Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    63s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/04/2023, 03:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    76a941f0443ce5e1e048068f73f5fe7be14950468f5caa8def5c01bdf2ddca6b.exe

  • Size

    538KB

  • MD5

    ea7bd5ee554b36087e987347ac9b5041

  • SHA1

    f9f5212979a3a69dea340466f8281b73a2097470

  • SHA256

    76a941f0443ce5e1e048068f73f5fe7be14950468f5caa8def5c01bdf2ddca6b

  • SHA512

    cce84f604b2acd6a036a20bbb1fdce91b38d49aaf78d0a546e3b1b88ffa1ed17f8bfa72a331fe5294062e9761f9904631f888221ba932ee03038b9f28e53fa6f

  • SSDEEP

    12288:uMrcy90FAHp7NB4PjerUyaHTwW54beitgnVhNM:OymAl4berIzwWNC

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\76a941f0443ce5e1e048068f73f5fe7be14950468f5caa8def5c01bdf2ddca6b.exe
    "C:\Users\Admin\AppData\Local\Temp\76a941f0443ce5e1e048068f73f5fe7be14950468f5caa8def5c01bdf2ddca6b.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibA5955.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibA5955.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:332
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr828524.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr828524.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4128
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku429007.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku429007.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2288
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 1204
          4⤵
          • Program crash
          PID:1892
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr167969.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr167969.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4656
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2288 -ip 2288
    1⤵
      PID:4704

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr167969.exe
      Filesize

      176KB

      MD5

      17c056d13f71188386aa2ca4bab52a36

      SHA1

      43b4d0dc47c4cf15ac83cd1be6f18d99e07bf886

      SHA256

      9dcd247d1c519bc953cb0b465e3adeb76fcd0657b286e3c6f09b6202d64b16e7

      SHA512

      08174cfd9a39dfe5786dee253c46c1ea926362056093e834eecdcd6751d79f54549cad2826b3c28aa470b66c96a913e0a169b5cd265ad1053e1dceb8a5ae523f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr167969.exe
      Filesize

      176KB

      MD5

      17c056d13f71188386aa2ca4bab52a36

      SHA1

      43b4d0dc47c4cf15ac83cd1be6f18d99e07bf886

      SHA256

      9dcd247d1c519bc953cb0b465e3adeb76fcd0657b286e3c6f09b6202d64b16e7

      SHA512

      08174cfd9a39dfe5786dee253c46c1ea926362056093e834eecdcd6751d79f54549cad2826b3c28aa470b66c96a913e0a169b5cd265ad1053e1dceb8a5ae523f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibA5955.exe
      Filesize

      395KB

      MD5

      9c28aa0051abb85cf83b75f5229c3cef

      SHA1

      1c9efd77c131dda8c78d5600c7526f5cdda40bbd

      SHA256

      1173d4b35958125e3996b13dd3f639cdd66976ca2bf04a1cad9cf0a7f3dcb2a2

      SHA512

      de037c2c24c40e1f8c6f850c1d137074790cb9da4b816d2c03d4304eab16ad115fa47d572db1bab11c211da62215a60fc3dd36a959aac97fd0b4dcc967c8cd64

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibA5955.exe
      Filesize

      395KB

      MD5

      9c28aa0051abb85cf83b75f5229c3cef

      SHA1

      1c9efd77c131dda8c78d5600c7526f5cdda40bbd

      SHA256

      1173d4b35958125e3996b13dd3f639cdd66976ca2bf04a1cad9cf0a7f3dcb2a2

      SHA512

      de037c2c24c40e1f8c6f850c1d137074790cb9da4b816d2c03d4304eab16ad115fa47d572db1bab11c211da62215a60fc3dd36a959aac97fd0b4dcc967c8cd64

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr828524.exe
      Filesize

      14KB

      MD5

      2ff4786e9fb7dfa887d20cab88e10bde

      SHA1

      2443e17062e30eac4234d6f869380ffc222cfe97

      SHA256

      910e8893fc239f0c54dce8019cc2a56f6628a989301f364d2fe2121d200caa4b

      SHA512

      2feeb06984c83885757feea2fac5b96ba1ef05db0c9149c744b222fb3030577c49559c06f9765c99b8534a61f6881f16b26c0da884e4bab4eb3e9898f2d5bc3d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr828524.exe
      Filesize

      14KB

      MD5

      2ff4786e9fb7dfa887d20cab88e10bde

      SHA1

      2443e17062e30eac4234d6f869380ffc222cfe97

      SHA256

      910e8893fc239f0c54dce8019cc2a56f6628a989301f364d2fe2121d200caa4b

      SHA512

      2feeb06984c83885757feea2fac5b96ba1ef05db0c9149c744b222fb3030577c49559c06f9765c99b8534a61f6881f16b26c0da884e4bab4eb3e9898f2d5bc3d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku429007.exe
      Filesize

      352KB

      MD5

      11ce895ab16d9896b8ad41a3bbf7cf8e

      SHA1

      862449c61d74144a4c1dfbe83479527facc998e8

      SHA256

      db8474b72a37af660d1b70eba3726720d883ee66ccec712614ca478d250b4845

      SHA512

      67f2e6899e3ce7947c754d7b4a1354234fe4402661a61deab686cd720e0e8308a31429949ccc5771ba482309bccd8b9993ed4f86588e54b8b74117c306d25a03

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku429007.exe
      Filesize

      352KB

      MD5

      11ce895ab16d9896b8ad41a3bbf7cf8e

      SHA1

      862449c61d74144a4c1dfbe83479527facc998e8

      SHA256

      db8474b72a37af660d1b70eba3726720d883ee66ccec712614ca478d250b4845

      SHA512

      67f2e6899e3ce7947c754d7b4a1354234fe4402661a61deab686cd720e0e8308a31429949ccc5771ba482309bccd8b9993ed4f86588e54b8b74117c306d25a03

      Download Submit

    • memory/2288-153-0x0000000005070000-0x0000000005614000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2288-154-0x0000000000970000-0x00000000009BB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2288-156-0x0000000005060000-0x0000000005070000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2288-155-0x0000000005060000-0x0000000005070000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2288-157-0x0000000005060000-0x0000000005070000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2288-158-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2288-159-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2288-161-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2288-163-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2288-165-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2288-167-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2288-169-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2288-171-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2288-173-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2288-175-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2288-177-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2288-179-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2288-181-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2288-183-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2288-185-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2288-187-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2288-189-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2288-191-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2288-193-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2288-195-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2288-197-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2288-199-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2288-201-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2288-203-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2288-205-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2288-207-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2288-209-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2288-211-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2288-213-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2288-215-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2288-217-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2288-219-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2288-221-0x0000000002970000-0x00000000029AF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2288-1064-0x0000000005620000-0x0000000005C38000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2288-1065-0x0000000005C40000-0x0000000005D4A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2288-1066-0x0000000005040000-0x0000000005052000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2288-1067-0x0000000005D50000-0x0000000005D8C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2288-1068-0x0000000005060000-0x0000000005070000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2288-1070-0x0000000006040000-0x00000000060D2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2288-1071-0x00000000060E0000-0x0000000006146000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2288-1073-0x0000000005060000-0x0000000005070000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2288-1072-0x0000000005060000-0x0000000005070000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2288-1074-0x0000000005060000-0x0000000005070000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2288-1075-0x00000000067E0000-0x0000000006856000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2288-1076-0x0000000006870000-0x00000000068C0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/2288-1077-0x00000000069F0000-0x0000000006BB2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2288-1078-0x0000000006BC0000-0x00000000070EC000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/2288-1079-0x0000000005060000-0x0000000005070000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4128-147-0x00000000007B0000-0x00000000007BA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4656-1085-0x0000000000EA0000-0x0000000000ED2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4656-1086-0x0000000005BF0000-0x0000000005C00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4656-1087-0x0000000005BF0000-0x0000000005C00000-memory.dmp

      Filesize

      64KB

      Download