Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2023 19:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    20463cb45b69afe8e259f2f04a5196dad45ac8d50b6d7d9ba2a6465381a0987b.exe

  • Size

    522KB

  • MD5

    af6ab3fcf238702875d956d68521fef6

  • SHA1

    4c6f33f3b5c287d112decffa003149ce57213cd2

  • SHA256

    20463cb45b69afe8e259f2f04a5196dad45ac8d50b6d7d9ba2a6465381a0987b

  • SHA512

    1b5b7cb87a5640b6d163fa73a0afab4959b0a486133e59a16f289c5b350528fdb51ce19d2394151f20bcc9c73dd937a71afd3ff6a4d8e8c12604e4eb0233f2d7

  • SSDEEP

    12288:0MrRy90zPwCtQM1M7mUEbSlmy8/Q4LyzWK/c9v3QKl:Vy9EMFEbb/5LrKBKl

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 34 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\20463cb45b69afe8e259f2f04a5196dad45ac8d50b6d7d9ba2a6465381a0987b.exe
    "C:\Users\Admin\AppData\Local\Temp\20463cb45b69afe8e259f2f04a5196dad45ac8d50b6d7d9ba2a6465381a0987b.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4296
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAN5332.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAN5332.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4820
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr806557.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr806557.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3996
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku042040.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku042040.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3972
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 1184
          4⤵
          • Program crash
          PID:2228
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr112749.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr112749.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4212
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3972 -ip 3972
    1⤵
      PID:1960
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start wuauserv
      1⤵
      • Launches sc.exe
      PID:5100

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr112749.exe
      Filesize

      175KB

      MD5

      4b78aacd0680ccbbd11397bf13771462

      SHA1

      fa8e8bd75d2defb2807fe0fce6ff6b8dbe1e9447

      SHA256

      ebc1838741b358037e8f35ecd1a6b956e108d1baf92693b6e81e7cdfb09ce249

      SHA512

      edf36f161a42daefd0810569b384de80cf75c8166d0460427530669c856baac3ef862a326f2310073fe8c26fba61e5289ecc4b7ad407f5d59ba841586fba394d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr112749.exe
      Filesize

      175KB

      MD5

      4b78aacd0680ccbbd11397bf13771462

      SHA1

      fa8e8bd75d2defb2807fe0fce6ff6b8dbe1e9447

      SHA256

      ebc1838741b358037e8f35ecd1a6b956e108d1baf92693b6e81e7cdfb09ce249

      SHA512

      edf36f161a42daefd0810569b384de80cf75c8166d0460427530669c856baac3ef862a326f2310073fe8c26fba61e5289ecc4b7ad407f5d59ba841586fba394d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAN5332.exe
      Filesize

      380KB

      MD5

      e19dd58246e3e602e19335ed1af8e4ab

      SHA1

      6e246c1b6272a1a91ebc3c58609617cbac09d8cc

      SHA256

      7609d736cbd0052dc6e7b51c33279a8503a3e12474f4930b0ffa1e05bb276193

      SHA512

      1c7d17fdfe49eb46f71e8ee8f8eb42e2596555aa2313c26acdcab90932da41d5eb6126583165acc71a750d3a8ae07149a24b0778193bf61fe1ec60e40d75ca0c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziAN5332.exe
      Filesize

      380KB

      MD5

      e19dd58246e3e602e19335ed1af8e4ab

      SHA1

      6e246c1b6272a1a91ebc3c58609617cbac09d8cc

      SHA256

      7609d736cbd0052dc6e7b51c33279a8503a3e12474f4930b0ffa1e05bb276193

      SHA512

      1c7d17fdfe49eb46f71e8ee8f8eb42e2596555aa2313c26acdcab90932da41d5eb6126583165acc71a750d3a8ae07149a24b0778193bf61fe1ec60e40d75ca0c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr806557.exe
      Filesize

      11KB

      MD5

      7ff7f59c78621e9d890f2e8d39f93515

      SHA1

      5cf6ed189d7596fe70b6f22c12b779111465e6ee

      SHA256

      8700df064a040d8f4a072cdf5d6c387f89e282ad5635926e06e0a03ff44a7c7e

      SHA512

      5ec75547dc45ad694126fc15bf4c4849bce5dc51db3ea751774d151039757f2aabbc64d280686c3f32802d14bb37cdecd432ec46d3bc2949b4bccb34764a6f8f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr806557.exe
      Filesize

      11KB

      MD5

      7ff7f59c78621e9d890f2e8d39f93515

      SHA1

      5cf6ed189d7596fe70b6f22c12b779111465e6ee

      SHA256

      8700df064a040d8f4a072cdf5d6c387f89e282ad5635926e06e0a03ff44a7c7e

      SHA512

      5ec75547dc45ad694126fc15bf4c4849bce5dc51db3ea751774d151039757f2aabbc64d280686c3f32802d14bb37cdecd432ec46d3bc2949b4bccb34764a6f8f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku042040.exe
      Filesize

      294KB

      MD5

      468413db982b69473cf326ec3540e655

      SHA1

      3d4f661616344b7ebfe96743adff4448e2c9cd48

      SHA256

      2eaa4edd27237a15c42643b671dc7d2001c775d239fb8c5363ec203c1e3ee2d7

      SHA512

      38116a5cf88806e59a6e49e9739ad2a3935eebfe9e81c8cf55889be3aab6edad5e24973989b260534cf8beb698209e7dd946179c622f1eed84739a9f5cc3bd77

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku042040.exe
      Filesize

      294KB

      MD5

      468413db982b69473cf326ec3540e655

      SHA1

      3d4f661616344b7ebfe96743adff4448e2c9cd48

      SHA256

      2eaa4edd27237a15c42643b671dc7d2001c775d239fb8c5363ec203c1e3ee2d7

      SHA512

      38116a5cf88806e59a6e49e9739ad2a3935eebfe9e81c8cf55889be3aab6edad5e24973989b260534cf8beb698209e7dd946179c622f1eed84739a9f5cc3bd77

      Download Submit
    • memory/3972-153-0x0000000000550000-0x000000000059B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/3972-154-0x0000000004BB0000-0x0000000004BC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3972-155-0x0000000004BC0000-0x0000000005164000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3972-156-0x0000000004A80000-0x0000000004ABF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3972-157-0x0000000004A80000-0x0000000004ABF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3972-159-0x0000000004A80000-0x0000000004ABF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3972-161-0x0000000004A80000-0x0000000004ABF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3972-163-0x0000000004A80000-0x0000000004ABF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3972-165-0x0000000004A80000-0x0000000004ABF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3972-167-0x0000000004A80000-0x0000000004ABF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3972-171-0x0000000004A80000-0x0000000004ABF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3972-169-0x0000000004A80000-0x0000000004ABF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3972-173-0x0000000004A80000-0x0000000004ABF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3972-175-0x0000000004A80000-0x0000000004ABF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3972-177-0x0000000004A80000-0x0000000004ABF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3972-179-0x0000000004A80000-0x0000000004ABF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3972-181-0x0000000004A80000-0x0000000004ABF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3972-183-0x0000000004A80000-0x0000000004ABF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3972-187-0x0000000004A80000-0x0000000004ABF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3972-185-0x0000000004A80000-0x0000000004ABF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3972-189-0x0000000004A80000-0x0000000004ABF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3972-191-0x0000000004BB0000-0x0000000004BC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3972-192-0x0000000004A80000-0x0000000004ABF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3972-193-0x0000000004BB0000-0x0000000004BC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3972-195-0x0000000004A80000-0x0000000004ABF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3972-199-0x0000000004A80000-0x0000000004ABF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3972-197-0x0000000004A80000-0x0000000004ABF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3972-201-0x0000000004A80000-0x0000000004ABF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3972-203-0x0000000004A80000-0x0000000004ABF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3972-205-0x0000000004A80000-0x0000000004ABF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3972-207-0x0000000004A80000-0x0000000004ABF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3972-209-0x0000000004A80000-0x0000000004ABF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3972-211-0x0000000004A80000-0x0000000004ABF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3972-213-0x0000000004A80000-0x0000000004ABF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3972-215-0x0000000004A80000-0x0000000004ABF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3972-219-0x0000000004A80000-0x0000000004ABF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3972-221-0x0000000004A80000-0x0000000004ABF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3972-217-0x0000000004A80000-0x0000000004ABF000-memory.dmp
      Filesize

      252KB

      Download
    • memory/3972-1064-0x0000000005170000-0x0000000005788000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/3972-1065-0x0000000005790000-0x000000000589A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/3972-1066-0x00000000058A0000-0x00000000058B2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3972-1067-0x00000000058C0000-0x00000000058FC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/3972-1068-0x0000000004BB0000-0x0000000004BC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3972-1070-0x0000000004BB0000-0x0000000004BC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3972-1071-0x0000000005BB0000-0x0000000005C42000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3972-1072-0x0000000005C50000-0x0000000005CB6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3972-1073-0x0000000004BB0000-0x0000000004BC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3972-1074-0x0000000004BB0000-0x0000000004BC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3972-1075-0x0000000006450000-0x00000000064C6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/3972-1076-0x00000000064E0000-0x0000000006530000-memory.dmp
      Filesize

      320KB

      Download
    • memory/3972-1077-0x0000000006560000-0x0000000006722000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/3972-1078-0x0000000006730000-0x0000000006C5C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/3972-1079-0x0000000004BB0000-0x0000000004BC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3996-147-0x0000000000780000-0x000000000078A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4212-1085-0x00000000000D0000-0x0000000000102000-memory.dmp
      Filesize

      200KB

      Download
    • memory/4212-1086-0x0000000004970000-0x0000000004980000-memory.dmp
      Filesize

      64KB

      Download