Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2023 18:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    22aad8200df966b05049403755b8524efaf7c19126f5afdcedb5862760b7d5c9.exe

  • Size

    699KB

  • MD5

    70b972f95326d1931cde6530f2a78abe

  • SHA1

    5a2986c331234b4f368dad82d6d97632f1ef0891

  • SHA256

    22aad8200df966b05049403755b8524efaf7c19126f5afdcedb5862760b7d5c9

  • SHA512

    daf5cf375ef46c5261ed210b143c4a340d722cf105d194576dc5bc947d6094429f6fbe3f06e15510f165b428f615561e2d7674f09437513ece090b3e5073de57

  • SSDEEP

    12288:7MrPy90gMctzsYkNbKqCi4SeEn2kOyreRs4kED9OHsmQmpErMCNwP1HLZ+atQLH2:gyZgYG/C5w5O1aBE5OMmArMCNA1rZ0n2

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\22aad8200df966b05049403755b8524efaf7c19126f5afdcedb5862760b7d5c9.exe
    "C:\Users\Admin\AppData\Local\Temp\22aad8200df966b05049403755b8524efaf7c19126f5afdcedb5862760b7d5c9.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1912
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un020942.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un020942.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1352
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4132.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4132.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4224
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 1084
          4⤵
          • Program crash
          PID:3880
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2856.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2856.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3192
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1328
          4⤵
          • Program crash
          PID:3348
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si129740.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si129740.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3828
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4224 -ip 4224
    1⤵
      PID:472
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3192 -ip 3192
      1⤵
        PID:3476

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si129740.exe
        Filesize

        175KB

        MD5

        0400d62f578728fca4a449e2e814b1dc

        SHA1

        c4d0b4c59013332638e415ab385da565d42b33c5

        SHA256

        0d918ffe02771570b2d49675a44ae4ce4d8362a4ab6b3b788a3c38e82ec1a672

        SHA512

        f0d21054569d0479b3697bb8bd07794d1a2aff2b8bf0abe1ed2f593a05b460eb0419bc85ab57ab6b126b8251fb7a6a286722955e3e0504be7c2665d3d697a2cf

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si129740.exe
        Filesize

        175KB

        MD5

        0400d62f578728fca4a449e2e814b1dc

        SHA1

        c4d0b4c59013332638e415ab385da565d42b33c5

        SHA256

        0d918ffe02771570b2d49675a44ae4ce4d8362a4ab6b3b788a3c38e82ec1a672

        SHA512

        f0d21054569d0479b3697bb8bd07794d1a2aff2b8bf0abe1ed2f593a05b460eb0419bc85ab57ab6b126b8251fb7a6a286722955e3e0504be7c2665d3d697a2cf

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un020942.exe
        Filesize

        557KB

        MD5

        64b1a989c808b55bfb8baecedf02132e

        SHA1

        96137021a656782074d2937c2345baf2a4e625a2

        SHA256

        1a830bbb4a0fa5fd4862d3ece845194b796992cf1e08672c07158c922b386e4a

        SHA512

        fd72d19e5bf5c5020f036b36d99617720d9e237e953e2758072f479955bc6bb1bdbf2b79507dae513ba767017f6fa9e04e38328cd3e44f6eb3560a0956a5d653

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un020942.exe
        Filesize

        557KB

        MD5

        64b1a989c808b55bfb8baecedf02132e

        SHA1

        96137021a656782074d2937c2345baf2a4e625a2

        SHA256

        1a830bbb4a0fa5fd4862d3ece845194b796992cf1e08672c07158c922b386e4a

        SHA512

        fd72d19e5bf5c5020f036b36d99617720d9e237e953e2758072f479955bc6bb1bdbf2b79507dae513ba767017f6fa9e04e38328cd3e44f6eb3560a0956a5d653

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4132.exe
        Filesize

        307KB

        MD5

        d4ef79b1fb644e6bede9c062fd5a1b7c

        SHA1

        bae3900e0e474c21871aeb73723680f900313a33

        SHA256

        64a30611181a99a21ad0e0ba7ffa06b1df93adfe3011793bb9512f8ff838198d

        SHA512

        140a314dc0b674bb4446bf92c59975819879b2e05ca384a2f5a99a9b2ff82823dc7c609a4494212011ac2c4586f494560cf14b037182c9a4ffb51f2786554d8c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4132.exe
        Filesize

        307KB

        MD5

        d4ef79b1fb644e6bede9c062fd5a1b7c

        SHA1

        bae3900e0e474c21871aeb73723680f900313a33

        SHA256

        64a30611181a99a21ad0e0ba7ffa06b1df93adfe3011793bb9512f8ff838198d

        SHA512

        140a314dc0b674bb4446bf92c59975819879b2e05ca384a2f5a99a9b2ff82823dc7c609a4494212011ac2c4586f494560cf14b037182c9a4ffb51f2786554d8c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2856.exe
        Filesize

        366KB

        MD5

        1238bc315bbebcfafbc1669a7a638ee5

        SHA1

        03d8663d494005257d00fb047fa84063f57730d4

        SHA256

        59e66ed519ab6af50fd6822020b385643e9639441763c5a5c34285fbf9680f3b

        SHA512

        00803ccfe74f1a6a4a82d261417efa14625f3af4bfb11ac49f89f7ba0daeb766487137c2bee6ab15ebd8a74d78cf8d553f21034d20978d85d1982b63a8eb4dfd

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2856.exe
        Filesize

        366KB

        MD5

        1238bc315bbebcfafbc1669a7a638ee5

        SHA1

        03d8663d494005257d00fb047fa84063f57730d4

        SHA256

        59e66ed519ab6af50fd6822020b385643e9639441763c5a5c34285fbf9680f3b

        SHA512

        00803ccfe74f1a6a4a82d261417efa14625f3af4bfb11ac49f89f7ba0daeb766487137c2bee6ab15ebd8a74d78cf8d553f21034d20978d85d1982b63a8eb4dfd

        Download Submit

      • memory/3192-1102-0x0000000005B50000-0x0000000005C5A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/3192-1103-0x0000000004E50000-0x0000000004E62000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3192-222-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3192-220-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3192-218-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3192-208-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3192-1116-0x0000000008340000-0x0000000008390000-memory.dmp

        Filesize

        320KB

        Download

      • memory/3192-1115-0x00000000024C0000-0x0000000002536000-memory.dmp

        Filesize

        472KB

        Download

      • memory/3192-1114-0x0000000006B30000-0x000000000705C000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3192-1113-0x0000000006960000-0x0000000006B22000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/3192-1112-0x0000000004E70000-0x0000000004E80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3192-1111-0x0000000004E70000-0x0000000004E80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3192-1110-0x0000000004E70000-0x0000000004E80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3192-210-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3192-1109-0x0000000004E70000-0x0000000004E80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3192-1107-0x0000000006610000-0x00000000066A2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3192-1106-0x0000000005F50000-0x0000000005FB6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3192-1105-0x0000000005C60000-0x0000000005C9C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/3192-1104-0x0000000004E70000-0x0000000004E80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3192-224-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3192-1101-0x0000000005530000-0x0000000005B48000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3192-338-0x0000000004E70000-0x0000000004E80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3192-337-0x0000000004E70000-0x0000000004E80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3192-191-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3192-192-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3192-212-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3192-196-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3192-198-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3192-200-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3192-202-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3192-204-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3192-206-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3192-335-0x0000000004E70000-0x0000000004E80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3192-334-0x0000000000720000-0x000000000076B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/3192-194-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3192-214-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3192-216-0x0000000004CE0000-0x0000000004D1F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3828-1122-0x0000000000820000-0x0000000000852000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3828-1123-0x0000000005110000-0x0000000005120000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3828-1128-0x0000000005110000-0x0000000005120000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4224-183-0x0000000002500000-0x0000000002510000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4224-178-0x0000000002500000-0x0000000002510000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4224-163-0x0000000002510000-0x0000000002522000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4224-151-0x0000000002510000-0x0000000002522000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4224-153-0x0000000002510000-0x0000000002522000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4224-186-0x0000000000400000-0x0000000000710000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/4224-150-0x0000000002510000-0x0000000002522000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4224-185-0x0000000002500000-0x0000000002510000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4224-184-0x0000000002500000-0x0000000002510000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4224-155-0x0000000002510000-0x0000000002522000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4224-181-0x0000000000400000-0x0000000000710000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/4224-180-0x0000000002500000-0x0000000002510000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4224-179-0x0000000002500000-0x0000000002510000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4224-177-0x0000000002510000-0x0000000002522000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4224-175-0x0000000002510000-0x0000000002522000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4224-173-0x0000000002510000-0x0000000002522000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4224-171-0x0000000002510000-0x0000000002522000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4224-169-0x0000000002510000-0x0000000002522000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4224-167-0x0000000002510000-0x0000000002522000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4224-165-0x0000000002510000-0x0000000002522000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4224-149-0x0000000004D60000-0x0000000005304000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4224-148-0x00000000007E0000-0x000000000080D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/4224-161-0x0000000002510000-0x0000000002522000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4224-159-0x0000000002510000-0x0000000002522000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4224-157-0x0000000002510000-0x0000000002522000-memory.dmp

        Filesize

        72KB

        Download