Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2023 16:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cc657687e676032fd2a2d43b492bb5e6e22846264639162ff5d3f4004e456da1.exe

  • Size

    1.0MB

  • MD5

    ca17e863b36476b5457b4dd8fa2cf66a

  • SHA1

    32881688cef9a29ac46eb6770440b03a12043b7c

  • SHA256

    cc657687e676032fd2a2d43b492bb5e6e22846264639162ff5d3f4004e456da1

  • SHA512

    0017256a3151ff8aff4658ca3429b7826047c4a6564fdc717589e54ff4b78ea7f6f251f21b467f16707ea76dfcb39a040af003c9466920f19b55207c643465ec

  • SSDEEP

    24576:tyqQnAAjm6XPpvqM0DLbaLiQCnA6ZkytBFeXyfNUy6:IqQnpjHPpiM0DLmLTC1ZkytSXyuy

Score
10/10
redlinesonyevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

sony

C2

193.233.20.33:4125

Attributes
  • auth_value

    1d93d1744381eeb4fcfd7c23ffe0f0b4

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cc657687e676032fd2a2d43b492bb5e6e22846264639162ff5d3f4004e456da1.exe
    "C:\Users\Admin\AppData\Local\Temp\cc657687e676032fd2a2d43b492bb5e6e22846264639162ff5d3f4004e456da1.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina8509.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina8509.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2848
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9056.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9056.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1344
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina7122.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina7122.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2344
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu812408.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu812408.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1512
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor6520.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor6520.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4324
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 1084
              6⤵
              • Program crash
              PID:3280
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dwR01s82.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dwR01s82.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4048
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4324 -ip 4324
    1⤵
      PID:5092

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina8509.exe
      Filesize

      857KB

      MD5

      aa191f1b4fa05e2b6c8bd8ed8fefa970

      SHA1

      d45cb31252ffcf1cc03e79ea9770436622220c42

      SHA256

      4704bb49b790bd079564d7177d62ca256cdd44b106e0b9aee739090b6e0fc9aa

      SHA512

      5117cd1d1c719ede607293b7c78c15a2e1713ad0e6d5e3be24ff145634a4cc99ab80da8cc30d344c5a3a3cf19c868609465320cc9a7aa11eb70223c31f162e7b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina8509.exe
      Filesize

      857KB

      MD5

      aa191f1b4fa05e2b6c8bd8ed8fefa970

      SHA1

      d45cb31252ffcf1cc03e79ea9770436622220c42

      SHA256

      4704bb49b790bd079564d7177d62ca256cdd44b106e0b9aee739090b6e0fc9aa

      SHA512

      5117cd1d1c719ede607293b7c78c15a2e1713ad0e6d5e3be24ff145634a4cc99ab80da8cc30d344c5a3a3cf19c868609465320cc9a7aa11eb70223c31f162e7b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9056.exe
      Filesize

      715KB

      MD5

      4385abf9641435e419dadc221be2b730

      SHA1

      0eee2cf8393f9180ea51610ae4cf74b9e6ae7409

      SHA256

      a87b331ae48673aa97717e5087c7aa997ece818f726d163d98f1b47c1751d251

      SHA512

      cfd09fc9adde408373b81ea8b41067bd1c24bd181512c902d0e094d1b7ffc044a49710cb46a01d22e8530f9ced6e6c4d2fc8ce831821023f611cea09839a8b49

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9056.exe
      Filesize

      715KB

      MD5

      4385abf9641435e419dadc221be2b730

      SHA1

      0eee2cf8393f9180ea51610ae4cf74b9e6ae7409

      SHA256

      a87b331ae48673aa97717e5087c7aa997ece818f726d163d98f1b47c1751d251

      SHA512

      cfd09fc9adde408373b81ea8b41067bd1c24bd181512c902d0e094d1b7ffc044a49710cb46a01d22e8530f9ced6e6c4d2fc8ce831821023f611cea09839a8b49

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dwR01s82.exe
      Filesize

      366KB

      MD5

      5b7911a0021435e850111582acd48c62

      SHA1

      2a9bbddc39befa3943de6a5da41f4c63b0675fe4

      SHA256

      89f28327f089adc73acedf993ae4e567662b806b2e98c725ce71f81e55c74067

      SHA512

      3a84b1c2567431a84cb6aa538aa754cbaa3bdb6fe2df4dd8e225fdc1a8801f3dd820bdf23cab7a2588b99c83bae4e6582ddb6f4d71a3865f1325016363a83ec3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dwR01s82.exe
      Filesize

      366KB

      MD5

      5b7911a0021435e850111582acd48c62

      SHA1

      2a9bbddc39befa3943de6a5da41f4c63b0675fe4

      SHA256

      89f28327f089adc73acedf993ae4e567662b806b2e98c725ce71f81e55c74067

      SHA512

      3a84b1c2567431a84cb6aa538aa754cbaa3bdb6fe2df4dd8e225fdc1a8801f3dd820bdf23cab7a2588b99c83bae4e6582ddb6f4d71a3865f1325016363a83ec3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina7122.exe
      Filesize

      354KB

      MD5

      5eb6b3de1bfd2f3bc9f5218bc0ee626f

      SHA1

      c5f96045ee919860fc9417038e73f26b5a43d37d

      SHA256

      17a9af45419c79672bf22b0b3a469ad01e83edb77f06c4fd1a6556c75d171a9a

      SHA512

      859ba9a4a5e70cf29e329a13e784dd1d23fd915deb7205c41ed0454542a0d17ec2c6fa3c1bea281829e4643f276c6bb078df2004d2b41be0fe6005dd2516c78c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina7122.exe
      Filesize

      354KB

      MD5

      5eb6b3de1bfd2f3bc9f5218bc0ee626f

      SHA1

      c5f96045ee919860fc9417038e73f26b5a43d37d

      SHA256

      17a9af45419c79672bf22b0b3a469ad01e83edb77f06c4fd1a6556c75d171a9a

      SHA512

      859ba9a4a5e70cf29e329a13e784dd1d23fd915deb7205c41ed0454542a0d17ec2c6fa3c1bea281829e4643f276c6bb078df2004d2b41be0fe6005dd2516c78c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu812408.exe
      Filesize

      12KB

      MD5

      ad75ca6ec8b6a9087ed85a88c0e04fea

      SHA1

      8e2a78c537bf1d8fd0d487837bd0baf9bbefe1d8

      SHA256

      5b101583de60ad2876b768b8254ee40a792b649487fba6fcc2f3bbeb96d520eb

      SHA512

      53b984c7605f4baf323849a50b7c7fe312161eb88eb10f0bb92a3e817b839c03bbb32e723daa8cfefdb6ff94ce9753b79eff67aeb77cc325a6cbb86204908823

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu812408.exe
      Filesize

      12KB

      MD5

      ad75ca6ec8b6a9087ed85a88c0e04fea

      SHA1

      8e2a78c537bf1d8fd0d487837bd0baf9bbefe1d8

      SHA256

      5b101583de60ad2876b768b8254ee40a792b649487fba6fcc2f3bbeb96d520eb

      SHA512

      53b984c7605f4baf323849a50b7c7fe312161eb88eb10f0bb92a3e817b839c03bbb32e723daa8cfefdb6ff94ce9753b79eff67aeb77cc325a6cbb86204908823

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor6520.exe
      Filesize

      308KB

      MD5

      21ea3bf265e8fe22329426fb942bf698

      SHA1

      1a54fca23c6ed87cfe5918677080cde6756b5889

      SHA256

      ef00afd047d92d701e6c75f7e35329980685079340518221bbd48fce11455875

      SHA512

      46354ac497ca32d0da189aa965dd00d0102d563cb215ee8083a9fbd6ad55c8fc9145d812d30739e503e353c4b5e4a4d66b6063f7e99625cf4b542b941d46bce4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor6520.exe
      Filesize

      308KB

      MD5

      21ea3bf265e8fe22329426fb942bf698

      SHA1

      1a54fca23c6ed87cfe5918677080cde6756b5889

      SHA256

      ef00afd047d92d701e6c75f7e35329980685079340518221bbd48fce11455875

      SHA512

      46354ac497ca32d0da189aa965dd00d0102d563cb215ee8083a9fbd6ad55c8fc9145d812d30739e503e353c4b5e4a4d66b6063f7e99625cf4b542b941d46bce4

      Download Submit

    • memory/1512-161-0x00000000009C0000-0x00000000009CA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4048-244-0x0000000002870000-0x00000000028AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4048-232-0x0000000002870000-0x00000000028AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4048-1123-0x0000000004F00000-0x0000000004F10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4048-1122-0x0000000005C60000-0x0000000005C9C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4048-1126-0x0000000004F00000-0x0000000004F10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4048-1121-0x0000000005C40000-0x0000000005C52000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4048-1120-0x0000000005B00000-0x0000000005C0A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4048-1119-0x00000000054C0000-0x0000000005AD8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4048-246-0x0000000002870000-0x00000000028AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4048-218-0x0000000002870000-0x00000000028AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4048-242-0x0000000002870000-0x00000000028AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4048-240-0x0000000002870000-0x00000000028AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4048-238-0x0000000002870000-0x00000000028AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4048-236-0x0000000002870000-0x00000000028AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4048-234-0x0000000002870000-0x00000000028AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4048-1125-0x0000000004F00000-0x0000000004F10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4048-230-0x0000000002870000-0x00000000028AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4048-228-0x0000000002870000-0x00000000028AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4048-226-0x0000000002870000-0x00000000028AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4048-224-0x0000000002870000-0x00000000028AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4048-222-0x0000000002870000-0x00000000028AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4048-220-0x0000000002870000-0x00000000028AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4048-1127-0x0000000004F00000-0x0000000004F10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4048-1128-0x0000000004F00000-0x0000000004F10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4048-209-0x0000000000980000-0x00000000009CB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4048-211-0x0000000002870000-0x00000000028AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4048-212-0x0000000004F00000-0x0000000004F10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4048-210-0x0000000004F00000-0x0000000004F10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4048-214-0x0000000004F00000-0x0000000004F10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4048-213-0x0000000002870000-0x00000000028AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4048-216-0x0000000002870000-0x00000000028AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4324-174-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4324-204-0x0000000000400000-0x0000000000710000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/4324-202-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4324-201-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4324-200-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4324-199-0x0000000000400000-0x0000000000710000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/4324-198-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4324-196-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4324-194-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4324-192-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4324-190-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4324-188-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4324-186-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4324-184-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4324-182-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4324-180-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4324-178-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4324-176-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4324-172-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4324-171-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4324-168-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4324-169-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4324-170-0x0000000004EC0000-0x0000000005464000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4324-167-0x0000000000910000-0x000000000093D000-memory.dmp

      Filesize

      180KB

      Download