Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    56s
  • max time network
    71s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    03-04-2023 19:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    50cd137f04c9bd20a6c27709dcea17199611988066ea090df365c549aaa9f738.exe

  • Size

    522KB

  • MD5

    cc36e4f74f64b36598b560749d6692d6

  • SHA1

    c4d68a4939237352f1876767ac984178dc03e2f6

  • SHA256

    50cd137f04c9bd20a6c27709dcea17199611988066ea090df365c549aaa9f738

  • SHA512

    2592e12ec391de08317cca25d832feedfb742a4bca3dbc2d4b7794d5e9425555a81ef8fe6463277d86e85ede91babc0743e2542483731c0f841a2555dc3ba6e3

  • SSDEEP

    12288:CMrdy90D2ZTDg+DEI3kDKdcCl3sXZmfu8Hq:/y5gG1HcC3sy3Hq

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\50cd137f04c9bd20a6c27709dcea17199611988066ea090df365c549aaa9f738.exe
    "C:\Users\Admin\AppData\Local\Temp\50cd137f04c9bd20a6c27709dcea17199611988066ea090df365c549aaa9f738.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1764
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zicS0995.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zicS0995.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2056
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr194765.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr194765.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4308
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku651132.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku651132.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4244
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr355426.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr355426.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1132

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr355426.exe
    Filesize

    175KB

    MD5

    1d9b3e6244d47b0e217535ca018aa62a

    SHA1

    f2a7b6a102362d816917410c950600ec6e8db5ab

    SHA256

    831830652fc9616663df1c32515b9dac07312d52f8cc7ccff5e07757435f8589

    SHA512

    9846ba3e671544b9282dd676d4daea317fe808d346de8a64579d770c737c2bafd06983e316ae4dad8cbb303e356668fd442687df4940c90f0d0fc376e4ae7fd2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr355426.exe
    Filesize

    175KB

    MD5

    1d9b3e6244d47b0e217535ca018aa62a

    SHA1

    f2a7b6a102362d816917410c950600ec6e8db5ab

    SHA256

    831830652fc9616663df1c32515b9dac07312d52f8cc7ccff5e07757435f8589

    SHA512

    9846ba3e671544b9282dd676d4daea317fe808d346de8a64579d770c737c2bafd06983e316ae4dad8cbb303e356668fd442687df4940c90f0d0fc376e4ae7fd2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zicS0995.exe
    Filesize

    379KB

    MD5

    6eab4add26d8cbf96125919ae3cc04df

    SHA1

    96f10a2f1bd25adedb5f9c400016e17ce366612f

    SHA256

    979b1869ba9c6c2836c4c2c6ed87d520df575cd76d577e5c009a6dc94aafa574

    SHA512

    a71b5633cdfcc2aa25c3540346a145eed60277811a07dbe8e8178d9b2a9e77b0dc332ed229482f2cadedcae4ce81a3c2d52e2d553f1938f6aa64e5f7d60a8444

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zicS0995.exe
    Filesize

    379KB

    MD5

    6eab4add26d8cbf96125919ae3cc04df

    SHA1

    96f10a2f1bd25adedb5f9c400016e17ce366612f

    SHA256

    979b1869ba9c6c2836c4c2c6ed87d520df575cd76d577e5c009a6dc94aafa574

    SHA512

    a71b5633cdfcc2aa25c3540346a145eed60277811a07dbe8e8178d9b2a9e77b0dc332ed229482f2cadedcae4ce81a3c2d52e2d553f1938f6aa64e5f7d60a8444

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr194765.exe
    Filesize

    11KB

    MD5

    caaa69b72a6310930160e8d9afc7dd4e

    SHA1

    41bff04ef8f5721faa638eac999dfd7081f895ca

    SHA256

    a4d2ccd6a0a982b569a8702a7f9fdd5d083dc276f1c325b958df9ed8ced626f6

    SHA512

    2140be6c992250a29160bc8ec2fd1ad684ed251665db3cb9bf8edae2ed3210f28469fa0d6825d59a39c2c3cd7e6e009adeb839d656b91dcc915b6aba23b95321

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr194765.exe
    Filesize

    11KB

    MD5

    caaa69b72a6310930160e8d9afc7dd4e

    SHA1

    41bff04ef8f5721faa638eac999dfd7081f895ca

    SHA256

    a4d2ccd6a0a982b569a8702a7f9fdd5d083dc276f1c325b958df9ed8ced626f6

    SHA512

    2140be6c992250a29160bc8ec2fd1ad684ed251665db3cb9bf8edae2ed3210f28469fa0d6825d59a39c2c3cd7e6e009adeb839d656b91dcc915b6aba23b95321

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku651132.exe
    Filesize

    294KB

    MD5

    a94d226880a3abb254ea8cc1d6ce19fa

    SHA1

    4b32ede4a5699501ea62e95ab1f50ec4e4a432da

    SHA256

    3ecb3d06abe58fcab91f782f4bcc059b6cd8293523d9030978c1fc70a20493e2

    SHA512

    3f12d78972b37d576fb815b208d6b912b77e02db546a969f25a1a5b4c42a65fee3dcb4cbf3b5ae58f931a9c04df13f3da3db29a7ad4bcee45eee0625663c7a60

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku651132.exe
    Filesize

    294KB

    MD5

    a94d226880a3abb254ea8cc1d6ce19fa

    SHA1

    4b32ede4a5699501ea62e95ab1f50ec4e4a432da

    SHA256

    3ecb3d06abe58fcab91f782f4bcc059b6cd8293523d9030978c1fc70a20493e2

    SHA512

    3f12d78972b37d576fb815b208d6b912b77e02db546a969f25a1a5b4c42a65fee3dcb4cbf3b5ae58f931a9c04df13f3da3db29a7ad4bcee45eee0625663c7a60

    Download Submit
  • memory/1132-1076-0x0000000000840000-0x0000000000872000-memory.dmp
    Filesize

    200KB

    Download
  • memory/1132-1077-0x0000000005280000-0x00000000052CB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/1132-1078-0x0000000005150000-0x0000000005160000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4244-181-0x0000000004FA0000-0x0000000004FDF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-193-0x0000000004FA0000-0x0000000004FDF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-144-0x00000000004C0000-0x000000000050B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4244-145-0x0000000002520000-0x0000000002530000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4244-146-0x0000000002520000-0x0000000002530000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4244-147-0x0000000002520000-0x0000000002530000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4244-148-0x0000000004FA0000-0x0000000004FDF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-149-0x0000000004FA0000-0x0000000004FDF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-151-0x0000000004FA0000-0x0000000004FDF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-153-0x0000000004FA0000-0x0000000004FDF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-155-0x0000000004FA0000-0x0000000004FDF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-157-0x0000000004FA0000-0x0000000004FDF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-159-0x0000000004FA0000-0x0000000004FDF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-161-0x0000000004FA0000-0x0000000004FDF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-163-0x0000000004FA0000-0x0000000004FDF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-165-0x0000000004FA0000-0x0000000004FDF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-167-0x0000000004FA0000-0x0000000004FDF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-169-0x0000000004FA0000-0x0000000004FDF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-171-0x0000000004FA0000-0x0000000004FDF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-173-0x0000000004FA0000-0x0000000004FDF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-175-0x0000000004FA0000-0x0000000004FDF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-177-0x0000000004FA0000-0x0000000004FDF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-179-0x0000000004FA0000-0x0000000004FDF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-142-0x0000000004AA0000-0x0000000004F9E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/4244-183-0x0000000004FA0000-0x0000000004FDF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-185-0x0000000004FA0000-0x0000000004FDF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-187-0x0000000004FA0000-0x0000000004FDF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-189-0x0000000004FA0000-0x0000000004FDF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-191-0x0000000004FA0000-0x0000000004FDF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-143-0x0000000004FA0000-0x0000000004FE4000-memory.dmp
    Filesize

    272KB

    Download
  • memory/4244-195-0x0000000004FA0000-0x0000000004FDF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-197-0x0000000004FA0000-0x0000000004FDF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-199-0x0000000004FA0000-0x0000000004FDF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-201-0x0000000004FA0000-0x0000000004FDF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-203-0x0000000004FA0000-0x0000000004FDF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-205-0x0000000004FA0000-0x0000000004FDF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-207-0x0000000004FA0000-0x0000000004FDF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-209-0x0000000004FA0000-0x0000000004FDF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-211-0x0000000004FA0000-0x0000000004FDF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4244-1054-0x0000000005120000-0x0000000005726000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/4244-1055-0x00000000057A0000-0x00000000058AA000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4244-1056-0x00000000058E0000-0x00000000058F2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4244-1057-0x0000000005900000-0x000000000593E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4244-1058-0x0000000005A50000-0x0000000005A9B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4244-1059-0x0000000002520000-0x0000000002530000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4244-1061-0x0000000002520000-0x0000000002530000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4244-1062-0x0000000002520000-0x0000000002530000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4244-1063-0x0000000002520000-0x0000000002530000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4244-1064-0x0000000005BE0000-0x0000000005C46000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4244-1065-0x00000000062A0000-0x0000000006332000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4244-1066-0x00000000065B0000-0x0000000006626000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4244-141-0x00000000024A0000-0x00000000024E6000-memory.dmp
    Filesize

    280KB

    Download
  • memory/4244-1067-0x0000000006630000-0x0000000006680000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4244-1068-0x0000000002520000-0x0000000002530000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4244-1069-0x0000000007970000-0x0000000007B32000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/4244-1070-0x0000000007B40000-0x000000000806C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4308-135-0x0000000000100000-0x000000000010A000-memory.dmp
    Filesize

    40KB

    Download