Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    10-04-2023 21:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    01d450f80fda3d1b79bbe074e8eea4ed4182814bf1a64433615dad840b9c1c6e.exe

  • Size

    789KB

  • MD5

    8670ba73af0cbdebfd6589698e3eeb4f

  • SHA1

    e26a6d4279e1812574c5e059a86fd7a2056b0d9c

  • SHA256

    01d450f80fda3d1b79bbe074e8eea4ed4182814bf1a64433615dad840b9c1c6e

  • SHA512

    15028fba64f6b8d7843ded764141d06d8baceb9110bc729d204ee9657d87b06c6a4c7ea303dbf7095b49eb737817747a5a81f25a63eb2bbf80193cbd14a4b3ff

  • SSDEEP

    24576:wyztkmc8DR+I5kjwvlxfN6TZXnnbNHHWp:3ztkT+4wvlx0nR

Score
10/10
amadeyredlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\01d450f80fda3d1b79bbe074e8eea4ed4182814bf1a64433615dad840b9c1c6e.exe
    "C:\Users\Admin\AppData\Local\Temp\01d450f80fda3d1b79bbe074e8eea4ed4182814bf1a64433615dad840b9c1c6e.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:996
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOv5598.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOv5598.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4100
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziFc6855.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziFc6855.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3532
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it649112.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it649112.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3500
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr121192.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr121192.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4936
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp476029.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp476029.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4792
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr630025.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr630025.exe
      2⤵
      • Executes dropped EXE
      PID:3640
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 624
        3⤵
        • Program crash
        PID:3676
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 704
        3⤵
        • Program crash
        PID:3972
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 840
        3⤵
        • Program crash
        PID:4716
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 852
        3⤵
        • Program crash
        PID:2632
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 880
        3⤵
        • Program crash
        PID:4896
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 836
        3⤵
        • Program crash
        PID:2352
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 1068
        3⤵
        • Program crash
        PID:5036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr630025.exe
    Filesize

    231KB

    MD5

    5a531a1495614605383afe7a35731a7a

    SHA1

    f00c58c5745c7adeb14b5b176fc0cd8d6d694bb6

    SHA256

    2aa40e53a153a68c6fd28793fdd06fa3bcbe4658820261607f6f4f8ecd3b8c2d

    SHA512

    906eb4afa865e09a68e5f40e48837bf576ced8218e8545daa25bd1ac0bea2087f77c9905d143c243cb3cbf04b3472c049620e2b51ccf243ac75f7134376e4aa3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr630025.exe
    Filesize

    231KB

    MD5

    5a531a1495614605383afe7a35731a7a

    SHA1

    f00c58c5745c7adeb14b5b176fc0cd8d6d694bb6

    SHA256

    2aa40e53a153a68c6fd28793fdd06fa3bcbe4658820261607f6f4f8ecd3b8c2d

    SHA512

    906eb4afa865e09a68e5f40e48837bf576ced8218e8545daa25bd1ac0bea2087f77c9905d143c243cb3cbf04b3472c049620e2b51ccf243ac75f7134376e4aa3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOv5598.exe
    Filesize

    524KB

    MD5

    3fe6b3202677a6f8bb17655dd6a2814e

    SHA1

    00001802a7360b60c7a4153a2898a2e57bc97458

    SHA256

    64bd379172a239e359dab8a174e3b80356e56e04831f7adc53be6605e825f72c

    SHA512

    bfc12aa93a4935ac92affd31c2879f8416e6351411438735acb12ec3bf2c4cd37f05c5c3079ae2d19d10d37bcc99ff223d09c6874d760e22e4474898a33dcfa5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOv5598.exe
    Filesize

    524KB

    MD5

    3fe6b3202677a6f8bb17655dd6a2814e

    SHA1

    00001802a7360b60c7a4153a2898a2e57bc97458

    SHA256

    64bd379172a239e359dab8a174e3b80356e56e04831f7adc53be6605e825f72c

    SHA512

    bfc12aa93a4935ac92affd31c2879f8416e6351411438735acb12ec3bf2c4cd37f05c5c3079ae2d19d10d37bcc99ff223d09c6874d760e22e4474898a33dcfa5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp476029.exe
    Filesize

    176KB

    MD5

    230e545337d56399fd448df0a1545998

    SHA1

    9a868e222ef216e2e0f75715466d410616897455

    SHA256

    d1570713130ad10343b02596f050c7ad4502a41c1cd6826bf95684b597491526

    SHA512

    688a1e7eca63dbf23d69b751df85bb2387ec91062ae7776b8322192ce606e0c6f244b5a6d1026a89456966bb0c3f6f1f37d0168c29b4330c5b636ddbeed25822

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp476029.exe
    Filesize

    176KB

    MD5

    230e545337d56399fd448df0a1545998

    SHA1

    9a868e222ef216e2e0f75715466d410616897455

    SHA256

    d1570713130ad10343b02596f050c7ad4502a41c1cd6826bf95684b597491526

    SHA512

    688a1e7eca63dbf23d69b751df85bb2387ec91062ae7776b8322192ce606e0c6f244b5a6d1026a89456966bb0c3f6f1f37d0168c29b4330c5b636ddbeed25822

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziFc6855.exe
    Filesize

    382KB

    MD5

    a7e05ead7b81b96a35bccfa2ef399a04

    SHA1

    3ca859ff34e705d87d4ee77c9502384627930231

    SHA256

    b142503b239e3da034f0b51054a5711a742d85682bb0f8e45187343da19407dc

    SHA512

    546470a3b4295297b1a9c7245f0d53ec3a68859841ce01d449333a343d6d4d518863ebdf4e3f2c84e26524a8737266775c7c91cf4a423970089ebd1f29a4e2d5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziFc6855.exe
    Filesize

    382KB

    MD5

    a7e05ead7b81b96a35bccfa2ef399a04

    SHA1

    3ca859ff34e705d87d4ee77c9502384627930231

    SHA256

    b142503b239e3da034f0b51054a5711a742d85682bb0f8e45187343da19407dc

    SHA512

    546470a3b4295297b1a9c7245f0d53ec3a68859841ce01d449333a343d6d4d518863ebdf4e3f2c84e26524a8737266775c7c91cf4a423970089ebd1f29a4e2d5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it649112.exe
    Filesize

    11KB

    MD5

    95adaa75d1f251936ef35c401701d559

    SHA1

    8b0dc7ca1519fed449e31a232c526c0a16d4a28b

    SHA256

    85b68d17305f0b85c547597acaefe5be746ac4be199c9c0ef74bb2ed16aaf9b5

    SHA512

    dfbda53315891e655b6f9ee107055f06e33fdab03a613514f3f68726a33a77633554c9f280f4c1a0e6aafbf238968c5550f70cfd436dcc3501844a17ae94cc84

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it649112.exe
    Filesize

    11KB

    MD5

    95adaa75d1f251936ef35c401701d559

    SHA1

    8b0dc7ca1519fed449e31a232c526c0a16d4a28b

    SHA256

    85b68d17305f0b85c547597acaefe5be746ac4be199c9c0ef74bb2ed16aaf9b5

    SHA512

    dfbda53315891e655b6f9ee107055f06e33fdab03a613514f3f68726a33a77633554c9f280f4c1a0e6aafbf238968c5550f70cfd436dcc3501844a17ae94cc84

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr121192.exe
    Filesize

    297KB

    MD5

    23cc6c126e551d7a38cf232edeedfd1b

    SHA1

    e9a48b6cbf201f3792d48543b88022f3327e0174

    SHA256

    3a4805da7dd13f54cd97c0795b028005213d8004dae2eb4c7b8e295934036a98

    SHA512

    3b0b235a1343174550cbf7a7cffa7f5a5997a04c04d375b9beba1e82dad2beba9fd72c1fbce8a92906ab0dc85641ff3208858bfd1307542036f3522bd1306136

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr121192.exe
    Filesize

    297KB

    MD5

    23cc6c126e551d7a38cf232edeedfd1b

    SHA1

    e9a48b6cbf201f3792d48543b88022f3327e0174

    SHA256

    3a4805da7dd13f54cd97c0795b028005213d8004dae2eb4c7b8e295934036a98

    SHA512

    3b0b235a1343174550cbf7a7cffa7f5a5997a04c04d375b9beba1e82dad2beba9fd72c1fbce8a92906ab0dc85641ff3208858bfd1307542036f3522bd1306136

    Download Submit
  • memory/3500-141-0x00000000008C0000-0x00000000008CA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3640-1088-0x00000000005D0000-0x000000000060B000-memory.dmp
    Filesize

    236KB

    Download
  • memory/4792-1079-0x00000000008C0000-0x00000000008F2000-memory.dmp
    Filesize

    200KB

    Download
  • memory/4792-1080-0x0000000005300000-0x000000000534B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4792-1082-0x0000000005470000-0x0000000005480000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4792-1081-0x0000000005470000-0x0000000005480000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4936-182-0x0000000002700000-0x000000000273F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4936-204-0x0000000002700000-0x000000000273F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4936-154-0x0000000002700000-0x000000000273F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4936-156-0x0000000002700000-0x000000000273F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4936-158-0x0000000002700000-0x000000000273F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4936-160-0x0000000002700000-0x000000000273F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4936-162-0x0000000002700000-0x000000000273F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4936-164-0x0000000002700000-0x000000000273F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4936-166-0x0000000002700000-0x000000000273F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4936-168-0x0000000002700000-0x000000000273F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4936-170-0x0000000002700000-0x000000000273F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4936-172-0x0000000002700000-0x000000000273F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4936-174-0x0000000002700000-0x000000000273F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4936-176-0x0000000002700000-0x000000000273F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4936-178-0x0000000002700000-0x000000000273F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4936-180-0x0000000002700000-0x000000000273F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4936-152-0x0000000002700000-0x0000000002744000-memory.dmp
    Filesize

    272KB

    Download
  • memory/4936-184-0x0000000002700000-0x000000000273F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4936-186-0x0000000002700000-0x000000000273F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4936-188-0x0000000002700000-0x000000000273F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4936-190-0x0000000002700000-0x000000000273F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4936-192-0x0000000002700000-0x000000000273F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4936-194-0x0000000002700000-0x000000000273F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4936-196-0x0000000002700000-0x000000000273F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4936-198-0x0000000002700000-0x000000000273F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4936-200-0x0000000002700000-0x000000000273F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4936-202-0x0000000002700000-0x000000000273F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4936-153-0x0000000002700000-0x000000000273F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4936-206-0x0000000002700000-0x000000000273F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4936-208-0x0000000002700000-0x000000000273F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4936-210-0x0000000002700000-0x000000000273F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4936-212-0x0000000002700000-0x000000000273F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4936-214-0x0000000002700000-0x000000000273F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4936-216-0x0000000002700000-0x000000000273F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4936-1059-0x0000000005110000-0x0000000005716000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/4936-1060-0x00000000057A0000-0x00000000058AA000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4936-1061-0x00000000058E0000-0x00000000058F2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4936-1062-0x00000000023B0000-0x00000000023C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4936-1063-0x0000000005900000-0x000000000593E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4936-1064-0x0000000005A50000-0x0000000005A9B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4936-1066-0x0000000005BE0000-0x0000000005C46000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4936-1067-0x00000000062A0000-0x0000000006332000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4936-1068-0x00000000023B0000-0x00000000023C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4936-1069-0x00000000023B0000-0x00000000023C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4936-151-0x0000000004AA0000-0x0000000004F9E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/4936-150-0x00000000023B0000-0x00000000023C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4936-149-0x00000000023B0000-0x00000000023C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4936-148-0x00000000004C0000-0x000000000050B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4936-147-0x00000000021E0000-0x0000000002226000-memory.dmp
    Filesize

    280KB

    Download
  • memory/4936-1070-0x0000000006380000-0x0000000006542000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/4936-1071-0x0000000006550000-0x0000000006A7C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4936-1072-0x0000000006E00000-0x0000000006E76000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4936-1073-0x0000000006E80000-0x0000000006ED0000-memory.dmp
    Filesize

    320KB

    Download