize

        350KB

        MD5

        0010030ef8fdb9c1c8b934634241b99c

        SHA1

        f2cfbbab7f01efb53cab45ed6abe003d6269a706

        SHA256

        d48a5bb1494a202838a20d11de2997f54bbc148748f5918d8aec3594b07220bd

        SHA512

        4439fc166518f43997e41c0bd64ecf8a66b36d404562b2bf1a1a3dfc15476e6959f0656260e5ca6ae69b4401aa8a752bf3deef6a89099940a98040983a3edea0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2948.exe
        Filesize

        350KB

        MD5

        0010030ef8fdb9c1c8b934634241b99c

        SHA1

        f2cfbbab7f01efb53cab45ed6abe003d6269a706

        SHA256

        d48a5bb1494a202838a20d11de2997f54bbc148748f5918d8aec3594b07220bd

        SHA512

        4439fc166518f43997e41c0bd64ecf8a66b36d404562b2bf1a1a3dfc15476e6959f0656260e5ca6ae69b4401aa8a752bf3deef6a89099940a98040983a3edea0

        Download Submit

      • memory/544-1102-0x0000000005B00000-0x0000000005C0A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/544-226-0x00000000029C0000-0x00000000029FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/544-203-0x00000000029C0000-0x00000000029FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/544-202-0x0000000002A20000-0x0000000002A30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/544-1115-0x0000000006C20000-0x000000000714C000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/544-1114-0x0000000006A50000-0x0000000006C12000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/544-1113-0x0000000002A20000-0x0000000002A30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/544-1112-0x0000000002A20000-0x0000000002A30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/544-1111-0x0000000002A20000-0x0000000002A30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/544-1109-0x0000000006790000-0x00000000067E0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/544-205-0x0000000002A20000-0x0000000002A30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/544-1108-0x0000000006710000-0x0000000006786000-memory.dmp

        Filesize

        472KB

        Download

      • memory/544-1107-0x0000000005FF0000-0x0000000006056000-memory.dmp

        Filesize

        408KB

        Download

      • memory/544-1106-0x0000000005F50000-0x0000000005FE2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/544-1105-0x0000000002A20000-0x0000000002A30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/544-1104-0x0000000005C60000-0x0000000005C9C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/544-1103-0x0000000005C40000-0x0000000005C52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/544-1101-0x0000000005460000-0x0000000005A78000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/544-228-0x00000000029C0000-0x00000000029FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/544-214-0x00000000029C0000-0x00000000029FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/544-224-0x00000000029C0000-0x00000000029FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/544-222-0x00000000029C0000-0x00000000029FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/544-220-0x00000000029C0000-0x00000000029FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/544-192-0x00000000029C0000-0x00000000029FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/544-191-0x00000000029C0000-0x00000000029FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/544-194-0x00000000029C0000-0x00000000029FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/544-196-0x00000000029C0000-0x00000000029FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/544-199-0x0000000002380000-0x00000000023CB000-memory.dmp

        Filesize

        300KB

        Download

      • memory/544-198-0x00000000029C0000-0x00000000029FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/544-200-0x0000000002A20000-0x0000000002A30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/544-218-0x00000000029C0000-0x00000000029FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/544-1117-0x0000000002A20000-0x0000000002A30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/544-216-0x00000000029C0000-0x00000000029FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/544-206-0x00000000029C0000-0x00000000029FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/544-208-0x00000000029C0000-0x00000000029FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/544-210-0x00000000029C0000-0x00000000029FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/544-212-0x00000000029C0000-0x00000000029FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1292-181-0x0000000000400000-0x000000000070C000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/1292-172-0x0000000002820000-0x0000000002832000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1292-148-0x0000000000860000-0x000000000088D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/1292-151-0x0000000002820000-0x0000000002832000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1292-152-0x0000000002820000-0x0000000002832000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1292-186-0x0000000000400000-0x000000000070C000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/1292-184-0x0000000004E90000-0x0000000004EA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1292-183-0x0000000004E90000-0x0000000004EA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1292-182-0x0000000004E90000-0x0000000004EA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1292-150-0x0000000004EA0000-0x0000000005444000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1292-154-0x0000000002820000-0x0000000002832000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1292-180-0x0000000004E90000-0x0000000004EA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1292-179-0x0000000004E90000-0x0000000004EA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1292-178-0x0000000002820000-0x0000000002832000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1292-176-0x0000000002820000-0x0000000002832000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1292-174-0x0000000002820000-0x0000000002832000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1292-170-0x0000000002820000-0x0000000002832000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1292-168-0x0000000002820000-0x0000000002832000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1292-166-0x0000000002820000-0x0000000002832000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1292-164-0x0000000002820000-0x0000000002832000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1292-162-0x0000000002820000-0x0000000002832000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1292-160-0x0000000002820000-0x0000000002832000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1292-158-0x0000000002820000-0x0000000002832000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1292-149-0x0000000004E90000-0x0000000004EA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1292-156-0x0000000002820000-0x0000000002832000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3768-1122-0x00000000001F0000-0x0000000000222000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3768-1123-0x0000000004AF0000-0x0000000004B00000-memory.dmp

        Filesize

        64KB

        Download