Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    61s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2023 20:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    25d6586b4a3ad835e4750a04b5a988fcba9ef06248852ab1d0a914e378b1be5b.exe

  • Size

    657KB

  • MD5

    02d66625f37d126277af901c761ba200

  • SHA1

    e8afa6f81175d7985323f8432234e1c135f29da3

  • SHA256

    25d6586b4a3ad835e4750a04b5a988fcba9ef06248852ab1d0a914e378b1be5b

  • SHA512

    0e20376da712307dc4cd667e8a6fbdaf7c11c347aeadc9b6c5dda03dd59e45d3ecb0967005e6b9d13a2d3b16b435e6ee4840766394becd2d7601f5b2784e3fde

  • SSDEEP

    12288:nMrEy90Mm3WRkDLsZVRbt1RKeQeuNLt8nF7YOm44WzWKRZ8vTC0ad7:/yC3WRk0dbtjuhiEOP4PKUC0ad7

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 18 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\25d6586b4a3ad835e4750a04b5a988fcba9ef06248852ab1d0a914e378b1be5b.exe
    "C:\Users\Admin\AppData\Local\Temp\25d6586b4a3ad835e4750a04b5a988fcba9ef06248852ab1d0a914e378b1be5b.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1908
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un884562.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un884562.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1960
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9610.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9610.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3532
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 1080
          4⤵
          • Program crash
          PID:4052
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5019.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5019.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4452
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 1356
          4⤵
          • Program crash
          PID:2112
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si072562.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si072562.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3140
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3532 -ip 3532
    1⤵
      PID:848
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4452 -ip 4452
      1⤵
        PID:1768

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si072562.exe
        Filesize

        175KB

        MD5

        f727263d187ee1e3fd424db10e5eb666

        SHA1

        afbc6e83a7c33148b75d8a20561e682554a73da3

        SHA256

        8aad11c9d22890fb2ddd2b965d043f0918a7ffef9dda41ea740775718035fa94

        SHA512

        5ae9bb8f9d12538aa10d0549eb3751e0754fa40b946f0fb4faddd71f242802a4443102285c55bf2803102c33dd9c24150b118a72a6a0cb82f232e2b55f643ae5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si072562.exe
        Filesize

        175KB

        MD5

        f727263d187ee1e3fd424db10e5eb666

        SHA1

        afbc6e83a7c33148b75d8a20561e682554a73da3

        SHA256

        8aad11c9d22890fb2ddd2b965d043f0918a7ffef9dda41ea740775718035fa94

        SHA512

        5ae9bb8f9d12538aa10d0549eb3751e0754fa40b946f0fb4faddd71f242802a4443102285c55bf2803102c33dd9c24150b118a72a6a0cb82f232e2b55f643ae5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un884562.exe
        Filesize

        515KB

        MD5

        90742f17d740243b534e59204a42048b

        SHA1

        5180fb95a9f64e5c2095bb4746b7c226b1fe6186

        SHA256

        dd4a9e9213029323c0e59b0977e2dfeec5a258d0e2e8cdaecb7afec22c19070e

        SHA512

        bafb67c3b6daa5285d53f40d7c5a2bfe6613d64ea795b64c68d83e51c1e46300f4e7aeb94e5e48440ff73588b273bd9414df0bb4068a7e00cc74b05b2df1c197

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un884562.exe
        Filesize

        515KB

        MD5

        90742f17d740243b534e59204a42048b

        SHA1

        5180fb95a9f64e5c2095bb4746b7c226b1fe6186

        SHA256

        dd4a9e9213029323c0e59b0977e2dfeec5a258d0e2e8cdaecb7afec22c19070e

        SHA512

        bafb67c3b6daa5285d53f40d7c5a2bfe6613d64ea795b64c68d83e51c1e46300f4e7aeb94e5e48440ff73588b273bd9414df0bb4068a7e00cc74b05b2df1c197

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9610.exe
        Filesize

        235KB

        MD5

        8e3e34e94c4464a33000f0b00128b748

        SHA1

        656821d1716a7fa946d1617e3e1cdb4972ec674d

        SHA256

        71aef0cb9611fea7299e9eff0bdee8cfefda86b20a221ad8596901a36ab20ff2

        SHA512

        a0d7cebd4fe8dd8dc130ca9df0278be0083edbd4a098a2511707b4bff0bf267d979254bcc52b1527fbe77b623d1e2b0ac02197d474de7f9d26e8586f7387ed34

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9610.exe
        Filesize

        235KB

        MD5

        8e3e34e94c4464a33000f0b00128b748

        SHA1

        656821d1716a7fa946d1617e3e1cdb4972ec674d

        SHA256

        71aef0cb9611fea7299e9eff0bdee8cfefda86b20a221ad8596901a36ab20ff2

        SHA512

        a0d7cebd4fe8dd8dc130ca9df0278be0083edbd4a098a2511707b4bff0bf267d979254bcc52b1527fbe77b623d1e2b0ac02197d474de7f9d26e8586f7387ed34

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5019.exe
        Filesize

        294KB

        MD5

        c43c12d5cb1cbe99962f085c74eada3c

        SHA1

        f5ffce1905e282d382f665ce4573f7b4ff088f90

        SHA256

        acaba20ade4e6b6fa0aecc512fb6c6752f070c0e20e3e09ef65613ee357cd221

        SHA512

        327fa6eb1ca13a88ff4c48e2da25a082cf0436ad19a9bf80c458f03cca1ea436b7ef8ca3e0d461f5bcdb7dc67e08fae3e47d5b7cceba36f0426c7e670dad5a80

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5019.exe
        Filesize

        294KB

        MD5

        c43c12d5cb1cbe99962f085c74eada3c

        SHA1

        f5ffce1905e282d382f665ce4573f7b4ff088f90

        SHA256

        acaba20ade4e6b6fa0aecc512fb6c6752f070c0e20e3e09ef65613ee357cd221

        SHA512

        327fa6eb1ca13a88ff4c48e2da25a082cf0436ad19a9bf80c458f03cca1ea436b7ef8ca3e0d461f5bcdb7dc67e08fae3e47d5b7cceba36f0426c7e670dad5a80

        Download Submit

      • memory/3140-1119-0x0000000000570000-0x00000000005A2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3140-1120-0x0000000004E70000-0x0000000004E80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3532-157-0x0000000002420000-0x0000000002432000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3532-167-0x0000000002420000-0x0000000002432000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3532-151-0x00000000023F0000-0x0000000002400000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3532-152-0x0000000002420000-0x0000000002432000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3532-153-0x0000000002420000-0x0000000002432000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3532-155-0x0000000002420000-0x0000000002432000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3532-149-0x0000000000600000-0x000000000062D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/3532-159-0x0000000002420000-0x0000000002432000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3532-161-0x0000000002420000-0x0000000002432000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3532-163-0x0000000002420000-0x0000000002432000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3532-165-0x0000000002420000-0x0000000002432000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3532-150-0x00000000023F0000-0x0000000002400000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3532-169-0x0000000002420000-0x0000000002432000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3532-171-0x0000000002420000-0x0000000002432000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3532-173-0x0000000002420000-0x0000000002432000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3532-175-0x0000000002420000-0x0000000002432000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3532-177-0x0000000002420000-0x0000000002432000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3532-179-0x0000000002420000-0x0000000002432000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3532-180-0x0000000000400000-0x00000000004A9000-memory.dmp

        Filesize

        676KB

        Download

      • memory/3532-181-0x00000000023F0000-0x0000000002400000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3532-182-0x00000000023F0000-0x0000000002400000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3532-184-0x0000000000400000-0x00000000004A9000-memory.dmp

        Filesize

        676KB

        Download

      • memory/3532-148-0x0000000004B90000-0x0000000005134000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4452-192-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4452-320-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4452-194-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4452-196-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4452-198-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4452-200-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4452-202-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4452-204-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4452-206-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4452-208-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4452-210-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4452-212-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4452-214-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4452-216-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4452-218-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4452-220-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4452-222-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4452-190-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4452-322-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4452-318-0x0000000000740000-0x000000000078B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/4452-1098-0x00000000052A0000-0x00000000058B8000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/4452-1099-0x00000000058C0000-0x00000000059CA000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/4452-1100-0x00000000059E0000-0x00000000059F2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4452-1101-0x0000000005A00000-0x0000000005A3C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/4452-1102-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4452-1103-0x0000000005CF0000-0x0000000005D82000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4452-1104-0x0000000005D90000-0x0000000005DF6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4452-1106-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4452-1107-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4452-1108-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4452-1109-0x0000000006600000-0x0000000006676000-memory.dmp

        Filesize

        472KB

        Download

      • memory/4452-1110-0x0000000006680000-0x00000000066D0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4452-189-0x0000000004AB0000-0x0000000004AEF000-memory.dmp

        Filesize

        252KB

        Download

      • memory/4452-1111-0x00000000066E0000-0x00000000068A2000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/4452-1112-0x00000000068B0000-0x0000000006DDC000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/4452-1113-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

        Filesize

        64KB

        Download