Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-05-2023 10:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c56fe33f51e7075d00ec8f9d4bae4891e1920de9bd4b350e914c44e39be9c218.exe

  • Size

    489KB

  • MD5

    245f5a964e1907ef7625387d2af74fa1

  • SHA1

    5160d53d0040f22772594a38333ef0701f723c97

  • SHA256

    c56fe33f51e7075d00ec8f9d4bae4891e1920de9bd4b350e914c44e39be9c218

  • SHA512

    7f69f8c08e319e9a61b6436346b4d5b278f99c0a2cecc36db46ea5dd2b2203fd05ec38c746e27f686f8db26854f03c2160850e234bd8b9b0026d71075c27ed0b

  • SSDEEP

    12288:KMr6y900bKUM2Sh7bDLkMUN5KDel3bfne7utjKO4k:UypmhrHLFw80Te7utok

Score
10/10
amadeyredlineladadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

lada

C2

217.196.96.101:4132

Attributes
  • auth_value

    0b3678897547fedafe314eda5a2015ba

Extracted

Family

amadey

Version

3.70

C2

212.113.119.255/joomla/index.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c56fe33f51e7075d00ec8f9d4bae4891e1920de9bd4b350e914c44e39be9c218.exe
    "C:\Users\Admin\AppData\Local\Temp\c56fe33f51e7075d00ec8f9d4bae4891e1920de9bd4b350e914c44e39be9c218.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3584
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7443267.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7443267.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3296
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o2860382.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o2860382.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2120
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1911737.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1911737.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4688
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s8428940.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s8428940.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4944
      • C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
        "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1424
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F
          4⤵
          • Creates scheduled task(s)
          PID:2792
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
          4⤵
          • Loads dropped DLL
          PID:1772
  • C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
    C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
    1⤵
    • Executes dropped EXE
    PID:3580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
    Filesize

    231KB

    MD5

    4304926efd963e41a5004acec0de3544

    SHA1

    94c32f7f8c40e59d5fa786e032f49c6bf011de27

    SHA256

    2cfd880924488f43206435bbd5b5f6be8224348187c9abea78b2cd887617d603

    SHA512

    371ddb86bd1c01bbc022b0baf0fa72376bab6b2e7e1eb42efcc13e9fbabf91435b066c077ceb3652f7ae39275e37e9005c278df61b48a16b706214a04a9d86e0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
    Filesize

    231KB

    MD5

    4304926efd963e41a5004acec0de3544

    SHA1

    94c32f7f8c40e59d5fa786e032f49c6bf011de27

    SHA256

    2cfd880924488f43206435bbd5b5f6be8224348187c9abea78b2cd887617d603

    SHA512

    371ddb86bd1c01bbc022b0baf0fa72376bab6b2e7e1eb42efcc13e9fbabf91435b066c077ceb3652f7ae39275e37e9005c278df61b48a16b706214a04a9d86e0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
    Filesize

    231KB

    MD5

    4304926efd963e41a5004acec0de3544

    SHA1

    94c32f7f8c40e59d5fa786e032f49c6bf011de27

    SHA256

    2cfd880924488f43206435bbd5b5f6be8224348187c9abea78b2cd887617d603

    SHA512

    371ddb86bd1c01bbc022b0baf0fa72376bab6b2e7e1eb42efcc13e9fbabf91435b066c077ceb3652f7ae39275e37e9005c278df61b48a16b706214a04a9d86e0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
    Filesize

    231KB

    MD5

    4304926efd963e41a5004acec0de3544

    SHA1

    94c32f7f8c40e59d5fa786e032f49c6bf011de27

    SHA256

    2cfd880924488f43206435bbd5b5f6be8224348187c9abea78b2cd887617d603

    SHA512

    371ddb86bd1c01bbc022b0baf0fa72376bab6b2e7e1eb42efcc13e9fbabf91435b066c077ceb3652f7ae39275e37e9005c278df61b48a16b706214a04a9d86e0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s8428940.exe
    Filesize

    231KB

    MD5

    4304926efd963e41a5004acec0de3544

    SHA1

    94c32f7f8c40e59d5fa786e032f49c6bf011de27

    SHA256

    2cfd880924488f43206435bbd5b5f6be8224348187c9abea78b2cd887617d603

    SHA512

    371ddb86bd1c01bbc022b0baf0fa72376bab6b2e7e1eb42efcc13e9fbabf91435b066c077ceb3652f7ae39275e37e9005c278df61b48a16b706214a04a9d86e0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s8428940.exe
    Filesize

    231KB

    MD5

    4304926efd963e41a5004acec0de3544

    SHA1

    94c32f7f8c40e59d5fa786e032f49c6bf011de27

    SHA256

    2cfd880924488f43206435bbd5b5f6be8224348187c9abea78b2cd887617d603

    SHA512

    371ddb86bd1c01bbc022b0baf0fa72376bab6b2e7e1eb42efcc13e9fbabf91435b066c077ceb3652f7ae39275e37e9005c278df61b48a16b706214a04a9d86e0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7443267.exe
    Filesize

    307KB

    MD5

    4004f511d327172eae41fdea7e7c0ac7

    SHA1

    bfd85c0eef8b3af1badcbecdafcff50bb458fe12

    SHA256

    166f6d483805428959f650a02e3717e2d55cef70c33e10b75926a4e5d51c9b44

    SHA512

    e6865f140391031cdccbc11a147203927ff29aece0aa1da827af5b43aef6d8ae7480c6143d36263ecbe29334e557300928584761a14412c9a0bfdac8acb48574

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7443267.exe
    Filesize

    307KB

    MD5

    4004f511d327172eae41fdea7e7c0ac7

    SHA1

    bfd85c0eef8b3af1badcbecdafcff50bb458fe12

    SHA256

    166f6d483805428959f650a02e3717e2d55cef70c33e10b75926a4e5d51c9b44

    SHA512

    e6865f140391031cdccbc11a147203927ff29aece0aa1da827af5b43aef6d8ae7480c6143d36263ecbe29334e557300928584761a14412c9a0bfdac8acb48574

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o2860382.exe
    Filesize

    177KB

    MD5

    0e5da80d38ab680857addb1e54531dad

    SHA1

    59c4adcc6ba9fc3fab1ab9f229f417da94dbb257

    SHA256

    4fc2f2689e37a60587cc9f304accd0b8f9d8ae9aaa4703228872c094d8d4697f

    SHA512

    b8407a2b7d288836568d4124ca6ee268647f728852c26d4cf46ab2efb8a7d3165255ab3bfe3ae6f01cc7ab1893fc486959557cfe8032709f8bf24c4920aac8b0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o2860382.exe
    Filesize

    177KB

    MD5

    0e5da80d38ab680857addb1e54531dad

    SHA1

    59c4adcc6ba9fc3fab1ab9f229f417da94dbb257

    SHA256

    4fc2f2689e37a60587cc9f304accd0b8f9d8ae9aaa4703228872c094d8d4697f

    SHA512

    b8407a2b7d288836568d4124ca6ee268647f728852c26d4cf46ab2efb8a7d3165255ab3bfe3ae6f01cc7ab1893fc486959557cfe8032709f8bf24c4920aac8b0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1911737.exe
    Filesize

    168KB

    MD5

    3268f6d63fc4768c6a0e98681d6d7926

    SHA1

    0bf3ad94d4db8d184ef217ab6e41b2f3c6c85218

    SHA256

    eef32a8ca5c462fc42de97b9fc66787ddfc5cc2a390e7ddf95e60afaa3472471

    SHA512

    6981937b41e6759fe1bb10655b7b3baa1ebb2fe027b44824aeac2aae8a542a596c72cbd47799f556ea00e5cfb90dc5bc3e2022df98c59b479945c5a4d9952036

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1911737.exe
    Filesize

    168KB

    MD5

    3268f6d63fc4768c6a0e98681d6d7926

    SHA1

    0bf3ad94d4db8d184ef217ab6e41b2f3c6c85218

    SHA256

    eef32a8ca5c462fc42de97b9fc66787ddfc5cc2a390e7ddf95e60afaa3472471

    SHA512

    6981937b41e6759fe1bb10655b7b3baa1ebb2fe027b44824aeac2aae8a542a596c72cbd47799f556ea00e5cfb90dc5bc3e2022df98c59b479945c5a4d9952036

    Download Submit
  • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
    Filesize

    89KB

    MD5

    73df88d68a4f5e066784d462788cf695

    SHA1

    e4bfed336848d0b622fa464d40cf4bd9222aab3f

    SHA256

    f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f

    SHA512

    64c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817

    Download Submit
  • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
    Filesize

    89KB

    MD5

    73df88d68a4f5e066784d462788cf695

    SHA1

    e4bfed336848d0b622fa464d40cf4bd9222aab3f

    SHA256

    f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f

    SHA512

    64c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817

    Download Submit
  • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
    Filesize

    89KB

    MD5

    73df88d68a4f5e066784d462788cf695

    SHA1

    e4bfed336848d0b622fa464d40cf4bd9222aab3f

    SHA256

    f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f

    SHA512

    64c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817

    Download Submit
  • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
    Filesize

    162B

    MD5

    1b7c22a214949975556626d7217e9a39

    SHA1

    d01c97e2944166ed23e47e4a62ff471ab8fa031f

    SHA256

    340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

    SHA512

    ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

    Download Submit
  • memory/2120-172-0x0000000004950000-0x0000000004962000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2120-154-0x0000000004950000-0x0000000004962000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2120-160-0x0000000004950000-0x0000000004962000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2120-162-0x0000000004950000-0x0000000004962000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2120-164-0x0000000004950000-0x0000000004962000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2120-166-0x0000000004950000-0x0000000004962000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2120-168-0x0000000004950000-0x0000000004962000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2120-170-0x0000000004950000-0x0000000004962000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2120-156-0x0000000004950000-0x0000000004962000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2120-174-0x0000000004950000-0x0000000004962000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2120-176-0x0000000004950000-0x0000000004962000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2120-178-0x0000000004950000-0x0000000004962000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2120-179-0x00000000049D0000-0x00000000049E0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2120-180-0x00000000049D0000-0x00000000049E0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2120-181-0x00000000049D0000-0x00000000049E0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2120-147-0x00000000049E0000-0x0000000004F84000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/2120-148-0x00000000049D0000-0x00000000049E0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2120-150-0x00000000049D0000-0x00000000049E0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2120-149-0x00000000049D0000-0x00000000049E0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2120-151-0x0000000004950000-0x0000000004962000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2120-152-0x0000000004950000-0x0000000004962000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2120-158-0x0000000004950000-0x0000000004962000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4688-189-0x000000000A7C0000-0x000000000A7D2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4688-194-0x000000000AB50000-0x000000000ABE2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4688-195-0x000000000B390000-0x000000000B3F6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4688-192-0x00000000052C0000-0x00000000052D0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4688-191-0x000000000A820000-0x000000000A85C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/4688-190-0x00000000052C0000-0x00000000052D0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4688-193-0x0000000005350000-0x00000000053C6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4688-188-0x000000000A890000-0x000000000A99A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4688-187-0x000000000AD70000-0x000000000B388000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/4688-186-0x0000000000A50000-0x0000000000A80000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4688-196-0x000000000C0C0000-0x000000000C282000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/4688-197-0x000000000C7C0000-0x000000000CCEC000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4688-198-0x000000000BEF0000-0x000000000BF40000-memory.dmp
    Filesize

    320KB

    Download