Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    141s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    10-04-2023 20:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    00c60bb7948af8a0ca450ea8118c7d7453bf64e0d1ce1725f8dfbfa36be96d2c.exe

  • Size

    801KB

  • MD5

    cc9c31e4f0098250714921f82f4d82c6

  • SHA1

    dc73134f2290baa777cc0248d84a2d4ed196f094

  • SHA256

    00c60bb7948af8a0ca450ea8118c7d7453bf64e0d1ce1725f8dfbfa36be96d2c

  • SHA512

    2b1c2754db288168622fccda1182facf1f674832fc7d71ad0f972873a9e655a76410f65d07c2f26da419683adf8eb2b909f38041c624795323c9775c2ac1532b

  • SSDEEP

    12288:WMrMy90AZiGktDA2Bw3ZF8kS1neIUbORM9L19xK7CvGgxWL7uX0CEbhW0f/9OaLt:eyjizeB3ZS8NbHN3xfhMu3EUEoUt

Score
10/10
amadeyredlinerosnzimadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

zima

C2

176.113.115.145:4125

Attributes
  • auth_value

    2ef701d510c0d27e8a8e3270281678b1

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 36 IoCs
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\00c60bb7948af8a0ca450ea8118c7d7453bf64e0d1ce1725f8dfbfa36be96d2c.exe
    "C:\Users\Admin\AppData\Local\Temp\00c60bb7948af8a0ca450ea8118c7d7453bf64e0d1ce1725f8dfbfa36be96d2c.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4604
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVI4738.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVI4738.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:5116
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziNs2379.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziNs2379.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2140
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it097443.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it097443.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4700
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr874386.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr874386.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4808
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp367829.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp367829.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4408
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr985919.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr985919.exe
      2⤵
      • Executes dropped EXE
      PID:4512
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 616
        3⤵
        • Program crash
        PID:3628
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 696
        3⤵
        • Program crash
        PID:4100
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 836
        3⤵
        • Program crash
        PID:3084
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 848
        3⤵
        • Program crash
        PID:4672
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 876
        3⤵
        • Program crash
        PID:3236
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 900
        3⤵
        • Program crash
        PID:4928
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 1052
        3⤵
        • Program crash
        PID:4308

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr985919.exe
    Filesize

    231KB

    MD5

    f8117f396c10315824172b564d08490e

    SHA1

    96c20a6f156aa6e75f75fa9038a8878d75401138

    SHA256

    7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

    SHA512

    60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr985919.exe
    Filesize

    231KB

    MD5

    f8117f396c10315824172b564d08490e

    SHA1

    96c20a6f156aa6e75f75fa9038a8878d75401138

    SHA256

    7f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba

    SHA512

    60606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVI4738.exe
    Filesize

    536KB

    MD5

    56224c703e91a694e952de6b5bea49f6

    SHA1

    9d95e40a7f6a71f880f5e867c8dd76140d51c9c0

    SHA256

    9d7b0259a69d5b8f6a0f26a4c78ccaff8abfbd995c06bb4b20a8528cf1cffb38

    SHA512

    d90dadc58d7535eb4431d36b28d752153820e5163a700fbd08d6d95dd7bc93638abcd5edea634c10df437c7342f145e2cd8d3f94711d1c78deedfa1d8aff2c00

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVI4738.exe
    Filesize

    536KB

    MD5

    56224c703e91a694e952de6b5bea49f6

    SHA1

    9d95e40a7f6a71f880f5e867c8dd76140d51c9c0

    SHA256

    9d7b0259a69d5b8f6a0f26a4c78ccaff8abfbd995c06bb4b20a8528cf1cffb38

    SHA512

    d90dadc58d7535eb4431d36b28d752153820e5163a700fbd08d6d95dd7bc93638abcd5edea634c10df437c7342f145e2cd8d3f94711d1c78deedfa1d8aff2c00

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp367829.exe
    Filesize

    169KB

    MD5

    a9eaf58d689a358a176f11de536f524e

    SHA1

    969ddfa32b951ba3b863ff225838a2561f7ba081

    SHA256

    b431f25bd5ad8ac7a726b9d072460c8f400b7192443b243266f29495b69e08a5

    SHA512

    c4d32352bf5950b0789646d31b4bf71dff59932e880fc947a874c5498f44f02b72d405a465c9e4df145d3e5caa945ed65c185a3356ae2cf6e206a49056441bf7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp367829.exe
    Filesize

    169KB

    MD5

    a9eaf58d689a358a176f11de536f524e

    SHA1

    969ddfa32b951ba3b863ff225838a2561f7ba081

    SHA256

    b431f25bd5ad8ac7a726b9d072460c8f400b7192443b243266f29495b69e08a5

    SHA512

    c4d32352bf5950b0789646d31b4bf71dff59932e880fc947a874c5498f44f02b72d405a465c9e4df145d3e5caa945ed65c185a3356ae2cf6e206a49056441bf7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziNs2379.exe
    Filesize

    382KB

    MD5

    8d5650f1b1931464de3bf5583a5c5941

    SHA1

    edc03489a0fd8121ead2c23741bf0314bfa46b9e

    SHA256

    167d72b613ae062d28f17af9cf89d8cb9b0394dead425b60d75b323f9a34f7d1

    SHA512

    a039f2cd34dfcc2134736a3a8de354b706438aee84eba11468d5f31f76ab1dec9584f78e10c63c0fc86c89b90de75c2e8fc11b212bba802ef3b0504357633188

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziNs2379.exe
    Filesize

    382KB

    MD5

    8d5650f1b1931464de3bf5583a5c5941

    SHA1

    edc03489a0fd8121ead2c23741bf0314bfa46b9e

    SHA256

    167d72b613ae062d28f17af9cf89d8cb9b0394dead425b60d75b323f9a34f7d1

    SHA512

    a039f2cd34dfcc2134736a3a8de354b706438aee84eba11468d5f31f76ab1dec9584f78e10c63c0fc86c89b90de75c2e8fc11b212bba802ef3b0504357633188

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it097443.exe
    Filesize

    11KB

    MD5

    00c3a211cce32ef589e698c633c7a07f

    SHA1

    2cbe58c7c27676fe434b35a4453baf4526654a85

    SHA256

    931a91fa7d476470c6609e09cdcf0844e7f8d031d6ac09bbd59346730f2f6d43

    SHA512

    4aececa2572ccd918de7b5502044db2fc6dfc9c13e2820ed68ea38bbc882f861297dd8d2707375208c27281323b3b33cda24968e572738b45e9b6c6299b8712c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it097443.exe
    Filesize

    11KB

    MD5

    00c3a211cce32ef589e698c633c7a07f

    SHA1

    2cbe58c7c27676fe434b35a4453baf4526654a85

    SHA256

    931a91fa7d476470c6609e09cdcf0844e7f8d031d6ac09bbd59346730f2f6d43

    SHA512

    4aececa2572ccd918de7b5502044db2fc6dfc9c13e2820ed68ea38bbc882f861297dd8d2707375208c27281323b3b33cda24968e572738b45e9b6c6299b8712c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr874386.exe
    Filesize

    297KB

    MD5

    18bc6310e2e8982a19f9f2f670dde9e2

    SHA1

    fe79fb0a051f47124a3b3da0a6c10963848c2ac6

    SHA256

    257c2ae275152f0598609d760c60808b983376713e492c8bf1f93668ba98f902

    SHA512

    e095ccf0e14eae8d5dc556229f8d65e40d2232286c016e47c5e13ba9748484c3a24d737c2f700ef3aedc56cbdea99342773675302eec7673ecac2968d491e0cf

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr874386.exe
    Filesize

    297KB

    MD5

    18bc6310e2e8982a19f9f2f670dde9e2

    SHA1

    fe79fb0a051f47124a3b3da0a6c10963848c2ac6

    SHA256

    257c2ae275152f0598609d760c60808b983376713e492c8bf1f93668ba98f902

    SHA512

    e095ccf0e14eae8d5dc556229f8d65e40d2232286c016e47c5e13ba9748484c3a24d737c2f700ef3aedc56cbdea99342773675302eec7673ecac2968d491e0cf

    Download Submit
  • memory/4408-1082-0x0000000007750000-0x0000000007756000-memory.dmp
    Filesize

    24KB

    Download
  • memory/4408-1081-0x0000000000B10000-0x0000000000B40000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4408-1085-0x00000000053C0000-0x00000000053D0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4408-1084-0x00000000053C0000-0x00000000053D0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4408-1083-0x000000000AA20000-0x000000000AA6B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4512-1091-0x00000000004B0000-0x00000000004EB000-memory.dmp
    Filesize

    236KB

    Download
  • memory/4700-140-0x00000000005E0000-0x00000000005EA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4808-184-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4808-204-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4808-156-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4808-158-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4808-160-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4808-162-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4808-164-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4808-166-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4808-168-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4808-170-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4808-172-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4808-174-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4808-176-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4808-178-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4808-179-0x0000000004B40000-0x0000000004B50000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4808-181-0x0000000004B40000-0x0000000004B50000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4808-182-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4808-152-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4808-186-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4808-188-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4808-190-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4808-192-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4808-194-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4808-196-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4808-198-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4808-200-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4808-202-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4808-154-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4808-206-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4808-208-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4808-210-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4808-212-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4808-214-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4808-216-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4808-1059-0x0000000005050000-0x0000000005656000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/4808-1060-0x0000000005660000-0x000000000576A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4808-1061-0x00000000057A0000-0x00000000057B2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4808-1062-0x00000000057C0000-0x00000000057FE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4808-1063-0x0000000005910000-0x000000000595B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4808-1064-0x0000000004B40000-0x0000000004B50000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4808-1066-0x0000000005AA0000-0x0000000005B32000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4808-1067-0x0000000005B40000-0x0000000005BA6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4808-1068-0x0000000004B40000-0x0000000004B50000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4808-1069-0x0000000004B40000-0x0000000004B50000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4808-1070-0x0000000004B40000-0x0000000004B50000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4808-1071-0x0000000006390000-0x0000000006406000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4808-151-0x0000000004A20000-0x0000000004A5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4808-150-0x0000000004A20000-0x0000000004A64000-memory.dmp
    Filesize

    272KB

    Download
  • memory/4808-149-0x0000000004B50000-0x000000000504E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/4808-147-0x0000000004B40000-0x0000000004B50000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4808-148-0x0000000002090000-0x00000000020D6000-memory.dmp
    Filesize

    280KB

    Download
  • memory/4808-146-0x00000000004C0000-0x000000000050B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4808-1072-0x0000000006410000-0x0000000006460000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4808-1073-0x0000000006480000-0x0000000006642000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/4808-1074-0x0000000004B40000-0x0000000004B50000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4808-1075-0x0000000006650000-0x0000000006B7C000-memory.dmp
    Filesize

    5.2MB

    Download