Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    72s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-03-2023 17:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e70eb8961d0716e02a549f92abe4437fed11d46b054f94845555ea2757b9dbcd.exe

  • Size

    671KB

  • MD5

    14d854d16f6d596500fab92a885dff20

  • SHA1

    b62762750b38b86e5b3415d8ced0a1b966e221b2

  • SHA256

    e70eb8961d0716e02a549f92abe4437fed11d46b054f94845555ea2757b9dbcd

  • SHA512

    74b9fbdbcb079ca59422df366b2f6f18b830099629c1703994f79503aed271b32f0bbf37ddec9bf3ef244de24e93e367f2e605dcfbb3ec4649847e02ad84a655

  • SSDEEP

    12288:sMrWy90A3Q3R2GbRCUVDdmIJiRJjomEG+YvTOJpEtJwqA:KyMBjRCcDdLJiRJjobccStJwD

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e70eb8961d0716e02a549f92abe4437fed11d46b054f94845555ea2757b9dbcd.exe
    "C:\Users\Admin\AppData\Local\Temp\e70eb8961d0716e02a549f92abe4437fed11d46b054f94845555ea2757b9dbcd.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5040
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un432846.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un432846.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:892
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4433.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4433.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1752
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 1080
          4⤵
          • Program crash
          PID:116
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7093.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7093.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4664
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1732
          4⤵
          • Program crash
          PID:2152
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si477040.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si477040.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3372
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1752 -ip 1752
    1⤵
      PID:1352
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4664 -ip 4664
      1⤵
        PID:3632

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si477040.exe
        Filesize

        175KB

        MD5

        8ddcff817b94ab4eebbd5f3754701b15

        SHA1

        4641d83c9bfea20b52dd40a9974b6438919fb49a

        SHA256

        4a961dadbe857982a7a186df8ce219ea42e6d5a95634421d99da7f3b33e7bb8c

        SHA512

        6a15e0b8e46cc52288eb9e1896d26d2fff1dac4b189e97c403e937e3d45e632bcafca63d3fb06247e9c133bf7edaedcc40ec247181bc59c157fae228a6b469f4

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si477040.exe
        Filesize

        175KB

        MD5

        8ddcff817b94ab4eebbd5f3754701b15

        SHA1

        4641d83c9bfea20b52dd40a9974b6438919fb49a

        SHA256

        4a961dadbe857982a7a186df8ce219ea42e6d5a95634421d99da7f3b33e7bb8c

        SHA512

        6a15e0b8e46cc52288eb9e1896d26d2fff1dac4b189e97c403e937e3d45e632bcafca63d3fb06247e9c133bf7edaedcc40ec247181bc59c157fae228a6b469f4

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un432846.exe
        Filesize

        530KB

        MD5

        4949f8b1774e16c8edd1edbb7910d4b2

        SHA1

        aa4f62315b1e74d828032e39c9284dce167363c7

        SHA256

        dc44d7cf493e08058f9c6f3d6b58ae530822ba1c24e07e5d899eb4b0e22d5340

        SHA512

        0d65edb5bb1fb7ea8ef0d393392fa9505afe1ff9ece01fa1b00abf4b5e92c869daba889b16a0a96763ccd74d9c5584e8dd351d09ab0d34e2e20b7632938c3292

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un432846.exe
        Filesize

        530KB

        MD5

        4949f8b1774e16c8edd1edbb7910d4b2

        SHA1

        aa4f62315b1e74d828032e39c9284dce167363c7

        SHA256

        dc44d7cf493e08058f9c6f3d6b58ae530822ba1c24e07e5d899eb4b0e22d5340

        SHA512

        0d65edb5bb1fb7ea8ef0d393392fa9505afe1ff9ece01fa1b00abf4b5e92c869daba889b16a0a96763ccd74d9c5584e8dd351d09ab0d34e2e20b7632938c3292

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4433.exe
        Filesize

        259KB

        MD5

        33d7bfbbad029b6e054559fca98da9fb

        SHA1

        307bbc6b34d8f6789af075d5c7e646fc3e421909

        SHA256

        344aef1b6531bdf699d14fec9b72f7c2f873da68b1aecd02716dd82dc1748fee

        SHA512

        61e97542ec1e5fa8eeb90d28c5081a0140e81236173b392c01877af9c1288c6192fa2c8ab1f0c48add582d44ed496e2bb151f4f6582e84cf268d8127b8bb9551

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4433.exe
        Filesize

        259KB

        MD5

        33d7bfbbad029b6e054559fca98da9fb

        SHA1

        307bbc6b34d8f6789af075d5c7e646fc3e421909

        SHA256

        344aef1b6531bdf699d14fec9b72f7c2f873da68b1aecd02716dd82dc1748fee

        SHA512

        61e97542ec1e5fa8eeb90d28c5081a0140e81236173b392c01877af9c1288c6192fa2c8ab1f0c48add582d44ed496e2bb151f4f6582e84cf268d8127b8bb9551

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7093.exe
        Filesize

        318KB

        MD5

        7355e76d4e7c1e7f48ab6590bc0f68a1

        SHA1

        9fb5e4aff105825d0e23b29b702f446f00303772

        SHA256

        8e4cec9e62253ca164cd098296a78f6287dadbd6c2fa2d7ded413a73464e795d

        SHA512

        e2e7381b30048103160a223b2381f04de95cd3e14d804c8636633dec44d1fe598023480b9e8995350533c646a4d57847b3a6e07e445962a1d5549e86fef642fc

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7093.exe
        Filesize

        318KB

        MD5

        7355e76d4e7c1e7f48ab6590bc0f68a1

        SHA1

        9fb5e4aff105825d0e23b29b702f446f00303772

        SHA256

        8e4cec9e62253ca164cd098296a78f6287dadbd6c2fa2d7ded413a73464e795d

        SHA512

        e2e7381b30048103160a223b2381f04de95cd3e14d804c8636633dec44d1fe598023480b9e8995350533c646a4d57847b3a6e07e445962a1d5549e86fef642fc

        Download Submit
      • memory/1752-165-0x0000000004A20000-0x0000000004A32000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1752-171-0x0000000004A20000-0x0000000004A32000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1752-151-0x0000000004A20000-0x0000000004A32000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1752-150-0x0000000004A20000-0x0000000004A32000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1752-153-0x0000000004A20000-0x0000000004A32000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1752-155-0x0000000004A20000-0x0000000004A32000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1752-157-0x0000000004A20000-0x0000000004A32000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1752-159-0x0000000004A20000-0x0000000004A32000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1752-161-0x0000000004A20000-0x0000000004A32000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1752-163-0x0000000004A20000-0x0000000004A32000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1752-148-0x00000000020F0000-0x000000000211D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1752-167-0x0000000004A20000-0x0000000004A32000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1752-169-0x0000000004A20000-0x0000000004A32000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1752-149-0x0000000004AE0000-0x0000000005084000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/1752-173-0x0000000004A20000-0x0000000004A32000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1752-175-0x0000000004A20000-0x0000000004A32000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1752-177-0x0000000004A20000-0x0000000004A32000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1752-178-0x0000000004AD0000-0x0000000004AE0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1752-179-0x0000000004AD0000-0x0000000004AE0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1752-180-0x0000000004AD0000-0x0000000004AE0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1752-181-0x0000000000400000-0x00000000004B1000-memory.dmp
        Filesize

        708KB

        Download
      • memory/1752-183-0x0000000004AD0000-0x0000000004AE0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1752-184-0x0000000004AD0000-0x0000000004AE0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1752-185-0x0000000004AD0000-0x0000000004AE0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1752-186-0x0000000000400000-0x00000000004B1000-memory.dmp
        Filesize

        708KB

        Download
      • memory/3372-1121-0x0000000000CA0000-0x0000000000CD2000-memory.dmp
        Filesize

        200KB

        Download
      • memory/3372-1123-0x0000000005580000-0x0000000005590000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3372-1122-0x0000000005580000-0x0000000005590000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4664-194-0x0000000004A60000-0x0000000004A9F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4664-196-0x0000000004A60000-0x0000000004A9F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4664-198-0x0000000004A60000-0x0000000004A9F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4664-200-0x0000000004A60000-0x0000000004A9F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4664-202-0x0000000004A60000-0x0000000004A9F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4664-204-0x0000000004A60000-0x0000000004A9F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4664-206-0x0000000004A60000-0x0000000004A9F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4664-208-0x0000000004A60000-0x0000000004A9F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4664-210-0x0000000004A60000-0x0000000004A9F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4664-212-0x0000000004A60000-0x0000000004A9F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4664-214-0x0000000004A60000-0x0000000004A9F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4664-216-0x0000000004A60000-0x0000000004A9F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4664-218-0x0000000004A60000-0x0000000004A9F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4664-220-0x0000000004A60000-0x0000000004A9F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4664-222-0x0000000004A60000-0x0000000004A9F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4664-224-0x0000000004A60000-0x0000000004A9F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4664-253-0x00000000020F0000-0x000000000213B000-memory.dmp
        Filesize

        300KB

        Download
      • memory/4664-254-0x0000000004AF0000-0x0000000004B00000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4664-256-0x0000000004AF0000-0x0000000004B00000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4664-1100-0x00000000050C0000-0x00000000056D8000-memory.dmp
        Filesize

        6.1MB

        Download
      • memory/4664-1101-0x0000000005760000-0x000000000586A000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/4664-1102-0x00000000058A0000-0x00000000058B2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4664-1103-0x00000000058C0000-0x00000000058FC000-memory.dmp
        Filesize

        240KB

        Download
      • memory/4664-1104-0x0000000004AF0000-0x0000000004B00000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4664-1105-0x0000000005BB0000-0x0000000005C42000-memory.dmp
        Filesize

        584KB

        Download
      • memory/4664-1106-0x0000000005C50000-0x0000000005CB6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/4664-1108-0x0000000004AF0000-0x0000000004B00000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4664-1109-0x0000000004AF0000-0x0000000004B00000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4664-1110-0x0000000004AF0000-0x0000000004B00000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4664-1111-0x0000000006460000-0x00000000064D6000-memory.dmp
        Filesize

        472KB

        Download
      • memory/4664-1112-0x00000000064E0000-0x0000000006530000-memory.dmp
        Filesize

        320KB

        Download
      • memory/4664-191-0x0000000004A60000-0x0000000004A9F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4664-192-0x0000000004A60000-0x0000000004A9F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4664-1113-0x0000000004AF0000-0x0000000004B00000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4664-1114-0x00000000066A0000-0x0000000006862000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/4664-1115-0x0000000006880000-0x0000000006DAC000-memory.dmp
        Filesize

        5.2MB

        Download