Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    75s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2023 19:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dd33f65cbe1ab734d3bc2f391997262c74c3075047fe748d89e403dafeda229e.exe

  • Size

    522KB

  • MD5

    b61b7ef066e96fda858e2f7ddd381126

  • SHA1

    ef8b203c617707ce3a6a6ea2334d4dbf8ae32afa

  • SHA256

    dd33f65cbe1ab734d3bc2f391997262c74c3075047fe748d89e403dafeda229e

  • SHA512

    d37eda12ca81552c911e7c030dc27af730da8d3cd062af5db1db4dd9ee59557b1d39bfb8c34b47b7b112b4b37980a8c45d2a4eb98e9f51953a082d27a516821f

  • SSDEEP

    12288:FMr9y90aRnDDK7DLRYwwJ558QxbVul6+JYhFn:8ydRDDKqw7QxAsN

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd33f65cbe1ab734d3bc2f391997262c74c3075047fe748d89e403dafeda229e.exe
    "C:\Users\Admin\AppData\Local\Temp\dd33f65cbe1ab734d3bc2f391997262c74c3075047fe748d89e403dafeda229e.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4772
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zisp1467.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zisp1467.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4504
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr787011.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr787011.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2720
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku467800.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku467800.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1016
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 1348
          4⤵
          • Program crash
          PID:2932
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr912476.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr912476.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:628
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1016 -ip 1016
    1⤵
      PID:2188

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr912476.exe
      Filesize

      175KB

      MD5

      ae044cc414e3075857a4fd718e1525f2

      SHA1

      91c181fdd5e57626e38fd0de3f57bffbeec2433e

      SHA256

      71403213cd6ea2691d43f221fb93d86720310ccf11f01d28349c7ad6faa6fb96

      SHA512

      d363b5777d1ef95ad356bc41dd4014de810b931a6d7c2be4679f20e0eccafd6649af8af1ffdb2e676bcbd15ba3f8edfb17ad52ac4f94c3da8e700b2b0d3381e4

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr912476.exe
      Filesize

      175KB

      MD5

      ae044cc414e3075857a4fd718e1525f2

      SHA1

      91c181fdd5e57626e38fd0de3f57bffbeec2433e

      SHA256

      71403213cd6ea2691d43f221fb93d86720310ccf11f01d28349c7ad6faa6fb96

      SHA512

      d363b5777d1ef95ad356bc41dd4014de810b931a6d7c2be4679f20e0eccafd6649af8af1ffdb2e676bcbd15ba3f8edfb17ad52ac4f94c3da8e700b2b0d3381e4

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zisp1467.exe
      Filesize

      379KB

      MD5

      7b95c2684ef0d91e651bf2550963528e

      SHA1

      c7de07f196f96bd8fac5ab4682505d7c62a63f14

      SHA256

      89a5422c55810bb1bedda70186abd6e990e6faad5e15062820c2b010be0b4a88

      SHA512

      c73ac87749ccbfb79194c9e1dacbb94f66894480005f38ebb6f462fb0a0d5365affe3f29bf969d14442645da2186d3e3bb57978e69a94438ce87ad66f5696303

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zisp1467.exe
      Filesize

      379KB

      MD5

      7b95c2684ef0d91e651bf2550963528e

      SHA1

      c7de07f196f96bd8fac5ab4682505d7c62a63f14

      SHA256

      89a5422c55810bb1bedda70186abd6e990e6faad5e15062820c2b010be0b4a88

      SHA512

      c73ac87749ccbfb79194c9e1dacbb94f66894480005f38ebb6f462fb0a0d5365affe3f29bf969d14442645da2186d3e3bb57978e69a94438ce87ad66f5696303

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr787011.exe
      Filesize

      11KB

      MD5

      5a0c85f1383b99af7d4d3d9a14677347

      SHA1

      78dc7e98ee4033e361e0e70ddd2975b1b5a99c09

      SHA256

      73e11eb7e0e883bf410ced56dcde31392b943d45474740d2a92b0effdf286d58

      SHA512

      1b973c47813216225cb62435fff465890a0a4788a5d26ae2d628c021dd2ba27908f9fa1fc391e6eb7e9eb5c46692334190e9c365fad1e8ef518a510ac219c348

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr787011.exe
      Filesize

      11KB

      MD5

      5a0c85f1383b99af7d4d3d9a14677347

      SHA1

      78dc7e98ee4033e361e0e70ddd2975b1b5a99c09

      SHA256

      73e11eb7e0e883bf410ced56dcde31392b943d45474740d2a92b0effdf286d58

      SHA512

      1b973c47813216225cb62435fff465890a0a4788a5d26ae2d628c021dd2ba27908f9fa1fc391e6eb7e9eb5c46692334190e9c365fad1e8ef518a510ac219c348

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku467800.exe
      Filesize

      294KB

      MD5

      a0b4c4a675d5c726406aa1d2ca1681d4

      SHA1

      88552059205a4d9e405bea5936acac31c0b33707

      SHA256

      eae3baebfd65da143adf0f65c8ab1ad9ad786fe264009be79f29dd9a25f09bb5

      SHA512

      2412696f65fd008bafc168309b339a3ef87b43cdc318442906a80decbed964a5a17ac1ea8b4d562a841bf096c88116c36ae0f8fe1fae12f1d3593fb0edbb15a1

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku467800.exe
      Filesize

      294KB

      MD5

      a0b4c4a675d5c726406aa1d2ca1681d4

      SHA1

      88552059205a4d9e405bea5936acac31c0b33707

      SHA256

      eae3baebfd65da143adf0f65c8ab1ad9ad786fe264009be79f29dd9a25f09bb5

      SHA512

      2412696f65fd008bafc168309b339a3ef87b43cdc318442906a80decbed964a5a17ac1ea8b4d562a841bf096c88116c36ae0f8fe1fae12f1d3593fb0edbb15a1

      Download Submit
    • memory/628-1084-0x0000000000DE0000-0x0000000000E12000-memory.dmp
      Filesize

      200KB

      Download
    • memory/628-1085-0x0000000005960000-0x0000000005970000-memory.dmp
      Filesize

      64KB

      Download
    • memory/628-1086-0x0000000005960000-0x0000000005970000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1016-192-0x00000000025F0000-0x000000000262F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1016-204-0x00000000025F0000-0x000000000262F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1016-156-0x0000000002300000-0x0000000002310000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1016-157-0x00000000025F0000-0x000000000262F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1016-158-0x00000000025F0000-0x000000000262F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1016-160-0x00000000025F0000-0x000000000262F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1016-162-0x00000000025F0000-0x000000000262F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1016-164-0x00000000025F0000-0x000000000262F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1016-166-0x00000000025F0000-0x000000000262F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1016-168-0x00000000025F0000-0x000000000262F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1016-170-0x00000000025F0000-0x000000000262F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1016-172-0x00000000025F0000-0x000000000262F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1016-174-0x00000000025F0000-0x000000000262F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1016-176-0x00000000025F0000-0x000000000262F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1016-178-0x00000000025F0000-0x000000000262F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1016-180-0x00000000025F0000-0x000000000262F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1016-182-0x00000000025F0000-0x000000000262F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1016-184-0x00000000025F0000-0x000000000262F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1016-186-0x00000000025F0000-0x000000000262F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1016-188-0x00000000025F0000-0x000000000262F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1016-190-0x00000000025F0000-0x000000000262F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1016-154-0x0000000004B20000-0x00000000050C4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1016-194-0x00000000025F0000-0x000000000262F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1016-196-0x00000000025F0000-0x000000000262F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1016-198-0x00000000025F0000-0x000000000262F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1016-202-0x00000000025F0000-0x000000000262F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1016-200-0x00000000025F0000-0x000000000262F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1016-155-0x0000000002300000-0x0000000002310000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1016-206-0x00000000025F0000-0x000000000262F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1016-208-0x00000000025F0000-0x000000000262F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1016-210-0x00000000025F0000-0x000000000262F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1016-212-0x00000000025F0000-0x000000000262F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1016-214-0x00000000025F0000-0x000000000262F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1016-216-0x00000000025F0000-0x000000000262F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1016-218-0x00000000025F0000-0x000000000262F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1016-220-0x00000000025F0000-0x000000000262F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1016-1063-0x0000000005210000-0x0000000005828000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/1016-1064-0x00000000058A0000-0x00000000059AA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1016-1065-0x0000000002300000-0x0000000002310000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1016-1066-0x00000000059E0000-0x00000000059F2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1016-1067-0x0000000005A00000-0x0000000005A3C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/1016-1069-0x0000000005CF0000-0x0000000005D82000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1016-1070-0x0000000005D90000-0x0000000005DF6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1016-1071-0x0000000002300000-0x0000000002310000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1016-1072-0x0000000002300000-0x0000000002310000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1016-1073-0x0000000002300000-0x0000000002310000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1016-1074-0x00000000065B0000-0x0000000006772000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/1016-153-0x0000000000560000-0x00000000005AB000-memory.dmp
      Filesize

      300KB

      Download
    • memory/1016-1075-0x0000000006790000-0x0000000006CBC000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/1016-1076-0x0000000002300000-0x0000000002310000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1016-1077-0x0000000008420000-0x0000000008496000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1016-1078-0x00000000084B0000-0x0000000008500000-memory.dmp
      Filesize

      320KB

      Download
    • memory/2720-147-0x0000000000C60000-0x0000000000C6A000-memory.dmp
      Filesize

      40KB

      Download