Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-03-2023 01:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0f2045b0ac8dbc2ef5e13a30afcd57e596ad90ccd9b1b50bc15d05b4605117d5.exe

  • Size

    690KB

  • MD5

    1b526aa866efbabb700696996b1cdf2f

  • SHA1

    63e8ef3c8ef7b574c4b9927bb990c88f65bc4fd7

  • SHA256

    0f2045b0ac8dbc2ef5e13a30afcd57e596ad90ccd9b1b50bc15d05b4605117d5

  • SHA512

    1b53d59ca4005f6b1367b45b8b0ccf90a7637dee40e729f99b4014a89d638860ac6b7dae08e5d8c4c5e6d9805ffd8c07e80b6f3d1e63a0d9cad172e62a1060ba

  • SSDEEP

    12288:JMr4y9054ntlSgKm4tHdGMSP2sVCawyZAvlFS0figh5wzt2zhyr9VdW:Jyntl1deAMSTRBZA3S0ag3ot8w9VdW

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f2045b0ac8dbc2ef5e13a30afcd57e596ad90ccd9b1b50bc15d05b4605117d5.exe
    "C:\Users\Admin\AppData\Local\Temp\0f2045b0ac8dbc2ef5e13a30afcd57e596ad90ccd9b1b50bc15d05b4605117d5.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4640
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un918430.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un918430.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:5060
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2762.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2762.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3628
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 1084
          4⤵
          • Program crash
          PID:4796
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0627.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0627.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2604
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 1912
          4⤵
          • Program crash
          PID:3980
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si130030.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si130030.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2664
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3628 -ip 3628
    1⤵
      PID:4192
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2604 -ip 2604
      1⤵
        PID:5004
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe start wuauserv
        1⤵
        • Launches sc.exe
        PID:3716

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si130030.exe
        Filesize

        175KB

        MD5

        28df937a19df623ece89b6b8eba69440

        SHA1

        56fa01bb45a48bfacb2f56a6d5038dc7098e472e

        SHA256

        261c11c27377273bed4713d9c611e73a5087b8d825b0acf165743708e6cece62

        SHA512

        d44a7d91f94117782ceb79f61fd1cbeeabf0141fc749a0f6e32402f675fb3657dda6a797b4a53f1c39561ba49bf3a76399b617011eb49f34c4951ad14140329c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si130030.exe
        Filesize

        175KB

        MD5

        28df937a19df623ece89b6b8eba69440

        SHA1

        56fa01bb45a48bfacb2f56a6d5038dc7098e472e

        SHA256

        261c11c27377273bed4713d9c611e73a5087b8d825b0acf165743708e6cece62

        SHA512

        d44a7d91f94117782ceb79f61fd1cbeeabf0141fc749a0f6e32402f675fb3657dda6a797b4a53f1c39561ba49bf3a76399b617011eb49f34c4951ad14140329c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un918430.exe
        Filesize

        548KB

        MD5

        106d4110682e85298d226c9e6eb4c852

        SHA1

        00c087b3794ecaa42e71d1cabc47b3818adb59ca

        SHA256

        10b91c6c4437f0effd70104c31057babede50832f30aaa7009c8c8bed86ded7e

        SHA512

        1b5a4af554561cfe725d34afb2bd9ba0e845b77e2ae2110679a97237f50b4d4bd3cf09fc76d635d7aa8663ad5d23a0d8edf51bc614fb4388b2d2530d7745d4e5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un918430.exe
        Filesize

        548KB

        MD5

        106d4110682e85298d226c9e6eb4c852

        SHA1

        00c087b3794ecaa42e71d1cabc47b3818adb59ca

        SHA256

        10b91c6c4437f0effd70104c31057babede50832f30aaa7009c8c8bed86ded7e

        SHA512

        1b5a4af554561cfe725d34afb2bd9ba0e845b77e2ae2110679a97237f50b4d4bd3cf09fc76d635d7aa8663ad5d23a0d8edf51bc614fb4388b2d2530d7745d4e5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2762.exe
        Filesize

        291KB

        MD5

        a6d0c9e8b7a7224c1a1a4c99f0fd6668

        SHA1

        2f8211a6c716f42c47a379a15c5bf4cf8d2d6b46

        SHA256

        defe26fc44ec10d26fd85e5eed56e3032c329ccbba89e6a849ab97aa1ab72807

        SHA512

        1bbb810caec1f2b7211a42b08523bbbb866630eac265b572d852dd06c4c0b883e3cfb3fe5de04e2d0eebf6b09386df505642972bdf0cf9054cf9c049757dce25

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2762.exe
        Filesize

        291KB

        MD5

        a6d0c9e8b7a7224c1a1a4c99f0fd6668

        SHA1

        2f8211a6c716f42c47a379a15c5bf4cf8d2d6b46

        SHA256

        defe26fc44ec10d26fd85e5eed56e3032c329ccbba89e6a849ab97aa1ab72807

        SHA512

        1bbb810caec1f2b7211a42b08523bbbb866630eac265b572d852dd06c4c0b883e3cfb3fe5de04e2d0eebf6b09386df505642972bdf0cf9054cf9c049757dce25

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0627.exe
        Filesize

        345KB

        MD5

        e1091d8b10e1dd1505883724a0990736

        SHA1

        d1804ccd46cacd1c247fd7cd59f4ba31748ef1cb

        SHA256

        bac957dd3d46d9e75aaade10e549c1f33c9a2eb381fcfea77b03a4a3e50b1dc0

        SHA512

        7a176a10470a402066695fac97002f35dd4d7b2b55b78631f938bf16e89e75f33edde0a15fe62fdd3612454963d2abd135d68fce1738ad6c7bda44e02a1ad280

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0627.exe
        Filesize

        345KB

        MD5

        e1091d8b10e1dd1505883724a0990736

        SHA1

        d1804ccd46cacd1c247fd7cd59f4ba31748ef1cb

        SHA256

        bac957dd3d46d9e75aaade10e549c1f33c9a2eb381fcfea77b03a4a3e50b1dc0

        SHA512

        7a176a10470a402066695fac97002f35dd4d7b2b55b78631f938bf16e89e75f33edde0a15fe62fdd3612454963d2abd135d68fce1738ad6c7bda44e02a1ad280

        Download Submit

      • memory/2604-1102-0x0000000006D60000-0x0000000006E6A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2604-1101-0x0000000006740000-0x0000000006D58000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/2604-220-0x0000000005FE0000-0x000000000601F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2604-218-0x0000000005FE0000-0x000000000601F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2604-204-0x0000000005FE0000-0x000000000601F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2604-206-0x0000000005FE0000-0x000000000601F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2604-1115-0x0000000007D80000-0x0000000007F42000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2604-1114-0x0000000006180000-0x0000000006190000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2604-1113-0x0000000007BB0000-0x0000000007C00000-memory.dmp

        Filesize

        320KB

        Download

      • memory/2604-1112-0x0000000007B30000-0x0000000007BA6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/2604-208-0x0000000005FE0000-0x000000000601F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2604-1111-0x0000000006180000-0x0000000006190000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2604-1110-0x0000000006180000-0x0000000006190000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2604-1109-0x0000000006180000-0x0000000006190000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2604-1107-0x00000000071C0000-0x0000000007226000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2604-1106-0x0000000007120000-0x00000000071B2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2604-1105-0x0000000006180000-0x0000000006190000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2604-1104-0x0000000006140000-0x000000000617C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/2604-1103-0x0000000006120000-0x0000000006132000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2604-222-0x0000000005FE0000-0x000000000601F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2604-230-0x0000000006180000-0x0000000006190000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2604-229-0x0000000006180000-0x0000000006190000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2604-227-0x0000000006180000-0x0000000006190000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2604-191-0x0000000005FE0000-0x000000000601F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2604-192-0x0000000005FE0000-0x000000000601F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2604-194-0x0000000005FE0000-0x000000000601F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2604-196-0x0000000005FE0000-0x000000000601F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2604-198-0x0000000005FE0000-0x000000000601F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2604-200-0x0000000005FE0000-0x000000000601F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2604-202-0x0000000005FE0000-0x000000000601F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2604-224-0x0000000005FE0000-0x000000000601F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2604-1116-0x0000000007F50000-0x000000000847C000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/2604-226-0x0000000001C00000-0x0000000001C4B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/2604-210-0x0000000005FE0000-0x000000000601F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2604-212-0x0000000005FE0000-0x000000000601F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2604-214-0x0000000005FE0000-0x000000000601F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2604-216-0x0000000005FE0000-0x000000000601F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2664-1122-0x00000000007E0000-0x0000000000812000-memory.dmp

        Filesize

        200KB

        Download

      • memory/2664-1123-0x00000000050D0000-0x00000000050E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3628-181-0x0000000000400000-0x000000000070B000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/3628-173-0x0000000002750000-0x0000000002762000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3628-148-0x0000000000810000-0x000000000083D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/3628-151-0x0000000002750000-0x0000000002762000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3628-155-0x0000000002750000-0x0000000002762000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3628-186-0x0000000000400000-0x000000000070B000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/3628-184-0x0000000005030000-0x0000000005040000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3628-150-0x0000000002750000-0x0000000002762000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3628-183-0x0000000005030000-0x0000000005040000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3628-182-0x0000000005030000-0x0000000005040000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3628-153-0x0000000002750000-0x0000000002762000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3628-180-0x0000000005030000-0x0000000005040000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3628-179-0x0000000005030000-0x0000000005040000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3628-178-0x0000000005030000-0x0000000005040000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3628-177-0x0000000002750000-0x0000000002762000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3628-175-0x0000000002750000-0x0000000002762000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3628-171-0x0000000002750000-0x0000000002762000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3628-169-0x0000000002750000-0x0000000002762000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3628-167-0x0000000002750000-0x0000000002762000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3628-165-0x0000000002750000-0x0000000002762000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3628-163-0x0000000002750000-0x0000000002762000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3628-149-0x0000000005040000-0x00000000055E4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3628-161-0x0000000002750000-0x0000000002762000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3628-159-0x0000000002750000-0x0000000002762000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3628-157-0x0000000002750000-0x0000000002762000-memory.dmp

        Filesize

        72KB

        Download