Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    54s
  • max time network
    56s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    31-03-2023 19:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8807822c72d919011fd90506de21d022406567fa332565147a02e9c01cfed9c9.exe

  • Size

    533KB

  • MD5

    50310ccd15e336d27645279541d37f54

  • SHA1

    59543396098ceea2e4df5fa7315d313a019c2acd

  • SHA256

    8807822c72d919011fd90506de21d022406567fa332565147a02e9c01cfed9c9

  • SHA512

    e7669e30765aa9fbfac9b8ff8029ce5a3a514dd5a2f52e9ed1e41ffcb8e74d1aff474403371b9e8dc2caf32b9a29f597fe0773c72ca09f2e6e5da7ac5e889eb8

  • SSDEEP

    12288:zMryy90PAp8omGF8aWczwlcw2XNJObQri4QJMl:lyhJW8ccwxb93il

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8807822c72d919011fd90506de21d022406567fa332565147a02e9c01cfed9c9.exe
    "C:\Users\Admin\AppData\Local\Temp\8807822c72d919011fd90506de21d022406567fa332565147a02e9c01cfed9c9.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3980
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixL0043.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixL0043.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3776
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr085301.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr085301.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3088
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku450778.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku450778.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4392
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr758531.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr758531.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr758531.exe
    Filesize

    175KB

    MD5

    7f0d8feae38a42f66e349efe590b0c2b

    SHA1

    abd0e59a56b74dad0aed9126b48d616731323a51

    SHA256

    816bda5336520d9fa191372b4ef09800a310149c7c63ee1329a6f5febcd0acc6

    SHA512

    4c1fa015cc6b7c47828ae877c27a451ff622588adcf4ae3a26ab3ace53f397e1f6127e56dcf3cb9f9e999ee148312064028f780c39cb5122927865b838d8fe36

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr758531.exe
    Filesize

    175KB

    MD5

    7f0d8feae38a42f66e349efe590b0c2b

    SHA1

    abd0e59a56b74dad0aed9126b48d616731323a51

    SHA256

    816bda5336520d9fa191372b4ef09800a310149c7c63ee1329a6f5febcd0acc6

    SHA512

    4c1fa015cc6b7c47828ae877c27a451ff622588adcf4ae3a26ab3ace53f397e1f6127e56dcf3cb9f9e999ee148312064028f780c39cb5122927865b838d8fe36

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixL0043.exe
    Filesize

    391KB

    MD5

    3cddc19dbe594be341725e92b376f71a

    SHA1

    52ed20e348156cb0abd8beb17f61d332be0f1237

    SHA256

    b189539cec827e7011ffc0d93c11839664289dc93476390211267b9520d6fe8d

    SHA512

    87087a665488c2035c00211abff4dc27e3a855593ee3410d2a089aa8acee98831c4601ed560de9be2a469264faf1204ea4c8c20dd4c4bb104ce6fbe25f7b17a3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixL0043.exe
    Filesize

    391KB

    MD5

    3cddc19dbe594be341725e92b376f71a

    SHA1

    52ed20e348156cb0abd8beb17f61d332be0f1237

    SHA256

    b189539cec827e7011ffc0d93c11839664289dc93476390211267b9520d6fe8d

    SHA512

    87087a665488c2035c00211abff4dc27e3a855593ee3410d2a089aa8acee98831c4601ed560de9be2a469264faf1204ea4c8c20dd4c4bb104ce6fbe25f7b17a3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr085301.exe
    Filesize

    11KB

    MD5

    8c8064612e3dd3bf83495f4689fe1130

    SHA1

    d856d07c4d9809f1dc27cbd21f83d112474408bd

    SHA256

    2d071ccee39d1906bb9ad3599bab14f9c7c4038d31739f1b0860b0a8141b547b

    SHA512

    1e50a6d5f0d416e337388224d185da68bbf4a64075a1fa6e1491414e3c326b35a0e2a3972cda6c553ac884fbc0df1581ac7b9a9ce898fe6f38e38d6e50f85eb9

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr085301.exe
    Filesize

    11KB

    MD5

    8c8064612e3dd3bf83495f4689fe1130

    SHA1

    d856d07c4d9809f1dc27cbd21f83d112474408bd

    SHA256

    2d071ccee39d1906bb9ad3599bab14f9c7c4038d31739f1b0860b0a8141b547b

    SHA512

    1e50a6d5f0d416e337388224d185da68bbf4a64075a1fa6e1491414e3c326b35a0e2a3972cda6c553ac884fbc0df1581ac7b9a9ce898fe6f38e38d6e50f85eb9

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku450778.exe
    Filesize

    318KB

    MD5

    579a5501fc48fa19fc8df1815ff31ffb

    SHA1

    ac7790c79bfe898c9440aebd0092cd848ae0262c

    SHA256

    9649dc48ce2cf1f6010173001baa5fad12452e0d51bac785c0cb9696864ad90c

    SHA512

    9f37d08afe99c4c3e769096bc19a688da3e2f0124b1e2a45c882855356a8902b5512eb11cbbd74d29d9d9e9e96718c21e98cd65a9661c9b85cc7073b22c7fbe3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku450778.exe
    Filesize

    318KB

    MD5

    579a5501fc48fa19fc8df1815ff31ffb

    SHA1

    ac7790c79bfe898c9440aebd0092cd848ae0262c

    SHA256

    9649dc48ce2cf1f6010173001baa5fad12452e0d51bac785c0cb9696864ad90c

    SHA512

    9f37d08afe99c4c3e769096bc19a688da3e2f0124b1e2a45c882855356a8902b5512eb11cbbd74d29d9d9e9e96718c21e98cd65a9661c9b85cc7073b22c7fbe3

    Download Submit
  • memory/3088-133-0x00000000004D0000-0x00000000004DA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4300-1074-0x0000000000EA0000-0x0000000000ED2000-memory.dmp
    Filesize

    200KB

    Download
  • memory/4300-1076-0x0000000005730000-0x0000000005740000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4300-1075-0x00000000058E0000-0x000000000592B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4392-181-0x0000000004A40000-0x0000000004A7F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4392-189-0x0000000004A40000-0x0000000004A7F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4392-143-0x0000000004B30000-0x0000000004B40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4392-144-0x0000000004B30000-0x0000000004B40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4392-145-0x0000000004B30000-0x0000000004B40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4392-146-0x0000000004A40000-0x0000000004A7F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4392-147-0x0000000004A40000-0x0000000004A7F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4392-149-0x0000000004A40000-0x0000000004A7F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4392-151-0x0000000004A40000-0x0000000004A7F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4392-153-0x0000000004A40000-0x0000000004A7F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4392-155-0x0000000004A40000-0x0000000004A7F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4392-157-0x0000000004A40000-0x0000000004A7F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4392-159-0x0000000004A40000-0x0000000004A7F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4392-161-0x0000000004A40000-0x0000000004A7F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4392-163-0x0000000004A40000-0x0000000004A7F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4392-165-0x0000000004A40000-0x0000000004A7F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4392-167-0x0000000004A40000-0x0000000004A7F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4392-171-0x0000000004A40000-0x0000000004A7F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4392-169-0x0000000004A40000-0x0000000004A7F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4392-173-0x0000000004A40000-0x0000000004A7F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4392-175-0x0000000004A40000-0x0000000004A7F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4392-177-0x0000000004A40000-0x0000000004A7F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4392-141-0x0000000004A40000-0x0000000004A84000-memory.dmp
    Filesize

    272KB

    Download
  • memory/4392-183-0x0000000004A40000-0x0000000004A7F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4392-179-0x0000000004A40000-0x0000000004A7F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4392-185-0x0000000004A40000-0x0000000004A7F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4392-187-0x0000000004A40000-0x0000000004A7F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4392-142-0x00000000006D0000-0x000000000071B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4392-191-0x0000000004A40000-0x0000000004A7F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4392-193-0x0000000004A40000-0x0000000004A7F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4392-197-0x0000000004A40000-0x0000000004A7F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4392-195-0x0000000004A40000-0x0000000004A7F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4392-201-0x0000000004A40000-0x0000000004A7F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4392-203-0x0000000004A40000-0x0000000004A7F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4392-199-0x0000000004A40000-0x0000000004A7F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4392-205-0x0000000004A40000-0x0000000004A7F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4392-207-0x0000000004A40000-0x0000000004A7F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4392-209-0x0000000004A40000-0x0000000004A7F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4392-1052-0x0000000005140000-0x0000000005746000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/4392-1053-0x00000000057A0000-0x00000000058AA000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4392-1054-0x00000000058E0000-0x00000000058F2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4392-1055-0x0000000004B30000-0x0000000004B40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4392-1056-0x0000000005940000-0x000000000597E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4392-1057-0x0000000005A80000-0x0000000005ACB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4392-1059-0x0000000005BE0000-0x0000000005C72000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4392-1060-0x0000000005C80000-0x0000000005CE6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4392-1061-0x0000000004B30000-0x0000000004B40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4392-1062-0x0000000004B30000-0x0000000004B40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4392-1064-0x0000000006480000-0x0000000006642000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/4392-1063-0x0000000004B30000-0x0000000004B40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4392-1065-0x0000000006650000-0x0000000006B7C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4392-140-0x0000000004B40000-0x000000000503E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/4392-139-0x0000000002160000-0x00000000021A6000-memory.dmp
    Filesize

    280KB

    Download
  • memory/4392-1066-0x0000000004B30000-0x0000000004B40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4392-1067-0x0000000006DF0000-0x0000000006E66000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4392-1068-0x0000000006E80000-0x0000000006ED0000-memory.dmp
    Filesize

    320KB

    Download