Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    61s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2023 20:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aebab14385825074e263435b09e35030bf6d7d50e6cd465ea5be206abcc60531.exe

  • Size

    658KB

  • MD5

    d2476de9abcdba3f76e85e3d164a2100

  • SHA1

    e2eb08cc8afa2024c810753d4460c841b849e6ed

  • SHA256

    aebab14385825074e263435b09e35030bf6d7d50e6cd465ea5be206abcc60531

  • SHA512

    1e08e87a315ac7826f11be6d4b87224a964b9e5176fcae71d6668df29488a1b80e3a174355bf0194236ccc0156802250841ca2fafd11710fa5aec1cd5660d0c7

  • SSDEEP

    12288:3Mr0y90kn8Gr7VmrmtfdaQdif0URjynm447zWKde8vrLA:3yNNromtFHrURenP4mK/A

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aebab14385825074e263435b09e35030bf6d7d50e6cd465ea5be206abcc60531.exe
    "C:\Users\Admin\AppData\Local\Temp\aebab14385825074e263435b09e35030bf6d7d50e6cd465ea5be206abcc60531.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un033335.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un033335.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1904
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6972.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6972.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4256
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 1080
          4⤵
          • Program crash
          PID:3924
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7934.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7934.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1624
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 1348
          4⤵
          • Program crash
          PID:3596
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si927691.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si927691.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3708
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4256 -ip 4256
    1⤵
      PID:3100
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1624 -ip 1624
      1⤵
        PID:3556

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si927691.exe
        Filesize

        175KB

        MD5

        c308f354625963d0fb0b0475210662a0

        SHA1

        325545590608cb720d933b6062f1133729906005

        SHA256

        e3d14138e4144499d3c9a193532be4ad6a879afdf1894668e58a51184b21cca1

        SHA512

        aae102087a8d1cca32bcf86e50184c6b8a637e0f832095ecf2faf1c903dc088dbd5a013094557b560ca4261cf0f609891d09e7ae63ef21ccbb6b3a5e1bdb02b9

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si927691.exe
        Filesize

        175KB

        MD5

        c308f354625963d0fb0b0475210662a0

        SHA1

        325545590608cb720d933b6062f1133729906005

        SHA256

        e3d14138e4144499d3c9a193532be4ad6a879afdf1894668e58a51184b21cca1

        SHA512

        aae102087a8d1cca32bcf86e50184c6b8a637e0f832095ecf2faf1c903dc088dbd5a013094557b560ca4261cf0f609891d09e7ae63ef21ccbb6b3a5e1bdb02b9

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un033335.exe
        Filesize

        516KB

        MD5

        4746e1912a24ff240f9b791f0157e4f9

        SHA1

        7e9890c982114dc6727fec10efff713a1f017f2b

        SHA256

        c22305bd9c89c36f03ea0a65772debfed5279bd83d2c86e93b07836e87ea1a96

        SHA512

        1d8095c511c2f1f60969a62ec2c6f92993bf33c65d6aa64a2b14cc0b34d5f502110c2f98f98dcaf570f882a9ce60e535491580c538ca0b9c724260f5f6e60baf

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un033335.exe
        Filesize

        516KB

        MD5

        4746e1912a24ff240f9b791f0157e4f9

        SHA1

        7e9890c982114dc6727fec10efff713a1f017f2b

        SHA256

        c22305bd9c89c36f03ea0a65772debfed5279bd83d2c86e93b07836e87ea1a96

        SHA512

        1d8095c511c2f1f60969a62ec2c6f92993bf33c65d6aa64a2b14cc0b34d5f502110c2f98f98dcaf570f882a9ce60e535491580c538ca0b9c724260f5f6e60baf

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6972.exe
        Filesize

        235KB

        MD5

        141094c50c6532aa89f248a39932b43f

        SHA1

        fe67f88ce7d3d1d31c05a8f7f9c99c44b0b21646

        SHA256

        95b36bcff5d3cdeac6d314aed8a9e5b4c5b974eedd4191b4cc2ecddf6029a7f5

        SHA512

        860cd147416fe4e691b455ec333fb75837a2e6ddaee53911c04006f6bd384b0cfc968d88bb3711e3af001422de375a3dee557c1d55999e1a585fbad5f3ded8b1

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6972.exe
        Filesize

        235KB

        MD5

        141094c50c6532aa89f248a39932b43f

        SHA1

        fe67f88ce7d3d1d31c05a8f7f9c99c44b0b21646

        SHA256

        95b36bcff5d3cdeac6d314aed8a9e5b4c5b974eedd4191b4cc2ecddf6029a7f5

        SHA512

        860cd147416fe4e691b455ec333fb75837a2e6ddaee53911c04006f6bd384b0cfc968d88bb3711e3af001422de375a3dee557c1d55999e1a585fbad5f3ded8b1

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7934.exe
        Filesize

        294KB

        MD5

        e19a25ec0c9650b95fb150788896c372

        SHA1

        fa2c83e69429542a16cf49e3cca1714dccd1e3c2

        SHA256

        c844492e52f89a60cd1a084b6f48d4d70b8203efee537ea38e3c16f656284e16

        SHA512

        567d177f2c8c2198ca2af2a2b546ab25554007ccb03d3764164477725219316aea8ba8b485c2efc5f9c5deac92ab70822ec730e49ddbd6353d1e99e49c220cee

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7934.exe
        Filesize

        294KB

        MD5

        e19a25ec0c9650b95fb150788896c372

        SHA1

        fa2c83e69429542a16cf49e3cca1714dccd1e3c2

        SHA256

        c844492e52f89a60cd1a084b6f48d4d70b8203efee537ea38e3c16f656284e16

        SHA512

        567d177f2c8c2198ca2af2a2b546ab25554007ccb03d3764164477725219316aea8ba8b485c2efc5f9c5deac92ab70822ec730e49ddbd6353d1e99e49c220cee

        Download Submit
      • memory/1624-1102-0x00000000057A0000-0x00000000058AA000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/1624-1101-0x0000000005180000-0x0000000005798000-memory.dmp
        Filesize

        6.1MB

        Download
      • memory/1624-216-0x0000000004A60000-0x0000000004A9F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1624-218-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1624-204-0x0000000004A60000-0x0000000004A9F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1624-206-0x0000000004A60000-0x0000000004A9F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1624-1115-0x0000000006D40000-0x0000000006D90000-memory.dmp
        Filesize

        320KB

        Download
      • memory/1624-1114-0x0000000006CC0000-0x0000000006D36000-memory.dmp
        Filesize

        472KB

        Download
      • memory/1624-1113-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1624-1112-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1624-208-0x0000000004A60000-0x0000000004A9F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1624-1111-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1624-1110-0x0000000006640000-0x0000000006B6C000-memory.dmp
        Filesize

        5.2MB

        Download
      • memory/1624-1109-0x0000000006470000-0x0000000006632000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/1624-1107-0x0000000005C50000-0x0000000005CB6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/1624-1106-0x0000000005BB0000-0x0000000005C42000-memory.dmp
        Filesize

        584KB

        Download
      • memory/1624-1105-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1624-1104-0x00000000058D0000-0x000000000590C000-memory.dmp
        Filesize

        240KB

        Download
      • memory/1624-1103-0x00000000058B0000-0x00000000058C2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1624-220-0x0000000004A60000-0x0000000004A9F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1624-228-0x0000000004A60000-0x0000000004A9F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1624-226-0x0000000004A60000-0x0000000004A9F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1624-224-0x0000000004A60000-0x0000000004A9F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1624-191-0x0000000004A60000-0x0000000004A9F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1624-192-0x0000000004A60000-0x0000000004A9F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1624-196-0x0000000004A60000-0x0000000004A9F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1624-194-0x0000000004A60000-0x0000000004A9F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1624-198-0x0000000004A60000-0x0000000004A9F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1624-200-0x0000000004A60000-0x0000000004A9F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1624-202-0x0000000004A60000-0x0000000004A9F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1624-223-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1624-1116-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1624-221-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1624-210-0x0000000004A60000-0x0000000004A9F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1624-212-0x0000000004A60000-0x0000000004A9F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1624-214-0x0000000004A60000-0x0000000004A9F000-memory.dmp
        Filesize

        252KB

        Download
      • memory/1624-217-0x0000000000610000-0x000000000065B000-memory.dmp
        Filesize

        300KB

        Download
      • memory/3708-1122-0x00000000002D0000-0x0000000000302000-memory.dmp
        Filesize

        200KB

        Download
      • memory/3708-1123-0x0000000004F10000-0x0000000004F20000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4256-181-0x0000000000400000-0x00000000004A9000-memory.dmp
        Filesize

        676KB

        Download
      • memory/4256-173-0x0000000004FD0000-0x0000000004FE2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4256-148-0x0000000000640000-0x000000000066D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/4256-151-0x0000000004FD0000-0x0000000004FE2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4256-153-0x0000000004FD0000-0x0000000004FE2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4256-186-0x0000000000400000-0x00000000004A9000-memory.dmp
        Filesize

        676KB

        Download
      • memory/4256-185-0x0000000002360000-0x0000000002370000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4256-150-0x0000000004FD0000-0x0000000004FE2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4256-184-0x0000000002360000-0x0000000002370000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4256-183-0x0000000002360000-0x0000000002370000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4256-155-0x0000000004FD0000-0x0000000004FE2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4256-180-0x0000000002360000-0x0000000002370000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4256-179-0x0000000002360000-0x0000000002370000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4256-178-0x0000000002360000-0x0000000002370000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4256-177-0x0000000004FD0000-0x0000000004FE2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4256-175-0x0000000004FD0000-0x0000000004FE2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4256-171-0x0000000004FD0000-0x0000000004FE2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4256-169-0x0000000004FD0000-0x0000000004FE2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4256-167-0x0000000004FD0000-0x0000000004FE2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4256-165-0x0000000004FD0000-0x0000000004FE2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4256-163-0x0000000004FD0000-0x0000000004FE2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4256-149-0x00000000049E0000-0x0000000004F84000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/4256-161-0x0000000004FD0000-0x0000000004FE2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4256-159-0x0000000004FD0000-0x0000000004FE2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4256-157-0x0000000004FD0000-0x0000000004FE2000-memory.dmp
        Filesize

        72KB

        Download