Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    52s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2023 21:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e4853bcd15289e5fe6d7c8a314d269286e648a3e54c644ea21fc85f2cac7766d.exe

  • Size

    522KB

  • MD5

    30a330669a67ec0166d86c4b72b3db26

  • SHA1

    80f63748cf2e949b718b3c6cb61855569fd96195

  • SHA256

    e4853bcd15289e5fe6d7c8a314d269286e648a3e54c644ea21fc85f2cac7766d

  • SHA512

    43ddce95eaab5968b346f51c6345f4a50c764ab6d192e35a10766797e2732b885c855df9fe2cd5e29f7d6c990d15b1a14abd6297c7817b5cb3c892cb181e000d

  • SSDEEP

    12288:bMrry90LT1ske4np+8+a4ZhzWhWRhhoaD5:wyYTuV4npX+bZ0hWRnoU

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e4853bcd15289e5fe6d7c8a314d269286e648a3e54c644ea21fc85f2cac7766d.exe
    "C:\Users\Admin\AppData\Local\Temp\e4853bcd15289e5fe6d7c8a314d269286e648a3e54c644ea21fc85f2cac7766d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1260
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNH8407.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNH8407.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1536
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr577070.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr577070.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1640
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku164269.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku164269.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2820
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 1528
          4⤵
          • Program crash
          PID:3256
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr811180.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr811180.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5068
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2820 -ip 2820
    1⤵
      PID:2504

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr811180.exe
      Filesize

      175KB

      MD5

      5764dd2dcc7a163331b445aecd9b4108

      SHA1

      bb35c69c413db59f0cafee44a23294d0dd53329b

      SHA256

      6f771f923578a8a3232479b3e01c2fd0ffd0f86d0684fff8138a003fbcf002b8

      SHA512

      cc48ea31178d3001e4a77cd862f2bd4b0891b74e42153aa1d88f5f2c6770ef8533fcdf9967ae24dc41e1adc04c18093b76dde6390a330729710d1895d4a2159f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr811180.exe
      Filesize

      175KB

      MD5

      5764dd2dcc7a163331b445aecd9b4108

      SHA1

      bb35c69c413db59f0cafee44a23294d0dd53329b

      SHA256

      6f771f923578a8a3232479b3e01c2fd0ffd0f86d0684fff8138a003fbcf002b8

      SHA512

      cc48ea31178d3001e4a77cd862f2bd4b0891b74e42153aa1d88f5f2c6770ef8533fcdf9967ae24dc41e1adc04c18093b76dde6390a330729710d1895d4a2159f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNH8407.exe
      Filesize

      379KB

      MD5

      98eb699a10d3cace428f028a9dfe5bca

      SHA1

      b508321f5d66aeb0c8baa2fa9a36c848b70050d9

      SHA256

      48030e2b2fd4d9846c101d624c82592b6cee8fca24ce4f561f595582d32c4445

      SHA512

      7e03058f06d66469b4e68432075fcd190dab82b40b6e077e6049deac2296420c8c70b72b6fb91e1696c3b9d56f250611d524df70cfc4c1caa6ec484298c5cccd

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNH8407.exe
      Filesize

      379KB

      MD5

      98eb699a10d3cace428f028a9dfe5bca

      SHA1

      b508321f5d66aeb0c8baa2fa9a36c848b70050d9

      SHA256

      48030e2b2fd4d9846c101d624c82592b6cee8fca24ce4f561f595582d32c4445

      SHA512

      7e03058f06d66469b4e68432075fcd190dab82b40b6e077e6049deac2296420c8c70b72b6fb91e1696c3b9d56f250611d524df70cfc4c1caa6ec484298c5cccd

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr577070.exe
      Filesize

      15KB

      MD5

      eaf1dcf80f0523b179c6f1e69f950e04

      SHA1

      01eed5db569c824cea3947a3e6e9155170633e61

      SHA256

      5e76506a1e4dd4445af5b194188beccdbdb361ab6b8e2fbddbebea2e791f90c7

      SHA512

      32b290aaf412ce7782ae4e9133cde074545bd12f4d8cfe685721c5acf41606d1e4fadff7319583c63c9a9b1c3397bd428b00fc112b2678b82acfad3086549858

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr577070.exe
      Filesize

      15KB

      MD5

      eaf1dcf80f0523b179c6f1e69f950e04

      SHA1

      01eed5db569c824cea3947a3e6e9155170633e61

      SHA256

      5e76506a1e4dd4445af5b194188beccdbdb361ab6b8e2fbddbebea2e791f90c7

      SHA512

      32b290aaf412ce7782ae4e9133cde074545bd12f4d8cfe685721c5acf41606d1e4fadff7319583c63c9a9b1c3397bd428b00fc112b2678b82acfad3086549858

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku164269.exe
      Filesize

      294KB

      MD5

      a31819a0dd45729e06d7a463df24fe5b

      SHA1

      6a9a6522d3d0b203f1cf3025a0e2bd717ead05ff

      SHA256

      f1921ade0f4f3335b99aec467a53b21161a86307b2f21a5aa36f36c3da9d08ba

      SHA512

      6a329d6ed18832bd384e5cec2ceb73ba082a01177c4df1477d9d81a5e0549fb1943a77afea376dcb8bee58c9f277c9f2506dceda174df7115971f9bdb9a4b50e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku164269.exe
      Filesize

      294KB

      MD5

      a31819a0dd45729e06d7a463df24fe5b

      SHA1

      6a9a6522d3d0b203f1cf3025a0e2bd717ead05ff

      SHA256

      f1921ade0f4f3335b99aec467a53b21161a86307b2f21a5aa36f36c3da9d08ba

      SHA512

      6a329d6ed18832bd384e5cec2ceb73ba082a01177c4df1477d9d81a5e0549fb1943a77afea376dcb8bee58c9f277c9f2506dceda174df7115971f9bdb9a4b50e

      Download Submit
    • memory/1640-147-0x0000000000C10000-0x0000000000C1A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2820-153-0x0000000002030000-0x000000000207B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/2820-154-0x0000000004E50000-0x0000000004E60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2820-155-0x0000000004E50000-0x0000000004E60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2820-156-0x0000000004E50000-0x0000000004E60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2820-157-0x0000000004E60000-0x0000000005404000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/2820-158-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-161-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-159-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-163-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-165-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-169-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-171-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-167-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-173-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-175-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-177-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-179-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-181-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-183-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-185-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-187-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-189-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-191-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-193-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-195-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-197-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-199-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-201-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-203-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-205-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-207-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-209-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-211-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-213-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-215-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-217-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-219-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-221-0x00000000024F0000-0x000000000252F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-1064-0x0000000005410000-0x0000000005A28000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/2820-1065-0x0000000004CA0000-0x0000000004DAA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/2820-1066-0x0000000002660000-0x0000000002672000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2820-1067-0x0000000002680000-0x00000000026BC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/2820-1068-0x0000000004E50000-0x0000000004E60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2820-1069-0x0000000005BB0000-0x0000000005C16000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2820-1071-0x0000000004E50000-0x0000000004E60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2820-1072-0x0000000004E50000-0x0000000004E60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2820-1073-0x0000000006270000-0x0000000006302000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2820-1074-0x0000000006370000-0x0000000006532000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/2820-1075-0x0000000006550000-0x0000000006A7C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/2820-1076-0x0000000006CC0000-0x0000000006D36000-memory.dmp
      Filesize

      472KB

      Download
    • memory/2820-1077-0x0000000006D40000-0x0000000006D90000-memory.dmp
      Filesize

      320KB

      Download
    • memory/2820-1078-0x0000000004E50000-0x0000000004E60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5068-1084-0x0000000000740000-0x0000000000772000-memory.dmp
      Filesize

      200KB

      Download
    • memory/5068-1085-0x0000000005370000-0x0000000005380000-memory.dmp
      Filesize

      64KB

      Download