Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    59s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2023 18:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7e44d182f5eaf84abfd25a600d3566c836db308172c1bbcaf96ecfa11230d1cf.exe

  • Size

    522KB

  • MD5

    718c0fbb4951cc347d9358e3983a2fa2

  • SHA1

    5be3d5f474dbad2eabfc498b910142a3b6270dbc

  • SHA256

    7e44d182f5eaf84abfd25a600d3566c836db308172c1bbcaf96ecfa11230d1cf

  • SHA512

    c4ec76aa0d98e93168befa0108bf1619d97ad4aa7d780ceb6031a6af6839a2cbe8e6ef6cf966eee1498aeb103035177c2b6f7fd135c587d17bf3674857dc1dda

  • SSDEEP

    12288:KMrJy90E7DwMNCz0c0McyI9/6m+trhVuCy9kqb86N5Uhd:LydITT0McyI9/s/uCrm58d

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7e44d182f5eaf84abfd25a600d3566c836db308172c1bbcaf96ecfa11230d1cf.exe
    "C:\Users\Admin\AppData\Local\Temp\7e44d182f5eaf84abfd25a600d3566c836db308172c1bbcaf96ecfa11230d1cf.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1404
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIw9543.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIw9543.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1136
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr416650.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr416650.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4480
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku630268.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku630268.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5016
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 1356
          4⤵
          • Program crash
          PID:576
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr772207.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr772207.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3664
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 5016 -ip 5016
    1⤵
      PID:1348

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr772207.exe
      Filesize

      175KB

      MD5

      8ca055fb43e5f33226084ebf069050b4

      SHA1

      f7e670095d289388122a4a35fa1a4af66d3d0596

      SHA256

      71836eb153fbfc74365ac45131cbb85e44db840dc0fe96537020075f5b2acbcb

      SHA512

      3538b18fb1997c3943ee37b5947666413fff303657a7a398d302c9b4ba0fbc531b5507cfc87dd1446b204595605862e72efef8328504c99449a95864d67919b6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr772207.exe
      Filesize

      175KB

      MD5

      8ca055fb43e5f33226084ebf069050b4

      SHA1

      f7e670095d289388122a4a35fa1a4af66d3d0596

      SHA256

      71836eb153fbfc74365ac45131cbb85e44db840dc0fe96537020075f5b2acbcb

      SHA512

      3538b18fb1997c3943ee37b5947666413fff303657a7a398d302c9b4ba0fbc531b5507cfc87dd1446b204595605862e72efef8328504c99449a95864d67919b6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIw9543.exe
      Filesize

      380KB

      MD5

      d6b9c554ff1e264875303751137b1308

      SHA1

      c320e7cfbd8086fc08f74838b3dec04ba67e3749

      SHA256

      a5b42d3b2dbcd81623a8bbe3450474dbbe3c34f25e3dedb793861e1392cf49c0

      SHA512

      ab272543188700915caacd3c6ec2976b6e4b1b28deb018da2aae6cb7fc8a4acce055b0ab4da2430f239e3257760bc75dd63c11b38e701b0aa0e3086336b67f32

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziIw9543.exe
      Filesize

      380KB

      MD5

      d6b9c554ff1e264875303751137b1308

      SHA1

      c320e7cfbd8086fc08f74838b3dec04ba67e3749

      SHA256

      a5b42d3b2dbcd81623a8bbe3450474dbbe3c34f25e3dedb793861e1392cf49c0

      SHA512

      ab272543188700915caacd3c6ec2976b6e4b1b28deb018da2aae6cb7fc8a4acce055b0ab4da2430f239e3257760bc75dd63c11b38e701b0aa0e3086336b67f32

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr416650.exe
      Filesize

      11KB

      MD5

      6636ec7aa9b2d3187ccfd61add9d8215

      SHA1

      1bdb29ac65279fb8f91ad3533452ddc4abf0b3c8

      SHA256

      09453b3ce01f930d0f2e73564c1c269b2995a5a8322f1a846013a97d4f90be8b

      SHA512

      826a0b8fa185aac5231d2156170f2a5e1e4f496f11e2d3d88c717d34d5fbad2fa423bbf51bc32340de8e914b9a9662ecdd6512d592821f64f8c8ee584bb49cb5

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr416650.exe
      Filesize

      11KB

      MD5

      6636ec7aa9b2d3187ccfd61add9d8215

      SHA1

      1bdb29ac65279fb8f91ad3533452ddc4abf0b3c8

      SHA256

      09453b3ce01f930d0f2e73564c1c269b2995a5a8322f1a846013a97d4f90be8b

      SHA512

      826a0b8fa185aac5231d2156170f2a5e1e4f496f11e2d3d88c717d34d5fbad2fa423bbf51bc32340de8e914b9a9662ecdd6512d592821f64f8c8ee584bb49cb5

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku630268.exe
      Filesize

      294KB

      MD5

      ad297e24efc661795e90ae4eb48535ad

      SHA1

      4921b63dff673a91c45ef7af5f02e0c0d2aed334

      SHA256

      e085e7471cd8058e3133949382b65bd776246d4a6e69f33e4ad8a7a096cecaaf

      SHA512

      1e47bac59cd777e06f068014e64bc0a0c6f069f83dea75d734896f441aad9c588455edc14fa4a00ca7d4842cd92fbc90f90fb2c596444e314cdba516ddef111b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku630268.exe
      Filesize

      294KB

      MD5

      ad297e24efc661795e90ae4eb48535ad

      SHA1

      4921b63dff673a91c45ef7af5f02e0c0d2aed334

      SHA256

      e085e7471cd8058e3133949382b65bd776246d4a6e69f33e4ad8a7a096cecaaf

      SHA512

      1e47bac59cd777e06f068014e64bc0a0c6f069f83dea75d734896f441aad9c588455edc14fa4a00ca7d4842cd92fbc90f90fb2c596444e314cdba516ddef111b

      Download Submit
    • memory/3664-1085-0x0000000000960000-0x0000000000992000-memory.dmp
      Filesize

      200KB

      Download
    • memory/3664-1086-0x00000000051F0000-0x0000000005200000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3664-1087-0x00000000051F0000-0x0000000005200000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4480-147-0x0000000000C30000-0x0000000000C3A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/5016-189-0x0000000002480000-0x00000000024BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5016-203-0x0000000002480000-0x00000000024BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5016-156-0x0000000004C60000-0x0000000005204000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/5016-157-0x0000000002480000-0x00000000024BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5016-158-0x0000000002480000-0x00000000024BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5016-160-0x0000000002480000-0x00000000024BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5016-162-0x0000000002480000-0x00000000024BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5016-164-0x0000000002480000-0x00000000024BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5016-166-0x0000000002480000-0x00000000024BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5016-168-0x0000000002480000-0x00000000024BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5016-170-0x0000000002480000-0x00000000024BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5016-172-0x0000000002480000-0x00000000024BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5016-174-0x0000000002480000-0x00000000024BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5016-176-0x0000000002480000-0x00000000024BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5016-178-0x0000000002480000-0x00000000024BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5016-180-0x0000000002480000-0x00000000024BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5016-182-0x0000000002480000-0x00000000024BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5016-184-0x0000000004C50000-0x0000000004C60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5016-185-0x0000000002480000-0x00000000024BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5016-187-0x0000000002480000-0x00000000024BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5016-154-0x0000000004C50000-0x0000000004C60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5016-191-0x0000000002480000-0x00000000024BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5016-193-0x0000000002480000-0x00000000024BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5016-195-0x0000000002480000-0x00000000024BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5016-197-0x0000000002480000-0x00000000024BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5016-199-0x0000000002480000-0x00000000024BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5016-201-0x0000000002480000-0x00000000024BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5016-155-0x0000000004C50000-0x0000000004C60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5016-205-0x0000000002480000-0x00000000024BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5016-207-0x0000000002480000-0x00000000024BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5016-209-0x0000000002480000-0x00000000024BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5016-211-0x0000000002480000-0x00000000024BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5016-213-0x0000000002480000-0x00000000024BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5016-215-0x0000000002480000-0x00000000024BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5016-217-0x0000000002480000-0x00000000024BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5016-219-0x0000000002480000-0x00000000024BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5016-221-0x0000000002480000-0x00000000024BF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/5016-1064-0x0000000005210000-0x0000000005828000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/5016-1065-0x00000000058A0000-0x00000000059AA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/5016-1066-0x00000000059E0000-0x00000000059F2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/5016-1067-0x0000000005A00000-0x0000000005A3C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/5016-1068-0x0000000004C50000-0x0000000004C60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5016-1070-0x0000000004C50000-0x0000000004C60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5016-1071-0x0000000005CF0000-0x0000000005D82000-memory.dmp
      Filesize

      584KB

      Download
    • memory/5016-1072-0x0000000005D90000-0x0000000005DF6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/5016-1073-0x0000000004C50000-0x0000000004C60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5016-1074-0x0000000004C50000-0x0000000004C60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5016-1075-0x00000000066F0000-0x00000000068B2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/5016-153-0x0000000000790000-0x00000000007DB000-memory.dmp
      Filesize

      300KB

      Download
    • memory/5016-1076-0x00000000068D0000-0x0000000006DFC000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/5016-1077-0x0000000006F40000-0x0000000006FB6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/5016-1078-0x0000000006FD0000-0x0000000007020000-memory.dmp
      Filesize

      320KB

      Download
    • memory/5016-1079-0x0000000004C50000-0x0000000004C60000-memory.dmp
      Filesize

      64KB

      Download