Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    48s
  • max time network
    141s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    31-03-2023 19:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6d0539ca7847e68365a0cc6559b4498522abc74af8b508fd72a6f7ed46741437.exe

  • Size

    533KB

  • MD5

    5ea25d0fb1c378c1ed9363cb006e7b37

  • SHA1

    b68a61b3ca1043fefd6c1fd9767566d0872d65d1

  • SHA256

    6d0539ca7847e68365a0cc6559b4498522abc74af8b508fd72a6f7ed46741437

  • SHA512

    033ff2059dbdeb00aa8620720bd66e198d9078339215f633f8dd2540530fa4131033dd15bfe65c8efed13f74a52dd01b9082dc57bc87ae239b962b87cb55c8fd

  • SSDEEP

    12288:WMrYy90R82+jc2eDMVQzCTInHAFLGEGOburaSiEycE/S8Q:ay2+QPMVQzkeifbrSilc2lQ

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6d0539ca7847e68365a0cc6559b4498522abc74af8b508fd72a6f7ed46741437.exe
    "C:\Users\Admin\AppData\Local\Temp\6d0539ca7847e68365a0cc6559b4498522abc74af8b508fd72a6f7ed46741437.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2572
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQd5799.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQd5799.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3012
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr635052.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr635052.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4064
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku845070.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku845070.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3444
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr079651.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr079651.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr079651.exe
    Filesize

    175KB

    MD5

    b3826e545279ebbd30cc5bbb3a9fd3f0

    SHA1

    e4f8f631d3c5420891f942ccf798b970098898cc

    SHA256

    362e82759fb1597bd3e504e9348ea1883bb89427411212abe1c90853d597601c

    SHA512

    0075cbbac983e501fec61694d10f7f7572f0fc63ab4964812d5bb8f5a4182f0d700ecb75641846c330ffa3d26be67a0fd858d561aa2bdd7ba53a6c09bb6fa633

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr079651.exe
    Filesize

    175KB

    MD5

    b3826e545279ebbd30cc5bbb3a9fd3f0

    SHA1

    e4f8f631d3c5420891f942ccf798b970098898cc

    SHA256

    362e82759fb1597bd3e504e9348ea1883bb89427411212abe1c90853d597601c

    SHA512

    0075cbbac983e501fec61694d10f7f7572f0fc63ab4964812d5bb8f5a4182f0d700ecb75641846c330ffa3d26be67a0fd858d561aa2bdd7ba53a6c09bb6fa633

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQd5799.exe
    Filesize

    391KB

    MD5

    966db888c737048a3b94f4f3ba611adf

    SHA1

    6764bbe581c694d1091cabcc045e0cd563c6fda4

    SHA256

    3b14d0c66b1dfc197426847bdf0fdebc41a94178a15ade8cc032300d89dadb52

    SHA512

    452ad1e4142fee83364ec885975f4f4bc8c9b6d86d446c905f45ea38f630eea281d4cd0e746fe5336a9f6e2743441c3106d3542e9e39fc0b98c34bd74bc418a9

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziQd5799.exe
    Filesize

    391KB

    MD5

    966db888c737048a3b94f4f3ba611adf

    SHA1

    6764bbe581c694d1091cabcc045e0cd563c6fda4

    SHA256

    3b14d0c66b1dfc197426847bdf0fdebc41a94178a15ade8cc032300d89dadb52

    SHA512

    452ad1e4142fee83364ec885975f4f4bc8c9b6d86d446c905f45ea38f630eea281d4cd0e746fe5336a9f6e2743441c3106d3542e9e39fc0b98c34bd74bc418a9

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr635052.exe
    Filesize

    11KB

    MD5

    b1012939445665048847458f18e14b06

    SHA1

    09fddb3f24f89d154dac1acda18a8582b439765e

    SHA256

    e135361042ba8f18b123c3797892db31a74ae696747214968cc22b27c1d362e8

    SHA512

    3a441f9e06d1cecfe439369013c24cef115ff261b2e94af8270ae0e9d1910bc9f329cdceb82eed3141a14dc6f6b1a9a7efe0a6ce4e7f861f1d683d9dc6bc0b08

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr635052.exe
    Filesize

    11KB

    MD5

    b1012939445665048847458f18e14b06

    SHA1

    09fddb3f24f89d154dac1acda18a8582b439765e

    SHA256

    e135361042ba8f18b123c3797892db31a74ae696747214968cc22b27c1d362e8

    SHA512

    3a441f9e06d1cecfe439369013c24cef115ff261b2e94af8270ae0e9d1910bc9f329cdceb82eed3141a14dc6f6b1a9a7efe0a6ce4e7f861f1d683d9dc6bc0b08

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku845070.exe
    Filesize

    318KB

    MD5

    221061fdddeef5fc266a4476d50c34fc

    SHA1

    e42041f27eacc744ca3a483a764e08cdf5322058

    SHA256

    a8ba9853d3df05560fc9323ce0d439abebd999cc19d830089105915cff1a5bfd

    SHA512

    558e19cc472715de0930600716c0e2a8efdef23d200719af9646a8341f22f4a131bb89d5b6566dbf72013465e734eab3a11ed80a163abf92c3ddaef113534ad5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku845070.exe
    Filesize

    318KB

    MD5

    221061fdddeef5fc266a4476d50c34fc

    SHA1

    e42041f27eacc744ca3a483a764e08cdf5322058

    SHA256

    a8ba9853d3df05560fc9323ce0d439abebd999cc19d830089105915cff1a5bfd

    SHA512

    558e19cc472715de0930600716c0e2a8efdef23d200719af9646a8341f22f4a131bb89d5b6566dbf72013465e734eab3a11ed80a163abf92c3ddaef113534ad5

    Download Submit
  • memory/3444-141-0x0000000001E90000-0x0000000001EDB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/3444-142-0x0000000004970000-0x00000000049B6000-memory.dmp
    Filesize

    280KB

    Download
  • memory/3444-143-0x0000000004AF0000-0x0000000004FEE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3444-144-0x0000000004A20000-0x0000000004A64000-memory.dmp
    Filesize

    272KB

    Download
  • memory/3444-147-0x0000000004AE0000-0x0000000004AF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3444-146-0x0000000004AE0000-0x0000000004AF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3444-145-0x0000000004AE0000-0x0000000004AF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3444-149-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3444-157-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3444-155-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3444-153-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3444-159-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3444-163-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3444-161-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3444-151-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3444-165-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3444-167-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3444-169-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3444-148-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3444-171-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3444-173-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3444-177-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3444-183-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3444-193-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3444-205-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3444-211-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3444-209-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3444-207-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3444-203-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3444-201-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3444-199-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3444-197-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3444-195-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3444-191-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3444-189-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3444-187-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3444-185-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3444-181-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3444-179-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3444-175-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3444-1054-0x0000000004FF0000-0x00000000055F6000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/3444-1055-0x0000000005660000-0x000000000576A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/3444-1056-0x00000000057A0000-0x00000000057B2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/3444-1057-0x0000000004AE0000-0x0000000004AF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3444-1058-0x00000000057C0000-0x00000000057FE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/3444-1059-0x0000000005910000-0x000000000595B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/3444-1061-0x0000000004AE0000-0x0000000004AF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3444-1063-0x0000000004AE0000-0x0000000004AF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3444-1062-0x0000000004AE0000-0x0000000004AF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3444-1064-0x0000000005AA0000-0x0000000005B06000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3444-1065-0x0000000006160000-0x00000000061F2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3444-1066-0x00000000063A0000-0x0000000006562000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/3444-1067-0x0000000004AE0000-0x0000000004AF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3444-1068-0x0000000006570000-0x0000000006A9C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/3444-1070-0x0000000006BC0000-0x0000000006C36000-memory.dmp
    Filesize

    472KB

    Download
  • memory/3444-1071-0x0000000006C50000-0x0000000006CA0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3652-1077-0x0000000000620000-0x0000000000652000-memory.dmp
    Filesize

    200KB

    Download
  • memory/3652-1078-0x0000000004F30000-0x0000000004F7B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/3652-1079-0x00000000051B0000-0x00000000051C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4064-135-0x0000000000840000-0x000000000084A000-memory.dmp
    Filesize

    40KB

    Download