Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    68s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/04/2023, 04:26

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    c22ec999c86e2bb35782a82b70fd9750666272175974b921b9c1c4d6cd1dc91f.exe

  • Size

    537KB

  • MD5

    d6e177a1a2724bc1c6bcf5647cc569e5

  • SHA1

    cdcd49d9833e10a72ab27416071d509447c3eb8c

  • SHA256

    c22ec999c86e2bb35782a82b70fd9750666272175974b921b9c1c4d6cd1dc91f

  • SHA512

    ff2f5ddceba27fca53a4011f9f77b806e2a1b1e3e619dedbc5e99c13c928e4b83d651b4e5063a0c586fa02188b2cd4cec30b0061b86699d39c2959bf03036e79

  • SSDEEP

    12288:/Mrwy902/FPQ9u0zOxEoPVfN6rUeMHYwCpdWp6:zy69u0zoDN6rc4wYA0

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 34 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c22ec999c86e2bb35782a82b70fd9750666272175974b921b9c1c4d6cd1dc91f.exe
    "C:\Users\Admin\AppData\Local\Temp\c22ec999c86e2bb35782a82b70fd9750666272175974b921b9c1c4d6cd1dc91f.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4876
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqI2044.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqI2044.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1788
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr121599.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr121599.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2108
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku147641.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku147641.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:624
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 1348
          4⤵
          • Program crash
          PID:3112
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr486414.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr486414.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3520
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 624 -ip 624
    1⤵
      PID:1068

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr486414.exe
            Filesize

            176KB

            MD5

            233a3fd8865defd8064ff80d1ae6169a

            SHA1

            3847aebcfbf7d81bddaa179cb68368ba6abbbe3f

            SHA256

            30e2b35167b2f5195615cc8781381d256f9089ff900786377c1760c0761474db

            SHA512

            904327e1e2b48cf627951b7f95c1dae4d39406f7b10099df75c04ea436086f6131f46ebc9855ade23381a5007f1763aaa6da3bb97814dee7a0713bab07ae996a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr486414.exe
            Filesize

            176KB

            MD5

            233a3fd8865defd8064ff80d1ae6169a

            SHA1

            3847aebcfbf7d81bddaa179cb68368ba6abbbe3f

            SHA256

            30e2b35167b2f5195615cc8781381d256f9089ff900786377c1760c0761474db

            SHA512

            904327e1e2b48cf627951b7f95c1dae4d39406f7b10099df75c04ea436086f6131f46ebc9855ade23381a5007f1763aaa6da3bb97814dee7a0713bab07ae996a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqI2044.exe
            Filesize

            395KB

            MD5

            a3007383a2ad0c5490f47612079ddebc

            SHA1

            56836afaf78024c5a064f8a51cdf4cd8dfb13607

            SHA256

            592dc3fb7673cb49a1b7b37012d46a9e6900f0c72723b600b004af60f3beaee5

            SHA512

            03098ba07a47b055e18ecf554088c8b194e14d3bc3bd9d2edc4242286e890ce0b044c9c9ef6c2921fabfde7daeec7d8e42c85eb6f1b3d31f15ed1cb51a23521f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziqI2044.exe
            Filesize

            395KB

            MD5

            a3007383a2ad0c5490f47612079ddebc

            SHA1

            56836afaf78024c5a064f8a51cdf4cd8dfb13607

            SHA256

            592dc3fb7673cb49a1b7b37012d46a9e6900f0c72723b600b004af60f3beaee5

            SHA512

            03098ba07a47b055e18ecf554088c8b194e14d3bc3bd9d2edc4242286e890ce0b044c9c9ef6c2921fabfde7daeec7d8e42c85eb6f1b3d31f15ed1cb51a23521f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr121599.exe
            Filesize

            14KB

            MD5

            909234e4f2017f6a0bc7fa2d957f2c0e

            SHA1

            36627450019ea850097dfb8b45b23d9d18dc433b

            SHA256

            6874defdde72f2a084b1fb4ffe54befdc1f9a267833ce63c5c3455d72b8d624c

            SHA512

            4eb9dfadf36ac96686c17150b34d1edeaa99d1b12cb2006f6417b30e3bd83d3c43b75026e167c586e33cf5cfaf01d3105cf2b56b97a20c4b6a1416ca7dd418bb

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr121599.exe
            Filesize

            14KB

            MD5

            909234e4f2017f6a0bc7fa2d957f2c0e

            SHA1

            36627450019ea850097dfb8b45b23d9d18dc433b

            SHA256

            6874defdde72f2a084b1fb4ffe54befdc1f9a267833ce63c5c3455d72b8d624c

            SHA512

            4eb9dfadf36ac96686c17150b34d1edeaa99d1b12cb2006f6417b30e3bd83d3c43b75026e167c586e33cf5cfaf01d3105cf2b56b97a20c4b6a1416ca7dd418bb

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku147641.exe
            Filesize

            352KB

            MD5

            5cb064fd15f3fb0c1b5539c202a94afd

            SHA1

            3b95fb16ebf03367deaef8cf5d9eae27e237dd9b

            SHA256

            b9da3b4eafcc5e760a47056f034ba8f02ba2534f32ff1c8499e18910d0e02873

            SHA512

            4eff799850fdf3188155f070214b98707a4229760cd004bef81e073e9181954e8f19a05ee70d5556bdaafcd01c07a890bb5f3acaa27cb4ba8ed93f03791de3bd

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku147641.exe
            Filesize

            352KB

            MD5

            5cb064fd15f3fb0c1b5539c202a94afd

            SHA1

            3b95fb16ebf03367deaef8cf5d9eae27e237dd9b

            SHA256

            b9da3b4eafcc5e760a47056f034ba8f02ba2534f32ff1c8499e18910d0e02873

            SHA512

            4eff799850fdf3188155f070214b98707a4229760cd004bef81e073e9181954e8f19a05ee70d5556bdaafcd01c07a890bb5f3acaa27cb4ba8ed93f03791de3bd

            Download Submit

          • memory/624-153-0x0000000000990000-0x00000000009DB000-memory.dmp

            Filesize

            300KB

            Download

          • memory/624-154-0x0000000004E20000-0x00000000053C4000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/624-155-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/624-156-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/624-158-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/624-160-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/624-162-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/624-164-0x0000000004E10000-0x0000000004E20000-memory.dmp

            Filesize

            64KB

            Download

          • memory/624-165-0x0000000004E10000-0x0000000004E20000-memory.dmp

            Filesize

            64KB

            Download

          • memory/624-167-0x0000000004E10000-0x0000000004E20000-memory.dmp

            Filesize

            64KB

            Download

          • memory/624-166-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/624-169-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/624-173-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/624-171-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/624-175-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/624-177-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/624-179-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/624-181-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/624-183-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/624-185-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/624-187-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/624-189-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/624-191-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/624-193-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/624-195-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/624-197-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/624-199-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/624-201-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/624-203-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/624-205-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/624-207-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/624-209-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/624-211-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/624-213-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/624-215-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/624-219-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/624-221-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/624-217-0x0000000004DC0000-0x0000000004DFF000-memory.dmp

            Filesize

            252KB

            Download

          • memory/624-1064-0x0000000005410000-0x0000000005A28000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/624-1065-0x0000000005AB0000-0x0000000005BBA000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/624-1066-0x0000000005BF0000-0x0000000005C02000-memory.dmp

            Filesize

            72KB

            Download

          • memory/624-1067-0x0000000005C10000-0x0000000005C4C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/624-1068-0x0000000004E10000-0x0000000004E20000-memory.dmp

            Filesize

            64KB

            Download

          • memory/624-1070-0x0000000005F00000-0x0000000005F92000-memory.dmp

            Filesize

            584KB

            Download

          • memory/624-1071-0x0000000005FA0000-0x0000000006006000-memory.dmp

            Filesize

            408KB

            Download

          • memory/624-1072-0x0000000004E10000-0x0000000004E20000-memory.dmp

            Filesize

            64KB

            Download

          • memory/624-1073-0x0000000004E10000-0x0000000004E20000-memory.dmp

            Filesize

            64KB

            Download

          • memory/624-1074-0x00000000067A0000-0x0000000006816000-memory.dmp

            Filesize

            472KB

            Download

          • memory/624-1075-0x0000000006830000-0x0000000006880000-memory.dmp

            Filesize

            320KB

            Download

          • memory/624-1076-0x0000000006AB0000-0x0000000006C72000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/624-1077-0x0000000004E10000-0x0000000004E20000-memory.dmp

            Filesize

            64KB

            Download

          • memory/624-1078-0x0000000006C90000-0x00000000071BC000-memory.dmp

            Filesize

            5.2MB

            Download

          • memory/2108-147-0x0000000000780000-0x000000000078A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/3520-1084-0x0000000000730000-0x0000000000762000-memory.dmp

            Filesize

            200KB

            Download

          • memory/3520-1085-0x0000000005040000-0x0000000005050000-memory.dmp

            Filesize

            64KB

            Download