Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2023 19:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bf7f6edb92cda35f27c0171023062153c9638a45bb250523d0478f917852ef33.exe

  • Size

    658KB

  • MD5

    a9085f3050dacc6d14181d7443ffe305

  • SHA1

    eea690db1f34a67932cea53f5ac3de54b2593353

  • SHA256

    bf7f6edb92cda35f27c0171023062153c9638a45bb250523d0478f917852ef33

  • SHA512

    1924dcc3f00255f637f0abf405c12214d510ead5a8e301fffa6ea1d166fd00689dfc8794bcf2cce143d6c7d5bda5eda42bc7919f76431eaf35447ac487dd1cb5

  • SSDEEP

    12288:KMr/y90TWfyLu5bY/88Ty2fYGeYLt8AErHJ144yzWKuY8vNY/cEBBqj:5ybQabY/8KhgTJm4rKYYkEej

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 19 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bf7f6edb92cda35f27c0171023062153c9638a45bb250523d0478f917852ef33.exe
    "C:\Users\Admin\AppData\Local\Temp\bf7f6edb92cda35f27c0171023062153c9638a45bb250523d0478f917852ef33.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un368506.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un368506.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3176
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4094.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4094.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3236
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 1080
          4⤵
          • Program crash
          PID:1328
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6658.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6658.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3928
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 1544
          4⤵
          • Program crash
          PID:264
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si618233.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si618233.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2020
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3236 -ip 3236
    1⤵
      PID:4592
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3928 -ip 3928
      1⤵
        PID:836
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe start wuauserv
        1⤵
        • Launches sc.exe
        PID:3884

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si618233.exe
        Filesize

        175KB

        MD5

        6d27d8e60046fd31858d746404fe061e

        SHA1

        8a3217bd4d373a0092d2e8e27f163041a52664a1

        SHA256

        c71b3d7231c1580c95f701eb631528d925b427a8f8bf108aff33d7d2366778a8

        SHA512

        4f5a811a16bea04e621d5336376af96d2120d3b38c7884279ea9f9936518a384446cb0ada7af4ffc019f6b3f2965f0b84181b13d0378706a31156804e251602a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si618233.exe
        Filesize

        175KB

        MD5

        6d27d8e60046fd31858d746404fe061e

        SHA1

        8a3217bd4d373a0092d2e8e27f163041a52664a1

        SHA256

        c71b3d7231c1580c95f701eb631528d925b427a8f8bf108aff33d7d2366778a8

        SHA512

        4f5a811a16bea04e621d5336376af96d2120d3b38c7884279ea9f9936518a384446cb0ada7af4ffc019f6b3f2965f0b84181b13d0378706a31156804e251602a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un368506.exe
        Filesize

        516KB

        MD5

        2c67c46f00aabfba4c9d1e9c73e831f9

        SHA1

        85d3d68b6d41450d4d3117491fcc87dd776a100b

        SHA256

        186b67b2331c0d4ddb963aecb6b92578485399282cc5a90b9e028342d0143d08

        SHA512

        d15d4fbbf514166f77c92a34a13c089e93d49c734b6f0bf6a8b8ea9455d5a850db6bd8502ff132d00a7c200935f5b13ac037fd192aa02344904271d0854363bc

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un368506.exe
        Filesize

        516KB

        MD5

        2c67c46f00aabfba4c9d1e9c73e831f9

        SHA1

        85d3d68b6d41450d4d3117491fcc87dd776a100b

        SHA256

        186b67b2331c0d4ddb963aecb6b92578485399282cc5a90b9e028342d0143d08

        SHA512

        d15d4fbbf514166f77c92a34a13c089e93d49c734b6f0bf6a8b8ea9455d5a850db6bd8502ff132d00a7c200935f5b13ac037fd192aa02344904271d0854363bc

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4094.exe
        Filesize

        235KB

        MD5

        36b18551c385c4567a0a78e43d16a490

        SHA1

        6a3a708d0d527553782a4ae53ce698f5797dd802

        SHA256

        6962f8bca88bb77b14f26dc1974d80e39f566e3a7dbdfc49fbe797b52833446a

        SHA512

        ab79ca99b5dff789eb36a6ae38f015e6ac1fdd1390be4e2f5ad654240a014e3b3849e7240e9703b93e7d0a21b5b774eb915f07668378aee1abcf5604a592136c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4094.exe
        Filesize

        235KB

        MD5

        36b18551c385c4567a0a78e43d16a490

        SHA1

        6a3a708d0d527553782a4ae53ce698f5797dd802

        SHA256

        6962f8bca88bb77b14f26dc1974d80e39f566e3a7dbdfc49fbe797b52833446a

        SHA512

        ab79ca99b5dff789eb36a6ae38f015e6ac1fdd1390be4e2f5ad654240a014e3b3849e7240e9703b93e7d0a21b5b774eb915f07668378aee1abcf5604a592136c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6658.exe
        Filesize

        294KB

        MD5

        c25f8ead2aef105ce3da1d0d44f56a22

        SHA1

        cc82512176b955d4dacf3e70203efcfa43de51cb

        SHA256

        267861a5d9349578b0fd2036c6afe2eb7acf0a561b829d890668339685b7c1b1

        SHA512

        3805b050c89dc1b6ff10508baf0078f28e0e09fb90985d508374d6ecc784a05a0c3086b9e0cc79ceb62c0300d67cf5317aedeac29b39eba6d1b46a14c30b7e0e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6658.exe
        Filesize

        294KB

        MD5

        c25f8ead2aef105ce3da1d0d44f56a22

        SHA1

        cc82512176b955d4dacf3e70203efcfa43de51cb

        SHA256

        267861a5d9349578b0fd2036c6afe2eb7acf0a561b829d890668339685b7c1b1

        SHA512

        3805b050c89dc1b6ff10508baf0078f28e0e09fb90985d508374d6ecc784a05a0c3086b9e0cc79ceb62c0300d67cf5317aedeac29b39eba6d1b46a14c30b7e0e

        Download Submit

      • memory/2020-1122-0x0000000000E40000-0x0000000000E72000-memory.dmp

        Filesize

        200KB

        Download

      • memory/2020-1123-0x00000000056C0000-0x00000000056D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2020-1125-0x00000000056C0000-0x00000000056D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3236-164-0x0000000004A10000-0x0000000004A22000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3236-176-0x0000000004A10000-0x0000000004A22000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3236-154-0x0000000004A10000-0x0000000004A22000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3236-158-0x0000000004A10000-0x0000000004A22000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3236-156-0x0000000004A10000-0x0000000004A22000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3236-160-0x0000000004A10000-0x0000000004A22000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3236-162-0x0000000004A10000-0x0000000004A22000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3236-151-0x0000000004A10000-0x0000000004A22000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3236-166-0x0000000004A10000-0x0000000004A22000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3236-168-0x0000000004A10000-0x0000000004A22000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3236-170-0x0000000004A10000-0x0000000004A22000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3236-172-0x0000000004A10000-0x0000000004A22000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3236-174-0x0000000004A10000-0x0000000004A22000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3236-152-0x0000000004A10000-0x0000000004A22000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3236-178-0x0000000004A10000-0x0000000004A22000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3236-179-0x0000000004A70000-0x0000000004A80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3236-180-0x0000000004A70000-0x0000000004A80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3236-181-0x0000000000400000-0x00000000004A9000-memory.dmp

        Filesize

        676KB

        Download

      • memory/3236-182-0x0000000004A70000-0x0000000004A80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3236-184-0x0000000004A70000-0x0000000004A80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3236-185-0x0000000004A70000-0x0000000004A80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3236-186-0x0000000000400000-0x00000000004A9000-memory.dmp

        Filesize

        676KB

        Download

      • memory/3236-150-0x0000000004A80000-0x0000000005024000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3236-149-0x0000000004A70000-0x0000000004A80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3236-148-0x0000000000500000-0x000000000052D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/3928-198-0x0000000004A70000-0x0000000004AAF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3928-1101-0x00000000050C0000-0x00000000056D8000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3928-200-0x0000000004A70000-0x0000000004AAF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3928-201-0x0000000000640000-0x000000000068B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/3928-204-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3928-203-0x0000000004A70000-0x0000000004AAF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3928-206-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3928-208-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3928-210-0x0000000004A70000-0x0000000004AAF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3928-207-0x0000000004A70000-0x0000000004AAF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3928-212-0x0000000004A70000-0x0000000004AAF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3928-214-0x0000000004A70000-0x0000000004AAF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3928-216-0x0000000004A70000-0x0000000004AAF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3928-218-0x0000000004A70000-0x0000000004AAF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3928-220-0x0000000004A70000-0x0000000004AAF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3928-222-0x0000000004A70000-0x0000000004AAF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3928-224-0x0000000004A70000-0x0000000004AAF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3928-226-0x0000000004A70000-0x0000000004AAF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3928-228-0x0000000004A70000-0x0000000004AAF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3928-194-0x0000000004A70000-0x0000000004AAF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3928-1102-0x0000000005760000-0x000000000586A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/3928-1103-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3928-1104-0x00000000058A0000-0x00000000058B2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3928-1105-0x00000000058C0000-0x00000000058FC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/3928-1106-0x0000000005BB0000-0x0000000005C16000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3928-1108-0x0000000006270000-0x0000000006302000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3928-1109-0x0000000006370000-0x0000000006532000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/3928-1110-0x0000000006540000-0x0000000006A6C000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3928-1111-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3928-1112-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3928-1113-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3928-1114-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3928-196-0x0000000004A70000-0x0000000004AAF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3928-192-0x0000000004A70000-0x0000000004AAF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3928-191-0x0000000004A70000-0x0000000004AAF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/3928-1115-0x0000000006CB0000-0x0000000006D26000-memory.dmp

        Filesize

        472KB

        Download

      • memory/3928-1116-0x0000000006D40000-0x0000000006D90000-memory.dmp

        Filesize

        320KB

        Download