Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    53s
  • max time network
    56s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    03-04-2023 20:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f4d1b036c3618815c4a2595d5361f058921f1d31a4f25170d1d98a2872346baf.exe

  • Size

    522KB

  • MD5

    d396e253c892886611acd1cde94f75e7

  • SHA1

    1b6ccdb70dbc3b1e246edd4a2ebb03453637cfe3

  • SHA256

    f4d1b036c3618815c4a2595d5361f058921f1d31a4f25170d1d98a2872346baf

  • SHA512

    3da940adce815e9db8a71c88f5870bff6764eddb023212a160f97f9f84304e0b2e3843a2e0e54012eaede0c4f1bf97f48335c9a4d48891e15dd6e7d3edf68aad

  • SSDEEP

    12288:GMr5y90WfOC61sZ2Zg/FMZUCii8XJ4omzWPQlQuMzd+ruB7GiA:Py7fOn/g/uZHiXiofPYQnYaBBA

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f4d1b036c3618815c4a2595d5361f058921f1d31a4f25170d1d98a2872346baf.exe
    "C:\Users\Admin\AppData\Local\Temp\f4d1b036c3618815c4a2595d5361f058921f1d31a4f25170d1d98a2872346baf.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1952
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPB8283.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPB8283.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2060
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr118670.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr118670.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2440
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku567859.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku567859.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2528
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr339237.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr339237.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr339237.exe
    Filesize

    175KB

    MD5

    7f0d8feae38a42f66e349efe590b0c2b

    SHA1

    abd0e59a56b74dad0aed9126b48d616731323a51

    SHA256

    816bda5336520d9fa191372b4ef09800a310149c7c63ee1329a6f5febcd0acc6

    SHA512

    4c1fa015cc6b7c47828ae877c27a451ff622588adcf4ae3a26ab3ace53f397e1f6127e56dcf3cb9f9e999ee148312064028f780c39cb5122927865b838d8fe36

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr339237.exe
    Filesize

    175KB

    MD5

    7f0d8feae38a42f66e349efe590b0c2b

    SHA1

    abd0e59a56b74dad0aed9126b48d616731323a51

    SHA256

    816bda5336520d9fa191372b4ef09800a310149c7c63ee1329a6f5febcd0acc6

    SHA512

    4c1fa015cc6b7c47828ae877c27a451ff622588adcf4ae3a26ab3ace53f397e1f6127e56dcf3cb9f9e999ee148312064028f780c39cb5122927865b838d8fe36

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPB8283.exe
    Filesize

    379KB

    MD5

    201062a3d58682775152f2defc88acca

    SHA1

    1381f5f18797c17fd741d6be646baf6d565ce102

    SHA256

    6f5fb09ada46bcce820a80ac1e37595a412bde9ede4fb84fbbcd1b3c18ea3637

    SHA512

    c9c2890c40b14beb8349f7b0e00476ff35f5c9480e62b7ded7b997ed77919311e347d2330c0b6f07cae5a1d076c6b0d134c7d7219633fdcbf89c6724e63f25be

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPB8283.exe
    Filesize

    379KB

    MD5

    201062a3d58682775152f2defc88acca

    SHA1

    1381f5f18797c17fd741d6be646baf6d565ce102

    SHA256

    6f5fb09ada46bcce820a80ac1e37595a412bde9ede4fb84fbbcd1b3c18ea3637

    SHA512

    c9c2890c40b14beb8349f7b0e00476ff35f5c9480e62b7ded7b997ed77919311e347d2330c0b6f07cae5a1d076c6b0d134c7d7219633fdcbf89c6724e63f25be

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr118670.exe
    Filesize

    15KB

    MD5

    f6a1aabb6efebbdc37a54e18a4bbf266

    SHA1

    faa97a34de71057cea37dec52fabb36d314616de

    SHA256

    4fdafd95a8a0a2c279732be6dc2bee371673c08a312325f5443ef1ed635c01c8

    SHA512

    abf8eee79db16981e26262e78692235cab898f350122b36daf522925aaa8cec56ccd8ffba8b7bf43a1d00c6b6b5f76f3600751c3b9809f37ec76f389fc2a4840

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr118670.exe
    Filesize

    15KB

    MD5

    f6a1aabb6efebbdc37a54e18a4bbf266

    SHA1

    faa97a34de71057cea37dec52fabb36d314616de

    SHA256

    4fdafd95a8a0a2c279732be6dc2bee371673c08a312325f5443ef1ed635c01c8

    SHA512

    abf8eee79db16981e26262e78692235cab898f350122b36daf522925aaa8cec56ccd8ffba8b7bf43a1d00c6b6b5f76f3600751c3b9809f37ec76f389fc2a4840

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku567859.exe
    Filesize

    294KB

    MD5

    0a0bff8aa55665bed457221db046e255

    SHA1

    8bb3f07b4376cbc02da80d64636c6399de3918ee

    SHA256

    3f34bc509417c6bd8c4b92ea074dec3c3c30beaeab91c708e5b3e7dbb866f3b6

    SHA512

    bf19bd73d778f790e1851137afdd3b4fa396f10b6ac2de8ac5ec5a8e49d744926888f3081a3377d495b19f3eb7ed9fb04ee7ff4b9de0513fa14b6097f2f61de0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku567859.exe
    Filesize

    294KB

    MD5

    0a0bff8aa55665bed457221db046e255

    SHA1

    8bb3f07b4376cbc02da80d64636c6399de3918ee

    SHA256

    3f34bc509417c6bd8c4b92ea074dec3c3c30beaeab91c708e5b3e7dbb866f3b6

    SHA512

    bf19bd73d778f790e1851137afdd3b4fa396f10b6ac2de8ac5ec5a8e49d744926888f3081a3377d495b19f3eb7ed9fb04ee7ff4b9de0513fa14b6097f2f61de0

    Download Submit
  • memory/2440-135-0x0000000000990000-0x000000000099A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2528-141-0x0000000000590000-0x00000000005DB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/2528-142-0x0000000002530000-0x0000000002576000-memory.dmp
    Filesize

    280KB

    Download
  • memory/2528-143-0x0000000004C10000-0x0000000004C20000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2528-144-0x0000000004C20000-0x000000000511E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2528-145-0x00000000026D0000-0x0000000002714000-memory.dmp
    Filesize

    272KB

    Download
  • memory/2528-146-0x00000000026D0000-0x000000000270F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2528-147-0x00000000026D0000-0x000000000270F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2528-149-0x00000000026D0000-0x000000000270F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2528-151-0x00000000026D0000-0x000000000270F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2528-153-0x00000000026D0000-0x000000000270F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2528-155-0x00000000026D0000-0x000000000270F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2528-157-0x00000000026D0000-0x000000000270F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2528-159-0x00000000026D0000-0x000000000270F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2528-161-0x00000000026D0000-0x000000000270F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2528-163-0x00000000026D0000-0x000000000270F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2528-165-0x00000000026D0000-0x000000000270F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2528-167-0x00000000026D0000-0x000000000270F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2528-169-0x00000000026D0000-0x000000000270F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2528-171-0x00000000026D0000-0x000000000270F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2528-173-0x00000000026D0000-0x000000000270F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2528-175-0x00000000026D0000-0x000000000270F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2528-177-0x00000000026D0000-0x000000000270F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2528-179-0x00000000026D0000-0x000000000270F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2528-181-0x00000000026D0000-0x000000000270F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2528-183-0x00000000026D0000-0x000000000270F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2528-185-0x00000000026D0000-0x000000000270F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2528-187-0x00000000026D0000-0x000000000270F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2528-189-0x00000000026D0000-0x000000000270F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2528-191-0x00000000026D0000-0x000000000270F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2528-193-0x00000000026D0000-0x000000000270F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2528-195-0x00000000026D0000-0x000000000270F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2528-197-0x00000000026D0000-0x000000000270F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2528-199-0x00000000026D0000-0x000000000270F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2528-201-0x00000000026D0000-0x000000000270F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2528-203-0x00000000026D0000-0x000000000270F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2528-205-0x00000000026D0000-0x000000000270F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2528-207-0x00000000026D0000-0x000000000270F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2528-209-0x00000000026D0000-0x000000000270F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2528-1052-0x0000000005730000-0x0000000005D36000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/2528-1053-0x0000000005120000-0x000000000522A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/2528-1054-0x0000000004B70000-0x0000000004B82000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2528-1055-0x0000000004B90000-0x0000000004BCE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/2528-1056-0x0000000004C10000-0x0000000004C20000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2528-1057-0x0000000005330000-0x000000000537B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/2528-1059-0x0000000005490000-0x0000000005522000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2528-1060-0x0000000005530000-0x0000000005596000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2528-1061-0x0000000006490000-0x0000000006506000-memory.dmp
    Filesize

    472KB

    Download
  • memory/2528-1062-0x0000000006510000-0x0000000006560000-memory.dmp
    Filesize

    320KB

    Download
  • memory/2528-1063-0x0000000004C10000-0x0000000004C20000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2528-1064-0x0000000006580000-0x0000000006742000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2528-1065-0x0000000006750000-0x0000000006C7C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4248-1072-0x0000000000280000-0x00000000002B2000-memory.dmp
    Filesize

    200KB

    Download
  • memory/4248-1073-0x0000000004BB0000-0x0000000004BFB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4248-1074-0x0000000002550000-0x0000000002560000-memory.dmp
    Filesize

    64KB

    Download