Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    61s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-03-2023 20:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    10c3c26570389422f135ed5e037ecbf7036b229de20b274c52b70d926a9cb1b7.exe

  • Size

    533KB

  • MD5

    cf91b8e4785d01340b515232a0783c38

  • SHA1

    579865b06fe7d63c0c980d12c847148058ed79be

  • SHA256

    10c3c26570389422f135ed5e037ecbf7036b229de20b274c52b70d926a9cb1b7

  • SHA512

    f04d96a82e1cf7254c5b78203b0b6febf9a35b5d0835ff079e4108e4e84aed37f3b5c3cbc03a2f89cb26748d376a642d55323c68c5682b3bed809786ca218d64

  • SSDEEP

    12288:wMruy90hiigaaI2oo0xsFowIN3LqTIWWgfCXsRk:OyYgaBZxCopN3GsBl

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\10c3c26570389422f135ed5e037ecbf7036b229de20b274c52b70d926a9cb1b7.exe
    "C:\Users\Admin\AppData\Local\Temp\10c3c26570389422f135ed5e037ecbf7036b229de20b274c52b70d926a9cb1b7.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2680
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGy8433.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGy8433.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1984
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr288992.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr288992.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4756
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku350220.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku350220.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4144
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 1876
          4⤵
          • Program crash
          PID:4104
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr566332.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr566332.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4056
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4144 -ip 4144
    1⤵
      PID:2580

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr566332.exe
      Filesize

      175KB

      MD5

      fc97b52caf1e887f51b8e21b2459e60a

      SHA1

      0ea50b3738376ea7a1b0ded18aeec3b0c50b7cdc

      SHA256

      b28067989bae8f240fb97ca57ac27cd0250c595f3846751f5eb8d5530d1e33e8

      SHA512

      37a1ed29b18ef352d022ee9c5e94ccafe8eb6e17b1f78ad0945c86152407f15ce2eebf51a09b3fd3ba30c73a9e3bb52444569f7dbf77ad4162099fb4c33e9254

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr566332.exe
      Filesize

      175KB

      MD5

      fc97b52caf1e887f51b8e21b2459e60a

      SHA1

      0ea50b3738376ea7a1b0ded18aeec3b0c50b7cdc

      SHA256

      b28067989bae8f240fb97ca57ac27cd0250c595f3846751f5eb8d5530d1e33e8

      SHA512

      37a1ed29b18ef352d022ee9c5e94ccafe8eb6e17b1f78ad0945c86152407f15ce2eebf51a09b3fd3ba30c73a9e3bb52444569f7dbf77ad4162099fb4c33e9254

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGy8433.exe
      Filesize

      391KB

      MD5

      87f102eb4c0bf6b1989c1481c01fdcb8

      SHA1

      23ff912f45e4e66c2f5ed1c7dfdd545f89147155

      SHA256

      e1c52ff6c1d7b9ed09d1996ac35c0e402dc68f5f276f8f3284a104d592931dcb

      SHA512

      bf5b3cf12c8d7fe1ad163760a4a558b42b77397bf6b0fb683d7e829954e59aca22ff1d82e1ac20b445bc12b0c774a67d59caf0cd561aa83ba6860faeeb6ec378

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGy8433.exe
      Filesize

      391KB

      MD5

      87f102eb4c0bf6b1989c1481c01fdcb8

      SHA1

      23ff912f45e4e66c2f5ed1c7dfdd545f89147155

      SHA256

      e1c52ff6c1d7b9ed09d1996ac35c0e402dc68f5f276f8f3284a104d592931dcb

      SHA512

      bf5b3cf12c8d7fe1ad163760a4a558b42b77397bf6b0fb683d7e829954e59aca22ff1d82e1ac20b445bc12b0c774a67d59caf0cd561aa83ba6860faeeb6ec378

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr288992.exe
      Filesize

      11KB

      MD5

      8ae9a28dc8e090b3f455032427e65a99

      SHA1

      07f120d19ec3522a9ff8ec35237d748cda1b8450

      SHA256

      34a987981c8737cd20c925ab2ed8df0e4977acfcf12d5432c3118cd9af7f2a05

      SHA512

      a192629f7f4e1136b7703c20ef3b23091f3d79e5732d870518b51167bf08ae654b64617b3ba08265c6b159de1a6fbfb0f4579292fbd07acd65144fa4c3653fd5

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr288992.exe
      Filesize

      11KB

      MD5

      8ae9a28dc8e090b3f455032427e65a99

      SHA1

      07f120d19ec3522a9ff8ec35237d748cda1b8450

      SHA256

      34a987981c8737cd20c925ab2ed8df0e4977acfcf12d5432c3118cd9af7f2a05

      SHA512

      a192629f7f4e1136b7703c20ef3b23091f3d79e5732d870518b51167bf08ae654b64617b3ba08265c6b159de1a6fbfb0f4579292fbd07acd65144fa4c3653fd5

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku350220.exe
      Filesize

      359KB

      MD5

      bfc7546ba4e58b5ec95ca937c3e1e2fc

      SHA1

      ac1180a1aeb7fc3f19942cd4e2687f4be45a0c8e

      SHA256

      0dbfc9a2b15906a0b0fac7f7cfe9c8c6d4c6a838ffbfd86902e302876d5ea86e

      SHA512

      f6e91eeb6f17f2e81f844719ef207ec689bc77495c8381f621262e525f2cb181d349c52c3f7dda393d06e98f463a19272212f7b29ff3f2241f563a8d11f88149

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku350220.exe
      Filesize

      359KB

      MD5

      bfc7546ba4e58b5ec95ca937c3e1e2fc

      SHA1

      ac1180a1aeb7fc3f19942cd4e2687f4be45a0c8e

      SHA256

      0dbfc9a2b15906a0b0fac7f7cfe9c8c6d4c6a838ffbfd86902e302876d5ea86e

      SHA512

      f6e91eeb6f17f2e81f844719ef207ec689bc77495c8381f621262e525f2cb181d349c52c3f7dda393d06e98f463a19272212f7b29ff3f2241f563a8d11f88149

      Download Submit
    • memory/4056-1085-0x0000000000CD0000-0x0000000000D02000-memory.dmp
      Filesize

      200KB

      Download
    • memory/4056-1086-0x0000000005930000-0x0000000005940000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4144-188-0x00000000066F0000-0x000000000672F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4144-198-0x00000000066F0000-0x000000000672F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4144-155-0x0000000003CB0000-0x0000000003CC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4144-156-0x0000000003CB0000-0x0000000003CC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4144-157-0x00000000066F0000-0x000000000672F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4144-158-0x00000000066F0000-0x000000000672F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4144-160-0x00000000066F0000-0x000000000672F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4144-162-0x00000000066F0000-0x000000000672F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4144-164-0x00000000066F0000-0x000000000672F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4144-166-0x00000000066F0000-0x000000000672F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4144-168-0x00000000066F0000-0x000000000672F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4144-170-0x00000000066F0000-0x000000000672F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4144-174-0x00000000066F0000-0x000000000672F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4144-172-0x00000000066F0000-0x000000000672F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4144-176-0x00000000066F0000-0x000000000672F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4144-178-0x00000000066F0000-0x000000000672F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4144-180-0x00000000066F0000-0x000000000672F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4144-182-0x00000000066F0000-0x000000000672F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4144-184-0x00000000066F0000-0x000000000672F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4144-186-0x00000000066F0000-0x000000000672F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4144-153-0x0000000001C90000-0x0000000001CDB000-memory.dmp
      Filesize

      300KB

      Download
    • memory/4144-190-0x00000000066F0000-0x000000000672F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4144-192-0x00000000066F0000-0x000000000672F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4144-194-0x00000000066F0000-0x000000000672F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4144-196-0x00000000066F0000-0x000000000672F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4144-154-0x0000000006140000-0x00000000066E4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4144-200-0x00000000066F0000-0x000000000672F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4144-202-0x00000000066F0000-0x000000000672F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4144-204-0x00000000066F0000-0x000000000672F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4144-206-0x00000000066F0000-0x000000000672F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4144-208-0x00000000066F0000-0x000000000672F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4144-210-0x00000000066F0000-0x000000000672F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4144-212-0x00000000066F0000-0x000000000672F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4144-214-0x00000000066F0000-0x000000000672F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4144-216-0x00000000066F0000-0x000000000672F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4144-218-0x00000000066F0000-0x000000000672F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4144-220-0x00000000066F0000-0x000000000672F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4144-1063-0x0000000006730000-0x0000000006D48000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/4144-1064-0x0000000006DA0000-0x0000000006EAA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/4144-1065-0x0000000006EE0000-0x0000000006EF2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4144-1066-0x0000000003CB0000-0x0000000003CC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4144-1067-0x0000000006F00000-0x0000000006F3C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/4144-1069-0x0000000003CB0000-0x0000000003CC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4144-1070-0x0000000003CB0000-0x0000000003CC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4144-1071-0x0000000003CB0000-0x0000000003CC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4144-1073-0x00000000071F0000-0x0000000007282000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4144-1074-0x0000000007290000-0x00000000072F6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4144-1075-0x0000000007BF0000-0x0000000007C66000-memory.dmp
      Filesize

      472KB

      Download
    • memory/4144-1076-0x0000000007C70000-0x0000000007CC0000-memory.dmp
      Filesize

      320KB

      Download
    • memory/4144-1077-0x0000000007E20000-0x0000000007FE2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/4144-1078-0x0000000008000000-0x000000000852C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/4756-147-0x00000000004B0000-0x00000000004BA000-memory.dmp
      Filesize

      40KB

      Download