Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    126s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2023 20:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    17669aebf7908470beaf891b026faefc60be64ddeca822a10a62697357a8f95d.exe

  • Size

    522KB

  • MD5

    1d4b06de21837c4bc37ee379e1360529

  • SHA1

    8be9357037567a0c9524e13246d2e6d8a60b668f

  • SHA256

    17669aebf7908470beaf891b026faefc60be64ddeca822a10a62697357a8f95d

  • SHA512

    53ab1635c932d6e2ee639422dc09f9bff839fbb225fa68f9a00b47b4e20f5cadd95ee073ea592a219319afd79a3ef348fe41173554663bf639fa3580794561a9

  • SSDEEP

    12288:bMrvy90wbReKKcv0DfjXiOpf8kP4HrzWK6hWWM9THx8OhHND:4yBgcsr2OOkQHWK60THxvp

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\17669aebf7908470beaf891b026faefc60be64ddeca822a10a62697357a8f95d.exe
    "C:\Users\Admin\AppData\Local\Temp\17669aebf7908470beaf891b026faefc60be64ddeca822a10a62697357a8f95d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3504
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilR5067.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilR5067.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4596
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr471714.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr471714.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:736
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku535770.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku535770.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:180
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 180 -s 1348
          4⤵
          • Program crash
          PID:552
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr386931.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr386931.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4100
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 180 -ip 180
    1⤵
      PID:4688
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start wuauserv
      1⤵
      • Launches sc.exe
      PID:3536

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr386931.exe
      Filesize

      175KB

      MD5

      80dcff3c2cdfebcf3c02f2009ad15cf4

      SHA1

      172947bbfeda33439952a4adc2f8eda8ea67fbf3

      SHA256

      235ff838d82d603ccbb07b65d3fe7dcc6313a7b41b1b88235d0a38edcddaab06

      SHA512

      6aff27bf35e63a6dfbf732f621a5a4e827d45090358715cb431d148b5fed92d46b9c336e6ebd4f4860653ff9a1cf39353df6d0ae32615243d1650ea4941b84b7

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr386931.exe
      Filesize

      175KB

      MD5

      80dcff3c2cdfebcf3c02f2009ad15cf4

      SHA1

      172947bbfeda33439952a4adc2f8eda8ea67fbf3

      SHA256

      235ff838d82d603ccbb07b65d3fe7dcc6313a7b41b1b88235d0a38edcddaab06

      SHA512

      6aff27bf35e63a6dfbf732f621a5a4e827d45090358715cb431d148b5fed92d46b9c336e6ebd4f4860653ff9a1cf39353df6d0ae32615243d1650ea4941b84b7

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilR5067.exe
      Filesize

      380KB

      MD5

      6f88100bec14917d26dce61265de4c64

      SHA1

      64f9287220ab15e994c22c0ac3eac757d7abe0c9

      SHA256

      d400777599d8bead11f7b02240a499c1ad0aa539cbb06bf48db81a43b49eff92

      SHA512

      c93e081d24322fb88b43e772b5168f05afe475a141ff9c4ed5c318a974f4f1318a9aea5f8c0f888ac902f89cf8fdc702ff7cabfc5bdcbe57a9d85f95a71e4508

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilR5067.exe
      Filesize

      380KB

      MD5

      6f88100bec14917d26dce61265de4c64

      SHA1

      64f9287220ab15e994c22c0ac3eac757d7abe0c9

      SHA256

      d400777599d8bead11f7b02240a499c1ad0aa539cbb06bf48db81a43b49eff92

      SHA512

      c93e081d24322fb88b43e772b5168f05afe475a141ff9c4ed5c318a974f4f1318a9aea5f8c0f888ac902f89cf8fdc702ff7cabfc5bdcbe57a9d85f95a71e4508

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr471714.exe
      Filesize

      15KB

      MD5

      212ce31009677b73279e44790259adb7

      SHA1

      280041c05d1da9dff0fe1295927e70a5fcf991d0

      SHA256

      303572c17708d952912a32fa907791143f2b8d39b0ce49f7d753c7edd69a8a2c

      SHA512

      1473f3487d918c60e163ab72cc0a711647441b9573598859cafc679c99ac7ea84f845b8dd2d60b1492dd982834ee9648388b6790e545ecb16de25b11aa949286

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr471714.exe
      Filesize

      15KB

      MD5

      212ce31009677b73279e44790259adb7

      SHA1

      280041c05d1da9dff0fe1295927e70a5fcf991d0

      SHA256

      303572c17708d952912a32fa907791143f2b8d39b0ce49f7d753c7edd69a8a2c

      SHA512

      1473f3487d918c60e163ab72cc0a711647441b9573598859cafc679c99ac7ea84f845b8dd2d60b1492dd982834ee9648388b6790e545ecb16de25b11aa949286

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku535770.exe
      Filesize

      294KB

      MD5

      4666c68df879fa10e14f35a902fdd3f2

      SHA1

      eaeee69393c997e519f7748afc23dc10f03325a8

      SHA256

      515148d96fd691c3fc8575fc1ceeac4c96fd294d95faf98cb1b8d3b33585e743

      SHA512

      d9a0beeaa4868917adb5e4ad74c37fbc3d5634cc3f41188ffd5f17968a87d52dfa3e1bb11221fa677360512ac33e0766036fab13eb707cad7086e50a917de9d4

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku535770.exe
      Filesize

      294KB

      MD5

      4666c68df879fa10e14f35a902fdd3f2

      SHA1

      eaeee69393c997e519f7748afc23dc10f03325a8

      SHA256

      515148d96fd691c3fc8575fc1ceeac4c96fd294d95faf98cb1b8d3b33585e743

      SHA512

      d9a0beeaa4868917adb5e4ad74c37fbc3d5634cc3f41188ffd5f17968a87d52dfa3e1bb11221fa677360512ac33e0766036fab13eb707cad7086e50a917de9d4

      Download Submit
    • memory/180-153-0x0000000000710000-0x000000000075B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/180-154-0x0000000004AF0000-0x0000000005094000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/180-155-0x0000000002480000-0x0000000002490000-memory.dmp
      Filesize

      64KB

      Download
    • memory/180-156-0x0000000002480000-0x0000000002490000-memory.dmp
      Filesize

      64KB

      Download
    • memory/180-157-0x0000000002480000-0x0000000002490000-memory.dmp
      Filesize

      64KB

      Download
    • memory/180-158-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/180-161-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/180-159-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/180-163-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/180-165-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/180-167-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/180-169-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/180-171-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/180-173-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/180-175-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/180-177-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/180-179-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/180-181-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/180-183-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/180-185-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/180-187-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/180-189-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/180-191-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/180-193-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/180-195-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/180-197-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/180-199-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/180-201-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/180-203-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/180-205-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/180-207-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/180-209-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/180-211-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/180-213-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/180-215-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/180-217-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/180-219-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/180-221-0x0000000002730000-0x000000000276F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/180-1064-0x00000000050C0000-0x00000000056D8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/180-1065-0x0000000005760000-0x000000000586A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/180-1067-0x00000000058A0000-0x00000000058B2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/180-1066-0x0000000002480000-0x0000000002490000-memory.dmp
      Filesize

      64KB

      Download
    • memory/180-1068-0x00000000058C0000-0x00000000058FC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/180-1070-0x0000000000710000-0x000000000075B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/180-1071-0x0000000005BB0000-0x0000000005C42000-memory.dmp
      Filesize

      584KB

      Download
    • memory/180-1072-0x0000000005C50000-0x0000000005CB6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/180-1073-0x0000000002480000-0x0000000002490000-memory.dmp
      Filesize

      64KB

      Download
    • memory/180-1074-0x0000000002480000-0x0000000002490000-memory.dmp
      Filesize

      64KB

      Download
    • memory/180-1075-0x0000000002480000-0x0000000002490000-memory.dmp
      Filesize

      64KB

      Download
    • memory/180-1076-0x0000000006370000-0x0000000006532000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/180-1077-0x0000000006540000-0x0000000006A6C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/180-1078-0x0000000006CC0000-0x0000000006D36000-memory.dmp
      Filesize

      472KB

      Download
    • memory/180-1079-0x0000000006D40000-0x0000000006D90000-memory.dmp
      Filesize

      320KB

      Download
    • memory/180-1080-0x0000000002480000-0x0000000002490000-memory.dmp
      Filesize

      64KB

      Download
    • memory/736-147-0x00000000004B0000-0x00000000004BA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4100-1086-0x0000000000A40000-0x0000000000A72000-memory.dmp
      Filesize

      200KB

      Download
    • memory/4100-1087-0x0000000005310000-0x0000000005320000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4100-1088-0x0000000005310000-0x0000000005320000-memory.dmp
      Filesize

      64KB

      Download