Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    85s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-03-2023 20:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    129a54a8611b59eac1f1f2b06f98cad7ab091f27abbeacedfe853d44ebf4935d.exe

  • Size

    533KB

  • MD5

    0b1df7f9259bfd4df96a28c5abbdcffb

  • SHA1

    c0746878aa00ea36b0474733a3294f99be4aa1b0

  • SHA256

    129a54a8611b59eac1f1f2b06f98cad7ab091f27abbeacedfe853d44ebf4935d

  • SHA512

    5f0a41e028bd33ebc52ee9994cb7c3d5ef1377bdb86271d8e91d267f5f4c08f731ea11de22b771d4a0a82d02a2d5e08442f574d075727f463280cec027bbae2a

  • SSDEEP

    12288:MMriy90NAfu/ZPpD6IH6c6n3LqCG1h6PE1:2ysAfu/ZPpDdH6/n3GC5C

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\129a54a8611b59eac1f1f2b06f98cad7ab091f27abbeacedfe853d44ebf4935d.exe
    "C:\Users\Admin\AppData\Local\Temp\129a54a8611b59eac1f1f2b06f98cad7ab091f27abbeacedfe853d44ebf4935d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4892
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYX4928.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYX4928.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4240
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr895522.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr895522.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1120
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku823799.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku823799.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1340
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 1376
          4⤵
          • Program crash
          PID:4648
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr418907.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr418907.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:996
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1340 -ip 1340
    1⤵
      PID:3756

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr418907.exe
      Filesize

      175KB

      MD5

      efa370cacd287d7a84a64bd56208475c

      SHA1

      4ad8d948901b05d2be16fc6b93a5d1dbddf97612

      SHA256

      d211e6eb8810f4f9b16f2c1ca8f03622394d20128f389ce9b20e58d9bde71ae8

      SHA512

      f854249da4bed654dfe84aa013975a8eb74a0082334213d5a8487f442d1b4cd2185aa3b1d30c1fae250d3d9b96a2283148e977e0e1e77701353706276982c2d6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr418907.exe
      Filesize

      175KB

      MD5

      efa370cacd287d7a84a64bd56208475c

      SHA1

      4ad8d948901b05d2be16fc6b93a5d1dbddf97612

      SHA256

      d211e6eb8810f4f9b16f2c1ca8f03622394d20128f389ce9b20e58d9bde71ae8

      SHA512

      f854249da4bed654dfe84aa013975a8eb74a0082334213d5a8487f442d1b4cd2185aa3b1d30c1fae250d3d9b96a2283148e977e0e1e77701353706276982c2d6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYX4928.exe
      Filesize

      391KB

      MD5

      3f7af7360ecf3438332a10872dff697f

      SHA1

      9ab8a2733ca83d36abaf17ec9f187bc643d4f2cd

      SHA256

      7d0ea3bc3354d2620f80ba9379332d56a810cc72c70a2e30dd9de9c14d03bb4c

      SHA512

      c6d1508d7540ea850488827186c7b3f9d1eae6577296668b0a2c9f5d950d32e61cbf18cb363775521aba4ca6464884dcd4abadc8fefb39e9199162b0376a1699

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYX4928.exe
      Filesize

      391KB

      MD5

      3f7af7360ecf3438332a10872dff697f

      SHA1

      9ab8a2733ca83d36abaf17ec9f187bc643d4f2cd

      SHA256

      7d0ea3bc3354d2620f80ba9379332d56a810cc72c70a2e30dd9de9c14d03bb4c

      SHA512

      c6d1508d7540ea850488827186c7b3f9d1eae6577296668b0a2c9f5d950d32e61cbf18cb363775521aba4ca6464884dcd4abadc8fefb39e9199162b0376a1699

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr895522.exe
      Filesize

      11KB

      MD5

      7d2cfcff3ca68fcc3095f17a1c88dab2

      SHA1

      40d0d506888ee124c6165f52680604988fe6a403

      SHA256

      41164d42beb746ade5ed1304a5c48494b3f59c440644cc15940e9dec33d9e3b9

      SHA512

      4e8cb9ed743e39b1ab652e882304e4fe9806437d6f4cb36443b455bd3f0340cc9b3109bc16f3bcb3226db4835f1a29c81d72baf1e6daaf39182d133d6beeabff

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr895522.exe
      Filesize

      11KB

      MD5

      7d2cfcff3ca68fcc3095f17a1c88dab2

      SHA1

      40d0d506888ee124c6165f52680604988fe6a403

      SHA256

      41164d42beb746ade5ed1304a5c48494b3f59c440644cc15940e9dec33d9e3b9

      SHA512

      4e8cb9ed743e39b1ab652e882304e4fe9806437d6f4cb36443b455bd3f0340cc9b3109bc16f3bcb3226db4835f1a29c81d72baf1e6daaf39182d133d6beeabff

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku823799.exe
      Filesize

      359KB

      MD5

      fb0354f0ad3acadfef438e33873bc553

      SHA1

      837956e0a72c7f4b4fdeb44561fe251acbd1f7d4

      SHA256

      f872bab6cb7cda69180ccf50228775d15aaaa11b26323c7504a7bd62aabd5369

      SHA512

      fb6471f507a2141cbe8c5805228aed01adfc717ed8b5bc6da3cfe394cd6d43609f243a0a4bacfb6ca1315145282d15a61cc21edfb71dc8c1eebbeac636fd7098

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku823799.exe
      Filesize

      359KB

      MD5

      fb0354f0ad3acadfef438e33873bc553

      SHA1

      837956e0a72c7f4b4fdeb44561fe251acbd1f7d4

      SHA256

      f872bab6cb7cda69180ccf50228775d15aaaa11b26323c7504a7bd62aabd5369

      SHA512

      fb6471f507a2141cbe8c5805228aed01adfc717ed8b5bc6da3cfe394cd6d43609f243a0a4bacfb6ca1315145282d15a61cc21edfb71dc8c1eebbeac636fd7098

      Download Submit
    • memory/996-1086-0x0000000000E40000-0x0000000000E72000-memory.dmp
      Filesize

      200KB

      Download
    • memory/996-1087-0x00000000057A0000-0x00000000057B0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/996-1088-0x00000000057A0000-0x00000000057B0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1120-147-0x00000000003E0000-0x00000000003EA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1340-189-0x00000000060D0000-0x000000000610F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1340-203-0x00000000060D0000-0x000000000610F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1340-155-0x0000000006220000-0x0000000006230000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1340-157-0x0000000006220000-0x0000000006230000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1340-158-0x00000000060D0000-0x000000000610F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1340-159-0x00000000060D0000-0x000000000610F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1340-161-0x00000000060D0000-0x000000000610F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1340-163-0x00000000060D0000-0x000000000610F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1340-165-0x00000000060D0000-0x000000000610F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1340-167-0x00000000060D0000-0x000000000610F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1340-169-0x00000000060D0000-0x000000000610F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1340-171-0x00000000060D0000-0x000000000610F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1340-173-0x00000000060D0000-0x000000000610F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1340-175-0x00000000060D0000-0x000000000610F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1340-177-0x00000000060D0000-0x000000000610F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1340-179-0x00000000060D0000-0x000000000610F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1340-181-0x00000000060D0000-0x000000000610F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1340-183-0x00000000060D0000-0x000000000610F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1340-185-0x00000000060D0000-0x000000000610F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1340-187-0x00000000060D0000-0x000000000610F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1340-154-0x0000000003780000-0x00000000037CB000-memory.dmp
      Filesize

      300KB

      Download
    • memory/1340-191-0x00000000060D0000-0x000000000610F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1340-193-0x00000000060D0000-0x000000000610F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1340-195-0x00000000060D0000-0x000000000610F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1340-197-0x00000000060D0000-0x000000000610F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1340-199-0x00000000060D0000-0x000000000610F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1340-201-0x00000000060D0000-0x000000000610F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1340-156-0x0000000006220000-0x0000000006230000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1340-205-0x00000000060D0000-0x000000000610F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1340-207-0x00000000060D0000-0x000000000610F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1340-209-0x00000000060D0000-0x000000000610F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1340-211-0x00000000060D0000-0x000000000610F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1340-213-0x00000000060D0000-0x000000000610F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1340-215-0x00000000060D0000-0x000000000610F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1340-217-0x00000000060D0000-0x000000000610F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1340-219-0x00000000060D0000-0x000000000610F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1340-221-0x00000000060D0000-0x000000000610F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1340-1064-0x00000000068E0000-0x0000000006EF8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/1340-1065-0x0000000006F00000-0x000000000700A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1340-1066-0x0000000007020000-0x0000000007032000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1340-1067-0x0000000007040000-0x000000000707C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/1340-1068-0x0000000006220000-0x0000000006230000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1340-1070-0x0000000006220000-0x0000000006230000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1340-1071-0x0000000006220000-0x0000000006230000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1340-1072-0x0000000006220000-0x0000000006230000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1340-1073-0x0000000006220000-0x0000000006230000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1340-1074-0x0000000007470000-0x0000000007502000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1340-1075-0x0000000007510000-0x0000000007576000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1340-153-0x0000000006230000-0x00000000067D4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1340-1077-0x0000000007FB0000-0x0000000008026000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1340-1078-0x0000000008050000-0x00000000080A0000-memory.dmp
      Filesize

      320KB

      Download
    • memory/1340-1079-0x00000000080D0000-0x0000000008292000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/1340-1080-0x00000000082A0000-0x00000000087CC000-memory.dmp
      Filesize

      5.2MB

      Download