Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2023 18:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    72736c6fde8d6ec3ff75cbc12671db1694ef9b77aa58ad7d9c9c744154eca969.exe

  • Size

    700KB

  • MD5

    5323916590f6d2996a5aa2eca8d4ffab

  • SHA1

    b3be78789c18dc0ac41b39474b5756818c26281a

  • SHA256

    72736c6fde8d6ec3ff75cbc12671db1694ef9b77aa58ad7d9c9c744154eca969

  • SHA512

    40351b2aaa72e65bec1e5325ef4715cad61b8598cc788c434b957df9fa36bdaa3101ea966d707eaf0482659cb8612226db24b9359816ff8d10e6dabaf7eb67aa

  • SSDEEP

    12288:6Mruy90xoMzlpW2k8WR5ujJxuQbDXanC3F81ei2EZNwPghLA3M7Y9IFqNk8:Uywzl8/5ulUQbDKnC2xBZNAgxcM7Y9Gk

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\72736c6fde8d6ec3ff75cbc12671db1694ef9b77aa58ad7d9c9c744154eca969.exe
    "C:\Users\Admin\AppData\Local\Temp\72736c6fde8d6ec3ff75cbc12671db1694ef9b77aa58ad7d9c9c744154eca969.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1444
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un591297.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un591297.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1468
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6055.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6055.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1240
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 1084
          4⤵
          • Program crash
          PID:396
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5700.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5700.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4080
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1328
          4⤵
          • Program crash
          PID:5000
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si699205.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si699205.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3432
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1240 -ip 1240
    1⤵
      PID:4356
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4080 -ip 4080
      1⤵
        PID:5084

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si699205.exe
        Filesize

        175KB

        MD5

        aa48b3139148b781a463fc31f85e524d

        SHA1

        c1a1d3ceb9c2900f6d326dc9286fba33c3c62613

        SHA256

        c516d90850e747376f89ea5ee4c28bf8492c683b1842df4deead2c5f3131bced

        SHA512

        49718be1745c83384b2b77933f983630b9d58de051db31faad7f1f1b01991310a4f08c916e8ec06b63ecd093c84d723441ff0b09f67c015b1892e53a2a5ef0a0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si699205.exe
        Filesize

        175KB

        MD5

        aa48b3139148b781a463fc31f85e524d

        SHA1

        c1a1d3ceb9c2900f6d326dc9286fba33c3c62613

        SHA256

        c516d90850e747376f89ea5ee4c28bf8492c683b1842df4deead2c5f3131bced

        SHA512

        49718be1745c83384b2b77933f983630b9d58de051db31faad7f1f1b01991310a4f08c916e8ec06b63ecd093c84d723441ff0b09f67c015b1892e53a2a5ef0a0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un591297.exe
        Filesize

        558KB

        MD5

        a4ff460c93ef82b563eaedd34fda4e3a

        SHA1

        654ae9f11fca4ab08c365e32bad250bc4ccae85f

        SHA256

        e8d9284fd6e9e87213b54ae02453f388cc6d6fda19a86772986ca030f4a0670a

        SHA512

        7d97f1ed6f4eb73ff65f6326475b22d5b17bd15b5838a20cb0f82e94661896dde4e05aaf2961aa21cb695f65e22e1b83e36bc5eb9d72c9aa104f19868772f89b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un591297.exe
        Filesize

        558KB

        MD5

        a4ff460c93ef82b563eaedd34fda4e3a

        SHA1

        654ae9f11fca4ab08c365e32bad250bc4ccae85f

        SHA256

        e8d9284fd6e9e87213b54ae02453f388cc6d6fda19a86772986ca030f4a0670a

        SHA512

        7d97f1ed6f4eb73ff65f6326475b22d5b17bd15b5838a20cb0f82e94661896dde4e05aaf2961aa21cb695f65e22e1b83e36bc5eb9d72c9aa104f19868772f89b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6055.exe
        Filesize

        307KB

        MD5

        877ff81b5e2eb817c8a60af3c5bf5d1a

        SHA1

        220aea98931da761cd8c0e753dae26ab12c93875

        SHA256

        b0bc365068984301b5fc4c720af07615801eff13dbce9f3b8c0a97811c04ca39

        SHA512

        cdbe788854397550b580cd313a6c3fe7332f98c497205006e041717ea46a31f88280dcf06213715bf8cd25f1959c119b90de74610871a8c578b108330fbb76d2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6055.exe
        Filesize

        307KB

        MD5

        877ff81b5e2eb817c8a60af3c5bf5d1a

        SHA1

        220aea98931da761cd8c0e753dae26ab12c93875

        SHA256

        b0bc365068984301b5fc4c720af07615801eff13dbce9f3b8c0a97811c04ca39

        SHA512

        cdbe788854397550b580cd313a6c3fe7332f98c497205006e041717ea46a31f88280dcf06213715bf8cd25f1959c119b90de74610871a8c578b108330fbb76d2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5700.exe
        Filesize

        366KB

        MD5

        25526b7310af385e9af6021721941205

        SHA1

        0261c40d0429580c3bd5b1de3f53643bfa672ee2

        SHA256

        b02a42b95bb5ff08d1657072b37e2302433754e0cd4cc773b1c4dbb7d6c2fddd

        SHA512

        e9897b785c86c96bed6078ade61cfd26541ce562efe9425b32ebf5e1292bcbed408d512a8b0eee29d4e70b0aa1567254b65a2e9b595d174cf9660ddc6102f51c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5700.exe
        Filesize

        366KB

        MD5

        25526b7310af385e9af6021721941205

        SHA1

        0261c40d0429580c3bd5b1de3f53643bfa672ee2

        SHA256

        b02a42b95bb5ff08d1657072b37e2302433754e0cd4cc773b1c4dbb7d6c2fddd

        SHA512

        e9897b785c86c96bed6078ade61cfd26541ce562efe9425b32ebf5e1292bcbed408d512a8b0eee29d4e70b0aa1567254b65a2e9b595d174cf9660ddc6102f51c

        Download Submit

      • memory/1240-148-0x0000000004DA0000-0x0000000005344000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1240-149-0x0000000000710000-0x000000000073D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/1240-150-0x0000000004D90000-0x0000000004DA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1240-151-0x0000000004D90000-0x0000000004DA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1240-152-0x0000000004C70000-0x0000000004C82000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1240-153-0x0000000004C70000-0x0000000004C82000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1240-155-0x0000000004C70000-0x0000000004C82000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1240-157-0x0000000004C70000-0x0000000004C82000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1240-159-0x0000000004C70000-0x0000000004C82000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1240-161-0x0000000004C70000-0x0000000004C82000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1240-163-0x0000000004C70000-0x0000000004C82000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1240-165-0x0000000004C70000-0x0000000004C82000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1240-167-0x0000000004C70000-0x0000000004C82000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1240-169-0x0000000004C70000-0x0000000004C82000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1240-171-0x0000000004C70000-0x0000000004C82000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1240-173-0x0000000004C70000-0x0000000004C82000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1240-175-0x0000000004C70000-0x0000000004C82000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1240-177-0x0000000004C70000-0x0000000004C82000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1240-179-0x0000000004C70000-0x0000000004C82000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1240-180-0x0000000000400000-0x0000000000710000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/1240-181-0x0000000004D90000-0x0000000004DA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1240-183-0x0000000000400000-0x0000000000710000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/3432-1119-0x0000000000960000-0x0000000000992000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3432-1121-0x0000000005250000-0x0000000005260000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3432-1120-0x0000000005250000-0x0000000005260000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4080-193-0x0000000002970000-0x00000000029AF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4080-225-0x0000000002970000-0x00000000029AF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4080-195-0x0000000002970000-0x00000000029AF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4080-197-0x0000000002970000-0x00000000029AF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4080-199-0x0000000002970000-0x00000000029AF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4080-201-0x0000000002970000-0x00000000029AF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4080-203-0x0000000002970000-0x00000000029AF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4080-205-0x0000000002970000-0x00000000029AF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4080-208-0x00000000007F0000-0x000000000083B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/4080-207-0x0000000002970000-0x00000000029AF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4080-211-0x0000000002A00000-0x0000000002A10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4080-212-0x0000000002970000-0x00000000029AF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4080-210-0x0000000002A00000-0x0000000002A10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4080-214-0x0000000002A00000-0x0000000002A10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4080-215-0x0000000002970000-0x00000000029AF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4080-217-0x0000000002970000-0x00000000029AF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4080-219-0x0000000002970000-0x00000000029AF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4080-221-0x0000000002970000-0x00000000029AF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4080-223-0x0000000002970000-0x00000000029AF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4080-191-0x0000000002970000-0x00000000029AF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4080-1098-0x0000000005460000-0x0000000005A78000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/4080-1099-0x0000000005B00000-0x0000000005C0A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/4080-1100-0x0000000005C40000-0x0000000005C52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4080-1101-0x0000000005C60000-0x0000000005C9C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/4080-1102-0x0000000002A00000-0x0000000002A10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4080-1103-0x0000000005F50000-0x0000000005FB6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4080-1104-0x0000000006610000-0x00000000066A2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4080-1106-0x0000000002A00000-0x0000000002A10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4080-1107-0x0000000002A00000-0x0000000002A10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4080-1108-0x0000000002A00000-0x0000000002A10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4080-1109-0x0000000006810000-0x0000000006886000-memory.dmp

        Filesize

        472KB

        Download

      • memory/4080-1110-0x0000000006890000-0x00000000068E0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4080-188-0x0000000002970000-0x00000000029AF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4080-189-0x0000000002970000-0x00000000029AF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4080-1111-0x0000000002A00000-0x0000000002A10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4080-1112-0x0000000006BB0000-0x0000000006D72000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/4080-1113-0x0000000006D80000-0x00000000072AC000-memory.dmp

        Filesize

        5.2MB

        Download