Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    62s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-04-2023 09:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2934c2267daf2cf3e6e56ec1a770180c643c0593dd30bc1e041a906342ad1227.exe

  • Size

    529KB

  • MD5

    ddbca691ff154fb33a573b3073b96002

  • SHA1

    91659a920064f02a59c8168538d77c7646530995

  • SHA256

    2934c2267daf2cf3e6e56ec1a770180c643c0593dd30bc1e041a906342ad1227

  • SHA512

    ff41ec5085895b3d3617657b802769004f153475aa2d1c1a89f94827af25418addf506e479e5ceb6bf16edd176173c0411c00e24c60d8b0b7d27b3c34712e61f

  • SSDEEP

    12288:5Mrby905ZNO5HLNzu0FwP+ztqkCXi5geB8hZvOW0ioD:+y+NYrB3uPrkC6iZvPTu

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2934c2267daf2cf3e6e56ec1a770180c643c0593dd30bc1e041a906342ad1227.exe
    "C:\Users\Admin\AppData\Local\Temp\2934c2267daf2cf3e6e56ec1a770180c643c0593dd30bc1e041a906342ad1227.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAI2403.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAI2403.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2008
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr310230.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr310230.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2516
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku811628.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku811628.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4104
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 1352
          4⤵
          • Program crash
          PID:4844
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr934902.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr934902.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4300
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4104 -ip 4104
    1⤵
      PID:1688

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr934902.exe
      Filesize

      176KB

      MD5

      70fcbb24033c58fe5d397f31416a6c1d

      SHA1

      60854840388aa48dfb49c072f69822e1ecc211a1

      SHA256

      884acda2158099084502103a577ee5b470fe79e97a33377ec552ffe30883f435

      SHA512

      af949e3848252ec632fe660894f9da6e5012961e0bc26495c07c83fc450c35b1d2549d95a15740f351f309505e49b04804d0fc07eff988024db905cf19e6c2da

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr934902.exe
      Filesize

      176KB

      MD5

      70fcbb24033c58fe5d397f31416a6c1d

      SHA1

      60854840388aa48dfb49c072f69822e1ecc211a1

      SHA256

      884acda2158099084502103a577ee5b470fe79e97a33377ec552ffe30883f435

      SHA512

      af949e3848252ec632fe660894f9da6e5012961e0bc26495c07c83fc450c35b1d2549d95a15740f351f309505e49b04804d0fc07eff988024db905cf19e6c2da

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAI2403.exe
      Filesize

      387KB

      MD5

      db67325a1c22afcad17d7a63ab7f39fa

      SHA1

      72aba0ac37e4e83f937bb037bb4a269fdcc88019

      SHA256

      57b5924b73799574934e559b01eec271207f53256a7303aa1a1192bfe4abf319

      SHA512

      79e3b562775df444f7d171a7a56fb6525d9a5e5d70398aef5343db197d85c314f8fec6156a2497004c6fd5ba42798357f4067d47265d9be170ee1145e7ee7624

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAI2403.exe
      Filesize

      387KB

      MD5

      db67325a1c22afcad17d7a63ab7f39fa

      SHA1

      72aba0ac37e4e83f937bb037bb4a269fdcc88019

      SHA256

      57b5924b73799574934e559b01eec271207f53256a7303aa1a1192bfe4abf319

      SHA512

      79e3b562775df444f7d171a7a56fb6525d9a5e5d70398aef5343db197d85c314f8fec6156a2497004c6fd5ba42798357f4067d47265d9be170ee1145e7ee7624

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr310230.exe
      Filesize

      12KB

      MD5

      cd075b967324920c5a66b41714c65adc

      SHA1

      1ba45f7e3d5513bac920558480848e9c3dcfbbd0

      SHA256

      998632d84b91cef6fa7e8eb09b7ab0cb4d837dbc7aff384a05d94c8932c92746

      SHA512

      11b8fcf5cb483c252481bf2eda96fb0e2cb509a8be57b1d727151252c0eff63c49da254b9589a106e0f4d8d408c3e4607fb938cc4e6a770106de1aa799f01cf3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr310230.exe
      Filesize

      12KB

      MD5

      cd075b967324920c5a66b41714c65adc

      SHA1

      1ba45f7e3d5513bac920558480848e9c3dcfbbd0

      SHA256

      998632d84b91cef6fa7e8eb09b7ab0cb4d837dbc7aff384a05d94c8932c92746

      SHA512

      11b8fcf5cb483c252481bf2eda96fb0e2cb509a8be57b1d727151252c0eff63c49da254b9589a106e0f4d8d408c3e4607fb938cc4e6a770106de1aa799f01cf3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku811628.exe
      Filesize

      353KB

      MD5

      cb270463003551b01c01a8b8ef64d81a

      SHA1

      de700e6ce66bfc1eb43feebda2ef804046268c8b

      SHA256

      6321d243160ad3ec6db12229dd6a998cdb52b089de5d4feec7f287eee9b19c20

      SHA512

      74d884b0806765de5b9067ed6a87e68e052ee99bdb3c76362dc1d98a3146dbdf5ddbf82016bb1d98db88d827d5057606774407be61ac8f31d5cc7dec284b2a06

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku811628.exe
      Filesize

      353KB

      MD5

      cb270463003551b01c01a8b8ef64d81a

      SHA1

      de700e6ce66bfc1eb43feebda2ef804046268c8b

      SHA256

      6321d243160ad3ec6db12229dd6a998cdb52b089de5d4feec7f287eee9b19c20

      SHA512

      74d884b0806765de5b9067ed6a87e68e052ee99bdb3c76362dc1d98a3146dbdf5ddbf82016bb1d98db88d827d5057606774407be61ac8f31d5cc7dec284b2a06

      Download Submit

    • memory/2516-147-0x0000000000620000-0x000000000062A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4104-153-0x0000000002320000-0x000000000236B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4104-154-0x0000000002600000-0x0000000002610000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4104-155-0x0000000002600000-0x0000000002610000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4104-156-0x0000000004DB0000-0x0000000005354000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4104-157-0x0000000002600000-0x0000000002610000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4104-158-0x0000000005370000-0x00000000053AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4104-159-0x0000000005370000-0x00000000053AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4104-161-0x0000000005370000-0x00000000053AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4104-163-0x0000000005370000-0x00000000053AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4104-167-0x0000000005370000-0x00000000053AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4104-165-0x0000000005370000-0x00000000053AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4104-169-0x0000000005370000-0x00000000053AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4104-171-0x0000000005370000-0x00000000053AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4104-173-0x0000000005370000-0x00000000053AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4104-175-0x0000000005370000-0x00000000053AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4104-177-0x0000000005370000-0x00000000053AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4104-179-0x0000000005370000-0x00000000053AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4104-183-0x0000000005370000-0x00000000053AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4104-181-0x0000000005370000-0x00000000053AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4104-185-0x0000000005370000-0x00000000053AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4104-187-0x0000000005370000-0x00000000053AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4104-189-0x0000000005370000-0x00000000053AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4104-191-0x0000000005370000-0x00000000053AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4104-193-0x0000000005370000-0x00000000053AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4104-195-0x0000000005370000-0x00000000053AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4104-197-0x0000000005370000-0x00000000053AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4104-199-0x0000000005370000-0x00000000053AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4104-203-0x0000000005370000-0x00000000053AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4104-205-0x0000000005370000-0x00000000053AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4104-201-0x0000000005370000-0x00000000053AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4104-207-0x0000000005370000-0x00000000053AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4104-209-0x0000000005370000-0x00000000053AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4104-211-0x0000000005370000-0x00000000053AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4104-213-0x0000000005370000-0x00000000053AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4104-215-0x0000000005370000-0x00000000053AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4104-219-0x0000000005370000-0x00000000053AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4104-217-0x0000000005370000-0x00000000053AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4104-221-0x0000000005370000-0x00000000053AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4104-1064-0x0000000005410000-0x0000000005A28000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4104-1065-0x0000000005AB0000-0x0000000005BBA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4104-1066-0x0000000005BF0000-0x0000000005C02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4104-1067-0x0000000002600000-0x0000000002610000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4104-1068-0x0000000005C10000-0x0000000005C4C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4104-1070-0x0000000002600000-0x0000000002610000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4104-1071-0x0000000005F00000-0x0000000005F92000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4104-1072-0x0000000005FA0000-0x0000000006006000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4104-1073-0x00000000066D0000-0x0000000006892000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4104-1074-0x00000000068A0000-0x0000000006DCC000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4104-1075-0x0000000002600000-0x0000000002610000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4104-1076-0x0000000007280000-0x00000000072F6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4104-1077-0x0000000007310000-0x0000000007360000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4300-1083-0x0000000000F50000-0x0000000000F82000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4300-1084-0x0000000005BA0000-0x0000000005BB0000-memory.dmp

      Filesize

      64KB

      Download