Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    102s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2023 20:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f8d742f5df0a80fd70369f7b82fe212025758e0543c75262e4696738174b3431.exe

  • Size

    521KB

  • MD5

    2c5929ed3f55331be70b29f098bb5b0e

  • SHA1

    d0b325af88e64495f93e83f087916c03707f9076

  • SHA256

    f8d742f5df0a80fd70369f7b82fe212025758e0543c75262e4696738174b3431

  • SHA512

    0f614fa6813be8169ddeb9c177abf89ae5f0d325adeab84acd551a1baf8d94a701eb2e67d4441f8379e85d5092e394aa69591d2e790b705d33ad35e7250e54d1

  • SSDEEP

    12288:dMrPy90nDEzZrxZbuSEWzhc8Vak8EI44tzWgyDJdpv:WyflrDqWzuxFEB4w5Jr

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f8d742f5df0a80fd70369f7b82fe212025758e0543c75262e4696738174b3431.exe
    "C:\Users\Admin\AppData\Local\Temp\f8d742f5df0a80fd70369f7b82fe212025758e0543c75262e4696738174b3431.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4348
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zinm1727.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zinm1727.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3548
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr769718.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr769718.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:64
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku302874.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku302874.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2240
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 1460
          4⤵
          • Program crash
          PID:2004
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr823225.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr823225.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4360
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2240 -ip 2240
    1⤵
      PID:3092

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr823225.exe
      Filesize

      175KB

      MD5

      ac06f47f3787ad344caa5a5ab818cb91

      SHA1

      a2c4fbe84b3ab11da7af400aec8d0ac02e733277

      SHA256

      f3b4b78699b595ae7b170be5d9f003773413d3d7f1c3bae59af5417688787373

      SHA512

      e61fb91de3b895d0a1aa97eac998cf2f9ccb08c076d2578180937a8d2e6480a41060825703a0de2369633883dd73d4da79d90a2c60ad8649361ebd2fe663f3b1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr823225.exe
      Filesize

      175KB

      MD5

      ac06f47f3787ad344caa5a5ab818cb91

      SHA1

      a2c4fbe84b3ab11da7af400aec8d0ac02e733277

      SHA256

      f3b4b78699b595ae7b170be5d9f003773413d3d7f1c3bae59af5417688787373

      SHA512

      e61fb91de3b895d0a1aa97eac998cf2f9ccb08c076d2578180937a8d2e6480a41060825703a0de2369633883dd73d4da79d90a2c60ad8649361ebd2fe663f3b1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zinm1727.exe
      Filesize

      379KB

      MD5

      f5a58a173c35eceec03981452fb5fae8

      SHA1

      df07f123e75c4ddd2917b761f979ef23600b576a

      SHA256

      4777e2c1578cb9c3c2893ef82a5c957b1e0871a95288b83683e0a47e0f9d72ed

      SHA512

      6b2b6a67e9ff712bb81233bd9adf6b997fa264530210d8e92f73aaca4194a00dcd8131376a52307ab9367e2dc8a8ec551ba02433c5bf8c423cd650e75bcb4e03

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zinm1727.exe
      Filesize

      379KB

      MD5

      f5a58a173c35eceec03981452fb5fae8

      SHA1

      df07f123e75c4ddd2917b761f979ef23600b576a

      SHA256

      4777e2c1578cb9c3c2893ef82a5c957b1e0871a95288b83683e0a47e0f9d72ed

      SHA512

      6b2b6a67e9ff712bb81233bd9adf6b997fa264530210d8e92f73aaca4194a00dcd8131376a52307ab9367e2dc8a8ec551ba02433c5bf8c423cd650e75bcb4e03

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr769718.exe
      Filesize

      15KB

      MD5

      1b34bf35618ce32a960eaaeadd04d75d

      SHA1

      0b7b99d34441e76d63837545c5e067343a9baf40

      SHA256

      40508f3e93425b88ea30a2035103e100f99f63c8259a2759a51340da6dfad5c8

      SHA512

      61f126f99b75e45e49eaf063a94e976f6308ea280c9de2d06f8318d5b297686070afab523124e97cc76a29ab7f44a5e79f7ab1d0f3ddae54a945723a7ca12d21

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr769718.exe
      Filesize

      15KB

      MD5

      1b34bf35618ce32a960eaaeadd04d75d

      SHA1

      0b7b99d34441e76d63837545c5e067343a9baf40

      SHA256

      40508f3e93425b88ea30a2035103e100f99f63c8259a2759a51340da6dfad5c8

      SHA512

      61f126f99b75e45e49eaf063a94e976f6308ea280c9de2d06f8318d5b297686070afab523124e97cc76a29ab7f44a5e79f7ab1d0f3ddae54a945723a7ca12d21

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku302874.exe
      Filesize

      294KB

      MD5

      88bd09f63d02c1bfff3c578b8da07f79

      SHA1

      0fe70f47c13a3e3d0ec9cf2c7cd528e0e9ad65c3

      SHA256

      2db084a7a20f3bb771d2e77b2d2c90b9e82bd2c726fadb8ac71dbb74bbc4c406

      SHA512

      7015e7dcca8b35762bcf2359bc89941d63e396ef6b7980024aa47681b70f5a2ccd3518c4d1d688ac42fb79485ffad41921eee61af344a7aa255c21f544f8aa88

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku302874.exe
      Filesize

      294KB

      MD5

      88bd09f63d02c1bfff3c578b8da07f79

      SHA1

      0fe70f47c13a3e3d0ec9cf2c7cd528e0e9ad65c3

      SHA256

      2db084a7a20f3bb771d2e77b2d2c90b9e82bd2c726fadb8ac71dbb74bbc4c406

      SHA512

      7015e7dcca8b35762bcf2359bc89941d63e396ef6b7980024aa47681b70f5a2ccd3518c4d1d688ac42fb79485ffad41921eee61af344a7aa255c21f544f8aa88

      Download Submit

    • memory/64-147-0x0000000000260000-0x000000000026A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2240-153-0x0000000004D00000-0x00000000052A4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2240-159-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2240-157-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2240-155-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2240-154-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2240-161-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2240-163-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2240-165-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2240-167-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2240-170-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2240-172-0x0000000004CF0000-0x0000000004D00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2240-173-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2240-169-0x0000000002190000-0x00000000021DB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2240-176-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2240-174-0x0000000004CF0000-0x0000000004D00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2240-178-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2240-180-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2240-182-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2240-184-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2240-186-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2240-188-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2240-190-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2240-192-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2240-194-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2240-196-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2240-198-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2240-200-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2240-202-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2240-204-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2240-206-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2240-208-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2240-210-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2240-212-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2240-216-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2240-218-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2240-214-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2240-220-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2240-1063-0x00000000052B0000-0x00000000058C8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2240-1064-0x00000000058D0000-0x00000000059DA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2240-1065-0x00000000059E0000-0x00000000059F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2240-1066-0x0000000005A00000-0x0000000005A3C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2240-1067-0x0000000004CF0000-0x0000000004D00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2240-1069-0x0000000005CF0000-0x0000000005D82000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2240-1070-0x0000000005D90000-0x0000000005DF6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2240-1071-0x0000000004CF0000-0x0000000004D00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2240-1072-0x0000000004CF0000-0x0000000004D00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2240-1073-0x0000000004CF0000-0x0000000004D00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2240-1074-0x0000000006700000-0x0000000006776000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2240-1075-0x0000000006780000-0x00000000067D0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/2240-1076-0x0000000004CF0000-0x0000000004D00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2240-1077-0x00000000067F0000-0x00000000069B2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2240-1078-0x00000000069C0000-0x0000000006EEC000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4360-1084-0x0000000000AF0000-0x0000000000B22000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4360-1085-0x0000000005460000-0x0000000005470000-memory.dmp

      Filesize

      64KB

      Download