Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-03-2023 04:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f99ec2db853e6fe28df1373ff71ca520cfa43df324fb6e9c46f6af696ba01e46.exe

  • Size

    690KB

  • MD5

    2f697aa40cc233e35bb56d9e9c62a6ee

  • SHA1

    eacaf8c2c540cd96b5817bac936607c7a948c156

  • SHA256

    f99ec2db853e6fe28df1373ff71ca520cfa43df324fb6e9c46f6af696ba01e46

  • SHA512

    6e713d2b72e02b03ad79d4efd7441a3fcebf90c02c371505437f9c17109dec394655f317f7327d70db043cc41caf4b769b1b939dac21f5d8e06342b972b8d73d

  • SSDEEP

    12288:cMruy90DrcgvPLW55yj65hLuF9SfMiCVwxFUAIvMFwWfigO/HZ0shSr0jsw:yyZgvPLW5wufan9VwxFjIkwWagQZu04w

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f99ec2db853e6fe28df1373ff71ca520cfa43df324fb6e9c46f6af696ba01e46.exe
    "C:\Users\Admin\AppData\Local\Temp\f99ec2db853e6fe28df1373ff71ca520cfa43df324fb6e9c46f6af696ba01e46.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3832
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un356747.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un356747.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2112
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4173.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4173.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4908
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1080
          4⤵
          • Program crash
          PID:876
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2031.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2031.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1136
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 1348
          4⤵
          • Program crash
          PID:4768
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si861085.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si861085.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1968
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4908 -ip 4908
    1⤵
      PID:1556
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1136 -ip 1136
      1⤵
        PID:4664
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe start wuauserv
        1⤵
        • Launches sc.exe
        PID:736

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Modify Existing Service

      1
      T1031

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      3
      T1112

      Disabling Security Tools

      2
      T1089

      Credential Access

      Credentials in Files

      2
      T1081

      Discovery

      Query Registry

      1
      T1012

      Lateral Movement

      Collection

      Data from Local System

      2
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si861085.exe
        Filesize

        175KB

        MD5

        6e5c46343a532853efc9700a81828eac

        SHA1

        de4960054efd3de0e3cfd7007d5be517be600275

        SHA256

        db5985c3e6cf80f881a90a1670654290f8cf57c3570c5fc7709fbfd9db268440

        SHA512

        34dff02b07f423b09edb663ebcdc45eda89656ecd4252e8631840b1b44f18006aa49549d8f07bba61fa4de4992489f86e2bf4d57c44277131267a1ffb3f384ab

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si861085.exe
        Filesize

        175KB

        MD5

        6e5c46343a532853efc9700a81828eac

        SHA1

        de4960054efd3de0e3cfd7007d5be517be600275

        SHA256

        db5985c3e6cf80f881a90a1670654290f8cf57c3570c5fc7709fbfd9db268440

        SHA512

        34dff02b07f423b09edb663ebcdc45eda89656ecd4252e8631840b1b44f18006aa49549d8f07bba61fa4de4992489f86e2bf4d57c44277131267a1ffb3f384ab

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un356747.exe
        Filesize

        548KB

        MD5

        7f3720223bab75a7f7310a40db6a8a7b

        SHA1

        74389564e5b3877fbe0bf8c94903204843223630

        SHA256

        8288bea961f241273c0e3ed47a34676975939681b7e7c4b00387f91724d8dcc6

        SHA512

        b41bfeac30c10fada236a5120d862631a29930bfd57d9a54d27aad9f9f95a9c62f37b55627482f72e34c108465fcfc93e79eba100a256dd9b4156a53506d8726

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un356747.exe
        Filesize

        548KB

        MD5

        7f3720223bab75a7f7310a40db6a8a7b

        SHA1

        74389564e5b3877fbe0bf8c94903204843223630

        SHA256

        8288bea961f241273c0e3ed47a34676975939681b7e7c4b00387f91724d8dcc6

        SHA512

        b41bfeac30c10fada236a5120d862631a29930bfd57d9a54d27aad9f9f95a9c62f37b55627482f72e34c108465fcfc93e79eba100a256dd9b4156a53506d8726

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4173.exe
        Filesize

        291KB

        MD5

        f3aa9696d1652f8cbd6073b97247a7b5

        SHA1

        c6b2c2042a89697fbf2895eeab1f4f8ffe8e0a0c

        SHA256

        bced1c0d79790ea2bd4a3926950a583d14cbb320e8486e8731b248db7cde8768

        SHA512

        b70c5c1bf1b1ab50448a4dfa85eab674f5f23dbd34328c5be5fdbb1d9a461bf9c0918cd9f37a470ff1a3dcb5905c9a848657b950f2cfbc8217f3a0d54a7b08e9

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4173.exe
        Filesize

        291KB

        MD5

        f3aa9696d1652f8cbd6073b97247a7b5

        SHA1

        c6b2c2042a89697fbf2895eeab1f4f8ffe8e0a0c

        SHA256

        bced1c0d79790ea2bd4a3926950a583d14cbb320e8486e8731b248db7cde8768

        SHA512

        b70c5c1bf1b1ab50448a4dfa85eab674f5f23dbd34328c5be5fdbb1d9a461bf9c0918cd9f37a470ff1a3dcb5905c9a848657b950f2cfbc8217f3a0d54a7b08e9

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2031.exe
        Filesize

        345KB

        MD5

        7969ae763a2b2b395899d908677a998b

        SHA1

        c1ee24cd11e03efa3c0a8826d8546c2d93215c73

        SHA256

        9d4a113e64da16d6baa9c4072ee08286a1b890f8ab561707b38b31da3032ebf8

        SHA512

        cda0ba17594fdce37393d9246e80783a49ed472b53cc0d5eb2606d3fe94f087438ad0369e669d7c0566de98b1c87bb18b758afa5e30b2327c2bcd5fce8212510

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2031.exe
        Filesize

        345KB

        MD5

        7969ae763a2b2b395899d908677a998b

        SHA1

        c1ee24cd11e03efa3c0a8826d8546c2d93215c73

        SHA256

        9d4a113e64da16d6baa9c4072ee08286a1b890f8ab561707b38b31da3032ebf8

        SHA512

        cda0ba17594fdce37393d9246e80783a49ed472b53cc0d5eb2606d3fe94f087438ad0369e669d7c0566de98b1c87bb18b758afa5e30b2327c2bcd5fce8212510

        Download Submit
      • memory/1136-1102-0x0000000006E10000-0x0000000006F1A000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/1136-1101-0x00000000067F0000-0x0000000006E08000-memory.dmp
        Filesize

        6.1MB

        Download
      • memory/1136-216-0x0000000003A90000-0x0000000003ACF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1136-214-0x0000000003A90000-0x0000000003ACF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1136-200-0x0000000006230000-0x0000000006240000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1136-202-0x0000000003A90000-0x0000000003ACF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1136-1115-0x0000000008430000-0x0000000008480000-memory.dmp
        Filesize

        320KB

        Download
      • memory/1136-1114-0x00000000083A0000-0x0000000008416000-memory.dmp
        Filesize

        472KB

        Download
      • memory/1136-1113-0x0000000006230000-0x0000000006240000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1136-1112-0x0000000006230000-0x0000000006240000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1136-204-0x0000000003A90000-0x0000000003ACF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1136-1111-0x0000000006230000-0x0000000006240000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1136-1109-0x0000000007C00000-0x000000000812C000-memory.dmp
        Filesize

        5.2MB

        Download
      • memory/1136-1108-0x0000000007A30000-0x0000000007BF2000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/1136-1107-0x0000000007920000-0x00000000079B2000-memory.dmp
        Filesize

        584KB

        Download
      • memory/1136-1106-0x0000000007260000-0x00000000072C6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/1136-1105-0x0000000006230000-0x0000000006240000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1136-1104-0x0000000006F70000-0x0000000006FAC000-memory.dmp
        Filesize

        240KB

        Download
      • memory/1136-1103-0x0000000006F50000-0x0000000006F62000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1136-218-0x0000000003A90000-0x0000000003ACF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1136-228-0x0000000003A90000-0x0000000003ACF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1136-226-0x0000000003A90000-0x0000000003ACF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1136-224-0x0000000003A90000-0x0000000003ACF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1136-191-0x0000000003A90000-0x0000000003ACF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1136-192-0x0000000003A90000-0x0000000003ACF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1136-195-0x0000000003A90000-0x0000000003ACF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1136-197-0x0000000006230000-0x0000000006240000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1136-194-0x0000000001A30000-0x0000000001A7B000-memory.dmp
        Filesize

        300KB

        Download
      • memory/1136-198-0x0000000003A90000-0x0000000003ACF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1136-199-0x0000000006230000-0x0000000006240000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1136-222-0x0000000003A90000-0x0000000003ACF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1136-1116-0x0000000006230000-0x0000000006240000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1136-220-0x0000000003A90000-0x0000000003ACF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1136-206-0x0000000003A90000-0x0000000003ACF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1136-208-0x0000000003A90000-0x0000000003ACF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1136-210-0x0000000003A90000-0x0000000003ACF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1136-212-0x0000000003A90000-0x0000000003ACF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1968-1122-0x00000000003B0000-0x00000000003E2000-memory.dmp
        Filesize

        200KB

        Download
      • memory/1968-1123-0x0000000004FC0000-0x0000000004FD0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4908-181-0x0000000000400000-0x000000000070B000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/4908-170-0x0000000002400000-0x0000000002412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4908-148-0x0000000004EE0000-0x0000000005484000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/4908-149-0x0000000002400000-0x0000000002412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4908-154-0x0000000004ED0000-0x0000000004EE0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4908-186-0x0000000000400000-0x000000000070B000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/4908-184-0x0000000004ED0000-0x0000000004EE0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4908-150-0x00000000007E0000-0x000000000080D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/4908-183-0x0000000004ED0000-0x0000000004EE0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4908-182-0x0000000004ED0000-0x0000000004EE0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4908-155-0x0000000002400000-0x0000000002412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4908-180-0x0000000002400000-0x0000000002412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4908-178-0x0000000002400000-0x0000000002412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4908-176-0x0000000002400000-0x0000000002412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4908-174-0x0000000002400000-0x0000000002412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4908-172-0x0000000002400000-0x0000000002412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4908-168-0x0000000002400000-0x0000000002412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4908-166-0x0000000002400000-0x0000000002412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4908-164-0x0000000002400000-0x0000000002412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4908-162-0x0000000002400000-0x0000000002412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4908-160-0x0000000002400000-0x0000000002412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4908-151-0x0000000002400000-0x0000000002412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4908-158-0x0000000002400000-0x0000000002412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4908-152-0x0000000004ED0000-0x0000000004EE0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4908-156-0x0000000004ED0000-0x0000000004EE0000-memory.dmp
        Filesize

        64KB

        Download