Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2023 21:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8db6614ed2a9a2bf941fa6ea3a7aeb309466bfe2ad8d86c55aa5902b249a5de7.exe

  • Size

    659KB

  • MD5

    36b87ba71f8006717551eec759b12629

  • SHA1

    ad968499cd932813633a773569b548b9dd3bb818

  • SHA256

    8db6614ed2a9a2bf941fa6ea3a7aeb309466bfe2ad8d86c55aa5902b249a5de7

  • SHA512

    b4a142126111f255ee4d3d100bbe56c6adc07613c2fa77689dce0df2b36a8f98918e75eae7dc2d71f5871e459e0cff69b11af451645597e3b578cbc17ff60cc5

  • SSDEEP

    12288:qMr8y90ov/KEjqPUpHo0oupwAdGCDw549RgLTCB+2ft/juStREW:Sy7/FfxfDXELOBXB9UW

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 17 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8db6614ed2a9a2bf941fa6ea3a7aeb309466bfe2ad8d86c55aa5902b249a5de7.exe
    "C:\Users\Admin\AppData\Local\Temp\8db6614ed2a9a2bf941fa6ea3a7aeb309466bfe2ad8d86c55aa5902b249a5de7.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un116927.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un116927.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3476
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0469.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0469.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4120
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 1072
          4⤵
          • Program crash
          PID:612
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0121.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0121.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3340
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 1344
          4⤵
          • Program crash
          PID:1288
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si568375.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si568375.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4032
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4120 -ip 4120
    1⤵
      PID:3696
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3340 -ip 3340
      1⤵
        PID:4148

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Modify Existing Service

      1
      T1031

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      3
      T1112

      Disabling Security Tools

      2
      T1089

      Credential Access

      Credentials in Files

      2
      T1081

      Discovery

      Query Registry

      1
      T1012

      Lateral Movement

      Collection

      Data from Local System

      2
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si568375.exe
        Filesize

        175KB

        MD5

        71489a97afe3ad940ce3d31fa70e1437

        SHA1

        d4e30c6d02b0d81d58452408b50f686ff7de68e8

        SHA256

        29fa0a3a29b55d8b3df7d449c9b50d842d070f8730c892d69d53160c4948100c

        SHA512

        2568283dee6f0810ebe1887a9dd74b699f3f1894c7329cc673734077f96fdde97eb8de9159cab5a53cb1efde95992f71e098c57610bfd03aafc7a7c90ef279e2

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si568375.exe
        Filesize

        175KB

        MD5

        71489a97afe3ad940ce3d31fa70e1437

        SHA1

        d4e30c6d02b0d81d58452408b50f686ff7de68e8

        SHA256

        29fa0a3a29b55d8b3df7d449c9b50d842d070f8730c892d69d53160c4948100c

        SHA512

        2568283dee6f0810ebe1887a9dd74b699f3f1894c7329cc673734077f96fdde97eb8de9159cab5a53cb1efde95992f71e098c57610bfd03aafc7a7c90ef279e2

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un116927.exe
        Filesize

        517KB

        MD5

        1246c9afe886a0e0c47168b549e6ee3a

        SHA1

        07b767487c77a2667c6bd56467dc63a55f611a9d

        SHA256

        d2df7fb9333a07c8b9e2bc375fc7a2c6704e79a5a8c8c9107739d3b43e7b5685

        SHA512

        f02341c4a01da448bf5be9c8a08a3722d9ea180e6ea15e4f3d97c772efa345c04c06cfbb70d1787c19099db6d1f44f62c9bc99f4dc2d31ab0c37752066ebd49b

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un116927.exe
        Filesize

        517KB

        MD5

        1246c9afe886a0e0c47168b549e6ee3a

        SHA1

        07b767487c77a2667c6bd56467dc63a55f611a9d

        SHA256

        d2df7fb9333a07c8b9e2bc375fc7a2c6704e79a5a8c8c9107739d3b43e7b5685

        SHA512

        f02341c4a01da448bf5be9c8a08a3722d9ea180e6ea15e4f3d97c772efa345c04c06cfbb70d1787c19099db6d1f44f62c9bc99f4dc2d31ab0c37752066ebd49b

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0469.exe
        Filesize

        237KB

        MD5

        75b031ae06382ee8e3abae666fa3bb87

        SHA1

        56cb26e195384b3b47000e681cdb163f5764bde6

        SHA256

        21bfabe8dacd11230f01a746c16cee5c036cc7e47dfd88c556d96737441e754d

        SHA512

        eb503f3fc11007c8b3f4d5bc144defd8968323a4a1db1980e7ebc48f12889702de8feed85588c3bf8351315f9fb0e8343a6d37109ee7d8cc558df2516c7e24a8

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0469.exe
        Filesize

        237KB

        MD5

        75b031ae06382ee8e3abae666fa3bb87

        SHA1

        56cb26e195384b3b47000e681cdb163f5764bde6

        SHA256

        21bfabe8dacd11230f01a746c16cee5c036cc7e47dfd88c556d96737441e754d

        SHA512

        eb503f3fc11007c8b3f4d5bc144defd8968323a4a1db1980e7ebc48f12889702de8feed85588c3bf8351315f9fb0e8343a6d37109ee7d8cc558df2516c7e24a8

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0121.exe
        Filesize

        295KB

        MD5

        3bb7ed9e0f5ff89e6a7665a419c6a335

        SHA1

        511f062961a7f1d1f31c0b6685089817b8614b75

        SHA256

        b024bf47c83294287d1a4a83d52226362298936bc48abc5f10026cd4ab3a73e1

        SHA512

        4455155f9b585b626234a85a6b38a03a0f7e880b3d97b14f91125d66eaff683ebac5ea0a3173643758877554f4adb3f98c948e5305e9ecfa0d385e38acd2905a

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0121.exe
        Filesize

        295KB

        MD5

        3bb7ed9e0f5ff89e6a7665a419c6a335

        SHA1

        511f062961a7f1d1f31c0b6685089817b8614b75

        SHA256

        b024bf47c83294287d1a4a83d52226362298936bc48abc5f10026cd4ab3a73e1

        SHA512

        4455155f9b585b626234a85a6b38a03a0f7e880b3d97b14f91125d66eaff683ebac5ea0a3173643758877554f4adb3f98c948e5305e9ecfa0d385e38acd2905a

        Download Submit
      • memory/3340-1103-0x0000000005240000-0x0000000005858000-memory.dmp
        Filesize

        6.1MB

        Download
      • memory/3340-1104-0x00000000058A0000-0x00000000059AA000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/3340-212-0x00000000025A0000-0x00000000025DF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3340-210-0x00000000025A0000-0x00000000025DF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3340-1118-0x0000000006FD0000-0x0000000007020000-memory.dmp
        Filesize

        320KB

        Download
      • memory/3340-202-0x00000000025A0000-0x00000000025DF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3340-1117-0x0000000006F40000-0x0000000006FB6000-memory.dmp
        Filesize

        472KB

        Download
      • memory/3340-1116-0x0000000004B80000-0x0000000004B90000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3340-1115-0x00000000068D0000-0x0000000006DFC000-memory.dmp
        Filesize

        5.2MB

        Download
      • memory/3340-1114-0x00000000066F0000-0x00000000068B2000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/3340-1113-0x0000000004B80000-0x0000000004B90000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3340-1112-0x0000000004B80000-0x0000000004B90000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3340-1111-0x0000000004B80000-0x0000000004B90000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3340-204-0x0000000004B80000-0x0000000004B90000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3340-1110-0x0000000005D90000-0x0000000005DF6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3340-1109-0x0000000005CF0000-0x0000000005D82000-memory.dmp
        Filesize

        584KB

        Download
      • memory/3340-1107-0x0000000005A00000-0x0000000005A3C000-memory.dmp
        Filesize

        240KB

        Download
      • memory/3340-1106-0x0000000004B80000-0x0000000004B90000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3340-1105-0x00000000059E0000-0x00000000059F2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/3340-214-0x00000000025A0000-0x00000000025DF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3340-220-0x00000000025A0000-0x00000000025DF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3340-222-0x00000000025A0000-0x00000000025DF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3340-224-0x00000000025A0000-0x00000000025DF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3340-228-0x00000000025A0000-0x00000000025DF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3340-226-0x00000000025A0000-0x00000000025DF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3340-206-0x00000000025A0000-0x00000000025DF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3340-194-0x00000000025A0000-0x00000000025DF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3340-196-0x00000000025A0000-0x00000000025DF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3340-198-0x00000000025A0000-0x00000000025DF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3340-199-0x0000000000750000-0x000000000079B000-memory.dmp
        Filesize

        300KB

        Download
      • memory/3340-201-0x0000000004B80000-0x0000000004B90000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3340-203-0x0000000004B80000-0x0000000004B90000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3340-218-0x00000000025A0000-0x00000000025DF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3340-216-0x00000000025A0000-0x00000000025DF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3340-193-0x00000000025A0000-0x00000000025DF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3340-208-0x00000000025A0000-0x00000000025DF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4032-1124-0x0000000000500000-0x0000000000532000-memory.dmp
        Filesize

        200KB

        Download
      • memory/4032-1125-0x00000000050D0000-0x00000000050E0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4120-182-0x0000000000400000-0x00000000004A9000-memory.dmp
        Filesize

        676KB

        Download
      • memory/4120-175-0x0000000004B50000-0x0000000004B62000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4120-159-0x0000000004B50000-0x0000000004B62000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4120-151-0x0000000004CA0000-0x0000000004CB0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4120-152-0x0000000004CA0000-0x0000000004CB0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4120-188-0x0000000000400000-0x00000000004A9000-memory.dmp
        Filesize

        676KB

        Download
      • memory/4120-186-0x0000000004CA0000-0x0000000004CB0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4120-185-0x0000000004CA0000-0x0000000004CB0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4120-150-0x0000000004CB0000-0x0000000005254000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/4120-184-0x0000000004CA0000-0x0000000004CB0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4120-183-0x00000000004F0000-0x000000000051D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/4120-153-0x0000000004CA0000-0x0000000004CB0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4120-181-0x0000000004B50000-0x0000000004B62000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4120-179-0x0000000004B50000-0x0000000004B62000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4120-177-0x0000000004B50000-0x0000000004B62000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4120-173-0x0000000004B50000-0x0000000004B62000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4120-171-0x0000000004B50000-0x0000000004B62000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4120-169-0x0000000004B50000-0x0000000004B62000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4120-167-0x0000000004B50000-0x0000000004B62000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4120-165-0x0000000004B50000-0x0000000004B62000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4120-163-0x0000000004B50000-0x0000000004B62000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4120-161-0x0000000004B50000-0x0000000004B62000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4120-157-0x0000000004B50000-0x0000000004B62000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4120-149-0x00000000004F0000-0x000000000051D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/4120-148-0x0000000000400000-0x00000000004A9000-memory.dmp
        Filesize

        676KB

        Download
      • memory/4120-155-0x0000000004B50000-0x0000000004B62000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4120-154-0x0000000004B50000-0x0000000004B62000-memory.dmp
        Filesize

        72KB

        Download