Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    97s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/05/2023, 03:24

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    ce9ac8bb30bcf226928270644820a3da32f12c530869d120292e4a5ada38c522.exe

  • Size

    982KB

  • MD5

    a00de4597aae894bb3f93de4321918d0

  • SHA1

    a16daff87b73341684e5cbfc655ac2138687c61a

  • SHA256

    ce9ac8bb30bcf226928270644820a3da32f12c530869d120292e4a5ada38c522

  • SHA512

    eeb6ad06e96d8f086fad191bd1a1aaea63d35f8af9e5add4328267c36370784d93e644feb9b0cb47deffacaad3925c3c4a0dca4b655dea74334c85c740e25c88

  • SSDEEP

    24576:Cy1t+/+jhBAcByO/IN8GJwUiTTGL2hEg5LFtkfdAK:pz+/+VeOwN8a/UGChEg5D

Score
10/10
redlinehavalmaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.122:19062

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Extracted

Family

redline

Botnet

haval

C2

83.97.73.122:19062

Attributes
  • auth_value

    d23dec6813deb04eb8abd82657a9b0af

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ce9ac8bb30bcf226928270644820a3da32f12c530869d120292e4a5ada38c522.exe
    "C:\Users\Admin\AppData\Local\Temp\ce9ac8bb30bcf226928270644820a3da32f12c530869d120292e4a5ada38c522.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4088
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1461132.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1461132.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3560
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2559893.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2559893.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:5040
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6330779.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6330779.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4500
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4052
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7450523.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7450523.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:364
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2542861.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2542861.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1784
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
          4⤵
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4672
          • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
            "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
            5⤵
            • Executes dropped EXE
            PID:692
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2908948.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2908948.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1828
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4760

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
          Filesize

          226B

          MD5

          916851e072fbabc4796d8916c5131092

          SHA1

          d48a602229a690c512d5fdaf4c8d77547a88e7a2

          SHA256

          7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

          SHA512

          07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2908948.exe
          Filesize

          328KB

          MD5

          b63ac2b93c72e98c666588eea8464f13

          SHA1

          fcfbbc4fe64f7534a6311dd732c751a7794b7205

          SHA256

          d330cb3ef823939b9d0c522938a392e4bfa081d02672d9487dfdf77c85853b36

          SHA512

          4aec5632551cb5737f61deafb9c9eef777edc4a908d21b237b8fcfafeb5ec2609974ef73daebd2aa233d1c95e95475a38b2b6499bfd23224242f9f1204656233

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2908948.exe
          Filesize

          328KB

          MD5

          b63ac2b93c72e98c666588eea8464f13

          SHA1

          fcfbbc4fe64f7534a6311dd732c751a7794b7205

          SHA256

          d330cb3ef823939b9d0c522938a392e4bfa081d02672d9487dfdf77c85853b36

          SHA512

          4aec5632551cb5737f61deafb9c9eef777edc4a908d21b237b8fcfafeb5ec2609974ef73daebd2aa233d1c95e95475a38b2b6499bfd23224242f9f1204656233

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1461132.exe
          Filesize

          661KB

          MD5

          e68c133ad4bd9a3f1eb3858906012a07

          SHA1

          187d82a08a66ec6f05f3ac734ec064b221881a1b

          SHA256

          29f7b94b0068b50ddd658f213334ccbf12793e332e4e3bbb6cf0090be1c00120

          SHA512

          70b7b0ccc11fb0e4c0405d3f33866790e4909f8ca1dfdfa825a93bd6fcea77dae72b5c40d499695afd0bbd0b883908ffcbbd63c28a6f7291e960e8ac8a3d35e8

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1461132.exe
          Filesize

          661KB

          MD5

          e68c133ad4bd9a3f1eb3858906012a07

          SHA1

          187d82a08a66ec6f05f3ac734ec064b221881a1b

          SHA256

          29f7b94b0068b50ddd658f213334ccbf12793e332e4e3bbb6cf0090be1c00120

          SHA512

          70b7b0ccc11fb0e4c0405d3f33866790e4909f8ca1dfdfa825a93bd6fcea77dae72b5c40d499695afd0bbd0b883908ffcbbd63c28a6f7291e960e8ac8a3d35e8

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2542861.exe
          Filesize

          388KB

          MD5

          b534496b0865e31636c6990c2e45fd09

          SHA1

          8c3d4db3e0be271249f1da44e5b4970c7c18a05e

          SHA256

          bc5fb530f61926058a634fb5d307e71dfd28b1834d77dc22816bae24b7c1fda2

          SHA512

          b303d0133d68882473246b417f3205696a4682a3b15b683b61c9176a4ea4a6f7d8b1134d477fb858d1e9317f9fccfa1217ec12682cdde6c53bf434f81f94f1c4

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2542861.exe
          Filesize

          388KB

          MD5

          b534496b0865e31636c6990c2e45fd09

          SHA1

          8c3d4db3e0be271249f1da44e5b4970c7c18a05e

          SHA256

          bc5fb530f61926058a634fb5d307e71dfd28b1834d77dc22816bae24b7c1fda2

          SHA512

          b303d0133d68882473246b417f3205696a4682a3b15b683b61c9176a4ea4a6f7d8b1134d477fb858d1e9317f9fccfa1217ec12682cdde6c53bf434f81f94f1c4

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2559893.exe
          Filesize

          280KB

          MD5

          1732427c95d36c23ef52955989c290a4

          SHA1

          71dc2ead3442e266a291c10d64840b3c7022ab55

          SHA256

          69655c728d2cac3255e4d79f4f5872dd6f8e05b97a7f911ad7737c33494e7ec0

          SHA512

          a4e5cb9f61410a89e642fdc5a8a49786fa2ad1974fff8c25888194e293338707ef42ab623cc87a0cf1da956567571b89d018e53fb0b386aa32af6c8253a9f967

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2559893.exe
          Filesize

          280KB

          MD5

          1732427c95d36c23ef52955989c290a4

          SHA1

          71dc2ead3442e266a291c10d64840b3c7022ab55

          SHA256

          69655c728d2cac3255e4d79f4f5872dd6f8e05b97a7f911ad7737c33494e7ec0

          SHA512

          a4e5cb9f61410a89e642fdc5a8a49786fa2ad1974fff8c25888194e293338707ef42ab623cc87a0cf1da956567571b89d018e53fb0b386aa32af6c8253a9f967

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6330779.exe
          Filesize

          194KB

          MD5

          7a9e00b53c659baae66ae064a9637384

          SHA1

          a1be8f72beff62cd29989d2c35875f9510572e8a

          SHA256

          1081279332b759179205c88255b1b9a0bbeafbc2ad399238d49028984e4cf4ca

          SHA512

          610d778d6be4d0daf6e1e8344cf89c9dc18e59d8b7603bef35597ca38d2f3dfbab38939377b8e1c18f3e8e979731cf6f0c95073cbcfff187ff6f2e3ca5b2a437

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6330779.exe
          Filesize

          194KB

          MD5

          7a9e00b53c659baae66ae064a9637384

          SHA1

          a1be8f72beff62cd29989d2c35875f9510572e8a

          SHA256

          1081279332b759179205c88255b1b9a0bbeafbc2ad399238d49028984e4cf4ca

          SHA512

          610d778d6be4d0daf6e1e8344cf89c9dc18e59d8b7603bef35597ca38d2f3dfbab38939377b8e1c18f3e8e979731cf6f0c95073cbcfff187ff6f2e3ca5b2a437

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7450523.exe
          Filesize

          145KB

          MD5

          c900215bf123bd6d715a92d1e3b1f602

          SHA1

          dfe99ea079b4a89dec6e77eb62ddad500bf9c00b

          SHA256

          e9477a23d7e4d09b133a82f97273b7d638702f07e9b6050ea4a928e1745f81b5

          SHA512

          09733e29732fb0fd8a219b34dc5a934c11292bde8472d2b433b42793c39a723e31104925856157c7beac28fbc803a6fed449f1386a957c1b6c849af6d3d5b8c2

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7450523.exe
          Filesize

          145KB

          MD5

          c900215bf123bd6d715a92d1e3b1f602

          SHA1

          dfe99ea079b4a89dec6e77eb62ddad500bf9c00b

          SHA256

          e9477a23d7e4d09b133a82f97273b7d638702f07e9b6050ea4a928e1745f81b5

          SHA512

          09733e29732fb0fd8a219b34dc5a934c11292bde8472d2b433b42793c39a723e31104925856157c7beac28fbc803a6fed449f1386a957c1b6c849af6d3d5b8c2

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
          Filesize

          101KB

          MD5

          89d41e1cf478a3d3c2c701a27a5692b2

          SHA1

          691e20583ef80cb9a2fd3258560e7f02481d12fd

          SHA256

          dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

          SHA512

          5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
          Filesize

          101KB

          MD5

          89d41e1cf478a3d3c2c701a27a5692b2

          SHA1

          691e20583ef80cb9a2fd3258560e7f02481d12fd

          SHA256

          dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

          SHA512

          5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
          Filesize

          101KB

          MD5

          89d41e1cf478a3d3c2c701a27a5692b2

          SHA1

          691e20583ef80cb9a2fd3258560e7f02481d12fd

          SHA256

          dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

          SHA512

          5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

          Download Submit

        • memory/364-172-0x00000000065E0000-0x0000000006656000-memory.dmp

          Filesize

          472KB

          Download

        • memory/364-166-0x0000000004E90000-0x0000000004EA2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/364-170-0x0000000005FB0000-0x0000000006554000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/364-173-0x0000000006560000-0x00000000065B0000-memory.dmp

          Filesize

          320KB

          Download

        • memory/364-175-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/364-176-0x0000000006830000-0x00000000069F2000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/364-177-0x0000000006F30000-0x000000000745C000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/364-169-0x0000000005230000-0x00000000052C2000-memory.dmp

          Filesize

          584KB

          Download

        • memory/364-168-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/364-163-0x00000000004C0000-0x00000000004EA000-memory.dmp

          Filesize

          168KB

          Download

        • memory/364-167-0x0000000005070000-0x00000000050AC000-memory.dmp

          Filesize

          240KB

          Download

        • memory/364-164-0x00000000053E0000-0x00000000059F8000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/364-165-0x0000000004F60000-0x000000000506A000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/364-171-0x0000000005A70000-0x0000000005AD6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4052-155-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4672-193-0x0000000000380000-0x00000000003B8000-memory.dmp

          Filesize

          224KB

          Download

        • memory/4672-192-0x0000000000380000-0x00000000003B8000-memory.dmp

          Filesize

          224KB

          Download

        • memory/4672-183-0x0000000000380000-0x00000000003B8000-memory.dmp

          Filesize

          224KB

          Download

        • memory/4760-196-0x0000000000400000-0x000000000042A000-memory.dmp

          Filesize

          168KB

          Download

        • memory/4760-215-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

          Filesize

          64KB

          Download