Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    99s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    14-04-2023 03:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2b1422f9326c64146f80c214a67c6f3d2f05c8b3dbfa1336f54ae190239e99bb.exe

  • Size

    1.0MB

  • MD5

    eeac8d746a4fb066769acade12a1bd8d

  • SHA1

    4d3652fc01b386a5c9df541bf7986f0ef3a22e41

  • SHA256

    2b1422f9326c64146f80c214a67c6f3d2f05c8b3dbfa1336f54ae190239e99bb

  • SHA512

    209262dfbbae3224d992553da2b9ce8cf75fc871ea8b4787884758dfbf34f195a39cfc75df36cb33edb42837408077335c1b34e79653c29af18fb18a5651a555

  • SSDEEP

    24576:ryX8cjaEut21gZDm0ZfhHVBJJcGOsPOAWOOgFgXKR:eXPesgZDb1BJJcSGAWOhFga

Score
10/10
amadeyredlinedisaladadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

lada

C2

185.161.248.90:4125

Attributes
  • auth_value

    0b3678897547fedafe314eda5a2015ba

Extracted

Family

redline

Botnet

disa

C2

185.161.248.90:4125

Attributes
  • auth_value

    93f8c4ca7000e3381dd4b6b86434de05

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b1422f9326c64146f80c214a67c6f3d2f05c8b3dbfa1336f54ae190239e99bb.exe
    "C:\Users\Admin\AppData\Local\Temp\2b1422f9326c64146f80c214a67c6f3d2f05c8b3dbfa1336f54ae190239e99bb.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4192
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBr1346.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBr1346.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3980
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziNO6378.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziNO6378.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4724
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it998318.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it998318.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3092
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr586965.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr586965.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4896
          • C:\Windows\Temp\1.exe
            "C:\Windows\Temp\1.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3328
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp198785.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp198785.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3448
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr410713.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr410713.exe
      2⤵
      • Executes dropped EXE
      PID:4252
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 636
        3⤵
        • Program crash
        PID:4388
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 712
        3⤵
        • Program crash
        PID:5112
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 848
        3⤵
        • Program crash
        PID:4012
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 860
        3⤵
        • Program crash
        PID:4820
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 888
        3⤵
        • Program crash
        PID:3092
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 900
        3⤵
        • Program crash
        PID:4948
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1128
        3⤵
        • Program crash
        PID:5020
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1208
        3⤵
        • Program crash
        PID:3912
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1188
        3⤵
        • Program crash
        PID:3464

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr410713.exe
    Filesize

    397KB

    MD5

    73322119dde2931ef4675da872b6e388

    SHA1

    666909e836d4896520d7b01669820f0e8eb103a1

    SHA256

    a79c5393e57aa37ec1e86e848e11468788a7b9e9f580b8ce551913a3add57cd3

    SHA512

    360a30c047d52828252bb6aa484a900e00f6671bd5efdc27845476701b1c9ffcdbcfc7e5b3dceac05d89b83a66273b9e5b9dbd8e982810ba94fd226af216faef

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr410713.exe
    Filesize

    397KB

    MD5

    73322119dde2931ef4675da872b6e388

    SHA1

    666909e836d4896520d7b01669820f0e8eb103a1

    SHA256

    a79c5393e57aa37ec1e86e848e11468788a7b9e9f580b8ce551913a3add57cd3

    SHA512

    360a30c047d52828252bb6aa484a900e00f6671bd5efdc27845476701b1c9ffcdbcfc7e5b3dceac05d89b83a66273b9e5b9dbd8e982810ba94fd226af216faef

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBr1346.exe
    Filesize

    723KB

    MD5

    b7ed505776d367322a7e406fceab571a

    SHA1

    c792f963537d4fe099851b9497b606750145ad59

    SHA256

    5004f15683825c6a45cc27e6793e349cdb13e8fb1ced0900dff45b41ad3455b8

    SHA512

    4c3ebb01b16ec33cb4726b78d1851b9d78454999dc137e27d2898e86a673638aabd10a5c188755f14e5960c04ccb45e506e3751334639f85bd01c6c79b07b547

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBr1346.exe
    Filesize

    723KB

    MD5

    b7ed505776d367322a7e406fceab571a

    SHA1

    c792f963537d4fe099851b9497b606750145ad59

    SHA256

    5004f15683825c6a45cc27e6793e349cdb13e8fb1ced0900dff45b41ad3455b8

    SHA512

    4c3ebb01b16ec33cb4726b78d1851b9d78454999dc137e27d2898e86a673638aabd10a5c188755f14e5960c04ccb45e506e3751334639f85bd01c6c79b07b547

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp198785.exe
    Filesize

    169KB

    MD5

    a61f1cdf754b30e2a932e7f140d66eda

    SHA1

    84c33bf1908a9d5edd3c1c037546f167e84f1d00

    SHA256

    02a2981b1fbb91726ae4caee0d02c295f955d54097a654665608e6b1d5e07249

    SHA512

    82ee4e351563a2ec021827e5338dab40aca073f695d4ed2210f5ba6ca9bcf5c1cb7db98a8619c8caad408114f3afe0925dc20b67cd9d683e26debbd3126abf71

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp198785.exe
    Filesize

    169KB

    MD5

    a61f1cdf754b30e2a932e7f140d66eda

    SHA1

    84c33bf1908a9d5edd3c1c037546f167e84f1d00

    SHA256

    02a2981b1fbb91726ae4caee0d02c295f955d54097a654665608e6b1d5e07249

    SHA512

    82ee4e351563a2ec021827e5338dab40aca073f695d4ed2210f5ba6ca9bcf5c1cb7db98a8619c8caad408114f3afe0925dc20b67cd9d683e26debbd3126abf71

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziNO6378.exe
    Filesize

    569KB

    MD5

    2a7ed85d70e352aaf70274fe1263b79a

    SHA1

    7f9e5109cd200a5651a8bc8f9579a38c2a274b67

    SHA256

    12ef1cbc142c46b794d6ff8232d9efeddcc2c4b5c770b29c5c765a30bb3e003b

    SHA512

    644ac4fc5da446372c3f53e1194e2ac1065473c15edbad32aef04332645d155a943be324176e2e3943a0fc41a657e630295477fbe9e6fe5bf6ae165de6178de8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziNO6378.exe
    Filesize

    569KB

    MD5

    2a7ed85d70e352aaf70274fe1263b79a

    SHA1

    7f9e5109cd200a5651a8bc8f9579a38c2a274b67

    SHA256

    12ef1cbc142c46b794d6ff8232d9efeddcc2c4b5c770b29c5c765a30bb3e003b

    SHA512

    644ac4fc5da446372c3f53e1194e2ac1065473c15edbad32aef04332645d155a943be324176e2e3943a0fc41a657e630295477fbe9e6fe5bf6ae165de6178de8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it998318.exe
    Filesize

    11KB

    MD5

    1cdbf941ccc9de4b1f14c24e1cfaff47

    SHA1

    f63e35492fa97f4b9728546932366314e79b624f

    SHA256

    28379a18f1fefd2841c051f8a3b6da73ef4d8bb2861d0f211ea83c21cad6a56e

    SHA512

    5078a541e90e2addda10dace672170769caf0b25190b4c11d82ae8c0f858d6c0b98e0017087a0d9e206777805c499bb903d858594754952602b9e2fa14e494c5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it998318.exe
    Filesize

    11KB

    MD5

    1cdbf941ccc9de4b1f14c24e1cfaff47

    SHA1

    f63e35492fa97f4b9728546932366314e79b624f

    SHA256

    28379a18f1fefd2841c051f8a3b6da73ef4d8bb2861d0f211ea83c21cad6a56e

    SHA512

    5078a541e90e2addda10dace672170769caf0b25190b4c11d82ae8c0f858d6c0b98e0017087a0d9e206777805c499bb903d858594754952602b9e2fa14e494c5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr586965.exe
    Filesize

    588KB

    MD5

    beb288a3791e39ac762e996f0f5a919e

    SHA1

    fb9b374d11209ee0a70f067fe2c8013531a0504f

    SHA256

    455a9eb993eedee0ca0a5317cb00e1b46811466c3c050046607d84127470e99d

    SHA512

    50952a4e59e15a9e9bdd53be4d8a4a28343abec25407e4e45548e8247abff0cc166b0df78fcd8d9228688edaa2a077b923096d59ed276d444dbc8e7314308874

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr586965.exe
    Filesize

    588KB

    MD5

    beb288a3791e39ac762e996f0f5a919e

    SHA1

    fb9b374d11209ee0a70f067fe2c8013531a0504f

    SHA256

    455a9eb993eedee0ca0a5317cb00e1b46811466c3c050046607d84127470e99d

    SHA512

    50952a4e59e15a9e9bdd53be4d8a4a28343abec25407e4e45548e8247abff0cc166b0df78fcd8d9228688edaa2a077b923096d59ed276d444dbc8e7314308874

    Download Submit

  • C:\Windows\Temp\1.exe
    Filesize

    168KB

    MD5

    03728fed675bcde5256342183b1d6f27

    SHA1

    d13eace7d3d92f93756504b274777cc269b222a2

    SHA256

    f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

    SHA512

    6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

    Download Submit

  • C:\Windows\Temp\1.exe
    Filesize

    168KB

    MD5

    03728fed675bcde5256342183b1d6f27

    SHA1

    d13eace7d3d92f93756504b274777cc269b222a2

    SHA256

    f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

    SHA512

    6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

    Download Submit

  • memory/3092-141-0x00000000003E0000-0x00000000003EA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3328-2306-0x0000000000FB0000-0x0000000000FB6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3328-2324-0x00000000066C0000-0x0000000006710000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3328-2321-0x0000000005800000-0x0000000005866000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3328-2305-0x00000000009B0000-0x00000000009DE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3328-2326-0x0000000005330000-0x0000000005340000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3328-2312-0x0000000005950000-0x0000000005F56000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/3328-2318-0x0000000005380000-0x00000000053CB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3328-2317-0x0000000005330000-0x0000000005340000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3448-2322-0x000000000BFE0000-0x000000000C1A2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3448-2315-0x0000000005360000-0x0000000005370000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3448-2314-0x0000000005310000-0x0000000005322000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3448-2313-0x000000000A900000-0x000000000AA0A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3448-2316-0x000000000A830000-0x000000000A86E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3448-2311-0x0000000001330000-0x0000000001336000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3448-2310-0x0000000000A70000-0x0000000000AA0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3448-2319-0x000000000AB20000-0x000000000AB96000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3448-2320-0x000000000AC40000-0x000000000ACD2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3448-2323-0x000000000C6E0000-0x000000000CC0C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/3448-2325-0x0000000005360000-0x0000000005370000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4252-2333-0x0000000000960000-0x000000000099B000-memory.dmp

    Filesize

    236KB

    Download

  • memory/4896-159-0x0000000002A10000-0x0000000002A70000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4896-181-0x0000000002A10000-0x0000000002A70000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4896-195-0x0000000002A10000-0x0000000002A70000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4896-197-0x0000000002A10000-0x0000000002A70000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4896-199-0x0000000002A10000-0x0000000002A70000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4896-201-0x0000000002A10000-0x0000000002A70000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4896-203-0x0000000002A10000-0x0000000002A70000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4896-205-0x0000000002A10000-0x0000000002A70000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4896-207-0x0000000002A10000-0x0000000002A70000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4896-209-0x0000000002A10000-0x0000000002A70000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4896-211-0x0000000002A10000-0x0000000002A70000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4896-213-0x0000000002A10000-0x0000000002A70000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4896-215-0x0000000002A10000-0x0000000002A70000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4896-217-0x0000000002A10000-0x0000000002A70000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4896-2296-0x0000000005770000-0x00000000057A2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4896-2298-0x0000000000A80000-0x0000000000A90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4896-191-0x0000000002A10000-0x0000000002A70000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4896-189-0x0000000002A10000-0x0000000002A70000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4896-187-0x0000000002A10000-0x0000000002A70000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4896-185-0x0000000002A10000-0x0000000002A70000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4896-183-0x0000000002A10000-0x0000000002A70000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4896-193-0x0000000002A10000-0x0000000002A70000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4896-179-0x0000000002A10000-0x0000000002A70000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4896-177-0x0000000002A10000-0x0000000002A70000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4896-175-0x0000000002A10000-0x0000000002A70000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4896-173-0x0000000002A10000-0x0000000002A70000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4896-171-0x0000000002A10000-0x0000000002A70000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4896-169-0x0000000002A10000-0x0000000002A70000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4896-167-0x0000000002A10000-0x0000000002A70000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4896-163-0x0000000002A10000-0x0000000002A70000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4896-165-0x0000000002A10000-0x0000000002A70000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4896-161-0x0000000002A10000-0x0000000002A70000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4896-157-0x0000000002A10000-0x0000000002A70000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4896-155-0x0000000002A10000-0x0000000002A70000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4896-154-0x0000000002A10000-0x0000000002A70000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4896-150-0x0000000000A80000-0x0000000000A90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4896-151-0x0000000000A80000-0x0000000000A90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4896-153-0x0000000000A80000-0x0000000000A90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4896-152-0x0000000002A10000-0x0000000002A76000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4896-149-0x0000000000970000-0x00000000009CB000-memory.dmp

    Filesize

    364KB

    Download

  • memory/4896-148-0x00000000050F0000-0x00000000055EE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4896-147-0x0000000002730000-0x0000000002798000-memory.dmp

    Filesize

    416KB

    Download