Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-03-2023 03:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7f03eb3b45faca426854d7bd2bd747edc59373f9fe6e609a53b79fb8a81dcc20.exe

  • Size

    689KB

  • MD5

    679832fee75ba157dc54a23641ec741e

  • SHA1

    cb8594cb8d3e2b5a20e065bb04b6859e2534f076

  • SHA256

    7f03eb3b45faca426854d7bd2bd747edc59373f9fe6e609a53b79fb8a81dcc20

  • SHA512

    8bf2213b226878f91702181de07b710731a2fc0192b5f7a26307274aef85549226f37bb37c71c9709a449b5bb2b75583435af02e610358554d8295fb328a8e97

  • SSDEEP

    12288:1Mrsy90XWPivKiqYLm1ys65hLujDK34uSll4+KvmFa1fig4/PgOVSmjaA6:Ry6wYSczfajDKIuElGya1agbOVxad

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7f03eb3b45faca426854d7bd2bd747edc59373f9fe6e609a53b79fb8a81dcc20.exe
    "C:\Users\Admin\AppData\Local\Temp\7f03eb3b45faca426854d7bd2bd747edc59373f9fe6e609a53b79fb8a81dcc20.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4264
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un266883.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un266883.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2128
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4725.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4725.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3744
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 1080
          4⤵
          • Program crash
          PID:1624
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4922.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4922.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1392
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 1348
          4⤵
          • Program crash
          PID:3100
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si636661.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si636661.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1844
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3744 -ip 3744
    1⤵
      PID:2716
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1392 -ip 1392
      1⤵
        PID:1756

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si636661.exe
        Filesize

        175KB

        MD5

        a05b4e3e79a7193e0c2b1ac4f608a6b3

        SHA1

        f7baaf9eee23a8526c23531ea99385577ef6d32b

        SHA256

        5ee947657f1559bda79c26e0d5764bcae90c985ad8e369892a2c9b1076ca5f9c

        SHA512

        7e53bfd3190aa295b232d594aef8fc1736bf6fee1dbf9b3d2b8bf5fc8964b10ba17080c539bccbb81ce8bf08f94ea2a7c0fc2dc513fadc0cdfc198e64cbdfb0b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si636661.exe
        Filesize

        175KB

        MD5

        a05b4e3e79a7193e0c2b1ac4f608a6b3

        SHA1

        f7baaf9eee23a8526c23531ea99385577ef6d32b

        SHA256

        5ee947657f1559bda79c26e0d5764bcae90c985ad8e369892a2c9b1076ca5f9c

        SHA512

        7e53bfd3190aa295b232d594aef8fc1736bf6fee1dbf9b3d2b8bf5fc8964b10ba17080c539bccbb81ce8bf08f94ea2a7c0fc2dc513fadc0cdfc198e64cbdfb0b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un266883.exe
        Filesize

        548KB

        MD5

        301ed3f4e685bef1b54138fe9174ff2e

        SHA1

        340722137cbdc2ed40e972a64826e92ee5966e50

        SHA256

        c776dd944f5ab947b903d01d1f6e14e614dd5815deb936855193a61880b3898b

        SHA512

        a05d2f517f509fcd7ce9aa0ec220b171b7322486f99f5535fb385d8d28a277a7a60408ca4745b3360a51deeddadff2c3009ff3e7ba857a8bacdc0fb6b32719af

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un266883.exe
        Filesize

        548KB

        MD5

        301ed3f4e685bef1b54138fe9174ff2e

        SHA1

        340722137cbdc2ed40e972a64826e92ee5966e50

        SHA256

        c776dd944f5ab947b903d01d1f6e14e614dd5815deb936855193a61880b3898b

        SHA512

        a05d2f517f509fcd7ce9aa0ec220b171b7322486f99f5535fb385d8d28a277a7a60408ca4745b3360a51deeddadff2c3009ff3e7ba857a8bacdc0fb6b32719af

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4725.exe
        Filesize

        291KB

        MD5

        ade708e165ae4f308e4237304fe31444

        SHA1

        e2b4650c6c2e0135f9c4b0bac5581c2ad688867f

        SHA256

        5fc89caa3f779df331887419a85b49dc0894bded6e8e71723937b9c697bade34

        SHA512

        480191bd86fb8df54a7a672604d2d334636b76ce6a6d27523224de9a02eb03476f77c3056d638ea1b15832b778a3b44eaac7710180316d179cda063a5453e669

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4725.exe
        Filesize

        291KB

        MD5

        ade708e165ae4f308e4237304fe31444

        SHA1

        e2b4650c6c2e0135f9c4b0bac5581c2ad688867f

        SHA256

        5fc89caa3f779df331887419a85b49dc0894bded6e8e71723937b9c697bade34

        SHA512

        480191bd86fb8df54a7a672604d2d334636b76ce6a6d27523224de9a02eb03476f77c3056d638ea1b15832b778a3b44eaac7710180316d179cda063a5453e669

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4922.exe
        Filesize

        345KB

        MD5

        a39ab8276ec46891cb2d9249f2e75fea

        SHA1

        7e1073f28488b5bc59c2c734c61a811df0db0e69

        SHA256

        d00ca09f0807e88e215deb83c5e89502e8fd4ba76e54452355225775485d6665

        SHA512

        0d4a10ecad056542a04476b910126966c5fe8579a2c96102911e9623a4dfcaac4e479e84fcb681c4a45625a2cfbee8a9f363461e334a9d99bef073dc98d79658

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4922.exe
        Filesize

        345KB

        MD5

        a39ab8276ec46891cb2d9249f2e75fea

        SHA1

        7e1073f28488b5bc59c2c734c61a811df0db0e69

        SHA256

        d00ca09f0807e88e215deb83c5e89502e8fd4ba76e54452355225775485d6665

        SHA512

        0d4a10ecad056542a04476b910126966c5fe8579a2c96102911e9623a4dfcaac4e479e84fcb681c4a45625a2cfbee8a9f363461e334a9d99bef073dc98d79658

        Download Submit

      • memory/1392-227-0x0000000006050000-0x000000000608F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1392-1102-0x0000000006E10000-0x0000000006E22000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1392-1115-0x0000000007E10000-0x000000000833C000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/1392-1114-0x0000000007C40000-0x0000000007E02000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/1392-1113-0x00000000060B0000-0x00000000060C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1392-1112-0x0000000007BC0000-0x0000000007C10000-memory.dmp

        Filesize

        320KB

        Download

      • memory/1392-1111-0x0000000007B20000-0x0000000007B96000-memory.dmp

        Filesize

        472KB

        Download

      • memory/1392-1110-0x00000000060B0000-0x00000000060C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1392-1109-0x00000000060B0000-0x00000000060C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1392-1108-0x00000000060B0000-0x00000000060C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1392-1106-0x00000000071C0000-0x0000000007226000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1392-1105-0x0000000007120000-0x00000000071B2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/1392-1104-0x00000000060B0000-0x00000000060C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1392-1103-0x0000000006E30000-0x0000000006E6C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1392-1101-0x0000000006CD0000-0x0000000006DDA000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/1392-1100-0x0000000006670000-0x0000000006C88000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/1392-225-0x0000000006050000-0x000000000608F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1392-223-0x0000000006050000-0x000000000608F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1392-221-0x0000000006050000-0x000000000608F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1392-219-0x0000000006050000-0x000000000608F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1392-217-0x0000000006050000-0x000000000608F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1392-215-0x0000000006050000-0x000000000608F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1392-190-0x0000000006050000-0x000000000608F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1392-193-0x0000000006050000-0x000000000608F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1392-191-0x0000000006050000-0x000000000608F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1392-195-0x0000000006050000-0x000000000608F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1392-197-0x0000000006050000-0x000000000608F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1392-198-0x0000000001B00000-0x0000000001B4B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/1392-199-0x00000000060B0000-0x00000000060C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1392-201-0x00000000060B0000-0x00000000060C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1392-202-0x0000000006050000-0x000000000608F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1392-203-0x00000000060B0000-0x00000000060C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1392-205-0x0000000006050000-0x000000000608F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1392-207-0x0000000006050000-0x000000000608F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1392-211-0x0000000006050000-0x000000000608F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1392-209-0x0000000006050000-0x000000000608F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1392-213-0x0000000006050000-0x000000000608F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1844-1121-0x0000000000130000-0x0000000000162000-memory.dmp

        Filesize

        200KB

        Download

      • memory/1844-1122-0x0000000004D60000-0x0000000004D70000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3744-173-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3744-148-0x0000000004E20000-0x00000000053C4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3744-182-0x00000000026A0000-0x00000000026B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3744-181-0x00000000026A0000-0x00000000026B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3744-150-0x00000000026A0000-0x00000000026B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3744-180-0x0000000000400000-0x000000000070B000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/3744-179-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3744-153-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3744-177-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3744-175-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3744-152-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3744-183-0x00000000026A0000-0x00000000026B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3744-165-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3744-167-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3744-169-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3744-163-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3744-161-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3744-159-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3744-157-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3744-155-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3744-149-0x00000000007E0000-0x000000000080D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/3744-171-0x0000000002780000-0x0000000002792000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3744-185-0x0000000000400000-0x000000000070B000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/3744-151-0x00000000026A0000-0x00000000026B0000-memory.dmp

        Filesize

        64KB

        Download