Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    86s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-03-2023 04:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1ff818afbee71bdb5230531f4d928b8f9be672a1f0d479ab7b4ecd306f02cf7a.exe

  • Size

    689KB

  • MD5

    eb56b11b90ea8b0e66fcec2794a9d0cf

  • SHA1

    bf5a1922f76ac2c4b9003e5e6be9ae1b75717b1c

  • SHA256

    1ff818afbee71bdb5230531f4d928b8f9be672a1f0d479ab7b4ecd306f02cf7a

  • SHA512

    9bee32f99b35be4827b527890e6a4b3430dff1c04392c2d7459acb11b313f80a1cf3138757cb5e567dc93c0668ce58bdc9da10d3611482ffeaf522bbafc6a503

  • SSDEEP

    12288:0MrOy90a2IfAVaohfnGDoIy465hLuglD5aMSKx3Hr+9Ph4EtgWvSFi4figTo6HTQ:yyr2qIlJ3fa+aLw3HKbtFui4agToyjE

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ff818afbee71bdb5230531f4d928b8f9be672a1f0d479ab7b4ecd306f02cf7a.exe
    "C:\Users\Admin\AppData\Local\Temp\1ff818afbee71bdb5230531f4d928b8f9be672a1f0d479ab7b4ecd306f02cf7a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2680
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un775790.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un775790.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:372
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4738.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4738.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1952
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1080
          4⤵
          • Program crash
          PID:1516
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6644.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6644.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2632
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 1664
          4⤵
          • Program crash
          PID:4560
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si290295.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si290295.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3532
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1952 -ip 1952
    1⤵
      PID:4732
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2632 -ip 2632
      1⤵
        PID:3184

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Modify Existing Service

      1
      T1031

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      3
      T1112

      Disabling Security Tools

      2
      T1089

      Credential Access

      Credentials in Files

      2
      T1081

      Discovery

      Query Registry

      1
      T1012

      Lateral Movement

      Collection

      Data from Local System

      2
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si290295.exe
        Filesize

        175KB

        MD5

        fe9723ef751b39fac1e9fbda23d2010a

        SHA1

        7fc3a417d4b1ae7fa6a3164ae0f74cec48df1842

        SHA256

        cb3cabc32e4e6cd072a67bd3b78eb72f1b0d2e6c8f42caf60c907a4316782ac6

        SHA512

        6dd76de9b12f55ec156e4fd5f46d41a765d3d04ef0a673ae454b41d5419002aba9169807a81e1b93f32f7d2367c0683c5774a1548612130459604325acf7f1a8

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si290295.exe
        Filesize

        175KB

        MD5

        fe9723ef751b39fac1e9fbda23d2010a

        SHA1

        7fc3a417d4b1ae7fa6a3164ae0f74cec48df1842

        SHA256

        cb3cabc32e4e6cd072a67bd3b78eb72f1b0d2e6c8f42caf60c907a4316782ac6

        SHA512

        6dd76de9b12f55ec156e4fd5f46d41a765d3d04ef0a673ae454b41d5419002aba9169807a81e1b93f32f7d2367c0683c5774a1548612130459604325acf7f1a8

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un775790.exe
        Filesize

        548KB

        MD5

        bdf037a7d8ea332fb5c8812684130961

        SHA1

        d42bfcaff5213ed3626ce1d12a958616bb2984b6

        SHA256

        6b0895091af0d4e374563a2952d456c7ae9ad3ff8b028609932eff2b506f5042

        SHA512

        bc3bde842fc6cfc0d1ed640b4ab1dce95dbf5bb0d0d20d08e7be5d2ddf3c2a1e6b187d94543f6a33940df950217d790f6cf93fa3c8ce5e8b53bce70eaaf4185b

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un775790.exe
        Filesize

        548KB

        MD5

        bdf037a7d8ea332fb5c8812684130961

        SHA1

        d42bfcaff5213ed3626ce1d12a958616bb2984b6

        SHA256

        6b0895091af0d4e374563a2952d456c7ae9ad3ff8b028609932eff2b506f5042

        SHA512

        bc3bde842fc6cfc0d1ed640b4ab1dce95dbf5bb0d0d20d08e7be5d2ddf3c2a1e6b187d94543f6a33940df950217d790f6cf93fa3c8ce5e8b53bce70eaaf4185b

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4738.exe
        Filesize

        291KB

        MD5

        360255f1a7b80d488c689fea5d8762c0

        SHA1

        d6cc94e529d11c7069741d0b86108e6227a7c4fa

        SHA256

        3aec35fbfdfc27a8b97c47d88f0ab3b6fbecc5a6aa6fa3a57309384553ec712e

        SHA512

        2bfc41c564dbb32f3d2324f17d66ec1f709a63262dbe4bb515f77c315ecf06d00361974685be185ce5047e7497f57cbbf84ce3239360f26b753071fd65b5f72b

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4738.exe
        Filesize

        291KB

        MD5

        360255f1a7b80d488c689fea5d8762c0

        SHA1

        d6cc94e529d11c7069741d0b86108e6227a7c4fa

        SHA256

        3aec35fbfdfc27a8b97c47d88f0ab3b6fbecc5a6aa6fa3a57309384553ec712e

        SHA512

        2bfc41c564dbb32f3d2324f17d66ec1f709a63262dbe4bb515f77c315ecf06d00361974685be185ce5047e7497f57cbbf84ce3239360f26b753071fd65b5f72b

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6644.exe
        Filesize

        345KB

        MD5

        7dc1b26e36b333c0f0e7340b44604f3c

        SHA1

        0da561149f468420e43cae79e11eebc32877e1fb

        SHA256

        e067fcf79a1c0c0ebfb4cd5851b8a8971591e02408fac5f10fa3ae5300269a97

        SHA512

        9ad8b7f1b4445b2c1283abfc4b83f38bc3e8200dc1ffdacca35f5857b45c050ac97cf06767b97920856f424caf3ebe9bf23b3d579c147d8673baac139ee8ae4d

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6644.exe
        Filesize

        345KB

        MD5

        7dc1b26e36b333c0f0e7340b44604f3c

        SHA1

        0da561149f468420e43cae79e11eebc32877e1fb

        SHA256

        e067fcf79a1c0c0ebfb4cd5851b8a8971591e02408fac5f10fa3ae5300269a97

        SHA512

        9ad8b7f1b4445b2c1283abfc4b83f38bc3e8200dc1ffdacca35f5857b45c050ac97cf06767b97920856f424caf3ebe9bf23b3d579c147d8673baac139ee8ae4d

        Download Submit
      • memory/1952-148-0x0000000004E30000-0x00000000053D4000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/1952-149-0x0000000002500000-0x0000000002512000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1952-150-0x0000000002500000-0x0000000002512000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1952-152-0x0000000002500000-0x0000000002512000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1952-154-0x0000000002500000-0x0000000002512000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1952-158-0x0000000002500000-0x0000000002512000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1952-156-0x0000000002500000-0x0000000002512000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1952-160-0x0000000002500000-0x0000000002512000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1952-164-0x0000000002500000-0x0000000002512000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1952-166-0x0000000002500000-0x0000000002512000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1952-162-0x0000000002500000-0x0000000002512000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1952-176-0x0000000002500000-0x0000000002512000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1952-174-0x0000000002500000-0x0000000002512000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1952-172-0x0000000002500000-0x0000000002512000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1952-170-0x0000000002500000-0x0000000002512000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1952-168-0x0000000002500000-0x0000000002512000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1952-178-0x0000000004E20000-0x0000000004E30000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1952-177-0x0000000000710000-0x000000000073D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1952-180-0x0000000004E20000-0x0000000004E30000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1952-179-0x0000000004E20000-0x0000000004E30000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1952-181-0x0000000000400000-0x000000000070B000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1952-183-0x0000000004E20000-0x0000000004E30000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1952-184-0x0000000004E20000-0x0000000004E30000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1952-185-0x0000000004E20000-0x0000000004E30000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1952-186-0x0000000000400000-0x000000000070B000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/2632-191-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2632-192-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2632-194-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2632-196-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2632-198-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2632-200-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2632-202-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2632-204-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2632-206-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2632-208-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2632-210-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2632-212-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2632-214-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2632-216-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2632-218-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2632-220-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2632-222-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2632-224-0x0000000003AA0000-0x0000000003ADF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2632-227-0x0000000001B80000-0x0000000001BCB000-memory.dmp
        Filesize

        300KB

        Download
      • memory/2632-229-0x0000000006230000-0x0000000006240000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2632-233-0x0000000006230000-0x0000000006240000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2632-231-0x0000000006230000-0x0000000006240000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2632-1101-0x00000000067F0000-0x0000000006E08000-memory.dmp
        Filesize

        6.1MB

        Download
      • memory/2632-1102-0x0000000006E10000-0x0000000006F1A000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/2632-1103-0x0000000003CD0000-0x0000000003CE2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2632-1104-0x0000000006140000-0x000000000617C000-memory.dmp
        Filesize

        240KB

        Download
      • memory/2632-1105-0x0000000006230000-0x0000000006240000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2632-1107-0x0000000007120000-0x00000000071B2000-memory.dmp
        Filesize

        584KB

        Download
      • memory/2632-1108-0x00000000071C0000-0x0000000007226000-memory.dmp
        Filesize

        408KB

        Download
      • memory/2632-1109-0x0000000006230000-0x0000000006240000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2632-1110-0x0000000006230000-0x0000000006240000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2632-1111-0x0000000006230000-0x0000000006240000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2632-1112-0x00000000079E0000-0x0000000007A56000-memory.dmp
        Filesize

        472KB

        Download
      • memory/2632-1113-0x0000000007A80000-0x0000000007AD0000-memory.dmp
        Filesize

        320KB

        Download
      • memory/2632-1114-0x0000000007B10000-0x0000000007CD2000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/2632-1115-0x0000000006230000-0x0000000006240000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2632-1116-0x0000000007CE0000-0x000000000820C000-memory.dmp
        Filesize

        5.2MB

        Download
      • memory/3532-1122-0x0000000000FC0000-0x0000000000FF2000-memory.dmp
        Filesize

        200KB

        Download
      • memory/3532-1123-0x0000000005890000-0x00000000058A0000-memory.dmp
        Filesize

        64KB

        Download