Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    109s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2023 18:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f5780d4e1ed1a0df341a29259b891de14439a6097492c36ca62c62a225561ed1.exe

  • Size

    521KB

  • MD5

    c465b0501aa1acaebc5a69414fedf4d3

  • SHA1

    04d28be78b9a6a56923814bfd2652937562e14f4

  • SHA256

    f5780d4e1ed1a0df341a29259b891de14439a6097492c36ca62c62a225561ed1

  • SHA512

    7c03364ec83d0590f64745764be05a038d99fa6eec7b6ac8c649438a6f456d31517c1dd84ae5ee72436af7f4e5a9aa225d5c918d4f5ff1719a9eb7eda256bc99

  • SSDEEP

    6144:KNy+bnr+5p0yN90QEgL8+7wKjHxpvnLyIznfwVyy9O4hbfN61Aj46Wp1BG7JK+8N:3Mrhy90g8ewKVRuIbo5x1DUDKK+8N

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5780d4e1ed1a0df341a29259b891de14439a6097492c36ca62c62a225561ed1.exe
    "C:\Users\Admin\AppData\Local\Temp\f5780d4e1ed1a0df341a29259b891de14439a6097492c36ca62c62a225561ed1.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3204
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLn7981.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLn7981.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:648
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr871680.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr871680.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3388
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku710542.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku710542.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4280
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 1344
          4⤵
          • Program crash
          PID:4216
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr934956.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr934956.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2332
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4280 -ip 4280
    1⤵
      PID:1872

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr934956.exe
      Filesize

      175KB

      MD5

      c6180a24423d105ee0c00d025ea436c0

      SHA1

      8acdf269d57b11c53fe1e714d4e6963f17d1ee3c

      SHA256

      eea3a9dffd88947217b7e9765829e54dde38cd08f55a0b1229fd4a7a280028c2

      SHA512

      4a37ca29f2464acdc6bb3a351e0a36f3e9b2ecd0685449f767bd68d164344e7259e1ad105d01bdf7a4bf8d9974b08e8d36e0cbf0a83cc4aa929e731ee68cbe50

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr934956.exe
      Filesize

      175KB

      MD5

      c6180a24423d105ee0c00d025ea436c0

      SHA1

      8acdf269d57b11c53fe1e714d4e6963f17d1ee3c

      SHA256

      eea3a9dffd88947217b7e9765829e54dde38cd08f55a0b1229fd4a7a280028c2

      SHA512

      4a37ca29f2464acdc6bb3a351e0a36f3e9b2ecd0685449f767bd68d164344e7259e1ad105d01bdf7a4bf8d9974b08e8d36e0cbf0a83cc4aa929e731ee68cbe50

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLn7981.exe
      Filesize

      379KB

      MD5

      aa0800ae5d9f65147d026b6cbaa03af1

      SHA1

      cc466cff6438dc6cbd9e4071fca4d19dcb021184

      SHA256

      afd3498907324b4fd8bc9be881decefedc76a1a96d20612a759c8ee433ec49a5

      SHA512

      8e19703c5c009cde640f2e01b78ddddc570b299070fa8c12fe25912014d5391a9b5251a006e6d7c7788b07b9503a9f2eeb38b7133c4f4c4c59aa6613510a6c51

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLn7981.exe
      Filesize

      379KB

      MD5

      aa0800ae5d9f65147d026b6cbaa03af1

      SHA1

      cc466cff6438dc6cbd9e4071fca4d19dcb021184

      SHA256

      afd3498907324b4fd8bc9be881decefedc76a1a96d20612a759c8ee433ec49a5

      SHA512

      8e19703c5c009cde640f2e01b78ddddc570b299070fa8c12fe25912014d5391a9b5251a006e6d7c7788b07b9503a9f2eeb38b7133c4f4c4c59aa6613510a6c51

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr871680.exe
      Filesize

      11KB

      MD5

      652a2440a0a671519e9bda78272a86c9

      SHA1

      c1b6822a48804f30e692d2c58b80e153de9084dd

      SHA256

      e7078d8fe2d896d10f0962dd2b24e74aff7bc5346be6fe23caf7676a273beff9

      SHA512

      657f0ec714a1b8774973abd3ff76c2696f27338d4a20313f518ab4ccfdaba268a8d87b6e7d48d09475f3c6f198096b15a37acd00704e76970207d95980fac747

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr871680.exe
      Filesize

      11KB

      MD5

      652a2440a0a671519e9bda78272a86c9

      SHA1

      c1b6822a48804f30e692d2c58b80e153de9084dd

      SHA256

      e7078d8fe2d896d10f0962dd2b24e74aff7bc5346be6fe23caf7676a273beff9

      SHA512

      657f0ec714a1b8774973abd3ff76c2696f27338d4a20313f518ab4ccfdaba268a8d87b6e7d48d09475f3c6f198096b15a37acd00704e76970207d95980fac747

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku710542.exe
      Filesize

      294KB

      MD5

      b107e04494b68801cc50bd6da66914f2

      SHA1

      cafd7fa2ddf867fec10b1cf5c8a0434fa41fa0c4

      SHA256

      3ab515a7b840f93e861e182a15bc8a56eeec89ddd5eb54e432f5a26d4f840488

      SHA512

      101317ccf10adeed94526762a05501fcdba84f0f8240c7cb9f4486df281c0ce6bb992fe673ca2ce50be8b1c597f197cbc9bf70b5f25617b5e9cc8a68c5490757

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku710542.exe
      Filesize

      294KB

      MD5

      b107e04494b68801cc50bd6da66914f2

      SHA1

      cafd7fa2ddf867fec10b1cf5c8a0434fa41fa0c4

      SHA256

      3ab515a7b840f93e861e182a15bc8a56eeec89ddd5eb54e432f5a26d4f840488

      SHA512

      101317ccf10adeed94526762a05501fcdba84f0f8240c7cb9f4486df281c0ce6bb992fe673ca2ce50be8b1c597f197cbc9bf70b5f25617b5e9cc8a68c5490757

      Download Submit
    • memory/2332-1084-0x00000000003C0000-0x00000000003F2000-memory.dmp
      Filesize

      200KB

      Download
    • memory/2332-1085-0x0000000004F80000-0x0000000004F90000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3388-147-0x0000000000780000-0x000000000078A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4280-186-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4280-198-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4280-155-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4280-156-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4280-158-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4280-160-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4280-162-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4280-164-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4280-167-0x0000000004CC0000-0x0000000004CD0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4280-166-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4280-170-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4280-169-0x0000000004CC0000-0x0000000004CD0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4280-172-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4280-174-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4280-176-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4280-178-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4280-180-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4280-182-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4280-184-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4280-153-0x0000000000620000-0x000000000066B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/4280-188-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4280-190-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4280-192-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4280-194-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4280-196-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4280-154-0x0000000004CD0000-0x0000000005274000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4280-200-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4280-202-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4280-204-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4280-206-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4280-208-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4280-210-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4280-212-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4280-214-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4280-216-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4280-218-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4280-220-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/4280-1063-0x0000000005280000-0x0000000005898000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/4280-1064-0x00000000058A0000-0x00000000059AA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/4280-1065-0x00000000059E0000-0x00000000059F2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4280-1066-0x0000000004CC0000-0x0000000004CD0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4280-1067-0x0000000005A00000-0x0000000005A3C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/4280-1069-0x0000000005CF0000-0x0000000005D82000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4280-1070-0x0000000005D90000-0x0000000005DF6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4280-1071-0x0000000004CC0000-0x0000000004CD0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4280-1073-0x0000000004CC0000-0x0000000004CD0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4280-1072-0x0000000004CC0000-0x0000000004CD0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4280-1074-0x00000000065B0000-0x0000000006772000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/4280-1075-0x0000000006790000-0x0000000006CBC000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/4280-1076-0x0000000006DF0000-0x0000000006E66000-memory.dmp
      Filesize

      472KB

      Download
    • memory/4280-1077-0x0000000006E80000-0x0000000006ED0000-memory.dmp
      Filesize

      320KB

      Download
    • memory/4280-1078-0x0000000004CC0000-0x0000000004CD0000-memory.dmp
      Filesize

      64KB

      Download