Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    62s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-03-2023 10:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    56c7e43bb5f27b5979b267a4cf2daa03ef361894646fcfac97c5516eb2f89eb9.exe

  • Size

    699KB

  • MD5

    de167ed7859a2f9e5a745868adcd5cb8

  • SHA1

    d950e5047f789306dad9f7bdebad29b11094dc7f

  • SHA256

    56c7e43bb5f27b5979b267a4cf2daa03ef361894646fcfac97c5516eb2f89eb9

  • SHA512

    1a208ae899b78d85238a20f9e79bb7403af9a658d2a9814b211afc6d6820a3443b288a14c34b8b41bf9123abb7867063b4a53e6d77854eab4fa3b7d525283223

  • SSDEEP

    12288:TMrHy90uP0iGibmCxLlfY1uO4HflKMnVWrT3m6UvGjuyxv9gXpLiG8:EyFiy7vvOiNvVhRGjBv9OS

Score
10/10
redlinemuserosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

muse

C2

176.113.115.145:4125

Attributes
  • auth_value

    b91988a63a24940038d9262827a5320c

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 19 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\56c7e43bb5f27b5979b267a4cf2daa03ef361894646fcfac97c5516eb2f89eb9.exe
    "C:\Users\Admin\AppData\Local\Temp\56c7e43bb5f27b5979b267a4cf2daa03ef361894646fcfac97c5516eb2f89eb9.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un946620.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un946620.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4560
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4118.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4118.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3904
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 1012
          4⤵
          • Program crash
          PID:4508
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4591.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4591.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:936
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 1112
          4⤵
          • Program crash
          PID:4652
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si194672.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si194672.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1604
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3904 -ip 3904
    1⤵
      PID:5052
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 936 -ip 936
      1⤵
        PID:3404

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si194672.exe
        Filesize

        175KB

        MD5

        ff14d4d71bd7bbe365fe6a8f39c0522f

        SHA1

        f42a49b87d5a48e5913b6bb831657c9dea079395

        SHA256

        2f02eef299d6f5947336198ce7a0558302a38e2e0e3d10221455609c0249dbd7

        SHA512

        09ed5ae0f22722a427fc6e08272676e31c2b2ca7eaf18b005fe71f9076a4d5afde6da368425bcfe89a8e39453577878f06e33740a5633aea268fa0fa9d867cde

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si194672.exe
        Filesize

        175KB

        MD5

        ff14d4d71bd7bbe365fe6a8f39c0522f

        SHA1

        f42a49b87d5a48e5913b6bb831657c9dea079395

        SHA256

        2f02eef299d6f5947336198ce7a0558302a38e2e0e3d10221455609c0249dbd7

        SHA512

        09ed5ae0f22722a427fc6e08272676e31c2b2ca7eaf18b005fe71f9076a4d5afde6da368425bcfe89a8e39453577878f06e33740a5633aea268fa0fa9d867cde

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un946620.exe
        Filesize

        557KB

        MD5

        a795fde3cc2d42421ba4a36429ed2929

        SHA1

        5bfd94e10610a9d0e842b71f65381f073030d521

        SHA256

        5fb617d18c83251898a9616da2f92932d261bd3a0692bf14114290169664baec

        SHA512

        969ec8d6fca5617826dd6fe5af960d22b40e5040687b4d4d848fc58331a1ec1b52a29a1d3b4dc764fbee373c0b23392611e5381072b79227b67670f4f1808948

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un946620.exe
        Filesize

        557KB

        MD5

        a795fde3cc2d42421ba4a36429ed2929

        SHA1

        5bfd94e10610a9d0e842b71f65381f073030d521

        SHA256

        5fb617d18c83251898a9616da2f92932d261bd3a0692bf14114290169664baec

        SHA512

        969ec8d6fca5617826dd6fe5af960d22b40e5040687b4d4d848fc58331a1ec1b52a29a1d3b4dc764fbee373c0b23392611e5381072b79227b67670f4f1808948

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4118.exe
        Filesize

        322KB

        MD5

        43796749d54ddfcc3fe6e9026b1a947e

        SHA1

        fe4042353085a05968f5ed82d17c68f61e655bca

        SHA256

        0c1dcebfe612214276921577273d629745aff3f163a8a829c11e611bd170b677

        SHA512

        228e4663797a4bfbc083e728a7420e7df42a867d49d5212b40a20e63b075391141fddac28189f94941a155cb796ad84eff1814c6108da4a17e4f7cdb95b3daf8

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4118.exe
        Filesize

        322KB

        MD5

        43796749d54ddfcc3fe6e9026b1a947e

        SHA1

        fe4042353085a05968f5ed82d17c68f61e655bca

        SHA256

        0c1dcebfe612214276921577273d629745aff3f163a8a829c11e611bd170b677

        SHA512

        228e4663797a4bfbc083e728a7420e7df42a867d49d5212b40a20e63b075391141fddac28189f94941a155cb796ad84eff1814c6108da4a17e4f7cdb95b3daf8

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4591.exe
        Filesize

        406KB

        MD5

        2705926067ba698a4bf441dd24454310

        SHA1

        fa963c67c40ff5c7ed79ca17a1ac59050fba030a

        SHA256

        60110320dea96c20d93f33609cb7666fc8cfdf2fa263d87f05eaf9da09922bfa

        SHA512

        875d14b41465e48135584f5ec08ab7a52b9da53dfdd77c65c194097158d2da45320ba06db2a9f1ebeb4c55f02664429b4e38e17071daa3f468bb6798034d831b

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4591.exe
        Filesize

        406KB

        MD5

        2705926067ba698a4bf441dd24454310

        SHA1

        fa963c67c40ff5c7ed79ca17a1ac59050fba030a

        SHA256

        60110320dea96c20d93f33609cb7666fc8cfdf2fa263d87f05eaf9da09922bfa

        SHA512

        875d14b41465e48135584f5ec08ab7a52b9da53dfdd77c65c194097158d2da45320ba06db2a9f1ebeb4c55f02664429b4e38e17071daa3f468bb6798034d831b

        Download Submit
      • memory/936-1102-0x0000000007F80000-0x000000000808A000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/936-1101-0x00000000078F0000-0x0000000007F08000-memory.dmp
        Filesize

        6.1MB

        Download
      • memory/936-218-0x0000000007230000-0x0000000007240000-memory.dmp
        Filesize

        64KB

        Download
      • memory/936-219-0x00000000071A0000-0x00000000071DF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/936-204-0x00000000071A0000-0x00000000071DF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/936-206-0x00000000071A0000-0x00000000071DF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/936-1115-0x0000000009760000-0x00000000097D6000-memory.dmp
        Filesize

        472KB

        Download
      • memory/936-1114-0x0000000007230000-0x0000000007240000-memory.dmp
        Filesize

        64KB

        Download
      • memory/936-1113-0x0000000008EB0000-0x00000000093DC000-memory.dmp
        Filesize

        5.2MB

        Download
      • memory/936-1112-0x0000000008CD0000-0x0000000008E92000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/936-208-0x00000000071A0000-0x00000000071DF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/936-1111-0x0000000008A90000-0x0000000008B22000-memory.dmp
        Filesize

        584KB

        Download
      • memory/936-1110-0x0000000007230000-0x0000000007240000-memory.dmp
        Filesize

        64KB

        Download
      • memory/936-1109-0x0000000007230000-0x0000000007240000-memory.dmp
        Filesize

        64KB

        Download
      • memory/936-1108-0x0000000007230000-0x0000000007240000-memory.dmp
        Filesize

        64KB

        Download
      • memory/936-1107-0x00000000083D0000-0x0000000008436000-memory.dmp
        Filesize

        408KB

        Download
      • memory/936-1105-0x0000000007230000-0x0000000007240000-memory.dmp
        Filesize

        64KB

        Download
      • memory/936-1104-0x00000000080E0000-0x000000000811C000-memory.dmp
        Filesize

        240KB

        Download
      • memory/936-1103-0x00000000080C0000-0x00000000080D2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/936-215-0x0000000007230000-0x0000000007240000-memory.dmp
        Filesize

        64KB

        Download
      • memory/936-228-0x00000000071A0000-0x00000000071DF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/936-226-0x00000000071A0000-0x00000000071DF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/936-224-0x00000000071A0000-0x00000000071DF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/936-191-0x00000000071A0000-0x00000000071DF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/936-192-0x00000000071A0000-0x00000000071DF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/936-194-0x00000000071A0000-0x00000000071DF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/936-196-0x00000000071A0000-0x00000000071DF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/936-198-0x00000000071A0000-0x00000000071DF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/936-200-0x00000000071A0000-0x00000000071DF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/936-202-0x00000000071A0000-0x00000000071DF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/936-220-0x0000000007230000-0x0000000007240000-memory.dmp
        Filesize

        64KB

        Download
      • memory/936-1116-0x00000000097F0000-0x0000000009840000-memory.dmp
        Filesize

        320KB

        Download
      • memory/936-222-0x00000000071A0000-0x00000000071DF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/936-210-0x00000000071A0000-0x00000000071DF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/936-212-0x00000000071A0000-0x00000000071DF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/936-213-0x0000000002BA0000-0x0000000002BEB000-memory.dmp
        Filesize

        300KB

        Download
      • memory/936-216-0x00000000071A0000-0x00000000071DF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1604-1122-0x00000000005F0000-0x0000000000622000-memory.dmp
        Filesize

        200KB

        Download
      • memory/1604-1123-0x00000000051F0000-0x0000000005200000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3904-181-0x0000000000400000-0x0000000002B7E000-memory.dmp
        Filesize

        39.5MB

        Download
      • memory/3904-172-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/3904-148-0x0000000002C50000-0x0000000002C7D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/3904-152-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/3904-151-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/3904-186-0x0000000000400000-0x0000000002B7E000-memory.dmp
        Filesize

        39.5MB

        Download
      • memory/3904-184-0x00000000074D0000-0x00000000074E0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3904-150-0x00000000074E0000-0x0000000007A84000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/3904-185-0x00000000074D0000-0x00000000074E0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3904-182-0x00000000074D0000-0x00000000074E0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3904-154-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/3904-180-0x00000000074D0000-0x00000000074E0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3904-179-0x00000000074D0000-0x00000000074E0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3904-178-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/3904-176-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/3904-174-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/3904-170-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/3904-168-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/3904-166-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/3904-164-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/3904-162-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/3904-149-0x00000000074D0000-0x00000000074E0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3904-160-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/3904-158-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/3904-156-0x0000000004AD0000-0x0000000004AE2000-memory.dmp
        Filesize

        72KB

        Download