Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    82s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/04/2023, 07:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    92a49a86e99c02674943b5653a1e435d7fcc64c92b9563f83690019b47f53764.exe

  • Size

    521KB

  • MD5

    37b513dd6ae7c4d06f3ec87cc41670d4

  • SHA1

    56ac7987bd27d1edcbcc4e1bcc09634544ffdbc4

  • SHA256

    92a49a86e99c02674943b5653a1e435d7fcc64c92b9563f83690019b47f53764

  • SHA512

    9b881362825d65c48483232b160258ae0a320f91cf68705a0e0f656341ac2b6d5b431f78103bdc2ed3162f200cb47efb0be62f9bb8eed0ed3a6ba5a8c9c8b77c

  • SSDEEP

    6144:KLy+bnr+ap0yN90QE+JIF8hw91bbJTkggLGqI+4KxmU7lhkg32FR3Be4ppBqqZae:hMrOy90EJCISbb+6qEmmKkgmb3TLnkE

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\92a49a86e99c02674943b5653a1e435d7fcc64c92b9563f83690019b47f53764.exe
    "C:\Users\Admin\AppData\Local\Temp\92a49a86e99c02674943b5653a1e435d7fcc64c92b9563f83690019b47f53764.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1340
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDr7809.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDr7809.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:5076
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr616359.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr616359.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3316
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku411962.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku411962.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4356
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 1340
          4⤵
          • Program crash
          PID:3228
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr616185.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr616185.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3920
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4356 -ip 4356
    1⤵
      PID:4304

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr616185.exe
      Filesize

      176KB

      MD5

      5fd9d6edfee350958e4bf7f76c826726

      SHA1

      5d459b04396a60d811dee9a9cd620a40b3fde75b

      SHA256

      b5947e6c3a93cf285f379204fecfcf66a8ffb0f935d1e6e4762924404a6faad0

      SHA512

      fef01211e660d82175e634106ed761451ac86cc4d743296958bfe8f1ee381d6da4ee53a6aa030d4304f96eeddeb85a7ad5135faf645e5c4149003001a91532fe

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr616185.exe
      Filesize

      176KB

      MD5

      5fd9d6edfee350958e4bf7f76c826726

      SHA1

      5d459b04396a60d811dee9a9cd620a40b3fde75b

      SHA256

      b5947e6c3a93cf285f379204fecfcf66a8ffb0f935d1e6e4762924404a6faad0

      SHA512

      fef01211e660d82175e634106ed761451ac86cc4d743296958bfe8f1ee381d6da4ee53a6aa030d4304f96eeddeb85a7ad5135faf645e5c4149003001a91532fe

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDr7809.exe
      Filesize

      379KB

      MD5

      a9692e6bc6cd2058a2388259eb4773c7

      SHA1

      6a70cbe55675d6a5c54f52084abba0860de2401a

      SHA256

      129a0d786f1e47d2964917ffa20c651ade22decc3422d14c56633b8d3f3ec37e

      SHA512

      c5546daf9d6fbc0642049fa7782da92adfd91866663e4ac8a513ba9c1c949eb211ba378f6b195ede4f1d6ee16b713e604819fa0794f1dfe52032203ccb2f8dfd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDr7809.exe
      Filesize

      379KB

      MD5

      a9692e6bc6cd2058a2388259eb4773c7

      SHA1

      6a70cbe55675d6a5c54f52084abba0860de2401a

      SHA256

      129a0d786f1e47d2964917ffa20c651ade22decc3422d14c56633b8d3f3ec37e

      SHA512

      c5546daf9d6fbc0642049fa7782da92adfd91866663e4ac8a513ba9c1c949eb211ba378f6b195ede4f1d6ee16b713e604819fa0794f1dfe52032203ccb2f8dfd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr616359.exe
      Filesize

      14KB

      MD5

      223c89a3a6a88f4135c5f7df69b73d12

      SHA1

      19b67779153d38859758079fadfbdaa54cc2c785

      SHA256

      75ea7b1a58b87ca5e1749e4e99fbfa7a940b11a9d6d9761bc69a2bd8e08c5203

      SHA512

      7f5446a5295c41c5ebeed7d186c8e530b090196f3e4d1be40985d36c85b16d68dcb2e06c986fe5fd71175aa3f454b622752563f4cb46f2e8719d338d4626a5a2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr616359.exe
      Filesize

      14KB

      MD5

      223c89a3a6a88f4135c5f7df69b73d12

      SHA1

      19b67779153d38859758079fadfbdaa54cc2c785

      SHA256

      75ea7b1a58b87ca5e1749e4e99fbfa7a940b11a9d6d9761bc69a2bd8e08c5203

      SHA512

      7f5446a5295c41c5ebeed7d186c8e530b090196f3e4d1be40985d36c85b16d68dcb2e06c986fe5fd71175aa3f454b622752563f4cb46f2e8719d338d4626a5a2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku411962.exe
      Filesize

      295KB

      MD5

      e679b79129843bb0094c28b554e64714

      SHA1

      34674ea53aa396c859cb6afba7cb3054ccfaf100

      SHA256

      1d8ded3811a8c0c58c99c3ebf374dbd6bbb84550c9ee9f9cced829a3bb8f63a5

      SHA512

      d56757ebb6d2daad7bbdcd7cf0774c42c37d5f8294d8f498458f21792c3913cd11036abe81895358a62b41127a8a9bda1a9a37aeb2903778fa620150fe439ac9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku411962.exe
      Filesize

      295KB

      MD5

      e679b79129843bb0094c28b554e64714

      SHA1

      34674ea53aa396c859cb6afba7cb3054ccfaf100

      SHA256

      1d8ded3811a8c0c58c99c3ebf374dbd6bbb84550c9ee9f9cced829a3bb8f63a5

      SHA512

      d56757ebb6d2daad7bbdcd7cf0774c42c37d5f8294d8f498458f21792c3913cd11036abe81895358a62b41127a8a9bda1a9a37aeb2903778fa620150fe439ac9

      Download Submit

    • memory/3316-147-0x00000000009C0000-0x00000000009CA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3920-1085-0x00000000007F0000-0x0000000000822000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3920-1086-0x00000000050E0000-0x00000000050F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4356-189-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4356-201-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4356-155-0x0000000004B00000-0x0000000004B10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4356-156-0x0000000004B00000-0x0000000004B10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4356-157-0x0000000004B00000-0x0000000004B10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4356-158-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4356-159-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4356-161-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4356-163-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4356-165-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4356-167-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4356-169-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4356-171-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4356-173-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4356-175-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4356-177-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4356-179-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4356-181-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4356-183-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4356-185-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4356-187-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4356-153-0x0000000004B10000-0x00000000050B4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4356-191-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4356-193-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4356-195-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4356-197-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4356-199-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4356-154-0x00000000020F0000-0x000000000213B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4356-203-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4356-205-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4356-207-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4356-209-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4356-211-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4356-213-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4356-215-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4356-217-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4356-219-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4356-221-0x0000000004A90000-0x0000000004ACF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/4356-1064-0x0000000005200000-0x0000000005818000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4356-1065-0x00000000058A0000-0x00000000059AA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4356-1066-0x00000000059E0000-0x00000000059F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4356-1067-0x0000000004B00000-0x0000000004B10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4356-1068-0x0000000005A00000-0x0000000005A3C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4356-1070-0x0000000005CF0000-0x0000000005D56000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4356-1071-0x00000000063B0000-0x0000000006442000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4356-1072-0x0000000004B00000-0x0000000004B10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4356-1073-0x0000000004B00000-0x0000000004B10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4356-1074-0x0000000004B00000-0x0000000004B10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4356-1075-0x0000000004B00000-0x0000000004B10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4356-1076-0x00000000066F0000-0x0000000006766000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4356-1077-0x0000000006790000-0x00000000067E0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4356-1078-0x0000000006810000-0x00000000069D2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4356-1079-0x00000000069E0000-0x0000000006F0C000-memory.dmp

      Filesize

      5.2MB

      Download