Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    03-04-2023 21:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    05b7e2fd19ab5c1e95ef434153015d1841faa35a333bf728f9b11e0e8d6777af.exe

  • Size

    522KB

  • MD5

    ef6732a82a5411e2a7c59687c065c969

  • SHA1

    c62c7fb3509c3ab12f337005a958160a69d02afa

  • SHA256

    05b7e2fd19ab5c1e95ef434153015d1841faa35a333bf728f9b11e0e8d6777af

  • SHA512

    f16005a199947645fa291b3272d08b4ee1edf0ed5c47d42feff1101d23500f9df25dbedb121c8c613d7037e45143992609370e34403e5f87f37b018b83b4a7f0

  • SSDEEP

    12288:qMrvy90nzQ/lITAmhzFhvnNN7zSO8TB4kTzWdwKyvxTX1NZ:1yKxr9FhvNNnkTqkOdEXfZ

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\05b7e2fd19ab5c1e95ef434153015d1841faa35a333bf728f9b11e0e8d6777af.exe
    "C:\Users\Admin\AppData\Local\Temp\05b7e2fd19ab5c1e95ef434153015d1841faa35a333bf728f9b11e0e8d6777af.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGy9325.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGy9325.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2276
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr717678.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr717678.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2392
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku951488.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku951488.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2848
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr221352.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr221352.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr221352.exe
    Filesize

    175KB

    MD5

    412ff5d140a16e7148c1e2e5c4cff0cd

    SHA1

    fa29bb3954d50cf651f5361de9eec61a2579881e

    SHA256

    37a342b3cc25380bb57fc08b7cbb6433aeef83863922e0ce94d8371de647ccb9

    SHA512

    6273d81e04f0686cdd75a36ea969d04d24cfe4448b4f44f0fe4eb1d5d27df331411e47c36b586e4b2f49b52400dde96127f754d43e0db6a40ede21b4236a5421

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr221352.exe
    Filesize

    175KB

    MD5

    412ff5d140a16e7148c1e2e5c4cff0cd

    SHA1

    fa29bb3954d50cf651f5361de9eec61a2579881e

    SHA256

    37a342b3cc25380bb57fc08b7cbb6433aeef83863922e0ce94d8371de647ccb9

    SHA512

    6273d81e04f0686cdd75a36ea969d04d24cfe4448b4f44f0fe4eb1d5d27df331411e47c36b586e4b2f49b52400dde96127f754d43e0db6a40ede21b4236a5421

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGy9325.exe
    Filesize

    380KB

    MD5

    4766cbaa7ef3a8f47215b31261b1bdd0

    SHA1

    cc27e187a25474e560e197e555728762eb93d642

    SHA256

    fced4e62845e4c13dc91dc8f4d5590fc6e79d138141bfa540d9553a0e46afd2a

    SHA512

    96c28a056e73178a866165b71c2155a0829d18af053acf0abbc91e3f7618464550448534e6a51c6425296e26e05a6f9da97620b0fe4e44297822d23d3651dfde

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGy9325.exe
    Filesize

    380KB

    MD5

    4766cbaa7ef3a8f47215b31261b1bdd0

    SHA1

    cc27e187a25474e560e197e555728762eb93d642

    SHA256

    fced4e62845e4c13dc91dc8f4d5590fc6e79d138141bfa540d9553a0e46afd2a

    SHA512

    96c28a056e73178a866165b71c2155a0829d18af053acf0abbc91e3f7618464550448534e6a51c6425296e26e05a6f9da97620b0fe4e44297822d23d3651dfde

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr717678.exe
    Filesize

    15KB

    MD5

    d891163f64773c0f22206222a7b28189

    SHA1

    64c973e319b9fb737fd9c2d8706e2e3b8b8069d9

    SHA256

    c5ff7e8f078c5ef0ae9dd206c0c09737879bfa6d47d674f0223f5d231213e84f

    SHA512

    32a133ace7d0536064b31c85fb60c1674cdbeefe7aa32d26fad0a7a70268ec6513645755c9983c547047507b1fd58d83a9ff44af9457428df6e5d78a0d63713d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr717678.exe
    Filesize

    15KB

    MD5

    d891163f64773c0f22206222a7b28189

    SHA1

    64c973e319b9fb737fd9c2d8706e2e3b8b8069d9

    SHA256

    c5ff7e8f078c5ef0ae9dd206c0c09737879bfa6d47d674f0223f5d231213e84f

    SHA512

    32a133ace7d0536064b31c85fb60c1674cdbeefe7aa32d26fad0a7a70268ec6513645755c9983c547047507b1fd58d83a9ff44af9457428df6e5d78a0d63713d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku951488.exe
    Filesize

    294KB

    MD5

    3fafa0f1192e3291b43aa5ceed2f8ff5

    SHA1

    0f4bea994b45b2175d26183e4e34dc47359655dc

    SHA256

    a46d945192ad73b81ee7e3d847959c3ac43ab9de461d62ad97d3f93f54e7b02c

    SHA512

    36a91752a1e1c17e2fdeddb8d5a5b7750b39c171b2b46a9d87a40e21bdc58f1e04494045d46f722283afbb647beb7911d171b376e7985181ed09cd06198fca29

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku951488.exe
    Filesize

    294KB

    MD5

    3fafa0f1192e3291b43aa5ceed2f8ff5

    SHA1

    0f4bea994b45b2175d26183e4e34dc47359655dc

    SHA256

    a46d945192ad73b81ee7e3d847959c3ac43ab9de461d62ad97d3f93f54e7b02c

    SHA512

    36a91752a1e1c17e2fdeddb8d5a5b7750b39c171b2b46a9d87a40e21bdc58f1e04494045d46f722283afbb647beb7911d171b376e7985181ed09cd06198fca29

    Download Submit
  • memory/2392-135-0x0000000000C50000-0x0000000000C5A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2848-141-0x0000000002090000-0x00000000020D6000-memory.dmp
    Filesize

    280KB

    Download
  • memory/2848-142-0x00000000006A0000-0x00000000006EB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/2848-143-0x0000000004B90000-0x0000000004BA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2848-144-0x0000000004BA0000-0x000000000509E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2848-145-0x0000000004A50000-0x0000000004A94000-memory.dmp
    Filesize

    272KB

    Download
  • memory/2848-146-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2848-147-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2848-149-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2848-151-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2848-153-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2848-155-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2848-159-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2848-157-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2848-161-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2848-163-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2848-165-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2848-171-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2848-173-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2848-175-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2848-185-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2848-187-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2848-183-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2848-191-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2848-189-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2848-194-0x0000000004B90000-0x0000000004BA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2848-193-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2848-196-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2848-198-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2848-181-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2848-200-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2848-179-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2848-208-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2848-206-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2848-210-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2848-204-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2848-202-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2848-177-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2848-169-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2848-167-0x0000000004A50000-0x0000000004A8F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2848-1053-0x00000000056B0000-0x0000000005CB6000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/2848-1054-0x00000000050A0000-0x00000000051AA000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/2848-1055-0x0000000004B70000-0x0000000004B82000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2848-1056-0x0000000004B90000-0x0000000004BA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2848-1057-0x00000000051B0000-0x00000000051EE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2848-1058-0x0000000005300000-0x000000000534B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/2848-1060-0x0000000004B90000-0x0000000004BA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2848-1061-0x0000000004B90000-0x0000000004BA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2848-1062-0x0000000005490000-0x00000000054F6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2848-1063-0x0000000004B90000-0x0000000004BA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2848-1064-0x0000000006160000-0x00000000061F2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2848-1066-0x0000000006490000-0x0000000006652000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2848-1067-0x0000000006670000-0x0000000006B9C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/2848-1068-0x0000000002220000-0x0000000002296000-memory.dmp
    Filesize

    472KB

    Download
  • memory/2848-1069-0x0000000008050000-0x00000000080A0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4864-1075-0x0000000000FC0000-0x0000000000FF2000-memory.dmp
    Filesize

    200KB

    Download
  • memory/4864-1076-0x0000000005A00000-0x0000000005A4B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4864-1077-0x0000000005BB0000-0x0000000005BC0000-memory.dmp
    Filesize

    64KB

    Download