Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2023 18:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9942047151a8f0711c60725ce8acb67a8fef7fc335113c428a33e301b92e30b0.exe

  • Size

    522KB

  • MD5

    82de6cb1fd75569e56120d75f552afc7

  • SHA1

    0891d35dc913073f66c8dc2d9e8ec005cd5897ec

  • SHA256

    9942047151a8f0711c60725ce8acb67a8fef7fc335113c428a33e301b92e30b0

  • SHA512

    d92caee70bfda7aa75cdb69611ffddd83db93584f15b6b4d0a4b1afd07fa7d040008385612606250653381444e7c27bf1a87920b6f6394538a0ecfebe66d9877

  • SSDEEP

    12288:nMrFy90yTi3mouTo45H3isr6Osl3LwNz/sr2v8:2yZT7oUR3isGOslcNz/sr/

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9942047151a8f0711c60725ce8acb67a8fef7fc335113c428a33e301b92e30b0.exe
    "C:\Users\Admin\AppData\Local\Temp\9942047151a8f0711c60725ce8acb67a8fef7fc335113c428a33e301b92e30b0.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3736
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zinj2834.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zinj2834.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4672
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr663041.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr663041.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4504
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku974523.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku974523.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3192
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1724
          4⤵
          • Program crash
          PID:1880
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr046480.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr046480.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:856
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3192 -ip 3192
    1⤵
      PID:2956
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start wuauserv
      1⤵
      • Launches sc.exe
      PID:796

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr046480.exe
      Filesize

      175KB

      MD5

      ee51aec45bb269dc235deb33a5202c64

      SHA1

      9e6b7b5e1ae1dec0d3e6ceb7a48d41962765e64b

      SHA256

      c618d15678b9f43e3ad47d6e24de63bb9abdccf87a7a9aa326307e0c50246f72

      SHA512

      544c036876927be3ddf7c44a66cf294694fdc2e753a14f0e2617a7608f60d4b90a7abe43bace05dd88b38f3366e1329da63a29a5401090bfdc55ade1b8c191e6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr046480.exe
      Filesize

      175KB

      MD5

      ee51aec45bb269dc235deb33a5202c64

      SHA1

      9e6b7b5e1ae1dec0d3e6ceb7a48d41962765e64b

      SHA256

      c618d15678b9f43e3ad47d6e24de63bb9abdccf87a7a9aa326307e0c50246f72

      SHA512

      544c036876927be3ddf7c44a66cf294694fdc2e753a14f0e2617a7608f60d4b90a7abe43bace05dd88b38f3366e1329da63a29a5401090bfdc55ade1b8c191e6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zinj2834.exe
      Filesize

      379KB

      MD5

      85c8041b495456eba55de85b572965d8

      SHA1

      d9f005ebca2dea6650ab433b6c7b89baec187f9b

      SHA256

      e6c4f0003cbd0880396a5bfd36194493dc00bb03bf1c76ab5da1c0db12c9a87d

      SHA512

      cbbb634b62c74ed5923908b3c2b96a8e294fd525b5068426ab7d066ce04dd4134cf0c19b1e3daa805025640987c9e2c9e5f6599a0ecb60370f1d9bf7f400dae6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zinj2834.exe
      Filesize

      379KB

      MD5

      85c8041b495456eba55de85b572965d8

      SHA1

      d9f005ebca2dea6650ab433b6c7b89baec187f9b

      SHA256

      e6c4f0003cbd0880396a5bfd36194493dc00bb03bf1c76ab5da1c0db12c9a87d

      SHA512

      cbbb634b62c74ed5923908b3c2b96a8e294fd525b5068426ab7d066ce04dd4134cf0c19b1e3daa805025640987c9e2c9e5f6599a0ecb60370f1d9bf7f400dae6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr663041.exe
      Filesize

      11KB

      MD5

      28b357e4981daf3d446be5ed836fcc62

      SHA1

      6266044a8a3c36be470a061b2018b369ee258e6d

      SHA256

      7fb74cdd97c37be1a1aa474755b1ef7026b6da7d54d5010a31f87610a137355b

      SHA512

      29fde37f4b5962ef1a54f5d84bba1c9f8236729d3c4cd85e74a52e646ce466cf340e49764438bf41d35f721bbff77fc1da506ffa101353f6b28829f557b18508

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr663041.exe
      Filesize

      11KB

      MD5

      28b357e4981daf3d446be5ed836fcc62

      SHA1

      6266044a8a3c36be470a061b2018b369ee258e6d

      SHA256

      7fb74cdd97c37be1a1aa474755b1ef7026b6da7d54d5010a31f87610a137355b

      SHA512

      29fde37f4b5962ef1a54f5d84bba1c9f8236729d3c4cd85e74a52e646ce466cf340e49764438bf41d35f721bbff77fc1da506ffa101353f6b28829f557b18508

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku974523.exe
      Filesize

      294KB

      MD5

      7a081a967791e33925d513f3f2d0e128

      SHA1

      1c39d446001bcddb3e26c788449ef28bc7d4f3c9

      SHA256

      37a1b87931796bea7f399e210072cea59fd205548975a165f7b0144594dc96c1

      SHA512

      43163bf89390670d72504ffae14adb4777bd89d02d1454a6321c36cd7a720617532cd0a46c2ea0e3fe9d70c5217eaff6d5834d32579b7075f6a93b24d6795590

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku974523.exe
      Filesize

      294KB

      MD5

      7a081a967791e33925d513f3f2d0e128

      SHA1

      1c39d446001bcddb3e26c788449ef28bc7d4f3c9

      SHA256

      37a1b87931796bea7f399e210072cea59fd205548975a165f7b0144594dc96c1

      SHA512

      43163bf89390670d72504ffae14adb4777bd89d02d1454a6321c36cd7a720617532cd0a46c2ea0e3fe9d70c5217eaff6d5834d32579b7075f6a93b24d6795590

      Download Submit
    • memory/856-1085-0x0000000000CA0000-0x0000000000CD2000-memory.dmp
      Filesize

      200KB

      Download
    • memory/856-1086-0x0000000005890000-0x00000000058A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/856-1087-0x0000000005890000-0x00000000058A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3192-191-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3192-203-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3192-156-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3192-157-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3192-159-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3192-161-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3192-163-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3192-165-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3192-167-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3192-169-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3192-171-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3192-175-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3192-173-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3192-177-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3192-179-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3192-181-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3192-183-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3192-185-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3192-187-0x0000000004C10000-0x0000000004C20000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3192-189-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3192-188-0x0000000004C10000-0x0000000004C20000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3192-154-0x0000000004C10000-0x0000000004C20000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3192-193-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3192-195-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3192-197-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3192-199-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3192-201-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3192-155-0x0000000004C20000-0x00000000051C4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3192-205-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3192-207-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3192-209-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3192-211-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3192-213-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3192-215-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3192-217-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3192-219-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3192-221-0x0000000004AA0000-0x0000000004ADF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3192-1064-0x00000000052D0000-0x00000000058E8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/3192-1065-0x00000000058F0000-0x00000000059FA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/3192-1066-0x0000000004BF0000-0x0000000004C02000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3192-1067-0x0000000005A00000-0x0000000005A3C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/3192-1068-0x0000000004C10000-0x0000000004C20000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3192-1070-0x0000000004C10000-0x0000000004C20000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3192-1071-0x0000000005CF0000-0x0000000005D82000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3192-1072-0x0000000005D90000-0x0000000005DF6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3192-1074-0x0000000004C10000-0x0000000004C20000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3192-1073-0x0000000004C10000-0x0000000004C20000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3192-1075-0x00000000065C0000-0x0000000006782000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/3192-153-0x0000000000850000-0x000000000089B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/3192-1076-0x0000000006790000-0x0000000006CBC000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/3192-1077-0x0000000006DF0000-0x0000000006E66000-memory.dmp
      Filesize

      472KB

      Download
    • memory/3192-1078-0x0000000006E80000-0x0000000006ED0000-memory.dmp
      Filesize

      320KB

      Download
    • memory/3192-1079-0x0000000004C10000-0x0000000004C20000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4504-147-0x0000000000550000-0x000000000055A000-memory.dmp
      Filesize

      40KB

      Download