Overview

overview

10

Static

static

3

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    152s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    04/05/2023, 04:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3f0be2e066bc14366b99f43ceb885e5f05fdc18b88afcc15006b08ecc567a79e.exe

  • Size

    567KB

  • MD5

    8d1f322de47d7a5c8be9f01041e5f0b9

  • SHA1

    f2aaffffcd7330f7024294aaded8b67a7068066d

  • SHA256

    3f0be2e066bc14366b99f43ceb885e5f05fdc18b88afcc15006b08ecc567a79e

  • SHA512

    df3ca2e0c118c885d5d1299c5c0ca019c990e46a9d625978dd746a1479a2740a20e5f436fae107ba894205e46686a127579babd914914d3d47b07bd6b340a6ee

  • SSDEEP

    12288:AMrCy90SbHmWQAt4giajmpvOWQ5McekES3E4hbo1O5:Sy9ixgiajOvOWQehV1e

Score
10/10
redlinedarisdiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

daris

C2

217.196.96.56:4138

Attributes
  • auth_value

    3491f24ae0250969cd45ce4b3fe77549

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3f0be2e066bc14366b99f43ceb885e5f05fdc18b88afcc15006b08ecc567a79e.exe
    "C:\Users\Admin\AppData\Local\Temp\3f0be2e066bc14366b99f43ceb885e5f05fdc18b88afcc15006b08ecc567a79e.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5048
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2106230.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2106230.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1184
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7492477.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7492477.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1372
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9692280.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9692280.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2056
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i5724722.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i5724722.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3768
      • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
        "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4028
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
          4⤵
          • Creates scheduled task(s)
          PID:4136
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4956
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            5⤵
              PID:4868
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "oneetx.exe" /P "Admin:N"
              5⤵
                PID:516
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "oneetx.exe" /P "Admin:R" /E
                5⤵
                  PID:3208
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  5⤵
                    PID:784
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "..\c3912af058" /P "Admin:N"
                    5⤵
                      PID:4588
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "..\c3912af058" /P "Admin:R" /E
                      5⤵
                        PID:4508
                    • C:\Windows\SysWOW64\rundll32.exe
                      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
                      4⤵
                      • Loads dropped DLL
                      PID:4444
              • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
                C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
                1⤵
                • Executes dropped EXE
                PID:4536
              • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
                C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
                1⤵
                • Executes dropped EXE
                PID:5116

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i5724722.exe
                Filesize

                206KB

                MD5

                858da9dbd1c79222cff4ab985b874b29

                SHA1

                e991851ca063cddc8e51915623759bcf7163a039

                SHA256

                f2943217de6806811240308f562bc4e66f14d9c1e53b5746516475323fa3572a

                SHA512

                e64e1b5fbcd1dc8706c19b390d4584087fc2de3f6567483eb737c4843288115ae861de9a4da6c2c2da5e7cefd67c9d372063676b364488a15bc005fbcfba48d2

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i5724722.exe
                Filesize

                206KB

                MD5

                858da9dbd1c79222cff4ab985b874b29

                SHA1

                e991851ca063cddc8e51915623759bcf7163a039

                SHA256

                f2943217de6806811240308f562bc4e66f14d9c1e53b5746516475323fa3572a

                SHA512

                e64e1b5fbcd1dc8706c19b390d4584087fc2de3f6567483eb737c4843288115ae861de9a4da6c2c2da5e7cefd67c9d372063676b364488a15bc005fbcfba48d2

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2106230.exe
                Filesize

                395KB

                MD5

                b7a059cfec861959f3f840db0f664774

                SHA1

                5721ef8e7500b362fcc97e7615a2aba4c6c88e63

                SHA256

                18a1e20a265fb41b929e73fdae3d8779bc32e282507c80a16e2b99d46f85e5f3

                SHA512

                b922a348d521f1b238826cfb0dce9b9eae11180f605a9e77aaa3996715388a4a8974cb4391bfebf4084b9aa102513970ea445b99661e22d66d4cd39d9fd8303b

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2106230.exe
                Filesize

                395KB

                MD5

                b7a059cfec861959f3f840db0f664774

                SHA1

                5721ef8e7500b362fcc97e7615a2aba4c6c88e63

                SHA256

                18a1e20a265fb41b929e73fdae3d8779bc32e282507c80a16e2b99d46f85e5f3

                SHA512

                b922a348d521f1b238826cfb0dce9b9eae11180f605a9e77aaa3996715388a4a8974cb4391bfebf4084b9aa102513970ea445b99661e22d66d4cd39d9fd8303b

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7492477.exe
                Filesize

                168KB

                MD5

                86928935115764abe77ad9a09a8c98f4

                SHA1

                6336027fe8d843da2fd17eb5cad04efecc6caca8

                SHA256

                363e7b87fca26dd43b99fb1786f695ee64aa50f2abb7d67cdc36456beec91a7b

                SHA512

                0ab5ce96fec0ed76c5428900acf46bf63bb9bf27297056cae4dbf5b6e2505ea146558c5b82aa485c417754fc0a2be9d9c05bd441a2c5a0be027e2a6e06f11f04

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7492477.exe
                Filesize

                168KB

                MD5

                86928935115764abe77ad9a09a8c98f4

                SHA1

                6336027fe8d843da2fd17eb5cad04efecc6caca8

                SHA256

                363e7b87fca26dd43b99fb1786f695ee64aa50f2abb7d67cdc36456beec91a7b

                SHA512

                0ab5ce96fec0ed76c5428900acf46bf63bb9bf27297056cae4dbf5b6e2505ea146558c5b82aa485c417754fc0a2be9d9c05bd441a2c5a0be027e2a6e06f11f04

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9692280.exe
                Filesize

                315KB

                MD5

                ba183998c7fd311ee23aca317a107edb

                SHA1

                43c0dbb0dd787dcc2df4fd4076e0f9d5a4b6e55d

                SHA256

                5140918e2d090a6abeb69479c2d414ec72819dbe126981834d046a40ae8c5dd6

                SHA512

                f28e397384a1cae52582d771ba4210783c064e34d0ab81ba173da554b30a34c00bb3d9bd8dfe572841562a89c5fdbc54cdadfa7ec9c9fdad111e647bf7305895

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9692280.exe
                Filesize

                315KB

                MD5

                ba183998c7fd311ee23aca317a107edb

                SHA1

                43c0dbb0dd787dcc2df4fd4076e0f9d5a4b6e55d

                SHA256

                5140918e2d090a6abeb69479c2d414ec72819dbe126981834d046a40ae8c5dd6

                SHA512

                f28e397384a1cae52582d771ba4210783c064e34d0ab81ba173da554b30a34c00bb3d9bd8dfe572841562a89c5fdbc54cdadfa7ec9c9fdad111e647bf7305895

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
                Filesize

                206KB

                MD5

                858da9dbd1c79222cff4ab985b874b29

                SHA1

                e991851ca063cddc8e51915623759bcf7163a039

                SHA256

                f2943217de6806811240308f562bc4e66f14d9c1e53b5746516475323fa3572a

                SHA512

                e64e1b5fbcd1dc8706c19b390d4584087fc2de3f6567483eb737c4843288115ae861de9a4da6c2c2da5e7cefd67c9d372063676b364488a15bc005fbcfba48d2

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
                Filesize

                206KB

                MD5

                858da9dbd1c79222cff4ab985b874b29

                SHA1

                e991851ca063cddc8e51915623759bcf7163a039

                SHA256

                f2943217de6806811240308f562bc4e66f14d9c1e53b5746516475323fa3572a

                SHA512

                e64e1b5fbcd1dc8706c19b390d4584087fc2de3f6567483eb737c4843288115ae861de9a4da6c2c2da5e7cefd67c9d372063676b364488a15bc005fbcfba48d2

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
                Filesize

                206KB

                MD5

                858da9dbd1c79222cff4ab985b874b29

                SHA1

                e991851ca063cddc8e51915623759bcf7163a039

                SHA256

                f2943217de6806811240308f562bc4e66f14d9c1e53b5746516475323fa3572a

                SHA512

                e64e1b5fbcd1dc8706c19b390d4584087fc2de3f6567483eb737c4843288115ae861de9a4da6c2c2da5e7cefd67c9d372063676b364488a15bc005fbcfba48d2

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
                Filesize

                206KB

                MD5

                858da9dbd1c79222cff4ab985b874b29

                SHA1

                e991851ca063cddc8e51915623759bcf7163a039

                SHA256

                f2943217de6806811240308f562bc4e66f14d9c1e53b5746516475323fa3572a

                SHA512

                e64e1b5fbcd1dc8706c19b390d4584087fc2de3f6567483eb737c4843288115ae861de9a4da6c2c2da5e7cefd67c9d372063676b364488a15bc005fbcfba48d2

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
                Filesize

                206KB

                MD5

                858da9dbd1c79222cff4ab985b874b29

                SHA1

                e991851ca063cddc8e51915623759bcf7163a039

                SHA256

                f2943217de6806811240308f562bc4e66f14d9c1e53b5746516475323fa3572a

                SHA512

                e64e1b5fbcd1dc8706c19b390d4584087fc2de3f6567483eb737c4843288115ae861de9a4da6c2c2da5e7cefd67c9d372063676b364488a15bc005fbcfba48d2

                Download Submit

              • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
                Filesize

                89KB

                MD5

                8451a2c5daa42b25333b1b2089c5ea39

                SHA1

                700cc99ec8d3113435e657070d2d6bde0a833adc

                SHA256

                b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

                SHA512

                6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

                Download Submit

              • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
                Filesize

                89KB

                MD5

                8451a2c5daa42b25333b1b2089c5ea39

                SHA1

                700cc99ec8d3113435e657070d2d6bde0a833adc

                SHA256

                b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

                SHA512

                6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

                Download Submit

              • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
                Filesize

                162B

                MD5

                1b7c22a214949975556626d7217e9a39

                SHA1

                d01c97e2944166ed23e47e4a62ff471ab8fa031f

                SHA256

                340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

                SHA512

                ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

                Download Submit

              • \Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
                Filesize

                89KB

                MD5

                8451a2c5daa42b25333b1b2089c5ea39

                SHA1

                700cc99ec8d3113435e657070d2d6bde0a833adc

                SHA256

                b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

                SHA512

                6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

                Download Submit

              • memory/1372-142-0x0000000004DE0000-0x0000000004E2B000-memory.dmp

                Filesize

                300KB

                Download

              • memory/1372-144-0x0000000005090000-0x0000000005122000-memory.dmp

                Filesize

                584KB

                Download

              • memory/1372-145-0x00000000061F0000-0x00000000066EE000-memory.dmp

                Filesize

                5.0MB

                Download

              • memory/1372-146-0x0000000005130000-0x0000000005196000-memory.dmp

                Filesize

                408KB

                Download

              • memory/1372-147-0x0000000005FE0000-0x00000000061A2000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/1372-148-0x0000000007F40000-0x000000000846C000-memory.dmp

                Filesize

                5.2MB

                Download

              • memory/1372-149-0x0000000002410000-0x0000000002420000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1372-150-0x0000000006740000-0x0000000006790000-memory.dmp

                Filesize

                320KB

                Download

              • memory/1372-143-0x0000000004F70000-0x0000000004FE6000-memory.dmp

                Filesize

                472KB

                Download

              • memory/1372-141-0x0000000002410000-0x0000000002420000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1372-140-0x0000000004C50000-0x0000000004C8E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/1372-139-0x0000000004BF0000-0x0000000004C02000-memory.dmp

                Filesize

                72KB

                Download

              • memory/1372-138-0x0000000004CD0000-0x0000000004DDA000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/1372-137-0x00000000051D0000-0x00000000057D6000-memory.dmp

                Filesize

                6.0MB

                Download

              • memory/1372-136-0x0000000002420000-0x0000000002426000-memory.dmp

                Filesize

                24KB

                Download

              • memory/1372-135-0x00000000002E0000-0x000000000030E000-memory.dmp

                Filesize

                184KB

                Download

              • memory/2056-159-0x00000000022C0000-0x00000000022D2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2056-171-0x00000000022C0000-0x00000000022D2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2056-173-0x00000000022C0000-0x00000000022D2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2056-176-0x0000000000490000-0x00000000004BD000-memory.dmp

                Filesize

                180KB

                Download

              • memory/2056-175-0x00000000022C0000-0x00000000022D2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2056-177-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2056-179-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2056-180-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2056-183-0x00000000022C0000-0x00000000022D2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2056-181-0x00000000022C0000-0x00000000022D2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2056-185-0x00000000022C0000-0x00000000022D2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2056-187-0x00000000022C0000-0x00000000022D2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2056-189-0x00000000022C0000-0x00000000022D2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2056-190-0x0000000000400000-0x0000000000485000-memory.dmp

                Filesize

                532KB

                Download

              • memory/2056-191-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2056-169-0x00000000022C0000-0x00000000022D2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2056-167-0x00000000022C0000-0x00000000022D2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2056-165-0x00000000022C0000-0x00000000022D2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2056-163-0x00000000022C0000-0x00000000022D2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2056-161-0x00000000022C0000-0x00000000022D2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2056-158-0x00000000022C0000-0x00000000022D2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2056-157-0x00000000022C0000-0x00000000022D8000-memory.dmp

                Filesize

                96KB

                Download

              • memory/2056-156-0x0000000001F70000-0x0000000001F8A000-memory.dmp

                Filesize

                104KB

                Download

              • memory/2056-192-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2056-193-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2056-195-0x0000000000400000-0x0000000000485000-memory.dmp

                Filesize

                532KB

                Download