Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    55s
  • max time network
    147s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    03-04-2023 19:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    15aac39de8beb3d4c65a57c3d3e10e6f0d9f26e3b181da16e5d3c3ba87da1320.exe

  • Size

    521KB

  • MD5

    b070d31573080774852df2899e917477

  • SHA1

    ba64a1204882a460f29465fdb12472f2b04bda8f

  • SHA256

    15aac39de8beb3d4c65a57c3d3e10e6f0d9f26e3b181da16e5d3c3ba87da1320

  • SHA512

    98583b48e21d58e81b6349805ca6273acc9acfa32b4f10fb9374de7ca8a19c751420a14dc1503cb1375fc6ad1aee924a4e6fdbf28303f3e3adfd8f8585b77d2a

  • SSDEEP

    12288:gMrxy90gkYHn4GJG1EB6BqXAVjiY0tkOv6:ByeYHn4GM1EB6VVjiYSkOC

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 36 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\15aac39de8beb3d4c65a57c3d3e10e6f0d9f26e3b181da16e5d3c3ba87da1320.exe
    "C:\Users\Admin\AppData\Local\Temp\15aac39de8beb3d4c65a57c3d3e10e6f0d9f26e3b181da16e5d3c3ba87da1320.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2136
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDd9867.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDd9867.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2464
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr447057.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr447057.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2528
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku572829.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku572829.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2836
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr817822.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr817822.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr817822.exe
    Filesize

    175KB

    MD5

    07d79c69c5b56f8259afef1de7a4aefc

    SHA1

    1e3dce2ef4f154bb62590ba8c13466188c01cfcb

    SHA256

    395b5a8444b86a3b66e06bc61c7d86a51054fe94ac65ece1628a5f33db92f639

    SHA512

    ed1aac4ebe39858b81a1709a01d51e281bd5bcde3eba3c9625093e38867d32a3a8d0fbee42919be71e2c2eb0722271fb2a2ad37d0206ab024553ae8bc0baec41

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr817822.exe
    Filesize

    175KB

    MD5

    07d79c69c5b56f8259afef1de7a4aefc

    SHA1

    1e3dce2ef4f154bb62590ba8c13466188c01cfcb

    SHA256

    395b5a8444b86a3b66e06bc61c7d86a51054fe94ac65ece1628a5f33db92f639

    SHA512

    ed1aac4ebe39858b81a1709a01d51e281bd5bcde3eba3c9625093e38867d32a3a8d0fbee42919be71e2c2eb0722271fb2a2ad37d0206ab024553ae8bc0baec41

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDd9867.exe
    Filesize

    379KB

    MD5

    9d35ac104a52eb052159b6ca65904db7

    SHA1

    c5ae4ff3551d108d85d7c7d1b53f55d5fcb7dffd

    SHA256

    2b491d7c5ccdb1cf496f3c1d40d1b67e119fcda303f90726c15c64db4aa74f1d

    SHA512

    7d20e015441c2015b231b7df2853f8e2808c60c1b1c219e7138085b5a06f65475b2bed7d15ee60cf8c3f9b5435df6a6097779684eb4581f16539725e98d2b5a7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDd9867.exe
    Filesize

    379KB

    MD5

    9d35ac104a52eb052159b6ca65904db7

    SHA1

    c5ae4ff3551d108d85d7c7d1b53f55d5fcb7dffd

    SHA256

    2b491d7c5ccdb1cf496f3c1d40d1b67e119fcda303f90726c15c64db4aa74f1d

    SHA512

    7d20e015441c2015b231b7df2853f8e2808c60c1b1c219e7138085b5a06f65475b2bed7d15ee60cf8c3f9b5435df6a6097779684eb4581f16539725e98d2b5a7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr447057.exe
    Filesize

    11KB

    MD5

    2b1b67b9bdf8a8a4baf3b544c7016566

    SHA1

    0a63c3af077b24f53a521e1002dd6e022de18291

    SHA256

    a5098da46b4ff46cc863d328db85d4207ded2fa8527c9119964c403ad6c71041

    SHA512

    860ff227f9bf5655ff96dae23d9a1262c25044df47a70f39aa8218c2f52f90f89ccaf6886f60b1445395bae097d847a430a3f20f8f23173579c4dc9822926d99

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr447057.exe
    Filesize

    11KB

    MD5

    2b1b67b9bdf8a8a4baf3b544c7016566

    SHA1

    0a63c3af077b24f53a521e1002dd6e022de18291

    SHA256

    a5098da46b4ff46cc863d328db85d4207ded2fa8527c9119964c403ad6c71041

    SHA512

    860ff227f9bf5655ff96dae23d9a1262c25044df47a70f39aa8218c2f52f90f89ccaf6886f60b1445395bae097d847a430a3f20f8f23173579c4dc9822926d99

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku572829.exe
    Filesize

    294KB

    MD5

    cfd0c911fd226bd094513f523dd04cd8

    SHA1

    05f926d51700af1e3a2f4ae7e50496d844f120cf

    SHA256

    04f18044041586f24189cee658de48efcb74a909315abc1bab789c8ecf2fc09b

    SHA512

    4534c1e233414085a7b4c6c1837bdc10867253a372b195a95237b4bfe8969a5124899683619f170764c8bb2a219d82f38acded2fcd749da7a6471f9ee708e6c3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku572829.exe
    Filesize

    294KB

    MD5

    cfd0c911fd226bd094513f523dd04cd8

    SHA1

    05f926d51700af1e3a2f4ae7e50496d844f120cf

    SHA256

    04f18044041586f24189cee658de48efcb74a909315abc1bab789c8ecf2fc09b

    SHA512

    4534c1e233414085a7b4c6c1837bdc10867253a372b195a95237b4bfe8969a5124899683619f170764c8bb2a219d82f38acded2fcd749da7a6471f9ee708e6c3

    Download Submit
  • memory/1536-1076-0x0000000000F20000-0x0000000000F52000-memory.dmp
    Filesize

    200KB

    Download
  • memory/1536-1077-0x0000000005960000-0x00000000059AB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/1536-1078-0x00000000057C0000-0x00000000057D0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2528-135-0x0000000000A70000-0x0000000000A7A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2836-165-0x00000000022C0000-0x00000000022FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2836-197-0x00000000022C0000-0x00000000022FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2836-144-0x00000000022C0000-0x00000000022FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2836-145-0x00000000022C0000-0x00000000022FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2836-147-0x00000000022C0000-0x00000000022FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2836-150-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2836-149-0x00000000005E0000-0x000000000062B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/2836-151-0x00000000022C0000-0x00000000022FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2836-152-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2836-155-0x00000000022C0000-0x00000000022FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2836-154-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2836-157-0x00000000022C0000-0x00000000022FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2836-159-0x00000000022C0000-0x00000000022FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2836-161-0x00000000022C0000-0x00000000022FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2836-163-0x00000000022C0000-0x00000000022FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2836-171-0x00000000022C0000-0x00000000022FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2836-173-0x00000000022C0000-0x00000000022FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2836-169-0x00000000022C0000-0x00000000022FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2836-177-0x00000000022C0000-0x00000000022FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2836-175-0x00000000022C0000-0x00000000022FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2836-167-0x00000000022C0000-0x00000000022FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2836-179-0x00000000022C0000-0x00000000022FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2836-142-0x0000000004BD0000-0x00000000050CE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2836-181-0x00000000022C0000-0x00000000022FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2836-191-0x00000000022C0000-0x00000000022FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2836-193-0x00000000022C0000-0x00000000022FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2836-195-0x00000000022C0000-0x00000000022FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2836-143-0x00000000022C0000-0x0000000002304000-memory.dmp
    Filesize

    272KB

    Download
  • memory/2836-203-0x00000000022C0000-0x00000000022FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2836-211-0x00000000022C0000-0x00000000022FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2836-209-0x00000000022C0000-0x00000000022FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2836-207-0x00000000022C0000-0x00000000022FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2836-205-0x00000000022C0000-0x00000000022FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2836-201-0x00000000022C0000-0x00000000022FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2836-199-0x00000000022C0000-0x00000000022FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2836-189-0x00000000022C0000-0x00000000022FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2836-187-0x00000000022C0000-0x00000000022FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2836-185-0x00000000022C0000-0x00000000022FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2836-183-0x00000000022C0000-0x00000000022FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2836-1054-0x00000000050D0000-0x00000000056D6000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/2836-1055-0x00000000056E0000-0x00000000057EA000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/2836-1056-0x0000000004B70000-0x0000000004B82000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2836-1057-0x00000000057F0000-0x000000000582E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2836-1058-0x0000000005930000-0x000000000597B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/2836-1059-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2836-1061-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2836-1062-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2836-1063-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2836-1064-0x0000000005AA0000-0x0000000005B32000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2836-1065-0x0000000005B40000-0x0000000005BA6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2836-1066-0x0000000006380000-0x00000000063F6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/2836-141-0x0000000002220000-0x0000000002266000-memory.dmp
    Filesize

    280KB

    Download
  • memory/2836-1067-0x0000000006410000-0x0000000006460000-memory.dmp
    Filesize

    320KB

    Download
  • memory/2836-1068-0x0000000006490000-0x0000000006652000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2836-1069-0x0000000006660000-0x0000000006B8C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/2836-1070-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
    Filesize

    64KB

    Download