Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    84s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/03/2023, 22:56

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    076baf1e2e91ecf3c4d939176ee07f48daa011eb889f9d201fa6a2b4b6ec9fde.exe

  • Size

    673KB

  • MD5

    27759028fa5043281fd931f40d064e4b

  • SHA1

    dde27b366be795b23952e039b6e6d494dddc762e

  • SHA256

    076baf1e2e91ecf3c4d939176ee07f48daa011eb889f9d201fa6a2b4b6ec9fde

  • SHA512

    eee77c499616af97f3670126e9db64c1ac661f80695ab60bca52a950f687a920809915a1e1e61cfae3a9a689c25462655d6808ca4e213330f02e7fcb644e9beb

  • SSDEEP

    12288:LMriy90R7WN32Up/iKyE0MsLu3Da0UDN6buWah3SnfCxErj4w:FyS7WN3f/itED53D+DNyuNDxEvH

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 19 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\076baf1e2e91ecf3c4d939176ee07f48daa011eb889f9d201fa6a2b4b6ec9fde.exe
    "C:\Users\Admin\AppData\Local\Temp\076baf1e2e91ecf3c4d939176ee07f48daa011eb889f9d201fa6a2b4b6ec9fde.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1804
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un832115.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un832115.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4861.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4861.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:404
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 1084
          4⤵
          • Program crash
          PID:4508
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5013.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5013.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:804
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 1940
          4⤵
          • Program crash
          PID:1684
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si285004.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si285004.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4596
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 404 -ip 404
    1⤵
      PID:3628
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 804 -ip 804
      1⤵
        PID:2596

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si285004.exe
              Filesize

              175KB

              MD5

              f42f2f96a4094dcf29b88a2743b2ed81

              SHA1

              438931eccaf24e0e6d6f646c846d7efed0420df9

              SHA256

              5ff447c28f9a6f94a20cac407e2f8a683002a84eb81b1c0bdbd00096ba7a7982

              SHA512

              14df0486856256ca1b26cd7a36e38ec0cdfb1ad7ccabbd43492f8c81052006d281d16f916281ed84d154c499fce40f8286326aa863a39532bac6556c5a1849dd

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si285004.exe
              Filesize

              175KB

              MD5

              f42f2f96a4094dcf29b88a2743b2ed81

              SHA1

              438931eccaf24e0e6d6f646c846d7efed0420df9

              SHA256

              5ff447c28f9a6f94a20cac407e2f8a683002a84eb81b1c0bdbd00096ba7a7982

              SHA512

              14df0486856256ca1b26cd7a36e38ec0cdfb1ad7ccabbd43492f8c81052006d281d16f916281ed84d154c499fce40f8286326aa863a39532bac6556c5a1849dd

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un832115.exe
              Filesize

              531KB

              MD5

              554958f46da8bb840ef8ed45f974ae56

              SHA1

              8b253a90b0950898a3b58aaf85bd263c33342629

              SHA256

              8cf698e81a03126c14699c3a89cec627802625f98cda45f7519227efc4193b24

              SHA512

              54d5afa09b61eeb0efcf1e8cebe928ca0e59510c63f00e47d1ddbe470292c59bd26d86a59712211396cd3d691f19b495950dc32ab72dee46ea42bf27e7d2bc21

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un832115.exe
              Filesize

              531KB

              MD5

              554958f46da8bb840ef8ed45f974ae56

              SHA1

              8b253a90b0950898a3b58aaf85bd263c33342629

              SHA256

              8cf698e81a03126c14699c3a89cec627802625f98cda45f7519227efc4193b24

              SHA512

              54d5afa09b61eeb0efcf1e8cebe928ca0e59510c63f00e47d1ddbe470292c59bd26d86a59712211396cd3d691f19b495950dc32ab72dee46ea42bf27e7d2bc21

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4861.exe
              Filesize

              260KB

              MD5

              fbe3131249d6499f6295164c2243d01f

              SHA1

              13cd08597b5fa70271c4eaa945ab834de5edf2cf

              SHA256

              2f8e82e3c831942e331116060bb2e0c2e229e30e68cc5d28783e282f72734236

              SHA512

              bd93361999162f94e8f869aefc90b19887ab32dcd370634eec661db029236d63a938ae2b2bf105c841fd43585810a0b3209c5b3cf51770af208012df675edb38

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4861.exe
              Filesize

              260KB

              MD5

              fbe3131249d6499f6295164c2243d01f

              SHA1

              13cd08597b5fa70271c4eaa945ab834de5edf2cf

              SHA256

              2f8e82e3c831942e331116060bb2e0c2e229e30e68cc5d28783e282f72734236

              SHA512

              bd93361999162f94e8f869aefc90b19887ab32dcd370634eec661db029236d63a938ae2b2bf105c841fd43585810a0b3209c5b3cf51770af208012df675edb38

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5013.exe
              Filesize

              319KB

              MD5

              1a4528af2c956c59d5b1225005bb8b87

              SHA1

              7c884000f69c87dd11d678ff3595b3985620ccdc

              SHA256

              f47c6e7bdfca658309ed72001c1075885e66c59a4e8e14de9970a6f91788d3be

              SHA512

              10ff606fbde3d11af4ce200be04cc884c92d2f85a8f1412c1a284f6766549f2e089baa5ed9cb537036fa501efee0780455de843e1c07d48e628b33ac6fda7386

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5013.exe
              Filesize

              319KB

              MD5

              1a4528af2c956c59d5b1225005bb8b87

              SHA1

              7c884000f69c87dd11d678ff3595b3985620ccdc

              SHA256

              f47c6e7bdfca658309ed72001c1075885e66c59a4e8e14de9970a6f91788d3be

              SHA512

              10ff606fbde3d11af4ce200be04cc884c92d2f85a8f1412c1a284f6766549f2e089baa5ed9cb537036fa501efee0780455de843e1c07d48e628b33ac6fda7386

              Download Submit

            • memory/404-148-0x0000000002100000-0x000000000212D000-memory.dmp

              Filesize

              180KB

              Download

            • memory/404-149-0x0000000004B50000-0x0000000004B60000-memory.dmp

              Filesize

              64KB

              Download

            • memory/404-150-0x0000000004B60000-0x0000000005104000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/404-151-0x0000000004A20000-0x0000000004A32000-memory.dmp

              Filesize

              72KB

              Download

            • memory/404-154-0x0000000004A20000-0x0000000004A32000-memory.dmp

              Filesize

              72KB

              Download

            • memory/404-152-0x0000000004A20000-0x0000000004A32000-memory.dmp

              Filesize

              72KB

              Download

            • memory/404-156-0x0000000004A20000-0x0000000004A32000-memory.dmp

              Filesize

              72KB

              Download

            • memory/404-158-0x0000000004A20000-0x0000000004A32000-memory.dmp

              Filesize

              72KB

              Download

            • memory/404-160-0x0000000004A20000-0x0000000004A32000-memory.dmp

              Filesize

              72KB

              Download

            • memory/404-162-0x0000000004A20000-0x0000000004A32000-memory.dmp

              Filesize

              72KB

              Download

            • memory/404-164-0x0000000004A20000-0x0000000004A32000-memory.dmp

              Filesize

              72KB

              Download

            • memory/404-166-0x0000000004A20000-0x0000000004A32000-memory.dmp

              Filesize

              72KB

              Download

            • memory/404-168-0x0000000004A20000-0x0000000004A32000-memory.dmp

              Filesize

              72KB

              Download

            • memory/404-170-0x0000000004A20000-0x0000000004A32000-memory.dmp

              Filesize

              72KB

              Download

            • memory/404-172-0x0000000004A20000-0x0000000004A32000-memory.dmp

              Filesize

              72KB

              Download

            • memory/404-174-0x0000000004A20000-0x0000000004A32000-memory.dmp

              Filesize

              72KB

              Download

            • memory/404-176-0x0000000004A20000-0x0000000004A32000-memory.dmp

              Filesize

              72KB

              Download

            • memory/404-178-0x0000000004A20000-0x0000000004A32000-memory.dmp

              Filesize

              72KB

              Download

            • memory/404-179-0x0000000004B50000-0x0000000004B60000-memory.dmp

              Filesize

              64KB

              Download

            • memory/404-180-0x0000000004B50000-0x0000000004B60000-memory.dmp

              Filesize

              64KB

              Download

            • memory/404-181-0x0000000000400000-0x00000000004B1000-memory.dmp

              Filesize

              708KB

              Download

            • memory/404-182-0x0000000004B50000-0x0000000004B60000-memory.dmp

              Filesize

              64KB

              Download

            • memory/404-185-0x0000000004B50000-0x0000000004B60000-memory.dmp

              Filesize

              64KB

              Download

            • memory/404-184-0x0000000004B50000-0x0000000004B60000-memory.dmp

              Filesize

              64KB

              Download

            • memory/404-186-0x0000000000400000-0x00000000004B1000-memory.dmp

              Filesize

              708KB

              Download

            • memory/804-191-0x0000000004A80000-0x0000000004ABF000-memory.dmp

              Filesize

              252KB

              Download

            • memory/804-192-0x0000000004A80000-0x0000000004ABF000-memory.dmp

              Filesize

              252KB

              Download

            • memory/804-194-0x0000000004A80000-0x0000000004ABF000-memory.dmp

              Filesize

              252KB

              Download

            • memory/804-196-0x0000000004A80000-0x0000000004ABF000-memory.dmp

              Filesize

              252KB

              Download

            • memory/804-198-0x0000000004A80000-0x0000000004ABF000-memory.dmp

              Filesize

              252KB

              Download

            • memory/804-200-0x0000000004A80000-0x0000000004ABF000-memory.dmp

              Filesize

              252KB

              Download

            • memory/804-202-0x0000000004A80000-0x0000000004ABF000-memory.dmp

              Filesize

              252KB

              Download

            • memory/804-204-0x0000000004A80000-0x0000000004ABF000-memory.dmp

              Filesize

              252KB

              Download

            • memory/804-206-0x0000000004A80000-0x0000000004ABF000-memory.dmp

              Filesize

              252KB

              Download

            • memory/804-208-0x0000000004A80000-0x0000000004ABF000-memory.dmp

              Filesize

              252KB

              Download

            • memory/804-210-0x0000000004A80000-0x0000000004ABF000-memory.dmp

              Filesize

              252KB

              Download

            • memory/804-212-0x0000000004A80000-0x0000000004ABF000-memory.dmp

              Filesize

              252KB

              Download

            • memory/804-214-0x0000000004A80000-0x0000000004ABF000-memory.dmp

              Filesize

              252KB

              Download

            • memory/804-215-0x0000000000770000-0x00000000007BB000-memory.dmp

              Filesize

              300KB

              Download

            • memory/804-216-0x0000000004AF0000-0x0000000004B00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/804-219-0x0000000004A80000-0x0000000004ABF000-memory.dmp

              Filesize

              252KB

              Download

            • memory/804-218-0x0000000004AF0000-0x0000000004B00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/804-220-0x0000000004AF0000-0x0000000004B00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/804-222-0x0000000004A80000-0x0000000004ABF000-memory.dmp

              Filesize

              252KB

              Download

            • memory/804-224-0x0000000004A80000-0x0000000004ABF000-memory.dmp

              Filesize

              252KB

              Download

            • memory/804-226-0x0000000004A80000-0x0000000004ABF000-memory.dmp

              Filesize

              252KB

              Download

            • memory/804-228-0x0000000004A80000-0x0000000004ABF000-memory.dmp

              Filesize

              252KB

              Download

            • memory/804-1101-0x0000000005200000-0x0000000005818000-memory.dmp

              Filesize

              6.1MB

              Download

            • memory/804-1102-0x00000000058A0000-0x00000000059AA000-memory.dmp

              Filesize

              1.0MB

              Download

            • memory/804-1103-0x00000000059E0000-0x00000000059F2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/804-1104-0x0000000004AF0000-0x0000000004B00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/804-1105-0x0000000005A00000-0x0000000005A3C000-memory.dmp

              Filesize

              240KB

              Download

            • memory/804-1107-0x0000000005CF0000-0x0000000005D82000-memory.dmp

              Filesize

              584KB

              Download

            • memory/804-1108-0x0000000005D90000-0x0000000005DF6000-memory.dmp

              Filesize

              408KB

              Download

            • memory/804-1109-0x0000000004AF0000-0x0000000004B00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/804-1110-0x0000000004AF0000-0x0000000004B00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/804-1111-0x0000000004AF0000-0x0000000004B00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/804-1112-0x0000000006600000-0x00000000067C2000-memory.dmp

              Filesize

              1.8MB

              Download

            • memory/804-1113-0x00000000067D0000-0x0000000006CFC000-memory.dmp

              Filesize

              5.2MB

              Download

            • memory/804-1114-0x0000000006E20000-0x0000000006E96000-memory.dmp

              Filesize

              472KB

              Download

            • memory/804-1115-0x0000000006EC0000-0x0000000006F10000-memory.dmp

              Filesize

              320KB

              Download

            • memory/804-1116-0x0000000004AF0000-0x0000000004B00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4596-1122-0x0000000000780000-0x00000000007B2000-memory.dmp

              Filesize

              200KB

              Download

            • memory/4596-1123-0x0000000005340000-0x0000000005350000-memory.dmp

              Filesize

              64KB

              Download