Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    60s
  • max time network
    82s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/03/2023, 15:30

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    dd0c7e97e325c16559776c821df9ba6dbcd926e94f112a098903b787f0b889e1.exe

  • Size

    685KB

  • MD5

    2099b0cbff7871ad9f2f50e3987794f6

  • SHA1

    bd61b3898e1a42f7227a442e3cb7e939b124f045

  • SHA256

    dd0c7e97e325c16559776c821df9ba6dbcd926e94f112a098903b787f0b889e1

  • SHA512

    acb6d339e04e2580fb99d6a73b54115456b791e9ae5493a6262c2b54865d9a81adc3d85bb51f452e17dce4a872d63ad68399a982ad3b2adde1e1f0050aae22ee

  • SSDEEP

    12288:+Mr2y9068efCXyIDO6aS1qJxkiY/qsXmQLYB77qEBSCHE6ytxPP9J:EyNvmgIqWNdMF7BgCHE6ytxP1J

Score
10/10
redlinenicesonydiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

sony

C2

193.233.20.33:4125

Attributes
  • auth_value

    1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted

Family

redline

Botnet

nice

C2

193.233.20.33:4125

Attributes
  • auth_value

    a7371b75699e8bc7c51fb960e8ac9e81

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd0c7e97e325c16559776c821df9ba6dbcd926e94f112a098903b787f0b889e1.exe
    "C:\Users\Admin\AppData\Local\Temp\dd0c7e97e325c16559776c821df9ba6dbcd926e94f112a098903b787f0b889e1.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3924
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un123559.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un123559.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4124
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8211.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8211.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2108
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 1084
          4⤵
          • Program crash
          PID:112
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5716.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5716.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4068
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 2044
          4⤵
          • Program crash
          PID:4924
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si699242.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si699242.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5096
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2108 -ip 2108
    1⤵
      PID:212
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4068 -ip 4068
      1⤵
        PID:1980

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si699242.exe
        Filesize

        175KB

        MD5

        b86b6091c5d5f792c9ea439a9b497341

        SHA1

        3b9560a27ace45b1901a16009d6c78b9790506ca

        SHA256

        838b6e65abfc91f766f2cebd7b9d30b9333f820571c72b61966d2f6d344494dc

        SHA512

        ac3b52e57e1649a4a5f6b68c3ca6557f7b161205606cabdc38c8408b287b62edd296086a5b9c0154fc95950c19171fcbb62a13844632e581dbb80234bb8a5275

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si699242.exe
        Filesize

        175KB

        MD5

        b86b6091c5d5f792c9ea439a9b497341

        SHA1

        3b9560a27ace45b1901a16009d6c78b9790506ca

        SHA256

        838b6e65abfc91f766f2cebd7b9d30b9333f820571c72b61966d2f6d344494dc

        SHA512

        ac3b52e57e1649a4a5f6b68c3ca6557f7b161205606cabdc38c8408b287b62edd296086a5b9c0154fc95950c19171fcbb62a13844632e581dbb80234bb8a5275

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un123559.exe
        Filesize

        543KB

        MD5

        d6abe0c4a567b520aeef8bb410e6891d

        SHA1

        d91f93fee71aee7dcc4c7ef6f81427854e2a3a72

        SHA256

        21bcf9f32b635cc1ab2d791e0133d9418f65fd033c60ad9f3eb2a2cfa81a143a

        SHA512

        68db79cdd94b19a59b774327319da9c58f135568b7464054d0e5f8c7d960352e2e7fbe340174092902af0538317b0b80d8b51f244f2a0d867f1bf4007e666302

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un123559.exe
        Filesize

        543KB

        MD5

        d6abe0c4a567b520aeef8bb410e6891d

        SHA1

        d91f93fee71aee7dcc4c7ef6f81427854e2a3a72

        SHA256

        21bcf9f32b635cc1ab2d791e0133d9418f65fd033c60ad9f3eb2a2cfa81a143a

        SHA512

        68db79cdd94b19a59b774327319da9c58f135568b7464054d0e5f8c7d960352e2e7fbe340174092902af0538317b0b80d8b51f244f2a0d867f1bf4007e666302

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8211.exe
        Filesize

        292KB

        MD5

        437192d69386586d86d79f4c99b0bc69

        SHA1

        693f0b08e7df57f6072ad75a8fbc9cf4440a896a

        SHA256

        68b82357917d1853343c262ee5b2d0d998e3daa110b6771425c595e3c3e6fdd7

        SHA512

        06b80c37ba99309314c27fc2fc77090a557039210ecaf9a7d88d57178798d4eeec2d3580cbe35876214351290ca4360df7feb11b79ac88fc96969228285c3be8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8211.exe
        Filesize

        292KB

        MD5

        437192d69386586d86d79f4c99b0bc69

        SHA1

        693f0b08e7df57f6072ad75a8fbc9cf4440a896a

        SHA256

        68b82357917d1853343c262ee5b2d0d998e3daa110b6771425c595e3c3e6fdd7

        SHA512

        06b80c37ba99309314c27fc2fc77090a557039210ecaf9a7d88d57178798d4eeec2d3580cbe35876214351290ca4360df7feb11b79ac88fc96969228285c3be8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5716.exe
        Filesize

        350KB

        MD5

        c200cd55bc92bba25cfa366756ed6cc5

        SHA1

        c88c2856ea18c08e309e5f4577f3124f3f259686

        SHA256

        096d5909de42c926f88e67a56d8a4699da1a0a6c6d317140bae98a7e9bc7aeb9

        SHA512

        e1f5962d828523ebf1f512921f580d5e85eadf1f35fbfdfe7d448cd235295573644512dd805d0eb6365317cfcee42ad8a6b77fa1145c1d96bf6e534e4e273604

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5716.exe
        Filesize

        350KB

        MD5

        c200cd55bc92bba25cfa366756ed6cc5

        SHA1

        c88c2856ea18c08e309e5f4577f3124f3f259686

        SHA256

        096d5909de42c926f88e67a56d8a4699da1a0a6c6d317140bae98a7e9bc7aeb9

        SHA512

        e1f5962d828523ebf1f512921f580d5e85eadf1f35fbfdfe7d448cd235295573644512dd805d0eb6365317cfcee42ad8a6b77fa1145c1d96bf6e534e4e273604

        Download Submit

      • memory/2108-148-0x0000000004DD0000-0x0000000005374000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2108-150-0x0000000002260000-0x0000000002270000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2108-149-0x00000000007E0000-0x000000000080D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/2108-151-0x0000000002260000-0x0000000002270000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2108-152-0x0000000005380000-0x0000000005392000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2108-153-0x0000000005380000-0x0000000005392000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2108-155-0x0000000005380000-0x0000000005392000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2108-157-0x0000000005380000-0x0000000005392000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2108-159-0x0000000005380000-0x0000000005392000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2108-161-0x0000000005380000-0x0000000005392000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2108-163-0x0000000005380000-0x0000000005392000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2108-165-0x0000000005380000-0x0000000005392000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2108-167-0x0000000005380000-0x0000000005392000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2108-177-0x0000000005380000-0x0000000005392000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2108-179-0x0000000005380000-0x0000000005392000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2108-175-0x0000000005380000-0x0000000005392000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2108-173-0x0000000005380000-0x0000000005392000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2108-171-0x0000000005380000-0x0000000005392000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2108-169-0x0000000005380000-0x0000000005392000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2108-180-0x0000000000400000-0x000000000070C000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/2108-181-0x0000000002260000-0x0000000002270000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2108-182-0x0000000002260000-0x0000000002270000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2108-183-0x0000000002260000-0x0000000002270000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2108-185-0x0000000000400000-0x000000000070C000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/4068-191-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4068-190-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4068-193-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4068-195-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4068-197-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4068-199-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4068-201-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4068-203-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4068-205-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4068-207-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4068-209-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4068-211-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4068-212-0x0000000000770000-0x00000000007BB000-memory.dmp

        Filesize

        300KB

        Download

      • memory/4068-215-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4068-216-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4068-214-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4068-219-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4068-221-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4068-217-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4068-223-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4068-225-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4068-227-0x0000000004CC0000-0x0000000004CFE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4068-1100-0x0000000005460000-0x0000000005A78000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/4068-1101-0x0000000005B00000-0x0000000005C0A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/4068-1102-0x0000000005C40000-0x0000000005C52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4068-1103-0x0000000005C60000-0x0000000005C9C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/4068-1104-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4068-1105-0x0000000005F50000-0x0000000005FE2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4068-1106-0x0000000005FF0000-0x0000000006056000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4068-1108-0x00000000067F0000-0x0000000006866000-memory.dmp

        Filesize

        472KB

        Download

      • memory/4068-1109-0x0000000006880000-0x00000000068D0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4068-1110-0x0000000006A30000-0x0000000006BF2000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/4068-1111-0x0000000006C10000-0x000000000713C000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/4068-1112-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4068-1113-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4068-1114-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4068-1115-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5096-1121-0x0000000000880000-0x00000000008B2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/5096-1122-0x0000000005450000-0x0000000005460000-memory.dmp

        Filesize

        64KB

        Download