Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    82s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2023 15:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ccfada537e712ca1015d89d184790f79724647ebe703fe311373afdcb66fa50f.exe

  • Size

    685KB

  • MD5

    a6bf1cf519b195f78832f04b97f3468f

  • SHA1

    0bb5cc3cd94195364feb18ea8af9c371ed6c496d

  • SHA256

    ccfada537e712ca1015d89d184790f79724647ebe703fe311373afdcb66fa50f

  • SHA512

    3467c8e859cd33a40f1866ceed36ac45e366a0c3cdbeddde642dd2a09714ef032da1baa9272e452f7ee1b8e72116a6a87617fd56434498f63127439be92cc1d0

  • SSDEEP

    12288:QMrcy90OxSL5m1PJcUdR0DKwJ/key0fNL3vGnK+/pzkxJv7BayAEis44zcKJ:cyY0ZJcaR+Kwbyi3WIFIyAEisbwKJ

Score
10/10
redlinenicesonydiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

sony

C2

193.233.20.33:4125

Attributes
  • auth_value

    1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted

Family

redline

Botnet

nice

C2

193.233.20.33:4125

Attributes
  • auth_value

    a7371b75699e8bc7c51fb960e8ac9e81

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ccfada537e712ca1015d89d184790f79724647ebe703fe311373afdcb66fa50f.exe
    "C:\Users\Admin\AppData\Local\Temp\ccfada537e712ca1015d89d184790f79724647ebe703fe311373afdcb66fa50f.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4452
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un883037.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un883037.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4764
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3453.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3453.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4508
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1084
          4⤵
          • Program crash
          PID:392
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2844.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2844.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3572
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 1716
          4⤵
          • Program crash
          PID:2860
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si603400.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si603400.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5000
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4508 -ip 4508
    1⤵
      PID:3896
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3572 -ip 3572
      1⤵
        PID:452

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si603400.exe
        Filesize

        175KB

        MD5

        f9e28c0e86ddb4eae2025d22d8fa2230

        SHA1

        fef9139d4ea3c43a95c3b4271c248d760ab5acc8

        SHA256

        a990426c3e541e74c08b6dff16801e03a69a401eb6d6ec4392d5c755fc317f0b

        SHA512

        f15db86dc64eeefa027271ef687833a5985da44c5646dab63f24cc73c602fe1f7ddd6eb394e766c98bbd28ef50fc68d108f2a7307a98b5d17348b669f393fe63

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si603400.exe
        Filesize

        175KB

        MD5

        f9e28c0e86ddb4eae2025d22d8fa2230

        SHA1

        fef9139d4ea3c43a95c3b4271c248d760ab5acc8

        SHA256

        a990426c3e541e74c08b6dff16801e03a69a401eb6d6ec4392d5c755fc317f0b

        SHA512

        f15db86dc64eeefa027271ef687833a5985da44c5646dab63f24cc73c602fe1f7ddd6eb394e766c98bbd28ef50fc68d108f2a7307a98b5d17348b669f393fe63

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un883037.exe
        Filesize

        543KB

        MD5

        f8e55d556812f8e2ee3e08f4070160e5

        SHA1

        c3ba7971b84d60d0b75e14887848242c3c4df9b2

        SHA256

        3120d40c837c1b3114f25c9423599eec793edbadd9ece82e2be35443ec65d760

        SHA512

        acf65133d5ddfe91c73247cdc9c8c3762df62be12eabe10903aa07aa3188a53b7ed0f1ae96a787c242ed2d1b614b6ac1d28ba842f9c81dcd5056a5d444290092

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un883037.exe
        Filesize

        543KB

        MD5

        f8e55d556812f8e2ee3e08f4070160e5

        SHA1

        c3ba7971b84d60d0b75e14887848242c3c4df9b2

        SHA256

        3120d40c837c1b3114f25c9423599eec793edbadd9ece82e2be35443ec65d760

        SHA512

        acf65133d5ddfe91c73247cdc9c8c3762df62be12eabe10903aa07aa3188a53b7ed0f1ae96a787c242ed2d1b614b6ac1d28ba842f9c81dcd5056a5d444290092

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3453.exe
        Filesize

        292KB

        MD5

        238b606af02aa57c0dcfdb08ad14f906

        SHA1

        30ef8792e6a26e2bb0288e6e7326699c8523c9d5

        SHA256

        32e42094fe6d8d1f85768382050f81f476fbe5c545d8b2ccb8eaa5cd61c2124b

        SHA512

        366d3860d3694605fc5ca06ff1840fa1b79b6ecfb4e61a566cb0ed9a28301bb0bb58429c9faade17845136242f8b32c8c7478c2a34fefd60a71530654c2aaee6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3453.exe
        Filesize

        292KB

        MD5

        238b606af02aa57c0dcfdb08ad14f906

        SHA1

        30ef8792e6a26e2bb0288e6e7326699c8523c9d5

        SHA256

        32e42094fe6d8d1f85768382050f81f476fbe5c545d8b2ccb8eaa5cd61c2124b

        SHA512

        366d3860d3694605fc5ca06ff1840fa1b79b6ecfb4e61a566cb0ed9a28301bb0bb58429c9faade17845136242f8b32c8c7478c2a34fefd60a71530654c2aaee6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2844.exe
        Filesize

        350KB

        MD5

        53116aa7a3200ab6c9863a22bd1ce78b

        SHA1

        38a1bc1eec53764a4088e25579c26d81aa74a75d

        SHA256

        1f595da3c71e6b36284c4483730d20a31d98183490114b86ebcd3e54c021cf17

        SHA512

        114d4b4267afc61005489c38faa95350b8985246642b92447b2b5e15982005fdbc11af28fa709e882669fc08f374b68b34bacfe624ce0c5e73c88d5b19ede0fe

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2844.exe
        Filesize

        350KB

        MD5

        53116aa7a3200ab6c9863a22bd1ce78b

        SHA1

        38a1bc1eec53764a4088e25579c26d81aa74a75d

        SHA256

        1f595da3c71e6b36284c4483730d20a31d98183490114b86ebcd3e54c021cf17

        SHA512

        114d4b4267afc61005489c38faa95350b8985246642b92447b2b5e15982005fdbc11af28fa709e882669fc08f374b68b34bacfe624ce0c5e73c88d5b19ede0fe

        Download Submit

      • memory/3572-227-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3572-1102-0x0000000005C40000-0x0000000005C52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3572-1116-0x0000000004E20000-0x0000000004E30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3572-1114-0x0000000007220000-0x0000000007270000-memory.dmp

        Filesize

        320KB

        Download

      • memory/3572-1113-0x0000000007190000-0x0000000007206000-memory.dmp

        Filesize

        472KB

        Download

      • memory/3572-1112-0x00000000068F0000-0x0000000006E1C000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3572-1111-0x0000000006710000-0x00000000068D2000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/3572-1110-0x0000000004E20000-0x0000000004E30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3572-1109-0x0000000004E20000-0x0000000004E30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3572-1108-0x0000000004E20000-0x0000000004E30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3572-1106-0x0000000005FF0000-0x0000000006056000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3572-1105-0x0000000005F50000-0x0000000005FE2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3572-1104-0x0000000004E20000-0x0000000004E30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3572-1103-0x0000000005C60000-0x0000000005C9C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/3572-1101-0x0000000005B00000-0x0000000005C0A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/3572-1100-0x00000000054E0000-0x0000000005AF8000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3572-225-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3572-223-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3572-221-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3572-219-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3572-217-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3572-215-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3572-191-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3572-190-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3572-193-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3572-195-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3572-197-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3572-198-0x0000000002100000-0x000000000214B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/3572-200-0x0000000004E20000-0x0000000004E30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3572-202-0x0000000004E20000-0x0000000004E30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3572-204-0x0000000004E20000-0x0000000004E30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3572-205-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3572-201-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3572-207-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3572-209-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3572-211-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3572-213-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4508-173-0x0000000002960000-0x0000000002972000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4508-185-0x0000000000400000-0x000000000070C000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/4508-171-0x0000000002960000-0x0000000002972000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4508-169-0x0000000002960000-0x0000000002972000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4508-182-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4508-181-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4508-150-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4508-180-0x0000000000400000-0x000000000070C000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/4508-179-0x0000000002960000-0x0000000002972000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4508-153-0x0000000002960000-0x0000000002972000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4508-177-0x0000000002960000-0x0000000002972000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4508-175-0x0000000002960000-0x0000000002972000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4508-151-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4508-152-0x0000000002960000-0x0000000002972000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4508-183-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4508-167-0x0000000002960000-0x0000000002972000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4508-165-0x0000000002960000-0x0000000002972000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4508-163-0x0000000002960000-0x0000000002972000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4508-161-0x0000000002960000-0x0000000002972000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4508-159-0x0000000002960000-0x0000000002972000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4508-157-0x0000000002960000-0x0000000002972000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4508-155-0x0000000002960000-0x0000000002972000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4508-148-0x00000000007E0000-0x000000000080D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/4508-149-0x0000000004FC0000-0x0000000005564000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/5000-1121-0x0000000000750000-0x0000000000782000-memory.dmp

        Filesize

        200KB

        Download

      • memory/5000-1122-0x0000000005080000-0x0000000005090000-memory.dmp

        Filesize

        64KB

        Download