Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    89s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2023 21:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    145673b80f8dfa7082193739702e40566349b59e38bd0d2413b93dd9cb569e06.exe

  • Size

    522KB

  • MD5

    6f8bc8c62d187c8f2b8525fde9e6406b

  • SHA1

    ca69236ac0f041d434b9aa0150c2e03c1a7d4ff8

  • SHA256

    145673b80f8dfa7082193739702e40566349b59e38bd0d2413b93dd9cb569e06

  • SHA512

    45bc7211fc5d04e8e80cf7c6c03da38064850f12bea3cb36cee56efde1aeb87e62ea377066704a8633cb94071f0f2ab54d2c6d768b3334cc1aeb6bca0ed80200

  • SSDEEP

    12288:cMrey90py6niTlFb/YXllz42fDBh8gK4wgzWVwrtvV7ntDR:aycODbClZbEgrwpVm7/

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\145673b80f8dfa7082193739702e40566349b59e38bd0d2413b93dd9cb569e06.exe
    "C:\Users\Admin\AppData\Local\Temp\145673b80f8dfa7082193739702e40566349b59e38bd0d2413b93dd9cb569e06.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3548
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGK0001.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGK0001.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2476
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr652715.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr652715.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4376
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku696197.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku696197.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2056
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 1636
          4⤵
          • Program crash
          PID:4956
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr951936.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr951936.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2972
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2056 -ip 2056
    1⤵
      PID:4400

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr951936.exe
      Filesize

      175KB

      MD5

      fc97b52caf1e887f51b8e21b2459e60a

      SHA1

      0ea50b3738376ea7a1b0ded18aeec3b0c50b7cdc

      SHA256

      b28067989bae8f240fb97ca57ac27cd0250c595f3846751f5eb8d5530d1e33e8

      SHA512

      37a1ed29b18ef352d022ee9c5e94ccafe8eb6e17b1f78ad0945c86152407f15ce2eebf51a09b3fd3ba30c73a9e3bb52444569f7dbf77ad4162099fb4c33e9254

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr951936.exe
      Filesize

      175KB

      MD5

      fc97b52caf1e887f51b8e21b2459e60a

      SHA1

      0ea50b3738376ea7a1b0ded18aeec3b0c50b7cdc

      SHA256

      b28067989bae8f240fb97ca57ac27cd0250c595f3846751f5eb8d5530d1e33e8

      SHA512

      37a1ed29b18ef352d022ee9c5e94ccafe8eb6e17b1f78ad0945c86152407f15ce2eebf51a09b3fd3ba30c73a9e3bb52444569f7dbf77ad4162099fb4c33e9254

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGK0001.exe
      Filesize

      380KB

      MD5

      dc2804f5dfe7d2c9c9a12779c4d29407

      SHA1

      e68fe18cb64cbdadb93fbec0ce225487304cfc27

      SHA256

      8efdd164c855b1cb1ee061b47c81677db0dfcecb043f8ca0296c81af5cb7418e

      SHA512

      33a89f18edee5f11e796126f4692ebcf4f691db1760a7c454759efe218fb5864c253e24067ba50e2b07ef96f583febe034019dc5475797dc1fe49d5d077abea1

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGK0001.exe
      Filesize

      380KB

      MD5

      dc2804f5dfe7d2c9c9a12779c4d29407

      SHA1

      e68fe18cb64cbdadb93fbec0ce225487304cfc27

      SHA256

      8efdd164c855b1cb1ee061b47c81677db0dfcecb043f8ca0296c81af5cb7418e

      SHA512

      33a89f18edee5f11e796126f4692ebcf4f691db1760a7c454759efe218fb5864c253e24067ba50e2b07ef96f583febe034019dc5475797dc1fe49d5d077abea1

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr652715.exe
      Filesize

      15KB

      MD5

      e7349d1544e27d86442462fb9ea5020b

      SHA1

      4b42d89d8dd77bfe91b199d3f8cfabe989e4e408

      SHA256

      66f2ff73aa4760e88b1a6335445eceebafef849cff520c73c7f4157f01a9c09b

      SHA512

      e2da2c06ccfccd9e1a9c27f52f12e036db21d1325570fb40e9cff0d10d3eefcd54584c936c83fc2dc523e6a94c84e608f342afbef7a5a7073bf7c667551055da

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr652715.exe
      Filesize

      15KB

      MD5

      e7349d1544e27d86442462fb9ea5020b

      SHA1

      4b42d89d8dd77bfe91b199d3f8cfabe989e4e408

      SHA256

      66f2ff73aa4760e88b1a6335445eceebafef849cff520c73c7f4157f01a9c09b

      SHA512

      e2da2c06ccfccd9e1a9c27f52f12e036db21d1325570fb40e9cff0d10d3eefcd54584c936c83fc2dc523e6a94c84e608f342afbef7a5a7073bf7c667551055da

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku696197.exe
      Filesize

      294KB

      MD5

      89d0e7d92aa29cf29be76a983bf09d72

      SHA1

      fc4113b72e19c53b61fc4616be8d4f6ac2c75949

      SHA256

      c5e84a7f29f81dbdb6372afdd5ac60c437457cf42281a4942c07ffa29fe0c8e0

      SHA512

      e50e8fc9cf510fc020a19880c9a8e5398a085617e757b21c19fc8a4b971af39645827b99c03a870d1bb3a2a1e99bbc891e2fc813f008d847cb093294e78f1beb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku696197.exe
      Filesize

      294KB

      MD5

      89d0e7d92aa29cf29be76a983bf09d72

      SHA1

      fc4113b72e19c53b61fc4616be8d4f6ac2c75949

      SHA256

      c5e84a7f29f81dbdb6372afdd5ac60c437457cf42281a4942c07ffa29fe0c8e0

      SHA512

      e50e8fc9cf510fc020a19880c9a8e5398a085617e757b21c19fc8a4b971af39645827b99c03a870d1bb3a2a1e99bbc891e2fc813f008d847cb093294e78f1beb

      Download Submit
    • memory/2056-153-0x0000000000620000-0x000000000066B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/2056-154-0x0000000004AD0000-0x0000000004AE0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2056-155-0x0000000004AE0000-0x0000000005084000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/2056-156-0x0000000004AD0000-0x0000000004AE0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2056-157-0x0000000004AD0000-0x0000000004AE0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2056-158-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2056-159-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2056-161-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2056-163-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2056-165-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2056-167-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2056-169-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2056-171-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2056-173-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2056-175-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2056-177-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2056-179-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2056-181-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2056-183-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2056-185-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2056-187-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2056-189-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2056-191-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2056-193-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2056-195-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2056-197-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2056-199-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2056-201-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2056-203-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2056-205-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2056-207-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2056-209-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2056-211-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2056-213-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2056-215-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2056-217-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2056-219-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2056-221-0x0000000004A60000-0x0000000004A9F000-memory.dmp
      Filesize

      252KB

      Download
    • memory/2056-1064-0x0000000005200000-0x0000000005818000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/2056-1065-0x00000000058A0000-0x00000000059AA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/2056-1066-0x00000000059E0000-0x00000000059F2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2056-1067-0x0000000004AD0000-0x0000000004AE0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2056-1068-0x0000000005A00000-0x0000000005A3C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/2056-1070-0x0000000004AD0000-0x0000000004AE0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2056-1071-0x0000000004AD0000-0x0000000004AE0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2056-1072-0x0000000004AD0000-0x0000000004AE0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2056-1073-0x0000000004AD0000-0x0000000004AE0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2056-1074-0x0000000005CF0000-0x0000000005D82000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2056-1075-0x0000000005D90000-0x0000000005DF6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2056-1077-0x0000000006830000-0x00000000069F2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/2056-1078-0x0000000006A10000-0x0000000006F3C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/2056-1079-0x0000000007070000-0x00000000070E6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/2056-1080-0x0000000007100000-0x0000000007150000-memory.dmp
      Filesize

      320KB

      Download
    • memory/2972-1087-0x0000000000BC0000-0x0000000000BF2000-memory.dmp
      Filesize

      200KB

      Download
    • memory/2972-1088-0x0000000005450000-0x0000000005460000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4376-147-0x0000000000F50000-0x0000000000F5A000-memory.dmp
      Filesize

      40KB

      Download