Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    87s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-04-2023 13:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    95b2242287e89f4cf17569fc7b0645be8a3c26bc4dac84e39657bfb984f14f32.exe

  • Size

    659KB

  • MD5

    e8db902e73ef89a32af27d90f7c85036

  • SHA1

    add72b2ecbb83f5120fb4ff75a7c59debfb917b2

  • SHA256

    95b2242287e89f4cf17569fc7b0645be8a3c26bc4dac84e39657bfb984f14f32

  • SHA512

    23fa4d3d467b8ecbd8c65b2958c6122fbfbf48d6c1c34e96ac213c60543a37d442772b7b423cc8fcdd48b7a9d5c3d8b89367a010b96afbddb5b7036e8905a902

  • SSDEEP

    12288:bMryy90pSqfL5Kk2O+B8XulUAXxbKjoQoqBijir/FCSIi3:tyySj5+XulpkEQDf9gi3

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 21 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\95b2242287e89f4cf17569fc7b0645be8a3c26bc4dac84e39657bfb984f14f32.exe
    "C:\Users\Admin\AppData\Local\Temp\95b2242287e89f4cf17569fc7b0645be8a3c26bc4dac84e39657bfb984f14f32.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4524
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un367715.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un367715.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1504
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0394.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0394.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5056
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 1076
          4⤵
          • Program crash
          PID:5000
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4142.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4142.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4420
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 1348
          4⤵
          • Program crash
          PID:1572
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si738352.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si738352.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4968
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5056 -ip 5056
    1⤵
      PID:3112
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4420 -ip 4420
      1⤵
        PID:1640

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si738352.exe
        Filesize

        175KB

        MD5

        d0dea9899398159ad2e7a8a392c9482d

        SHA1

        3ffb068db0c9faa26129c4c315ff7c436c5dded6

        SHA256

        0e787d722bf3055e07b3327c9cf042435ac6c6f6dbf0d5c08ec5267d4d4d8a7f

        SHA512

        2a6389d0af2f2b8cb1c34daf8eabb4cccaee3dfc4003b6d47c81d18bb2f151194afbe6b016fd7c50895e37d860837bb23882d8312fd4a3acff1bd072d2835249

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si738352.exe
        Filesize

        175KB

        MD5

        d0dea9899398159ad2e7a8a392c9482d

        SHA1

        3ffb068db0c9faa26129c4c315ff7c436c5dded6

        SHA256

        0e787d722bf3055e07b3327c9cf042435ac6c6f6dbf0d5c08ec5267d4d4d8a7f

        SHA512

        2a6389d0af2f2b8cb1c34daf8eabb4cccaee3dfc4003b6d47c81d18bb2f151194afbe6b016fd7c50895e37d860837bb23882d8312fd4a3acff1bd072d2835249

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un367715.exe
        Filesize

        517KB

        MD5

        e672fefd10484a9c22cf0d5fb8e61fbb

        SHA1

        a4d88f2255957ceaf69a716e4fda828f5967903f

        SHA256

        b12d62d0a75335d70e65a625a36da9e253784cde371b97f6537925ad796fa267

        SHA512

        7799834357960e179e573756c45fa26c5e3952a2f5f493e29b52188c4433816847d4adbca61a655e58a060792bcdd42c757a66e3068b125cb0631925ff0df4a3

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un367715.exe
        Filesize

        517KB

        MD5

        e672fefd10484a9c22cf0d5fb8e61fbb

        SHA1

        a4d88f2255957ceaf69a716e4fda828f5967903f

        SHA256

        b12d62d0a75335d70e65a625a36da9e253784cde371b97f6537925ad796fa267

        SHA512

        7799834357960e179e573756c45fa26c5e3952a2f5f493e29b52188c4433816847d4adbca61a655e58a060792bcdd42c757a66e3068b125cb0631925ff0df4a3

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0394.exe
        Filesize

        295KB

        MD5

        18d71cf6ffab85748fb91cec330a7e96

        SHA1

        f19c3a5ebfe735ec1220c8ef86493dc37feb5520

        SHA256

        f97a512a903b0d6bf044fc9b35a0ce79896b2f493e6b9995f8cbd232497d0cee

        SHA512

        6f9e0f4f4066d98ac151031e4240728fd4fef902c80093b303227fea281be2d4eafd38ad018c5b73b5e3dab8ee9b52697d617c9a416559ae0474a6283a20d649

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0394.exe
        Filesize

        295KB

        MD5

        18d71cf6ffab85748fb91cec330a7e96

        SHA1

        f19c3a5ebfe735ec1220c8ef86493dc37feb5520

        SHA256

        f97a512a903b0d6bf044fc9b35a0ce79896b2f493e6b9995f8cbd232497d0cee

        SHA512

        6f9e0f4f4066d98ac151031e4240728fd4fef902c80093b303227fea281be2d4eafd38ad018c5b73b5e3dab8ee9b52697d617c9a416559ae0474a6283a20d649

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4142.exe
        Filesize

        354KB

        MD5

        f7734a7e11c47cdcdf483d5984bd1b36

        SHA1

        b15d24c1ed03cafa498620a1352d2ce0a80f30d3

        SHA256

        cb6b586ab0c55f4cde87a05063a74562599e1f1b6c334a34c5ebfd13f1007b67

        SHA512

        5bcd32bbb85a50cbcdbaa8f4561df653af6e67bfbe9f78d0071aab4e1b90ca9cbb321644104360504d3fa90635fcd33e28a20322abed16ebb93e0402bbce3ada

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4142.exe
        Filesize

        354KB

        MD5

        f7734a7e11c47cdcdf483d5984bd1b36

        SHA1

        b15d24c1ed03cafa498620a1352d2ce0a80f30d3

        SHA256

        cb6b586ab0c55f4cde87a05063a74562599e1f1b6c334a34c5ebfd13f1007b67

        SHA512

        5bcd32bbb85a50cbcdbaa8f4561df653af6e67bfbe9f78d0071aab4e1b90ca9cbb321644104360504d3fa90635fcd33e28a20322abed16ebb93e0402bbce3ada

        Download Submit

      • memory/4420-1099-0x0000000007F70000-0x0000000007F82000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4420-1100-0x0000000007F90000-0x0000000007FCC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/4420-1111-0x00000000099D0000-0x0000000009A20000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4420-1110-0x0000000009930000-0x00000000099A6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/4420-1109-0x0000000009320000-0x000000000984C000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/4420-1108-0x0000000009110000-0x00000000092D2000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/4420-1107-0x0000000008320000-0x0000000008386000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4420-1106-0x00000000049C0000-0x00000000049D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4420-1105-0x00000000049C0000-0x00000000049D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4420-1104-0x00000000049C0000-0x00000000049D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4420-1103-0x0000000008280000-0x0000000008312000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4420-1101-0x00000000049C0000-0x00000000049D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4420-1098-0x0000000007E30000-0x0000000007F3A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/4420-1097-0x0000000007790000-0x0000000007DA8000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/4420-224-0x00000000076F0000-0x000000000772F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4420-222-0x00000000076F0000-0x000000000772F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4420-220-0x00000000076F0000-0x000000000772F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4420-218-0x00000000076F0000-0x000000000772F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4420-216-0x00000000076F0000-0x000000000772F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4420-188-0x00000000076F0000-0x000000000772F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4420-187-0x00000000076F0000-0x000000000772F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4420-190-0x00000000076F0000-0x000000000772F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4420-192-0x00000000076F0000-0x000000000772F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4420-194-0x00000000076F0000-0x000000000772F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4420-196-0x00000000076F0000-0x000000000772F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4420-198-0x00000000076F0000-0x000000000772F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4420-202-0x00000000076F0000-0x000000000772F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4420-200-0x00000000076F0000-0x000000000772F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4420-204-0x00000000076F0000-0x000000000772F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4420-206-0x00000000076F0000-0x000000000772F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4420-208-0x00000000047E0000-0x000000000482B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/4420-211-0x00000000049C0000-0x00000000049D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4420-212-0x00000000049C0000-0x00000000049D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4420-210-0x00000000076F0000-0x000000000772F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4420-209-0x00000000049C0000-0x00000000049D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4420-214-0x00000000076F0000-0x000000000772F000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4968-1117-0x0000000000E60000-0x0000000000E92000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4968-1119-0x0000000005A40000-0x0000000005A50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4968-1118-0x0000000005A40000-0x0000000005A50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5056-167-0x00000000049C0000-0x00000000049D2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5056-163-0x00000000049C0000-0x00000000049D2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5056-177-0x00000000049C0000-0x00000000049D2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5056-175-0x00000000049C0000-0x00000000049D2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5056-150-0x00000000073C0000-0x00000000073D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5056-153-0x00000000049C0000-0x00000000049D2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5056-173-0x00000000049C0000-0x00000000049D2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5056-171-0x00000000049C0000-0x00000000049D2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5056-169-0x00000000049C0000-0x00000000049D2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5056-151-0x00000000073D0000-0x0000000007974000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/5056-165-0x00000000049C0000-0x00000000049D2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5056-179-0x00000000049C0000-0x00000000049D2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5056-161-0x00000000049C0000-0x00000000049D2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5056-159-0x00000000049C0000-0x00000000049D2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5056-157-0x00000000049C0000-0x00000000049D2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5056-155-0x00000000049C0000-0x00000000049D2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5056-149-0x00000000073C0000-0x00000000073D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5056-148-0x0000000002CD0000-0x0000000002CFD000-memory.dmp

        Filesize

        180KB

        Download

      • memory/5056-180-0x0000000000400000-0x0000000002B78000-memory.dmp

        Filesize

        39.5MB

        Download

      • memory/5056-182-0x0000000000400000-0x0000000002B78000-memory.dmp

        Filesize

        39.5MB

        Download

      • memory/5056-152-0x00000000049C0000-0x00000000049D2000-memory.dmp

        Filesize

        72KB

        Download