Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    55s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-04-2023 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c345f37fe3545a8dc4372d47b648108d734331a8365de35d312b847730566b3b.exe

  • Size

    537KB

  • MD5

    0b67d16a9d76c20a3ce121cff86916d6

  • SHA1

    990cb47f7b2d423f84456fe4c758e8159466dc02

  • SHA256

    c345f37fe3545a8dc4372d47b648108d734331a8365de35d312b847730566b3b

  • SHA512

    540a1c29ec324ba43bb8bee4ba3aec67a167f592299165fe770e6bb1097770332d86a7a774d60a52af36849021c006d566c21ceb79a001156a08b652367b3082

  • SSDEEP

    12288:OMroy90eZoNTvPWbEw0AUP/HHwUekvo9QRmk0vi:6ydUTvuIAInwWfRmkt

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c345f37fe3545a8dc4372d47b648108d734331a8365de35d312b847730566b3b.exe
    "C:\Users\Admin\AppData\Local\Temp\c345f37fe3545a8dc4372d47b648108d734331a8365de35d312b847730566b3b.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4284
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziiT8998.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziiT8998.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4700
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr544529.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr544529.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5004
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku157196.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku157196.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1312
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 1348
          4⤵
          • Program crash
          PID:3960
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr228866.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr228866.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3372
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1312 -ip 1312
    1⤵
      PID:2836

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr228866.exe
      Filesize

      176KB

      MD5

      40aaf597922875689485282e380cc39d

      SHA1

      1dc05e6b8359621dc850d60f47057ff890c464b4

      SHA256

      620b289f6de324817803e665a8d72c04d689de8ef0e740b6a9550a2c9aa392c1

      SHA512

      6cdc737546bafffc48a130b6209174c6e1c8c3c590448eace0275622aa480484238f6af591f24f5e1e6b5160eefc26e80e1903e319392fa637d743db5995feed

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr228866.exe
      Filesize

      176KB

      MD5

      40aaf597922875689485282e380cc39d

      SHA1

      1dc05e6b8359621dc850d60f47057ff890c464b4

      SHA256

      620b289f6de324817803e665a8d72c04d689de8ef0e740b6a9550a2c9aa392c1

      SHA512

      6cdc737546bafffc48a130b6209174c6e1c8c3c590448eace0275622aa480484238f6af591f24f5e1e6b5160eefc26e80e1903e319392fa637d743db5995feed

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziiT8998.exe
      Filesize

      395KB

      MD5

      4a8b5fbe110d07474bf6f567c9cf2724

      SHA1

      1dbeefb2db931ba957d33ff9fe97947a05e2b26c

      SHA256

      81fab7dcfd7110ddf10d1aefbbda9eedf113a3635ff20e9663f5758a5314a7f2

      SHA512

      644c23da510ee12acdbeec3927bc07e2b2eb2f7a352c3c27f9213fc1143bc6c2d993d9dc10eb0be57112933cb532b0329cb465a6d19ebf2fcaa2c3f798c8f628

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziiT8998.exe
      Filesize

      395KB

      MD5

      4a8b5fbe110d07474bf6f567c9cf2724

      SHA1

      1dbeefb2db931ba957d33ff9fe97947a05e2b26c

      SHA256

      81fab7dcfd7110ddf10d1aefbbda9eedf113a3635ff20e9663f5758a5314a7f2

      SHA512

      644c23da510ee12acdbeec3927bc07e2b2eb2f7a352c3c27f9213fc1143bc6c2d993d9dc10eb0be57112933cb532b0329cb465a6d19ebf2fcaa2c3f798c8f628

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr544529.exe
      Filesize

      13KB

      MD5

      585dadaffcc235f7b600b91392ec3a28

      SHA1

      ba1485b713785fbf3cde5234bb04a979e6ff8c2a

      SHA256

      6bb5cce1596133da8718ae5d61dfc375d6135bc0dceee0eb592fef17ac40c37c

      SHA512

      489d6af130e3a8c13ab1bee18d294aabc40c01afad363e6e8cdd2943f25484a38243cc797089786723074d15967a132422f166c8e214f8782924b281ff73b3f2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr544529.exe
      Filesize

      13KB

      MD5

      585dadaffcc235f7b600b91392ec3a28

      SHA1

      ba1485b713785fbf3cde5234bb04a979e6ff8c2a

      SHA256

      6bb5cce1596133da8718ae5d61dfc375d6135bc0dceee0eb592fef17ac40c37c

      SHA512

      489d6af130e3a8c13ab1bee18d294aabc40c01afad363e6e8cdd2943f25484a38243cc797089786723074d15967a132422f166c8e214f8782924b281ff73b3f2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku157196.exe
      Filesize

      352KB

      MD5

      1b289853200dcd1bb4cd276aa1285a85

      SHA1

      01179041b2e532585d4fb602d6124c1534fe4419

      SHA256

      a6b4a53c407aa1acb79047ebd77e7f4ebee5b9a906820f30a10cfba61da6009c

      SHA512

      1135d554ae9da3690c49c3c307102262d71498d8941f5ea93e69b56acf2219b87aa0f5eac6a69c72378ff4dd4f7d4f7d3e29e2eb2680c56a40e5000a4f843641

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku157196.exe
      Filesize

      352KB

      MD5

      1b289853200dcd1bb4cd276aa1285a85

      SHA1

      01179041b2e532585d4fb602d6124c1534fe4419

      SHA256

      a6b4a53c407aa1acb79047ebd77e7f4ebee5b9a906820f30a10cfba61da6009c

      SHA512

      1135d554ae9da3690c49c3c307102262d71498d8941f5ea93e69b56acf2219b87aa0f5eac6a69c72378ff4dd4f7d4f7d3e29e2eb2680c56a40e5000a4f843641

      Download Submit

    • memory/1312-153-0x00000000008D0000-0x000000000091B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/1312-154-0x0000000005000000-0x0000000005010000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1312-155-0x0000000005000000-0x0000000005010000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1312-156-0x0000000005010000-0x00000000055B4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1312-157-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1312-160-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1312-162-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1312-158-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1312-164-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1312-166-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1312-168-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1312-170-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1312-172-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1312-174-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1312-176-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1312-178-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1312-180-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1312-182-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1312-184-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1312-185-0x0000000005000000-0x0000000005010000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1312-187-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1312-189-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1312-191-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1312-193-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1312-195-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1312-197-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1312-199-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1312-201-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1312-203-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1312-205-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1312-207-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1312-209-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1312-211-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1312-213-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1312-215-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1312-217-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1312-219-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1312-221-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1312-1064-0x00000000055C0000-0x0000000005BD8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1312-1065-0x0000000004EF0000-0x0000000004FFA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1312-1066-0x0000000005BF0000-0x0000000005C02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1312-1067-0x0000000005000000-0x0000000005010000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1312-1068-0x0000000005C10000-0x0000000005C4C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1312-1070-0x0000000005000000-0x0000000005010000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1312-1071-0x0000000005000000-0x0000000005010000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1312-1072-0x0000000005000000-0x0000000005010000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1312-1073-0x0000000005F00000-0x0000000005F92000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1312-1074-0x0000000005FA0000-0x0000000006006000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1312-1075-0x0000000006690000-0x0000000006706000-memory.dmp

      Filesize

      472KB

      Download

    • memory/1312-1076-0x0000000006730000-0x0000000006780000-memory.dmp

      Filesize

      320KB

      Download

    • memory/1312-1077-0x0000000005000000-0x0000000005010000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1312-1078-0x0000000006C20000-0x0000000006DE2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/1312-1079-0x0000000006DF0000-0x000000000731C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/3372-1086-0x0000000000650000-0x0000000000682000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3372-1087-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3372-1088-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5004-147-0x00000000000B0000-0x00000000000BA000-memory.dmp

      Filesize

      40KB

      Download