Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    28-03-2023 06:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c6ffaa4b0f1a04783af172cfce6b2e8f33eff2c6047f72e92f6dabe0f468d12f.exe

  • Size

    683KB

  • MD5

    f9e6a1b791616892ecd75a400bb86038

  • SHA1

    05e13f89a7a46f4bbe4e6ebfd2d78ebe04474cec

  • SHA256

    c6ffaa4b0f1a04783af172cfce6b2e8f33eff2c6047f72e92f6dabe0f468d12f

  • SHA512

    2c48bab6e355a3cabfcce6e0461b1f144208a6837a46d28ecef6e19c0f95cd7d6804c99973956ca54ebaba4c198be5166beddeff809c9ad513b1db1ba961a6b2

  • SSDEEP

    12288:DMr6y90wUkLSX8YeeUbOynAcDdp0bNoBmdzlwVu47WA+glq:tyNUh7UbbnAchpZB0zlwVp/A

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c6ffaa4b0f1a04783af172cfce6b2e8f33eff2c6047f72e92f6dabe0f468d12f.exe
    "C:\Users\Admin\AppData\Local\Temp\c6ffaa4b0f1a04783af172cfce6b2e8f33eff2c6047f72e92f6dabe0f468d12f.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5044
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un855119.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un855119.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2120
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5062.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5062.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4248
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3750.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3750.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2856
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si691537.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si691537.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4176

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si691537.exe
    Filesize

    175KB

    MD5

    667d0cd239f24bfd6fac1beb0e92df4b

    SHA1

    e856eed05d86abc7f77a3697e1344a7269e7ca34

    SHA256

    6098bf46feecbe5b48cba241d23896fef734f030de08934c5876e75fb68487c0

    SHA512

    8883926ded416e9b59493465e371d85c265ceb814d43d7f4a77753660fe5e8185c42b4f31f2e09a6689e4245ca94b04a391f05b55ceace9ec8e0af23778347ef

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si691537.exe
    Filesize

    175KB

    MD5

    667d0cd239f24bfd6fac1beb0e92df4b

    SHA1

    e856eed05d86abc7f77a3697e1344a7269e7ca34

    SHA256

    6098bf46feecbe5b48cba241d23896fef734f030de08934c5876e75fb68487c0

    SHA512

    8883926ded416e9b59493465e371d85c265ceb814d43d7f4a77753660fe5e8185c42b4f31f2e09a6689e4245ca94b04a391f05b55ceace9ec8e0af23778347ef

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un855119.exe
    Filesize

    541KB

    MD5

    3f4c7258e19b38895df8bae549149417

    SHA1

    ac041e3135253313da54ebb632a75ac8b3f44605

    SHA256

    3e053ef923d212a73877ca6e03fec0150d69bd153133dca9d5ee1d1d3246565a

    SHA512

    43182f3d861664752bbe1b751755be606613469881cc1888077d6ec3c5bb15025149da289aef53d9d0bb386c665ee11eb6f143483e22973b1eea074f91ae6ca5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un855119.exe
    Filesize

    541KB

    MD5

    3f4c7258e19b38895df8bae549149417

    SHA1

    ac041e3135253313da54ebb632a75ac8b3f44605

    SHA256

    3e053ef923d212a73877ca6e03fec0150d69bd153133dca9d5ee1d1d3246565a

    SHA512

    43182f3d861664752bbe1b751755be606613469881cc1888077d6ec3c5bb15025149da289aef53d9d0bb386c665ee11eb6f143483e22973b1eea074f91ae6ca5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5062.exe
    Filesize

    322KB

    MD5

    286e97d97c937f28f0f7417dc90cd037

    SHA1

    43d17d5f8977b5473bd241aee511692b0a1bcc49

    SHA256

    3a2c7cdf372dae95e29477927de7b9a034fdad1dd23d61698b30068cff8256d6

    SHA512

    475c570e3b2497a978f2bf1bda53773d2b9674d7b21691ce6cb6d8d5b1fe70926f3f709f898801cb71cfdfba570fb07b4107054da2ef1f150b4b4253dcce388c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5062.exe
    Filesize

    322KB

    MD5

    286e97d97c937f28f0f7417dc90cd037

    SHA1

    43d17d5f8977b5473bd241aee511692b0a1bcc49

    SHA256

    3a2c7cdf372dae95e29477927de7b9a034fdad1dd23d61698b30068cff8256d6

    SHA512

    475c570e3b2497a978f2bf1bda53773d2b9674d7b21691ce6cb6d8d5b1fe70926f3f709f898801cb71cfdfba570fb07b4107054da2ef1f150b4b4253dcce388c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3750.exe
    Filesize

    379KB

    MD5

    33bebec9132ae2846f56a3df400e6b3e

    SHA1

    da1570269ba722e92fe6145cbcd813625358aed3

    SHA256

    6ae1a75fd54571e3c479ac7347cadf9e3e5dc5257b01fbbe827b8b0e1425b8bc

    SHA512

    fa1e4e3cac8a32e3f728faefb0ab42e2114f168e68789478225f5c343728b4315d6dfc3df1c1d58faff401016e814c224d5c55173c26f3d93b8e26812fd648a9

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3750.exe
    Filesize

    379KB

    MD5

    33bebec9132ae2846f56a3df400e6b3e

    SHA1

    da1570269ba722e92fe6145cbcd813625358aed3

    SHA256

    6ae1a75fd54571e3c479ac7347cadf9e3e5dc5257b01fbbe827b8b0e1425b8bc

    SHA512

    fa1e4e3cac8a32e3f728faefb0ab42e2114f168e68789478225f5c343728b4315d6dfc3df1c1d58faff401016e814c224d5c55173c26f3d93b8e26812fd648a9

    Download Submit
  • memory/2856-1092-0x00000000079A0000-0x00000000079B2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2856-1093-0x00000000079C0000-0x00000000079FE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2856-1106-0x0000000004960000-0x0000000004970000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2856-1105-0x0000000009570000-0x00000000095C0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/2856-1104-0x00000000094E0000-0x0000000009556000-memory.dmp
    Filesize

    472KB

    Download
  • memory/2856-1103-0x0000000008E80000-0x00000000093AC000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/2856-1102-0x0000000008C90000-0x0000000008E52000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2856-1101-0x0000000004960000-0x0000000004970000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2856-1100-0x0000000004960000-0x0000000004970000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2856-1099-0x0000000004960000-0x0000000004970000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2856-1098-0x0000000008970000-0x0000000008A02000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2856-1097-0x0000000007CA0000-0x0000000007D06000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2856-1095-0x0000000004960000-0x0000000004970000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2856-191-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2856-1094-0x0000000007B10000-0x0000000007B5B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/2856-1091-0x0000000007860000-0x000000000796A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/2856-1090-0x0000000007DF0000-0x00000000083F6000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/2856-215-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2856-217-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2856-213-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2856-211-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2856-209-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2856-207-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2856-178-0x0000000002E20000-0x0000000002E66000-memory.dmp
    Filesize

    280KB

    Download
  • memory/2856-193-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2856-180-0x0000000002C60000-0x0000000002CAB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/2856-181-0x0000000004960000-0x0000000004970000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2856-183-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2856-182-0x0000000004960000-0x0000000004970000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2856-185-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2856-187-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2856-184-0x0000000004960000-0x0000000004970000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2856-205-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2856-189-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2856-179-0x0000000004AA0000-0x0000000004AE4000-memory.dmp
    Filesize

    272KB

    Download
  • memory/2856-195-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2856-197-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2856-199-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2856-201-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2856-203-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4176-1112-0x0000000000310000-0x0000000000342000-memory.dmp
    Filesize

    200KB

    Download
  • memory/4176-1114-0x0000000004B50000-0x0000000004B60000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4176-1113-0x0000000004D50000-0x0000000004D9B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4248-173-0x0000000000400000-0x0000000002B7E000-memory.dmp
    Filesize

    39.5MB

    Download
  • memory/4248-151-0x0000000004AA0000-0x0000000004AB2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4248-170-0x0000000000400000-0x0000000002B7E000-memory.dmp
    Filesize

    39.5MB

    Download
  • memory/4248-169-0x0000000004AA0000-0x0000000004AB2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4248-167-0x0000000004AA0000-0x0000000004AB2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4248-165-0x0000000004AA0000-0x0000000004AB2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4248-137-0x0000000007260000-0x0000000007270000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4248-153-0x0000000004AA0000-0x0000000004AB2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4248-163-0x0000000004AA0000-0x0000000004AB2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4248-159-0x0000000004AA0000-0x0000000004AB2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4248-138-0x0000000007260000-0x0000000007270000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4248-161-0x0000000004AA0000-0x0000000004AB2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4248-140-0x0000000007270000-0x000000000776E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/4248-171-0x0000000007260000-0x0000000007270000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4248-149-0x0000000004AA0000-0x0000000004AB2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4248-147-0x0000000004AA0000-0x0000000004AB2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4248-143-0x0000000004AA0000-0x0000000004AB2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4248-145-0x0000000004AA0000-0x0000000004AB2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4248-142-0x0000000004AA0000-0x0000000004AB2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4248-141-0x0000000004AA0000-0x0000000004AB8000-memory.dmp
    Filesize

    96KB

    Download
  • memory/4248-136-0x00000000001D0000-0x00000000001FD000-memory.dmp
    Filesize

    180KB

    Download
  • memory/4248-135-0x0000000002F90000-0x0000000002FAA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/4248-155-0x0000000004AA0000-0x0000000004AB2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4248-139-0x0000000007260000-0x0000000007270000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4248-157-0x0000000004AA0000-0x0000000004AB2000-memory.dmp
    Filesize

    72KB

    Download