Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    107s
  • max time network
    109s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2023 20:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d9725d37c9ad4a2a83c8a7d80004c2f24ca9f1f464732b92fe88fe32fa760738.exe

  • Size

    658KB

  • MD5

    a8218ad88fa977c148d432a96a626bf6

  • SHA1

    d1b33828fa7491a165bc3307d8f6f4f4755df501

  • SHA256

    d9725d37c9ad4a2a83c8a7d80004c2f24ca9f1f464732b92fe88fe32fa760738

  • SHA512

    577696f114c7b0e7d30bcc311bf87ae2c6f9729eb89b6e3a0f20e449711fa1fd9529b58fc485f4899492241be50f6b452312fa264239354a6bf69e30fcdeb6ef

  • SSDEEP

    12288:DMruy90+UdjGJWxf0kiVxkVuLt8/EwkgU44LzWKKf8vU9oE:5yDWjIeUEuhnXgF42KYiE

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9725d37c9ad4a2a83c8a7d80004c2f24ca9f1f464732b92fe88fe32fa760738.exe
    "C:\Users\Admin\AppData\Local\Temp\d9725d37c9ad4a2a83c8a7d80004c2f24ca9f1f464732b92fe88fe32fa760738.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4260
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un530290.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un530290.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:5060
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0318.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0318.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1212
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 1088
          4⤵
          • Program crash
          PID:3748
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7572.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7572.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3920
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 1968
          4⤵
          • Program crash
          PID:3388
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si495071.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si495071.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2824
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1212 -ip 1212
    1⤵
      PID:3080
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3920 -ip 3920
      1⤵
        PID:4500

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si495071.exe
        Filesize

        175KB

        MD5

        82b39cf82197f48472369bbd53b49e1b

        SHA1

        6dea5b217765ab1486a2e53511be324adee1b19c

        SHA256

        efafa48b8f3ed96089cff5c4e42b5d82bd9c1012cccbebdc175ed4ec4908b171

        SHA512

        985269eda83f987e5dca8b280a5a639d59cf12e9ac1cf02fe1fee88bbf227d827bc82cb2e2193f2f84f745f2597423c6cf00fc922e25d0908f74e457ec13911f

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si495071.exe
        Filesize

        175KB

        MD5

        82b39cf82197f48472369bbd53b49e1b

        SHA1

        6dea5b217765ab1486a2e53511be324adee1b19c

        SHA256

        efafa48b8f3ed96089cff5c4e42b5d82bd9c1012cccbebdc175ed4ec4908b171

        SHA512

        985269eda83f987e5dca8b280a5a639d59cf12e9ac1cf02fe1fee88bbf227d827bc82cb2e2193f2f84f745f2597423c6cf00fc922e25d0908f74e457ec13911f

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un530290.exe
        Filesize

        516KB

        MD5

        69e08451d317b29cc4ec452fa877491a

        SHA1

        5b6efafa9a95f867a28baf569e91f07d61656193

        SHA256

        d35f42c4c63c7cba0a08c1b2fc498c905b92d9999f0a29daa7e0d19cb1f170b0

        SHA512

        d19f98769def60b2d0afc5de495f4db6c15f7f3a1ccf43d58fb8637bcacc802a7014ad633cb96a7b079f4cbf2fbdbd23c2889632f0655cdea6af10720aeab210

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un530290.exe
        Filesize

        516KB

        MD5

        69e08451d317b29cc4ec452fa877491a

        SHA1

        5b6efafa9a95f867a28baf569e91f07d61656193

        SHA256

        d35f42c4c63c7cba0a08c1b2fc498c905b92d9999f0a29daa7e0d19cb1f170b0

        SHA512

        d19f98769def60b2d0afc5de495f4db6c15f7f3a1ccf43d58fb8637bcacc802a7014ad633cb96a7b079f4cbf2fbdbd23c2889632f0655cdea6af10720aeab210

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0318.exe
        Filesize

        235KB

        MD5

        286043e29340f4e9be8245655cfc5544

        SHA1

        acb4ac67aed93f4868adb55919d1687f5c9c06d6

        SHA256

        70f7ea1b6248622dc2595f828feb244e473e96ab9bdfa8d3032554c802f74daa

        SHA512

        8291b19547eb671c5bb9edadc8a59c2366f4e9ea6bd71681d473d3a8fe3156032d1bcc0765a4a7cfc86beb34b48a71b1cfed2f4326a519bd6ba6fac7172fc90f

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0318.exe
        Filesize

        235KB

        MD5

        286043e29340f4e9be8245655cfc5544

        SHA1

        acb4ac67aed93f4868adb55919d1687f5c9c06d6

        SHA256

        70f7ea1b6248622dc2595f828feb244e473e96ab9bdfa8d3032554c802f74daa

        SHA512

        8291b19547eb671c5bb9edadc8a59c2366f4e9ea6bd71681d473d3a8fe3156032d1bcc0765a4a7cfc86beb34b48a71b1cfed2f4326a519bd6ba6fac7172fc90f

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7572.exe
        Filesize

        294KB

        MD5

        95980a917d5cf6fccefa0382940cf584

        SHA1

        1431f14d21b8dc2acdda68e58b025f08bea94e35

        SHA256

        b108f04a1776fd8397fc21472b789bb59e552e6330cabb2382378377c88fcee3

        SHA512

        2d4d65800783434a7b079d74d952168ec05612633ce4f82f33f52a9e53403c28b7e1c15ef07fa30d015a27ac9bbd5ea32c23db33d19d6c76795d3d975915b7a1

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7572.exe
        Filesize

        294KB

        MD5

        95980a917d5cf6fccefa0382940cf584

        SHA1

        1431f14d21b8dc2acdda68e58b025f08bea94e35

        SHA256

        b108f04a1776fd8397fc21472b789bb59e552e6330cabb2382378377c88fcee3

        SHA512

        2d4d65800783434a7b079d74d952168ec05612633ce4f82f33f52a9e53403c28b7e1c15ef07fa30d015a27ac9bbd5ea32c23db33d19d6c76795d3d975915b7a1

        Download Submit
      • memory/1212-148-0x0000000000620000-0x000000000064D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1212-149-0x0000000004CA0000-0x0000000004CB0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1212-150-0x0000000004CB0000-0x0000000005254000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/1212-151-0x00000000024B0000-0x00000000024C2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1212-152-0x00000000024B0000-0x00000000024C2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1212-154-0x00000000024B0000-0x00000000024C2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1212-157-0x0000000004CA0000-0x0000000004CB0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1212-156-0x00000000024B0000-0x00000000024C2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1212-159-0x00000000024B0000-0x00000000024C2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1212-161-0x00000000024B0000-0x00000000024C2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1212-163-0x00000000024B0000-0x00000000024C2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1212-165-0x00000000024B0000-0x00000000024C2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1212-167-0x00000000024B0000-0x00000000024C2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1212-169-0x00000000024B0000-0x00000000024C2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1212-171-0x00000000024B0000-0x00000000024C2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1212-173-0x00000000024B0000-0x00000000024C2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1212-175-0x00000000024B0000-0x00000000024C2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1212-177-0x00000000024B0000-0x00000000024C2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1212-179-0x00000000024B0000-0x00000000024C2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1212-180-0x0000000000400000-0x00000000004A9000-memory.dmp
        Filesize

        676KB

        Download
      • memory/1212-181-0x0000000004CA0000-0x0000000004CB0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1212-182-0x0000000004CA0000-0x0000000004CB0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1212-183-0x0000000004CA0000-0x0000000004CB0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1212-185-0x0000000000400000-0x00000000004A9000-memory.dmp
        Filesize

        676KB

        Download
      • memory/2824-1121-0x0000000000620000-0x0000000000652000-memory.dmp
        Filesize

        200KB

        Download
      • memory/2824-1122-0x0000000005280000-0x0000000005290000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3920-191-0x0000000004B30000-0x0000000004B40000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3920-225-0x0000000004A70000-0x0000000004AAF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3920-193-0x0000000004B30000-0x0000000004B40000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3920-194-0x0000000004A70000-0x0000000004AAF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3920-195-0x0000000004A70000-0x0000000004AAF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3920-197-0x0000000004A70000-0x0000000004AAF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3920-199-0x0000000004A70000-0x0000000004AAF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3920-201-0x0000000004A70000-0x0000000004AAF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3920-203-0x0000000004A70000-0x0000000004AAF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3920-205-0x0000000004A70000-0x0000000004AAF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3920-207-0x0000000004A70000-0x0000000004AAF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3920-209-0x0000000004A70000-0x0000000004AAF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3920-211-0x0000000004A70000-0x0000000004AAF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3920-213-0x0000000004A70000-0x0000000004AAF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3920-215-0x0000000004A70000-0x0000000004AAF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3920-217-0x0000000004A70000-0x0000000004AAF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3920-219-0x0000000004A70000-0x0000000004AAF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3920-221-0x0000000004A70000-0x0000000004AAF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3920-223-0x0000000004A70000-0x0000000004AAF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3920-192-0x0000000004B30000-0x0000000004B40000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3920-227-0x0000000004A70000-0x0000000004AAF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/3920-1100-0x00000000050F0000-0x0000000005708000-memory.dmp
        Filesize

        6.1MB

        Download
      • memory/3920-1101-0x0000000005760000-0x000000000586A000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/3920-1102-0x00000000058A0000-0x00000000058B2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/3920-1103-0x00000000058C0000-0x00000000058FC000-memory.dmp
        Filesize

        240KB

        Download
      • memory/3920-1104-0x0000000004B30000-0x0000000004B40000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3920-1106-0x0000000004B30000-0x0000000004B40000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3920-1107-0x0000000004B30000-0x0000000004B40000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3920-1108-0x0000000004B30000-0x0000000004B40000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3920-1109-0x0000000005BB0000-0x0000000005C42000-memory.dmp
        Filesize

        584KB

        Download
      • memory/3920-1110-0x0000000005C50000-0x0000000005CB6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3920-1111-0x0000000006590000-0x0000000006606000-memory.dmp
        Filesize

        472KB

        Download
      • memory/3920-1112-0x0000000006620000-0x0000000006670000-memory.dmp
        Filesize

        320KB

        Download
      • memory/3920-190-0x0000000002130000-0x000000000217B000-memory.dmp
        Filesize

        300KB

        Download
      • memory/3920-1113-0x0000000004B30000-0x0000000004B40000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3920-1114-0x00000000066A0000-0x0000000006862000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/3920-1115-0x0000000006880000-0x0000000006DAC000-memory.dmp
        Filesize

        5.2MB

        Download