Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    31-03-2023 19:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6a48f69d87ab194f14fcbfc3e79218ca08959908f44d7bee8c3065d01c4d674c.exe

  • Size

    672KB

  • MD5

    a55a1adc7874b397d14d42d8454eaaf9

  • SHA1

    ba93148e18ae61d1538bdd4c840ea1a818577bbc

  • SHA256

    6a48f69d87ab194f14fcbfc3e79218ca08959908f44d7bee8c3065d01c4d674c

  • SHA512

    027f2ddb48ec59bb971bc7358a0d977868bffbdd7703ff5c5184939b96b31697c7f015917de67a3744227119cec133b7713b2a77adba0497d9ee3e56e805dc13

  • SSDEEP

    12288:+Mrjy90Ze+k1L4aypxQjVM/vWibV4yphkTOblrYma5hO7Ez:ZyP+k1L4aaQjVcZlhlbejx

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 23 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a48f69d87ab194f14fcbfc3e79218ca08959908f44d7bee8c3065d01c4d674c.exe
    "C:\Users\Admin\AppData\Local\Temp\6a48f69d87ab194f14fcbfc3e79218ca08959908f44d7bee8c3065d01c4d674c.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2140
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un644027.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un644027.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2368
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4431.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4431.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2540
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3012.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3012.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3960
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si829254.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si829254.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si829254.exe
    Filesize

    175KB

    MD5

    a0575e970adb4f6a825c5c71fc52fc58

    SHA1

    e066063833492a04323fec98bc5127e7d9218e88

    SHA256

    42196df2819241e9e0087dc70d4fd70b7e85b43cd228ee531456f6a5c6806527

    SHA512

    a7150e6e5b21b333b03bac913d36c6ccdbdb7c98262a760aae33ee55b84aaf3b1e422ca2933f87baac869f66b5e8d51f0921795255fe6f97f94af5d57721d3fe

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si829254.exe
    Filesize

    175KB

    MD5

    a0575e970adb4f6a825c5c71fc52fc58

    SHA1

    e066063833492a04323fec98bc5127e7d9218e88

    SHA256

    42196df2819241e9e0087dc70d4fd70b7e85b43cd228ee531456f6a5c6806527

    SHA512

    a7150e6e5b21b333b03bac913d36c6ccdbdb7c98262a760aae33ee55b84aaf3b1e422ca2933f87baac869f66b5e8d51f0921795255fe6f97f94af5d57721d3fe

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un644027.exe
    Filesize

    530KB

    MD5

    148355f605dfcf02b37b87e118b23dd7

    SHA1

    221bd70677640ee618bf00a7fee0be35046252c3

    SHA256

    bcf822a4e03bfe5eb080bfba042e5bfe92ebb74762c4f5faa94c0acddb7a5ad3

    SHA512

    1e34cb1d8394e2e9c4e4f1516440ed28a857f0aa960145cc40c7ff39330ee14e6bd716161bb55c1f0e4b895a665053c1214976a27411cbd8db20cd49f55369c7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un644027.exe
    Filesize

    530KB

    MD5

    148355f605dfcf02b37b87e118b23dd7

    SHA1

    221bd70677640ee618bf00a7fee0be35046252c3

    SHA256

    bcf822a4e03bfe5eb080bfba042e5bfe92ebb74762c4f5faa94c0acddb7a5ad3

    SHA512

    1e34cb1d8394e2e9c4e4f1516440ed28a857f0aa960145cc40c7ff39330ee14e6bd716161bb55c1f0e4b895a665053c1214976a27411cbd8db20cd49f55369c7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4431.exe
    Filesize

    260KB

    MD5

    8ec818c055d8294f1d8599f7aaf93d98

    SHA1

    9fa1065a2280fe4f32d634bcd1434983a37d1c5b

    SHA256

    24eff3cb215a75d73d49ccd87f0e05010b604e9a025f675ff87574cab2a3ada1

    SHA512

    b96f17c5f3d55df9e7b2e67c4df9fafedccee87c1a53e452a6f59d32871709aef4160a4520857631f5520b36da835214fd3026b4e710ce2e3c775fc66e80e1c7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4431.exe
    Filesize

    260KB

    MD5

    8ec818c055d8294f1d8599f7aaf93d98

    SHA1

    9fa1065a2280fe4f32d634bcd1434983a37d1c5b

    SHA256

    24eff3cb215a75d73d49ccd87f0e05010b604e9a025f675ff87574cab2a3ada1

    SHA512

    b96f17c5f3d55df9e7b2e67c4df9fafedccee87c1a53e452a6f59d32871709aef4160a4520857631f5520b36da835214fd3026b4e710ce2e3c775fc66e80e1c7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3012.exe
    Filesize

    318KB

    MD5

    40c6e391ec35af4cbeec5aded1377d4b

    SHA1

    51d2b3949c0dccac34809fef2f01a2305b105d8e

    SHA256

    185f0a485c3c2972a628cb8526a8b042e0604efe1752969298e89224733b8f78

    SHA512

    61f9e55406b0c31375d2774c24c2cdadba2b94862af86335e2280fac65fd351ec97e34fe5f07b5feff558c24235600c981330208b912a64973d3e7028e578eed

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3012.exe
    Filesize

    318KB

    MD5

    40c6e391ec35af4cbeec5aded1377d4b

    SHA1

    51d2b3949c0dccac34809fef2f01a2305b105d8e

    SHA256

    185f0a485c3c2972a628cb8526a8b042e0604efe1752969298e89224733b8f78

    SHA512

    61f9e55406b0c31375d2774c24c2cdadba2b94862af86335e2280fac65fd351ec97e34fe5f07b5feff558c24235600c981330208b912a64973d3e7028e578eed

    Download Submit
  • memory/2540-136-0x00000000001D0000-0x00000000001FD000-memory.dmp
    Filesize

    180KB

    Download
  • memory/2540-137-0x0000000000860000-0x000000000087A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2540-138-0x0000000004AC0000-0x0000000004FBE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2540-139-0x0000000002230000-0x0000000002248000-memory.dmp
    Filesize

    96KB

    Download
  • memory/2540-140-0x0000000002230000-0x0000000002242000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2540-141-0x0000000002230000-0x0000000002242000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2540-143-0x0000000002230000-0x0000000002242000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2540-145-0x0000000002230000-0x0000000002242000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2540-151-0x0000000002230000-0x0000000002242000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2540-153-0x0000000002230000-0x0000000002242000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2540-149-0x0000000002230000-0x0000000002242000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2540-155-0x0000000002230000-0x0000000002242000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2540-157-0x0000000002230000-0x0000000002242000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2540-159-0x0000000002230000-0x0000000002242000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2540-161-0x0000000002230000-0x0000000002242000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2540-167-0x0000000002230000-0x0000000002242000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2540-165-0x0000000002230000-0x0000000002242000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2540-163-0x0000000002230000-0x0000000002242000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2540-147-0x0000000002230000-0x0000000002242000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2540-168-0x0000000004AB0000-0x0000000004AC0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2540-169-0x0000000004AB0000-0x0000000004AC0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2540-170-0x0000000004AB0000-0x0000000004AC0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2540-171-0x0000000000400000-0x00000000004B1000-memory.dmp
    Filesize

    708KB

    Download
  • memory/2540-173-0x0000000000400000-0x00000000004B1000-memory.dmp
    Filesize

    708KB

    Download
  • memory/3960-182-0x00000000024D0000-0x000000000250F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3960-399-0x0000000004B60000-0x0000000004B70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3960-180-0x00000000024D0000-0x0000000002514000-memory.dmp
    Filesize

    272KB

    Download
  • memory/3960-181-0x00000000024D0000-0x000000000250F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3960-178-0x0000000000590000-0x00000000005DB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/3960-184-0x00000000024D0000-0x000000000250F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3960-186-0x00000000024D0000-0x000000000250F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3960-188-0x00000000024D0000-0x000000000250F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3960-190-0x00000000024D0000-0x000000000250F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3960-194-0x00000000024D0000-0x000000000250F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3960-192-0x00000000024D0000-0x000000000250F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3960-196-0x00000000024D0000-0x000000000250F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3960-198-0x00000000024D0000-0x000000000250F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3960-200-0x00000000024D0000-0x000000000250F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3960-202-0x00000000024D0000-0x000000000250F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3960-204-0x00000000024D0000-0x000000000250F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3960-206-0x00000000024D0000-0x000000000250F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3960-208-0x00000000024D0000-0x000000000250F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3960-210-0x00000000024D0000-0x000000000250F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3960-212-0x00000000024D0000-0x000000000250F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3960-214-0x00000000024D0000-0x000000000250F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/3960-179-0x0000000000780000-0x00000000007C6000-memory.dmp
    Filesize

    280KB

    Download
  • memory/3960-402-0x0000000004B60000-0x0000000004B70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3960-404-0x0000000004B60000-0x0000000004B70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3960-1090-0x0000000005070000-0x0000000005676000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/3960-1091-0x0000000005680000-0x000000000578A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/3960-1092-0x00000000057A0000-0x00000000057B2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/3960-1093-0x00000000057C0000-0x00000000057FE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/3960-1094-0x0000000005910000-0x000000000595B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/3960-1095-0x0000000004B60000-0x0000000004B70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3960-1097-0x0000000005AA0000-0x0000000005B32000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3960-1098-0x0000000005B40000-0x0000000005BA6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3960-1100-0x00000000062A0000-0x00000000062F0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3960-1099-0x0000000006200000-0x0000000006276000-memory.dmp
    Filesize

    472KB

    Download
  • memory/3960-1101-0x0000000006320000-0x00000000064E2000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/3960-1102-0x0000000006500000-0x0000000006A2C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/3960-1104-0x0000000004B60000-0x0000000004B70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3960-1105-0x0000000004B60000-0x0000000004B70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3960-1103-0x0000000004B60000-0x0000000004B70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3960-1106-0x0000000004B60000-0x0000000004B70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4728-1112-0x0000000000CD0000-0x0000000000D02000-memory.dmp
    Filesize

    200KB

    Download
  • memory/4728-1113-0x0000000005710000-0x000000000575B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4728-1114-0x0000000005890000-0x00000000058A0000-memory.dmp
    Filesize

    64KB

    Download