Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    89s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2023 22:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ca560ddd53cf6d764044aaccdd707f971e076dc864927f191e5b92e2f04b9683.exe

  • Size

    660KB

  • MD5

    3ff2a06d73f6a9253baa59e3195e7f93

  • SHA1

    8ea51d6e736412eae7487561c47506aa325f8a30

  • SHA256

    ca560ddd53cf6d764044aaccdd707f971e076dc864927f191e5b92e2f04b9683

  • SHA512

    5665fd3527178c6254502ac9d180ee8a122668c8b92162beeeb3de097ad1c1b5403ba5ae3ba81410964f0452f69e18217e54af858f0b09293103288516d63f40

  • SSDEEP

    12288:hMrOy90fC4xhaU30+078p8POR+4MLPtLel9CJfqft/juKJum:zy3+w+dR+TLPtOEJyBDum

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ca560ddd53cf6d764044aaccdd707f971e076dc864927f191e5b92e2f04b9683.exe
    "C:\Users\Admin\AppData\Local\Temp\ca560ddd53cf6d764044aaccdd707f971e076dc864927f191e5b92e2f04b9683.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:852
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un464449.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un464449.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4284
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0226.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0226.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2164
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 1088
          4⤵
          • Program crash
          PID:1468
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4791.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4791.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2628
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 1608
          4⤵
          • Program crash
          PID:3768
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si706977.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si706977.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4756
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2164 -ip 2164
    1⤵
      PID:100
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2628 -ip 2628
      1⤵
        PID:3076

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Modify Existing Service

      1
      T1031

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      3
      T1112

      Disabling Security Tools

      2
      T1089

      Credential Access

      Credentials in Files

      2
      T1081

      Discovery

      Query Registry

      1
      T1012

      Lateral Movement

      Collection

      Data from Local System

      2
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si706977.exe
        Filesize

        175KB

        MD5

        e03c39323ca06905aa9d8b23e254a6a4

        SHA1

        0d81b138f0bc2e5803990ab82688cae48c140599

        SHA256

        33f0374b07d8909607c6c561352cd785bef7d011774a238d5677de60e761e7dd

        SHA512

        b83f179ba298e632c9cea70dc84dae767ecbe44b52d4f6fe7a33f386a372f80804a098709d104a9293c52aa21556340ec11e1b2010d44832b94004bd4a1cecb8

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si706977.exe
        Filesize

        175KB

        MD5

        e03c39323ca06905aa9d8b23e254a6a4

        SHA1

        0d81b138f0bc2e5803990ab82688cae48c140599

        SHA256

        33f0374b07d8909607c6c561352cd785bef7d011774a238d5677de60e761e7dd

        SHA512

        b83f179ba298e632c9cea70dc84dae767ecbe44b52d4f6fe7a33f386a372f80804a098709d104a9293c52aa21556340ec11e1b2010d44832b94004bd4a1cecb8

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un464449.exe
        Filesize

        517KB

        MD5

        4ea4370b29d26c05fd50f322e3d0cf81

        SHA1

        47b6d200cbb1b0b48823b88ac5ad6d3e21028574

        SHA256

        aee3d00cf59b0255f55cad3d73261718e3deaaa30e4d3663ac7bed068035518c

        SHA512

        e5f9d053147c2798540db95236e0cc48fa4f094fe0ec15ba825678dd55b6000ae8e4d5940c7390bc7792d61f0e9e51301b13a288a47d329b47c7f4ed49cddcc1

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un464449.exe
        Filesize

        517KB

        MD5

        4ea4370b29d26c05fd50f322e3d0cf81

        SHA1

        47b6d200cbb1b0b48823b88ac5ad6d3e21028574

        SHA256

        aee3d00cf59b0255f55cad3d73261718e3deaaa30e4d3663ac7bed068035518c

        SHA512

        e5f9d053147c2798540db95236e0cc48fa4f094fe0ec15ba825678dd55b6000ae8e4d5940c7390bc7792d61f0e9e51301b13a288a47d329b47c7f4ed49cddcc1

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0226.exe
        Filesize

        237KB

        MD5

        71f4d453eb47f6a4cea3d26e292ddbe0

        SHA1

        22912062bee00f604f546292bac17747f79732f6

        SHA256

        3928f40a893f03e94ebe1557902937f66bf9f3ee2958de0f34050f516c23b5c4

        SHA512

        e7fa568c0e130d80cb355f123df460a97c195d4543547bd793a9e8188632824aeb459d1a12f4783af0559e4240900b60eccb0e85a3bc9d86e82e2ffadf3530a9

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0226.exe
        Filesize

        237KB

        MD5

        71f4d453eb47f6a4cea3d26e292ddbe0

        SHA1

        22912062bee00f604f546292bac17747f79732f6

        SHA256

        3928f40a893f03e94ebe1557902937f66bf9f3ee2958de0f34050f516c23b5c4

        SHA512

        e7fa568c0e130d80cb355f123df460a97c195d4543547bd793a9e8188632824aeb459d1a12f4783af0559e4240900b60eccb0e85a3bc9d86e82e2ffadf3530a9

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4791.exe
        Filesize

        295KB

        MD5

        4a04d897d060ffe81ad1ea3cda6cbf54

        SHA1

        c02144bc3aa9cfaaf119400fe68687a374defc3e

        SHA256

        b3a6663782971fdf790698dc0f2bdf95139baac382116545dde686687857733d

        SHA512

        4be5e2f77a7a98294fea04848b49537e892cb68bfd15b952a9e4fae74e3e84f971177a304092714ff07895b5fdea11abd88b2c111ed0dbbf404ffbf0847dd7b6

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4791.exe
        Filesize

        295KB

        MD5

        4a04d897d060ffe81ad1ea3cda6cbf54

        SHA1

        c02144bc3aa9cfaaf119400fe68687a374defc3e

        SHA256

        b3a6663782971fdf790698dc0f2bdf95139baac382116545dde686687857733d

        SHA512

        4be5e2f77a7a98294fea04848b49537e892cb68bfd15b952a9e4fae74e3e84f971177a304092714ff07895b5fdea11abd88b2c111ed0dbbf404ffbf0847dd7b6

        Download Submit
      • memory/2164-148-0x0000000000620000-0x000000000064D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/2164-149-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2164-150-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2164-151-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2164-152-0x0000000004BD0000-0x0000000005174000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/2164-153-0x0000000000400000-0x00000000004A9000-memory.dmp
        Filesize

        676KB

        Download
      • memory/2164-155-0x0000000002420000-0x0000000002432000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2164-156-0x0000000002420000-0x0000000002432000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2164-158-0x0000000002420000-0x0000000002432000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2164-160-0x0000000002420000-0x0000000002432000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2164-162-0x0000000002420000-0x0000000002432000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2164-166-0x0000000002420000-0x0000000002432000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2164-164-0x0000000002420000-0x0000000002432000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2164-168-0x0000000002420000-0x0000000002432000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2164-170-0x0000000002420000-0x0000000002432000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2164-172-0x0000000002420000-0x0000000002432000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2164-174-0x0000000002420000-0x0000000002432000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2164-176-0x0000000002420000-0x0000000002432000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2164-178-0x0000000002420000-0x0000000002432000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2164-182-0x0000000002420000-0x0000000002432000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2164-180-0x0000000002420000-0x0000000002432000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2164-183-0x0000000000620000-0x000000000064D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/2164-184-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2164-185-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2164-188-0x0000000000400000-0x00000000004A9000-memory.dmp
        Filesize

        676KB

        Download
      • memory/2628-193-0x0000000005180000-0x00000000051BF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2628-194-0x0000000005180000-0x00000000051BF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2628-196-0x0000000005180000-0x00000000051BF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2628-198-0x0000000005180000-0x00000000051BF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2628-202-0x0000000005180000-0x00000000051BF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2628-200-0x0000000005180000-0x00000000051BF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2628-204-0x0000000005180000-0x00000000051BF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2628-206-0x0000000005180000-0x00000000051BF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2628-208-0x0000000005180000-0x00000000051BF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2628-210-0x0000000005180000-0x00000000051BF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2628-212-0x0000000005180000-0x00000000051BF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2628-214-0x0000000005180000-0x00000000051BF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2628-216-0x0000000005180000-0x00000000051BF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2628-218-0x0000000005180000-0x00000000051BF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2628-220-0x0000000005180000-0x00000000051BF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2628-222-0x0000000005180000-0x00000000051BF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2628-224-0x0000000005180000-0x00000000051BF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/2628-444-0x0000000000620000-0x000000000066B000-memory.dmp
        Filesize

        300KB

        Download
      • memory/2628-445-0x00000000022E0000-0x00000000022F0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2628-448-0x00000000022E0000-0x00000000022F0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2628-1102-0x0000000005200000-0x0000000005818000-memory.dmp
        Filesize

        6.1MB

        Download
      • memory/2628-1103-0x00000000058A0000-0x00000000059AA000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/2628-1104-0x00000000059E0000-0x00000000059F2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2628-1105-0x0000000005A00000-0x0000000005A3C000-memory.dmp
        Filesize

        240KB

        Download
      • memory/2628-1106-0x00000000022E0000-0x00000000022F0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2628-1108-0x0000000005CF0000-0x0000000005D82000-memory.dmp
        Filesize

        584KB

        Download
      • memory/2628-1109-0x0000000005D90000-0x0000000005DF6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/2628-1110-0x00000000022E0000-0x00000000022F0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2628-1111-0x00000000022E0000-0x00000000022F0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2628-1112-0x00000000064B0000-0x0000000006672000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/2628-1113-0x0000000006690000-0x0000000006BBC000-memory.dmp
        Filesize

        5.2MB

        Download
      • memory/2628-1114-0x00000000022E0000-0x00000000022F0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/2628-1115-0x0000000006F40000-0x0000000006FB6000-memory.dmp
        Filesize

        472KB

        Download
      • memory/2628-1116-0x0000000006FD0000-0x0000000007020000-memory.dmp
        Filesize

        320KB

        Download
      • memory/4756-1122-0x00000000003A0000-0x00000000003D2000-memory.dmp
        Filesize

        200KB

        Download
      • memory/4756-1123-0x0000000004FF0000-0x0000000005000000-memory.dmp
        Filesize

        64KB

        Download