Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-03-2023 00:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    832c7b4977951dd48f323b03b8761712dbc9a1dc0d67b85508c6ebb24a5c7815.exe

  • Size

    690KB

  • MD5

    8aa1d94b74a86eaa809756ca4d3863be

  • SHA1

    2b6ee59b8ce62ec6147d84a4de3cc22ca9255f31

  • SHA256

    832c7b4977951dd48f323b03b8761712dbc9a1dc0d67b85508c6ebb24a5c7815

  • SHA512

    438c21694b576f9f7cee59d9610ee71394db5843af7b699627ccb392cf751d517ac28ac631b1099fd424337c8ed29b44a6f523b3c2696a2fca8deffcc704e3c1

  • SSDEEP

    12288:TMrgy90stdF3CpFVA054Lk5Oqdq3KYmnFxp837RkLpRsq8e+81CNB:XyfXQA05r5Dqizp837Rk8q8eb1QB

Score
10/10
redlinerosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 19 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\832c7b4977951dd48f323b03b8761712dbc9a1dc0d67b85508c6ebb24a5c7815.exe
    "C:\Users\Admin\AppData\Local\Temp\832c7b4977951dd48f323b03b8761712dbc9a1dc0d67b85508c6ebb24a5c7815.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un890303.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un890303.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2360
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2295.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2295.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1852
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 1096
          4⤵
          • Program crash
          PID:1628
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7693.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7693.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4320
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1852 -ip 1852
    1⤵
      PID:1572

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un890303.exe
      Filesize

      548KB

      MD5

      b37e393e99e497b58cf5dd7ac941d33c

      SHA1

      39b1eff1544dc71475f20f6e98901e187bc339c3

      SHA256

      9eeb4b1122fb4f901e31f6b8fdb74a3675a12ea723c9df13dadeafc8175ce2f9

      SHA512

      3d14c8f20617032f69d9776cde61c2de255e3f046b3e44cc2e9ce783a8fb1ad672ee2f6a32532050f4d84bc34678990cdc915b02ed0c54a5c2b44be8a5dca2b0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un890303.exe
      Filesize

      548KB

      MD5

      b37e393e99e497b58cf5dd7ac941d33c

      SHA1

      39b1eff1544dc71475f20f6e98901e187bc339c3

      SHA256

      9eeb4b1122fb4f901e31f6b8fdb74a3675a12ea723c9df13dadeafc8175ce2f9

      SHA512

      3d14c8f20617032f69d9776cde61c2de255e3f046b3e44cc2e9ce783a8fb1ad672ee2f6a32532050f4d84bc34678990cdc915b02ed0c54a5c2b44be8a5dca2b0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2295.exe
      Filesize

      291KB

      MD5

      89b28cdff6e1cce40e9137abd1613ebc

      SHA1

      ba7ec22a9de57a52dbeea36dadd67e937a439ad4

      SHA256

      68f02ebbfd48fe7bdaf1b0cd946e5434c6388d6023d6017f1a34ac2d1d661284

      SHA512

      70ebfd243df0260d33e811fd9464f0d836f3cb2aa74f9b78bb1c2eaaa45ef80d039efd18b0cf85bb667b4f2d875b27c96b9c5b1cd84b4d1db72e0d71e7f53ea6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2295.exe
      Filesize

      291KB

      MD5

      89b28cdff6e1cce40e9137abd1613ebc

      SHA1

      ba7ec22a9de57a52dbeea36dadd67e937a439ad4

      SHA256

      68f02ebbfd48fe7bdaf1b0cd946e5434c6388d6023d6017f1a34ac2d1d661284

      SHA512

      70ebfd243df0260d33e811fd9464f0d836f3cb2aa74f9b78bb1c2eaaa45ef80d039efd18b0cf85bb667b4f2d875b27c96b9c5b1cd84b4d1db72e0d71e7f53ea6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7693.exe
      Filesize

      350KB

      MD5

      b6c3eaecac4fbe4ecbf85926f66d6d1f

      SHA1

      03b9eee841687288453c60853d0ad2b7579f9dec

      SHA256

      7e4fa8d832b74314b56f3ba1939ef9deae315c220e98a1fe7c7c56626153bc05

      SHA512

      066065b2e26fd1f8ce9a7af10205186e3096b128c50af9b7178f7f1ec527e784560d78b6cc3849b6f47ed02a798271eda1a9ae8a41a60ca0bb9ec549b603d2e3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7693.exe
      Filesize

      350KB

      MD5

      b6c3eaecac4fbe4ecbf85926f66d6d1f

      SHA1

      03b9eee841687288453c60853d0ad2b7579f9dec

      SHA256

      7e4fa8d832b74314b56f3ba1939ef9deae315c220e98a1fe7c7c56626153bc05

      SHA512

      066065b2e26fd1f8ce9a7af10205186e3096b128c50af9b7178f7f1ec527e784560d78b6cc3849b6f47ed02a798271eda1a9ae8a41a60ca0bb9ec549b603d2e3

      Download Submit

    • memory/1852-149-0x0000000004ED0000-0x0000000005474000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1852-150-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1852-148-0x00000000007F0000-0x000000000081D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/1852-151-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1852-152-0x0000000002720000-0x0000000002732000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1852-153-0x0000000002720000-0x0000000002732000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1852-155-0x0000000002720000-0x0000000002732000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1852-157-0x0000000002720000-0x0000000002732000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1852-159-0x0000000002720000-0x0000000002732000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1852-161-0x0000000002720000-0x0000000002732000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1852-163-0x0000000002720000-0x0000000002732000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1852-165-0x0000000002720000-0x0000000002732000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1852-167-0x0000000002720000-0x0000000002732000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1852-169-0x0000000002720000-0x0000000002732000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1852-171-0x0000000002720000-0x0000000002732000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1852-173-0x0000000002720000-0x0000000002732000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1852-175-0x0000000002720000-0x0000000002732000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1852-177-0x0000000002720000-0x0000000002732000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1852-179-0x0000000002720000-0x0000000002732000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1852-180-0x0000000000400000-0x000000000070B000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/1852-181-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1852-182-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1852-184-0x0000000000400000-0x000000000070B000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/4320-189-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4320-190-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4320-192-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4320-194-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4320-196-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4320-198-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4320-200-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4320-202-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4320-204-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4320-206-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4320-210-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4320-208-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4320-212-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4320-214-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4320-216-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4320-218-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4320-220-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4320-222-0x0000000004CD0000-0x0000000004D0F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4320-343-0x0000000004E20000-0x0000000004E30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4320-341-0x0000000000810000-0x000000000085B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4320-345-0x0000000004E20000-0x0000000004E30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4320-347-0x0000000004E20000-0x0000000004E30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4320-1099-0x00000000053E0000-0x00000000059F8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4320-1100-0x0000000005A00000-0x0000000005B0A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4320-1101-0x0000000005B10000-0x0000000005B22000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4320-1102-0x0000000005B30000-0x0000000005B6C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4320-1103-0x0000000004E20000-0x0000000004E30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4320-1105-0x0000000005E10000-0x0000000005E76000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4320-1106-0x00000000065C0000-0x0000000006652000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4320-1107-0x00000000066B0000-0x0000000006726000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4320-1108-0x0000000006740000-0x0000000006790000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4320-1109-0x00000000067C0000-0x0000000006982000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4320-1111-0x0000000006990000-0x0000000006EBC000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4320-1112-0x0000000004E20000-0x0000000004E30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4320-1110-0x0000000004E20000-0x0000000004E30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4320-1113-0x0000000004E20000-0x0000000004E30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4320-1114-0x0000000004E20000-0x0000000004E30000-memory.dmp

      Filesize

      64KB

      Download