Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    60s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-03-2023 20:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f87fbf259ef3df7e4b9eb2204b2762bf456a0d9042ff2e66a446453c31a65188.exe

  • Size

    533KB

  • MD5

    0bc297058f44de208a490d4f4d25e218

  • SHA1

    797cd49eb07f7b6002456390def729844fa573c5

  • SHA256

    f87fbf259ef3df7e4b9eb2204b2762bf456a0d9042ff2e66a446453c31a65188

  • SHA512

    2f4a14e72ce3d2f8f64b5099195d17a3e3c2a6a4993cc2c5fc8b691546086837910e96bedaeb59bb211a24bda9d20d35cf2e7f09cc2c70a8f27dacbe7129cbb8

  • SSDEEP

    12288:vMrly90qGbMh+i71m2sl/Gxt6L3rPn3LqcFqvM9ej1vLE:WyiMhj1m2sluxt2n3GcFhGvLE

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f87fbf259ef3df7e4b9eb2204b2762bf456a0d9042ff2e66a446453c31a65188.exe
    "C:\Users\Admin\AppData\Local\Temp\f87fbf259ef3df7e4b9eb2204b2762bf456a0d9042ff2e66a446453c31a65188.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4168
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipj0448.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipj0448.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3508
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr513777.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr513777.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2540
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku985487.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku985487.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4856
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 236
          4⤵
          • Program crash
          PID:3760
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr515750.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr515750.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5024
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4856 -ip 4856
    1⤵
      PID:464

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr515750.exe
      Filesize

      175KB

      MD5

      fe30bb4753087a9cfa58a00b5d95467b

      SHA1

      dd6619ccfe3d4fcc0a9731949a830ea6ea04efbd

      SHA256

      abfdd664ee89ef6335224a8dabf52ec71a4e486a2e9ce15da9d7676febd87bb5

      SHA512

      d97781a94081c409c6d674b63e6bcf5d1cb73aa6a104e62c872b8b05fd29e5775c826af088a578c77a7d2f713312bec2aba67dcffa77636991b526acd494eea2

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr515750.exe
      Filesize

      175KB

      MD5

      fe30bb4753087a9cfa58a00b5d95467b

      SHA1

      dd6619ccfe3d4fcc0a9731949a830ea6ea04efbd

      SHA256

      abfdd664ee89ef6335224a8dabf52ec71a4e486a2e9ce15da9d7676febd87bb5

      SHA512

      d97781a94081c409c6d674b63e6bcf5d1cb73aa6a104e62c872b8b05fd29e5775c826af088a578c77a7d2f713312bec2aba67dcffa77636991b526acd494eea2

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipj0448.exe
      Filesize

      392KB

      MD5

      151609a2d807923d49a4b7fe6d0a81a0

      SHA1

      f8aa5b8d61e0c19d3067e65ccee7454d94db8ab7

      SHA256

      c202bbe83ce665a729edf1a9fe78fea0f3ec08c53915c7a7c125896712ac0444

      SHA512

      7967efe56070f0505656ef0754dac1373b64042fc883a6a174204e18d669cc931f04ee519474a1f52801dbf0617841b2af076d29387c8f21073e38c930d09911

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipj0448.exe
      Filesize

      392KB

      MD5

      151609a2d807923d49a4b7fe6d0a81a0

      SHA1

      f8aa5b8d61e0c19d3067e65ccee7454d94db8ab7

      SHA256

      c202bbe83ce665a729edf1a9fe78fea0f3ec08c53915c7a7c125896712ac0444

      SHA512

      7967efe56070f0505656ef0754dac1373b64042fc883a6a174204e18d669cc931f04ee519474a1f52801dbf0617841b2af076d29387c8f21073e38c930d09911

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr513777.exe
      Filesize

      11KB

      MD5

      1aa707fed5a8592527423bab6d1fdcc8

      SHA1

      13ac8609ecbe1bdab59ab69567a31af9e788882a

      SHA256

      ab1f8cf30dae527528990a04117c8d09c5103a083f6d375929f3ccf3e53add15

      SHA512

      1bde684a930f3721da8ead17d7ecbdc6a25f19d1443bd9b5228a2d2a04ede76a672475f262ec086236a5075a3bdf30d340e3b3bf717644f183d3df190431320b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr513777.exe
      Filesize

      11KB

      MD5

      1aa707fed5a8592527423bab6d1fdcc8

      SHA1

      13ac8609ecbe1bdab59ab69567a31af9e788882a

      SHA256

      ab1f8cf30dae527528990a04117c8d09c5103a083f6d375929f3ccf3e53add15

      SHA512

      1bde684a930f3721da8ead17d7ecbdc6a25f19d1443bd9b5228a2d2a04ede76a672475f262ec086236a5075a3bdf30d340e3b3bf717644f183d3df190431320b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku985487.exe
      Filesize

      359KB

      MD5

      7e97a9123cc709936384fc64bba5f954

      SHA1

      f18bddc3a572d39334330a6ef183a3f279588975

      SHA256

      ec9207f8421a3b7545de08caf41768a866ba342bc49f52e610bc24818b2f6744

      SHA512

      d5d1f663ca4c1b2eff8761bbce3d138755a5b7175bc25c9ae58a3804d13852f583ded0d65e4bfd15f3f1b104febeea3bf928329ebb1e388c0cd35f1cfa093f3a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku985487.exe
      Filesize

      359KB

      MD5

      7e97a9123cc709936384fc64bba5f954

      SHA1

      f18bddc3a572d39334330a6ef183a3f279588975

      SHA256

      ec9207f8421a3b7545de08caf41768a866ba342bc49f52e610bc24818b2f6744

      SHA512

      d5d1f663ca4c1b2eff8761bbce3d138755a5b7175bc25c9ae58a3804d13852f583ded0d65e4bfd15f3f1b104febeea3bf928329ebb1e388c0cd35f1cfa093f3a

      Download Submit
    • memory/2540-147-0x0000000000AD0000-0x0000000000ADA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4856-153-0x0000000003730000-0x000000000377B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/4856-154-0x00000000060E0000-0x00000000060F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4856-155-0x00000000060E0000-0x00000000060F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4856-156-0x00000000060E0000-0x00000000060F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4856-157-0x00000000060F0000-0x0000000006694000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4856-158-0x00000000060A0000-0x00000000060DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4856-159-0x00000000060A0000-0x00000000060DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4856-161-0x00000000060A0000-0x00000000060DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4856-163-0x00000000060A0000-0x00000000060DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4856-165-0x00000000060A0000-0x00000000060DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4856-167-0x00000000060A0000-0x00000000060DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4856-169-0x00000000060A0000-0x00000000060DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4856-171-0x00000000060A0000-0x00000000060DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4856-173-0x00000000060A0000-0x00000000060DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4856-175-0x00000000060A0000-0x00000000060DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4856-177-0x00000000060A0000-0x00000000060DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4856-179-0x00000000060A0000-0x00000000060DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4856-181-0x00000000060A0000-0x00000000060DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4856-183-0x00000000060A0000-0x00000000060DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4856-185-0x00000000060A0000-0x00000000060DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4856-187-0x00000000060A0000-0x00000000060DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4856-189-0x00000000060A0000-0x00000000060DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4856-193-0x00000000060A0000-0x00000000060DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4856-191-0x00000000060A0000-0x00000000060DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4856-195-0x00000000060A0000-0x00000000060DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4856-197-0x00000000060A0000-0x00000000060DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4856-199-0x00000000060A0000-0x00000000060DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4856-201-0x00000000060A0000-0x00000000060DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4856-203-0x00000000060A0000-0x00000000060DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4856-205-0x00000000060A0000-0x00000000060DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4856-207-0x00000000060A0000-0x00000000060DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4856-209-0x00000000060A0000-0x00000000060DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4856-211-0x00000000060A0000-0x00000000060DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4856-213-0x00000000060A0000-0x00000000060DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4856-215-0x00000000060A0000-0x00000000060DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4856-217-0x00000000060A0000-0x00000000060DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4856-219-0x00000000060A0000-0x00000000060DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4856-221-0x00000000060A0000-0x00000000060DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4856-1064-0x0000000006840000-0x0000000006E58000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/4856-1065-0x0000000006EE0000-0x0000000006FEA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/4856-1066-0x0000000007020000-0x0000000007032000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4856-1067-0x0000000007040000-0x000000000707C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/4856-1068-0x00000000060E0000-0x00000000060F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4856-1070-0x00000000060E0000-0x00000000060F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4856-1071-0x00000000060E0000-0x00000000060F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4856-1072-0x0000000007330000-0x0000000007396000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4856-1073-0x0000000007A00000-0x0000000007A92000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4856-1074-0x0000000007AF0000-0x0000000007CB2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/4856-1075-0x0000000007CC0000-0x00000000081EC000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/4856-1076-0x0000000008440000-0x00000000084B6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/4856-1077-0x00000000084C0000-0x0000000008510000-memory.dmp
      Filesize

      320KB

      Download
    • memory/4856-1078-0x00000000060E0000-0x00000000060F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5024-1085-0x0000000000630000-0x0000000000662000-memory.dmp
      Filesize

      200KB

      Download
    • memory/5024-1086-0x0000000004F10000-0x0000000004F20000-memory.dmp
      Filesize

      64KB

      Download