Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    78s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-04-2023 20:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bd433ed8a96c6a7f0348f5e5187b5259e96d287db34d5b4593c0e51088dd4415.exe

  • Size

    530KB

  • MD5

    802d18b1cbe4f0b6032305ade1b25cf9

  • SHA1

    b62245faee6830e48353b53093eafe9de0a3202e

  • SHA256

    bd433ed8a96c6a7f0348f5e5187b5259e96d287db34d5b4593c0e51088dd4415

  • SHA512

    a0a78d7a3c2a726861b821eb298206a63d1f4b3b730a7579cfd8ed8ff83c2f6923f62cdbc3d9dd2300d9fbbcf19933a8286f9b888e4f9b5e52b51d6ab9cd57dd

  • SSDEEP

    12288:cMr+y9083uFiKZfoCWwkpJeLMeTytRaE8WxAk1ar7WRH:yy33uF7RWwmeMeTytRaE8cAk1aet

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bd433ed8a96c6a7f0348f5e5187b5259e96d287db34d5b4593c0e51088dd4415.exe
    "C:\Users\Admin\AppData\Local\Temp\bd433ed8a96c6a7f0348f5e5187b5259e96d287db34d5b4593c0e51088dd4415.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4496
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNR9133.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNR9133.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1816
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr284532.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr284532.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3740
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku204590.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku204590.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:336
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 1784
          4⤵
          • Program crash
          PID:1664
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr450733.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr450733.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2244
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 336 -ip 336
    1⤵
      PID:4148

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr450733.exe
      Filesize

      175KB

      MD5

      3757edc0192ad080aecd1fae5f6ae89a

      SHA1

      f4cef8698c729e14cbecf20fb71cebb0ba8f2b61

      SHA256

      a7f23be4cd59d49ec5d14576d42c6add542abac2122bfd156bba5bf1fe288920

      SHA512

      9be3e897d8c5dad2092ea3fe5f02ee5ea4ff5953862dcc69e4dd7a125ec8527a0e06a303fb1e15eb95436aef548cd051ff2b17ee6d70e3bab0b2cef2dfd3c49f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr450733.exe
      Filesize

      175KB

      MD5

      3757edc0192ad080aecd1fae5f6ae89a

      SHA1

      f4cef8698c729e14cbecf20fb71cebb0ba8f2b61

      SHA256

      a7f23be4cd59d49ec5d14576d42c6add542abac2122bfd156bba5bf1fe288920

      SHA512

      9be3e897d8c5dad2092ea3fe5f02ee5ea4ff5953862dcc69e4dd7a125ec8527a0e06a303fb1e15eb95436aef548cd051ff2b17ee6d70e3bab0b2cef2dfd3c49f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNR9133.exe
      Filesize

      388KB

      MD5

      026b01e6e137f2c4265ec0cfa582a5d5

      SHA1

      01a161497ddebd255e7de3e16486a78bfc649d8b

      SHA256

      b2cd976f7604c2de3e80da55750459e34942ed924fb75bba69ba4a721132234a

      SHA512

      8982e15fc82f2bdd1278a56a322ad9a1f419280a44652fd4fd5c2fa3d8c871ceba02d760f3c31be48d0a7ccbc4c6c203d96f73691e3ffd3a4f94ef92474af141

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNR9133.exe
      Filesize

      388KB

      MD5

      026b01e6e137f2c4265ec0cfa582a5d5

      SHA1

      01a161497ddebd255e7de3e16486a78bfc649d8b

      SHA256

      b2cd976f7604c2de3e80da55750459e34942ed924fb75bba69ba4a721132234a

      SHA512

      8982e15fc82f2bdd1278a56a322ad9a1f419280a44652fd4fd5c2fa3d8c871ceba02d760f3c31be48d0a7ccbc4c6c203d96f73691e3ffd3a4f94ef92474af141

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr284532.exe
      Filesize

      11KB

      MD5

      8ae9a28dc8e090b3f455032427e65a99

      SHA1

      07f120d19ec3522a9ff8ec35237d748cda1b8450

      SHA256

      34a987981c8737cd20c925ab2ed8df0e4977acfcf12d5432c3118cd9af7f2a05

      SHA512

      a192629f7f4e1136b7703c20ef3b23091f3d79e5732d870518b51167bf08ae654b64617b3ba08265c6b159de1a6fbfb0f4579292fbd07acd65144fa4c3653fd5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr284532.exe
      Filesize

      11KB

      MD5

      8ae9a28dc8e090b3f455032427e65a99

      SHA1

      07f120d19ec3522a9ff8ec35237d748cda1b8450

      SHA256

      34a987981c8737cd20c925ab2ed8df0e4977acfcf12d5432c3118cd9af7f2a05

      SHA512

      a192629f7f4e1136b7703c20ef3b23091f3d79e5732d870518b51167bf08ae654b64617b3ba08265c6b159de1a6fbfb0f4579292fbd07acd65144fa4c3653fd5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku204590.exe
      Filesize

      354KB

      MD5

      d764ab131a147f5e5f337603e0349c8a

      SHA1

      28580698fecdefa59fe0f8645563663f38c0399e

      SHA256

      9c3b79afa761db065fcae65b0fdd1b08f2e253740033f7767d9985826e92bcd2

      SHA512

      4f5a3fc6e69c2ab636d21db2bba34b16f1f20c97391753a0a6bcc36080efe386013647c28bc676c53156a384d0ce2717df1e91e42f5fecd1e661caa4766ec3bd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku204590.exe
      Filesize

      354KB

      MD5

      d764ab131a147f5e5f337603e0349c8a

      SHA1

      28580698fecdefa59fe0f8645563663f38c0399e

      SHA256

      9c3b79afa761db065fcae65b0fdd1b08f2e253740033f7767d9985826e92bcd2

      SHA512

      4f5a3fc6e69c2ab636d21db2bba34b16f1f20c97391753a0a6bcc36080efe386013647c28bc676c53156a384d0ce2717df1e91e42f5fecd1e661caa4766ec3bd

      Download Submit

    • memory/336-153-0x0000000002D00000-0x0000000002D4B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/336-154-0x0000000007410000-0x00000000079B4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/336-155-0x00000000072A0000-0x00000000072DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/336-156-0x00000000072A0000-0x00000000072DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/336-158-0x00000000072A0000-0x00000000072DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/336-160-0x00000000072A0000-0x00000000072DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/336-162-0x00000000072A0000-0x00000000072DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/336-164-0x00000000072A0000-0x00000000072DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/336-166-0x00000000072A0000-0x00000000072DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/336-168-0x00000000072A0000-0x00000000072DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/336-170-0x0000000007400000-0x0000000007410000-memory.dmp

      Filesize

      64KB

      Download

    • memory/336-171-0x0000000007400000-0x0000000007410000-memory.dmp

      Filesize

      64KB

      Download

    • memory/336-173-0x0000000007400000-0x0000000007410000-memory.dmp

      Filesize

      64KB

      Download

    • memory/336-175-0x00000000072A0000-0x00000000072DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/336-172-0x00000000072A0000-0x00000000072DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/336-177-0x00000000072A0000-0x00000000072DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/336-179-0x00000000072A0000-0x00000000072DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/336-181-0x00000000072A0000-0x00000000072DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/336-183-0x00000000072A0000-0x00000000072DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/336-185-0x00000000072A0000-0x00000000072DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/336-187-0x00000000072A0000-0x00000000072DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/336-189-0x00000000072A0000-0x00000000072DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/336-191-0x00000000072A0000-0x00000000072DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/336-193-0x00000000072A0000-0x00000000072DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/336-195-0x00000000072A0000-0x00000000072DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/336-197-0x00000000072A0000-0x00000000072DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/336-199-0x00000000072A0000-0x00000000072DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/336-201-0x00000000072A0000-0x00000000072DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/336-203-0x00000000072A0000-0x00000000072DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/336-205-0x00000000072A0000-0x00000000072DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/336-207-0x00000000072A0000-0x00000000072DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/336-209-0x00000000072A0000-0x00000000072DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/336-211-0x00000000072A0000-0x00000000072DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/336-213-0x00000000072A0000-0x00000000072DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/336-215-0x00000000072A0000-0x00000000072DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/336-217-0x00000000072A0000-0x00000000072DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/336-219-0x00000000072A0000-0x00000000072DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/336-221-0x00000000072A0000-0x00000000072DF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/336-1064-0x00000000079C0000-0x0000000007FD8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/336-1065-0x0000000007FE0000-0x00000000080EA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/336-1066-0x00000000073C0000-0x00000000073D2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/336-1067-0x00000000080F0000-0x000000000812C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/336-1068-0x0000000007400000-0x0000000007410000-memory.dmp

      Filesize

      64KB

      Download

    • memory/336-1070-0x0000000007400000-0x0000000007410000-memory.dmp

      Filesize

      64KB

      Download

    • memory/336-1071-0x0000000007400000-0x0000000007410000-memory.dmp

      Filesize

      64KB

      Download

    • memory/336-1072-0x00000000083C0000-0x0000000008426000-memory.dmp

      Filesize

      408KB

      Download

    • memory/336-1073-0x0000000008A90000-0x0000000008B22000-memory.dmp

      Filesize

      584KB

      Download

    • memory/336-1074-0x0000000008B60000-0x0000000008BD6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/336-1075-0x0000000008BF0000-0x0000000008C40000-memory.dmp

      Filesize

      320KB

      Download

    • memory/336-1076-0x0000000008C60000-0x0000000008E22000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/336-1077-0x0000000008E30000-0x000000000935C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/336-1078-0x0000000007400000-0x0000000007410000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2244-1085-0x0000000000DA0000-0x0000000000DD2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2244-1086-0x0000000005690000-0x00000000056A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2244-1087-0x0000000005690000-0x00000000056A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3740-147-0x0000000000070000-0x000000000007A000-memory.dmp

      Filesize

      40KB

      Download