Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    62s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/04/2023, 05:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2388d6c30ef039e51ee71bba1bb3ca5b159123092db6e72cea14e130d5d9c78f.exe

  • Size

    530KB

  • MD5

    0a865ba9c50b969838d8f6209fcdf585

  • SHA1

    7706483e4519cd0499270502f7b95fe7140fd39f

  • SHA256

    2388d6c30ef039e51ee71bba1bb3ca5b159123092db6e72cea14e130d5d9c78f

  • SHA512

    4470df50b8f54be701cf432bbd046c4aad49799f97a8de68dd618da8fe0f0e7dd41367f0fa525d599b82cf915d2225684f2793671d11f8c7ec722563b19c7642

  • SSDEEP

    12288:oMrHy90j77i/jdEeU6TMbwwluXRk2OIBOjBMW/X+iX:vyI7iqeBkw8Ok2VBOjtX

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2388d6c30ef039e51ee71bba1bb3ca5b159123092db6e72cea14e130d5d9c78f.exe
    "C:\Users\Admin\AppData\Local\Temp\2388d6c30ef039e51ee71bba1bb3ca5b159123092db6e72cea14e130d5d9c78f.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2192
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziMK0162.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziMK0162.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1836
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr562006.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr562006.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1164
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku451890.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku451890.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3604
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 1328
          4⤵
          • Program crash
          PID:3312
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr652886.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr652886.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2108
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3604 -ip 3604
    1⤵
      PID:372

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr652886.exe
      Filesize

      176KB

      MD5

      19875be0dffb21ccb2555ebe154640a6

      SHA1

      81b01ffc072f24a57aa4839e81e2860b968d4d31

      SHA256

      6fc8bbbbfb4ffea103a8c41c7f6eaff73dbe626c2945df13206cbe6f55422b2b

      SHA512

      62797bfc7580d66ff34789c4023eb980841c52e7192b0e2e1197a4baa9c861ab829009dd0cb371ca94d0cb0f3ee584312dc11b553b5ae2b6cf25e9d38f8b0fcc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr652886.exe
      Filesize

      176KB

      MD5

      19875be0dffb21ccb2555ebe154640a6

      SHA1

      81b01ffc072f24a57aa4839e81e2860b968d4d31

      SHA256

      6fc8bbbbfb4ffea103a8c41c7f6eaff73dbe626c2945df13206cbe6f55422b2b

      SHA512

      62797bfc7580d66ff34789c4023eb980841c52e7192b0e2e1197a4baa9c861ab829009dd0cb371ca94d0cb0f3ee584312dc11b553b5ae2b6cf25e9d38f8b0fcc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziMK0162.exe
      Filesize

      389KB

      MD5

      ea06f461435d0694f5f0f4b09f9f2170

      SHA1

      bc2b5a11b8af0dbaba55e1d46cd95c924a43482f

      SHA256

      f9fee6e7609ec6a75e650c202c33a4190ad33d7175fa2f8d4713944bc1fae61f

      SHA512

      f3a57284da1b017426fb1c2a872b3e2126d069ee7c860dca126298f95678b6a0f13f68ebf2ffa44c49add6f1dbef36cb3dc98e372e3f7397de48aad1924fbda4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziMK0162.exe
      Filesize

      389KB

      MD5

      ea06f461435d0694f5f0f4b09f9f2170

      SHA1

      bc2b5a11b8af0dbaba55e1d46cd95c924a43482f

      SHA256

      f9fee6e7609ec6a75e650c202c33a4190ad33d7175fa2f8d4713944bc1fae61f

      SHA512

      f3a57284da1b017426fb1c2a872b3e2126d069ee7c860dca126298f95678b6a0f13f68ebf2ffa44c49add6f1dbef36cb3dc98e372e3f7397de48aad1924fbda4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr562006.exe
      Filesize

      12KB

      MD5

      00447b6d03715584cd6b395dcbae18ec

      SHA1

      f2374d606d17fb39ac40e9dc6afe67466d1dfcd1

      SHA256

      40e6fcc94adaa16a1ca6be07a0ee074085bd18c3115af7fae7b8e320f0c37ef8

      SHA512

      fcea47d7227550b2673d3ed4216c1ed7c42bf1aba05a8e91ac4649c2a7a9c378052b218d4e292bc19da154791a1caa969b844ca930db9496bdade85b81591e6f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr562006.exe
      Filesize

      12KB

      MD5

      00447b6d03715584cd6b395dcbae18ec

      SHA1

      f2374d606d17fb39ac40e9dc6afe67466d1dfcd1

      SHA256

      40e6fcc94adaa16a1ca6be07a0ee074085bd18c3115af7fae7b8e320f0c37ef8

      SHA512

      fcea47d7227550b2673d3ed4216c1ed7c42bf1aba05a8e91ac4649c2a7a9c378052b218d4e292bc19da154791a1caa969b844ca930db9496bdade85b81591e6f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku451890.exe
      Filesize

      435KB

      MD5

      f4e8bff69f760eabb80695eec6832064

      SHA1

      62c7a332670553906c87351042ce66c9d89e613a

      SHA256

      da7bf5e12356a217892c15968d5a86fe4b6e89902fce38dff38a8d458b399895

      SHA512

      2e369a23c0c5189282d5e20c2127e1346a2ceef8c52c4aa43c6aa3d4bc77479a9acb5b9a5d55c31f33015e972aa52f4ca9e09eed43dd1a6b3cb2410833bb7fb1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku451890.exe
      Filesize

      435KB

      MD5

      f4e8bff69f760eabb80695eec6832064

      SHA1

      62c7a332670553906c87351042ce66c9d89e613a

      SHA256

      da7bf5e12356a217892c15968d5a86fe4b6e89902fce38dff38a8d458b399895

      SHA512

      2e369a23c0c5189282d5e20c2127e1346a2ceef8c52c4aa43c6aa3d4bc77479a9acb5b9a5d55c31f33015e972aa52f4ca9e09eed43dd1a6b3cb2410833bb7fb1

      Download Submit

    • memory/1164-147-0x0000000000120000-0x000000000012A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2108-1086-0x00000000004B0000-0x00000000004E2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2108-1087-0x0000000005120000-0x0000000005130000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2108-1088-0x0000000005120000-0x0000000005130000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3604-189-0x0000000006880000-0x00000000068BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3604-203-0x0000000006880000-0x00000000068BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3604-156-0x00000000069B0000-0x00000000069C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3604-157-0x00000000069B0000-0x00000000069C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3604-158-0x0000000006880000-0x00000000068BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3604-161-0x0000000006880000-0x00000000068BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3604-163-0x0000000006880000-0x00000000068BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3604-159-0x0000000006880000-0x00000000068BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3604-165-0x0000000006880000-0x00000000068BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3604-167-0x0000000006880000-0x00000000068BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3604-169-0x0000000006880000-0x00000000068BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3604-171-0x0000000006880000-0x00000000068BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3604-173-0x0000000006880000-0x00000000068BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3604-175-0x0000000006880000-0x00000000068BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3604-177-0x0000000006880000-0x00000000068BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3604-179-0x0000000006880000-0x00000000068BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3604-181-0x0000000006880000-0x00000000068BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3604-183-0x0000000006880000-0x00000000068BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3604-185-0x0000000006880000-0x00000000068BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3604-187-0x0000000006880000-0x00000000068BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3604-154-0x0000000002480000-0x00000000024CB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3604-191-0x0000000006880000-0x00000000068BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3604-193-0x0000000006880000-0x00000000068BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3604-195-0x0000000006880000-0x00000000068BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3604-197-0x0000000006880000-0x00000000068BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3604-199-0x0000000006880000-0x00000000068BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3604-201-0x0000000006880000-0x00000000068BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3604-155-0x00000000069B0000-0x00000000069C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3604-205-0x0000000006880000-0x00000000068BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3604-207-0x0000000006880000-0x00000000068BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3604-209-0x0000000006880000-0x00000000068BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3604-211-0x0000000006880000-0x00000000068BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3604-213-0x0000000006880000-0x00000000068BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3604-215-0x0000000006880000-0x00000000068BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3604-217-0x0000000006880000-0x00000000068BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3604-219-0x0000000006880000-0x00000000068BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3604-221-0x0000000006880000-0x00000000068BF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3604-1064-0x0000000006F70000-0x0000000007588000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3604-1065-0x0000000007590000-0x000000000769A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3604-1066-0x00000000076C0000-0x00000000076D2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3604-1067-0x00000000069B0000-0x00000000069C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3604-1068-0x00000000076E0000-0x000000000771C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3604-1070-0x00000000069B0000-0x00000000069C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3604-1071-0x00000000069B0000-0x00000000069C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3604-1072-0x00000000069B0000-0x00000000069C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3604-1073-0x00000000079D0000-0x0000000007A36000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3604-1074-0x0000000008080000-0x0000000008112000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3604-1075-0x00000000069B0000-0x00000000069C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3604-153-0x00000000069C0000-0x0000000006F64000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3604-1077-0x00000000083D0000-0x0000000008592000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3604-1078-0x00000000085B0000-0x0000000008ADC000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/3604-1079-0x0000000009EF0000-0x0000000009F66000-memory.dmp

      Filesize

      472KB

      Download

    • memory/3604-1080-0x0000000009F80000-0x0000000009FD0000-memory.dmp

      Filesize

      320KB

      Download