Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    83s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-03-2023 20:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dc999cf17943726fb30b1333f3c7f5743b20c930bf517a8d38e90e035b7d8cad.exe

  • Size

    533KB

  • MD5

    a73c9862220decafbdd70c75aebc088c

  • SHA1

    6371770bc6e86bc9d2c3c29a7f2d5e62763fc4a2

  • SHA256

    dc999cf17943726fb30b1333f3c7f5743b20c930bf517a8d38e90e035b7d8cad

  • SHA512

    8439100e55265afc2606d773f6a3800fc799b3e23024b43a084d270147de39a11628919649263bdd6255f775a9a61d767af1e9aa1bdd3006501bdc76369b69a4

  • SSDEEP

    12288:wMrcy90jkkXMk+aLlx8WKyh63LqaUpgZBJLHTl:8y2mk+ap163Gae0THZ

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 34 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc999cf17943726fb30b1333f3c7f5743b20c930bf517a8d38e90e035b7d8cad.exe
    "C:\Users\Admin\AppData\Local\Temp\dc999cf17943726fb30b1333f3c7f5743b20c930bf517a8d38e90e035b7d8cad.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1564
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziek3323.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziek3323.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4716
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr669170.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr669170.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:772
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku423093.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku423093.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2072
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 1320
          4⤵
          • Program crash
          PID:3344
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr705172.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr705172.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4180
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2072 -ip 2072
    1⤵
      PID:3384

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr705172.exe
      Filesize

      175KB

      MD5

      35eb3c5a7220feab3dca3fe4aec04713

      SHA1

      29a18d4513d31d0c28690388cc2819236be9c498

      SHA256

      638fcf5f14c943d2c43845033ac73c8cb902321369cabbf4ec9fd9f300cc7aae

      SHA512

      16be2316689c3415950b78ef921a488d8e31c1406aa9ead1a4066088a8180c9c78d869017c97cf7ea89b471c9c11e0fb30a5f0d50a0d4d95476cba3092cdf96d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr705172.exe
      Filesize

      175KB

      MD5

      35eb3c5a7220feab3dca3fe4aec04713

      SHA1

      29a18d4513d31d0c28690388cc2819236be9c498

      SHA256

      638fcf5f14c943d2c43845033ac73c8cb902321369cabbf4ec9fd9f300cc7aae

      SHA512

      16be2316689c3415950b78ef921a488d8e31c1406aa9ead1a4066088a8180c9c78d869017c97cf7ea89b471c9c11e0fb30a5f0d50a0d4d95476cba3092cdf96d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziek3323.exe
      Filesize

      391KB

      MD5

      721b34d98087bf3ea8fda6c5c2877b2f

      SHA1

      2adcc268f18fae4636b5c4f6f6771a89b2b78aea

      SHA256

      09c7b20c0db6a1c89d2e7577875dd45528ee7578d6a3824c9d6fd43ae7960255

      SHA512

      08be26c6454442702f70dd1ef37de6d0afba38fcad0bf859571fe7fe01abe38c5fc31e33c44372ef59a712d184805e7b6316bbf4c704d6024fcd8b9872e22b88

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziek3323.exe
      Filesize

      391KB

      MD5

      721b34d98087bf3ea8fda6c5c2877b2f

      SHA1

      2adcc268f18fae4636b5c4f6f6771a89b2b78aea

      SHA256

      09c7b20c0db6a1c89d2e7577875dd45528ee7578d6a3824c9d6fd43ae7960255

      SHA512

      08be26c6454442702f70dd1ef37de6d0afba38fcad0bf859571fe7fe01abe38c5fc31e33c44372ef59a712d184805e7b6316bbf4c704d6024fcd8b9872e22b88

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr669170.exe
      Filesize

      11KB

      MD5

      360e3fa69dbe40b04ea77d605b4db873

      SHA1

      cb401fc0949a6f6d577eb81c3d2357cbc8eea933

      SHA256

      285bba60aa2ef8f467c94b134d4cec61b0d7ecc188377a4acdcd57a227afb512

      SHA512

      ca6828e26851738b77746c21f6f0271abaf5953dd23533b12e90b5f27931a7d370d7f3b9f5d2386e48ce6bbca8d908174f0ad976f780698f85d63a029e9081ad

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr669170.exe
      Filesize

      11KB

      MD5

      360e3fa69dbe40b04ea77d605b4db873

      SHA1

      cb401fc0949a6f6d577eb81c3d2357cbc8eea933

      SHA256

      285bba60aa2ef8f467c94b134d4cec61b0d7ecc188377a4acdcd57a227afb512

      SHA512

      ca6828e26851738b77746c21f6f0271abaf5953dd23533b12e90b5f27931a7d370d7f3b9f5d2386e48ce6bbca8d908174f0ad976f780698f85d63a029e9081ad

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku423093.exe
      Filesize

      359KB

      MD5

      6f9f946bbce06e4da45a45862b83c5a2

      SHA1

      a05914f220aa47b603ff1e36959f7150c787494f

      SHA256

      8155a3b3778da39c701ad6d43d7c47d1436c3fc81a58f5f2d1fed5162a77b6fd

      SHA512

      e9bfc17e5a96291c0ac27423a5e639c36237bfff760f35187266dd96a8d320c324075a0c2932ae510a35c7b49bda925b998072abb78aea8a6c0e8509f60c5e30

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku423093.exe
      Filesize

      359KB

      MD5

      6f9f946bbce06e4da45a45862b83c5a2

      SHA1

      a05914f220aa47b603ff1e36959f7150c787494f

      SHA256

      8155a3b3778da39c701ad6d43d7c47d1436c3fc81a58f5f2d1fed5162a77b6fd

      SHA512

      e9bfc17e5a96291c0ac27423a5e639c36237bfff760f35187266dd96a8d320c324075a0c2932ae510a35c7b49bda925b998072abb78aea8a6c0e8509f60c5e30

      Download Submit
    • memory/772-147-0x00000000007D0000-0x00000000007DA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2072-153-0x0000000001C50000-0x0000000001C9B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/2072-154-0x0000000006170000-0x0000000006714000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/2072-155-0x0000000003C90000-0x0000000003CCF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2072-156-0x0000000003C90000-0x0000000003CCF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2072-158-0x0000000003C90000-0x0000000003CCF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2072-160-0x0000000003C90000-0x0000000003CCF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2072-162-0x0000000003C90000-0x0000000003CCF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2072-164-0x0000000003C90000-0x0000000003CCF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2072-166-0x0000000003C90000-0x0000000003CCF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2072-168-0x0000000003CD0000-0x0000000003CE0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2072-169-0x0000000003C90000-0x0000000003CCF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2072-170-0x0000000003CD0000-0x0000000003CE0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2072-173-0x0000000003CD0000-0x0000000003CE0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2072-172-0x0000000003C90000-0x0000000003CCF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2072-175-0x0000000003C90000-0x0000000003CCF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2072-177-0x0000000003C90000-0x0000000003CCF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2072-179-0x0000000003C90000-0x0000000003CCF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2072-181-0x0000000003C90000-0x0000000003CCF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2072-183-0x0000000003C90000-0x0000000003CCF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2072-185-0x0000000003C90000-0x0000000003CCF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2072-187-0x0000000003C90000-0x0000000003CCF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2072-189-0x0000000003C90000-0x0000000003CCF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2072-191-0x0000000003C90000-0x0000000003CCF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2072-193-0x0000000003C90000-0x0000000003CCF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2072-195-0x0000000003C90000-0x0000000003CCF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2072-197-0x0000000003C90000-0x0000000003CCF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2072-199-0x0000000003C90000-0x0000000003CCF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2072-201-0x0000000003C90000-0x0000000003CCF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2072-203-0x0000000003C90000-0x0000000003CCF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2072-205-0x0000000003C90000-0x0000000003CCF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2072-207-0x0000000003C90000-0x0000000003CCF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2072-209-0x0000000003C90000-0x0000000003CCF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2072-211-0x0000000003C90000-0x0000000003CCF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2072-213-0x0000000003C90000-0x0000000003CCF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2072-215-0x0000000003C90000-0x0000000003CCF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2072-217-0x0000000003C90000-0x0000000003CCF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2072-219-0x0000000003C90000-0x0000000003CCF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2072-221-0x0000000003C90000-0x0000000003CCF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2072-1064-0x0000000006860000-0x0000000006E78000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/2072-1065-0x0000000006EE0000-0x0000000006FEA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/2072-1066-0x0000000007020000-0x0000000007032000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2072-1067-0x0000000007080000-0x00000000070BC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/2072-1068-0x0000000003CD0000-0x0000000003CE0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2072-1070-0x0000000007330000-0x0000000007396000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2072-1071-0x0000000003CD0000-0x0000000003CE0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2072-1072-0x0000000003CD0000-0x0000000003CE0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2072-1073-0x0000000003CD0000-0x0000000003CE0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2072-1074-0x00000000079F0000-0x0000000007A82000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2072-1075-0x0000000007C00000-0x0000000007DC2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/2072-1076-0x0000000007DD0000-0x00000000082FC000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/2072-1077-0x0000000008420000-0x0000000008496000-memory.dmp
      Filesize

      472KB

      Download
    • memory/2072-1078-0x00000000084C0000-0x0000000008510000-memory.dmp
      Filesize

      320KB

      Download
    • memory/2072-1079-0x0000000003CD0000-0x0000000003CE0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4180-1085-0x00000000002E0000-0x0000000000312000-memory.dmp
      Filesize

      200KB

      Download
    • memory/4180-1086-0x0000000004E90000-0x0000000004EA0000-memory.dmp
      Filesize

      64KB

      Download