Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    180s
  • max time network
    190s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-05-2023 22:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d6ac2965b772025cbbb37e2fe6504fbcc2ee1f1916e5c46733218d49ec31fe1d.exe

  • Size

    480KB

  • MD5

    12a4ecbe0bc0b0c3159ba7dee38d1eee

  • SHA1

    725890476a2b0418bd23fca3f2f84e9bea3f4317

  • SHA256

    d6ac2965b772025cbbb37e2fe6504fbcc2ee1f1916e5c46733218d49ec31fe1d

  • SHA512

    6255659cf65bd58ea3a6ff2dd5c6bf545e10ec38b3b9e179a64dcf6463c1727e18ecdc32f2c1838e108c5d6e6499eea53852d2d3b7763eaa38642374c5824511

  • SSDEEP

    12288:dMr8y90fknZC+uPx1l61YILdzvK7T2RsacWMqJpBa:dyF76EYONvKTmhp4

Score
10/10
redlinedariydiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

dariy

C2

217.196.96.101:4132

Attributes
  • auth_value

    2f34aa0d1cb1023a826825b68ebedcc8

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d6ac2965b772025cbbb37e2fe6504fbcc2ee1f1916e5c46733218d49ec31fe1d.exe
    "C:\Users\Admin\AppData\Local\Temp\d6ac2965b772025cbbb37e2fe6504fbcc2ee1f1916e5c46733218d49ec31fe1d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:588
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5930199.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5930199.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2008
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4850392.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4850392.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2304
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8667707.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8667707.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1260
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m7269822.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m7269822.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4800
      • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
        "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2832
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
          4⤵
          • Creates scheduled task(s)
          PID:2516
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4164
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            5⤵
              PID:1684
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "oneetx.exe" /P "Admin:N"
              5⤵
                PID:3596
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "oneetx.exe" /P "Admin:R" /E
                5⤵
                  PID:4100
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  5⤵
                    PID:1856
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "..\c3912af058" /P "Admin:N"
                    5⤵
                      PID:4364
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "..\c3912af058" /P "Admin:R" /E
                      5⤵
                        PID:808

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m7269822.exe
                Filesize

                208KB

                MD5

                63677709f365fac4b135497a154fafda

                SHA1

                da56a31d4c729d71b23500099890d87b424dcda8

                SHA256

                fd3d3621166f5e5247cd886b72b397216837f6673282311f5ae1ab3afcaeb267

                SHA512

                790cebf65e78393e57c0da0775c79472c25418dcae5aa404e8f1a8a83e383228359d8897c7917f0d3c889bdb07237f1a1c2d129ff16db6a7990e7cd7d2e58a35

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m7269822.exe
                Filesize

                208KB

                MD5

                63677709f365fac4b135497a154fafda

                SHA1

                da56a31d4c729d71b23500099890d87b424dcda8

                SHA256

                fd3d3621166f5e5247cd886b72b397216837f6673282311f5ae1ab3afcaeb267

                SHA512

                790cebf65e78393e57c0da0775c79472c25418dcae5aa404e8f1a8a83e383228359d8897c7917f0d3c889bdb07237f1a1c2d129ff16db6a7990e7cd7d2e58a35

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5930199.exe
                Filesize

                309KB

                MD5

                bb9a755625d9a83697b0f24755f9acd7

                SHA1

                902005870f478fa416fb69063aa4b3f8f19aa5e1

                SHA256

                e3a7b3db75ef2e295c74042cf393773dc78f600510f917916f01ba6f67e7bc90

                SHA512

                127c0e210c5bb13d21a88fc81fe5db74454fe5bd626fe790dcdf927697dcfd1a87efe6f66afceed0e5691bf5b679c28421fd17ae132447caed62896980c46e51

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5930199.exe
                Filesize

                309KB

                MD5

                bb9a755625d9a83697b0f24755f9acd7

                SHA1

                902005870f478fa416fb69063aa4b3f8f19aa5e1

                SHA256

                e3a7b3db75ef2e295c74042cf393773dc78f600510f917916f01ba6f67e7bc90

                SHA512

                127c0e210c5bb13d21a88fc81fe5db74454fe5bd626fe790dcdf927697dcfd1a87efe6f66afceed0e5691bf5b679c28421fd17ae132447caed62896980c46e51

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4850392.exe
                Filesize

                176KB

                MD5

                bf976d486668015ee28685c6760c57b6

                SHA1

                a28b576d2a225da83176ad2f0c0ce518e382cff4

                SHA256

                79a7535cc81e1117f665c74931a4c4cd1b8c2a2c33f6cb50582586a1839c6ea8

                SHA512

                954555c0715596e7a437dc3dc9c6efda9293273a2b92adc8e94edb77108513f69d424fadb20b4238890b3db805615c1c1a348ce533b287ceab6a992def9f54d1

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4850392.exe
                Filesize

                176KB

                MD5

                bf976d486668015ee28685c6760c57b6

                SHA1

                a28b576d2a225da83176ad2f0c0ce518e382cff4

                SHA256

                79a7535cc81e1117f665c74931a4c4cd1b8c2a2c33f6cb50582586a1839c6ea8

                SHA512

                954555c0715596e7a437dc3dc9c6efda9293273a2b92adc8e94edb77108513f69d424fadb20b4238890b3db805615c1c1a348ce533b287ceab6a992def9f54d1

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8667707.exe
                Filesize

                168KB

                MD5

                ec9ded14e9294caf84f4c3db868ddf1c

                SHA1

                99d9ef67706df37e94e8c954ea602814a1e3b378

                SHA256

                fb1dc45288588aaf7a2d062819a9d86844d3a1ec5a2f5a0c6b68dc47a5e62d43

                SHA512

                0a4c86b73a0cd5e080efb8af45ee5a91f7d61d5ef7b7182bab3b39e48bb2a69025b572082813d0301d00e2b60f01e2ce46b15868b883a29bcea260e7be75e939

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8667707.exe
                Filesize

                168KB

                MD5

                ec9ded14e9294caf84f4c3db868ddf1c

                SHA1

                99d9ef67706df37e94e8c954ea602814a1e3b378

                SHA256

                fb1dc45288588aaf7a2d062819a9d86844d3a1ec5a2f5a0c6b68dc47a5e62d43

                SHA512

                0a4c86b73a0cd5e080efb8af45ee5a91f7d61d5ef7b7182bab3b39e48bb2a69025b572082813d0301d00e2b60f01e2ce46b15868b883a29bcea260e7be75e939

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
                Filesize

                208KB

                MD5

                63677709f365fac4b135497a154fafda

                SHA1

                da56a31d4c729d71b23500099890d87b424dcda8

                SHA256

                fd3d3621166f5e5247cd886b72b397216837f6673282311f5ae1ab3afcaeb267

                SHA512

                790cebf65e78393e57c0da0775c79472c25418dcae5aa404e8f1a8a83e383228359d8897c7917f0d3c889bdb07237f1a1c2d129ff16db6a7990e7cd7d2e58a35

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
                Filesize

                208KB

                MD5

                63677709f365fac4b135497a154fafda

                SHA1

                da56a31d4c729d71b23500099890d87b424dcda8

                SHA256

                fd3d3621166f5e5247cd886b72b397216837f6673282311f5ae1ab3afcaeb267

                SHA512

                790cebf65e78393e57c0da0775c79472c25418dcae5aa404e8f1a8a83e383228359d8897c7917f0d3c889bdb07237f1a1c2d129ff16db6a7990e7cd7d2e58a35

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
                Filesize

                208KB

                MD5

                63677709f365fac4b135497a154fafda

                SHA1

                da56a31d4c729d71b23500099890d87b424dcda8

                SHA256

                fd3d3621166f5e5247cd886b72b397216837f6673282311f5ae1ab3afcaeb267

                SHA512

                790cebf65e78393e57c0da0775c79472c25418dcae5aa404e8f1a8a83e383228359d8897c7917f0d3c889bdb07237f1a1c2d129ff16db6a7990e7cd7d2e58a35

                Download Submit

              • memory/1260-196-0x000000000BAB0000-0x000000000BC72000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/1260-197-0x000000000C1B0000-0x000000000C6DC000-memory.dmp

                Filesize

                5.2MB

                Download

              • memory/1260-195-0x0000000002580000-0x0000000002590000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1260-194-0x000000000ACC0000-0x000000000AD26000-memory.dmp

                Filesize

                408KB

                Download

              • memory/1260-193-0x000000000A4D0000-0x000000000A562000-memory.dmp

                Filesize

                584KB

                Download

              • memory/1260-192-0x000000000A3B0000-0x000000000A426000-memory.dmp

                Filesize

                472KB

                Download

              • memory/1260-191-0x000000000A0A0000-0x000000000A0DC000-memory.dmp

                Filesize

                240KB

                Download

              • memory/1260-190-0x0000000002580000-0x0000000002590000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1260-189-0x000000000A040000-0x000000000A052000-memory.dmp

                Filesize

                72KB

                Download

              • memory/1260-188-0x000000000A110000-0x000000000A21A000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/1260-187-0x000000000A5A0000-0x000000000ABB8000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/1260-186-0x0000000000190000-0x00000000001BE000-memory.dmp

                Filesize

                184KB

                Download

              • memory/1260-198-0x000000000B970000-0x000000000B9C0000-memory.dmp

                Filesize

                320KB

                Download

              • memory/2304-156-0x00000000024D0000-0x00000000024E2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2304-181-0x0000000004A10000-0x0000000004A20000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2304-180-0x0000000004A10000-0x0000000004A20000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2304-179-0x0000000004A10000-0x0000000004A20000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2304-178-0x00000000024D0000-0x00000000024E2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2304-176-0x00000000024D0000-0x00000000024E2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2304-174-0x00000000024D0000-0x00000000024E2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2304-172-0x00000000024D0000-0x00000000024E2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2304-170-0x00000000024D0000-0x00000000024E2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2304-168-0x00000000024D0000-0x00000000024E2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2304-166-0x00000000024D0000-0x00000000024E2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2304-164-0x00000000024D0000-0x00000000024E2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2304-162-0x00000000024D0000-0x00000000024E2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2304-160-0x00000000024D0000-0x00000000024E2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2304-158-0x00000000024D0000-0x00000000024E2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2304-154-0x00000000024D0000-0x00000000024E2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2304-152-0x00000000024D0000-0x00000000024E2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2304-151-0x00000000024D0000-0x00000000024E2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2304-150-0x0000000004A10000-0x0000000004A20000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2304-149-0x0000000004A10000-0x0000000004A20000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2304-148-0x0000000004A10000-0x0000000004A20000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2304-147-0x0000000004A20000-0x0000000004FC4000-memory.dmp

                Filesize

                5.6MB

                Download