Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2023 15:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8c385e80a6ad98382186087494179bef1d013e7f1ee1de473a3eec0304b4ba46.exe

  • Size

    685KB

  • MD5

    10801c7fd51bae4dabeb275ef884946d

  • SHA1

    68da32701e487cd4abb8a7457d395ab0a31204e1

  • SHA256

    8c385e80a6ad98382186087494179bef1d013e7f1ee1de473a3eec0304b4ba46

  • SHA512

    b3b11e478d3cbf45d059eae610aed6b55bc30bc5ddc30ca0e51c523ebc07438d184a39879873bd4e1b00c419a16edea526a4ab4f18c89ae9bc51642fb27223c2

  • SSDEEP

    12288:RMr4y90DwBu/ecnpzLqdIBasOMSMu3OHw/VL3vHnQuggrEsp8BlwzEZJIKefft:xyW/3ntkIBZS73nR3fQJBHwzEZult

Score
10/10
redlinenicesonydiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

sony

C2

193.233.20.33:4125

Attributes
  • auth_value

    1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted

Family

redline

Botnet

nice

C2

193.233.20.33:4125

Attributes
  • auth_value

    a7371b75699e8bc7c51fb960e8ac9e81

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c385e80a6ad98382186087494179bef1d013e7f1ee1de473a3eec0304b4ba46.exe
    "C:\Users\Admin\AppData\Local\Temp\8c385e80a6ad98382186087494179bef1d013e7f1ee1de473a3eec0304b4ba46.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un946582.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un946582.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1136
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1937.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1937.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4504
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1084
          4⤵
          • Program crash
          PID:3996
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3709.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3709.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3876
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 1772
          4⤵
          • Program crash
          PID:3988
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si489882.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si489882.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4524
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4504 -ip 4504
    1⤵
      PID:3328
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3876 -ip 3876
      1⤵
        PID:4528
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe start wuauserv
        1⤵
        • Launches sc.exe
        PID:3640

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si489882.exe
        Filesize

        175KB

        MD5

        161334e0bc0372e48f4ebf3a56acc244

        SHA1

        1f255d8a0c2012e191cd0e849d92c2292b369128

        SHA256

        a53a49bf3d00f3cefe627709460cfa36576dfd3c57648411059e4dfafd2b4984

        SHA512

        30e557efd3ae1d4e41df7282cc81718bb2448582d1b491adaeb7292881c5ba8a58238a8ccd7b971360421bec40b04b18e8f7c37f3558fa36107cc5d6e2f4313f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si489882.exe
        Filesize

        175KB

        MD5

        161334e0bc0372e48f4ebf3a56acc244

        SHA1

        1f255d8a0c2012e191cd0e849d92c2292b369128

        SHA256

        a53a49bf3d00f3cefe627709460cfa36576dfd3c57648411059e4dfafd2b4984

        SHA512

        30e557efd3ae1d4e41df7282cc81718bb2448582d1b491adaeb7292881c5ba8a58238a8ccd7b971360421bec40b04b18e8f7c37f3558fa36107cc5d6e2f4313f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un946582.exe
        Filesize

        543KB

        MD5

        38dc73cb3099269c2ff368e21a0a6d11

        SHA1

        5f61849c262fe7e9e42d8d097d10f86c78ed32f6

        SHA256

        e3cd863c065079bec08b129b45b51f5e56c4d4e3a5ab541d4b30c305c0c78980

        SHA512

        e5d2ac6c74f3184712df86d50a1451a3e75f4614c871e919de64807512be858768bc74eff057d534fdb9880a4e8665fa7c655382e64074c426d8c7214e66f551

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un946582.exe
        Filesize

        543KB

        MD5

        38dc73cb3099269c2ff368e21a0a6d11

        SHA1

        5f61849c262fe7e9e42d8d097d10f86c78ed32f6

        SHA256

        e3cd863c065079bec08b129b45b51f5e56c4d4e3a5ab541d4b30c305c0c78980

        SHA512

        e5d2ac6c74f3184712df86d50a1451a3e75f4614c871e919de64807512be858768bc74eff057d534fdb9880a4e8665fa7c655382e64074c426d8c7214e66f551

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1937.exe
        Filesize

        292KB

        MD5

        28da5447c2df6479b65abac75848faeb

        SHA1

        954fec98f3138c73bdb278bba467c8cdf8d1b13f

        SHA256

        840596e5bf2377b095df152c47d9368c9a127e92d6c9cc49755c796a0b026fb1

        SHA512

        ce28ee9fae82598bd9d3d5897fc1935d9d4c0854911339a3a5afbb2af507c51c12bc00b801666da9813a4a9464d9dd493db91926c38f4f8b8f4eac79582a5410

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1937.exe
        Filesize

        292KB

        MD5

        28da5447c2df6479b65abac75848faeb

        SHA1

        954fec98f3138c73bdb278bba467c8cdf8d1b13f

        SHA256

        840596e5bf2377b095df152c47d9368c9a127e92d6c9cc49755c796a0b026fb1

        SHA512

        ce28ee9fae82598bd9d3d5897fc1935d9d4c0854911339a3a5afbb2af507c51c12bc00b801666da9813a4a9464d9dd493db91926c38f4f8b8f4eac79582a5410

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3709.exe
        Filesize

        350KB

        MD5

        82539e649193631ac2327c840ec3d49c

        SHA1

        2b5bb1a88ce60020585d68faab6e20706d3efa31

        SHA256

        547b1392315c381d811866547180824055772b8a97d8ebafa0b0abab547d3b1d

        SHA512

        edf6bd1329ddfa32fdd1ad6304d2ee69809861e75dc05771007b39fa9db3472c90546dae1564d719c6c7e2baf003ebaf4f4516deb0f967e1eddc4ac8121668cd

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3709.exe
        Filesize

        350KB

        MD5

        82539e649193631ac2327c840ec3d49c

        SHA1

        2b5bb1a88ce60020585d68faab6e20706d3efa31

        SHA256

        547b1392315c381d811866547180824055772b8a97d8ebafa0b0abab547d3b1d

        SHA512

        edf6bd1329ddfa32fdd1ad6304d2ee69809861e75dc05771007b39fa9db3472c90546dae1564d719c6c7e2baf003ebaf4f4516deb0f967e1eddc4ac8121668cd

        Download Submit

      • memory/3876-1102-0x00000000059C0000-0x0000000005ACA000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/3876-414-0x00000000023A0000-0x00000000023B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3876-204-0x00000000052A0000-0x00000000052DE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3876-206-0x00000000052A0000-0x00000000052DE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3876-1115-0x00000000023A0000-0x00000000023B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3876-1114-0x00000000023A0000-0x00000000023B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3876-1113-0x00000000023A0000-0x00000000023B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3876-1112-0x0000000006FA0000-0x0000000006FF0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/3876-1111-0x0000000006F20000-0x0000000006F96000-memory.dmp

        Filesize

        472KB

        Download

      • memory/3876-1109-0x00000000067A0000-0x0000000006CCC000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3876-208-0x00000000052A0000-0x00000000052DE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3876-1108-0x00000000065D0000-0x0000000006792000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/3876-1107-0x00000000064C0000-0x0000000006552000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3876-1106-0x0000000005E10000-0x0000000005E76000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3876-1105-0x0000000005B20000-0x0000000005B5C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/3876-1104-0x00000000023A0000-0x00000000023B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3876-1103-0x0000000005B00000-0x0000000005B12000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3876-1101-0x0000000005320000-0x0000000005938000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3876-417-0x00000000023A0000-0x00000000023B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3876-218-0x00000000052A0000-0x00000000052DE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3876-416-0x00000000023A0000-0x00000000023B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3876-411-0x0000000000860000-0x00000000008AB000-memory.dmp

        Filesize

        300KB

        Download

      • memory/3876-224-0x00000000052A0000-0x00000000052DE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3876-192-0x00000000052A0000-0x00000000052DE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3876-191-0x00000000052A0000-0x00000000052DE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3876-194-0x00000000052A0000-0x00000000052DE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3876-198-0x00000000052A0000-0x00000000052DE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3876-200-0x00000000052A0000-0x00000000052DE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3876-196-0x00000000052A0000-0x00000000052DE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3876-202-0x00000000052A0000-0x00000000052DE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3876-222-0x00000000052A0000-0x00000000052DE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3876-1116-0x00000000023A0000-0x00000000023B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3876-220-0x00000000052A0000-0x00000000052DE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3876-210-0x00000000052A0000-0x00000000052DE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3876-212-0x00000000052A0000-0x00000000052DE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3876-214-0x00000000052A0000-0x00000000052DE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3876-216-0x00000000052A0000-0x00000000052DE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4504-181-0x0000000000400000-0x000000000070C000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/4504-170-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4504-148-0x0000000004EE0000-0x0000000005484000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4504-151-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4504-152-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4504-186-0x0000000000400000-0x000000000070C000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/4504-184-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4504-183-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4504-182-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4504-150-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4504-153-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4504-180-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4504-178-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4504-176-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4504-174-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4504-172-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4504-168-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4504-166-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4504-164-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4504-162-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4504-160-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4504-158-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4504-156-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4504-149-0x00000000007E0000-0x000000000080D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/4504-154-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4524-1122-0x0000000000DC0000-0x0000000000DF2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4524-1123-0x0000000005A00000-0x0000000005A10000-memory.dmp

        Filesize

        64KB

        Download