Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-03-2023 19:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ce199a1cec1ae39771dc3a95634d086b72cd4ab3eaf3df37ca758d0b83f81e02.exe

  • Size

    533KB

  • MD5

    90f99e02739701514735cf4849c78094

  • SHA1

    3505073610b9123ca03348b67e5717d746508d05

  • SHA256

    ce199a1cec1ae39771dc3a95634d086b72cd4ab3eaf3df37ca758d0b83f81e02

  • SHA512

    59cf050ef93685bc9e612a9ae07c280d888e277e52082181ae6b246ca5adf792302cf6a4fd7f46a8f94ff1cd7a210914f38f526dfb9eaa461cb1120b2667ceba

  • SSDEEP

    12288:6Mr8y90ccvVv0bsuoVRQ6jyOuBObhryEuDLPmzQlhky:iy6iQRV6eyOlbiq0Qy

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ce199a1cec1ae39771dc3a95634d086b72cd4ab3eaf3df37ca758d0b83f81e02.exe
    "C:\Users\Admin\AppData\Local\Temp\ce199a1cec1ae39771dc3a95634d086b72cd4ab3eaf3df37ca758d0b83f81e02.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4452
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihR7136.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihR7136.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:628
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr693418.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr693418.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1268
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku906496.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku906496.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4644
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 1332
          4⤵
          • Program crash
          PID:3484
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr231693.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr231693.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3456
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4644 -ip 4644
    1⤵
      PID:512

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr231693.exe
      Filesize

      175KB

      MD5

      9770df88484fb6ea91fdadf5c7f3efb5

      SHA1

      4923f243fba5b8c3a41d7e27b9840527d778be35

      SHA256

      274b57cd281fe6632d0152574b6e35e9a7f2ee00e624faba7e4f555f8c445ea3

      SHA512

      40f1ab4fe210cdd66481873af927025ea5a40473f93a51613786d500b753dfe57774ca408709ebafb4f3f32763699fa414a8a8d4f2ce53f33aff0628fef09aa6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr231693.exe
      Filesize

      175KB

      MD5

      9770df88484fb6ea91fdadf5c7f3efb5

      SHA1

      4923f243fba5b8c3a41d7e27b9840527d778be35

      SHA256

      274b57cd281fe6632d0152574b6e35e9a7f2ee00e624faba7e4f555f8c445ea3

      SHA512

      40f1ab4fe210cdd66481873af927025ea5a40473f93a51613786d500b753dfe57774ca408709ebafb4f3f32763699fa414a8a8d4f2ce53f33aff0628fef09aa6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihR7136.exe
      Filesize

      391KB

      MD5

      5ad66aa6830420455307b1c107c930ab

      SHA1

      3f14fc9cf527ccd882acef2beeeeeb0feb9e46af

      SHA256

      c721f08443a0ae589598623519718841577f9a7a3c61cdbad4effc3026dba352

      SHA512

      dafae83fc477f8a75871997a1c2bafec8db39b49fb9775443620cfa6564ab28b59a28c6663734319a529869c4941ccfb648d95f7b6d61aa972045c10d28943e3

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zihR7136.exe
      Filesize

      391KB

      MD5

      5ad66aa6830420455307b1c107c930ab

      SHA1

      3f14fc9cf527ccd882acef2beeeeeb0feb9e46af

      SHA256

      c721f08443a0ae589598623519718841577f9a7a3c61cdbad4effc3026dba352

      SHA512

      dafae83fc477f8a75871997a1c2bafec8db39b49fb9775443620cfa6564ab28b59a28c6663734319a529869c4941ccfb648d95f7b6d61aa972045c10d28943e3

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr693418.exe
      Filesize

      11KB

      MD5

      a4051cea1b9a4b9a175aa5316e4f248b

      SHA1

      fa488793db62e5ff4bc64ea795e8b2801a1e58f5

      SHA256

      5e63a27875ab5b1913146f0299afe4c78c104d02e85d5ec9e40726cbafe79ab9

      SHA512

      1af75c592870cb6515aa99e8e0b594d0416e41b9b48f4904dc9e780c9ec242d924666d4eee2eb8b1a7300a1fd04d2af75ee71520ca3278fbbc16cb9c3ed5a8ee

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr693418.exe
      Filesize

      11KB

      MD5

      a4051cea1b9a4b9a175aa5316e4f248b

      SHA1

      fa488793db62e5ff4bc64ea795e8b2801a1e58f5

      SHA256

      5e63a27875ab5b1913146f0299afe4c78c104d02e85d5ec9e40726cbafe79ab9

      SHA512

      1af75c592870cb6515aa99e8e0b594d0416e41b9b48f4904dc9e780c9ec242d924666d4eee2eb8b1a7300a1fd04d2af75ee71520ca3278fbbc16cb9c3ed5a8ee

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku906496.exe
      Filesize

      318KB

      MD5

      619d494729231f45f4186a40eed8079c

      SHA1

      a2f230d524abad4c393991952fc38a25e3b8f17d

      SHA256

      f6b7b515cb3534083a5a21e285670f39dac6af2a3f8f67c3eced58231261e51c

      SHA512

      0bbdd74c6c9868346bd61220d913cb6aee5a128c8eab7fd8ab73dfdb82526fe502028edfdd45c7ef8f5788b018cbb96211bcf2e4cc828ae750cbe6dd6b0c2a9a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku906496.exe
      Filesize

      318KB

      MD5

      619d494729231f45f4186a40eed8079c

      SHA1

      a2f230d524abad4c393991952fc38a25e3b8f17d

      SHA256

      f6b7b515cb3534083a5a21e285670f39dac6af2a3f8f67c3eced58231261e51c

      SHA512

      0bbdd74c6c9868346bd61220d913cb6aee5a128c8eab7fd8ab73dfdb82526fe502028edfdd45c7ef8f5788b018cbb96211bcf2e4cc828ae750cbe6dd6b0c2a9a

      Download Submit
    • memory/1268-147-0x0000000000390000-0x000000000039A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3456-1086-0x0000000000960000-0x0000000000992000-memory.dmp
      Filesize

      200KB

      Download
    • memory/3456-1087-0x0000000005530000-0x0000000005540000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4644-191-0x00000000050A0000-0x00000000050DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4644-201-0x00000000050A0000-0x00000000050DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4644-155-0x0000000002300000-0x0000000002310000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4644-156-0x0000000002300000-0x0000000002310000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4644-157-0x0000000004AB0000-0x0000000005054000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4644-158-0x00000000050A0000-0x00000000050DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4644-161-0x00000000050A0000-0x00000000050DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4644-159-0x00000000050A0000-0x00000000050DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4644-163-0x00000000050A0000-0x00000000050DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4644-165-0x00000000050A0000-0x00000000050DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4644-167-0x00000000050A0000-0x00000000050DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4644-169-0x00000000050A0000-0x00000000050DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4644-171-0x00000000050A0000-0x00000000050DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4644-173-0x00000000050A0000-0x00000000050DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4644-175-0x00000000050A0000-0x00000000050DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4644-177-0x00000000050A0000-0x00000000050DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4644-179-0x00000000050A0000-0x00000000050DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4644-181-0x00000000050A0000-0x00000000050DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4644-183-0x00000000050A0000-0x00000000050DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4644-185-0x00000000050A0000-0x00000000050DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4644-187-0x00000000050A0000-0x00000000050DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4644-153-0x0000000000630000-0x000000000067B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/4644-189-0x00000000050A0000-0x00000000050DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4644-193-0x00000000050A0000-0x00000000050DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4644-195-0x00000000050A0000-0x00000000050DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4644-197-0x00000000050A0000-0x00000000050DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4644-199-0x00000000050A0000-0x00000000050DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4644-154-0x0000000002300000-0x0000000002310000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4644-203-0x00000000050A0000-0x00000000050DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4644-205-0x00000000050A0000-0x00000000050DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4644-207-0x00000000050A0000-0x00000000050DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4644-209-0x00000000050A0000-0x00000000050DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4644-211-0x00000000050A0000-0x00000000050DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4644-213-0x00000000050A0000-0x00000000050DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4644-215-0x00000000050A0000-0x00000000050DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4644-217-0x00000000050A0000-0x00000000050DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4644-219-0x00000000050A0000-0x00000000050DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4644-221-0x00000000050A0000-0x00000000050DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4644-1064-0x00000000050E0000-0x00000000056F8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/4644-1065-0x0000000005760000-0x000000000586A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/4644-1066-0x00000000058A0000-0x00000000058B2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4644-1067-0x0000000002300000-0x0000000002310000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4644-1068-0x00000000058C0000-0x00000000058FC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/4644-1070-0x0000000002300000-0x0000000002310000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4644-1071-0x0000000002300000-0x0000000002310000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4644-1072-0x0000000002300000-0x0000000002310000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4644-1073-0x0000000005BB0000-0x0000000005C16000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4644-1074-0x00000000063C0000-0x0000000006452000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4644-1075-0x00000000064A0000-0x0000000006516000-memory.dmp
      Filesize

      472KB

      Download
    • memory/4644-1076-0x0000000006520000-0x0000000006570000-memory.dmp
      Filesize

      320KB

      Download
    • memory/4644-1077-0x0000000006590000-0x0000000006752000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/4644-1078-0x0000000006770000-0x0000000006C9C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/4644-1079-0x0000000002300000-0x0000000002310000-memory.dmp
      Filesize

      64KB

      Download