Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    60s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2023 18:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    73b7eca13d0d2f5449952abbd007b1e03dbdc4a582d7544486dfe749a7b65fb3.exe

  • Size

    521KB

  • MD5

    c8ac2ce7183437fb6c04d600b1d09640

  • SHA1

    6fe3f68cd20ea3c54205f4ad0bf70e0c0fcbeef8

  • SHA256

    73b7eca13d0d2f5449952abbd007b1e03dbdc4a582d7544486dfe749a7b65fb3

  • SHA512

    a86ae10d286901002ed78ac24da36990e4b48ad70ec6d403045f55f01ece58c686beb5f801565405cd44195b7e4df76cb650b918f43d67da4e688d99c38aad80

  • SSDEEP

    12288:+Mrxy90f++6L1oQIm3X/nzeLs3bSSl6sYgPcN:fy+++6hoe3PAs3nsIw

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\73b7eca13d0d2f5449952abbd007b1e03dbdc4a582d7544486dfe749a7b65fb3.exe
    "C:\Users\Admin\AppData\Local\Temp\73b7eca13d0d2f5449952abbd007b1e03dbdc4a582d7544486dfe749a7b65fb3.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2064
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziyj3867.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziyj3867.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:808
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr821198.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr821198.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1432
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku102330.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku102330.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1300
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 1560
          4⤵
          • Program crash
          PID:4480
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr678721.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr678721.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4980
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1300 -ip 1300
    1⤵
      PID:1784

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr678721.exe
      Filesize

      175KB

      MD5

      9a28f128841d40c47f2758096bf08616

      SHA1

      8a05bd73e4be707c21fcbe32d00db8efdb1db0b4

      SHA256

      6afe0077b28941c38dd33e3e9f065033baf214452c30a8ab1c22d5d471706c88

      SHA512

      c3b8fe116166e7903e4c944163c981df6403bba1831a8ac870c25c79d30bcfc0ad6dcc62070731a317f41ca5b65f6504273cbfa47f2d955458ccc18d16982f46

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr678721.exe
      Filesize

      175KB

      MD5

      9a28f128841d40c47f2758096bf08616

      SHA1

      8a05bd73e4be707c21fcbe32d00db8efdb1db0b4

      SHA256

      6afe0077b28941c38dd33e3e9f065033baf214452c30a8ab1c22d5d471706c88

      SHA512

      c3b8fe116166e7903e4c944163c981df6403bba1831a8ac870c25c79d30bcfc0ad6dcc62070731a317f41ca5b65f6504273cbfa47f2d955458ccc18d16982f46

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziyj3867.exe
      Filesize

      379KB

      MD5

      0db4d740998cd996596a78e7b1fe2181

      SHA1

      8809d418c017ac28f4f26d74e9f620c20a40cada

      SHA256

      b74cce96274cc533beebe8f475a0be2c228ed4f70d0aadd1878014ca172f235b

      SHA512

      d574b9b048d3ec52b589677a27bb3b4409499dac09f76be334000d755dd2a81769e84816c49f0e8127fb4f16a290baa23e15f99d6aa09fb8e660888dc159c2ba

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziyj3867.exe
      Filesize

      379KB

      MD5

      0db4d740998cd996596a78e7b1fe2181

      SHA1

      8809d418c017ac28f4f26d74e9f620c20a40cada

      SHA256

      b74cce96274cc533beebe8f475a0be2c228ed4f70d0aadd1878014ca172f235b

      SHA512

      d574b9b048d3ec52b589677a27bb3b4409499dac09f76be334000d755dd2a81769e84816c49f0e8127fb4f16a290baa23e15f99d6aa09fb8e660888dc159c2ba

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr821198.exe
      Filesize

      11KB

      MD5

      dc60f0c6c3c7a8ac4f2a4f95a36f94bc

      SHA1

      5daba85b1a40c2ca8e34ff00612e8070cd426768

      SHA256

      338e974fcfa569f03bc276983ad2ac3d1413e1c492b8efaada49f83442eca3b4

      SHA512

      f56f5cc9652c24716ea8f556027cb2c9c1a9a708b3150b73f174221e639904fea8136edd5c18a27b049b077d8f33c7e9bb6d3df210684686ffa70deb5c7101bd

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr821198.exe
      Filesize

      11KB

      MD5

      dc60f0c6c3c7a8ac4f2a4f95a36f94bc

      SHA1

      5daba85b1a40c2ca8e34ff00612e8070cd426768

      SHA256

      338e974fcfa569f03bc276983ad2ac3d1413e1c492b8efaada49f83442eca3b4

      SHA512

      f56f5cc9652c24716ea8f556027cb2c9c1a9a708b3150b73f174221e639904fea8136edd5c18a27b049b077d8f33c7e9bb6d3df210684686ffa70deb5c7101bd

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku102330.exe
      Filesize

      294KB

      MD5

      9772fdb8af0d88e285bc69173a7b990e

      SHA1

      758cfadbc9fb3bbc9689577dd6f6612aa7801f9c

      SHA256

      d4ca491003766175317125bb9e077a6897c3cbe25c66ca3eeed2bd27f8125f2e

      SHA512

      c95247f4ac92755141dd8aa605f30286059604b2d352ab66b7688ed652b30c064e63c7c66393e57232fc5fef199d0d93351d44d4708073cd63c905952f333bd3

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku102330.exe
      Filesize

      294KB

      MD5

      9772fdb8af0d88e285bc69173a7b990e

      SHA1

      758cfadbc9fb3bbc9689577dd6f6612aa7801f9c

      SHA256

      d4ca491003766175317125bb9e077a6897c3cbe25c66ca3eeed2bd27f8125f2e

      SHA512

      c95247f4ac92755141dd8aa605f30286059604b2d352ab66b7688ed652b30c064e63c7c66393e57232fc5fef199d0d93351d44d4708073cd63c905952f333bd3

      Download Submit
    • memory/1300-153-0x0000000002120000-0x000000000216B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/1300-154-0x0000000004C00000-0x0000000004C10000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1300-155-0x0000000004C00000-0x0000000004C10000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1300-156-0x0000000004C00000-0x0000000004C10000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1300-157-0x0000000004C10000-0x00000000051B4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1300-158-0x00000000051C0000-0x00000000051FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1300-159-0x00000000051C0000-0x00000000051FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1300-161-0x00000000051C0000-0x00000000051FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1300-163-0x00000000051C0000-0x00000000051FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1300-165-0x00000000051C0000-0x00000000051FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1300-167-0x00000000051C0000-0x00000000051FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1300-169-0x00000000051C0000-0x00000000051FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1300-171-0x00000000051C0000-0x00000000051FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1300-173-0x00000000051C0000-0x00000000051FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1300-175-0x00000000051C0000-0x00000000051FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1300-177-0x00000000051C0000-0x00000000051FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1300-179-0x00000000051C0000-0x00000000051FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1300-181-0x00000000051C0000-0x00000000051FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1300-183-0x00000000051C0000-0x00000000051FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1300-185-0x00000000051C0000-0x00000000051FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1300-187-0x00000000051C0000-0x00000000051FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1300-189-0x00000000051C0000-0x00000000051FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1300-191-0x00000000051C0000-0x00000000051FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1300-193-0x00000000051C0000-0x00000000051FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1300-195-0x00000000051C0000-0x00000000051FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1300-197-0x00000000051C0000-0x00000000051FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1300-199-0x00000000051C0000-0x00000000051FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1300-201-0x00000000051C0000-0x00000000051FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1300-203-0x00000000051C0000-0x00000000051FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1300-205-0x00000000051C0000-0x00000000051FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1300-207-0x00000000051C0000-0x00000000051FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1300-209-0x00000000051C0000-0x00000000051FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1300-211-0x00000000051C0000-0x00000000051FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1300-213-0x00000000051C0000-0x00000000051FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1300-215-0x00000000051C0000-0x00000000051FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1300-217-0x00000000051C0000-0x00000000051FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1300-219-0x00000000051C0000-0x00000000051FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1300-221-0x00000000051C0000-0x00000000051FF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1300-1064-0x0000000005200000-0x0000000005818000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/1300-1065-0x00000000058A0000-0x00000000059AA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1300-1066-0x00000000059E0000-0x00000000059F2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1300-1067-0x0000000005A00000-0x0000000005A3C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/1300-1068-0x0000000004C00000-0x0000000004C10000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1300-1070-0x0000000004C00000-0x0000000004C10000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1300-1071-0x0000000004C00000-0x0000000004C10000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1300-1072-0x0000000004C00000-0x0000000004C10000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1300-1073-0x0000000005CF0000-0x0000000005D82000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1300-1074-0x0000000005D90000-0x0000000005DF6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1300-1075-0x00000000065F0000-0x00000000067B2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/1300-1076-0x00000000067C0000-0x0000000006CEC000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/1300-1077-0x0000000004C00000-0x0000000004C10000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1300-1078-0x0000000008220000-0x0000000008296000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1300-1079-0x00000000082A0000-0x00000000082F0000-memory.dmp
      Filesize

      320KB

      Download
    • memory/1432-147-0x00000000000A0000-0x00000000000AA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4980-1085-0x0000000000010000-0x0000000000042000-memory.dmp
      Filesize

      200KB

      Download
    • memory/4980-1086-0x0000000004950000-0x0000000004960000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4980-1087-0x0000000004950000-0x0000000004960000-memory.dmp
      Filesize

      64KB

      Download