Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2023 13:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dad8be73cb1576ce3132a60a8a12a8b100432ac4e92417c9ed99f0f1a2106015.exe

  • Size

    658KB

  • MD5

    5358cec708bb0d674158b1dc6466baf5

  • SHA1

    426dc82b6a30d1fb4b6c1e1471e60dce2381cb2a

  • SHA256

    dad8be73cb1576ce3132a60a8a12a8b100432ac4e92417c9ed99f0f1a2106015

  • SHA512

    854a86b053e1fd28a536d6c6d7a9c1fd679957df360e057f891a60a59cd89edc549426a93fd281edade4ec815f2414a26236c43e4d7d792fc53ed42985459fb9

  • SSDEEP

    12288:oMr6y90S9jkZ7syDooLVF4fHW+QxM9ohUgt8msqCKNjyjpU0j8RUgcwew2rW:yyDFM7L74nUztdjyBaUXwek

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 19 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dad8be73cb1576ce3132a60a8a12a8b100432ac4e92417c9ed99f0f1a2106015.exe
    "C:\Users\Admin\AppData\Local\Temp\dad8be73cb1576ce3132a60a8a12a8b100432ac4e92417c9ed99f0f1a2106015.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un252004.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un252004.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4776
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5734.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5734.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2416
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 1080
          4⤵
          • Program crash
          PID:1284
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1187.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1187.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2592
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 1096
          4⤵
          • Program crash
          PID:2364
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si352052.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si352052.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3560
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2416 -ip 2416
    1⤵
      PID:3176
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2592 -ip 2592
      1⤵
        PID:2040

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si352052.exe
        Filesize

        175KB

        MD5

        bb6d43fa4ebafe62b98ec4dea4ff49d9

        SHA1

        d8188e664ac977f59d3ec26589e3cf67b1fab23b

        SHA256

        1d1cdf01afc38fc6784a41fe8aa2f308ec44606d2d16c4edd9445813af33fe89

        SHA512

        679a0e394c5751020c38ceaba6a1bd1a33c558b8c9142fc796fa3570baa0ac082d099891451fde50249e165625b9738ead7321dccf2b2da567f3f7e3d4ee4644

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si352052.exe
        Filesize

        175KB

        MD5

        bb6d43fa4ebafe62b98ec4dea4ff49d9

        SHA1

        d8188e664ac977f59d3ec26589e3cf67b1fab23b

        SHA256

        1d1cdf01afc38fc6784a41fe8aa2f308ec44606d2d16c4edd9445813af33fe89

        SHA512

        679a0e394c5751020c38ceaba6a1bd1a33c558b8c9142fc796fa3570baa0ac082d099891451fde50249e165625b9738ead7321dccf2b2da567f3f7e3d4ee4644

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un252004.exe
        Filesize

        516KB

        MD5

        2bba071fdf6ed3579048362816027564

        SHA1

        50349eb8152407b56ffae879d0436d90df6242ba

        SHA256

        daee381528b7e1896869dd8e5240613ad6a234f667120c9bb2ccae26fcbae278

        SHA512

        c6f99f5f627fd3d52f0e5ff68d4690504a6b0dbb75337eff0119fe4645aa7a46864719bc39bc8d9f902778bd713b0ccaad310af8cae1df7d12624dcdd62950ba

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un252004.exe
        Filesize

        516KB

        MD5

        2bba071fdf6ed3579048362816027564

        SHA1

        50349eb8152407b56ffae879d0436d90df6242ba

        SHA256

        daee381528b7e1896869dd8e5240613ad6a234f667120c9bb2ccae26fcbae278

        SHA512

        c6f99f5f627fd3d52f0e5ff68d4690504a6b0dbb75337eff0119fe4645aa7a46864719bc39bc8d9f902778bd713b0ccaad310af8cae1df7d12624dcdd62950ba

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5734.exe
        Filesize

        236KB

        MD5

        953fbde73a2b92414bd6002c858a4ba2

        SHA1

        971c931969fba8289e255e87c98568f26180b7fb

        SHA256

        c95c5763e884b8f65f7916fb286e187e53fc9f384952e9382f26a008e5112536

        SHA512

        2c64024ac6fb5f1cf870cb1766f5927c2ed69733fcdb0ce9ab33b10b85c25aa5b6bf5b1550cd8ce291962d8d4e51471874a9a398d145e231fca429e055930e4b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5734.exe
        Filesize

        236KB

        MD5

        953fbde73a2b92414bd6002c858a4ba2

        SHA1

        971c931969fba8289e255e87c98568f26180b7fb

        SHA256

        c95c5763e884b8f65f7916fb286e187e53fc9f384952e9382f26a008e5112536

        SHA512

        2c64024ac6fb5f1cf870cb1766f5927c2ed69733fcdb0ce9ab33b10b85c25aa5b6bf5b1550cd8ce291962d8d4e51471874a9a398d145e231fca429e055930e4b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1187.exe
        Filesize

        294KB

        MD5

        ccfda434c43f6801067b1263783c5bbc

        SHA1

        5d991425b3d1ba6ef4a5fa0948011a313f44e315

        SHA256

        bb50b78a196d8e9d48be0623e621109d2992b9e9e87551cc179de74f1218a8ac

        SHA512

        0e90024047b3ed84bad70e8ff92568cab89119b6500f42c4745679b865e43514758dc47cc85b08266c9226800050b011ceba9879727b77e7adfb9e7f2a57f3d1

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1187.exe
        Filesize

        294KB

        MD5

        ccfda434c43f6801067b1263783c5bbc

        SHA1

        5d991425b3d1ba6ef4a5fa0948011a313f44e315

        SHA256

        bb50b78a196d8e9d48be0623e621109d2992b9e9e87551cc179de74f1218a8ac

        SHA512

        0e90024047b3ed84bad70e8ff92568cab89119b6500f42c4745679b865e43514758dc47cc85b08266c9226800050b011ceba9879727b77e7adfb9e7f2a57f3d1

        Download Submit

      • memory/2416-148-0x00000000005C0000-0x00000000005ED000-memory.dmp

        Filesize

        180KB

        Download

      • memory/2416-149-0x0000000004CF0000-0x0000000004D00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2416-150-0x0000000004D00000-0x00000000052A4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2416-151-0x0000000002400000-0x0000000002412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2416-152-0x0000000002400000-0x0000000002412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2416-154-0x0000000002400000-0x0000000002412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2416-156-0x0000000002400000-0x0000000002412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2416-158-0x0000000002400000-0x0000000002412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2416-160-0x0000000002400000-0x0000000002412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2416-162-0x0000000002400000-0x0000000002412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2416-164-0x0000000002400000-0x0000000002412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2416-166-0x0000000002400000-0x0000000002412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2416-168-0x0000000002400000-0x0000000002412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2416-170-0x0000000002400000-0x0000000002412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2416-172-0x0000000002400000-0x0000000002412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2416-174-0x0000000002400000-0x0000000002412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2416-176-0x0000000002400000-0x0000000002412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2416-178-0x0000000002400000-0x0000000002412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2416-179-0x0000000004CF0000-0x0000000004D00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2416-180-0x0000000004CF0000-0x0000000004D00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2416-181-0x0000000000400000-0x00000000004AA000-memory.dmp

        Filesize

        680KB

        Download

      • memory/2416-182-0x0000000004CF0000-0x0000000004D00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2416-184-0x0000000004CF0000-0x0000000004D00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2416-185-0x0000000004CF0000-0x0000000004D00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2416-186-0x0000000000400000-0x00000000004AA000-memory.dmp

        Filesize

        680KB

        Download

      • memory/2592-191-0x0000000004A70000-0x0000000004AAF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2592-192-0x0000000004A70000-0x0000000004AAF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2592-194-0x0000000004A70000-0x0000000004AAF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2592-196-0x0000000004A70000-0x0000000004AAF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2592-198-0x0000000004A70000-0x0000000004AAF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2592-200-0x0000000004A70000-0x0000000004AAF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2592-202-0x0000000004A70000-0x0000000004AAF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2592-204-0x0000000004A70000-0x0000000004AAF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2592-206-0x0000000004A70000-0x0000000004AAF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2592-208-0x0000000004A70000-0x0000000004AAF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2592-210-0x0000000004A70000-0x0000000004AAF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2592-212-0x0000000004A70000-0x0000000004AAF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2592-214-0x0000000004A70000-0x0000000004AAF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2592-216-0x0000000004A70000-0x0000000004AAF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2592-218-0x0000000004A70000-0x0000000004AAF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2592-220-0x0000000004A70000-0x0000000004AAF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2592-222-0x0000000004A70000-0x0000000004AAF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2592-224-0x0000000004A70000-0x0000000004AAF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2592-388-0x0000000002160000-0x00000000021AB000-memory.dmp

        Filesize

        300KB

        Download

      • memory/2592-393-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2592-391-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2592-1100-0x0000000005200000-0x0000000005818000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/2592-1101-0x00000000058A0000-0x00000000059AA000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2592-1102-0x00000000059E0000-0x00000000059F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2592-1103-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2592-1104-0x0000000005A00000-0x0000000005A3C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/2592-1105-0x0000000005CF0000-0x0000000005D82000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2592-1106-0x0000000005D90000-0x0000000005DF6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2592-1108-0x00000000065A0000-0x0000000006616000-memory.dmp

        Filesize

        472KB

        Download

      • memory/2592-1110-0x0000000006620000-0x0000000006670000-memory.dmp

        Filesize

        320KB

        Download

      • memory/2592-1111-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2592-1109-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2592-1112-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2592-1113-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2592-1114-0x00000000066D0000-0x0000000006892000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2592-1115-0x00000000068A0000-0x0000000006DCC000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3560-1121-0x0000000000B30000-0x0000000000B62000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3560-1122-0x0000000005500000-0x0000000005510000-memory.dmp

        Filesize

        64KB

        Download