Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    82s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2023 21:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    645a10f0bb7c4655f04cef3ba2d49771a2ca463cf4d77f7922515ebbe72d011c.exe

  • Size

    522KB

  • MD5

    94101b9af08097b91f9e0a6df7fb55fb

  • SHA1

    1b87ac47b958f2a6d53b53c5fe54f8658d7ba284

  • SHA256

    645a10f0bb7c4655f04cef3ba2d49771a2ca463cf4d77f7922515ebbe72d011c

  • SHA512

    2bfb46b0003bf074c6879651b3f1a9d28b5b4de0d04953b9cdc2487c973c6e2e7654bb01a5c098f7f50a3e91e1bd6f5ed9bc4d415f5ee2325d5aaaaaba3be5e2

  • SSDEEP

    12288:OMr2y9061k0shlcr6m0N38r64sbzWKAe/QvCf4KS5I:gyONhl26m0Nsr7sGKAeII4Z5I

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\645a10f0bb7c4655f04cef3ba2d49771a2ca463cf4d77f7922515ebbe72d011c.exe
    "C:\Users\Admin\AppData\Local\Temp\645a10f0bb7c4655f04cef3ba2d49771a2ca463cf4d77f7922515ebbe72d011c.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1240
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNx9267.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNx9267.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:780
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr201401.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr201401.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4488
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku904783.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku904783.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1456
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 1152
          4⤵
          • Program crash
          PID:3196
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr378936.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr378936.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5092
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1456 -ip 1456
    1⤵
      PID:2132

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr378936.exe
      Filesize

      175KB

      MD5

      31b80a32e8683abf5f7db282efef6b7b

      SHA1

      9b00ccb5d04e87a4a07a29940ce6e9edc4a19502

      SHA256

      a2dd5b67b18035fc9066f621cdd1dc728d0be9bebfe3e789554223f42de0c732

      SHA512

      0bf24cb6b235a8b9ff1f55bf8479622de75db422f56242560ea8da4f2b46dc23817b75b6239cc05a1572405982f8cd2fe3cae01c15427bc98abad3ce79f41b62

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr378936.exe
      Filesize

      175KB

      MD5

      31b80a32e8683abf5f7db282efef6b7b

      SHA1

      9b00ccb5d04e87a4a07a29940ce6e9edc4a19502

      SHA256

      a2dd5b67b18035fc9066f621cdd1dc728d0be9bebfe3e789554223f42de0c732

      SHA512

      0bf24cb6b235a8b9ff1f55bf8479622de75db422f56242560ea8da4f2b46dc23817b75b6239cc05a1572405982f8cd2fe3cae01c15427bc98abad3ce79f41b62

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNx9267.exe
      Filesize

      379KB

      MD5

      189cc4edf7f6d32e0341655a6f57367c

      SHA1

      c2dfaf4aea3bf2fddb7da1d538e1c8e343447574

      SHA256

      42aedaa41928857b08b2a1706a50e39ddca5fe36ee6c8ff6750139faba153dc4

      SHA512

      2e09818ec113d036340ee786afd23c5f13ed3504a87f99e193f7c5200345d74967948d0b59c01139d74fd605ecf9c184573b33dd46c8b4192a7ab2ca06634e0e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNx9267.exe
      Filesize

      379KB

      MD5

      189cc4edf7f6d32e0341655a6f57367c

      SHA1

      c2dfaf4aea3bf2fddb7da1d538e1c8e343447574

      SHA256

      42aedaa41928857b08b2a1706a50e39ddca5fe36ee6c8ff6750139faba153dc4

      SHA512

      2e09818ec113d036340ee786afd23c5f13ed3504a87f99e193f7c5200345d74967948d0b59c01139d74fd605ecf9c184573b33dd46c8b4192a7ab2ca06634e0e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr201401.exe
      Filesize

      15KB

      MD5

      c564ded650ad8dd9117ed70d33fb7d59

      SHA1

      ba3e58e19abd92adaff58b7b2cff051bf2f51efe

      SHA256

      db88048ae4c160a86bb5f0675e34439170b522233d4068e4d9aac88576e7830e

      SHA512

      1a2af27c359de30a32ef086cc4d4b93e2b191870b784f4f1a0777ecc505a3ba58614ad7cc3c5aafc838464d5073345ba1a68f3b6087c62616201e03f6ccba868

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr201401.exe
      Filesize

      15KB

      MD5

      c564ded650ad8dd9117ed70d33fb7d59

      SHA1

      ba3e58e19abd92adaff58b7b2cff051bf2f51efe

      SHA256

      db88048ae4c160a86bb5f0675e34439170b522233d4068e4d9aac88576e7830e

      SHA512

      1a2af27c359de30a32ef086cc4d4b93e2b191870b784f4f1a0777ecc505a3ba58614ad7cc3c5aafc838464d5073345ba1a68f3b6087c62616201e03f6ccba868

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku904783.exe
      Filesize

      294KB

      MD5

      25dd7ed8bc6c79813651b300c41857e6

      SHA1

      9cc0673192fad6b31c5329c4fb303a124fb9359b

      SHA256

      113e8bb754d456e0e972d78bbc0bf117d6ac7fa3177aaa4c8c7704d669e07c73

      SHA512

      82c495aa3b9d0dde1058e73bdee97379a0161ccca02ef2068018f814273264a8a34c947b7355aa05c99a4a7ee6a3d5efc17de9a9d8c9ffb0074ec0395b65d8dd

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku904783.exe
      Filesize

      294KB

      MD5

      25dd7ed8bc6c79813651b300c41857e6

      SHA1

      9cc0673192fad6b31c5329c4fb303a124fb9359b

      SHA256

      113e8bb754d456e0e972d78bbc0bf117d6ac7fa3177aaa4c8c7704d669e07c73

      SHA512

      82c495aa3b9d0dde1058e73bdee97379a0161ccca02ef2068018f814273264a8a34c947b7355aa05c99a4a7ee6a3d5efc17de9a9d8c9ffb0074ec0395b65d8dd

      Download Submit
    • memory/1456-153-0x0000000001FD0000-0x000000000201B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/1456-154-0x0000000004B70000-0x0000000004B80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1456-155-0x0000000004B80000-0x0000000005124000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1456-156-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1456-159-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1456-157-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1456-161-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1456-163-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1456-165-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1456-167-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1456-169-0x0000000004B70000-0x0000000004B80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1456-170-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1456-172-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1456-174-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1456-176-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1456-178-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1456-180-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1456-182-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1456-184-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1456-186-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1456-188-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1456-190-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1456-192-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1456-194-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1456-196-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1456-198-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1456-200-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1456-202-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1456-204-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1456-208-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1456-206-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1456-210-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1456-212-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1456-214-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1456-216-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1456-218-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1456-220-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/1456-1063-0x0000000005230000-0x0000000005848000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/1456-1064-0x00000000058A0000-0x00000000059AA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1456-1065-0x00000000059E0000-0x00000000059F2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1456-1066-0x0000000004B70000-0x0000000004B80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1456-1067-0x0000000005A00000-0x0000000005A3C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/1456-1069-0x0000000004B70000-0x0000000004B80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1456-1070-0x0000000004B70000-0x0000000004B80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1456-1071-0x0000000004B70000-0x0000000004B80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1456-1072-0x0000000005CF0000-0x0000000005D82000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1456-1073-0x0000000005D90000-0x0000000005DF6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1456-1074-0x00000000065B0000-0x0000000006772000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/1456-1075-0x0000000006790000-0x0000000006CBC000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/1456-1076-0x0000000004B70000-0x0000000004B80000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1456-1078-0x0000000007080000-0x00000000070F6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1456-1079-0x0000000007100000-0x0000000007150000-memory.dmp
      Filesize

      320KB

      Download
    • memory/4488-147-0x0000000000060000-0x000000000006A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/5092-1085-0x0000000000DB0000-0x0000000000DE2000-memory.dmp
      Filesize

      200KB

      Download
    • memory/5092-1086-0x0000000005970000-0x0000000005980000-memory.dmp
      Filesize

      64KB

      Download