Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    109s
  • max time network
    111s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-03-2023 05:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a157b759090ef11b0dc821ce234b348b6735d209fe33c6c38e4bc7b555580d65.exe

  • Size

    684KB

  • MD5

    57c853ca43fdd7b44c258b43cd4fba91

  • SHA1

    54b799c84d4c2a66cfda9d294d6c0700b4cad69d

  • SHA256

    a157b759090ef11b0dc821ce234b348b6735d209fe33c6c38e4bc7b555580d65

  • SHA512

    c1750af0eb53c76185e7077d24d3c53ae96b1405b43399eabde92528731c2be94a3f906e48bd9e8c007534234e7bd533288598a82362a38e7ef06745b6988fee

  • SSDEEP

    12288:0MrCy90njy8LzWyCxwRd7fKLgUxH9Q4iW5zaslAa:eySy2aRxwf7+F7znJz

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 19 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a157b759090ef11b0dc821ce234b348b6735d209fe33c6c38e4bc7b555580d65.exe
    "C:\Users\Admin\AppData\Local\Temp\a157b759090ef11b0dc821ce234b348b6735d209fe33c6c38e4bc7b555580d65.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3744
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un426011.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un426011.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4544
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5504.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5504.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4436
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 1080
          4⤵
          • Program crash
          PID:736
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0973.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0973.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:460
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 1636
          4⤵
          • Program crash
          PID:4192
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si491219.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si491219.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2692
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4436 -ip 4436
    1⤵
      PID:3060
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 460 -ip 460
      1⤵
        PID:4432

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Modify Existing Service

      1
      T1031

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      3
      T1112

      Disabling Security Tools

      2
      T1089

      Credential Access

      Credentials in Files

      2
      T1081

      Discovery

      Query Registry

      1
      T1012

      Lateral Movement

      Collection

      Data from Local System

      2
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si491219.exe
        Filesize

        175KB

        MD5

        8c72c86f2c2ab7a0ca3a4678d882c7db

        SHA1

        71e886ef7a3eb0c809f4f81f56bdbe534a7158be

        SHA256

        b2d9a0c3293af216ba25c7a2e3b8be82f0bdbba9f3f6aee2a31d158fa703a389

        SHA512

        3970ecd1aecc90f8373949856c56633b2df7ad91729a639a37a3982fbe3040f12c116bd37b2a98767277f661471da490c2d49ab291e528c23e0baa1c9f82f36f

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si491219.exe
        Filesize

        175KB

        MD5

        8c72c86f2c2ab7a0ca3a4678d882c7db

        SHA1

        71e886ef7a3eb0c809f4f81f56bdbe534a7158be

        SHA256

        b2d9a0c3293af216ba25c7a2e3b8be82f0bdbba9f3f6aee2a31d158fa703a389

        SHA512

        3970ecd1aecc90f8373949856c56633b2df7ad91729a639a37a3982fbe3040f12c116bd37b2a98767277f661471da490c2d49ab291e528c23e0baa1c9f82f36f

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un426011.exe
        Filesize

        542KB

        MD5

        93c7d513dc0c98cef5e9f32a99bd8013

        SHA1

        174e4b6f4156f6f1ca1fb29107c3471db7039793

        SHA256

        127500d1f3af24a75569f66ef51e5d819e5f7e928f558a99d20baadce4cadf7f

        SHA512

        ee533bb342cbf6d77a73d89fd95b9599f0deba104337d5dae0afde26c9437b4cca6034d07826f88d79f66e7a57eb918ff57e0252bac3e9219137abeb6f67e093

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un426011.exe
        Filesize

        542KB

        MD5

        93c7d513dc0c98cef5e9f32a99bd8013

        SHA1

        174e4b6f4156f6f1ca1fb29107c3471db7039793

        SHA256

        127500d1f3af24a75569f66ef51e5d819e5f7e928f558a99d20baadce4cadf7f

        SHA512

        ee533bb342cbf6d77a73d89fd95b9599f0deba104337d5dae0afde26c9437b4cca6034d07826f88d79f66e7a57eb918ff57e0252bac3e9219137abeb6f67e093

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5504.exe
        Filesize

        322KB

        MD5

        79b2aec328fd998b6af06c88d388bd9b

        SHA1

        fab4b02caa58dfcc898edf8647c657f997bb021e

        SHA256

        3a7424bc828d203c5f5abebe5977d5b712bb793a249515c2488357676e60920e

        SHA512

        c9341d6a223b6c245c154d6e346c8a80a9f17f404b583a26a9c159913fc1f7bb7b51150c46e2bbb0bba1505cdae22aa5dfdbde365fa7b8793783b2a3d223378a

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5504.exe
        Filesize

        322KB

        MD5

        79b2aec328fd998b6af06c88d388bd9b

        SHA1

        fab4b02caa58dfcc898edf8647c657f997bb021e

        SHA256

        3a7424bc828d203c5f5abebe5977d5b712bb793a249515c2488357676e60920e

        SHA512

        c9341d6a223b6c245c154d6e346c8a80a9f17f404b583a26a9c159913fc1f7bb7b51150c46e2bbb0bba1505cdae22aa5dfdbde365fa7b8793783b2a3d223378a

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0973.exe
        Filesize

        379KB

        MD5

        0dbe8595e2076d3ae50aa0e58c3430b9

        SHA1

        dbf4752a5ebc286e79e3a9b2086601ef90babc3b

        SHA256

        cab7ecc17f8a1bf52e769e9d32a41eced49d79784742678e98eae75425353813

        SHA512

        976752b335016b06799ab7aa3faf99da50afb270e97372de02debe206bea42906487830d9e454f407ea1cdd7fdab1fa76adfca1f5e85cbed1e3c77a46ca1707d

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0973.exe
        Filesize

        379KB

        MD5

        0dbe8595e2076d3ae50aa0e58c3430b9

        SHA1

        dbf4752a5ebc286e79e3a9b2086601ef90babc3b

        SHA256

        cab7ecc17f8a1bf52e769e9d32a41eced49d79784742678e98eae75425353813

        SHA512

        976752b335016b06799ab7aa3faf99da50afb270e97372de02debe206bea42906487830d9e454f407ea1cdd7fdab1fa76adfca1f5e85cbed1e3c77a46ca1707d

        Download Submit
      • memory/460-223-0x0000000007730000-0x000000000776F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/460-1102-0x0000000007F70000-0x0000000007F82000-memory.dmp
        Filesize

        72KB

        Download
      • memory/460-1115-0x0000000007030000-0x0000000007040000-memory.dmp
        Filesize

        64KB

        Download
      • memory/460-1114-0x0000000008F40000-0x000000000946C000-memory.dmp
        Filesize

        5.2MB

        Download
      • memory/460-1113-0x0000000008D70000-0x0000000008F32000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/460-1112-0x0000000008BB0000-0x0000000008C00000-memory.dmp
        Filesize

        320KB

        Download
      • memory/460-1111-0x0000000008B20000-0x0000000008B96000-memory.dmp
        Filesize

        472KB

        Download
      • memory/460-1110-0x0000000007030000-0x0000000007040000-memory.dmp
        Filesize

        64KB

        Download
      • memory/460-1109-0x0000000007030000-0x0000000007040000-memory.dmp
        Filesize

        64KB

        Download
      • memory/460-1108-0x0000000007030000-0x0000000007040000-memory.dmp
        Filesize

        64KB

        Download
      • memory/460-1107-0x0000000008930000-0x00000000089C2000-memory.dmp
        Filesize

        584KB

        Download
      • memory/460-1106-0x0000000008280000-0x00000000082E6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/460-1104-0x0000000007030000-0x0000000007040000-memory.dmp
        Filesize

        64KB

        Download
      • memory/460-1103-0x0000000007F90000-0x0000000007FCC000-memory.dmp
        Filesize

        240KB

        Download
      • memory/460-1101-0x0000000007E30000-0x0000000007F3A000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/460-1100-0x0000000007790000-0x0000000007DA8000-memory.dmp
        Filesize

        6.1MB

        Download
      • memory/460-225-0x0000000007730000-0x000000000776F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/460-227-0x0000000007730000-0x000000000776F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/460-221-0x0000000007730000-0x000000000776F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/460-219-0x0000000007730000-0x000000000776F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/460-217-0x0000000007730000-0x000000000776F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/460-212-0x0000000007030000-0x0000000007040000-memory.dmp
        Filesize

        64KB

        Download
      • memory/460-215-0x0000000007730000-0x000000000776F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/460-191-0x0000000007730000-0x000000000776F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/460-192-0x0000000007730000-0x000000000776F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/460-194-0x0000000007730000-0x000000000776F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/460-196-0x0000000007730000-0x000000000776F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/460-198-0x0000000007730000-0x000000000776F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/460-200-0x0000000007730000-0x000000000776F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/460-202-0x0000000007730000-0x000000000776F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/460-204-0x0000000007730000-0x000000000776F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/460-206-0x0000000007730000-0x000000000776F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/460-209-0x0000000007730000-0x000000000776F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/460-208-0x0000000002BB0000-0x0000000002BFB000-memory.dmp
        Filesize

        300KB

        Download
      • memory/460-210-0x0000000007030000-0x0000000007040000-memory.dmp
        Filesize

        64KB

        Download
      • memory/460-213-0x0000000007730000-0x000000000776F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2692-1121-0x0000000000B90000-0x0000000000BC2000-memory.dmp
        Filesize

        200KB

        Download
      • memory/2692-1122-0x00000000057C0000-0x00000000057D0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4436-174-0x00000000049D0000-0x00000000049E2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4436-181-0x0000000000400000-0x0000000002B7E000-memory.dmp
        Filesize

        39.5MB

        Download
      • memory/4436-170-0x00000000049D0000-0x00000000049E2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4436-183-0x0000000002E30000-0x0000000002E40000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4436-168-0x00000000049D0000-0x00000000049E2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4436-150-0x0000000002E30000-0x0000000002E40000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4436-180-0x00000000049D0000-0x00000000049E2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4436-166-0x00000000049D0000-0x00000000049E2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4436-153-0x00000000049D0000-0x00000000049E2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4436-176-0x00000000049D0000-0x00000000049E2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4436-151-0x0000000002E30000-0x0000000002E40000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4436-172-0x00000000049D0000-0x00000000049E2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4436-182-0x0000000002E30000-0x0000000002E40000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4436-185-0x0000000002E30000-0x0000000002E40000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4436-178-0x00000000049D0000-0x00000000049E2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4436-164-0x00000000049D0000-0x00000000049E2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4436-162-0x00000000049D0000-0x00000000049E2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4436-160-0x00000000049D0000-0x00000000049E2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4436-158-0x00000000049D0000-0x00000000049E2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4436-156-0x00000000049D0000-0x00000000049E2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4436-154-0x00000000049D0000-0x00000000049E2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4436-149-0x0000000002C50000-0x0000000002C7D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/4436-148-0x00000000071F0000-0x0000000007794000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/4436-186-0x0000000000400000-0x0000000002B7E000-memory.dmp
        Filesize

        39.5MB

        Download
      • memory/4436-152-0x0000000002E30000-0x0000000002E40000-memory.dmp
        Filesize

        64KB

        Download