Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    84s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-03-2023 20:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3116e2c2d9b9c46c824a3eeafb6a8b6838202d26022836c8b82c03484dd7deff.exe

  • Size

    533KB

  • MD5

    903f2cac40f0a99a881598d021f04181

  • SHA1

    93f180a370e84b8fd8802dc0eaec6de87f32b4a7

  • SHA256

    3116e2c2d9b9c46c824a3eeafb6a8b6838202d26022836c8b82c03484dd7deff

  • SHA512

    99beeef0abeb925c32b49d162263dbdb5c0219c7170da78148d665731df82a6aff1fc5a9ee4096e9a035c7c41f3a50d47a66d129ca998e68a20aed568df267f0

  • SSDEEP

    12288:PMriy90WeLgl/uwiyCfR9p3LqjgAzSnWIP8s:ZyyaRbCZ9p3Gj1sJUs

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3116e2c2d9b9c46c824a3eeafb6a8b6838202d26022836c8b82c03484dd7deff.exe
    "C:\Users\Admin\AppData\Local\Temp\3116e2c2d9b9c46c824a3eeafb6a8b6838202d26022836c8b82c03484dd7deff.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2564
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGk5115.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGk5115.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4780
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr492634.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr492634.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1828
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku457488.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku457488.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4496
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1356
          4⤵
          • Program crash
          PID:3596
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr152029.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr152029.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1752
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4496 -ip 4496
    1⤵
      PID:4148

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr152029.exe
      Filesize

      175KB

      MD5

      b7d2d1a5a0cd2ab1ee11383e3df5438f

      SHA1

      3381868fe3e0f2324ae91f38cb2a0185309f1ea4

      SHA256

      61016f59f2e80d28ff0a1bbd57ae644c9f4743014bb0795ceffe7072cd08731b

      SHA512

      17f245f11431c64fdc91be590eb9070705793391a25179f8fbf09b5b7e7fb6c154826fe96ff11de6d4c448ce1fad791147acc28f090edab21cac47bfb5e7f5f3

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr152029.exe
      Filesize

      175KB

      MD5

      b7d2d1a5a0cd2ab1ee11383e3df5438f

      SHA1

      3381868fe3e0f2324ae91f38cb2a0185309f1ea4

      SHA256

      61016f59f2e80d28ff0a1bbd57ae644c9f4743014bb0795ceffe7072cd08731b

      SHA512

      17f245f11431c64fdc91be590eb9070705793391a25179f8fbf09b5b7e7fb6c154826fe96ff11de6d4c448ce1fad791147acc28f090edab21cac47bfb5e7f5f3

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGk5115.exe
      Filesize

      391KB

      MD5

      286d00fb8774d77afe60a360e7f4e638

      SHA1

      7a973b498926bd4ede517655cb99f300f5448613

      SHA256

      583bc816d0fc868a5ff89191c8596f4320d5c0745ae36aa877e33a23355723b1

      SHA512

      82b865e0276661fc757b441e1630d843bf973dcab65d0ea9aae6b90315f2a0e58d12b09cf6980afcb2e7f911550398025a528426be73115d66baf499bc8d7a27

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGk5115.exe
      Filesize

      391KB

      MD5

      286d00fb8774d77afe60a360e7f4e638

      SHA1

      7a973b498926bd4ede517655cb99f300f5448613

      SHA256

      583bc816d0fc868a5ff89191c8596f4320d5c0745ae36aa877e33a23355723b1

      SHA512

      82b865e0276661fc757b441e1630d843bf973dcab65d0ea9aae6b90315f2a0e58d12b09cf6980afcb2e7f911550398025a528426be73115d66baf499bc8d7a27

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr492634.exe
      Filesize

      11KB

      MD5

      3caf74acb68fcc62c6dcc0dd5420869e

      SHA1

      dbc6b3a729425c24d73516cd0274339b9f1bb25e

      SHA256

      378104be760b6a5d2adbbd549c9490780cf44e88c6a668cddaee10b2407fedfb

      SHA512

      dc852a47eeb26c4396061f3bb725955657cb4d7d1a911fb6b23aebf1902803090e05bcd32bd0ab45ee6401403a0b15572e56ec03e46d83148276a2ba5539c666

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr492634.exe
      Filesize

      11KB

      MD5

      3caf74acb68fcc62c6dcc0dd5420869e

      SHA1

      dbc6b3a729425c24d73516cd0274339b9f1bb25e

      SHA256

      378104be760b6a5d2adbbd549c9490780cf44e88c6a668cddaee10b2407fedfb

      SHA512

      dc852a47eeb26c4396061f3bb725955657cb4d7d1a911fb6b23aebf1902803090e05bcd32bd0ab45ee6401403a0b15572e56ec03e46d83148276a2ba5539c666

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku457488.exe
      Filesize

      359KB

      MD5

      9043eaa2b512bb2be5f17eb770a0f8a1

      SHA1

      4dd199f5dabda70b804d0ebb36752e15a2c3d0ba

      SHA256

      c2e1703e3bc04b0354f429885401bedfdc56f9f65cb9727a804e5850397f0813

      SHA512

      9270acb905231ba870631c427c00ef0ee0fe924e306753ce4caa4dcef5d8b97c7a02849586b312efbd326887edc5f6dd67d5d7d1159a729a7fa804b7a2aff8a0

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku457488.exe
      Filesize

      359KB

      MD5

      9043eaa2b512bb2be5f17eb770a0f8a1

      SHA1

      4dd199f5dabda70b804d0ebb36752e15a2c3d0ba

      SHA256

      c2e1703e3bc04b0354f429885401bedfdc56f9f65cb9727a804e5850397f0813

      SHA512

      9270acb905231ba870631c427c00ef0ee0fe924e306753ce4caa4dcef5d8b97c7a02849586b312efbd326887edc5f6dd67d5d7d1159a729a7fa804b7a2aff8a0

      Download Submit
    • memory/1752-1087-0x0000000000860000-0x0000000000892000-memory.dmp
      Filesize

      200KB

      Download
    • memory/1752-1088-0x00000000051C0000-0x00000000051D0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1752-1089-0x00000000051C0000-0x00000000051D0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1828-147-0x0000000000A10000-0x0000000000A1A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4496-189-0x0000000003B50000-0x0000000003B8F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4496-199-0x0000000003B50000-0x0000000003B8F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4496-157-0x0000000006170000-0x0000000006180000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4496-155-0x0000000006170000-0x0000000006180000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4496-158-0x0000000003B50000-0x0000000003B8F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4496-159-0x0000000003B50000-0x0000000003B8F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4496-161-0x0000000003B50000-0x0000000003B8F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4496-165-0x0000000003B50000-0x0000000003B8F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4496-163-0x0000000003B50000-0x0000000003B8F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4496-167-0x0000000003B50000-0x0000000003B8F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4496-169-0x0000000003B50000-0x0000000003B8F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4496-171-0x0000000003B50000-0x0000000003B8F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4496-173-0x0000000003B50000-0x0000000003B8F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4496-175-0x0000000003B50000-0x0000000003B8F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4496-177-0x0000000003B50000-0x0000000003B8F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4496-179-0x0000000003B50000-0x0000000003B8F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4496-181-0x0000000003B50000-0x0000000003B8F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4496-183-0x0000000003B50000-0x0000000003B8F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4496-185-0x0000000003B50000-0x0000000003B8F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4496-187-0x0000000003B50000-0x0000000003B8F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4496-154-0x0000000006170000-0x0000000006180000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4496-191-0x0000000003B50000-0x0000000003B8F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4496-193-0x0000000003B50000-0x0000000003B8F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4496-197-0x0000000003B50000-0x0000000003B8F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4496-195-0x0000000003B50000-0x0000000003B8F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4496-156-0x0000000006180000-0x0000000006724000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4496-201-0x0000000003B50000-0x0000000003B8F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4496-203-0x0000000003B50000-0x0000000003B8F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4496-205-0x0000000003B50000-0x0000000003B8F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4496-209-0x0000000003B50000-0x0000000003B8F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4496-211-0x0000000003B50000-0x0000000003B8F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4496-207-0x0000000003B50000-0x0000000003B8F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4496-213-0x0000000003B50000-0x0000000003B8F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4496-215-0x0000000003B50000-0x0000000003B8F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4496-217-0x0000000003B50000-0x0000000003B8F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4496-219-0x0000000003B50000-0x0000000003B8F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4496-221-0x0000000003B50000-0x0000000003B8F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4496-1065-0x0000000006170000-0x0000000006180000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4496-1066-0x0000000006170000-0x0000000006180000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4496-1068-0x0000000006730000-0x0000000006D48000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/4496-1069-0x0000000006DA0000-0x0000000006EAA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/4496-1070-0x0000000006EE0000-0x0000000006EF2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4496-1071-0x0000000006F00000-0x0000000006F3C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/4496-1072-0x0000000006170000-0x0000000006180000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4496-1074-0x0000000007470000-0x0000000007502000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4496-1075-0x0000000007510000-0x0000000007576000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4496-1076-0x00000000079B0000-0x0000000007B72000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/4496-153-0x0000000001C90000-0x0000000001CDB000-memory.dmp
      Filesize

      300KB

      Download
    • memory/4496-1077-0x0000000006170000-0x0000000006180000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4496-1078-0x0000000007B80000-0x00000000080AC000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/4496-1080-0x0000000008580000-0x00000000085F6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/4496-1081-0x0000000008600000-0x0000000008650000-memory.dmp
      Filesize

      320KB

      Download