Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/04/2023, 01:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f7dd19d06031f8a8b52b77721c3216d53e249e58c26fb290e98aa84c9ea5e711.exe

  • Size

    666KB

  • MD5

    bcb8de9e53fa651a77a1104f0420c317

  • SHA1

    9ba2d1ec13ccb53b3dfd27c218a89c1d1b337e64

  • SHA256

    f7dd19d06031f8a8b52b77721c3216d53e249e58c26fb290e98aa84c9ea5e711

  • SHA512

    ebb46d95e9c9a3c85073d28d81897529d29ca89a4e45cdf02b2d91d69a68a29b22da3fe4334660d191428a864015dc561a51779edef19c57ce50d10231e8ade6

  • SSDEEP

    12288:aMrGy90+myg0N6OdJsddju4OviXgHAXNrUvpY/w4vIe+2reOp:AyRwa4OviXgg9rI2wD2rnp

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f7dd19d06031f8a8b52b77721c3216d53e249e58c26fb290e98aa84c9ea5e711.exe
    "C:\Users\Admin\AppData\Local\Temp\f7dd19d06031f8a8b52b77721c3216d53e249e58c26fb290e98aa84c9ea5e711.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3304
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un082371.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un082371.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1120
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2884.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2884.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3788
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 1080
          4⤵
          • Program crash
          PID:2428
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0407.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0407.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2768
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 1328
          4⤵
          • Program crash
          PID:1412
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si345831.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si345831.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2988
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3788 -ip 3788
    1⤵
      PID:2916
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2768 -ip 2768
      1⤵
        PID:2432

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si345831.exe
        Filesize

        176KB

        MD5

        79c77455f002df32fb5ecf8549d6ebf8

        SHA1

        791a93215112411a65b3a4ce651ac073819040fa

        SHA256

        18a6f03c7760ae34810aa01bb9828a28020ccba84e2b000f7bd01b4a72a35461

        SHA512

        e5b527185fee35d92892dffe81007d3d9b7928c7f1d27240098f9fb639ddc1d6c513a2dda484fe476b98e11e77e7120c7eb0670dce3a387437fe7d4a4611e9d7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si345831.exe
        Filesize

        176KB

        MD5

        79c77455f002df32fb5ecf8549d6ebf8

        SHA1

        791a93215112411a65b3a4ce651ac073819040fa

        SHA256

        18a6f03c7760ae34810aa01bb9828a28020ccba84e2b000f7bd01b4a72a35461

        SHA512

        e5b527185fee35d92892dffe81007d3d9b7928c7f1d27240098f9fb639ddc1d6c513a2dda484fe476b98e11e77e7120c7eb0670dce3a387437fe7d4a4611e9d7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un082371.exe
        Filesize

        524KB

        MD5

        ff2c268599a3ee0975c42ee22e07efcf

        SHA1

        b0c1e8fcd80d5d953111c4ed0674b254ac7001b9

        SHA256

        b4e5dbe0a345234aab21163cde531585f6c55e35b0e4d33d0c249b3bafd434de

        SHA512

        4786cb558ffffb548bee46818eb5ba0b2d3d2a78cc52fa879da1291591f6d85965449c15a2afe6f53c0abb860f899c5bd2be626e96ff96bc1f4169831525604a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un082371.exe
        Filesize

        524KB

        MD5

        ff2c268599a3ee0975c42ee22e07efcf

        SHA1

        b0c1e8fcd80d5d953111c4ed0674b254ac7001b9

        SHA256

        b4e5dbe0a345234aab21163cde531585f6c55e35b0e4d33d0c249b3bafd434de

        SHA512

        4786cb558ffffb548bee46818eb5ba0b2d3d2a78cc52fa879da1291591f6d85965449c15a2afe6f53c0abb860f899c5bd2be626e96ff96bc1f4169831525604a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2884.exe
        Filesize

        294KB

        MD5

        f82c074ef1ed4a02767be5a173e6dfb6

        SHA1

        7e2257f1cdd60a3aa30756c8deb1cbd4b9c45826

        SHA256

        10021ca64ec82bd15e75f64c3d1b45e9f4d90abcfe939ecde9c0f48087bf4d76

        SHA512

        3bf322ed01fabf065d4789ab97f30268c1ce1fb9b69eb0eeff9d4d7ab6aa464ef318ed5388d6be548463826c049851458c3c4c0b2b86d2b634c86d667f916854

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2884.exe
        Filesize

        294KB

        MD5

        f82c074ef1ed4a02767be5a173e6dfb6

        SHA1

        7e2257f1cdd60a3aa30756c8deb1cbd4b9c45826

        SHA256

        10021ca64ec82bd15e75f64c3d1b45e9f4d90abcfe939ecde9c0f48087bf4d76

        SHA512

        3bf322ed01fabf065d4789ab97f30268c1ce1fb9b69eb0eeff9d4d7ab6aa464ef318ed5388d6be548463826c049851458c3c4c0b2b86d2b634c86d667f916854

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0407.exe
        Filesize

        352KB

        MD5

        79fc02ff25d2998104346f2f62826810

        SHA1

        c6e5f02638a236d9b86435ef862f40f8e8c09b18

        SHA256

        2223e1416f13c027df7d0e776ef38752233dd95db6896a37846a45b5455297f3

        SHA512

        5cb5f23ee40672321268e0a46c1b2f8fbfbcbf042ab7495b6ac9d9301984ca4a74c856fd8e0d7a302916ad36058347af2f096c5d5d2c99d5bb2d2e67c1cd2362

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0407.exe
        Filesize

        352KB

        MD5

        79fc02ff25d2998104346f2f62826810

        SHA1

        c6e5f02638a236d9b86435ef862f40f8e8c09b18

        SHA256

        2223e1416f13c027df7d0e776ef38752233dd95db6896a37846a45b5455297f3

        SHA512

        5cb5f23ee40672321268e0a46c1b2f8fbfbcbf042ab7495b6ac9d9301984ca4a74c856fd8e0d7a302916ad36058347af2f096c5d5d2c99d5bb2d2e67c1cd2362

        Download Submit

      • memory/2768-1102-0x0000000005BF0000-0x0000000005CFA000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2768-1103-0x0000000005D30000-0x0000000005D42000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2768-1116-0x00000000071E0000-0x0000000007230000-memory.dmp

        Filesize

        320KB

        Download

      • memory/2768-1115-0x0000000007150000-0x00000000071C6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/2768-1114-0x0000000002820000-0x0000000002830000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2768-1113-0x00000000069E0000-0x0000000006F0C000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/2768-1112-0x0000000006800000-0x00000000069C2000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2768-1111-0x0000000002820000-0x0000000002830000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2768-1110-0x0000000002820000-0x0000000002830000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2768-1109-0x0000000002820000-0x0000000002830000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2768-1108-0x0000000006700000-0x0000000006792000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2768-1107-0x0000000006040000-0x00000000060A6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2768-1105-0x0000000002820000-0x0000000002830000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2768-1104-0x0000000005D50000-0x0000000005D8C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/2768-204-0x00000000053A0000-0x00000000053DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2768-1101-0x0000000005550000-0x0000000005B68000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/2768-467-0x0000000002820000-0x0000000002830000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2768-465-0x0000000002820000-0x0000000002830000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2768-463-0x0000000002820000-0x0000000002830000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2768-462-0x0000000002330000-0x000000000237B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/2768-208-0x00000000053A0000-0x00000000053DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2768-222-0x00000000053A0000-0x00000000053DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2768-220-0x00000000053A0000-0x00000000053DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2768-192-0x00000000053A0000-0x00000000053DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2768-191-0x00000000053A0000-0x00000000053DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2768-194-0x00000000053A0000-0x00000000053DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2768-196-0x00000000053A0000-0x00000000053DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2768-198-0x00000000053A0000-0x00000000053DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2768-200-0x00000000053A0000-0x00000000053DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2768-202-0x00000000053A0000-0x00000000053DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2768-218-0x00000000053A0000-0x00000000053DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2768-210-0x00000000053A0000-0x00000000053DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2768-224-0x00000000053A0000-0x00000000053DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2768-206-0x00000000053A0000-0x00000000053DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2768-212-0x00000000053A0000-0x00000000053DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2768-214-0x00000000053A0000-0x00000000053DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2768-216-0x00000000053A0000-0x00000000053DF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2988-1122-0x0000000000540000-0x0000000000572000-memory.dmp

        Filesize

        200KB

        Download

      • memory/2988-1123-0x0000000005160000-0x0000000005170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3788-154-0x0000000004EA0000-0x0000000004EB2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3788-149-0x0000000002410000-0x000000000243D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/3788-184-0x0000000004F00000-0x0000000004F10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3788-183-0x0000000004F00000-0x0000000004F10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3788-182-0x0000000004F00000-0x0000000004F10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3788-181-0x0000000000400000-0x00000000007FE000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/3788-180-0x0000000004EA0000-0x0000000004EB2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3788-150-0x0000000004F00000-0x0000000004F10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3788-178-0x0000000004EA0000-0x0000000004EB2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3788-153-0x0000000004EA0000-0x0000000004EB2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3788-176-0x0000000004EA0000-0x0000000004EB2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3788-186-0x0000000000400000-0x00000000007FE000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/3788-172-0x0000000004EA0000-0x0000000004EB2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3788-166-0x0000000004EA0000-0x0000000004EB2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3788-170-0x0000000004EA0000-0x0000000004EB2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3788-164-0x0000000004EA0000-0x0000000004EB2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3788-162-0x0000000004EA0000-0x0000000004EB2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3788-160-0x0000000004EA0000-0x0000000004EB2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3788-158-0x0000000004EA0000-0x0000000004EB2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3788-156-0x0000000004EA0000-0x0000000004EB2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3788-174-0x0000000004EA0000-0x0000000004EB2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3788-168-0x0000000004EA0000-0x0000000004EB2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3788-148-0x0000000004F10000-0x00000000054B4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3788-152-0x0000000004F00000-0x0000000004F10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3788-151-0x0000000004F00000-0x0000000004F10000-memory.dmp

        Filesize

        64KB

        Download