Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    61s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2023 13:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4cc059bdd240bac7d2eb64b7aebf8c4ce81ac100fa699352d6706308b1df8257.exe

  • Size

    685KB

  • MD5

    2e89edb5513ac823e69c023af7e2ad9e

  • SHA1

    bed12b15e687f4873b840af32112bdf2423667b9

  • SHA256

    4cc059bdd240bac7d2eb64b7aebf8c4ce81ac100fa699352d6706308b1df8257

  • SHA512

    74580022765856abc37533e0b988958ffcdd1ef84c9fad42d65e611263b76360be73e0683ee40f713075f7dad92e7494f9296cdf135fa92343196f873765c46c

  • SSDEEP

    12288:GMrMy908Muej/Y52o3wzSkU4We2JWHn3tlaE331wBBCIEnn3g2BpIZdZeL:2yVMuejPInWWnJWXJmLCIEn1BMfeL

Score
10/10
redlinenicesonydiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

sony

C2

193.233.20.33:4125

Attributes
  • auth_value

    1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted

Family

redline

Botnet

nice

C2

193.233.20.33:4125

Attributes
  • auth_value

    a7371b75699e8bc7c51fb960e8ac9e81

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4cc059bdd240bac7d2eb64b7aebf8c4ce81ac100fa699352d6706308b1df8257.exe
    "C:\Users\Admin\AppData\Local\Temp\4cc059bdd240bac7d2eb64b7aebf8c4ce81ac100fa699352d6706308b1df8257.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3808
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un582699.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un582699.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4268
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6025.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6025.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4532
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 1088
          4⤵
          • Program crash
          PID:1756
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2123.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2123.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:232
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 1692
          4⤵
          • Program crash
          PID:1516
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si971541.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si971541.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3516
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4532 -ip 4532
    1⤵
      PID:4308
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 232 -ip 232
      1⤵
        PID:1612

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si971541.exe
        Filesize

        175KB

        MD5

        cf37592f554e23533225b4f211b779ea

        SHA1

        51441ca080c3fcf66fb3e733de77704d23cd3666

        SHA256

        6bbff2969cc61fb1e3098210e36a9ee32ffa864b54ffb14a3f6b955081ecd2cc

        SHA512

        0437356ea002909951a4e2282c2a6d22d97eb339518bcc51d911eba21db82e9c430883b11261361e770180bdd6b2366341cb83178058a022feef7ebdbe1aed26

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si971541.exe
        Filesize

        175KB

        MD5

        cf37592f554e23533225b4f211b779ea

        SHA1

        51441ca080c3fcf66fb3e733de77704d23cd3666

        SHA256

        6bbff2969cc61fb1e3098210e36a9ee32ffa864b54ffb14a3f6b955081ecd2cc

        SHA512

        0437356ea002909951a4e2282c2a6d22d97eb339518bcc51d911eba21db82e9c430883b11261361e770180bdd6b2366341cb83178058a022feef7ebdbe1aed26

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un582699.exe
        Filesize

        543KB

        MD5

        8c728d6903b85bf4409fb2f28b7872b8

        SHA1

        db681aa8722596b2a852b44e4cafea256e619fe3

        SHA256

        ff1fd4da02a5ae1590ccc15deba82237689af6effd4cb87dcbdacabb9ccf6c85

        SHA512

        0b6e1982c88508eb26f8ec08f92bb0fd93729dd94587e86566fcb84d256d603096260a241aacbdbefc865ff9111219d3a9bce067c728dbafea247f95cc9dfad6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un582699.exe
        Filesize

        543KB

        MD5

        8c728d6903b85bf4409fb2f28b7872b8

        SHA1

        db681aa8722596b2a852b44e4cafea256e619fe3

        SHA256

        ff1fd4da02a5ae1590ccc15deba82237689af6effd4cb87dcbdacabb9ccf6c85

        SHA512

        0b6e1982c88508eb26f8ec08f92bb0fd93729dd94587e86566fcb84d256d603096260a241aacbdbefc865ff9111219d3a9bce067c728dbafea247f95cc9dfad6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6025.exe
        Filesize

        292KB

        MD5

        e6b1b2abd9b3e58ba2a4e974d5900b3f

        SHA1

        5768b4b06333556ad0bf2106a232317e16bcdd58

        SHA256

        fe9f7234efbab2c0bc5c8de715f9dcc8ba4731f95675df57104ab22c5af674a0

        SHA512

        f0dabf22340bba27b5a8bbe6ff87b8b1020d0666f9e7058f2a3c6375f694d1bb07ca1aa2d565e9d349dcacb39ac88f17ea264f1ece148f50864b1b6b3cabb592

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6025.exe
        Filesize

        292KB

        MD5

        e6b1b2abd9b3e58ba2a4e974d5900b3f

        SHA1

        5768b4b06333556ad0bf2106a232317e16bcdd58

        SHA256

        fe9f7234efbab2c0bc5c8de715f9dcc8ba4731f95675df57104ab22c5af674a0

        SHA512

        f0dabf22340bba27b5a8bbe6ff87b8b1020d0666f9e7058f2a3c6375f694d1bb07ca1aa2d565e9d349dcacb39ac88f17ea264f1ece148f50864b1b6b3cabb592

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2123.exe
        Filesize

        350KB

        MD5

        9fc53d88ff2982c5eb857a70d0505f88

        SHA1

        e838ee332ae4253f2d9fa28943186e8ab4c6c456

        SHA256

        1374f0b17d8424848dd8c661442df5b4d69a83a5a2f4cf0cd41c7eac86d32abf

        SHA512

        497c5613d342ee40b52b041273fc9b20af0df06a81ae11185c11a14fcf1464325e1beb5635ab7434f87a6b7b2988c952c85287b39a9ebd8e4108b019e5d98165

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2123.exe
        Filesize

        350KB

        MD5

        9fc53d88ff2982c5eb857a70d0505f88

        SHA1

        e838ee332ae4253f2d9fa28943186e8ab4c6c456

        SHA256

        1374f0b17d8424848dd8c661442df5b4d69a83a5a2f4cf0cd41c7eac86d32abf

        SHA512

        497c5613d342ee40b52b041273fc9b20af0df06a81ae11185c11a14fcf1464325e1beb5635ab7434f87a6b7b2988c952c85287b39a9ebd8e4108b019e5d98165

        Download Submit

      • memory/232-1099-0x00000000028B0000-0x00000000028C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/232-1100-0x00000000028D0000-0x000000000290C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/232-1112-0x0000000004F50000-0x0000000004F60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/232-1111-0x0000000006EA0000-0x0000000006EF0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/232-1110-0x0000000006E00000-0x0000000006E76000-memory.dmp

        Filesize

        472KB

        Download

      • memory/232-1109-0x00000000067B0000-0x0000000006CDC000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/232-1108-0x00000000065D0000-0x0000000006792000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/232-1106-0x0000000004F50000-0x0000000004F60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/232-1107-0x0000000004F50000-0x0000000004F60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/232-1105-0x0000000004F50000-0x0000000004F60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/232-1103-0x0000000005EB0000-0x0000000005F16000-memory.dmp

        Filesize

        408KB

        Download

      • memory/232-1102-0x0000000005E10000-0x0000000005EA2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/232-1101-0x0000000004F50000-0x0000000004F60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/232-1098-0x0000000005B30000-0x0000000005C3A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/232-1097-0x0000000005510000-0x0000000005B28000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/232-224-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/232-222-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/232-220-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/232-218-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/232-187-0x00000000007F0000-0x000000000083B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/232-188-0x0000000004F50000-0x0000000004F60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/232-189-0x0000000004F50000-0x0000000004F60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/232-190-0x0000000004F50000-0x0000000004F60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/232-191-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/232-192-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/232-194-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/232-196-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/232-198-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/232-200-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/232-202-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/232-204-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/232-206-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/232-208-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/232-210-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/232-212-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/232-214-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/232-216-0x0000000002660000-0x000000000269E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3516-1118-0x0000000000270000-0x00000000002A2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3516-1119-0x0000000004E90000-0x0000000004EA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4532-171-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4532-165-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4532-179-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4532-177-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4532-150-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4532-152-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4532-175-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4532-173-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4532-151-0x0000000004ED0000-0x0000000005474000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4532-169-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4532-167-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4532-180-0x0000000000400000-0x000000000070C000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/4532-163-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4532-161-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4532-159-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4532-157-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4532-155-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4532-149-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4532-148-0x0000000000710000-0x000000000073D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/4532-182-0x0000000000400000-0x000000000070C000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/4532-153-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download