Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    99s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2023 21:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c1cf92434f139cce3edacb7d3e53ee010a617132698089d376c45e6b40d482a0.exe

  • Size

    658KB

  • MD5

    ff3941ae83a22d66cde4f05c3205f15b

  • SHA1

    ad9fb7547f358075477ecf4fe10b36ca61d252ac

  • SHA256

    c1cf92434f139cce3edacb7d3e53ee010a617132698089d376c45e6b40d482a0

  • SHA512

    7ff01f13f3ba0993251bd4d7ed2bc10d8e10191b6f1113fcd306e76ca60ca436be6ddbe3fc8282ebd12a09978d08ea802587a73a5fb3d3d5237c01d0f887c988

  • SSDEEP

    12288:tMrgy902AHCfUa/E141udt+3DQ8jwRrMAdWS44fzWKlV8vrlMLY6:1yMO/mdtoMmC5WD4qKilMLv

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c1cf92434f139cce3edacb7d3e53ee010a617132698089d376c45e6b40d482a0.exe
    "C:\Users\Admin\AppData\Local\Temp\c1cf92434f139cce3edacb7d3e53ee010a617132698089d376c45e6b40d482a0.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1152
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un598847.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un598847.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4912
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3427.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3427.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2236
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 1016
          4⤵
          • Program crash
          PID:3868
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8623.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8623.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2072
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 1708
          4⤵
          • Program crash
          PID:4016
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si649990.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si649990.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3280
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2236 -ip 2236
    1⤵
      PID:2728
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2072 -ip 2072
      1⤵
        PID:1976

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si649990.exe
        Filesize

        175KB

        MD5

        589dbc73ab01c33abb13ca1864ec6849

        SHA1

        dc5b5be94fdfaa98f05acd81bb23ecb3736f6894

        SHA256

        91120e339286c976d33c040e8ea7173f7be5bf1f4801a0c92a525aca159afb71

        SHA512

        4974505cf0bdf889c02cc9840040d03c764c18064c8c5f0d9178798f6912d0beced51647aa8aef76efc67c544865fc9f53de9df7b3788e05418a0ed4b46fd67b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si649990.exe
        Filesize

        175KB

        MD5

        589dbc73ab01c33abb13ca1864ec6849

        SHA1

        dc5b5be94fdfaa98f05acd81bb23ecb3736f6894

        SHA256

        91120e339286c976d33c040e8ea7173f7be5bf1f4801a0c92a525aca159afb71

        SHA512

        4974505cf0bdf889c02cc9840040d03c764c18064c8c5f0d9178798f6912d0beced51647aa8aef76efc67c544865fc9f53de9df7b3788e05418a0ed4b46fd67b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un598847.exe
        Filesize

        516KB

        MD5

        01f5f9c8e47795be3dc77c4a44782483

        SHA1

        5d4134608aacc476ed3438fd687f1f8f73d0f136

        SHA256

        221dd23fc58e7989df6588ff3e1c39ead16a96de278f03c2a675321284b682f1

        SHA512

        997d8bb7f063bac7a2a24e44fce948cd03ca8fc0d9025f531f758c915ecf30645e5c1217aef29a22b053f43990f2cc6b3238ad5dd8561120046669adf5f5722c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un598847.exe
        Filesize

        516KB

        MD5

        01f5f9c8e47795be3dc77c4a44782483

        SHA1

        5d4134608aacc476ed3438fd687f1f8f73d0f136

        SHA256

        221dd23fc58e7989df6588ff3e1c39ead16a96de278f03c2a675321284b682f1

        SHA512

        997d8bb7f063bac7a2a24e44fce948cd03ca8fc0d9025f531f758c915ecf30645e5c1217aef29a22b053f43990f2cc6b3238ad5dd8561120046669adf5f5722c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3427.exe
        Filesize

        235KB

        MD5

        79d4505bafd0bbe4409973fb28e32801

        SHA1

        f19c2d6bd1cd1f5749f4ee14818d652e6895e9fd

        SHA256

        dd3437ca81b48a2e86d6f7f39656671b742d16039a190907bcb81b0a3d267be1

        SHA512

        69d83f880f2e6cd1f1f8dd85d8f8e857373b9b74c9204c7c7081411274486ee50b8ecdd3e291a0fed766d51b31852907bd80f673e2d69cdfd3be07e018b5bedd

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3427.exe
        Filesize

        235KB

        MD5

        79d4505bafd0bbe4409973fb28e32801

        SHA1

        f19c2d6bd1cd1f5749f4ee14818d652e6895e9fd

        SHA256

        dd3437ca81b48a2e86d6f7f39656671b742d16039a190907bcb81b0a3d267be1

        SHA512

        69d83f880f2e6cd1f1f8dd85d8f8e857373b9b74c9204c7c7081411274486ee50b8ecdd3e291a0fed766d51b31852907bd80f673e2d69cdfd3be07e018b5bedd

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8623.exe
        Filesize

        294KB

        MD5

        cc985748d81be8a98cac37300a425d2b

        SHA1

        1235af3822b2f9e441b604f4da1e4b0bd1294a85

        SHA256

        6764d53b4cfa03f8d11a9f74e26f0dbbc5aae21347ba13b767051edad9b3f220

        SHA512

        c8f5b1738040949c928fc67f7af28fc7b7e3c976339954277eb9ae0d2d582e07f71088522961fab9f9d8116df272ce8a62e51be63afa37de62b7e1573aef1af2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8623.exe
        Filesize

        294KB

        MD5

        cc985748d81be8a98cac37300a425d2b

        SHA1

        1235af3822b2f9e441b604f4da1e4b0bd1294a85

        SHA256

        6764d53b4cfa03f8d11a9f74e26f0dbbc5aae21347ba13b767051edad9b3f220

        SHA512

        c8f5b1738040949c928fc67f7af28fc7b7e3c976339954277eb9ae0d2d582e07f71088522961fab9f9d8116df272ce8a62e51be63afa37de62b7e1573aef1af2

        Download Submit

      • memory/2072-1102-0x00000000059E0000-0x00000000059F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2072-227-0x0000000004A80000-0x0000000004ABF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2072-201-0x0000000004A80000-0x0000000004ABF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2072-203-0x0000000004A80000-0x0000000004ABF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2072-1115-0x00000000070F0000-0x0000000007140000-memory.dmp

        Filesize

        320KB

        Download

      • memory/2072-1114-0x0000000007060000-0x00000000070D6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/2072-1113-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2072-1111-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2072-1112-0x0000000006690000-0x0000000006BBC000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/2072-1110-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2072-205-0x0000000004A80000-0x0000000004ABF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2072-1109-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2072-1107-0x00000000064C0000-0x0000000006682000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2072-1106-0x0000000005D90000-0x0000000005DF6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2072-1105-0x0000000005CF0000-0x0000000005D82000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2072-1104-0x0000000005A40000-0x0000000005A7C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/2072-1103-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2072-1101-0x00000000058B0000-0x00000000059BA000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/2072-1100-0x0000000005290000-0x00000000058A8000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/2072-215-0x0000000004A80000-0x0000000004ABF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2072-225-0x0000000004A80000-0x0000000004ABF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2072-223-0x0000000004A80000-0x0000000004ABF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2072-190-0x0000000002130000-0x000000000217B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/2072-191-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2072-192-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2072-193-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2072-194-0x0000000004A80000-0x0000000004ABF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2072-195-0x0000000004A80000-0x0000000004ABF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2072-197-0x0000000004A80000-0x0000000004ABF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2072-199-0x0000000004A80000-0x0000000004ABF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2072-221-0x0000000004A80000-0x0000000004ABF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2072-219-0x0000000004A80000-0x0000000004ABF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2072-217-0x0000000004A80000-0x0000000004ABF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2072-207-0x0000000004A80000-0x0000000004ABF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2072-209-0x0000000004A80000-0x0000000004ABF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2072-211-0x0000000004A80000-0x0000000004ABF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2072-213-0x0000000004A80000-0x0000000004ABF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/2236-181-0x0000000002210000-0x0000000002220000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2236-177-0x00000000025D0000-0x00000000025E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2236-149-0x0000000000660000-0x000000000068D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/2236-155-0x00000000025D0000-0x00000000025E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2236-151-0x0000000002210000-0x0000000002220000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2236-152-0x00000000025D0000-0x00000000025E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2236-185-0x0000000000400000-0x00000000004A9000-memory.dmp

        Filesize

        676KB

        Download

      • memory/2236-183-0x0000000002210000-0x0000000002220000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2236-182-0x0000000002210000-0x0000000002220000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2236-150-0x0000000002210000-0x0000000002220000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2236-153-0x00000000025D0000-0x00000000025E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2236-180-0x0000000000400000-0x00000000004A9000-memory.dmp

        Filesize

        676KB

        Download

      • memory/2236-179-0x00000000025D0000-0x00000000025E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2236-171-0x00000000025D0000-0x00000000025E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2236-175-0x00000000025D0000-0x00000000025E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2236-173-0x00000000025D0000-0x00000000025E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2236-169-0x00000000025D0000-0x00000000025E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2236-167-0x00000000025D0000-0x00000000025E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2236-165-0x00000000025D0000-0x00000000025E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2236-163-0x00000000025D0000-0x00000000025E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2236-161-0x00000000025D0000-0x00000000025E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2236-159-0x00000000025D0000-0x00000000025E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2236-157-0x00000000025D0000-0x00000000025E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2236-148-0x0000000004A70000-0x0000000005014000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3280-1121-0x00000000009D0000-0x0000000000A02000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3280-1122-0x0000000005320000-0x0000000005330000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3280-1123-0x0000000005320000-0x0000000005330000-memory.dmp

        Filesize

        64KB

        Download