Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2023 16:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    46b0c9da84473b44b9e1d036efc8b1e6ad903498c67f0bd83c36fc09b3f15d28.exe

  • Size

    700KB

  • MD5

    1c2e7516a79ea80e0e7e77f5ffb15ad6

  • SHA1

    e45a94393f37b157cc74e84984c82211622e9b94

  • SHA256

    46b0c9da84473b44b9e1d036efc8b1e6ad903498c67f0bd83c36fc09b3f15d28

  • SHA512

    ed1c85f945877109179a201fcc747b6a801ebf146b30f03cb329b14c3a4d22470e33e6d6a80a597ef768c8d03b0c2622dd93177f524ac91384c786dbca386aa6

  • SSDEEP

    12288:RMrty90uzLEsc72gm7Exy+6Pdzkcg2ukHpMapunjewJdBRvb0KGSBoC4eS:kymsqRmA0+6Fzk9UHpXqjfJd8KvF4eS

Score
10/10
redlinesonyevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

sony

C2

193.233.20.33:4125

Attributes
  • auth_value

    1d93d1744381eeb4fcfd7c23ffe0f0b4

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\46b0c9da84473b44b9e1d036efc8b1e6ad903498c67f0bd83c36fc09b3f15d28.exe
    "C:\Users\Admin\AppData\Local\Temp\46b0c9da84473b44b9e1d036efc8b1e6ad903498c67f0bd83c36fc09b3f15d28.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1264
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un482341.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un482341.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1648
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4052.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4052.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1908
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 1028
          4⤵
          • Program crash
          PID:1440
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9261.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9261.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4572
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1908 -ip 1908
    1⤵
      PID:1436
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start wuauserv
      1⤵
      • Launches sc.exe
      PID:4100

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un482341.exe
      Filesize

      558KB

      MD5

      d2b35e6dbe38c6bce9a8db46a499b3aa

      SHA1

      984f892b089beb9c12bbf4d007b4c32a9543c35a

      SHA256

      a1fdc71aec39539ec3de6aba01078df4fd0707c3b2437fd17b2106ddc812fd17

      SHA512

      80ff7a4aa5e7762e4f878d55c5ebf64ce04008baa33dc634d1eaffc622e6f24e152c128101d1ff61616a74a1b01756d1a1f65af360ae538ef6eefa99e0d853d9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un482341.exe
      Filesize

      558KB

      MD5

      d2b35e6dbe38c6bce9a8db46a499b3aa

      SHA1

      984f892b089beb9c12bbf4d007b4c32a9543c35a

      SHA256

      a1fdc71aec39539ec3de6aba01078df4fd0707c3b2437fd17b2106ddc812fd17

      SHA512

      80ff7a4aa5e7762e4f878d55c5ebf64ce04008baa33dc634d1eaffc622e6f24e152c128101d1ff61616a74a1b01756d1a1f65af360ae538ef6eefa99e0d853d9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4052.exe
      Filesize

      308KB

      MD5

      9c244a4f69b07f075fc9e8ea88bd0fce

      SHA1

      34164ddd95941b4481d7bea71a00a62d3906a044

      SHA256

      290a34b716dd99ff8834d3e31abf77fa7c71ed131baf8454ba5a2f8acdc56f14

      SHA512

      a0574b485ca22c661c5d1c97353479efa6afad0e5ec90fa99a4989220a982ee585d195386f811110f1b4dd5986e01903d87f65491638c0bc3526c3a06b800b26

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4052.exe
      Filesize

      308KB

      MD5

      9c244a4f69b07f075fc9e8ea88bd0fce

      SHA1

      34164ddd95941b4481d7bea71a00a62d3906a044

      SHA256

      290a34b716dd99ff8834d3e31abf77fa7c71ed131baf8454ba5a2f8acdc56f14

      SHA512

      a0574b485ca22c661c5d1c97353479efa6afad0e5ec90fa99a4989220a982ee585d195386f811110f1b4dd5986e01903d87f65491638c0bc3526c3a06b800b26

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9261.exe
      Filesize

      366KB

      MD5

      8c228c1dd98a6c66659e2548d06d6e76

      SHA1

      a95b5c6c9e717327ef5067b7ad8797207b3df728

      SHA256

      bf125f925e46eaf65c27eca17c70cd8bd84e63d44aae4cd61b8e9677a34a0872

      SHA512

      18f4f2f6ae5ff2db9618924e4d353e37221409c339677e47677129bf543508d65189433c63a9ecbf22f98297b92ee88b397a39ce72b5dc8dc9052ae21d4f553f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9261.exe
      Filesize

      366KB

      MD5

      8c228c1dd98a6c66659e2548d06d6e76

      SHA1

      a95b5c6c9e717327ef5067b7ad8797207b3df728

      SHA256

      bf125f925e46eaf65c27eca17c70cd8bd84e63d44aae4cd61b8e9677a34a0872

      SHA512

      18f4f2f6ae5ff2db9618924e4d353e37221409c339677e47677129bf543508d65189433c63a9ecbf22f98297b92ee88b397a39ce72b5dc8dc9052ae21d4f553f

      Download Submit

    • memory/1908-164-0x0000000005240000-0x0000000005252000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1908-151-0x0000000002820000-0x0000000002830000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1908-152-0x0000000002820000-0x0000000002830000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1908-153-0x0000000005240000-0x0000000005252000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1908-154-0x0000000005240000-0x0000000005252000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1908-156-0x0000000005240000-0x0000000005252000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1908-158-0x0000000005240000-0x0000000005252000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1908-160-0x0000000005240000-0x0000000005252000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1908-162-0x0000000005240000-0x0000000005252000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1908-150-0x0000000002820000-0x0000000002830000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1908-166-0x0000000005240000-0x0000000005252000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1908-168-0x0000000005240000-0x0000000005252000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1908-170-0x0000000005240000-0x0000000005252000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1908-172-0x0000000005240000-0x0000000005252000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1908-174-0x0000000005240000-0x0000000005252000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1908-176-0x0000000005240000-0x0000000005252000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1908-178-0x0000000005240000-0x0000000005252000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1908-180-0x0000000005240000-0x0000000005252000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1908-181-0x0000000000400000-0x0000000000710000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/1908-182-0x0000000002820000-0x0000000002830000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1908-183-0x0000000002820000-0x0000000002830000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1908-184-0x0000000002820000-0x0000000002830000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1908-186-0x0000000000400000-0x0000000000710000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/1908-149-0x0000000000710000-0x000000000073D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/1908-148-0x0000000004C90000-0x0000000005234000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4572-1103-0x0000000005C60000-0x0000000005C9C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4572-220-0x0000000004BE0000-0x0000000004C1E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4572-192-0x0000000004BE0000-0x0000000004C1E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4572-459-0x0000000004C50000-0x0000000004C60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4572-198-0x0000000004BE0000-0x0000000004C1E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4572-200-0x0000000004BE0000-0x0000000004C1E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4572-202-0x0000000004BE0000-0x0000000004C1E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4572-204-0x0000000004BE0000-0x0000000004C1E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4572-206-0x0000000004BE0000-0x0000000004C1E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4572-208-0x0000000004BE0000-0x0000000004C1E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4572-210-0x0000000004BE0000-0x0000000004C1E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4572-212-0x0000000004BE0000-0x0000000004C1E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4572-214-0x0000000004BE0000-0x0000000004C1E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4572-216-0x0000000004BE0000-0x0000000004C1E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4572-218-0x0000000004BE0000-0x0000000004C1E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4572-191-0x0000000004BE0000-0x0000000004C1E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4572-222-0x0000000004BE0000-0x0000000004C1E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4572-224-0x0000000004BE0000-0x0000000004C1E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4572-457-0x00000000007F0000-0x000000000083B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4572-196-0x0000000004BE0000-0x0000000004C1E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4572-461-0x0000000004C50000-0x0000000004C60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4572-1100-0x0000000005460000-0x0000000005A78000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4572-1101-0x0000000005B00000-0x0000000005C0A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4572-1102-0x0000000005C40000-0x0000000005C52000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4572-194-0x0000000004BE0000-0x0000000004C1E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4572-1104-0x0000000004C50000-0x0000000004C60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4572-1106-0x0000000004C50000-0x0000000004C60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4572-1107-0x0000000004C50000-0x0000000004C60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4572-1108-0x0000000004C50000-0x0000000004C60000-memory.dmp

      Filesize

      64KB

      Download