Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-03-2023 05:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3a9b524746f8836b66ae64183f154610b6ab0093e3ca25b7686d9137bed31e71.exe

  • Size

    712KB

  • MD5

    d2407946817d48fde12d4a37cd68fd39

  • SHA1

    48fdced508c678b0737a8c0f039185ea78aa7802

  • SHA256

    3a9b524746f8836b66ae64183f154610b6ab0093e3ca25b7686d9137bed31e71

  • SHA512

    67ee4103f3482c1e48e42af009d8fb0c91f5f091f69edb158634d04ea6a3f8e9b3c7586bb7543d9eec568293d1f97c699ae1360ee643f80ceec8ecf67deaeed9

  • SSDEEP

    12288:cMr/y909rVrS79JiNnG6q1oBTdDpRzr07NCzRO5pgIUVdmJMv7/PtfigMZ/N2rM6:jykrc77ixTq1I1TbmJMDPtagcorMH8H

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 19 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a9b524746f8836b66ae64183f154610b6ab0093e3ca25b7686d9137bed31e71.exe
    "C:\Users\Admin\AppData\Local\Temp\3a9b524746f8836b66ae64183f154610b6ab0093e3ca25b7686d9137bed31e71.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un094566.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un094566.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4480
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6834.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6834.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2024
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 1080
          4⤵
          • Program crash
          PID:4236
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7920.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7920.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2332
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 1352
          4⤵
          • Program crash
          PID:1304
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si661013.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si661013.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3708
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2024 -ip 2024
    1⤵
      PID:4444
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2332 -ip 2332
      1⤵
        PID:2488
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe start wuauserv
        1⤵
        • Launches sc.exe
        PID:2152

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si661013.exe
        Filesize

        175KB

        MD5

        afdfde1f75fbe2dcc12c579b844461f4

        SHA1

        4b96a66372a83b4b656ec3f8abe99ee2a17bc4cd

        SHA256

        cccec693d8661681acb074521fd2982f137651a82e8444fc2949657dee98148c

        SHA512

        db91d0eeb029a201057a14ec3d88bc1f8829a44fd6f0cf4f10999824ce2aea9ccfa577b0aa8c1254585cc40b5e35eca62e6400cb9f8d71f6a056dfeef74b70fc

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si661013.exe
        Filesize

        175KB

        MD5

        afdfde1f75fbe2dcc12c579b844461f4

        SHA1

        4b96a66372a83b4b656ec3f8abe99ee2a17bc4cd

        SHA256

        cccec693d8661681acb074521fd2982f137651a82e8444fc2949657dee98148c

        SHA512

        db91d0eeb029a201057a14ec3d88bc1f8829a44fd6f0cf4f10999824ce2aea9ccfa577b0aa8c1254585cc40b5e35eca62e6400cb9f8d71f6a056dfeef74b70fc

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un094566.exe
        Filesize

        570KB

        MD5

        9a99a2c5c5e5cb32052c72289417c5be

        SHA1

        31f8cf427f6917ba38aa8e6290607743bae70d39

        SHA256

        354771d5353c29146a09630644ee40de362705fe345bfa0fa19fe184fcac8dd7

        SHA512

        a673604b6b52a8d73b78768bde7be95093e2eda263f04e9d59891e1b0e2e797bf151e1b45c3a8d8772bc4394f5cd65a21258a8f20fa89acf5cbc0798efb0b208

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un094566.exe
        Filesize

        570KB

        MD5

        9a99a2c5c5e5cb32052c72289417c5be

        SHA1

        31f8cf427f6917ba38aa8e6290607743bae70d39

        SHA256

        354771d5353c29146a09630644ee40de362705fe345bfa0fa19fe184fcac8dd7

        SHA512

        a673604b6b52a8d73b78768bde7be95093e2eda263f04e9d59891e1b0e2e797bf151e1b45c3a8d8772bc4394f5cd65a21258a8f20fa89acf5cbc0798efb0b208

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6834.exe
        Filesize

        322KB

        MD5

        d370697907586196e7b10d79e2946d1e

        SHA1

        28af16483e9dd5081f12cbf36d71098ca1ec3406

        SHA256

        ae18e9b45d4030540f5bb3cfb5e7bb79042706fcbebb4c31ffe44226407b5899

        SHA512

        4b396e11962dd0e0f22ff56a1c43a9348d2373a7767cb4fd99d7ca68c870f86935c215d476058ba911b46d99f42377773069069443b0e921bf8668d813ac9bee

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6834.exe
        Filesize

        322KB

        MD5

        d370697907586196e7b10d79e2946d1e

        SHA1

        28af16483e9dd5081f12cbf36d71098ca1ec3406

        SHA256

        ae18e9b45d4030540f5bb3cfb5e7bb79042706fcbebb4c31ffe44226407b5899

        SHA512

        4b396e11962dd0e0f22ff56a1c43a9348d2373a7767cb4fd99d7ca68c870f86935c215d476058ba911b46d99f42377773069069443b0e921bf8668d813ac9bee

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7920.exe
        Filesize

        345KB

        MD5

        db38f108cd011c662a224ea03b01506d

        SHA1

        013b599a5140e66bf78871f017cb81fefc1710ab

        SHA256

        56c68c5acd27c36f2056ec1e0179041521fa7961f3799fb519ab3e4fd5f4a714

        SHA512

        0898685046f786289311c9da2cd433840f431fa1eb492bcd8c94741547e53f9f6f891a6d59e09a566a8b1c141b7caaf0860416d619eab3f8e0b5232f7c29b0f1

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7920.exe
        Filesize

        345KB

        MD5

        db38f108cd011c662a224ea03b01506d

        SHA1

        013b599a5140e66bf78871f017cb81fefc1710ab

        SHA256

        56c68c5acd27c36f2056ec1e0179041521fa7961f3799fb519ab3e4fd5f4a714

        SHA512

        0898685046f786289311c9da2cd433840f431fa1eb492bcd8c94741547e53f9f6f891a6d59e09a566a8b1c141b7caaf0860416d619eab3f8e0b5232f7c29b0f1

        Download Submit

      • memory/2024-148-0x00000000074E0000-0x0000000007A84000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2024-149-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2024-150-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2024-153-0x0000000002C70000-0x0000000002C9D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/2024-152-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2024-155-0x00000000074D0000-0x00000000074E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2024-158-0x00000000074D0000-0x00000000074E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2024-157-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2024-156-0x00000000074D0000-0x00000000074E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2024-160-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2024-162-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2024-164-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2024-166-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2024-168-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2024-170-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2024-172-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2024-174-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2024-176-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2024-178-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2024-180-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2024-181-0x0000000000400000-0x0000000002B7E000-memory.dmp

        Filesize

        39.5MB

        Download

      • memory/2024-182-0x00000000074D0000-0x00000000074E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2024-184-0x00000000074D0000-0x00000000074E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2024-185-0x00000000074D0000-0x00000000074E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2024-186-0x0000000000400000-0x0000000002B7E000-memory.dmp

        Filesize

        39.5MB

        Download

      • memory/2332-195-0x0000000003A80000-0x0000000003ABF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2332-439-0x0000000006260000-0x0000000006270000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2332-193-0x0000000003A80000-0x0000000003ABF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2332-191-0x0000000003450000-0x000000000349B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/2332-197-0x0000000003A80000-0x0000000003ABF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2332-199-0x0000000003A80000-0x0000000003ABF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2332-201-0x0000000003A80000-0x0000000003ABF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2332-203-0x0000000003A80000-0x0000000003ABF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2332-205-0x0000000003A80000-0x0000000003ABF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2332-207-0x0000000003A80000-0x0000000003ABF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2332-209-0x0000000003A80000-0x0000000003ABF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2332-211-0x0000000003A80000-0x0000000003ABF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2332-213-0x0000000003A80000-0x0000000003ABF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2332-215-0x0000000003A80000-0x0000000003ABF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2332-217-0x0000000003A80000-0x0000000003ABF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2332-219-0x0000000003A80000-0x0000000003ABF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2332-221-0x0000000003A80000-0x0000000003ABF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2332-223-0x0000000003A80000-0x0000000003ABF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2332-225-0x0000000003A80000-0x0000000003ABF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2332-192-0x0000000003A80000-0x0000000003ABF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2332-440-0x0000000006260000-0x0000000006270000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2332-443-0x0000000006260000-0x0000000006270000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2332-1101-0x0000000006820000-0x0000000006E38000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/2332-1102-0x0000000006E40000-0x0000000006F4A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2332-1103-0x0000000006F50000-0x0000000006F62000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2332-1104-0x0000000006F70000-0x0000000006FAC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/2332-1105-0x0000000006260000-0x0000000006270000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2332-1107-0x0000000007260000-0x00000000072F2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2332-1108-0x0000000007300000-0x0000000007366000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2332-1109-0x0000000007B20000-0x0000000007CE2000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2332-1110-0x0000000007D00000-0x000000000822C000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/2332-1111-0x0000000006260000-0x0000000006270000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2332-1112-0x0000000006260000-0x0000000006270000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2332-1113-0x0000000006260000-0x0000000006270000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2332-1114-0x0000000008360000-0x00000000083D6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/2332-1115-0x00000000083F0000-0x0000000008440000-memory.dmp

        Filesize

        320KB

        Download

      • memory/2332-1116-0x0000000006260000-0x0000000006270000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3708-1122-0x0000000000100000-0x0000000000132000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3708-1123-0x0000000004D20000-0x0000000004D30000-memory.dmp

        Filesize

        64KB

        Download