Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    193s
  • max time network
    210s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-05-2023 09:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3bf207dfed8e18fe10d53c6b8cda1d2123f33be8945230ec5cdbf94213a90e34.exe

  • Size

    490KB

  • MD5

    640427557f9d7f81d7106f3e74d52be2

  • SHA1

    3aa1f5efe2637a3d2d16aac2118b31f13165caa7

  • SHA256

    3bf207dfed8e18fe10d53c6b8cda1d2123f33be8945230ec5cdbf94213a90e34

  • SHA512

    e61cc31d6474705a73d8a1bce5662e46ea36043ffccfbaaa35886e94ff41b9337631774b828cce51f833f2e9e801fe8fe8dcf5b91021bb599752f2b0acec6282

  • SSDEEP

    12288:bMr2y90VyaSCtFFPQwObak+iV6/Pz7IuNE+ukO5:dy4SHwAV+l4+Y

Score
10/10
amadeyredlineladadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

lada

C2

217.196.96.101:4132

Attributes
  • auth_value

    0b3678897547fedafe314eda5a2015ba

Extracted

Family

amadey

Version

3.70

C2

212.113.119.255/joomla/index.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3bf207dfed8e18fe10d53c6b8cda1d2123f33be8945230ec5cdbf94213a90e34.exe
    "C:\Users\Admin\AppData\Local\Temp\3bf207dfed8e18fe10d53c6b8cda1d2123f33be8945230ec5cdbf94213a90e34.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8491927.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8491927.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3396
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8282720.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8282720.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1436
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7815827.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7815827.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2596
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s8256508.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s8256508.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2948
      • C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
        "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3252
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F
          4⤵
          • Creates scheduled task(s)
          PID:4568
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
          4⤵
          • Loads dropped DLL
          PID:3632
  • C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
    C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
    1⤵
    • Executes dropped EXE
    PID:3340

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
    Filesize

    231KB

    MD5

    f5571d5b7ed2fa69d726c30a06b294de

    SHA1

    c4273b77d932bc69300245d26965e9bde5679001

    SHA256

    e676b50f98841d4270c1d2fa0799187fa850757187a837ddc1adbd746d5b2d39

    SHA512

    4c1f85e20ba5dd13b16feb8f958517942af319231a2b2cd9afbddeca9bc62491465d6d5be020bf4e40d2b8fc5dce4556fc1a89c76556e47e8c27ad5e80e37d72

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
    Filesize

    231KB

    MD5

    f5571d5b7ed2fa69d726c30a06b294de

    SHA1

    c4273b77d932bc69300245d26965e9bde5679001

    SHA256

    e676b50f98841d4270c1d2fa0799187fa850757187a837ddc1adbd746d5b2d39

    SHA512

    4c1f85e20ba5dd13b16feb8f958517942af319231a2b2cd9afbddeca9bc62491465d6d5be020bf4e40d2b8fc5dce4556fc1a89c76556e47e8c27ad5e80e37d72

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
    Filesize

    231KB

    MD5

    f5571d5b7ed2fa69d726c30a06b294de

    SHA1

    c4273b77d932bc69300245d26965e9bde5679001

    SHA256

    e676b50f98841d4270c1d2fa0799187fa850757187a837ddc1adbd746d5b2d39

    SHA512

    4c1f85e20ba5dd13b16feb8f958517942af319231a2b2cd9afbddeca9bc62491465d6d5be020bf4e40d2b8fc5dce4556fc1a89c76556e47e8c27ad5e80e37d72

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
    Filesize

    231KB

    MD5

    f5571d5b7ed2fa69d726c30a06b294de

    SHA1

    c4273b77d932bc69300245d26965e9bde5679001

    SHA256

    e676b50f98841d4270c1d2fa0799187fa850757187a837ddc1adbd746d5b2d39

    SHA512

    4c1f85e20ba5dd13b16feb8f958517942af319231a2b2cd9afbddeca9bc62491465d6d5be020bf4e40d2b8fc5dce4556fc1a89c76556e47e8c27ad5e80e37d72

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s8256508.exe
    Filesize

    231KB

    MD5

    f5571d5b7ed2fa69d726c30a06b294de

    SHA1

    c4273b77d932bc69300245d26965e9bde5679001

    SHA256

    e676b50f98841d4270c1d2fa0799187fa850757187a837ddc1adbd746d5b2d39

    SHA512

    4c1f85e20ba5dd13b16feb8f958517942af319231a2b2cd9afbddeca9bc62491465d6d5be020bf4e40d2b8fc5dce4556fc1a89c76556e47e8c27ad5e80e37d72

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s8256508.exe
    Filesize

    231KB

    MD5

    f5571d5b7ed2fa69d726c30a06b294de

    SHA1

    c4273b77d932bc69300245d26965e9bde5679001

    SHA256

    e676b50f98841d4270c1d2fa0799187fa850757187a837ddc1adbd746d5b2d39

    SHA512

    4c1f85e20ba5dd13b16feb8f958517942af319231a2b2cd9afbddeca9bc62491465d6d5be020bf4e40d2b8fc5dce4556fc1a89c76556e47e8c27ad5e80e37d72

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8491927.exe
    Filesize

    307KB

    MD5

    0825ba6bd5d8b80a04b045814b7a3c1f

    SHA1

    184593f72765502cfc96f8cb52198987e3ed1a36

    SHA256

    55290742f12323d8ccfa2278f2213cdfa21fc212754ebc8073b500fb680b93b5

    SHA512

    84d8e14e3e9136a9e0e0759677e8d48dcbc22c876f0e5b4fd071887f0f840b46fd0b95f45230b8236cbb2830cfea1819ff5d76764819ec2f0cf049442f7e5f7e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8491927.exe
    Filesize

    307KB

    MD5

    0825ba6bd5d8b80a04b045814b7a3c1f

    SHA1

    184593f72765502cfc96f8cb52198987e3ed1a36

    SHA256

    55290742f12323d8ccfa2278f2213cdfa21fc212754ebc8073b500fb680b93b5

    SHA512

    84d8e14e3e9136a9e0e0759677e8d48dcbc22c876f0e5b4fd071887f0f840b46fd0b95f45230b8236cbb2830cfea1819ff5d76764819ec2f0cf049442f7e5f7e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8282720.exe
    Filesize

    177KB

    MD5

    5c34ee1302746ea137faefa57b73dcea

    SHA1

    b0a463bb1ae5fe1b900147ef9235dfcab283d4bc

    SHA256

    3fee38540f4b2e2b1cb146a4730ccf91e3f35170cdd3c520ebcc22ba8e668f43

    SHA512

    ba4720d24297e656ec68d1aefc39ccfd542c0e96bb1a222235b6a9108d54c44c632fcaa94c60e2a83bd3500be7ba4b30394bed6123a36064d51c103b72e5f234

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8282720.exe
    Filesize

    177KB

    MD5

    5c34ee1302746ea137faefa57b73dcea

    SHA1

    b0a463bb1ae5fe1b900147ef9235dfcab283d4bc

    SHA256

    3fee38540f4b2e2b1cb146a4730ccf91e3f35170cdd3c520ebcc22ba8e668f43

    SHA512

    ba4720d24297e656ec68d1aefc39ccfd542c0e96bb1a222235b6a9108d54c44c632fcaa94c60e2a83bd3500be7ba4b30394bed6123a36064d51c103b72e5f234

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7815827.exe
    Filesize

    168KB

    MD5

    4d9881758dbe75e9c17e13eb7f6980b9

    SHA1

    8be68b5cd7a79e91112adfd6f605d19a3dcfa476

    SHA256

    f9117942a334c89be54db10fe9a10aab3c40982a8dfa47031588f17be0b38baa

    SHA512

    3eea9c43d4e85b7b73b08607e0f3500645e172893d3fbe99664da549f2a30f8db41d817e8c146930471cb30c2026b73cccef051e99965a0f5a4da94a87080e98

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7815827.exe
    Filesize

    168KB

    MD5

    4d9881758dbe75e9c17e13eb7f6980b9

    SHA1

    8be68b5cd7a79e91112adfd6f605d19a3dcfa476

    SHA256

    f9117942a334c89be54db10fe9a10aab3c40982a8dfa47031588f17be0b38baa

    SHA512

    3eea9c43d4e85b7b73b08607e0f3500645e172893d3fbe99664da549f2a30f8db41d817e8c146930471cb30c2026b73cccef051e99965a0f5a4da94a87080e98

    Download Submit
  • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
    Filesize

    89KB

    MD5

    73df88d68a4f5e066784d462788cf695

    SHA1

    e4bfed336848d0b622fa464d40cf4bd9222aab3f

    SHA256

    f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f

    SHA512

    64c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817

    Download Submit
  • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
    Filesize

    89KB

    MD5

    73df88d68a4f5e066784d462788cf695

    SHA1

    e4bfed336848d0b622fa464d40cf4bd9222aab3f

    SHA256

    f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f

    SHA512

    64c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817

    Download Submit
  • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
    Filesize

    89KB

    MD5

    73df88d68a4f5e066784d462788cf695

    SHA1

    e4bfed336848d0b622fa464d40cf4bd9222aab3f

    SHA256

    f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f

    SHA512

    64c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817

    Download Submit
  • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
    Filesize

    162B

    MD5

    1b7c22a214949975556626d7217e9a39

    SHA1

    d01c97e2944166ed23e47e4a62ff471ab8fa031f

    SHA256

    340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

    SHA512

    ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

    Download Submit
  • memory/1436-157-0x0000000002570000-0x0000000002582000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1436-155-0x0000000002570000-0x0000000002582000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1436-169-0x0000000002570000-0x0000000002582000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1436-171-0x0000000002570000-0x0000000002582000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1436-173-0x0000000002570000-0x0000000002582000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1436-175-0x0000000002570000-0x0000000002582000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1436-177-0x0000000002570000-0x0000000002582000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1436-179-0x0000000002570000-0x0000000002582000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1436-165-0x0000000002570000-0x0000000002582000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1436-163-0x0000000002570000-0x0000000002582000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1436-147-0x0000000004AC0000-0x0000000004AD0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1436-148-0x0000000004AC0000-0x0000000004AD0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1436-149-0x0000000004AD0000-0x0000000005074000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/1436-150-0x0000000004AC0000-0x0000000004AD0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1436-151-0x0000000004AC0000-0x0000000004AD0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1436-152-0x0000000002570000-0x0000000002582000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1436-153-0x0000000002570000-0x0000000002582000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1436-167-0x0000000002570000-0x0000000002582000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1436-159-0x0000000002570000-0x0000000002582000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1436-161-0x0000000002570000-0x0000000002582000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2596-190-0x0000000004A30000-0x0000000004A40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2596-195-0x000000000BFE0000-0x000000000C50C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/2596-196-0x000000000B110000-0x000000000B160000-memory.dmp
    Filesize

    320KB

    Download
  • memory/2596-193-0x000000000A390000-0x000000000A3F6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2596-192-0x000000000A430000-0x000000000A4C2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2596-191-0x000000000A310000-0x000000000A386000-memory.dmp
    Filesize

    472KB

    Download
  • memory/2596-194-0x000000000B220000-0x000000000B3E2000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2596-189-0x000000000A000000-0x000000000A03C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/2596-188-0x0000000004A30000-0x0000000004A40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2596-187-0x0000000009FA0000-0x0000000009FB2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2596-186-0x000000000A070000-0x000000000A17A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/2596-185-0x000000000A4F0000-0x000000000AB08000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/2596-184-0x0000000000230000-0x0000000000260000-memory.dmp
    Filesize

    192KB

    Download