Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    64s
  • max time network
    73s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    03-04-2023 21:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    71bdd53f99660890f5d617c5f15a94a966983f0409f002282bc924d6e4e3ec22.exe

  • Size

    522KB

  • MD5

    fa38f2fc765f39fa951b4521f56dec11

  • SHA1

    b69b5cd8619c5356d90905caff700e0172b5a44d

  • SHA256

    71bdd53f99660890f5d617c5f15a94a966983f0409f002282bc924d6e4e3ec22

  • SHA512

    862a6db1fe8c2043e684231b132ae5b11771ac699156f0b6744ad749bde766e38573b4d1d33bcd993106cfabf7c18c2a2789c5949450ae468f787644f37937cc

  • SSDEEP

    12288:kMrBy90rQOHmqOX6s3QpTQuzRW8IF4SmzWKGOxuHuohezTX:Nyx88X6ZpT7VIWSfKGPueGb

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 38 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\71bdd53f99660890f5d617c5f15a94a966983f0409f002282bc924d6e4e3ec22.exe
    "C:\Users\Admin\AppData\Local\Temp\71bdd53f99660890f5d617c5f15a94a966983f0409f002282bc924d6e4e3ec22.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3520
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitL5736.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitL5736.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4144
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr187398.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr187398.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4568
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku985604.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku985604.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4980
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr473542.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr473542.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr473542.exe
    Filesize

    175KB

    MD5

    b615e62083a0cbe30de9f8ecba74abf9

    SHA1

    1bbdfbc426420ecc6b9e17f73e5a4cb4878bf7e1

    SHA256

    bae14b66513354d3ce58d5ec02242b2bce69488b295268e64c0ae6be982feff3

    SHA512

    d6b5f79c92cff499983750c9a88fbb64e1286d5d74ec342b250e8581de9ea09075bb600fd117614213068b50f6d5737a5e6ac3bb30dad26b898e2f78950162d1

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr473542.exe
    Filesize

    175KB

    MD5

    b615e62083a0cbe30de9f8ecba74abf9

    SHA1

    1bbdfbc426420ecc6b9e17f73e5a4cb4878bf7e1

    SHA256

    bae14b66513354d3ce58d5ec02242b2bce69488b295268e64c0ae6be982feff3

    SHA512

    d6b5f79c92cff499983750c9a88fbb64e1286d5d74ec342b250e8581de9ea09075bb600fd117614213068b50f6d5737a5e6ac3bb30dad26b898e2f78950162d1

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitL5736.exe
    Filesize

    379KB

    MD5

    3f808c208aa5e084fa8a9227a138555c

    SHA1

    d92e3ed59962dea6b423c7ee64ca509829f97a30

    SHA256

    582f28e15ceadee4bcc7283414e6f0866dc3b15cf5ee290f6852aff2b870fe88

    SHA512

    5ecebb4cc878e4e5852cf3072331318b350947b2ac46a2b9a63906e4d4a49ea14c317686bc311588c1acf7ec4612eb646a4506bdc2c2dc91b87adb41f8b1315f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitL5736.exe
    Filesize

    379KB

    MD5

    3f808c208aa5e084fa8a9227a138555c

    SHA1

    d92e3ed59962dea6b423c7ee64ca509829f97a30

    SHA256

    582f28e15ceadee4bcc7283414e6f0866dc3b15cf5ee290f6852aff2b870fe88

    SHA512

    5ecebb4cc878e4e5852cf3072331318b350947b2ac46a2b9a63906e4d4a49ea14c317686bc311588c1acf7ec4612eb646a4506bdc2c2dc91b87adb41f8b1315f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr187398.exe
    Filesize

    15KB

    MD5

    30af13d4ba9671741a2349c77dc6da61

    SHA1

    fb0a5d6693af8f7877bde30865de08d5bc929628

    SHA256

    bfbddbfc382d6e84010ee4ce911391ef8516d4b9da1fb0115c7b01f649c990f7

    SHA512

    de0c676cbc2bdc8edc75b9374c364e8eb758df71f997d915d55fc26ab27ada8ec152db7324e787de72d04607ef45652abf73bdccab2a074a6383f8992a783383

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr187398.exe
    Filesize

    15KB

    MD5

    30af13d4ba9671741a2349c77dc6da61

    SHA1

    fb0a5d6693af8f7877bde30865de08d5bc929628

    SHA256

    bfbddbfc382d6e84010ee4ce911391ef8516d4b9da1fb0115c7b01f649c990f7

    SHA512

    de0c676cbc2bdc8edc75b9374c364e8eb758df71f997d915d55fc26ab27ada8ec152db7324e787de72d04607ef45652abf73bdccab2a074a6383f8992a783383

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku985604.exe
    Filesize

    294KB

    MD5

    779e2a47616a4ea24b506cac55a88150

    SHA1

    c06f23da4e81b3abe97beab76095dd302d85b2d6

    SHA256

    5b7a5f4e986d765fb3dee0b1b855e6bf74c74bbf87c030e378b0a45d2f600961

    SHA512

    48bc2cb343308e0202e1e0348b96d532e810764155c498df4dd1b4f7dc011a0f5ddac2572fd791fa618fc559bfab9304ccf2c6a4b257cca2a8ed9610151c184a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku985604.exe
    Filesize

    294KB

    MD5

    779e2a47616a4ea24b506cac55a88150

    SHA1

    c06f23da4e81b3abe97beab76095dd302d85b2d6

    SHA256

    5b7a5f4e986d765fb3dee0b1b855e6bf74c74bbf87c030e378b0a45d2f600961

    SHA512

    48bc2cb343308e0202e1e0348b96d532e810764155c498df4dd1b4f7dc011a0f5ddac2572fd791fa618fc559bfab9304ccf2c6a4b257cca2a8ed9610151c184a

    Download Submit
  • memory/956-1072-0x0000000000470000-0x00000000004A2000-memory.dmp
    Filesize

    200KB

    Download
  • memory/956-1075-0x0000000004FB0000-0x0000000004FC0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/956-1073-0x0000000004FB0000-0x0000000004FC0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/956-1074-0x0000000004EB0000-0x0000000004EFB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4568-131-0x0000000000680000-0x000000000068A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4980-177-0x0000000004A80000-0x0000000004ABF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4980-189-0x0000000004A80000-0x0000000004ABF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4980-142-0x0000000004A80000-0x0000000004ABF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4980-144-0x0000000004A80000-0x0000000004ABF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4980-147-0x0000000004BE0000-0x0000000004BF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4980-146-0x0000000004A80000-0x0000000004ABF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4980-148-0x0000000004BE0000-0x0000000004BF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4980-150-0x0000000004BE0000-0x0000000004BF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4980-151-0x0000000004A80000-0x0000000004ABF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4980-153-0x0000000004A80000-0x0000000004ABF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4980-155-0x0000000004A80000-0x0000000004ABF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4980-157-0x0000000004A80000-0x0000000004ABF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4980-159-0x0000000004A80000-0x0000000004ABF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4980-161-0x0000000004A80000-0x0000000004ABF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4980-163-0x0000000004A80000-0x0000000004ABF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4980-165-0x0000000004A80000-0x0000000004ABF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4980-167-0x0000000004A80000-0x0000000004ABF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4980-169-0x0000000004A80000-0x0000000004ABF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4980-171-0x0000000004A80000-0x0000000004ABF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4980-173-0x0000000004A80000-0x0000000004ABF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4980-175-0x0000000004A80000-0x0000000004ABF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4980-140-0x0000000004A80000-0x0000000004AC4000-memory.dmp
    Filesize

    272KB

    Download
  • memory/4980-179-0x0000000004A80000-0x0000000004ABF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4980-181-0x0000000004A80000-0x0000000004ABF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4980-183-0x0000000004A80000-0x0000000004ABF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4980-185-0x0000000004A80000-0x0000000004ABF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4980-187-0x0000000004A80000-0x0000000004ABF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4980-141-0x0000000004A80000-0x0000000004ABF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4980-191-0x0000000004A80000-0x0000000004ABF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4980-193-0x0000000004A80000-0x0000000004ABF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4980-195-0x0000000004A80000-0x0000000004ABF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4980-197-0x0000000004A80000-0x0000000004ABF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4980-199-0x0000000004A80000-0x0000000004ABF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4980-201-0x0000000004A80000-0x0000000004ABF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4980-203-0x0000000004A80000-0x0000000004ABF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4980-205-0x0000000004A80000-0x0000000004ABF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4980-207-0x0000000004A80000-0x0000000004ABF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4980-1050-0x00000000050F0000-0x00000000056F6000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/4980-1051-0x0000000005700000-0x000000000580A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4980-1052-0x0000000004B70000-0x0000000004B82000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4980-1053-0x0000000004BE0000-0x0000000004BF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4980-1054-0x0000000004B90000-0x0000000004BCE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4980-1055-0x0000000005910000-0x000000000595B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4980-1057-0x0000000005AA0000-0x0000000005B06000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4980-1059-0x0000000004BE0000-0x0000000004BF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4980-1058-0x0000000004BE0000-0x0000000004BF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4980-1060-0x0000000004BE0000-0x0000000004BF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4980-1061-0x0000000006170000-0x0000000006202000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4980-1062-0x0000000004BE0000-0x0000000004BF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4980-1063-0x0000000006480000-0x00000000064F6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4980-139-0x0000000004BF0000-0x00000000050EE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/4980-138-0x00000000022D0000-0x0000000002316000-memory.dmp
    Filesize

    280KB

    Download
  • memory/4980-137-0x0000000000590000-0x00000000005DB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4980-1064-0x0000000006510000-0x0000000006560000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4980-1065-0x0000000006580000-0x0000000006742000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/4980-1066-0x0000000006750000-0x0000000006C7C000-memory.dmp
    Filesize

    5.2MB

    Download