Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    67s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2023 21:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    73f152b1821d2f46138c20c2989c58a00d7ddee1a1774801a1e12f85f384f164.exe

  • Size

    522KB

  • MD5

    479ab4b494d5e25287a27c7057345bbc

  • SHA1

    cf4fa049e89a4bf9038d1418de2a31296cb731e9

  • SHA256

    73f152b1821d2f46138c20c2989c58a00d7ddee1a1774801a1e12f85f384f164

  • SHA512

    dd3edec41d58c237590cccce74fb928c66e1aa0f2ce5e32f4e3a361edc4bf621ebb883f8698814ce58e4b5ca7be0435e41904cea65d3fe8fbe185f0b992a36f7

  • SSDEEP

    12288:9Mr5y90BKKL2OmyHvGrwvchCSJXubXvphW31oa:4y83myPGkcYS6C31oa

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\73f152b1821d2f46138c20c2989c58a00d7ddee1a1774801a1e12f85f384f164.exe
    "C:\Users\Admin\AppData\Local\Temp\73f152b1821d2f46138c20c2989c58a00d7ddee1a1774801a1e12f85f384f164.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3248
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieL6555.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieL6555.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4940
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr757094.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr757094.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4512
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku780106.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku780106.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2820
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 1328
          4⤵
          • Program crash
          PID:2540
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr823359.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr823359.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1232
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2820 -ip 2820
    1⤵
      PID:4068

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr823359.exe
      Filesize

      175KB

      MD5

      8a3678832328593dcc018431748a6e73

      SHA1

      9a3d015eb5e43662e05ce65fd27c30e3df700c22

      SHA256

      789c76f73267991b62eec85538b144d2e3452ad694408f8c19b924651ed8ddd3

      SHA512

      50c6aaf3d20044a9e8d1b82024ca8bf998685bced0bf33a9da51a00bb44788b41be541c1816005e75efe37b7fbc87605d8ae924e4d33a472e648ed883515d312

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr823359.exe
      Filesize

      175KB

      MD5

      8a3678832328593dcc018431748a6e73

      SHA1

      9a3d015eb5e43662e05ce65fd27c30e3df700c22

      SHA256

      789c76f73267991b62eec85538b144d2e3452ad694408f8c19b924651ed8ddd3

      SHA512

      50c6aaf3d20044a9e8d1b82024ca8bf998685bced0bf33a9da51a00bb44788b41be541c1816005e75efe37b7fbc87605d8ae924e4d33a472e648ed883515d312

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieL6555.exe
      Filesize

      380KB

      MD5

      051b6e8b9079733518553b2e3764a722

      SHA1

      e5a859990c75df9ff17a4aaeefe4986edb04c0fc

      SHA256

      40092a8b86d6ed47878c0b6f9d8e99acb5f4b8e34efad7a68ac854389f467dfd

      SHA512

      776884f6d8ca04408ecf55d7aae76be3922cee622d57f516ce5b642d591b80ad5c4261e718c7cd910c4b2a03530680002ad80d86c2c87d8582e995e3a61d49a6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieL6555.exe
      Filesize

      380KB

      MD5

      051b6e8b9079733518553b2e3764a722

      SHA1

      e5a859990c75df9ff17a4aaeefe4986edb04c0fc

      SHA256

      40092a8b86d6ed47878c0b6f9d8e99acb5f4b8e34efad7a68ac854389f467dfd

      SHA512

      776884f6d8ca04408ecf55d7aae76be3922cee622d57f516ce5b642d591b80ad5c4261e718c7cd910c4b2a03530680002ad80d86c2c87d8582e995e3a61d49a6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr757094.exe
      Filesize

      15KB

      MD5

      30cc3a815de31093c38d55345c424a50

      SHA1

      63b676e5fd719b07d7efb24f30029b457fc0ab80

      SHA256

      91a062b60f2024d036f39901a8413b9024bfcd8cc5b302430d08ce8f5e620055

      SHA512

      4642fd84e851175ae59e443024f3a618445d8bb3b546d8cd8066d48f220875748396b5f57c296411c19a8091b0a6de0659f106512ec1f396b4331f3c615edffb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr757094.exe
      Filesize

      15KB

      MD5

      30cc3a815de31093c38d55345c424a50

      SHA1

      63b676e5fd719b07d7efb24f30029b457fc0ab80

      SHA256

      91a062b60f2024d036f39901a8413b9024bfcd8cc5b302430d08ce8f5e620055

      SHA512

      4642fd84e851175ae59e443024f3a618445d8bb3b546d8cd8066d48f220875748396b5f57c296411c19a8091b0a6de0659f106512ec1f396b4331f3c615edffb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku780106.exe
      Filesize

      295KB

      MD5

      0a246e31bf40d6407d1094d438eba82c

      SHA1

      40897e1c94a614bfb70b4e5bb5cfb4a87d499cd8

      SHA256

      57c03417c082edc993d69f31eb7800110b4f92c4c774cb8f74687884c30e7472

      SHA512

      9b594516c5af14fadc43a260ad4ca1ea64e727b557f3144eef044993d9ec6010c0919d86ef56d38fcf1717223b0ec742abe482a02c2b91414a3e88f8edab106b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku780106.exe
      Filesize

      295KB

      MD5

      0a246e31bf40d6407d1094d438eba82c

      SHA1

      40897e1c94a614bfb70b4e5bb5cfb4a87d499cd8

      SHA256

      57c03417c082edc993d69f31eb7800110b4f92c4c774cb8f74687884c30e7472

      SHA512

      9b594516c5af14fadc43a260ad4ca1ea64e727b557f3144eef044993d9ec6010c0919d86ef56d38fcf1717223b0ec742abe482a02c2b91414a3e88f8edab106b

      Download Submit
    • memory/1232-1087-0x00000000003A0000-0x00000000003D2000-memory.dmp
      Filesize

      200KB

      Download
    • memory/1232-1088-0x0000000004F80000-0x0000000004F90000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2820-191-0x00000000027A0000-0x00000000027DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-201-0x00000000027A0000-0x00000000027DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-155-0x0000000002500000-0x0000000002510000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2820-156-0x0000000002500000-0x0000000002510000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2820-157-0x0000000004CB0000-0x0000000005254000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/2820-158-0x00000000027A0000-0x00000000027DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-159-0x00000000027A0000-0x00000000027DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-161-0x00000000027A0000-0x00000000027DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-163-0x00000000027A0000-0x00000000027DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-165-0x00000000027A0000-0x00000000027DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-167-0x00000000027A0000-0x00000000027DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-169-0x00000000027A0000-0x00000000027DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-171-0x00000000027A0000-0x00000000027DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-173-0x00000000027A0000-0x00000000027DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-175-0x00000000027A0000-0x00000000027DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-177-0x00000000027A0000-0x00000000027DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-179-0x00000000027A0000-0x00000000027DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-181-0x00000000027A0000-0x00000000027DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-183-0x00000000027A0000-0x00000000027DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-185-0x00000000027A0000-0x00000000027DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-187-0x00000000027A0000-0x00000000027DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-189-0x00000000027A0000-0x00000000027DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-153-0x0000000000690000-0x00000000006DB000-memory.dmp
      Filesize

      300KB

      Download
    • memory/2820-193-0x00000000027A0000-0x00000000027DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-195-0x00000000027A0000-0x00000000027DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-197-0x00000000027A0000-0x00000000027DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-199-0x00000000027A0000-0x00000000027DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-154-0x0000000002500000-0x0000000002510000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2820-203-0x00000000027A0000-0x00000000027DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-205-0x00000000027A0000-0x00000000027DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-207-0x00000000027A0000-0x00000000027DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-209-0x00000000027A0000-0x00000000027DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-211-0x00000000027A0000-0x00000000027DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-213-0x00000000027A0000-0x00000000027DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-217-0x00000000027A0000-0x00000000027DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-215-0x00000000027A0000-0x00000000027DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-219-0x00000000027A0000-0x00000000027DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-221-0x00000000027A0000-0x00000000027DF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2820-1065-0x0000000005260000-0x0000000005878000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/2820-1066-0x00000000058A0000-0x00000000059AA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/2820-1067-0x00000000059E0000-0x00000000059F2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2820-1068-0x0000000002500000-0x0000000002510000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2820-1069-0x0000000005A00000-0x0000000005A3C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/2820-1070-0x0000000002500000-0x0000000002510000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2820-1071-0x0000000002500000-0x0000000002510000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2820-1072-0x0000000002500000-0x0000000002510000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2820-1073-0x0000000005CF0000-0x0000000005D56000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2820-1074-0x00000000063C0000-0x0000000006452000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2820-1076-0x00000000065C0000-0x0000000006782000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/2820-1077-0x0000000006790000-0x0000000006CBC000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/2820-1078-0x0000000002500000-0x0000000002510000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2820-1079-0x0000000006F40000-0x0000000006FB6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/2820-1080-0x0000000006FC0000-0x0000000007010000-memory.dmp
      Filesize

      320KB

      Download
    • memory/4512-147-0x00000000005E0000-0x00000000005EA000-memory.dmp
      Filesize

      40KB

      Download