Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    53s
  • max time network
    71s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    27-03-2023 15:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d2ee3b2f6d18c655d8474ae68713adfc758dff11cddcda0a85d2b1146ead2cf9.exe

  • Size

    700KB

  • MD5

    3e2c1e5b60d9e69e193c61e22d65cef2

  • SHA1

    8e6eb24a364ccba7fad6dc19a82b10293c08682a

  • SHA256

    d2ee3b2f6d18c655d8474ae68713adfc758dff11cddcda0a85d2b1146ead2cf9

  • SHA512

    41b1787556460cf826d543c90257950e461560bdc08dd5d6c35f812a0ad97a63020e4d23a59019cf5284ad64498d5830c6274b7dee6c948eeaa10237dbcda567

  • SSDEEP

    12288:jMreOy90uAh6SsKBCRBVPp7Abq3HyUGuqpLXY2aBmCBzU0o+D9fBRveRmEu+DBC:6yUh6SZCb6SHyfCxzdFfWBC

Score
10/10
redlinenicesonydiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

sony

C2

193.233.20.33:4125

Attributes
  • auth_value

    1d93d1744381eeb4fcfd7c23ffe0f0b4

Extracted

Family

redline

Botnet

nice

C2

193.233.20.33:4125

Attributes
  • auth_value

    a7371b75699e8bc7c51fb960e8ac9e81

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d2ee3b2f6d18c655d8474ae68713adfc758dff11cddcda0a85d2b1146ead2cf9.exe
    "C:\Users\Admin\AppData\Local\Temp\d2ee3b2f6d18c655d8474ae68713adfc758dff11cddcda0a85d2b1146ead2cf9.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:376
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un308578.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un308578.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3840
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8054.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8054.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4924
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5689.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5689.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4820
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si514138.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si514138.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3076

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si514138.exe
    Filesize

    175KB

    MD5

    400a1a97b07b7253f1af74f8be31ef82

    SHA1

    1d79c8bc28e1e383d2e712114eb637fed9c586a2

    SHA256

    21ba1f33a15874e4ae1633b0234ba3b1e50c6146aa8dbbffb790cc9ed68c4b26

    SHA512

    4db7c0ab585136cb040d60752e457da025dc9f01262fb200a7798831a62d26421f180c21b1972b6dc570a5301314df2675f1204bdaab6cccf7e2cf771677b701

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si514138.exe
    Filesize

    175KB

    MD5

    400a1a97b07b7253f1af74f8be31ef82

    SHA1

    1d79c8bc28e1e383d2e712114eb637fed9c586a2

    SHA256

    21ba1f33a15874e4ae1633b0234ba3b1e50c6146aa8dbbffb790cc9ed68c4b26

    SHA512

    4db7c0ab585136cb040d60752e457da025dc9f01262fb200a7798831a62d26421f180c21b1972b6dc570a5301314df2675f1204bdaab6cccf7e2cf771677b701

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un308578.exe
    Filesize

    558KB

    MD5

    4d2ca20f26d141dac8f550cf89796058

    SHA1

    7caa60fca4c28e2459264c209d235c2035fc7e63

    SHA256

    d4944b046924816bbdd7fce5edf79980dfe3eecca9450311820a04663d39a1bf

    SHA512

    d3b4b28664edb7712521ea913a78e338fdc4aa18e758801f653bf64e026440d7593e5c9cb22617405b1b888946bd12c3785e60ce19edb637ea5db77e005af578

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un308578.exe
    Filesize

    558KB

    MD5

    4d2ca20f26d141dac8f550cf89796058

    SHA1

    7caa60fca4c28e2459264c209d235c2035fc7e63

    SHA256

    d4944b046924816bbdd7fce5edf79980dfe3eecca9450311820a04663d39a1bf

    SHA512

    d3b4b28664edb7712521ea913a78e338fdc4aa18e758801f653bf64e026440d7593e5c9cb22617405b1b888946bd12c3785e60ce19edb637ea5db77e005af578

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8054.exe
    Filesize

    308KB

    MD5

    9721912b866f5af4059f3eb8a952584c

    SHA1

    954570bc42026db20c58d348bbba2c2355c71aea

    SHA256

    57a86b63ecb1c616c8bbc91c0b00bdd940e9d3f3f7603c4c1254a981210fd62a

    SHA512

    24bf86bc93271e7ec519de1e0862d51860246cacb436c1da61259840c1431a531c664a97d3ac6fcefbe7f655d9eb2ebabd57dc94b95ed1a56d13e93c31fc5250

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8054.exe
    Filesize

    308KB

    MD5

    9721912b866f5af4059f3eb8a952584c

    SHA1

    954570bc42026db20c58d348bbba2c2355c71aea

    SHA256

    57a86b63ecb1c616c8bbc91c0b00bdd940e9d3f3f7603c4c1254a981210fd62a

    SHA512

    24bf86bc93271e7ec519de1e0862d51860246cacb436c1da61259840c1431a531c664a97d3ac6fcefbe7f655d9eb2ebabd57dc94b95ed1a56d13e93c31fc5250

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5689.exe
    Filesize

    366KB

    MD5

    3128a6864c116600b13f6615ab6c7555

    SHA1

    ec037cdabe8e942dd92176af5d3c5137f57ef250

    SHA256

    ca9cf2082c983bf831f10566a8318bb6b467c09ca11617e2991e55d84f2bbaad

    SHA512

    540a289c1fec7dbc60e6d315b22642960dba593e210271b265dac958981edf7aa83fc0e5eb80fc646c7017c1c36e1854beec1a52f6ac1296d15af51a7abb79ef

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5689.exe
    Filesize

    366KB

    MD5

    3128a6864c116600b13f6615ab6c7555

    SHA1

    ec037cdabe8e942dd92176af5d3c5137f57ef250

    SHA256

    ca9cf2082c983bf831f10566a8318bb6b467c09ca11617e2991e55d84f2bbaad

    SHA512

    540a289c1fec7dbc60e6d315b22642960dba593e210271b265dac958981edf7aa83fc0e5eb80fc646c7017c1c36e1854beec1a52f6ac1296d15af51a7abb79ef

    Download Submit

  • memory/3076-1113-0x0000000004940000-0x0000000004950000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3076-1112-0x0000000004B40000-0x0000000004B8B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3076-1111-0x0000000000100000-0x0000000000132000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4820-1091-0x00000000053F0000-0x00000000054FA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4820-1094-0x00000000056A0000-0x00000000056EB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4820-1105-0x0000000006AF0000-0x000000000701C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4820-1104-0x0000000006920000-0x0000000006AE2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4820-1103-0x00000000068C0000-0x0000000006910000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4820-1102-0x00000000066E0000-0x0000000006756000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4820-1101-0x0000000002330000-0x0000000002340000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4820-1100-0x0000000002330000-0x0000000002340000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4820-1099-0x0000000002330000-0x0000000002340000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4820-1097-0x00000000058D0000-0x0000000005936000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4820-1096-0x0000000005830000-0x00000000058C2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4820-1095-0x0000000002330000-0x0000000002340000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4820-1093-0x0000000005550000-0x000000000558E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4820-1092-0x0000000005530000-0x0000000005542000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4820-1090-0x00000000059A0000-0x0000000005FA6000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4820-217-0x0000000005210000-0x000000000524E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4820-215-0x0000000005210000-0x000000000524E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4820-213-0x0000000005210000-0x000000000524E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4820-211-0x0000000005210000-0x000000000524E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4820-209-0x0000000005210000-0x000000000524E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4820-207-0x0000000005210000-0x000000000524E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4820-178-0x00000000024E0000-0x0000000002526000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4820-179-0x0000000005210000-0x0000000005254000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4820-181-0x0000000005210000-0x000000000524E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4820-180-0x0000000005210000-0x000000000524E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4820-183-0x0000000005210000-0x000000000524E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4820-185-0x0000000005210000-0x000000000524E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4820-188-0x0000000000920000-0x000000000096B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4820-187-0x0000000005210000-0x000000000524E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4820-190-0x0000000002330000-0x0000000002340000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4820-192-0x0000000002330000-0x0000000002340000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4820-191-0x0000000005210000-0x000000000524E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4820-195-0x0000000005210000-0x000000000524E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4820-194-0x0000000002330000-0x0000000002340000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4820-197-0x0000000005210000-0x000000000524E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4820-199-0x0000000005210000-0x000000000524E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4820-201-0x0000000005210000-0x000000000524E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4820-203-0x0000000005210000-0x000000000524E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4820-205-0x0000000005210000-0x000000000524E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4924-160-0x0000000004C40000-0x0000000004C52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4924-173-0x0000000000400000-0x0000000000710000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/4924-158-0x0000000004C40000-0x0000000004C52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4924-156-0x0000000004C40000-0x0000000004C52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4924-170-0x0000000004E10000-0x0000000004E20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4924-169-0x0000000000400000-0x0000000000710000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/4924-168-0x0000000004C40000-0x0000000004C52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4924-138-0x0000000004E10000-0x0000000004E20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4924-166-0x0000000004C40000-0x0000000004C52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4924-164-0x0000000004C40000-0x0000000004C52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4924-142-0x0000000004C40000-0x0000000004C52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4924-162-0x0000000004C40000-0x0000000004C52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4924-134-0x00000000026A0000-0x00000000026BA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4924-141-0x0000000004C40000-0x0000000004C52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4924-171-0x0000000004E10000-0x0000000004E20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4924-154-0x0000000004C40000-0x0000000004C52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4924-152-0x0000000004C40000-0x0000000004C52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4924-150-0x0000000004C40000-0x0000000004C52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4924-148-0x0000000004C40000-0x0000000004C52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4924-146-0x0000000004C40000-0x0000000004C52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4924-144-0x0000000004C40000-0x0000000004C52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4924-140-0x0000000004C40000-0x0000000004C58000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4924-139-0x0000000004E10000-0x0000000004E20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4924-136-0x0000000004E10000-0x0000000004E20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4924-137-0x0000000004E20000-0x000000000531E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4924-135-0x00000000007E0000-0x000000000080D000-memory.dmp

    Filesize

    180KB

    Download