Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    156s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2023 21:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9ee709cbbb5d6cfda61f86197ba3b18b11f3268ceafc4c9719a0dbbdf500b2e9.exe

  • Size

    659KB

  • MD5

    98acfd7abaa1eb0e7c402e5a1f47c210

  • SHA1

    f5c01e7129126d5a05a512b0558bd4843face6d9

  • SHA256

    9ee709cbbb5d6cfda61f86197ba3b18b11f3268ceafc4c9719a0dbbdf500b2e9

  • SHA512

    604246fcd84c1ad52cf1d38cb3d384e55ca51536d7888fa87ff6c72afaeefd247bfd722a815d1c1afdaf949d641fb7520243848ff3acc5008c6622b3feb3a09c

  • SSDEEP

    12288:+MrWy90pZiOoMOXlFu6BbTkA3BV0yPWyUkct59OrwEeFCLfeft/juVgLI:UyAFdAdRb3MpyUt5MHeMLWB4H

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9ee709cbbb5d6cfda61f86197ba3b18b11f3268ceafc4c9719a0dbbdf500b2e9.exe
    "C:\Users\Admin\AppData\Local\Temp\9ee709cbbb5d6cfda61f86197ba3b18b11f3268ceafc4c9719a0dbbdf500b2e9.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3192
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un639115.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un639115.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1596
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4583.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4583.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4892
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1108
          4⤵
          • Program crash
          PID:2628
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0580.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0580.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:744
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 1352
          4⤵
          • Program crash
          PID:2724
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si935240.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si935240.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:824
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4892 -ip 4892
    1⤵
      PID:3412
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 744 -ip 744
      1⤵
        PID:4368

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Modify Existing Service

      1
      T1031

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      3
      T1112

      Disabling Security Tools

      2
      T1089

      Credential Access

      Credentials in Files

      2
      T1081

      Discovery

      Query Registry

      1
      T1012

      Lateral Movement

      Collection

      Data from Local System

      2
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si935240.exe
        Filesize

        175KB

        MD5

        934f3379f828e0d7316d1929342b4ea7

        SHA1

        525b6ba28a80215871cc29fb8be32a98dd0e9cda

        SHA256

        58575c17f23da487f8c36b31824fc9f9268d348be0c347a076d8b4896232c569

        SHA512

        a090537cf47cfd4d2ad89fb6f5449214965e48b44e0392663ef117b0ca4f5f68fa44904e71fb615e7fa922588cfcb1982a24bd31b2096e15b2091e48b4d36a3d

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si935240.exe
        Filesize

        175KB

        MD5

        934f3379f828e0d7316d1929342b4ea7

        SHA1

        525b6ba28a80215871cc29fb8be32a98dd0e9cda

        SHA256

        58575c17f23da487f8c36b31824fc9f9268d348be0c347a076d8b4896232c569

        SHA512

        a090537cf47cfd4d2ad89fb6f5449214965e48b44e0392663ef117b0ca4f5f68fa44904e71fb615e7fa922588cfcb1982a24bd31b2096e15b2091e48b4d36a3d

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un639115.exe
        Filesize

        517KB

        MD5

        e17be0bf347ebbd647505f3ec06d2859

        SHA1

        cb42db935ee137a12e91b1e96591df939451e250

        SHA256

        f5ed9657ae36619e3b713e71cbb761d8f3886ac043d00005cf9123468e4ca4f0

        SHA512

        de5cec0415560e4a21a3bb84490d0ff27408bfe08895e47dd41f4157fac4d7edeecc3c71c2d55aaaa6b4ff17d1210eca253179af580219f22d364010a6b4fa1b

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un639115.exe
        Filesize

        517KB

        MD5

        e17be0bf347ebbd647505f3ec06d2859

        SHA1

        cb42db935ee137a12e91b1e96591df939451e250

        SHA256

        f5ed9657ae36619e3b713e71cbb761d8f3886ac043d00005cf9123468e4ca4f0

        SHA512

        de5cec0415560e4a21a3bb84490d0ff27408bfe08895e47dd41f4157fac4d7edeecc3c71c2d55aaaa6b4ff17d1210eca253179af580219f22d364010a6b4fa1b

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4583.exe
        Filesize

        237KB

        MD5

        44bee950700feb6d0390886c01379903

        SHA1

        4305a9b967d013d67aae536598344fcc67a9ddd4

        SHA256

        8d63b5289b2cce80ab5f7b5317986a6c355dd4c5b14b16d03ffe1825e01c366c

        SHA512

        7de9c0baca4e6025a621e666137e748e24346a59038d6c42d6b477915e125ea808067fd1314f90e74b0c8571f1445a7e9ff06cf047156bb0b2c35e3ac9ef1ec7

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4583.exe
        Filesize

        237KB

        MD5

        44bee950700feb6d0390886c01379903

        SHA1

        4305a9b967d013d67aae536598344fcc67a9ddd4

        SHA256

        8d63b5289b2cce80ab5f7b5317986a6c355dd4c5b14b16d03ffe1825e01c366c

        SHA512

        7de9c0baca4e6025a621e666137e748e24346a59038d6c42d6b477915e125ea808067fd1314f90e74b0c8571f1445a7e9ff06cf047156bb0b2c35e3ac9ef1ec7

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0580.exe
        Filesize

        295KB

        MD5

        3e1fdb9440a4e2851f230fe980a1c203

        SHA1

        204b00b45a8d2f812e72a9bec11f035511742eb5

        SHA256

        b84811031404510fe2cc8b34c00742e0064f4b8b7985b2a22697a3ea0116bf93

        SHA512

        db6c0fcde01829054f32735a18d80b8ef72c4b0311dee305e0a63345763070cb00f1b20bc86679fd84a564498a6b023efaf23d3d454e79308e20d90cf938b676

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0580.exe
        Filesize

        295KB

        MD5

        3e1fdb9440a4e2851f230fe980a1c203

        SHA1

        204b00b45a8d2f812e72a9bec11f035511742eb5

        SHA256

        b84811031404510fe2cc8b34c00742e0064f4b8b7985b2a22697a3ea0116bf93

        SHA512

        db6c0fcde01829054f32735a18d80b8ef72c4b0311dee305e0a63345763070cb00f1b20bc86679fd84a564498a6b023efaf23d3d454e79308e20d90cf938b676

        Download Submit
      • memory/744-1102-0x00000000058A0000-0x00000000059AA000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/744-1101-0x0000000005250000-0x0000000005868000-memory.dmp
        Filesize

        6.1MB

        Download
      • memory/744-216-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/744-214-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/744-200-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/744-202-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/744-1115-0x0000000007070000-0x00000000070E6000-memory.dmp
        Filesize

        472KB

        Download
      • memory/744-1114-0x0000000004B90000-0x0000000004BA0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/744-1113-0x00000000067C0000-0x0000000006CEC000-memory.dmp
        Filesize

        5.2MB

        Download
      • memory/744-1112-0x00000000065F0000-0x00000000067B2000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/744-204-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/744-1111-0x0000000004B90000-0x0000000004BA0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/744-1109-0x0000000004B90000-0x0000000004BA0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/744-1110-0x0000000004B90000-0x0000000004BA0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/744-1107-0x0000000005D90000-0x0000000005DF6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/744-1106-0x0000000005CF0000-0x0000000005D82000-memory.dmp
        Filesize

        584KB

        Download
      • memory/744-1105-0x0000000004B90000-0x0000000004BA0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/744-1104-0x0000000005A00000-0x0000000005A3C000-memory.dmp
        Filesize

        240KB

        Download
      • memory/744-1103-0x00000000059E0000-0x00000000059F2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/744-218-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/744-228-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/744-226-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/744-224-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/744-191-0x0000000002170000-0x00000000021BB000-memory.dmp
        Filesize

        300KB

        Download
      • memory/744-193-0x0000000004B90000-0x0000000004BA0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/744-192-0x0000000004B90000-0x0000000004BA0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/744-194-0x0000000004B90000-0x0000000004BA0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/744-195-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/744-196-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/744-198-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/744-222-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/744-1116-0x0000000007100000-0x0000000007150000-memory.dmp
        Filesize

        320KB

        Download
      • memory/744-220-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/744-206-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/744-208-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/744-210-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/744-212-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/824-1122-0x0000000000570000-0x00000000005A2000-memory.dmp
        Filesize

        200KB

        Download
      • memory/824-1123-0x0000000005100000-0x0000000005110000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4892-181-0x0000000000400000-0x00000000004A9000-memory.dmp
        Filesize

        676KB

        Download
      • memory/4892-172-0x0000000002490000-0x00000000024A2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4892-148-0x0000000000660000-0x000000000068D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/4892-151-0x0000000004DB0000-0x0000000004DC0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4892-152-0x0000000004DB0000-0x0000000004DC0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4892-186-0x0000000000400000-0x00000000004A9000-memory.dmp
        Filesize

        676KB

        Download
      • memory/4892-184-0x0000000004DB0000-0x0000000004DC0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4892-150-0x0000000004DB0000-0x0000000004DC0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4892-183-0x0000000004DB0000-0x0000000004DC0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4892-182-0x0000000004DB0000-0x0000000004DC0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4892-153-0x0000000002490000-0x00000000024A2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4892-180-0x0000000002490000-0x00000000024A2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4892-178-0x0000000002490000-0x00000000024A2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4892-176-0x0000000002490000-0x00000000024A2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4892-168-0x0000000002490000-0x00000000024A2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4892-170-0x0000000002490000-0x00000000024A2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4892-174-0x0000000002490000-0x00000000024A2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4892-166-0x0000000002490000-0x00000000024A2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4892-164-0x0000000002490000-0x00000000024A2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4892-162-0x0000000002490000-0x00000000024A2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4892-160-0x0000000002490000-0x00000000024A2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4892-149-0x0000000004DC0000-0x0000000005364000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/4892-158-0x0000000002490000-0x00000000024A2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4892-156-0x0000000002490000-0x00000000024A2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4892-154-0x0000000002490000-0x00000000024A2000-memory.dmp
        Filesize

        72KB

        Download