Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-03-2023 07:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a40a12683d2e2019ebae237f860f219de7d62ef444fedb03754b0683eb1e47fb.exe

  • Size

    683KB

  • MD5

    f1b1e51677bed410b910429d38f5ced9

  • SHA1

    f482d3ac2fa31eb8d21b07027839de8d013f17ab

  • SHA256

    a40a12683d2e2019ebae237f860f219de7d62ef444fedb03754b0683eb1e47fb

  • SHA512

    7b8675dd97ba514237a405c33cde29a04ab633dd6cede615df5537c0be3d7c9f3ac22a156afa7cb33d367a28ac382d13a1983e32a6c71066ddefc7f845279338

  • SSDEEP

    12288:gMrQy908sc/4TTzzvV9MgJktmX5wlStJUgDmNL3x7in4:Ay7smCzzd9MgUcwcBmNLS4

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 19 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a40a12683d2e2019ebae237f860f219de7d62ef444fedb03754b0683eb1e47fb.exe
    "C:\Users\Admin\AppData\Local\Temp\a40a12683d2e2019ebae237f860f219de7d62ef444fedb03754b0683eb1e47fb.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4924
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un706269.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un706269.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:824
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5186.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5186.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1128
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 1080
          4⤵
          • Program crash
          PID:2100
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0375.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0375.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3672
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 1328
          4⤵
          • Program crash
          PID:3476
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si478004.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si478004.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3524
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1128 -ip 1128
    1⤵
      PID:1804
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3672 -ip 3672
      1⤵
        PID:1300

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Modify Existing Service

      1
      T1031

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      3
      T1112

      Disabling Security Tools

      2
      T1089

      Credential Access

      Credentials in Files

      2
      T1081

      Discovery

      Query Registry

      1
      T1012

      Lateral Movement

      Collection

      Data from Local System

      2
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si478004.exe
        Filesize

        175KB

        MD5

        b85a6347e6aa74f2b95d6d84d7007e39

        SHA1

        7e9c6ef3258c12c8c91ffbf860fd2c858cc86427

        SHA256

        40082db7ab7a41296d261c9a1df50daf11dbda7ad26f9ea06c48d75de4ff397f

        SHA512

        28d4c45b7c6d36dc984d15a94f43bd5f7c01efc9a8c608243f8c0bc40568450e37230ad8c6060b2332ad40ff23d7c9639957b9416c5c1584d15bb99e60301666

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si478004.exe
        Filesize

        175KB

        MD5

        b85a6347e6aa74f2b95d6d84d7007e39

        SHA1

        7e9c6ef3258c12c8c91ffbf860fd2c858cc86427

        SHA256

        40082db7ab7a41296d261c9a1df50daf11dbda7ad26f9ea06c48d75de4ff397f

        SHA512

        28d4c45b7c6d36dc984d15a94f43bd5f7c01efc9a8c608243f8c0bc40568450e37230ad8c6060b2332ad40ff23d7c9639957b9416c5c1584d15bb99e60301666

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un706269.exe
        Filesize

        541KB

        MD5

        ca6e65fca51ce6197e4a894ca11b0863

        SHA1

        5d352330c1fe06d76636f11afc32c811ec26448d

        SHA256

        1cab2a58c995570892f7c428fc14944058fc0752f55a18946843f005a2f51371

        SHA512

        4ed820f7fc52f15a85c17b9149da4b3061ed09fb011f1951db2de4863d2f21b4c140165da08f80cf71cf8ded5fe5ede5d791eb3ba5c6ac64ceeca1388947ba5a

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un706269.exe
        Filesize

        541KB

        MD5

        ca6e65fca51ce6197e4a894ca11b0863

        SHA1

        5d352330c1fe06d76636f11afc32c811ec26448d

        SHA256

        1cab2a58c995570892f7c428fc14944058fc0752f55a18946843f005a2f51371

        SHA512

        4ed820f7fc52f15a85c17b9149da4b3061ed09fb011f1951db2de4863d2f21b4c140165da08f80cf71cf8ded5fe5ede5d791eb3ba5c6ac64ceeca1388947ba5a

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5186.exe
        Filesize

        321KB

        MD5

        87001064912e563f72c4d6ba13ee8514

        SHA1

        172371ab269376489a9e88e20c77ad4a3f112965

        SHA256

        551ba959833f2e7ea4979040d2d04819e2ca262ef6913c93028e7452a76a5e40

        SHA512

        b934da388578422e2b5d828870dc9afc46a4eccda0f7acf3a76064f4c3a9f5b3e26b511fcde0da3132e190ac811fb6d1c81866b8bdc178bc999b199404ae4208

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5186.exe
        Filesize

        321KB

        MD5

        87001064912e563f72c4d6ba13ee8514

        SHA1

        172371ab269376489a9e88e20c77ad4a3f112965

        SHA256

        551ba959833f2e7ea4979040d2d04819e2ca262ef6913c93028e7452a76a5e40

        SHA512

        b934da388578422e2b5d828870dc9afc46a4eccda0f7acf3a76064f4c3a9f5b3e26b511fcde0da3132e190ac811fb6d1c81866b8bdc178bc999b199404ae4208

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0375.exe
        Filesize

        380KB

        MD5

        2cd4026a90c789830c9a1677f2668f3d

        SHA1

        590b37f1fd834ae9f9df67bc0da6e1db672af5ca

        SHA256

        0239d7e6aa73005edad8dde61cfc815f23b4ea510f012a51a05ed3405ec4887c

        SHA512

        0b56935f252a4c0a14b8f6e8da8b1d51728e1cc3a5d2289b5b1fff71da4bc084dfa8af6bd763c09d5898bc26371fb9ccc23f63bfb4ecf80758b41f23eaa509d8

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0375.exe
        Filesize

        380KB

        MD5

        2cd4026a90c789830c9a1677f2668f3d

        SHA1

        590b37f1fd834ae9f9df67bc0da6e1db672af5ca

        SHA256

        0239d7e6aa73005edad8dde61cfc815f23b4ea510f012a51a05ed3405ec4887c

        SHA512

        0b56935f252a4c0a14b8f6e8da8b1d51728e1cc3a5d2289b5b1fff71da4bc084dfa8af6bd763c09d5898bc26371fb9ccc23f63bfb4ecf80758b41f23eaa509d8

        Download Submit
      • memory/1128-148-0x0000000002C50000-0x0000000002C7D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1128-149-0x00000000071D0000-0x0000000007774000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/1128-150-0x0000000004C90000-0x0000000004CA2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1128-151-0x0000000004C90000-0x0000000004CA2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1128-153-0x0000000004C90000-0x0000000004CA2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1128-155-0x0000000004C90000-0x0000000004CA2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1128-157-0x0000000004C90000-0x0000000004CA2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1128-159-0x0000000004C90000-0x0000000004CA2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1128-161-0x0000000004C90000-0x0000000004CA2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1128-163-0x0000000004C90000-0x0000000004CA2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1128-165-0x0000000004C90000-0x0000000004CA2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1128-167-0x0000000004C90000-0x0000000004CA2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1128-169-0x0000000004C90000-0x0000000004CA2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1128-171-0x0000000004C90000-0x0000000004CA2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1128-173-0x0000000004C90000-0x0000000004CA2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1128-175-0x0000000004C90000-0x0000000004CA2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1128-177-0x0000000004C90000-0x0000000004CA2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1128-178-0x00000000071C0000-0x00000000071D0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1128-179-0x00000000071C0000-0x00000000071D0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1128-180-0x00000000071C0000-0x00000000071D0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1128-181-0x0000000000400000-0x0000000002B7E000-memory.dmp
        Filesize

        39.5MB

        Download
      • memory/1128-183-0x00000000071C0000-0x00000000071D0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1128-184-0x00000000071C0000-0x00000000071D0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1128-185-0x00000000071C0000-0x00000000071D0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1128-186-0x0000000000400000-0x0000000002B7E000-memory.dmp
        Filesize

        39.5MB

        Download
      • memory/3524-1122-0x0000000000920000-0x0000000000952000-memory.dmp
        Filesize

        200KB

        Download
      • memory/3524-1123-0x0000000005580000-0x0000000005590000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3672-194-0x00000000076F0000-0x000000000772F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3672-226-0x00000000076F0000-0x000000000772F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3672-197-0x00000000070F0000-0x0000000007100000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3672-198-0x00000000076F0000-0x000000000772F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3672-196-0x0000000002C60000-0x0000000002CAB000-memory.dmp
        Filesize

        300KB

        Download
      • memory/3672-199-0x00000000070F0000-0x0000000007100000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3672-201-0x00000000070F0000-0x0000000007100000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3672-202-0x00000000076F0000-0x000000000772F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3672-204-0x00000000076F0000-0x000000000772F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3672-206-0x00000000076F0000-0x000000000772F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3672-208-0x00000000076F0000-0x000000000772F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3672-210-0x00000000076F0000-0x000000000772F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3672-212-0x00000000076F0000-0x000000000772F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3672-214-0x00000000076F0000-0x000000000772F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3672-216-0x00000000076F0000-0x000000000772F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3672-218-0x00000000076F0000-0x000000000772F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3672-220-0x00000000076F0000-0x000000000772F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3672-222-0x00000000076F0000-0x000000000772F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3672-224-0x00000000076F0000-0x000000000772F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3672-192-0x00000000076F0000-0x000000000772F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3672-228-0x00000000076F0000-0x000000000772F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3672-1101-0x00000000078D0000-0x0000000007EE8000-memory.dmp
        Filesize

        6.1MB

        Download
      • memory/3672-1102-0x0000000007F70000-0x000000000807A000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/3672-1103-0x00000000080B0000-0x00000000080C2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/3672-1104-0x00000000080D0000-0x000000000810C000-memory.dmp
        Filesize

        240KB

        Download
      • memory/3672-1105-0x00000000070F0000-0x0000000007100000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3672-1107-0x00000000083C0000-0x0000000008426000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3672-1108-0x0000000008A90000-0x0000000008B22000-memory.dmp
        Filesize

        584KB

        Download
      • memory/3672-1109-0x0000000008C60000-0x0000000008CD6000-memory.dmp
        Filesize

        472KB

        Download
      • memory/3672-1110-0x0000000008CF0000-0x0000000008D40000-memory.dmp
        Filesize

        320KB

        Download
      • memory/3672-1111-0x0000000008D70000-0x0000000008F32000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/3672-1112-0x0000000008F40000-0x000000000946C000-memory.dmp
        Filesize

        5.2MB

        Download
      • memory/3672-1113-0x00000000070F0000-0x0000000007100000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3672-191-0x00000000076F0000-0x000000000772F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3672-1114-0x00000000070F0000-0x0000000007100000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3672-1115-0x00000000070F0000-0x0000000007100000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3672-1116-0x00000000070F0000-0x0000000007100000-memory.dmp
        Filesize

        64KB

        Download