Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    101s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2023 14:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    71b8c912eb7e069fc1246b652f4d10646731689529e1366500bc459c3f77ffaf.exe

  • Size

    685KB

  • MD5

    dc73bd8c870cd3e750a5944cb5b661a4

  • SHA1

    5cbd29c98c48b19f63dd11a7820adb16515feea0

  • SHA256

    71b8c912eb7e069fc1246b652f4d10646731689529e1366500bc459c3f77ffaf

  • SHA512

    44bdd4826b692944dea89880ab33a79747dd2c284630315fc6af1bb4a1174777da1fb9c65a13ccc821a5a7720c0fda4ba65fb8dc160c45b4470d083339e51ed1

  • SSDEEP

    12288:IMriy901VVwPEep6IPkJUkpVh2T/Q81SSgkMJuBoQPEF1E9PIp5gY:qyOVhep6ikrr0Q8/Mo6QPEF1uPIrt

Score
10/10
redlinenicesonydiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

sony

C2

193.233.20.33:4125

Attributes
  • auth_value

    1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted

Family

redline

Botnet

nice

C2

193.233.20.33:4125

Attributes
  • auth_value

    a7371b75699e8bc7c51fb960e8ac9e81

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\71b8c912eb7e069fc1246b652f4d10646731689529e1366500bc459c3f77ffaf.exe
    "C:\Users\Admin\AppData\Local\Temp\71b8c912eb7e069fc1246b652f4d10646731689529e1366500bc459c3f77ffaf.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1868
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un683165.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un683165.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3080
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9369.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9369.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4524
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 1084
          4⤵
          • Program crash
          PID:3908
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2253.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2253.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1432
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 1552
          4⤵
          • Program crash
          PID:1428
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si863443.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si863443.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:960
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4524 -ip 4524
    1⤵
      PID:3304
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1432 -ip 1432
      1⤵
        PID:5012

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si863443.exe
        Filesize

        175KB

        MD5

        bee0ae4b7f895cdfee1c215b1080808a

        SHA1

        b1457e9588c1df65a193bb677482cf052a0700b0

        SHA256

        c737367456a991f98b0854f994d2508993de7b9969f7d180379611c2ea4c6a23

        SHA512

        7acfd11f72d78318f9ff33569a2a60cf74696194a1d477cb60b852f29d1219a75e6f7506a3b37ef141a68d556c1514de6cf90875e3f7448361465112f71d7c8e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si863443.exe
        Filesize

        175KB

        MD5

        bee0ae4b7f895cdfee1c215b1080808a

        SHA1

        b1457e9588c1df65a193bb677482cf052a0700b0

        SHA256

        c737367456a991f98b0854f994d2508993de7b9969f7d180379611c2ea4c6a23

        SHA512

        7acfd11f72d78318f9ff33569a2a60cf74696194a1d477cb60b852f29d1219a75e6f7506a3b37ef141a68d556c1514de6cf90875e3f7448361465112f71d7c8e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un683165.exe
        Filesize

        543KB

        MD5

        354ec81ca5649e7aacb82ef7122a4d9f

        SHA1

        2587b5df3050d0d4775a157cf89cfcf44afe95a6

        SHA256

        8f4396b2b6e6197af08e79aa96edb27fae7d98d68f16955f151d0a4c4097cd6a

        SHA512

        4948b838174dadeeb91a8e5c160326739e8c54ed38a3ecdb642c4363931adcde492a918ae94d62cd66befd868fdc41e4494807e821862f775d76457e712ca13c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un683165.exe
        Filesize

        543KB

        MD5

        354ec81ca5649e7aacb82ef7122a4d9f

        SHA1

        2587b5df3050d0d4775a157cf89cfcf44afe95a6

        SHA256

        8f4396b2b6e6197af08e79aa96edb27fae7d98d68f16955f151d0a4c4097cd6a

        SHA512

        4948b838174dadeeb91a8e5c160326739e8c54ed38a3ecdb642c4363931adcde492a918ae94d62cd66befd868fdc41e4494807e821862f775d76457e712ca13c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9369.exe
        Filesize

        292KB

        MD5

        b4cfe26792b08f5fa934e718e01b06aa

        SHA1

        4c712889e400d33cb991d60bc1139b0506599117

        SHA256

        1d65c903d659b985cf7ff709d606036d9982b88c0440ce136fd1d2b7563567ee

        SHA512

        9dc962ff076e32179c0c179b7e26cbff68ba32780aed9936a7d902b5e1b9667b77e862b4ccae4c7c899466df90868bc40091035f892629dd5869afa109f860ad

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9369.exe
        Filesize

        292KB

        MD5

        b4cfe26792b08f5fa934e718e01b06aa

        SHA1

        4c712889e400d33cb991d60bc1139b0506599117

        SHA256

        1d65c903d659b985cf7ff709d606036d9982b88c0440ce136fd1d2b7563567ee

        SHA512

        9dc962ff076e32179c0c179b7e26cbff68ba32780aed9936a7d902b5e1b9667b77e862b4ccae4c7c899466df90868bc40091035f892629dd5869afa109f860ad

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2253.exe
        Filesize

        350KB

        MD5

        6a4593ebd3c0e21b3d3a8605836bd3fb

        SHA1

        c464594a0a5872627ea51455ef1bf23ccbe7e67f

        SHA256

        8d6c70678fb1097e3f401b98d0fb2a33552a97de56fc41591f034e360c7e9fb7

        SHA512

        7d2828fc218378f82ce4ff241aa01756bed849307c6a67f03216165e6887d62f94594f8026192c6c765fb300ccfe13bbe97390d1033bf37f946d18d951ae8492

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2253.exe
        Filesize

        350KB

        MD5

        6a4593ebd3c0e21b3d3a8605836bd3fb

        SHA1

        c464594a0a5872627ea51455ef1bf23ccbe7e67f

        SHA256

        8d6c70678fb1097e3f401b98d0fb2a33552a97de56fc41591f034e360c7e9fb7

        SHA512

        7d2828fc218378f82ce4ff241aa01756bed849307c6a67f03216165e6887d62f94594f8026192c6c765fb300ccfe13bbe97390d1033bf37f946d18d951ae8492

        Download Submit

      • memory/960-1123-0x00000000058D0000-0x00000000058E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/960-1122-0x0000000000D00000-0x0000000000D32000-memory.dmp

        Filesize

        200KB

        Download

      • memory/1432-1102-0x0000000005B00000-0x0000000005C0A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/1432-1104-0x0000000004D00000-0x0000000004D10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1432-1116-0x0000000007220000-0x0000000007270000-memory.dmp

        Filesize

        320KB

        Download

      • memory/1432-1115-0x00000000071A0000-0x0000000007216000-memory.dmp

        Filesize

        472KB

        Download

      • memory/1432-1114-0x0000000004D00000-0x0000000004D10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1432-1113-0x0000000004D00000-0x0000000004D10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1432-1111-0x0000000004D00000-0x0000000004D10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1432-1112-0x0000000004D00000-0x0000000004D10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1432-1110-0x0000000006B30000-0x000000000705C000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/1432-1109-0x0000000006960000-0x0000000006B22000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/1432-1107-0x0000000006610000-0x00000000066A2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/1432-1106-0x0000000005F50000-0x0000000005FB6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1432-1105-0x0000000005C60000-0x0000000005C9C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1432-1103-0x0000000005C40000-0x0000000005C52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1432-1101-0x0000000005460000-0x0000000005A78000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/1432-415-0x0000000004D00000-0x0000000004D10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1432-411-0x0000000004D00000-0x0000000004D10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1432-414-0x0000000004D00000-0x0000000004D10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1432-410-0x0000000000AE0000-0x0000000000B2B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/1432-224-0x00000000052C0000-0x00000000052FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1432-222-0x00000000052C0000-0x00000000052FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1432-192-0x00000000052C0000-0x00000000052FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1432-191-0x00000000052C0000-0x00000000052FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1432-194-0x00000000052C0000-0x00000000052FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1432-196-0x00000000052C0000-0x00000000052FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1432-198-0x00000000052C0000-0x00000000052FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1432-200-0x00000000052C0000-0x00000000052FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1432-202-0x00000000052C0000-0x00000000052FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1432-204-0x00000000052C0000-0x00000000052FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1432-206-0x00000000052C0000-0x00000000052FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1432-208-0x00000000052C0000-0x00000000052FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1432-210-0x00000000052C0000-0x00000000052FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1432-212-0x00000000052C0000-0x00000000052FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1432-214-0x00000000052C0000-0x00000000052FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1432-216-0x00000000052C0000-0x00000000052FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1432-218-0x00000000052C0000-0x00000000052FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/1432-220-0x00000000052C0000-0x00000000052FE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4524-176-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4524-184-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4524-154-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4524-185-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4524-174-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4524-182-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4524-181-0x0000000000400000-0x000000000070C000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/4524-172-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4524-180-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4524-158-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4524-179-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4524-178-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4524-186-0x0000000000400000-0x000000000070C000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/4524-156-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4524-152-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4524-170-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4524-168-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4524-166-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4524-164-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4524-162-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4524-160-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4524-151-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4524-150-0x0000000004ED0000-0x0000000005474000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4524-149-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4524-148-0x0000000000710000-0x000000000073D000-memory.dmp

        Filesize

        180KB

        Download