Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/04/2023, 07:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f6b18415a409b19147d5e469a5112011af5b7d8c604b6606defa461d98a89d9d.exe

  • Size

    659KB

  • MD5

    00e06b8733fccf123e281a99f760382e

  • SHA1

    36230f11049c1ac9d4a86ae20a9b6957231a8ecb

  • SHA256

    f6b18415a409b19147d5e469a5112011af5b7d8c604b6606defa461d98a89d9d

  • SHA512

    16c145d0b51feffe1c7f59fed3a4b1d5987c7c52913587b5ee35d8ca353d10632eb54f2ea787dc77f19f1d63903012ebaaa3ab328fcf8d35ed7e7970174fa78a

  • SSDEEP

    12288:0MrOy90wb2bqhQdUXG3cVXu/3JL6mW18J2uOuRiAH:Ky/b41MV0eme8nyAH

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6b18415a409b19147d5e469a5112011af5b7d8c604b6606defa461d98a89d9d.exe
    "C:\Users\Admin\AppData\Local\Temp\f6b18415a409b19147d5e469a5112011af5b7d8c604b6606defa461d98a89d9d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4824
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un755919.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un755919.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2064
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1012.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1012.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2776
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 1100
          4⤵
          • Program crash
          PID:5100
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2867.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2867.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5028
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1348
          4⤵
          • Program crash
          PID:1128
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si320263.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si320263.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4420
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2776 -ip 2776
    1⤵
      PID:560
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5028 -ip 5028
      1⤵
        PID:1044
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe start wuauserv
        1⤵
        • Launches sc.exe
        PID:1476

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si320263.exe
        Filesize

        176KB

        MD5

        3482116c45e660725f1b9ff65fcbf6f8

        SHA1

        242bba9421f8148b4cfef671829147597c7a4139

        SHA256

        2a77089601862f0d7500152f37f32b4c5f73099d8016559de2356f7798d819da

        SHA512

        ca3ae2c4418fa85a8703641e6565516fe6ef1ca50f3647dd52d8bb5fc5d49ab258ee84574a29f4db3ca486abf4b3dc96e676227ab4142bcb7d6e25c6cd56bffd

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si320263.exe
        Filesize

        176KB

        MD5

        3482116c45e660725f1b9ff65fcbf6f8

        SHA1

        242bba9421f8148b4cfef671829147597c7a4139

        SHA256

        2a77089601862f0d7500152f37f32b4c5f73099d8016559de2356f7798d819da

        SHA512

        ca3ae2c4418fa85a8703641e6565516fe6ef1ca50f3647dd52d8bb5fc5d49ab258ee84574a29f4db3ca486abf4b3dc96e676227ab4142bcb7d6e25c6cd56bffd

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un755919.exe
        Filesize

        517KB

        MD5

        0788657fa8de30cb606b4e91481d64e2

        SHA1

        bf159d912ff4e5cf1b3c15210ffc091183b3e7a3

        SHA256

        168e97179ce1e3f861e4035090bd561b481b61c77ee28834da092e6023cb43f3

        SHA512

        3695ea08f161b3ac7962c798701ca0a14c95d006062fe78a12eff18aaeed2f15c198432c395014ddd7fb2f3f743f4e35a2b05915b38a5b62d5910da4c3f3376c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un755919.exe
        Filesize

        517KB

        MD5

        0788657fa8de30cb606b4e91481d64e2

        SHA1

        bf159d912ff4e5cf1b3c15210ffc091183b3e7a3

        SHA256

        168e97179ce1e3f861e4035090bd561b481b61c77ee28834da092e6023cb43f3

        SHA512

        3695ea08f161b3ac7962c798701ca0a14c95d006062fe78a12eff18aaeed2f15c198432c395014ddd7fb2f3f743f4e35a2b05915b38a5b62d5910da4c3f3376c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1012.exe
        Filesize

        376KB

        MD5

        b01794ee8134f55f28620c0305532995

        SHA1

        3d9e6369c263fd0d39f97e2d72ec2edb912786a5

        SHA256

        9935e7beebeb1b7840acbba4e2b48741eb661ae5b869e3399eae38403bbe6e9e

        SHA512

        f229b2e69d5d2342104797510318ff1891566b2f297602ee1744720c3b749141b143cef6ba3840a7fa6080146e07218480ae78526c43fea43b7fa869daa4e966

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1012.exe
        Filesize

        376KB

        MD5

        b01794ee8134f55f28620c0305532995

        SHA1

        3d9e6369c263fd0d39f97e2d72ec2edb912786a5

        SHA256

        9935e7beebeb1b7840acbba4e2b48741eb661ae5b869e3399eae38403bbe6e9e

        SHA512

        f229b2e69d5d2342104797510318ff1891566b2f297602ee1744720c3b749141b143cef6ba3840a7fa6080146e07218480ae78526c43fea43b7fa869daa4e966

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2867.exe
        Filesize

        434KB

        MD5

        6d228a9f2d4d2de4e093030c3ae25984

        SHA1

        8c846fcdf17d35b85f82a5c57f8e7de4e1a2256f

        SHA256

        c0d0a9beec744b3b9e006863eaff2060f8d086d25fc9eba6237e946e410c2207

        SHA512

        cbc3ee9b97d4238cfe452a3a4ab6c22624905abdc0f50d09f69016162df596a23d5f9c7fc1e9cee4636e64bd2692b269d6cf821eafd5c8f6923697e6078476de

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2867.exe
        Filesize

        434KB

        MD5

        6d228a9f2d4d2de4e093030c3ae25984

        SHA1

        8c846fcdf17d35b85f82a5c57f8e7de4e1a2256f

        SHA256

        c0d0a9beec744b3b9e006863eaff2060f8d086d25fc9eba6237e946e410c2207

        SHA512

        cbc3ee9b97d4238cfe452a3a4ab6c22624905abdc0f50d09f69016162df596a23d5f9c7fc1e9cee4636e64bd2692b269d6cf821eafd5c8f6923697e6078476de

        Download Submit

      • memory/2776-160-0x0000000002920000-0x0000000002932000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2776-168-0x0000000002920000-0x0000000002932000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2776-149-0x0000000002920000-0x0000000002932000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2776-152-0x0000000002920000-0x0000000002932000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2776-154-0x0000000002920000-0x0000000002932000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2776-157-0x0000000000AE0000-0x0000000000B0D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/2776-156-0x0000000002920000-0x0000000002932000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2776-159-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2776-148-0x0000000004EB0000-0x0000000005454000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2776-162-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2776-163-0x0000000002920000-0x0000000002932000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2776-164-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2776-166-0x0000000002920000-0x0000000002932000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2776-150-0x0000000002920000-0x0000000002932000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2776-170-0x0000000002920000-0x0000000002932000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2776-172-0x0000000002920000-0x0000000002932000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2776-174-0x0000000002920000-0x0000000002932000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2776-176-0x0000000002920000-0x0000000002932000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2776-178-0x0000000002920000-0x0000000002932000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2776-180-0x0000000002920000-0x0000000002932000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2776-181-0x0000000000400000-0x0000000000813000-memory.dmp

        Filesize

        4.1MB

        Download

      • memory/2776-184-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2776-183-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2776-185-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2776-186-0x0000000000400000-0x0000000000813000-memory.dmp

        Filesize

        4.1MB

        Download

      • memory/4420-1121-0x0000000000F00000-0x0000000000F32000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4420-1122-0x0000000005AE0000-0x0000000005AF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5028-191-0x00000000028B0000-0x00000000028EF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5028-228-0x0000000000AA0000-0x0000000000AEB000-memory.dmp

        Filesize

        300KB

        Download

      • memory/5028-198-0x00000000028B0000-0x00000000028EF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5028-196-0x00000000028B0000-0x00000000028EF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5028-200-0x00000000028B0000-0x00000000028EF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5028-202-0x00000000028B0000-0x00000000028EF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5028-204-0x00000000028B0000-0x00000000028EF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5028-206-0x00000000028B0000-0x00000000028EF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5028-208-0x00000000028B0000-0x00000000028EF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5028-210-0x00000000028B0000-0x00000000028EF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5028-212-0x00000000028B0000-0x00000000028EF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5028-214-0x00000000028B0000-0x00000000028EF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5028-216-0x00000000028B0000-0x00000000028EF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5028-218-0x00000000028B0000-0x00000000028EF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5028-220-0x00000000028B0000-0x00000000028EF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5028-222-0x00000000028B0000-0x00000000028EF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5028-224-0x00000000028B0000-0x00000000028EF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5028-194-0x00000000028B0000-0x00000000028EF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5028-230-0x0000000005100000-0x0000000005110000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5028-232-0x0000000005100000-0x0000000005110000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5028-234-0x0000000005100000-0x0000000005110000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5028-1101-0x00000000056C0000-0x0000000005CD8000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/5028-1102-0x0000000005CE0000-0x0000000005DEA000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/5028-1103-0x0000000005060000-0x0000000005072000-memory.dmp

        Filesize

        72KB

        Download

      • memory/5028-1104-0x0000000005100000-0x0000000005110000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5028-1105-0x0000000005080000-0x00000000050BC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/5028-1106-0x0000000006060000-0x00000000060F2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/5028-1107-0x0000000006100000-0x0000000006166000-memory.dmp

        Filesize

        408KB

        Download

      • memory/5028-1109-0x0000000005100000-0x0000000005110000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5028-1110-0x0000000005100000-0x0000000005110000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5028-1111-0x0000000006960000-0x00000000069D6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/5028-1112-0x00000000069E0000-0x0000000006A30000-memory.dmp

        Filesize

        320KB

        Download

      • memory/5028-192-0x00000000028B0000-0x00000000028EF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/5028-1113-0x0000000005100000-0x0000000005110000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5028-1114-0x0000000006CC0000-0x0000000006E82000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/5028-1115-0x0000000006E90000-0x00000000073BC000-memory.dmp

        Filesize

        5.2MB

        Download