Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2023 19:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f5757556dbbc461f50410b752a81bb075f500b9b5b2d83d54d61a59ae16a4a63.exe

  • Size

    658KB

  • MD5

    31a583bca9aba6c1fd4c9164340be201

  • SHA1

    e2903e04405b7b9f6787948540721536dcdf5bee

  • SHA256

    f5757556dbbc461f50410b752a81bb075f500b9b5b2d83d54d61a59ae16a4a63

  • SHA512

    b1c8d0932563469d04ac49e1e40304633df5bd97f989d6978bc8acc56df283f086a8653e45512aed7bc796dbf727a9f89fc21da30f35b04553eca855db52cf10

  • SSDEEP

    12288:fMrfy904+zQsxKimtASrVVtuPuQr32VsnU7r449zWKMd8vUMkn:YyyJKxtPVVtG7KVsU704AKyn

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5757556dbbc461f50410b752a81bb075f500b9b5b2d83d54d61a59ae16a4a63.exe
    "C:\Users\Admin\AppData\Local\Temp\f5757556dbbc461f50410b752a81bb075f500b9b5b2d83d54d61a59ae16a4a63.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3240
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un353370.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un353370.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2982.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2982.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:912
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1080
          4⤵
          • Program crash
          PID:2168
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6513.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6513.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:216
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 1348
          4⤵
          • Program crash
          PID:544
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si523156.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si523156.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2304
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 912 -ip 912
    1⤵
      PID:2776
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 216 -ip 216
      1⤵
        PID:3076

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Modify Existing Service

      1
      T1031

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      3
      T1112

      Disabling Security Tools

      2
      T1089

      Credential Access

      Credentials in Files

      2
      T1081

      Discovery

      Query Registry

      1
      T1012

      Lateral Movement

      Collection

      Data from Local System

      2
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si523156.exe
        Filesize

        175KB

        MD5

        81e3e3477b67e0778f604dac086cc7b1

        SHA1

        dbe4cb472c9b04e89f53083ed96d414e1a39a563

        SHA256

        7e689bb12084e42615f3d1606990678d53e5cec7c7f0e0198c4e88f5b9f7ede1

        SHA512

        c1a68f503e6076d0fc44d64e1d118ac2241ce09bfbfc2aca839ffa63c9e28710f9ac73791f2490943bf4dfdf19f8ca62ea61dcfc5ca694d0196768a66e6eb1d6

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si523156.exe
        Filesize

        175KB

        MD5

        81e3e3477b67e0778f604dac086cc7b1

        SHA1

        dbe4cb472c9b04e89f53083ed96d414e1a39a563

        SHA256

        7e689bb12084e42615f3d1606990678d53e5cec7c7f0e0198c4e88f5b9f7ede1

        SHA512

        c1a68f503e6076d0fc44d64e1d118ac2241ce09bfbfc2aca839ffa63c9e28710f9ac73791f2490943bf4dfdf19f8ca62ea61dcfc5ca694d0196768a66e6eb1d6

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un353370.exe
        Filesize

        516KB

        MD5

        5f13e6393c1461e2fa1b93f812438ce4

        SHA1

        663e496d9be88a5c2f185f70763af4170e6b0ffc

        SHA256

        54226187f758e87c15c3b757a6355fd3079c989a475f2f7bd9ac9a790a6eb69d

        SHA512

        61a17caf223f64975263be0a2b8c150eb8e2ee50e76c1881c4b6c8b2a027ffdc3bde0e2eda26e04b99c12f29d14a85ef68bb1b32ca196a0b83d93641a87cc7be

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un353370.exe
        Filesize

        516KB

        MD5

        5f13e6393c1461e2fa1b93f812438ce4

        SHA1

        663e496d9be88a5c2f185f70763af4170e6b0ffc

        SHA256

        54226187f758e87c15c3b757a6355fd3079c989a475f2f7bd9ac9a790a6eb69d

        SHA512

        61a17caf223f64975263be0a2b8c150eb8e2ee50e76c1881c4b6c8b2a027ffdc3bde0e2eda26e04b99c12f29d14a85ef68bb1b32ca196a0b83d93641a87cc7be

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2982.exe
        Filesize

        235KB

        MD5

        3b548664d3c1152e08fe2ca9c127d252

        SHA1

        b6ea6a0a3db0d0d366974e8d9024abe66af3cce6

        SHA256

        89f16b95068ca295c2cd16e148c2a45d59527fea405eba594df8b51786981f46

        SHA512

        0b057cf6818855da95b2eae53f03aa6595a72405ef07b3b7caec4c2472f52d154f6cef12a2dfe11313ed0cf65a4acffc89f5222bce343a1fffa7d862459839be

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2982.exe
        Filesize

        235KB

        MD5

        3b548664d3c1152e08fe2ca9c127d252

        SHA1

        b6ea6a0a3db0d0d366974e8d9024abe66af3cce6

        SHA256

        89f16b95068ca295c2cd16e148c2a45d59527fea405eba594df8b51786981f46

        SHA512

        0b057cf6818855da95b2eae53f03aa6595a72405ef07b3b7caec4c2472f52d154f6cef12a2dfe11313ed0cf65a4acffc89f5222bce343a1fffa7d862459839be

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6513.exe
        Filesize

        294KB

        MD5

        ac8c798bf5a594c21163f819ea08df7c

        SHA1

        ee9b3db82654dc51110d102c5c1dce0cea5f9105

        SHA256

        7ba318687662a5b2d38e5b00ae824b1f7e48d58cb8ee96b6d1de186dc38c2f7f

        SHA512

        73f563c32f292830c75e93a2b23fb5d34ff9ddb6c78421a89e165a2d197e8a4bbc190cab22b04c583ac2b971f07266ee6336b60380354eec82ed0840e5789989

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6513.exe
        Filesize

        294KB

        MD5

        ac8c798bf5a594c21163f819ea08df7c

        SHA1

        ee9b3db82654dc51110d102c5c1dce0cea5f9105

        SHA256

        7ba318687662a5b2d38e5b00ae824b1f7e48d58cb8ee96b6d1de186dc38c2f7f

        SHA512

        73f563c32f292830c75e93a2b23fb5d34ff9ddb6c78421a89e165a2d197e8a4bbc190cab22b04c583ac2b971f07266ee6336b60380354eec82ed0840e5789989

        Download Submit
      • memory/216-227-0x0000000005070000-0x00000000050AF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/216-1102-0x00000000059E0000-0x00000000059F2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/216-1115-0x00000000026E0000-0x00000000026F0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/216-1114-0x00000000069B0000-0x0000000006EDC000-memory.dmp
        Filesize

        5.2MB

        Download
      • memory/216-1113-0x00000000067E0000-0x00000000069A2000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/216-1112-0x0000000006780000-0x00000000067D0000-memory.dmp
        Filesize

        320KB

        Download
      • memory/216-1111-0x00000000066F0000-0x0000000006766000-memory.dmp
        Filesize

        472KB

        Download
      • memory/216-1110-0x00000000026E0000-0x00000000026F0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/216-1109-0x00000000026E0000-0x00000000026F0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/216-1108-0x00000000026E0000-0x00000000026F0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/216-1106-0x0000000005D90000-0x0000000005DF6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/216-1105-0x0000000005CF0000-0x0000000005D82000-memory.dmp
        Filesize

        584KB

        Download
      • memory/216-1104-0x00000000026E0000-0x00000000026F0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/216-1103-0x0000000005A00000-0x0000000005A3C000-memory.dmp
        Filesize

        240KB

        Download
      • memory/216-1101-0x00000000058A0000-0x00000000059AA000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/216-1100-0x0000000005200000-0x0000000005818000-memory.dmp
        Filesize

        6.1MB

        Download
      • memory/216-225-0x0000000005070000-0x00000000050AF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/216-223-0x0000000005070000-0x00000000050AF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/216-221-0x0000000005070000-0x00000000050AF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/216-219-0x0000000005070000-0x00000000050AF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/216-214-0x0000000005070000-0x00000000050AF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/216-217-0x0000000005070000-0x00000000050AF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/216-215-0x00000000026E0000-0x00000000026F0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/216-191-0x0000000005070000-0x00000000050AF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/216-192-0x0000000005070000-0x00000000050AF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/216-194-0x0000000005070000-0x00000000050AF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/216-196-0x0000000005070000-0x00000000050AF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/216-198-0x0000000005070000-0x00000000050AF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/216-200-0x0000000005070000-0x00000000050AF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/216-202-0x0000000005070000-0x00000000050AF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/216-204-0x0000000005070000-0x00000000050AF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/216-206-0x0000000005070000-0x00000000050AF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/216-208-0x0000000005070000-0x00000000050AF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/216-210-0x0000000005070000-0x00000000050AF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/216-212-0x0000000002160000-0x00000000021AB000-memory.dmp
        Filesize

        300KB

        Download
      • memory/216-213-0x00000000026E0000-0x00000000026F0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/912-177-0x00000000026D0000-0x00000000026E2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/912-163-0x00000000026D0000-0x00000000026E2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/912-151-0x00000000026D0000-0x00000000026E2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/912-185-0x0000000002570000-0x0000000002580000-memory.dmp
        Filesize

        64KB

        Download
      • memory/912-184-0x0000000002570000-0x0000000002580000-memory.dmp
        Filesize

        64KB

        Download
      • memory/912-183-0x0000000002570000-0x0000000002580000-memory.dmp
        Filesize

        64KB

        Download
      • memory/912-181-0x0000000000400000-0x00000000004A9000-memory.dmp
        Filesize

        676KB

        Download
      • memory/912-150-0x00000000026D0000-0x00000000026E2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/912-180-0x0000000002570000-0x0000000002580000-memory.dmp
        Filesize

        64KB

        Download
      • memory/912-179-0x0000000002570000-0x0000000002580000-memory.dmp
        Filesize

        64KB

        Download
      • memory/912-155-0x00000000026D0000-0x00000000026E2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/912-178-0x0000000002570000-0x0000000002580000-memory.dmp
        Filesize

        64KB

        Download
      • memory/912-186-0x0000000000400000-0x00000000004A9000-memory.dmp
        Filesize

        676KB

        Download
      • memory/912-175-0x00000000026D0000-0x00000000026E2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/912-159-0x00000000026D0000-0x00000000026E2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/912-171-0x00000000026D0000-0x00000000026E2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/912-169-0x00000000026D0000-0x00000000026E2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/912-167-0x00000000026D0000-0x00000000026E2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/912-165-0x00000000026D0000-0x00000000026E2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/912-153-0x00000000026D0000-0x00000000026E2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/912-161-0x00000000026D0000-0x00000000026E2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/912-173-0x00000000026D0000-0x00000000026E2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/912-157-0x00000000026D0000-0x00000000026E2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/912-149-0x0000000004A80000-0x0000000005024000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/912-148-0x0000000000630000-0x000000000065D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/2304-1121-0x0000000000320000-0x0000000000352000-memory.dmp
        Filesize

        200KB

        Download
      • memory/2304-1122-0x0000000004F20000-0x0000000004F30000-memory.dmp
        Filesize

        64KB

        Download