Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2023 16:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fde528eec6d64f19624454cf02656aa3c0424db382a136a1ffdf13932ee5b673.exe

  • Size

    695KB

  • MD5

    e072355f65fa486935d36ed7e17fa0fc

  • SHA1

    8f39768069be32fd81df27ceffeb6e60690e04e0

  • SHA256

    fde528eec6d64f19624454cf02656aa3c0424db382a136a1ffdf13932ee5b673

  • SHA512

    aa908a7e7db240713b870ce972213ce8435cebf4fb675b83d1f99925aa54d27a441b1e1bba32e8638865e3ab084032f4f5f925690a97bd47b012b863ae9f5246

  • SSDEEP

    12288:nMrry90+xqfOI09AoqSDRxIufWnzpybHPOnhFYusZtDFVT:Ay3kxeJRTkuH0hFLsnF1

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fde528eec6d64f19624454cf02656aa3c0424db382a136a1ffdf13932ee5b673.exe
    "C:\Users\Admin\AppData\Local\Temp\fde528eec6d64f19624454cf02656aa3c0424db382a136a1ffdf13932ee5b673.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4824
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un114856.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un114856.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:5116
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5082.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5082.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1088
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 1084
          4⤵
          • Program crash
          PID:4504
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7760.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7760.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3432
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 1992
          4⤵
          • Program crash
          PID:4240
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si733753.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si733753.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2988
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1088 -ip 1088
    1⤵
      PID:5016
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3432 -ip 3432
      1⤵
        PID:3088

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si733753.exe
        Filesize

        175KB

        MD5

        80c7fc13cc8f864b6d933bd1d561de5d

        SHA1

        b9034786b61a9dbff3741959d61f921daad327f8

        SHA256

        5ea83bad51fd47da11209d64987de666898af2971c0b1fcafe3febd7c37ef743

        SHA512

        6c7815215787f261bb688cced206d397794cabdec1ea31d116e08469c26fbd256a3a64d1a1618052eeeaf3ab4e9eb5c267d706e6652ad6b161735d0c699a2479

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si733753.exe
        Filesize

        175KB

        MD5

        80c7fc13cc8f864b6d933bd1d561de5d

        SHA1

        b9034786b61a9dbff3741959d61f921daad327f8

        SHA256

        5ea83bad51fd47da11209d64987de666898af2971c0b1fcafe3febd7c37ef743

        SHA512

        6c7815215787f261bb688cced206d397794cabdec1ea31d116e08469c26fbd256a3a64d1a1618052eeeaf3ab4e9eb5c267d706e6652ad6b161735d0c699a2479

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un114856.exe
        Filesize

        553KB

        MD5

        05c6db982bc923e2a3f5cef11750daf9

        SHA1

        91b91e263431e493e0507cce7c92a4c58e357205

        SHA256

        1cbbed7e16a3dc3b0f83ec699c1bbfcc842648ae049f840d0cba04586f147d3b

        SHA512

        3dba6dda5b083550017ac8f3be079aba154a72568d0361a03443e30b7d5d807a297efec36400020aa526b71ba5f369d7746b5efa3a14df48b25afe675175b28c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un114856.exe
        Filesize

        553KB

        MD5

        05c6db982bc923e2a3f5cef11750daf9

        SHA1

        91b91e263431e493e0507cce7c92a4c58e357205

        SHA256

        1cbbed7e16a3dc3b0f83ec699c1bbfcc842648ae049f840d0cba04586f147d3b

        SHA512

        3dba6dda5b083550017ac8f3be079aba154a72568d0361a03443e30b7d5d807a297efec36400020aa526b71ba5f369d7746b5efa3a14df48b25afe675175b28c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5082.exe
        Filesize

        308KB

        MD5

        3d088b81af204b0a36e1c41a91341051

        SHA1

        bd02da1aa79f19708203cc18468f5099e1aa195c

        SHA256

        62559f6340d110f6a8cb59eec624595bc88e13aa29c2026738d10bc1bd165263

        SHA512

        40546085e89a95692b694a8123e0982d4f0d1ec6e75c3683a49848ea991d8b5541f639fd97f854b7220a075be5dc82beb8a98bdc6cd48ad852df1472815fd3db

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5082.exe
        Filesize

        308KB

        MD5

        3d088b81af204b0a36e1c41a91341051

        SHA1

        bd02da1aa79f19708203cc18468f5099e1aa195c

        SHA256

        62559f6340d110f6a8cb59eec624595bc88e13aa29c2026738d10bc1bd165263

        SHA512

        40546085e89a95692b694a8123e0982d4f0d1ec6e75c3683a49848ea991d8b5541f639fd97f854b7220a075be5dc82beb8a98bdc6cd48ad852df1472815fd3db

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7760.exe
        Filesize

        366KB

        MD5

        a90a65d99aa2d088605e9f9b183e807c

        SHA1

        acbb08b70626e0d3227192b524cf4ece865a0276

        SHA256

        9de3fc015999c0dee93d6d7e4b51d572b9437048a6c2b0796ff2625c5816d822

        SHA512

        f53f720afe322a2c29fdbd2c45fb21f6e8f84bec63965a34e665f23f0a9243677e0e1649ac2b385e8217e92047c2d895f685b6c17e0d84fd6816549dd82c93ff

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7760.exe
        Filesize

        366KB

        MD5

        a90a65d99aa2d088605e9f9b183e807c

        SHA1

        acbb08b70626e0d3227192b524cf4ece865a0276

        SHA256

        9de3fc015999c0dee93d6d7e4b51d572b9437048a6c2b0796ff2625c5816d822

        SHA512

        f53f720afe322a2c29fdbd2c45fb21f6e8f84bec63965a34e665f23f0a9243677e0e1649ac2b385e8217e92047c2d895f685b6c17e0d84fd6816549dd82c93ff

        Download Submit

      • memory/1088-148-0x0000000004E60000-0x0000000005404000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1088-149-0x00000000007E0000-0x000000000080D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/1088-150-0x0000000004E50000-0x0000000004E60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1088-151-0x0000000004E50000-0x0000000004E60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1088-152-0x0000000004C70000-0x0000000004C82000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1088-153-0x0000000004C70000-0x0000000004C82000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1088-155-0x0000000004C70000-0x0000000004C82000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1088-157-0x0000000004C70000-0x0000000004C82000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1088-159-0x0000000004C70000-0x0000000004C82000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1088-161-0x0000000004C70000-0x0000000004C82000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1088-163-0x0000000004C70000-0x0000000004C82000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1088-165-0x0000000004C70000-0x0000000004C82000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1088-167-0x0000000004C70000-0x0000000004C82000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1088-169-0x0000000004C70000-0x0000000004C82000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1088-171-0x0000000004C70000-0x0000000004C82000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1088-173-0x0000000004C70000-0x0000000004C82000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1088-175-0x0000000004C70000-0x0000000004C82000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1088-177-0x0000000004C70000-0x0000000004C82000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1088-179-0x0000000004C70000-0x0000000004C82000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1088-180-0x0000000000400000-0x0000000000710000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/1088-181-0x0000000004E50000-0x0000000004E60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1088-182-0x0000000004E50000-0x0000000004E60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1088-183-0x0000000004E50000-0x0000000004E60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1088-185-0x0000000000400000-0x0000000000710000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/2988-1129-0x0000000000FE0000-0x0000000001012000-memory.dmp

        Filesize

        200KB

        Download

      • memory/2988-1130-0x00000000058B0000-0x00000000058C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3432-191-0x0000000002790000-0x00000000027CF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3432-392-0x0000000000720000-0x000000000076B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/3432-195-0x0000000002790000-0x00000000027CF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3432-197-0x0000000002790000-0x00000000027CF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3432-199-0x0000000002790000-0x00000000027CF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3432-201-0x0000000002790000-0x00000000027CF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3432-203-0x0000000002790000-0x00000000027CF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3432-205-0x0000000002790000-0x00000000027CF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3432-207-0x0000000002790000-0x00000000027CF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3432-209-0x0000000002790000-0x00000000027CF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3432-211-0x0000000002790000-0x00000000027CF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3432-213-0x0000000002790000-0x00000000027CF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3432-215-0x0000000002790000-0x00000000027CF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3432-217-0x0000000002790000-0x00000000027CF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3432-219-0x0000000002790000-0x00000000027CF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3432-221-0x0000000002790000-0x00000000027CF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3432-223-0x0000000002790000-0x00000000027CF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3432-193-0x0000000002790000-0x00000000027CF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3432-394-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3432-396-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3432-1099-0x00000000054A0000-0x0000000005AB8000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3432-1100-0x0000000005B00000-0x0000000005C0A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/3432-1101-0x0000000005C40000-0x0000000005C52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3432-1102-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3432-1103-0x0000000005C60000-0x0000000005C9C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/3432-1105-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3432-1106-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3432-1107-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3432-1108-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3432-1118-0x00000000022C0000-0x0000000002352000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3432-1119-0x0000000004DE0000-0x0000000004E46000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3432-1120-0x00000000065C0000-0x0000000006636000-memory.dmp

        Filesize

        472KB

        Download

      • memory/3432-190-0x0000000002790000-0x00000000027CF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3432-1121-0x0000000006640000-0x0000000006690000-memory.dmp

        Filesize

        320KB

        Download

      • memory/3432-1122-0x0000000007640000-0x0000000007802000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/3432-1123-0x0000000007810000-0x0000000007D3C000-memory.dmp

        Filesize

        5.2MB

        Download