Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    108s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    09-04-2023 20:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f43edcef1a5f1968ba5cc538078da37b7cc913e8992d692aa2d83e2a4af9b175.exe

  • Size

    924KB

  • MD5

    8ce7b2c4d83e36af9e187fdec3d30d9e

  • SHA1

    a37012532eb3a4321f91dca57a13bd12c59664c3

  • SHA256

    f43edcef1a5f1968ba5cc538078da37b7cc913e8992d692aa2d83e2a4af9b175

  • SHA512

    b8bee748cf749ce969f9192e1ddeec6ac606d0d3f8da106a50c05dcc6d3a0e0d9bfd4d1e0e24fa0cd5dc06c28b8a591628c52e5307db444d239a0e6a02f73e81

  • SSDEEP

    24576:VyJ1GDH+kocM06dmmd4C2lIyZwWDxhKp:wJcyk5MXPdX29wWLK

Score
10/10
amadeyredlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 21 IoCs
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f43edcef1a5f1968ba5cc538078da37b7cc913e8992d692aa2d83e2a4af9b175.exe
    "C:\Users\Admin\AppData\Local\Temp\f43edcef1a5f1968ba5cc538078da37b7cc913e8992d692aa2d83e2a4af9b175.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3668
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un979877.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un979877.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:988
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un129812.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un129812.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4496
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr893454.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr893454.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4992
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu694301.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu694301.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4828
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk224550.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk224550.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1528
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si241991.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si241991.exe
      2⤵
      • Executes dropped EXE
      PID:4816
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 616
        3⤵
        • Program crash
        PID:3856
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 696
        3⤵
        • Program crash
        PID:2644
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 836
        3⤵
        • Program crash
        PID:3952
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 816
        3⤵
        • Program crash
        PID:5008
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 884
        3⤵
        • Program crash
        PID:3736
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 900
        3⤵
        • Program crash
        PID:3784
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 1072
        3⤵
        • Program crash
        PID:4676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si241991.exe
    Filesize

    226KB

    MD5

    d8c3f20eef4f33bd865589859629bf41

    SHA1

    3590244f8774ff4ac4e3c54cdbb149363fd9dc7d

    SHA256

    2883beaaf38f654125933398a46d5bd8c9db9fd04793cb50b28eb2343b4dd36f

    SHA512

    52b84685dacaa20eac474ee035ff3302d95324a3bf9deeff447c05a0d8066cda8fa86592e48806c661de4510b83bbae4a76ec121594e4987b27c1f883bfc77cb

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si241991.exe
    Filesize

    226KB

    MD5

    d8c3f20eef4f33bd865589859629bf41

    SHA1

    3590244f8774ff4ac4e3c54cdbb149363fd9dc7d

    SHA256

    2883beaaf38f654125933398a46d5bd8c9db9fd04793cb50b28eb2343b4dd36f

    SHA512

    52b84685dacaa20eac474ee035ff3302d95324a3bf9deeff447c05a0d8066cda8fa86592e48806c661de4510b83bbae4a76ec121594e4987b27c1f883bfc77cb

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un979877.exe
    Filesize

    661KB

    MD5

    9872d439a2b6a4e659a78739e564f88c

    SHA1

    81f4501d3472860b5e009e96e428538687b2e6c1

    SHA256

    73224c24b29548ff1a47df8108f4393923ef44ca2f260a470de6b07a9f918a6a

    SHA512

    4bfa3294c04d9d4f4479f80429b3aaa8810ae550b0a23df60caa116d0f0768b91ed345d64a8e1030671d79a062db1e3c3efad58057450257e1a2ace590212272

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un979877.exe
    Filesize

    661KB

    MD5

    9872d439a2b6a4e659a78739e564f88c

    SHA1

    81f4501d3472860b5e009e96e428538687b2e6c1

    SHA256

    73224c24b29548ff1a47df8108f4393923ef44ca2f260a470de6b07a9f918a6a

    SHA512

    4bfa3294c04d9d4f4479f80429b3aaa8810ae550b0a23df60caa116d0f0768b91ed345d64a8e1030671d79a062db1e3c3efad58057450257e1a2ace590212272

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk224550.exe
    Filesize

    175KB

    MD5

    bb6d43fa4ebafe62b98ec4dea4ff49d9

    SHA1

    d8188e664ac977f59d3ec26589e3cf67b1fab23b

    SHA256

    1d1cdf01afc38fc6784a41fe8aa2f308ec44606d2d16c4edd9445813af33fe89

    SHA512

    679a0e394c5751020c38ceaba6a1bd1a33c558b8c9142fc796fa3570baa0ac082d099891451fde50249e165625b9738ead7321dccf2b2da567f3f7e3d4ee4644

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk224550.exe
    Filesize

    175KB

    MD5

    bb6d43fa4ebafe62b98ec4dea4ff49d9

    SHA1

    d8188e664ac977f59d3ec26589e3cf67b1fab23b

    SHA256

    1d1cdf01afc38fc6784a41fe8aa2f308ec44606d2d16c4edd9445813af33fe89

    SHA512

    679a0e394c5751020c38ceaba6a1bd1a33c558b8c9142fc796fa3570baa0ac082d099891451fde50249e165625b9738ead7321dccf2b2da567f3f7e3d4ee4644

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un129812.exe
    Filesize

    519KB

    MD5

    5f47d507b97c890a207470c92f83d8aa

    SHA1

    0718951d2ac648caeaae3d8fdce0dd58ff48f53f

    SHA256

    22caa96151d92232a4dcbda34e2ed37f4fb622518a8100d23b33915c9b5a95ad

    SHA512

    01d62dff903fda0f592227ff647c429d7fa849196ac95fe7e6b2e8a6db520cb7a98db6422d93564782fbfdfcf0e442e73d6e87734da5657d56e8e2dfb5836a88

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un129812.exe
    Filesize

    519KB

    MD5

    5f47d507b97c890a207470c92f83d8aa

    SHA1

    0718951d2ac648caeaae3d8fdce0dd58ff48f53f

    SHA256

    22caa96151d92232a4dcbda34e2ed37f4fb622518a8100d23b33915c9b5a95ad

    SHA512

    01d62dff903fda0f592227ff647c429d7fa849196ac95fe7e6b2e8a6db520cb7a98db6422d93564782fbfdfcf0e442e73d6e87734da5657d56e8e2dfb5836a88

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr893454.exe
    Filesize

    235KB

    MD5

    ec87ae5a8ea77222b1abac50e03474d1

    SHA1

    cae18a97a8ca74144b68a40a8142c47b6a1c15f0

    SHA256

    5031ebfb23c7c359d79e190c2aa61b0306771fd915d0d9a7eba6495be0c7447e

    SHA512

    a5c03380b70f8bf8e729a992dd6afacb04fb928bc16b5a98ba71355879b9af43772873d6001c3dd16251b95a4ba430852639c3fa3aa46db69bd9d56d099db77f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr893454.exe
    Filesize

    235KB

    MD5

    ec87ae5a8ea77222b1abac50e03474d1

    SHA1

    cae18a97a8ca74144b68a40a8142c47b6a1c15f0

    SHA256

    5031ebfb23c7c359d79e190c2aa61b0306771fd915d0d9a7eba6495be0c7447e

    SHA512

    a5c03380b70f8bf8e729a992dd6afacb04fb928bc16b5a98ba71355879b9af43772873d6001c3dd16251b95a4ba430852639c3fa3aa46db69bd9d56d099db77f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu694301.exe
    Filesize

    292KB

    MD5

    e2cdcedc37aa142cc98d88e1fa3a8aef

    SHA1

    fe0ab69fec3694c664f046d6d1976c59e21226e4

    SHA256

    15a89665194c3d0daa580d6e8838df1e0f308df1a01b3466954633945c5f2e23

    SHA512

    0eede9044bf2117556117b07af1d997cf7888e630399ac79de19e1ff0acdeee520be3a9dff97b4d866e4492c2314ac92aa1b303a5815160453dada3d495a1797

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu694301.exe
    Filesize

    292KB

    MD5

    e2cdcedc37aa142cc98d88e1fa3a8aef

    SHA1

    fe0ab69fec3694c664f046d6d1976c59e21226e4

    SHA256

    15a89665194c3d0daa580d6e8838df1e0f308df1a01b3466954633945c5f2e23

    SHA512

    0eede9044bf2117556117b07af1d997cf7888e630399ac79de19e1ff0acdeee520be3a9dff97b4d866e4492c2314ac92aa1b303a5815160453dada3d495a1797

    Download Submit
  • memory/1528-1119-0x00000000053C0000-0x00000000053D0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1528-1118-0x0000000005370000-0x00000000053BB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/1528-1117-0x0000000000AF0000-0x0000000000B22000-memory.dmp
    Filesize

    200KB

    Download
  • memory/4816-1125-0x00000000004B0000-0x00000000004EB000-memory.dmp
    Filesize

    236KB

    Download
  • memory/4828-1099-0x0000000004C60000-0x0000000004C70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4828-210-0x00000000023C0000-0x00000000023FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4828-1111-0x0000000006EA0000-0x0000000006EF0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4828-1110-0x0000000006E20000-0x0000000006E96000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4828-1109-0x0000000004C60000-0x0000000004C70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4828-1108-0x00000000067B0000-0x0000000006CDC000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4828-1107-0x00000000065C0000-0x0000000006782000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/4828-1106-0x0000000004C60000-0x0000000004C70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4828-1105-0x0000000004C60000-0x0000000004C70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4828-1104-0x0000000004C60000-0x0000000004C70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4828-1102-0x0000000005670000-0x00000000056D6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4828-1101-0x00000000055D0000-0x0000000005662000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4828-1100-0x0000000005440000-0x000000000548B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4828-1098-0x00000000052F0000-0x000000000532E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4828-1097-0x00000000052D0000-0x00000000052E2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4828-1096-0x0000000005190000-0x000000000529A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4828-183-0x0000000002200000-0x0000000002246000-memory.dmp
    Filesize

    280KB

    Download
  • memory/4828-184-0x00000000023C0000-0x0000000002404000-memory.dmp
    Filesize

    272KB

    Download
  • memory/4828-185-0x00000000023C0000-0x00000000023FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4828-186-0x00000000023C0000-0x00000000023FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4828-188-0x00000000023C0000-0x00000000023FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4828-190-0x00000000023C0000-0x00000000023FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4828-192-0x00000000023C0000-0x00000000023FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4828-194-0x00000000023C0000-0x00000000023FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4828-196-0x00000000023C0000-0x00000000023FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4828-198-0x00000000023C0000-0x00000000023FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4828-200-0x00000000023C0000-0x00000000023FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4828-202-0x00000000023C0000-0x00000000023FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4828-204-0x00000000023C0000-0x00000000023FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4828-206-0x00000000023C0000-0x00000000023FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4828-208-0x00000000023C0000-0x00000000023FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4828-1095-0x0000000005780000-0x0000000005D86000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/4828-212-0x00000000023C0000-0x00000000023FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4828-214-0x00000000023C0000-0x00000000023FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4828-216-0x00000000023C0000-0x00000000023FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4828-218-0x00000000023C0000-0x00000000023FF000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4828-393-0x00000000004C0000-0x000000000050B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4828-395-0x0000000004C60000-0x0000000004C70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4828-397-0x0000000004C60000-0x0000000004C70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4828-399-0x0000000004C60000-0x0000000004C70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4992-164-0x00000000023B0000-0x00000000023C2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4992-143-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4992-154-0x00000000023B0000-0x00000000023C2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4992-178-0x0000000000400000-0x00000000004A8000-memory.dmp
    Filesize

    672KB

    Download
  • memory/4992-150-0x00000000023B0000-0x00000000023C2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4992-176-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4992-175-0x0000000000400000-0x00000000004A8000-memory.dmp
    Filesize

    672KB

    Download
  • memory/4992-174-0x00000000023B0000-0x00000000023C2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4992-172-0x00000000023B0000-0x00000000023C2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4992-170-0x00000000023B0000-0x00000000023C2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4992-141-0x00000000007E0000-0x00000000007FA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/4992-152-0x00000000023B0000-0x00000000023C2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4992-160-0x00000000023B0000-0x00000000023C2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4992-162-0x00000000023B0000-0x00000000023C2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4992-156-0x00000000023B0000-0x00000000023C2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4992-158-0x00000000023B0000-0x00000000023C2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4992-147-0x00000000023B0000-0x00000000023C2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4992-148-0x00000000023B0000-0x00000000023C2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4992-146-0x00000000023B0000-0x00000000023C8000-memory.dmp
    Filesize

    96KB

    Download
  • memory/4992-145-0x0000000004BD0000-0x00000000050CE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/4992-144-0x0000000004BC0000-0x0000000004BD0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4992-166-0x00000000023B0000-0x00000000023C2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4992-142-0x00000000001D0000-0x00000000001FD000-memory.dmp
    Filesize

    180KB

    Download
  • memory/4992-168-0x00000000023B0000-0x00000000023C2000-memory.dmp
    Filesize

    72KB

    Download