Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2023 21:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ec7e0be847b78cd2100aa669c004ff7e92d95b20bed8a221b1d3ca14d548227b.exe

  • Size

    658KB

  • MD5

    f3e70e106bfcf7df3ce1c008e297e8fe

  • SHA1

    9419740bf4c85cc7517c3c71a5192e8e584849f7

  • SHA256

    ec7e0be847b78cd2100aa669c004ff7e92d95b20bed8a221b1d3ca14d548227b

  • SHA512

    b9532697c7864225ba30c865d250be8e6b6a29bc1fa50b5a7e99853d6099cee82f7da5d7eaa464109ffa31331ad3a76cc2777cfae9be6888d076d198c8652525

  • SSDEEP

    12288:JMrYy90tBUKU09K27MiD+Mety+dQJHIAUoF9x644xzWKb78vAIMQGAN:NyuqCtMkmtdO3UoDx74EK0h

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 19 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ec7e0be847b78cd2100aa669c004ff7e92d95b20bed8a221b1d3ca14d548227b.exe
    "C:\Users\Admin\AppData\Local\Temp\ec7e0be847b78cd2100aa669c004ff7e92d95b20bed8a221b1d3ca14d548227b.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4412
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un765319.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un765319.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1516
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3505.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3505.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4676
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 1080
          4⤵
          • Program crash
          PID:4804
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0863.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0863.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4240
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 1968
          4⤵
          • Program crash
          PID:1276
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si719538.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si719538.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4564
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4676 -ip 4676
    1⤵
      PID:4448
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4240 -ip 4240
      1⤵
        PID:224

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Modify Existing Service

      1
      T1031

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      3
      T1112

      Disabling Security Tools

      2
      T1089

      Credential Access

      Credentials in Files

      2
      T1081

      Discovery

      Query Registry

      1
      T1012

      Lateral Movement

      Collection

      Data from Local System

      2
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si719538.exe
        Filesize

        175KB

        MD5

        c60488f678115445b48915c75ab2a71b

        SHA1

        2a8cf61201917109d9e1067783536a8dd22e9a7c

        SHA256

        773e94f07ef21dbe05c1c497f53047228f818b31bbe2f8547f1d95d16c44c6f7

        SHA512

        91eabe1f04a42ffff3ac9d6d2217644ff35c20ea8f1bf70656a0ee1090729ab76c34ffc930fe0cb7a75cf517fe470c52cad29ebdce7ec3159c5a809242c591ee

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si719538.exe
        Filesize

        175KB

        MD5

        c60488f678115445b48915c75ab2a71b

        SHA1

        2a8cf61201917109d9e1067783536a8dd22e9a7c

        SHA256

        773e94f07ef21dbe05c1c497f53047228f818b31bbe2f8547f1d95d16c44c6f7

        SHA512

        91eabe1f04a42ffff3ac9d6d2217644ff35c20ea8f1bf70656a0ee1090729ab76c34ffc930fe0cb7a75cf517fe470c52cad29ebdce7ec3159c5a809242c591ee

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un765319.exe
        Filesize

        516KB

        MD5

        21568e6e4f01708bc31205b5ed6cb265

        SHA1

        fbcdfcceb07549117d2527cd44f6fafcffbd5603

        SHA256

        054d9505830f500b557ea5ecd8896dab50c409d0c2fdaa01cfad5bff4463d49d

        SHA512

        3ccc1ae809c97cf4f035729434a9c0e3902b7f552243eecc4a219a2f4c8df709114d37ac37d91ddacc5ae75e36381244f0902300b434d5b0821ad2109dd245ca

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un765319.exe
        Filesize

        516KB

        MD5

        21568e6e4f01708bc31205b5ed6cb265

        SHA1

        fbcdfcceb07549117d2527cd44f6fafcffbd5603

        SHA256

        054d9505830f500b557ea5ecd8896dab50c409d0c2fdaa01cfad5bff4463d49d

        SHA512

        3ccc1ae809c97cf4f035729434a9c0e3902b7f552243eecc4a219a2f4c8df709114d37ac37d91ddacc5ae75e36381244f0902300b434d5b0821ad2109dd245ca

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3505.exe
        Filesize

        235KB

        MD5

        0668182b3cfef9c857b382eaede777d3

        SHA1

        b517788e7cce24005cc4003f7cb4a7499fc61fe0

        SHA256

        f32b0e000f0554bd9f3938e3862f93fc81e5e77cea3bce082856070a543a9891

        SHA512

        572e535035622e955f9afad22fb06e2b44ced49779c9c442248daba9cc3f9e772dda14386c4308d0fa8cbad308db078aa84a2baea4e53cdcd90f4890f4a72694

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3505.exe
        Filesize

        235KB

        MD5

        0668182b3cfef9c857b382eaede777d3

        SHA1

        b517788e7cce24005cc4003f7cb4a7499fc61fe0

        SHA256

        f32b0e000f0554bd9f3938e3862f93fc81e5e77cea3bce082856070a543a9891

        SHA512

        572e535035622e955f9afad22fb06e2b44ced49779c9c442248daba9cc3f9e772dda14386c4308d0fa8cbad308db078aa84a2baea4e53cdcd90f4890f4a72694

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0863.exe
        Filesize

        294KB

        MD5

        5fc5f1e27cd61ca233fdcd5f48ca35dd

        SHA1

        020a376bfc50aa7c8a89a884d2e23dedd1799d52

        SHA256

        bb8919ee01155b61bec6db8bac515c460acd0b57b001319cd1d1ea022b3839e9

        SHA512

        ad8fee1c8aaf209ba14b8a7e4e6fd8c5b0be215ffc8471ff8cf0fdf655e8913c7361ce7be9d011585534485a5ba0f423adce4aef9200d2011b18749a6af6abe0

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0863.exe
        Filesize

        294KB

        MD5

        5fc5f1e27cd61ca233fdcd5f48ca35dd

        SHA1

        020a376bfc50aa7c8a89a884d2e23dedd1799d52

        SHA256

        bb8919ee01155b61bec6db8bac515c460acd0b57b001319cd1d1ea022b3839e9

        SHA512

        ad8fee1c8aaf209ba14b8a7e4e6fd8c5b0be215ffc8471ff8cf0fdf655e8913c7361ce7be9d011585534485a5ba0f423adce4aef9200d2011b18749a6af6abe0

        Download Submit
      • memory/4240-1102-0x0000000005830000-0x000000000593A000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/4240-1103-0x0000000004BB0000-0x0000000004BC2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4240-222-0x0000000004AB0000-0x0000000004AEF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4240-220-0x0000000004AB0000-0x0000000004AEF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4240-218-0x0000000004AB0000-0x0000000004AEF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4240-208-0x0000000004AB0000-0x0000000004AEF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4240-1116-0x00000000080A0000-0x00000000080F0000-memory.dmp
        Filesize

        320KB

        Download
      • memory/4240-1115-0x0000000002450000-0x00000000024C6000-memory.dmp
        Filesize

        472KB

        Download
      • memory/4240-1114-0x0000000004C50000-0x0000000004C60000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4240-1113-0x0000000007A50000-0x0000000007F7C000-memory.dmp
        Filesize

        5.2MB

        Download
      • memory/4240-1112-0x0000000007870000-0x0000000007A32000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/4240-1111-0x0000000005C50000-0x0000000005CB6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/4240-1110-0x0000000005BB0000-0x0000000005C42000-memory.dmp
        Filesize

        584KB

        Download
      • memory/4240-210-0x0000000004AB0000-0x0000000004AEF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4240-1109-0x0000000004C50000-0x0000000004C60000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4240-1108-0x0000000004C50000-0x0000000004C60000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4240-1107-0x0000000004C50000-0x0000000004C60000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4240-1105-0x0000000004C50000-0x0000000004C60000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4240-1104-0x0000000004BD0000-0x0000000004C0C000-memory.dmp
        Filesize

        240KB

        Download
      • memory/4240-224-0x0000000004AB0000-0x0000000004AEF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4240-1101-0x0000000005210000-0x0000000005828000-memory.dmp
        Filesize

        6.1MB

        Download
      • memory/4240-280-0x0000000004C50000-0x0000000004C60000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4240-276-0x0000000004C50000-0x0000000004C60000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4240-191-0x0000000004AB0000-0x0000000004AEF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4240-192-0x0000000004AB0000-0x0000000004AEF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4240-212-0x0000000004AB0000-0x0000000004AEF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4240-196-0x0000000004AB0000-0x0000000004AEF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4240-198-0x0000000004AB0000-0x0000000004AEF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4240-200-0x0000000004AB0000-0x0000000004AEF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4240-202-0x0000000004AB0000-0x0000000004AEF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4240-204-0x0000000004AB0000-0x0000000004AEF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4240-206-0x0000000004AB0000-0x0000000004AEF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4240-277-0x0000000004C50000-0x0000000004C60000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4240-275-0x0000000000550000-0x000000000059B000-memory.dmp
        Filesize

        300KB

        Download
      • memory/4240-194-0x0000000004AB0000-0x0000000004AEF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4240-214-0x0000000004AB0000-0x0000000004AEF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4240-216-0x0000000004AB0000-0x0000000004AEF000-memory.dmp
        Filesize

        252KB

        Download
      • memory/4564-1123-0x0000000000EF0000-0x0000000000F22000-memory.dmp
        Filesize

        200KB

        Download
      • memory/4564-1124-0x0000000005B30000-0x0000000005B40000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4564-1125-0x0000000005B30000-0x0000000005B40000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4676-182-0x0000000004C60000-0x0000000004C70000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4676-176-0x00000000026C0000-0x00000000026D2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4676-160-0x00000000026C0000-0x00000000026D2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4676-151-0x00000000026C0000-0x00000000026D2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4676-152-0x00000000026C0000-0x00000000026D2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4676-186-0x0000000000400000-0x00000000004A9000-memory.dmp
        Filesize

        676KB

        Download
      • memory/4676-150-0x0000000004C70000-0x0000000005214000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/4676-184-0x0000000004C60000-0x0000000004C70000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4676-183-0x0000000004C60000-0x0000000004C70000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4676-154-0x00000000026C0000-0x00000000026D2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4676-181-0x0000000000400000-0x00000000004A9000-memory.dmp
        Filesize

        676KB

        Download
      • memory/4676-180-0x00000000026C0000-0x00000000026D2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4676-178-0x00000000026C0000-0x00000000026D2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4676-174-0x00000000026C0000-0x00000000026D2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4676-172-0x00000000026C0000-0x00000000026D2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4676-170-0x00000000026C0000-0x00000000026D2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4676-168-0x00000000026C0000-0x00000000026D2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4676-166-0x00000000026C0000-0x00000000026D2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4676-164-0x00000000026C0000-0x00000000026D2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4676-162-0x00000000026C0000-0x00000000026D2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4676-149-0x0000000004C60000-0x0000000004C70000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4676-148-0x00000000005D0000-0x00000000005FD000-memory.dmp
        Filesize

        180KB

        Download
      • memory/4676-159-0x0000000004C60000-0x0000000004C70000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4676-156-0x00000000026C0000-0x00000000026D2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4676-157-0x0000000004C60000-0x0000000004C70000-memory.dmp
        Filesize

        64KB

        Download