Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2023 17:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ec7d6f98d98ac8fdef1828ea651435df2fe0dd689b6df55066c031e24aae2d77.exe

  • Size

    696KB

  • MD5

    c830169b7a5776a24314e1abb71f4668

  • SHA1

    cb8d017262df4ceb906333bc448409256375d95c

  • SHA256

    ec7d6f98d98ac8fdef1828ea651435df2fe0dd689b6df55066c031e24aae2d77

  • SHA512

    1fdd16e8fc8826c7de5fc903a98874081f0a394359fcb42a62be8eed80ab82e4695100514369688063ceff55772de7e6d0c47adcb1afa701fd952c0eb36328bb

  • SSDEEP

    12288:kMrGy90KX7uAAh9YQptPGcASqaPmpFPROMTe43bwRnhwxN8AUgyjSf:Ky/0pXTxOpFpZTXyhw8Ahr

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ec7d6f98d98ac8fdef1828ea651435df2fe0dd689b6df55066c031e24aae2d77.exe
    "C:\Users\Admin\AppData\Local\Temp\ec7d6f98d98ac8fdef1828ea651435df2fe0dd689b6df55066c031e24aae2d77.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1228
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un164597.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un164597.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4768
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5436.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5436.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2348
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 1088
          4⤵
          • Program crash
          PID:732
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8655.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8655.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5040
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 1220
          4⤵
          • Program crash
          PID:2496
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si159343.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si159343.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2028
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2348 -ip 2348
    1⤵
      PID:4300
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5040 -ip 5040
      1⤵
        PID:812
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe start wuauserv
        1⤵
        • Launches sc.exe
        PID:3328

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si159343.exe
        Filesize

        175KB

        MD5

        d59f4ef6b181aa918d0a44569a462e52

        SHA1

        f94d8432187c57f1dd2da252bb5ba78087a35047

        SHA256

        e62ddee13e8cbeb00187b9aba9da3a57503ac65257f392b191f73b8445af4a86

        SHA512

        a7edb8a89b6916d57ada8051cb344cdf6abaced4b7064dd42f9483d92469df46192e6500a7d100dff86fa95f4fe563e3c7cfc492ee45e683fbac517bc172b26a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si159343.exe
        Filesize

        175KB

        MD5

        d59f4ef6b181aa918d0a44569a462e52

        SHA1

        f94d8432187c57f1dd2da252bb5ba78087a35047

        SHA256

        e62ddee13e8cbeb00187b9aba9da3a57503ac65257f392b191f73b8445af4a86

        SHA512

        a7edb8a89b6916d57ada8051cb344cdf6abaced4b7064dd42f9483d92469df46192e6500a7d100dff86fa95f4fe563e3c7cfc492ee45e683fbac517bc172b26a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un164597.exe
        Filesize

        553KB

        MD5

        8fe80fe2b684d5421d6ff284eec0c80d

        SHA1

        b5afd3543f45d2ef546bbc3d334fecbb3d7e3a79

        SHA256

        8bfb8dabd4967c09d80cb0e599dbdf580510359358395fa6560f014aa9fd7bda

        SHA512

        dc77ed74b2d0353a9470c621d41990b6ace85a05f2c318670c9809d6b6220674fe4982c869f7a8e793a2381e00552f79486da1547c230b9f504c5743609e15ba

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un164597.exe
        Filesize

        553KB

        MD5

        8fe80fe2b684d5421d6ff284eec0c80d

        SHA1

        b5afd3543f45d2ef546bbc3d334fecbb3d7e3a79

        SHA256

        8bfb8dabd4967c09d80cb0e599dbdf580510359358395fa6560f014aa9fd7bda

        SHA512

        dc77ed74b2d0353a9470c621d41990b6ace85a05f2c318670c9809d6b6220674fe4982c869f7a8e793a2381e00552f79486da1547c230b9f504c5743609e15ba

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5436.exe
        Filesize

        308KB

        MD5

        eb6324e295259268d703d7c814d57be1

        SHA1

        4c6887fc8374f630ab998b133c5e5858c1e1f565

        SHA256

        7802740c4eb6f5183610619a657ba40841981d8907c8beae4f2d439fcec2f944

        SHA512

        4467e20be69d32097d02d882f2366bdef1bab51af30dda32fe526d981c122398510fc82a30b7dd4cb9b7e27053513eec378c7e5f1272af4ba7e4bea01fe2ca2e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5436.exe
        Filesize

        308KB

        MD5

        eb6324e295259268d703d7c814d57be1

        SHA1

        4c6887fc8374f630ab998b133c5e5858c1e1f565

        SHA256

        7802740c4eb6f5183610619a657ba40841981d8907c8beae4f2d439fcec2f944

        SHA512

        4467e20be69d32097d02d882f2366bdef1bab51af30dda32fe526d981c122398510fc82a30b7dd4cb9b7e27053513eec378c7e5f1272af4ba7e4bea01fe2ca2e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8655.exe
        Filesize

        366KB

        MD5

        acef194ba1eb342a2c5b4ee3033a6a97

        SHA1

        46e1acbedad9d6790657bce8a78529bc7e95bbb9

        SHA256

        556bcb33f2f71092ddd1ae77e06791e3a5224c2c36156cbc17469c6a0ce82304

        SHA512

        62cdae4a602701c0ebf6a94e18c41344e30a5005fff19e9b9f6d955734f5036fe328cee428a0cd5dc69707b81eee216bb360b0c48f6501c488c3e1c808e06e70

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8655.exe
        Filesize

        366KB

        MD5

        acef194ba1eb342a2c5b4ee3033a6a97

        SHA1

        46e1acbedad9d6790657bce8a78529bc7e95bbb9

        SHA256

        556bcb33f2f71092ddd1ae77e06791e3a5224c2c36156cbc17469c6a0ce82304

        SHA512

        62cdae4a602701c0ebf6a94e18c41344e30a5005fff19e9b9f6d955734f5036fe328cee428a0cd5dc69707b81eee216bb360b0c48f6501c488c3e1c808e06e70

        Download Submit

      • memory/2028-1121-0x0000000000220000-0x0000000000252000-memory.dmp

        Filesize

        200KB

        Download

      • memory/2028-1122-0x0000000004E60000-0x0000000004E70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2348-157-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2348-167-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2348-150-0x0000000004E40000-0x0000000004E50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2348-152-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2348-153-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2348-155-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2348-149-0x0000000000710000-0x000000000073D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/2348-161-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2348-159-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2348-163-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2348-165-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2348-151-0x0000000004E40000-0x0000000004E50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2348-169-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2348-171-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2348-173-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2348-175-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2348-177-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2348-179-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2348-180-0x0000000000400000-0x0000000000710000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/2348-181-0x0000000004E40000-0x0000000004E50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2348-182-0x0000000004E40000-0x0000000004E50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2348-183-0x0000000004E40000-0x0000000004E50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2348-185-0x0000000000400000-0x0000000000710000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/2348-148-0x0000000004E50000-0x00000000053F4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/5040-191-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5040-225-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5040-194-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5040-196-0x0000000004DF0000-0x0000000004E00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5040-198-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5040-199-0x0000000004DF0000-0x0000000004E00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5040-201-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5040-197-0x0000000004DF0000-0x0000000004E00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5040-203-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5040-205-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5040-207-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5040-209-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5040-211-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5040-213-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5040-215-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5040-217-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5040-219-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5040-221-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5040-223-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5040-193-0x00000000007F0000-0x000000000083B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/5040-227-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5040-1100-0x00000000054B0000-0x0000000005AC8000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/5040-1101-0x0000000005B00000-0x0000000005C0A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/5040-1102-0x0000000005C40000-0x0000000005C52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5040-1103-0x0000000005C60000-0x0000000005C9C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/5040-1104-0x0000000004DF0000-0x0000000004E00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5040-1105-0x0000000005F50000-0x0000000005FB6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/5040-1106-0x0000000006600000-0x0000000006692000-memory.dmp

        Filesize

        584KB

        Download

      • memory/5040-1108-0x0000000004DF0000-0x0000000004E00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5040-1109-0x0000000004DF0000-0x0000000004E00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5040-1110-0x0000000004DF0000-0x0000000004E00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5040-1111-0x0000000006850000-0x0000000006A12000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/5040-1112-0x0000000006A30000-0x0000000006F5C000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/5040-190-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5040-1113-0x0000000002790000-0x0000000002806000-memory.dmp

        Filesize

        472KB

        Download

      • memory/5040-1114-0x0000000008210000-0x0000000008260000-memory.dmp

        Filesize

        320KB

        Download

      • memory/5040-1115-0x0000000004DF0000-0x0000000004E00000-memory.dmp

        Filesize

        64KB

        Download