Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    84s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2023 17:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e870181c81b35af7694a547d69027cdadf2c04e68b7015b322595b2b64ad2276.exe

  • Size

    696KB

  • MD5

    ca0720dbf0b6241f1d046fe2210e6889

  • SHA1

    00eea35778a8589976aca4fae0a34f859f2878f0

  • SHA256

    e870181c81b35af7694a547d69027cdadf2c04e68b7015b322595b2b64ad2276

  • SHA512

    fbd8bfb611b6e6890b0a8ba6b40fc306bb9556a99cb62353c21a4482a2c68dc0b86e23a3cfb7be6b6c9caaf8e6e38310c4c223fed098b0750630401f4f8e0ed6

  • SSDEEP

    12288:gMrZy90Qo6796rZELOaL5biLuBe7PxQ0dBJ4+fnhI9Qs6dIT71k6m:pyZoE96rZEKc5C7LzJ44hI9Qs0qq6m

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 19 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e870181c81b35af7694a547d69027cdadf2c04e68b7015b322595b2b64ad2276.exe
    "C:\Users\Admin\AppData\Local\Temp\e870181c81b35af7694a547d69027cdadf2c04e68b7015b322595b2b64ad2276.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un567746.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un567746.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1936
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7105.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7105.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2500
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 1084
          4⤵
          • Program crash
          PID:2184
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3460.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3460.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:348
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 2020
          4⤵
          • Program crash
          PID:4212
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si535383.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si535383.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1304
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2500 -ip 2500
    1⤵
      PID:4196
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 348 -ip 348
      1⤵
        PID:4192

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si535383.exe
        Filesize

        175KB

        MD5

        5ef7eb07a350c1e65cb4d197d125bda9

        SHA1

        e6062bec6febfceb3dcd3764ade8584902a3b98c

        SHA256

        10df7a633e6075915b19f6d2c777d047c5ca4aea4c14ef82c1105df70b5bf95e

        SHA512

        32bea70c73c78d97af00ee750c861b178b5c4732b1fafa80685a075f32b0cdf125536a772d3f7cb6acab4f487954818b738d4be0e101acf419c184ada93ae582

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si535383.exe
        Filesize

        175KB

        MD5

        5ef7eb07a350c1e65cb4d197d125bda9

        SHA1

        e6062bec6febfceb3dcd3764ade8584902a3b98c

        SHA256

        10df7a633e6075915b19f6d2c777d047c5ca4aea4c14ef82c1105df70b5bf95e

        SHA512

        32bea70c73c78d97af00ee750c861b178b5c4732b1fafa80685a075f32b0cdf125536a772d3f7cb6acab4f487954818b738d4be0e101acf419c184ada93ae582

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un567746.exe
        Filesize

        554KB

        MD5

        21f13e560194ad252a0a7d597eb05191

        SHA1

        76a37e2ce44cdaf917132ada678c7876dcffb1e2

        SHA256

        f7aaa2bcef8db3603a89fdd0cf110c5f17461178ce3c8759dca61a800da6fecc

        SHA512

        dd8b77c26791205bd58a5640d9d6f06788ae326038915bbb05b585235ef1bba3cd83f26329970114b8e865a13f8b30a0452f56b9ce5a9cb20b15347591f9807c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un567746.exe
        Filesize

        554KB

        MD5

        21f13e560194ad252a0a7d597eb05191

        SHA1

        76a37e2ce44cdaf917132ada678c7876dcffb1e2

        SHA256

        f7aaa2bcef8db3603a89fdd0cf110c5f17461178ce3c8759dca61a800da6fecc

        SHA512

        dd8b77c26791205bd58a5640d9d6f06788ae326038915bbb05b585235ef1bba3cd83f26329970114b8e865a13f8b30a0452f56b9ce5a9cb20b15347591f9807c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7105.exe
        Filesize

        308KB

        MD5

        ba1b8e7feccf8e56019bc6f25e2527d7

        SHA1

        fd447ae9c5a14d0b61c5cb5bf275e74f7e9b8ef9

        SHA256

        efa13c6350c5910487526013f246ef2b21576d1ce3fb954780964185b176d48d

        SHA512

        07ae2a3133484b755477cfb7d3dcd5cf272e1871387872851f73b7fb2f6c598e4821f8a6c34402ecc721f79f860fdd5b81371470b60ca7acfb21a46045e108ec

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7105.exe
        Filesize

        308KB

        MD5

        ba1b8e7feccf8e56019bc6f25e2527d7

        SHA1

        fd447ae9c5a14d0b61c5cb5bf275e74f7e9b8ef9

        SHA256

        efa13c6350c5910487526013f246ef2b21576d1ce3fb954780964185b176d48d

        SHA512

        07ae2a3133484b755477cfb7d3dcd5cf272e1871387872851f73b7fb2f6c598e4821f8a6c34402ecc721f79f860fdd5b81371470b60ca7acfb21a46045e108ec

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3460.exe
        Filesize

        366KB

        MD5

        48f82a55ce1b8a040f8bdc9636aad1a7

        SHA1

        0589a1d1edc3ba03391a80668f646e7e043e6d9c

        SHA256

        18383a040ebbb9f469ec0ef6c48378ea319e81c7773bf3bee06ba8d525dcf503

        SHA512

        d60c0c2c497911a3130b666aeab4c052969e4e9cf5b5680d92766800d8066cc64a5c83fc08200929bbd1b627cbca5c00d36a1294322444d20eb264d1ddbb85aa

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3460.exe
        Filesize

        366KB

        MD5

        48f82a55ce1b8a040f8bdc9636aad1a7

        SHA1

        0589a1d1edc3ba03391a80668f646e7e043e6d9c

        SHA256

        18383a040ebbb9f469ec0ef6c48378ea319e81c7773bf3bee06ba8d525dcf503

        SHA512

        d60c0c2c497911a3130b666aeab4c052969e4e9cf5b5680d92766800d8066cc64a5c83fc08200929bbd1b627cbca5c00d36a1294322444d20eb264d1ddbb85aa

        Download Submit

      • memory/348-227-0x00000000052C0000-0x00000000052FF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/348-1102-0x0000000005B00000-0x0000000005B12000-memory.dmp

        Filesize

        72KB

        Download

      • memory/348-1114-0x00000000009E0000-0x00000000009F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/348-1113-0x0000000007800000-0x0000000007D2C000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/348-1112-0x0000000007620000-0x00000000077E2000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/348-1111-0x00000000009E0000-0x00000000009F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/348-1110-0x00000000009E0000-0x00000000009F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/348-1108-0x0000000006740000-0x0000000006790000-memory.dmp

        Filesize

        320KB

        Download

      • memory/348-1107-0x00000000066B0000-0x0000000006726000-memory.dmp

        Filesize

        472KB

        Download

      • memory/348-1106-0x0000000005EB0000-0x0000000005F16000-memory.dmp

        Filesize

        408KB

        Download

      • memory/348-1105-0x0000000005E10000-0x0000000005EA2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/348-1104-0x00000000009E0000-0x00000000009F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/348-1103-0x0000000005B20000-0x0000000005B5C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/348-1101-0x00000000059C0000-0x0000000005ACA000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/348-1100-0x0000000005320000-0x0000000005938000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/348-225-0x00000000052C0000-0x00000000052FF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/348-223-0x00000000052C0000-0x00000000052FF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/348-221-0x00000000052C0000-0x00000000052FF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/348-219-0x00000000052C0000-0x00000000052FF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/348-217-0x00000000052C0000-0x00000000052FF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/348-215-0x00000000052C0000-0x00000000052FF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/348-211-0x00000000009E0000-0x00000000009F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/348-191-0x00000000052C0000-0x00000000052FF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/348-190-0x00000000052C0000-0x00000000052FF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/348-193-0x00000000052C0000-0x00000000052FF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/348-195-0x00000000052C0000-0x00000000052FF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/348-197-0x00000000052C0000-0x00000000052FF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/348-199-0x00000000052C0000-0x00000000052FF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/348-201-0x00000000052C0000-0x00000000052FF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/348-203-0x00000000052C0000-0x00000000052FF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/348-206-0x00000000007F0000-0x000000000083B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/348-205-0x00000000052C0000-0x00000000052FF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/348-208-0x00000000009E0000-0x00000000009F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/348-210-0x00000000052C0000-0x00000000052FF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/348-209-0x00000000009E0000-0x00000000009F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/348-213-0x00000000052C0000-0x00000000052FF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1304-1120-0x0000000000C80000-0x0000000000CB2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/1304-1121-0x00000000058F0000-0x0000000005900000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2500-172-0x0000000004C90000-0x0000000004CA2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2500-148-0x0000000004D00000-0x00000000052A4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2500-182-0x0000000004CF0000-0x0000000004D00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2500-181-0x0000000000400000-0x0000000000710000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/2500-180-0x0000000004C90000-0x0000000004CA2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2500-150-0x0000000004CF0000-0x0000000004D00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2500-178-0x0000000004C90000-0x0000000004CA2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2500-176-0x0000000004C90000-0x0000000004CA2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2500-153-0x0000000004C90000-0x0000000004CA2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2500-174-0x0000000004C90000-0x0000000004CA2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2500-152-0x0000000004CF0000-0x0000000004D00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2500-183-0x0000000004CF0000-0x0000000004D00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2500-164-0x0000000004C90000-0x0000000004CA2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2500-166-0x0000000004C90000-0x0000000004CA2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2500-168-0x0000000004C90000-0x0000000004CA2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2500-162-0x0000000004C90000-0x0000000004CA2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2500-160-0x0000000004C90000-0x0000000004CA2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2500-158-0x0000000004C90000-0x0000000004CA2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2500-156-0x0000000004C90000-0x0000000004CA2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2500-154-0x0000000004C90000-0x0000000004CA2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2500-149-0x00000000007E0000-0x000000000080D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/2500-170-0x0000000004C90000-0x0000000004CA2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2500-185-0x0000000000400000-0x0000000000710000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/2500-151-0x0000000004CF0000-0x0000000004D00000-memory.dmp

        Filesize

        64KB

        Download