Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    57s
  • max time network
    143s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    27-03-2023 13:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b139bf395d5c373932c1872f41d41b020de6cbf24a2759764fee1390b4a9364b.exe

  • Size

    685KB

  • MD5

    d1d35a226df67adfb0360fa722879bff

  • SHA1

    f213ca0ca8221e4d22601560ef8251b2726aba04

  • SHA256

    b139bf395d5c373932c1872f41d41b020de6cbf24a2759764fee1390b4a9364b

  • SHA512

    bf4420e84691fd48f7a3dad996509de97120b83e27c8f69de8c171acd51149ea3f774a060f5682fb9ec7c1b0e2d4b5ce7ce2f778d6014ef7be710b37bd8026ff

  • SSDEEP

    12288:vMrGy90pL6pQrf5Kjd0Twn/zjonLImFG8CCzBbiCE+pL60yNfp5OcTVw73h7zX:JyaL6pTeEn/zjusmU8rRiCExnjRVw7Z

Score
10/10
redlinenicesonydiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

sony

C2

193.233.20.33:4125

Attributes
  • auth_value

    1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted

Family

redline

Botnet

nice

C2

193.233.20.33:4125

Attributes
  • auth_value

    a7371b75699e8bc7c51fb960e8ac9e81

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 21 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b139bf395d5c373932c1872f41d41b020de6cbf24a2759764fee1390b4a9364b.exe
    "C:\Users\Admin\AppData\Local\Temp\b139bf395d5c373932c1872f41d41b020de6cbf24a2759764fee1390b4a9364b.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4616
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un316638.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un316638.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4960
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7588.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7588.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2068
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7720.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7720.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1944
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si436066.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si436066.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4584

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si436066.exe
    Filesize

    175KB

    MD5

    4f50d3a334d401b76acfc6a37a1a4671

    SHA1

    214db8870ee01d6d468dd6bca15e42bc55aa13f6

    SHA256

    a20d6d530f8bf2893e29734edffbad228018ad074cf6385371e9fcd604336cc6

    SHA512

    29d21c4ea96bf5855fac5c043e677be27dbc8c3418e6e0de207250e07f23ccae0aa1c50a99e20aa32468c4df7dddc89d50a2f58d4d6f1c9239821d4f389a6d46

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si436066.exe
    Filesize

    175KB

    MD5

    4f50d3a334d401b76acfc6a37a1a4671

    SHA1

    214db8870ee01d6d468dd6bca15e42bc55aa13f6

    SHA256

    a20d6d530f8bf2893e29734edffbad228018ad074cf6385371e9fcd604336cc6

    SHA512

    29d21c4ea96bf5855fac5c043e677be27dbc8c3418e6e0de207250e07f23ccae0aa1c50a99e20aa32468c4df7dddc89d50a2f58d4d6f1c9239821d4f389a6d46

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un316638.exe
    Filesize

    543KB

    MD5

    79d92cbf8a50b451c698d4d263768bb1

    SHA1

    38d8dd009261230205fbd9d14b16caa6f60c68e4

    SHA256

    8444ce1e3790f07cd59156e447ad20c84c247e73dba82b801e89317b881dcd4b

    SHA512

    e7b18ab1aaf305a89c59dd5c58f7e69900be60f3ca6444bd3fe32f1a59f1a0057e49246919a02c5d46d66fa0926e750cc7cbc47b00fc151b14bb07a911c16890

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un316638.exe
    Filesize

    543KB

    MD5

    79d92cbf8a50b451c698d4d263768bb1

    SHA1

    38d8dd009261230205fbd9d14b16caa6f60c68e4

    SHA256

    8444ce1e3790f07cd59156e447ad20c84c247e73dba82b801e89317b881dcd4b

    SHA512

    e7b18ab1aaf305a89c59dd5c58f7e69900be60f3ca6444bd3fe32f1a59f1a0057e49246919a02c5d46d66fa0926e750cc7cbc47b00fc151b14bb07a911c16890

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7588.exe
    Filesize

    292KB

    MD5

    7602663ce39bce11b703c07568d8f554

    SHA1

    00237a1490173b6db904d49a0e5377b4c1246f32

    SHA256

    9360dca87958e2269e89792036f9699664bebc502e345c3ae9f8dc9800fb4784

    SHA512

    f130859460e663aa075cb2b613ba81a1f2458740ab62f5498bcea1202ece62edd0cd113a00a092524377fa729ef4015e416c7df1218e4099a79898d5cb7e2cb3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7588.exe
    Filesize

    292KB

    MD5

    7602663ce39bce11b703c07568d8f554

    SHA1

    00237a1490173b6db904d49a0e5377b4c1246f32

    SHA256

    9360dca87958e2269e89792036f9699664bebc502e345c3ae9f8dc9800fb4784

    SHA512

    f130859460e663aa075cb2b613ba81a1f2458740ab62f5498bcea1202ece62edd0cd113a00a092524377fa729ef4015e416c7df1218e4099a79898d5cb7e2cb3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7720.exe
    Filesize

    350KB

    MD5

    c4b645b6c62f8cb12ef1752bb114fac0

    SHA1

    28354da73f3f5879db153fd7cb1f45e742e8feef

    SHA256

    517447dec8f49b7bfe702e078875afe8a7415bc1c279aaae44833d54613d43ef

    SHA512

    2f452c69339fe25bfb11685a501f47fc2bc88b624522952dc74313e275e28d23d31460c6d961721ffa6f6c32fd72aa9b6c8d8246bfec478ec323d11e50348f67

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7720.exe
    Filesize

    350KB

    MD5

    c4b645b6c62f8cb12ef1752bb114fac0

    SHA1

    28354da73f3f5879db153fd7cb1f45e742e8feef

    SHA256

    517447dec8f49b7bfe702e078875afe8a7415bc1c279aaae44833d54613d43ef

    SHA512

    2f452c69339fe25bfb11685a501f47fc2bc88b624522952dc74313e275e28d23d31460c6d961721ffa6f6c32fd72aa9b6c8d8246bfec478ec323d11e50348f67

    Download Submit

  • memory/1944-1088-0x0000000005370000-0x0000000005976000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/1944-215-0x00000000051F0000-0x000000000522E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1944-1104-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1944-1103-0x00000000068B0000-0x0000000006DDC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/1944-1102-0x00000000066E0000-0x00000000068A2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1944-190-0x00000000051F0000-0x000000000522E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1944-1101-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1944-1100-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1944-1099-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1944-1097-0x0000000006640000-0x0000000006690000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1944-186-0x00000000051F0000-0x000000000522E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1944-1096-0x00000000065B0000-0x0000000006626000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1944-1095-0x0000000005EE0000-0x0000000005F46000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1944-1094-0x0000000005E40000-0x0000000005ED2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1944-1093-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1944-1092-0x0000000005CB0000-0x0000000005CFB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1944-1091-0x0000000005B60000-0x0000000005B9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1944-1090-0x0000000005B40000-0x0000000005B52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1944-1089-0x0000000005A00000-0x0000000005B0A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1944-199-0x00000000051F0000-0x000000000522E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1944-213-0x00000000051F0000-0x000000000522E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1944-211-0x00000000051F0000-0x000000000522E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1944-209-0x00000000051F0000-0x000000000522E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1944-207-0x00000000051F0000-0x000000000522E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1944-205-0x00000000051F0000-0x000000000522E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1944-176-0x0000000004C40000-0x0000000004C86000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1944-177-0x00000000051F0000-0x0000000005234000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1944-179-0x00000000051F0000-0x000000000522E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1944-178-0x00000000051F0000-0x000000000522E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1944-191-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1944-183-0x00000000051F0000-0x000000000522E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1944-185-0x00000000007F0000-0x000000000083B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1944-187-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1944-189-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1944-181-0x00000000051F0000-0x000000000522E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1944-203-0x00000000051F0000-0x000000000522E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1944-201-0x00000000051F0000-0x000000000522E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1944-193-0x00000000051F0000-0x000000000522E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1944-195-0x00000000051F0000-0x000000000522E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1944-197-0x00000000051F0000-0x000000000522E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2068-166-0x0000000000400000-0x000000000070C000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2068-151-0x0000000004C40000-0x0000000004C52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2068-141-0x0000000004C40000-0x0000000004C52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2068-135-0x0000000004C40000-0x0000000004C58000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2068-136-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2068-171-0x0000000000400000-0x000000000070C000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2068-169-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2068-168-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2068-167-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2068-133-0x00000000001D0000-0x00000000001FD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2068-137-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2068-165-0x0000000004C40000-0x0000000004C52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2068-163-0x0000000004C40000-0x0000000004C52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2068-161-0x0000000004C40000-0x0000000004C52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2068-159-0x0000000004C40000-0x0000000004C52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2068-157-0x0000000004C40000-0x0000000004C52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2068-155-0x0000000004C40000-0x0000000004C52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2068-153-0x0000000004C40000-0x0000000004C52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2068-149-0x0000000004C40000-0x0000000004C52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2068-147-0x0000000004C40000-0x0000000004C52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2068-145-0x0000000004C40000-0x0000000004C52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2068-143-0x0000000004C40000-0x0000000004C52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2068-139-0x0000000004C40000-0x0000000004C52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2068-138-0x0000000004C40000-0x0000000004C52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2068-134-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2068-132-0x0000000004DF0000-0x00000000052EE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/2068-131-0x0000000002380000-0x000000000239A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4584-1110-0x0000000000710000-0x0000000000742000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4584-1111-0x0000000005010000-0x000000000505B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4584-1112-0x00000000053A0000-0x00000000053B0000-memory.dmp

    Filesize

    64KB

    Download