Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    72s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-03-2023 18:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d11ea61e51e509137b62493ca86a050ea2342c8d969e56abb909f9d154fb5828.exe

  • Size

    672KB

  • MD5

    dd0f9f383e5398fcc11cc5eb4357ad80

  • SHA1

    238dbce37288a0692a2bb92dc47062e326cf83f6

  • SHA256

    d11ea61e51e509137b62493ca86a050ea2342c8d969e56abb909f9d154fb5828

  • SHA512

    0db8f7344c6e653666c45482d3c9732712ef8ce5a0fe59c6924facddeeaf88957d6ef90ee0b3f8677494ec18e20e703b31b6a00196d59e7cde2e30cde06de03d

  • SSDEEP

    12288:QMrWy90pdCDS8PpgZpFMc2r4QWd6eSDw/OYASkMESsmxPz:WyMUSEp6n6eH3kvr2Pz

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 19 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d11ea61e51e509137b62493ca86a050ea2342c8d969e56abb909f9d154fb5828.exe
    "C:\Users\Admin\AppData\Local\Temp\d11ea61e51e509137b62493ca86a050ea2342c8d969e56abb909f9d154fb5828.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4956
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un559539.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un559539.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1408
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1188.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1188.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1604
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 1080
          4⤵
          • Program crash
          PID:3988
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1690.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1690.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2164
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 1700
          4⤵
          • Program crash
          PID:1404
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si547951.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si547951.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3436
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1604 -ip 1604
    1⤵
      PID:1360
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 2164 -ip 2164
      1⤵
        PID:3244

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Modify Existing Service

      1
      T1031

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      3
      T1112

      Disabling Security Tools

      2
      T1089

      Credential Access

      Credentials in Files

      2
      T1081

      Discovery

      Query Registry

      1
      T1012

      Lateral Movement

      Collection

      Data from Local System

      2
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si547951.exe
        Filesize

        175KB

        MD5

        49429eb1fd50ce7861164fbe92a75de9

        SHA1

        432c443d438ffa5303c629dd04667b6a72247f35

        SHA256

        bd4d44de3b5be1c3ef857fb119c7835590721b3168b81e6ea335783d759b1517

        SHA512

        f88f528a94687990e19dbce01bbe374e277ceca6b1213729e22585ff4c511aafab91a36266f974c2d6fbfe3aa00d5dc66e5bb1ac80ae91d60f68493291611383

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si547951.exe
        Filesize

        175KB

        MD5

        49429eb1fd50ce7861164fbe92a75de9

        SHA1

        432c443d438ffa5303c629dd04667b6a72247f35

        SHA256

        bd4d44de3b5be1c3ef857fb119c7835590721b3168b81e6ea335783d759b1517

        SHA512

        f88f528a94687990e19dbce01bbe374e277ceca6b1213729e22585ff4c511aafab91a36266f974c2d6fbfe3aa00d5dc66e5bb1ac80ae91d60f68493291611383

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un559539.exe
        Filesize

        530KB

        MD5

        0c63cd1abe55ecdd301f015ab021e698

        SHA1

        33ff2887731ccf0b60c117cda7587ec47d17cfe7

        SHA256

        e0546c55adf1b7230752480ca14608f85294b14eb43da897c5340ef42969ebc4

        SHA512

        3fe231163fc614d079a7e397a3c1e04944330002b73b2767ec604aec9cf553419558a321023cda23edd5149c56b1dfeb3023ff1d6aa0f40b750a526ec4edd32d

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un559539.exe
        Filesize

        530KB

        MD5

        0c63cd1abe55ecdd301f015ab021e698

        SHA1

        33ff2887731ccf0b60c117cda7587ec47d17cfe7

        SHA256

        e0546c55adf1b7230752480ca14608f85294b14eb43da897c5340ef42969ebc4

        SHA512

        3fe231163fc614d079a7e397a3c1e04944330002b73b2767ec604aec9cf553419558a321023cda23edd5149c56b1dfeb3023ff1d6aa0f40b750a526ec4edd32d

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1188.exe
        Filesize

        259KB

        MD5

        6839cf40af1495a846cc9660a99c0f30

        SHA1

        ff3a3b473439d2f6e9311252a92f0ea484aae7ad

        SHA256

        d9cdaa6e8521484977f411e391d2b9bbf408c92ab33def3597af9dd17a64c3ce

        SHA512

        10fce8aea141780589c63a7578b0b368787d8401d0bc8001728b066d769d33b63025b4a20576dee966aa17a00af471bb771cb44122aa4a9df24a0f717a55beb5

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1188.exe
        Filesize

        259KB

        MD5

        6839cf40af1495a846cc9660a99c0f30

        SHA1

        ff3a3b473439d2f6e9311252a92f0ea484aae7ad

        SHA256

        d9cdaa6e8521484977f411e391d2b9bbf408c92ab33def3597af9dd17a64c3ce

        SHA512

        10fce8aea141780589c63a7578b0b368787d8401d0bc8001728b066d769d33b63025b4a20576dee966aa17a00af471bb771cb44122aa4a9df24a0f717a55beb5

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1690.exe
        Filesize

        318KB

        MD5

        5e678a094565afc8cbd297dd9e06c54b

        SHA1

        f54f9b60f11d6d63b51aba65c3164138f875dfa0

        SHA256

        5828c8f018bc8b16de6e35bff92ae3d609905b21b93a2e94d56624cb4e140155

        SHA512

        b119274e66ee7459be9602659e6083afe72396911118b15fa6dc06f748fe6f3cda9aba0a061b444456c5b0e40442c0c9befb74d5cd2635d4ab269bfc5ca7ba4c

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1690.exe
        Filesize

        318KB

        MD5

        5e678a094565afc8cbd297dd9e06c54b

        SHA1

        f54f9b60f11d6d63b51aba65c3164138f875dfa0

        SHA256

        5828c8f018bc8b16de6e35bff92ae3d609905b21b93a2e94d56624cb4e140155

        SHA512

        b119274e66ee7459be9602659e6083afe72396911118b15fa6dc06f748fe6f3cda9aba0a061b444456c5b0e40442c0c9befb74d5cd2635d4ab269bfc5ca7ba4c

        Download Submit
      • memory/1604-148-0x0000000000500000-0x000000000052D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1604-149-0x0000000004B10000-0x0000000004B20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1604-150-0x0000000004B20000-0x00000000050C4000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/1604-151-0x0000000002420000-0x0000000002432000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1604-152-0x0000000002420000-0x0000000002432000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1604-154-0x0000000002420000-0x0000000002432000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1604-156-0x0000000002420000-0x0000000002432000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1604-158-0x0000000002420000-0x0000000002432000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1604-160-0x0000000002420000-0x0000000002432000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1604-162-0x0000000002420000-0x0000000002432000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1604-164-0x0000000002420000-0x0000000002432000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1604-166-0x0000000002420000-0x0000000002432000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1604-168-0x0000000002420000-0x0000000002432000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1604-170-0x0000000002420000-0x0000000002432000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1604-172-0x0000000002420000-0x0000000002432000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1604-174-0x0000000002420000-0x0000000002432000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1604-176-0x0000000002420000-0x0000000002432000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1604-178-0x0000000002420000-0x0000000002432000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1604-179-0x0000000004B10000-0x0000000004B20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1604-180-0x0000000004B10000-0x0000000004B20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1604-181-0x0000000000400000-0x00000000004B1000-memory.dmp
        Filesize

        708KB

        Download
      • memory/1604-182-0x0000000004B10000-0x0000000004B20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1604-184-0x0000000004B10000-0x0000000004B20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1604-185-0x0000000004B10000-0x0000000004B20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1604-186-0x0000000000400000-0x00000000004B1000-memory.dmp
        Filesize

        708KB

        Download
      • memory/2164-191-0x0000000002680000-0x00000000026BF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2164-192-0x0000000002680000-0x00000000026BF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2164-194-0x0000000002680000-0x00000000026BF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2164-196-0x0000000002680000-0x00000000026BF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2164-198-0x0000000002680000-0x00000000026BF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2164-200-0x0000000002680000-0x00000000026BF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2164-202-0x0000000002680000-0x00000000026BF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2164-204-0x0000000002680000-0x00000000026BF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2164-206-0x0000000002680000-0x00000000026BF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2164-208-0x0000000002680000-0x00000000026BF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2164-210-0x0000000002680000-0x00000000026BF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2164-212-0x0000000002680000-0x00000000026BF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2164-214-0x0000000002680000-0x00000000026BF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2164-218-0x0000000002680000-0x00000000026BF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2164-216-0x0000000002680000-0x00000000026BF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2164-222-0x0000000002680000-0x00000000026BF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2164-224-0x0000000002680000-0x00000000026BF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2164-220-0x0000000002680000-0x00000000026BF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2164-306-0x0000000000670000-0x00000000006BB000-memory.dmp
        Filesize

        300KB

        Download
      • memory/2164-308-0x0000000004C10000-0x0000000004C20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2164-310-0x0000000004C10000-0x0000000004C20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2164-312-0x0000000004C10000-0x0000000004C20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2164-1101-0x00000000052D0000-0x00000000058E8000-memory.dmp
        Filesize

        6.1MB

        Download
      • memory/2164-1102-0x00000000058F0000-0x00000000059FA000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/2164-1103-0x0000000004BF0000-0x0000000004C02000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2164-1104-0x0000000005A00000-0x0000000005A3C000-memory.dmp
        Filesize

        240KB

        Download
      • memory/2164-1105-0x0000000004C10000-0x0000000004C20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2164-1106-0x0000000005CF0000-0x0000000005D82000-memory.dmp
        Filesize

        584KB

        Download
      • memory/2164-1107-0x0000000005D90000-0x0000000005DF6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/2164-1109-0x00000000065B0000-0x0000000006626000-memory.dmp
        Filesize

        472KB

        Download
      • memory/2164-1110-0x0000000006630000-0x0000000006680000-memory.dmp
        Filesize

        320KB

        Download
      • memory/2164-1111-0x0000000004C10000-0x0000000004C20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2164-1112-0x0000000004C10000-0x0000000004C20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2164-1113-0x0000000004C10000-0x0000000004C20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2164-1114-0x00000000066C0000-0x0000000006882000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/2164-1115-0x0000000006890000-0x0000000006DBC000-memory.dmp
        Filesize

        5.2MB

        Download
      • memory/2164-1116-0x0000000004C10000-0x0000000004C20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3436-1122-0x0000000000D70000-0x0000000000DA2000-memory.dmp
        Filesize

        200KB

        Download
      • memory/3436-1123-0x00000000055E0000-0x00000000055F0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3436-1124-0x00000000055E0000-0x00000000055F0000-memory.dmp
        Filesize

        64KB

        Download