Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    68s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-03-2023 00:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    62b15797b62e0ad2466719c1d52a7c418b9348bd01ffce79c7836d4e22fa4711.exe

  • Size

    700KB

  • MD5

    d901336f71f1b1dd47cb93737e6505a0

  • SHA1

    503fd7043794c77cc44a87165245cf19bb06f6af

  • SHA256

    62b15797b62e0ad2466719c1d52a7c418b9348bd01ffce79c7836d4e22fa4711

  • SHA512

    12319c8fa74c70b6275bc479eb9ad817ac8347a398a5460c2b3c67d2ac3550626b6d7e75e7da6fcf749c701b8640f7eeaf12e279d95f93c8d45085077f628619

  • SSDEEP

    12288:iMr6y90jdp5B/KM21Gqq1Ay9D5ScAg4NkNPq1DgTQLhe4mFywPkbjqz:wyedpf1f1og4QqkOGpkbOz

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 19 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\62b15797b62e0ad2466719c1d52a7c418b9348bd01ffce79c7836d4e22fa4711.exe
    "C:\Users\Admin\AppData\Local\Temp\62b15797b62e0ad2466719c1d52a7c418b9348bd01ffce79c7836d4e22fa4711.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4456
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un900808.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un900808.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:5116
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5127.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5127.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:380
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 1080
          4⤵
          • Program crash
          PID:228
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0814.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0814.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:956
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 1332
          4⤵
          • Program crash
          PID:2072
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si656936.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si656936.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3668
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 380 -ip 380
    1⤵
      PID:980
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 956 -ip 956
      1⤵
        PID:2108

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si656936.exe
        Filesize

        175KB

        MD5

        c068a04500cfcf9eea13a9deca760768

        SHA1

        39e7e5b1284b8ba083ba86278a3b2792b12fe80a

        SHA256

        794655cbe4137c82b407cefcfc29e5eafe419370ff29c3b4748498af13afd532

        SHA512

        e2ea81095338979abedd7afe5ff46c3dab8b446184c13d4c2e59b67e7a2de4d978017f49ed472f0a6a33d58affa729df6f1fdfa57c2ff324153fc05473db1cfb

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si656936.exe
        Filesize

        175KB

        MD5

        c068a04500cfcf9eea13a9deca760768

        SHA1

        39e7e5b1284b8ba083ba86278a3b2792b12fe80a

        SHA256

        794655cbe4137c82b407cefcfc29e5eafe419370ff29c3b4748498af13afd532

        SHA512

        e2ea81095338979abedd7afe5ff46c3dab8b446184c13d4c2e59b67e7a2de4d978017f49ed472f0a6a33d58affa729df6f1fdfa57c2ff324153fc05473db1cfb

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un900808.exe
        Filesize

        558KB

        MD5

        baede30076c23ed22ed134c9e7a1bad2

        SHA1

        b75f2000a6074d4c0345b0ccebacd80f7c02eabc

        SHA256

        4e24d889282c62859a24490f672e2a408b71818cdecc0724cf5fe68ea4432f78

        SHA512

        1bb2eccccf2d4ccee74bfa4eb05c53229916eddbfa07ce71e4fd04b4ea1ae089196330f5a2d2236a4e7dc144444dcc723d4a6c8cece1424e30f5104b48941010

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un900808.exe
        Filesize

        558KB

        MD5

        baede30076c23ed22ed134c9e7a1bad2

        SHA1

        b75f2000a6074d4c0345b0ccebacd80f7c02eabc

        SHA256

        4e24d889282c62859a24490f672e2a408b71818cdecc0724cf5fe68ea4432f78

        SHA512

        1bb2eccccf2d4ccee74bfa4eb05c53229916eddbfa07ce71e4fd04b4ea1ae089196330f5a2d2236a4e7dc144444dcc723d4a6c8cece1424e30f5104b48941010

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5127.exe
        Filesize

        307KB

        MD5

        0739e760e28de216b5c116d0ae33992b

        SHA1

        df0e97f4b55966280b6c79334244845251a4c12b

        SHA256

        88461f25030338f3a3e7d54fed59714af24781b62fe4359bb92b022eb2ef35da

        SHA512

        8ca817add986c60c418a76578c3ccdd07049f882f9bdd3fa1c7f9875322f8ccc26082b095c4b478fee4d77676a04056213a30e501f903cda0a1721c24afd0340

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5127.exe
        Filesize

        307KB

        MD5

        0739e760e28de216b5c116d0ae33992b

        SHA1

        df0e97f4b55966280b6c79334244845251a4c12b

        SHA256

        88461f25030338f3a3e7d54fed59714af24781b62fe4359bb92b022eb2ef35da

        SHA512

        8ca817add986c60c418a76578c3ccdd07049f882f9bdd3fa1c7f9875322f8ccc26082b095c4b478fee4d77676a04056213a30e501f903cda0a1721c24afd0340

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0814.exe
        Filesize

        365KB

        MD5

        382ab14c3bf4ff2a683ba3408f52d64b

        SHA1

        e9c072c6fc5844341651b54d969044c13e2e09cc

        SHA256

        d7b2d8c44a70c9f318e25a136b10267eabedbbd663a790c1799a4ca6fb459eba

        SHA512

        ac5b704790d1ff6fb6a9a8665780051736a994a706dbfca0c894f4ef606a3cc29d1b07c11cea27ad8b934eef42bc6e41029cd71475089ef68abe3eb66b62ab96

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0814.exe
        Filesize

        365KB

        MD5

        382ab14c3bf4ff2a683ba3408f52d64b

        SHA1

        e9c072c6fc5844341651b54d969044c13e2e09cc

        SHA256

        d7b2d8c44a70c9f318e25a136b10267eabedbbd663a790c1799a4ca6fb459eba

        SHA512

        ac5b704790d1ff6fb6a9a8665780051736a994a706dbfca0c894f4ef606a3cc29d1b07c11cea27ad8b934eef42bc6e41029cd71475089ef68abe3eb66b62ab96

        Download Submit

      • memory/380-148-0x0000000004EB0000-0x0000000005454000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/380-149-0x0000000002810000-0x0000000002822000-memory.dmp

        Filesize

        72KB

        Download

      • memory/380-150-0x0000000002810000-0x0000000002822000-memory.dmp

        Filesize

        72KB

        Download

      • memory/380-152-0x0000000002810000-0x0000000002822000-memory.dmp

        Filesize

        72KB

        Download

      • memory/380-154-0x0000000002810000-0x0000000002822000-memory.dmp

        Filesize

        72KB

        Download

      • memory/380-156-0x0000000002810000-0x0000000002822000-memory.dmp

        Filesize

        72KB

        Download

      • memory/380-158-0x0000000002810000-0x0000000002822000-memory.dmp

        Filesize

        72KB

        Download

      • memory/380-160-0x0000000002810000-0x0000000002822000-memory.dmp

        Filesize

        72KB

        Download

      • memory/380-162-0x0000000002810000-0x0000000002822000-memory.dmp

        Filesize

        72KB

        Download

      • memory/380-164-0x0000000002810000-0x0000000002822000-memory.dmp

        Filesize

        72KB

        Download

      • memory/380-167-0x0000000000710000-0x000000000073D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/380-171-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/380-169-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/380-170-0x0000000002810000-0x0000000002822000-memory.dmp

        Filesize

        72KB

        Download

      • memory/380-166-0x0000000002810000-0x0000000002822000-memory.dmp

        Filesize

        72KB

        Download

      • memory/380-172-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/380-174-0x0000000002810000-0x0000000002822000-memory.dmp

        Filesize

        72KB

        Download

      • memory/380-176-0x0000000002810000-0x0000000002822000-memory.dmp

        Filesize

        72KB

        Download

      • memory/380-178-0x0000000002810000-0x0000000002822000-memory.dmp

        Filesize

        72KB

        Download

      • memory/380-180-0x0000000002810000-0x0000000002822000-memory.dmp

        Filesize

        72KB

        Download

      • memory/380-181-0x0000000000400000-0x000000000070F000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/380-182-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/380-183-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/380-184-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/380-186-0x0000000000400000-0x000000000070F000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/956-196-0x00000000052A0000-0x00000000052DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/956-316-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/956-194-0x00000000052A0000-0x00000000052DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/956-191-0x00000000052A0000-0x00000000052DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/956-198-0x00000000052A0000-0x00000000052DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/956-200-0x00000000052A0000-0x00000000052DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/956-202-0x00000000052A0000-0x00000000052DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/956-204-0x00000000052A0000-0x00000000052DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/956-206-0x00000000052A0000-0x00000000052DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/956-208-0x00000000052A0000-0x00000000052DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/956-210-0x00000000052A0000-0x00000000052DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/956-212-0x00000000052A0000-0x00000000052DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/956-214-0x00000000052A0000-0x00000000052DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/956-216-0x00000000052A0000-0x00000000052DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/956-218-0x00000000052A0000-0x00000000052DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/956-220-0x00000000052A0000-0x00000000052DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/956-222-0x00000000052A0000-0x00000000052DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/956-224-0x00000000052A0000-0x00000000052DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/956-315-0x00000000007F0000-0x000000000083B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/956-192-0x00000000052A0000-0x00000000052DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/956-317-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/956-319-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/956-1101-0x0000000005460000-0x0000000005A78000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/956-1102-0x0000000005B00000-0x0000000005C0A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/956-1103-0x0000000005C40000-0x0000000005C52000-memory.dmp

        Filesize

        72KB

        Download

      • memory/956-1104-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/956-1105-0x0000000005C60000-0x0000000005C9C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/956-1106-0x0000000005F50000-0x0000000005FB6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/956-1107-0x0000000006610000-0x00000000066A2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/956-1108-0x00000000066F0000-0x0000000006766000-memory.dmp

        Filesize

        472KB

        Download

      • memory/956-1109-0x0000000006780000-0x00000000067D0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/956-1111-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/956-1112-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/956-1113-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/956-1114-0x0000000006A30000-0x0000000006BF2000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/956-1115-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/956-1116-0x0000000006C10000-0x000000000713C000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3668-1122-0x0000000000030000-0x0000000000062000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3668-1123-0x0000000004C00000-0x0000000004C10000-memory.dmp

        Filesize

        64KB

        Download