Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    59s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-03-2023 21:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5998124021b02bfa3ba67005831a3604e467a96af1bd1a574efc50bd071edead.exe

  • Size

    671KB

  • MD5

    dfbac784a928bd8146076b1291096686

  • SHA1

    37fdaac51603ca852db72cd370046e45552c2b2c

  • SHA256

    5998124021b02bfa3ba67005831a3604e467a96af1bd1a574efc50bd071edead

  • SHA512

    d17cd0cfbf9ffacaea9296d1d13a946a8cbe1b796814b686d1ed77615219a18d66e462bf22cfab7ded1f9463c4b107022a8ec67140015638f6c39c0c098e970b

  • SSDEEP

    12288:SMriy90OPffflfNk0ViT0fgx9i1M2/rGn3LqIMbeVd6q:syLfhm0ViT0f/z/an3GIUeVdN

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5998124021b02bfa3ba67005831a3604e467a96af1bd1a574efc50bd071edead.exe
    "C:\Users\Admin\AppData\Local\Temp\5998124021b02bfa3ba67005831a3604e467a96af1bd1a574efc50bd071edead.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3340
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un097005.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un097005.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:532
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6793.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6793.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3276
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 1084
          4⤵
          • Program crash
          PID:2100
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9279.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9279.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5092
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1580
          4⤵
          • Program crash
          PID:1944
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si379764.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si379764.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1864
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3276 -ip 3276
    1⤵
      PID:1668
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5092 -ip 5092
      1⤵
        PID:4404

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si379764.exe
        Filesize

        175KB

        MD5

        959ac543f3cfccc3c1af5bd59b2e85e1

        SHA1

        d57875ebaa8e54d6dcdb61c2e2bae51a4ff4198d

        SHA256

        bd8c23e92f370416532c186ab7ee3923d9902201f0ecbe158d6b900df1e0f919

        SHA512

        26ea76b112af4eac31d74f72c943dc3e19e7d7f72fa92f00b704f7e1c941c0ace77be00c63d5681ce45db7c52ae565c913cbdc569b78293c954db94dc69cfb84

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si379764.exe
        Filesize

        175KB

        MD5

        959ac543f3cfccc3c1af5bd59b2e85e1

        SHA1

        d57875ebaa8e54d6dcdb61c2e2bae51a4ff4198d

        SHA256

        bd8c23e92f370416532c186ab7ee3923d9902201f0ecbe158d6b900df1e0f919

        SHA512

        26ea76b112af4eac31d74f72c943dc3e19e7d7f72fa92f00b704f7e1c941c0ace77be00c63d5681ce45db7c52ae565c913cbdc569b78293c954db94dc69cfb84

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un097005.exe
        Filesize

        529KB

        MD5

        98f129d9ddb88c06927eb38302a0d97c

        SHA1

        4354d020ca5378d788f7ab50e5a2a95e224c2bc1

        SHA256

        3ae0a2ac9bf92d4fa6eaf82a06433d33fde647a8f32ef929da9815cb8d3782d5

        SHA512

        42dedd950e913803592503bb194b4699095a14485024519c4ebc22e8baefdf5803b7ed50739165e9c77bf64659da172558f77cfd9a1abfda0a67aac51d8a8a0c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un097005.exe
        Filesize

        529KB

        MD5

        98f129d9ddb88c06927eb38302a0d97c

        SHA1

        4354d020ca5378d788f7ab50e5a2a95e224c2bc1

        SHA256

        3ae0a2ac9bf92d4fa6eaf82a06433d33fde647a8f32ef929da9815cb8d3782d5

        SHA512

        42dedd950e913803592503bb194b4699095a14485024519c4ebc22e8baefdf5803b7ed50739165e9c77bf64659da172558f77cfd9a1abfda0a67aac51d8a8a0c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6793.exe
        Filesize

        301KB

        MD5

        93d33996027526dd045ce7f66abd621f

        SHA1

        6af4dbbf8296a552f09f8c96a5ffd426e4db4923

        SHA256

        75d5f421e046451678c0083eeb512a49390c5891b524cb1705eecb3b09d0e3cf

        SHA512

        c8e63bb9217161c5e497e6b1ec2c5f86ca311c14ff2e43c2d9269d57e3e3a09d70b938dd3b4eb0bd9217624e13b12f7865bfa3f74cbd3fd9dc186fe6e4acef0f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6793.exe
        Filesize

        301KB

        MD5

        93d33996027526dd045ce7f66abd621f

        SHA1

        6af4dbbf8296a552f09f8c96a5ffd426e4db4923

        SHA256

        75d5f421e046451678c0083eeb512a49390c5891b524cb1705eecb3b09d0e3cf

        SHA512

        c8e63bb9217161c5e497e6b1ec2c5f86ca311c14ff2e43c2d9269d57e3e3a09d70b938dd3b4eb0bd9217624e13b12f7865bfa3f74cbd3fd9dc186fe6e4acef0f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9279.exe
        Filesize

        359KB

        MD5

        80b62e2dd662d70439253b420bc10c23

        SHA1

        2817c08d9ae20ca9a396d176d1e42cdffafaadf9

        SHA256

        e92a5210608f0f5ac5e3ecbff7eb3cb54cc5073e896b1c617e4d4c9f2d71dc3d

        SHA512

        66ed7646d5bf283eb983b8fe0cf8601947c25ceabea7a5b67ed03f0cb7067cd4d53abd2c0849eb9b8ad5f1c2a6e74e0ab4fd87a19a17bccbd0e296e569c60eb3

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9279.exe
        Filesize

        359KB

        MD5

        80b62e2dd662d70439253b420bc10c23

        SHA1

        2817c08d9ae20ca9a396d176d1e42cdffafaadf9

        SHA256

        e92a5210608f0f5ac5e3ecbff7eb3cb54cc5073e896b1c617e4d4c9f2d71dc3d

        SHA512

        66ed7646d5bf283eb983b8fe0cf8601947c25ceabea7a5b67ed03f0cb7067cd4d53abd2c0849eb9b8ad5f1c2a6e74e0ab4fd87a19a17bccbd0e296e569c60eb3

        Download Submit

      • memory/1864-1122-0x0000000000040000-0x0000000000072000-memory.dmp

        Filesize

        200KB

        Download

      • memory/1864-1123-0x0000000004C30000-0x0000000004C40000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3276-162-0x0000000006050000-0x0000000006062000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3276-170-0x0000000006050000-0x0000000006062000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3276-154-0x0000000006050000-0x0000000006062000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3276-152-0x0000000006050000-0x0000000006062000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3276-156-0x0000000006050000-0x0000000006062000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3276-160-0x0000000006050000-0x0000000006062000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3276-149-0x0000000006050000-0x0000000006062000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3276-158-0x0000000006050000-0x0000000006062000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3276-166-0x0000000006050000-0x0000000006062000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3276-167-0x0000000006160000-0x0000000006170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3276-165-0x0000000006160000-0x0000000006170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3276-163-0x0000000003710000-0x000000000373D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/3276-169-0x0000000006160000-0x0000000006170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3276-150-0x0000000006050000-0x0000000006062000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3276-172-0x0000000006050000-0x0000000006062000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3276-174-0x0000000006050000-0x0000000006062000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3276-176-0x0000000006050000-0x0000000006062000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3276-178-0x0000000006050000-0x0000000006062000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3276-180-0x0000000006050000-0x0000000006062000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3276-181-0x0000000000400000-0x0000000001AE3000-memory.dmp

        Filesize

        22.9MB

        Download

      • memory/3276-183-0x0000000006160000-0x0000000006170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3276-184-0x0000000006160000-0x0000000006170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3276-185-0x0000000006160000-0x0000000006170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3276-186-0x0000000000400000-0x0000000001AE3000-memory.dmp

        Filesize

        22.9MB

        Download

      • memory/3276-148-0x0000000006170000-0x0000000006714000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/5092-194-0x00000000060A0000-0x00000000060DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5092-226-0x00000000060A0000-0x00000000060DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5092-196-0x00000000060A0000-0x00000000060DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5092-198-0x00000000060A0000-0x00000000060DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5092-200-0x00000000060A0000-0x00000000060DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5092-202-0x00000000060A0000-0x00000000060DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5092-204-0x00000000060A0000-0x00000000060DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5092-206-0x00000000060A0000-0x00000000060DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5092-209-0x0000000001C80000-0x0000000001CCB000-memory.dmp

        Filesize

        300KB

        Download

      • memory/5092-208-0x00000000060A0000-0x00000000060DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5092-210-0x00000000061F0000-0x0000000006200000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5092-212-0x00000000061F0000-0x0000000006200000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5092-213-0x00000000060A0000-0x00000000060DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5092-214-0x00000000061F0000-0x0000000006200000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5092-218-0x00000000060A0000-0x00000000060DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5092-216-0x00000000060A0000-0x00000000060DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5092-220-0x00000000060A0000-0x00000000060DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5092-222-0x00000000060A0000-0x00000000060DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5092-224-0x00000000060A0000-0x00000000060DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5092-192-0x00000000060A0000-0x00000000060DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5092-228-0x00000000060A0000-0x00000000060DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5092-1101-0x00000000068B0000-0x0000000006EC8000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/5092-1102-0x0000000006EE0000-0x0000000006FEA000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/5092-1103-0x0000000007020000-0x0000000007032000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5092-1104-0x0000000007040000-0x000000000707C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/5092-1105-0x00000000061F0000-0x0000000006200000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5092-1106-0x0000000007330000-0x00000000073C2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/5092-1107-0x00000000073D0000-0x0000000007436000-memory.dmp

        Filesize

        408KB

        Download

      • memory/5092-1109-0x00000000061F0000-0x0000000006200000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5092-1110-0x00000000061F0000-0x0000000006200000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5092-1111-0x00000000061F0000-0x0000000006200000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5092-1112-0x0000000007AF0000-0x0000000007CB2000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/5092-1113-0x0000000007CD0000-0x00000000081FC000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/5092-191-0x00000000060A0000-0x00000000060DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5092-1114-0x0000000008430000-0x00000000084A6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/5092-1115-0x00000000084C0000-0x0000000008510000-memory.dmp

        Filesize

        320KB

        Download

      • memory/5092-1116-0x00000000061F0000-0x0000000006200000-memory.dmp

        Filesize

        64KB

        Download