Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    51s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/04/2023, 20:45

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    cc0f454b66b661eff55a13a25bab010651a2d2e5a413f0b914fe2d799d8e15d5.exe

  • Size

    522KB

  • MD5

    8dd55f64a31134724343fa69648041fb

  • SHA1

    8fcb3c3deff9b61118e3965f4f4a8f278640ad08

  • SHA256

    cc0f454b66b661eff55a13a25bab010651a2d2e5a413f0b914fe2d799d8e15d5

  • SHA512

    c1917a0775cd43825100f60baa99d730f4b2acddcc4b449a98e9ab86aee7da4304e7df1aeb7ea4b9fc82258cef106738542f35033cf1fccbc28bd6f9c9cbdb02

  • SSDEEP

    12288:RMrJy90cORox6nx348+8qp4kJzWK5/8vRXpOzJ:oy3mIuqCkMKEXg

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cc0f454b66b661eff55a13a25bab010651a2d2e5a413f0b914fe2d799d8e15d5.exe
    "C:\Users\Admin\AppData\Local\Temp\cc0f454b66b661eff55a13a25bab010651a2d2e5a413f0b914fe2d799d8e15d5.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4852
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zioL7552.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zioL7552.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1940
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr563970.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr563970.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1952
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku871450.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku871450.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4376
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 1336
          4⤵
          • Program crash
          PID:740
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr656578.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr656578.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3704
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4376 -ip 4376
    1⤵
      PID:3364

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr656578.exe
            Filesize

            175KB

            MD5

            9e18740902004ebac0402948b641def3

            SHA1

            b5dfb9f9da5e149e2bb60b71d5ea6a081ff6b7af

            SHA256

            54a3ff84d39002ff9567cc1d85b3a855e40fab8e91bae4fdde5d769966af0f81

            SHA512

            b1128ecadf1fa39f58674df5648a2ce3c5a831cb94e8481d87d854f9685137654e69ba0f977d77b4d8863d97032c280c380772772165582b027fca144df8e78b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr656578.exe
            Filesize

            175KB

            MD5

            9e18740902004ebac0402948b641def3

            SHA1

            b5dfb9f9da5e149e2bb60b71d5ea6a081ff6b7af

            SHA256

            54a3ff84d39002ff9567cc1d85b3a855e40fab8e91bae4fdde5d769966af0f81

            SHA512

            b1128ecadf1fa39f58674df5648a2ce3c5a831cb94e8481d87d854f9685137654e69ba0f977d77b4d8863d97032c280c380772772165582b027fca144df8e78b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zioL7552.exe
            Filesize

            380KB

            MD5

            8a25f9b0bc830b85f6912cf7821286dc

            SHA1

            26865e5502f93c54c281177ddbd262cc9098cdc6

            SHA256

            f92779b70eea857477232ba08dc760ef34c9a675c1baf332223679af2bd0b07e

            SHA512

            a5bd87db48164735b15ad54ee1e4d5d863b68c9ee4c0da1fd1fec39e4d5bbc0758e91567518750cd94511247b167a62ccb1b258cd9c2fa40c7bb52600cbcdab0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zioL7552.exe
            Filesize

            380KB

            MD5

            8a25f9b0bc830b85f6912cf7821286dc

            SHA1

            26865e5502f93c54c281177ddbd262cc9098cdc6

            SHA256

            f92779b70eea857477232ba08dc760ef34c9a675c1baf332223679af2bd0b07e

            SHA512

            a5bd87db48164735b15ad54ee1e4d5d863b68c9ee4c0da1fd1fec39e4d5bbc0758e91567518750cd94511247b167a62ccb1b258cd9c2fa40c7bb52600cbcdab0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr563970.exe
            Filesize

            15KB

            MD5

            3f95c368a2f20d435624a7ef6932649d

            SHA1

            379178e177031f71746b102cdc157ab1b3520a1e

            SHA256

            074142582410d24c30522edbf997852d3ee51fa2c2d12a2561dc079c475106ce

            SHA512

            4f7c1ee9085230fc29207e97356b048dd94530920210ca2de6a1b4ac93801ab8a80fc17879a26f18353c2f912d808548c4abde94d2ad892d5c28f0abbc14eb74

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr563970.exe
            Filesize

            15KB

            MD5

            3f95c368a2f20d435624a7ef6932649d

            SHA1

            379178e177031f71746b102cdc157ab1b3520a1e

            SHA256

            074142582410d24c30522edbf997852d3ee51fa2c2d12a2561dc079c475106ce

            SHA512

            4f7c1ee9085230fc29207e97356b048dd94530920210ca2de6a1b4ac93801ab8a80fc17879a26f18353c2f912d808548c4abde94d2ad892d5c28f0abbc14eb74

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku871450.exe
            Filesize

            294KB

            MD5

            7ed635b62b6690c7476799399cbb8979

            SHA1

            164d28451fb081ae1ca3285424abb0849b0e5cc6

            SHA256

            925a2174ee3d930e3835d993bf60bbc8169fed06ed0253845321c89b307e4e95

            SHA512

            27d97b2b76179bb2c242177b207fbe63fe71339310ec507c6bb7d9d03103f6a70d87d34b4e09f2cb79dde2c52cf517ff7df41eaca5e78763ce6ea9e9b1d3ebff

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku871450.exe
            Filesize

            294KB

            MD5

            7ed635b62b6690c7476799399cbb8979

            SHA1

            164d28451fb081ae1ca3285424abb0849b0e5cc6

            SHA256

            925a2174ee3d930e3835d993bf60bbc8169fed06ed0253845321c89b307e4e95

            SHA512

            27d97b2b76179bb2c242177b207fbe63fe71339310ec507c6bb7d9d03103f6a70d87d34b4e09f2cb79dde2c52cf517ff7df41eaca5e78763ce6ea9e9b1d3ebff

            Download Submit

          • memory/1952-147-0x0000000000160000-0x000000000016A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/3704-1085-0x0000000000080000-0x00000000000B2000-memory.dmp

            Filesize

            200KB

            Download

          • memory/3704-1086-0x00000000049E0000-0x00000000049F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3704-1087-0x00000000049E0000-0x00000000049F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4376-191-0x0000000004A60000-0x0000000004A9F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4376-203-0x0000000004A60000-0x0000000004A9F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4376-156-0x0000000004A60000-0x0000000004A9F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4376-157-0x0000000004A60000-0x0000000004A9F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4376-159-0x0000000004A60000-0x0000000004A9F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4376-161-0x0000000004A60000-0x0000000004A9F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4376-163-0x0000000004A60000-0x0000000004A9F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4376-165-0x0000000004A60000-0x0000000004A9F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4376-167-0x0000000004A60000-0x0000000004A9F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4376-169-0x0000000004A60000-0x0000000004A9F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4376-171-0x0000000004A60000-0x0000000004A9F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4376-173-0x0000000004A60000-0x0000000004A9F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4376-175-0x0000000004A60000-0x0000000004A9F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4376-177-0x0000000004A60000-0x0000000004A9F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4376-179-0x0000000004A60000-0x0000000004A9F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4376-181-0x0000000004A60000-0x0000000004A9F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4376-183-0x0000000004A60000-0x0000000004A9F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4376-185-0x0000000004A60000-0x0000000004A9F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4376-187-0x0000000004A60000-0x0000000004A9F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4376-189-0x0000000004A60000-0x0000000004A9F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4376-154-0x0000000004B00000-0x0000000004B10000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4376-194-0x0000000004B00000-0x0000000004B10000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4376-195-0x0000000004A60000-0x0000000004A9F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4376-192-0x0000000004B00000-0x0000000004B10000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4376-197-0x0000000004A60000-0x0000000004A9F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4376-199-0x0000000004A60000-0x0000000004A9F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4376-201-0x0000000004A60000-0x0000000004A9F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4376-155-0x0000000004B10000-0x00000000050B4000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/4376-205-0x0000000004A60000-0x0000000004A9F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4376-207-0x0000000004A60000-0x0000000004A9F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4376-209-0x0000000004A60000-0x0000000004A9F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4376-211-0x0000000004A60000-0x0000000004A9F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4376-213-0x0000000004A60000-0x0000000004A9F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4376-215-0x0000000004A60000-0x0000000004A9F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4376-217-0x0000000004A60000-0x0000000004A9F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4376-219-0x0000000004A60000-0x0000000004A9F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4376-221-0x0000000004A60000-0x0000000004A9F000-memory.dmp

            Filesize

            252KB

            Download

          • memory/4376-1064-0x00000000050C0000-0x00000000056D8000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/4376-1065-0x0000000005760000-0x000000000586A000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/4376-1066-0x00000000058A0000-0x00000000058B2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4376-1067-0x00000000058C0000-0x00000000058FC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/4376-1068-0x0000000004B00000-0x0000000004B10000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4376-1070-0x0000000005BB0000-0x0000000005C42000-memory.dmp

            Filesize

            584KB

            Download

          • memory/4376-1071-0x0000000005C50000-0x0000000005CB6000-memory.dmp

            Filesize

            408KB

            Download

          • memory/4376-1072-0x0000000004B00000-0x0000000004B10000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4376-1073-0x0000000006450000-0x00000000064C6000-memory.dmp

            Filesize

            472KB

            Download

          • memory/4376-1074-0x00000000064E0000-0x0000000006530000-memory.dmp

            Filesize

            320KB

            Download

          • memory/4376-1075-0x0000000004B00000-0x0000000004B10000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4376-153-0x00000000020F0000-0x000000000213B000-memory.dmp

            Filesize

            300KB

            Download

          • memory/4376-1076-0x0000000004B00000-0x0000000004B10000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4376-1077-0x0000000004B00000-0x0000000004B10000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4376-1078-0x00000000066A0000-0x0000000006862000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/4376-1079-0x0000000006870000-0x0000000006D9C000-memory.dmp

            Filesize

            5.2MB

            Download