Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-03-2023 18:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3f6c8596465d748bf6da7af9281735899b1241019a4e6babfc3362d848979fbb.exe

  • Size

    672KB

  • MD5

    f22fb5de03403c045006c0d56ae050b5

  • SHA1

    346e2f503019e7daf9f9a5840f46920d27633af5

  • SHA256

    3f6c8596465d748bf6da7af9281735899b1241019a4e6babfc3362d848979fbb

  • SHA512

    2857907112c730360bbec634fdb780dc0490f7c1416d5c1f59b988f7541ce2fe23695d099de886472b9077f8b50937dd52cba96d368ec30e57358e0485e4e2ce

  • SSDEEP

    12288:GMriy90NCCcvUSaom4hmBmN/XNsKRomEQ+Y+IwcpvJqbFZk:oyz13F1sooBhiVcbFK

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3f6c8596465d748bf6da7af9281735899b1241019a4e6babfc3362d848979fbb.exe
    "C:\Users\Admin\AppData\Local\Temp\3f6c8596465d748bf6da7af9281735899b1241019a4e6babfc3362d848979fbb.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3772
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un864771.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un864771.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:928
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9965.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9965.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1980
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 1084
          4⤵
          • Program crash
          PID:2272
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2573.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2573.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1176
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 1792
          4⤵
          • Program crash
          PID:3528
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si003009.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si003009.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1516
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1980 -ip 1980
    1⤵
      PID:548
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1176 -ip 1176
      1⤵
        PID:2416

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si003009.exe
        Filesize

        175KB

        MD5

        1d9b3e6244d47b0e217535ca018aa62a

        SHA1

        f2a7b6a102362d816917410c950600ec6e8db5ab

        SHA256

        831830652fc9616663df1c32515b9dac07312d52f8cc7ccff5e07757435f8589

        SHA512

        9846ba3e671544b9282dd676d4daea317fe808d346de8a64579d770c737c2bafd06983e316ae4dad8cbb303e356668fd442687df4940c90f0d0fc376e4ae7fd2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si003009.exe
        Filesize

        175KB

        MD5

        1d9b3e6244d47b0e217535ca018aa62a

        SHA1

        f2a7b6a102362d816917410c950600ec6e8db5ab

        SHA256

        831830652fc9616663df1c32515b9dac07312d52f8cc7ccff5e07757435f8589

        SHA512

        9846ba3e671544b9282dd676d4daea317fe808d346de8a64579d770c737c2bafd06983e316ae4dad8cbb303e356668fd442687df4940c90f0d0fc376e4ae7fd2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un864771.exe
        Filesize

        530KB

        MD5

        1237d686f24cfe3d73c122d102597843

        SHA1

        d37c238036d038d11b7e545d35e61961dd4e327c

        SHA256

        94e4e93734121cb23e26964b4b9d13d799959e1632db24239cd02bb533549fbe

        SHA512

        77b9ca256c59295095179acc7d33516b699a7884e5e951c91e965bbc71c86cd455da92d0b76bfd8f9407d99ca1a2416261efeaa0913dd02a8e2d1eb802250d74

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un864771.exe
        Filesize

        530KB

        MD5

        1237d686f24cfe3d73c122d102597843

        SHA1

        d37c238036d038d11b7e545d35e61961dd4e327c

        SHA256

        94e4e93734121cb23e26964b4b9d13d799959e1632db24239cd02bb533549fbe

        SHA512

        77b9ca256c59295095179acc7d33516b699a7884e5e951c91e965bbc71c86cd455da92d0b76bfd8f9407d99ca1a2416261efeaa0913dd02a8e2d1eb802250d74

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9965.exe
        Filesize

        259KB

        MD5

        b8101718f534fd13a7b857f565d60182

        SHA1

        60c335e55b412ac040a1a016e4f83253ceaab118

        SHA256

        3f7ca2e18266aa3fd8cf6e8e3aa79850e20fa30b4fcfb7507519af42a60c769f

        SHA512

        3489270cb569dfcc55f58ba23cc9ea20b716a2916880ff07d2387dc12336b6aba4b8c6961a461da142f3086d5ac25b6fef6e08fb515b73e575262945ca65a205

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9965.exe
        Filesize

        259KB

        MD5

        b8101718f534fd13a7b857f565d60182

        SHA1

        60c335e55b412ac040a1a016e4f83253ceaab118

        SHA256

        3f7ca2e18266aa3fd8cf6e8e3aa79850e20fa30b4fcfb7507519af42a60c769f

        SHA512

        3489270cb569dfcc55f58ba23cc9ea20b716a2916880ff07d2387dc12336b6aba4b8c6961a461da142f3086d5ac25b6fef6e08fb515b73e575262945ca65a205

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2573.exe
        Filesize

        318KB

        MD5

        d40c7d8bbf38c401a370200a9ab4bfbe

        SHA1

        fdcfd4489b11e6b5261542eb6bf3021d2b00ec15

        SHA256

        4085141f078ef52e2eae666686e71dd6a1d459156061702acd9edefc73566366

        SHA512

        2525da36605398bb103438ed563f34fc9839826e3c4a86abcc96bd7aaa823bed0ce0e3fbb6d7483b7a22c36e639c73b20e8229bc8e208e22e73270c0dfcfefb5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2573.exe
        Filesize

        318KB

        MD5

        d40c7d8bbf38c401a370200a9ab4bfbe

        SHA1

        fdcfd4489b11e6b5261542eb6bf3021d2b00ec15

        SHA256

        4085141f078ef52e2eae666686e71dd6a1d459156061702acd9edefc73566366

        SHA512

        2525da36605398bb103438ed563f34fc9839826e3c4a86abcc96bd7aaa823bed0ce0e3fbb6d7483b7a22c36e639c73b20e8229bc8e208e22e73270c0dfcfefb5

        Download Submit

      • memory/1176-1102-0x00000000058A0000-0x00000000059AA000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/1176-1103-0x00000000059E0000-0x00000000059F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1176-218-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1176-216-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1176-214-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1176-202-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1176-1116-0x0000000007B30000-0x000000000805C000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/1176-1115-0x0000000007960000-0x0000000007B22000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/1176-1114-0x0000000006630000-0x0000000006680000-memory.dmp

        Filesize

        320KB

        Download

      • memory/1176-1113-0x0000000006590000-0x0000000006606000-memory.dmp

        Filesize

        472KB

        Download

      • memory/1176-1112-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1176-1111-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1176-1110-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1176-206-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1176-1109-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1176-1107-0x0000000005D90000-0x0000000005DF6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1176-1106-0x0000000005CF0000-0x0000000005D82000-memory.dmp

        Filesize

        584KB

        Download

      • memory/1176-1105-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1176-1104-0x0000000005A00000-0x0000000005A3C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1176-220-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1176-1101-0x0000000005270000-0x0000000005888000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/1176-228-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1176-226-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1176-191-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1176-194-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1176-208-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1176-196-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1176-199-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1176-198-0x0000000002150000-0x000000000219B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/1176-200-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1176-204-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1176-203-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1176-224-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1176-222-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1176-192-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1176-210-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1176-212-0x0000000004AA0000-0x0000000004ADF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/1516-1122-0x0000000000D00000-0x0000000000D32000-memory.dmp

        Filesize

        200KB

        Download

      • memory/1516-1123-0x0000000005650000-0x0000000005660000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1516-1124-0x0000000005650000-0x0000000005660000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1980-182-0x0000000002730000-0x0000000002740000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1980-176-0x00000000024E0000-0x00000000024F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1980-160-0x00000000024E0000-0x00000000024F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1980-152-0x0000000002730000-0x0000000002740000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1980-151-0x0000000002730000-0x0000000002740000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1980-186-0x0000000000400000-0x00000000004B1000-memory.dmp

        Filesize

        708KB

        Download

      • memory/1980-150-0x0000000002730000-0x0000000002740000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1980-184-0x0000000002730000-0x0000000002740000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1980-183-0x0000000002730000-0x0000000002740000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1980-153-0x00000000024E0000-0x00000000024F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1980-181-0x0000000000400000-0x00000000004B1000-memory.dmp

        Filesize

        708KB

        Download

      • memory/1980-180-0x00000000024E0000-0x00000000024F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1980-178-0x00000000024E0000-0x00000000024F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1980-174-0x00000000024E0000-0x00000000024F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1980-172-0x00000000024E0000-0x00000000024F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1980-170-0x00000000024E0000-0x00000000024F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1980-168-0x00000000024E0000-0x00000000024F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1980-166-0x00000000024E0000-0x00000000024F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1980-162-0x00000000024E0000-0x00000000024F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1980-164-0x00000000024E0000-0x00000000024F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1980-149-0x0000000004D80000-0x0000000005324000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1980-148-0x0000000000610000-0x000000000063D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/1980-158-0x00000000024E0000-0x00000000024F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1980-156-0x00000000024E0000-0x00000000024F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1980-154-0x00000000024E0000-0x00000000024F2000-memory.dmp

        Filesize

        72KB

        Download