Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/05/2023, 05:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3aac7d8d5d5fc1cf9b4334638672342fc79b379c214768ae8d10846137002807.exe

  • Size

    981KB

  • MD5

    70affd33075fc31907557f427292f2c3

  • SHA1

    091f3702b1caec8d0841f5b4ca5efd36af45d724

  • SHA256

    3aac7d8d5d5fc1cf9b4334638672342fc79b379c214768ae8d10846137002807

  • SHA512

    cb731bae7ccb31b99e110ef7ce3c6076e55beb7dc26efaad3bc9b0c362dbf3c248ea9baf6e5328f9e68aae9e9eb57139d1af363278cd5382e9e0fe977cd15a7a

  • SSDEEP

    24576:LytlnJS+SnwMT+JUf9TGWShlidzpmWho0IWhOBrff:+jn03FCJ4GDhleho0PM

Score
10/10
redlinehavalmaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.122:19062

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Extracted

Family

redline

Botnet

haval

C2

83.97.73.122:19062

Attributes
  • auth_value

    d23dec6813deb04eb8abd82657a9b0af

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3aac7d8d5d5fc1cf9b4334638672342fc79b379c214768ae8d10846137002807.exe
    "C:\Users\Admin\AppData\Local\Temp\3aac7d8d5d5fc1cf9b4334638672342fc79b379c214768ae8d10846137002807.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4256
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3053132.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3053132.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4088
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8989295.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8989295.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4276
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6972251.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6972251.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2520
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:640
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6358432.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6358432.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1332
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1244742.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1244742.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:996
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
          4⤵
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2628
          • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
            "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
            5⤵
            • Executes dropped EXE
            PID:1436
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8912929.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8912929.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4380
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3024

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8912929.exe
    Filesize

    328KB

    MD5

    d1cf1a458b0d74ee497a74e98c5eb222

    SHA1

    563ef7e8f092cee73b09ae5f5e1d0016a16273e7

    SHA256

    3a5ba93d08b32e575069b812b50dbdbb0249464cc584b3ced8ead3e444bd452a

    SHA512

    d42dca2b0d5e15c801d48eefe0087abaa2d4d5c21c9ce04cce80c7615e0f4e25c0664b6eb5a6640934defe5ca459de587ebb6923aeed998c4c32e8fb137ce39b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8912929.exe
    Filesize

    328KB

    MD5

    d1cf1a458b0d74ee497a74e98c5eb222

    SHA1

    563ef7e8f092cee73b09ae5f5e1d0016a16273e7

    SHA256

    3a5ba93d08b32e575069b812b50dbdbb0249464cc584b3ced8ead3e444bd452a

    SHA512

    d42dca2b0d5e15c801d48eefe0087abaa2d4d5c21c9ce04cce80c7615e0f4e25c0664b6eb5a6640934defe5ca459de587ebb6923aeed998c4c32e8fb137ce39b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3053132.exe
    Filesize

    661KB

    MD5

    e7ceafb51d8d0b19d6697b448063c0a7

    SHA1

    a1ed7dc09c8f1556591f5e1fa56afffcf4ebd54f

    SHA256

    fba970cd92b6dc7c34f6f031c74a90189f01f8539ef94842d95eeba3bb3aedc1

    SHA512

    d0f170fffb8452188ae5cdfead953e9ee0598696ad98346c0a686e981b03e18a6aef7aff3d8670673b359d1d24905dfe085743dfe7210737b03c1dd06e42a049

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3053132.exe
    Filesize

    661KB

    MD5

    e7ceafb51d8d0b19d6697b448063c0a7

    SHA1

    a1ed7dc09c8f1556591f5e1fa56afffcf4ebd54f

    SHA256

    fba970cd92b6dc7c34f6f031c74a90189f01f8539ef94842d95eeba3bb3aedc1

    SHA512

    d0f170fffb8452188ae5cdfead953e9ee0598696ad98346c0a686e981b03e18a6aef7aff3d8670673b359d1d24905dfe085743dfe7210737b03c1dd06e42a049

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1244742.exe
    Filesize

    387KB

    MD5

    69633724577ada814a52222b0916b57e

    SHA1

    41a8f00abc66539d28afc7bca1d28af3254eb300

    SHA256

    699fc6c40db462423adc824c33a9d29ba88c67d63b1ee07a8cba1dad595ede4e

    SHA512

    d6e31894fd2ec1cecbd3201345670ee951f5df6a5658377e0526b97f2a7b95f2e5e764a12bcbbbe4b2df1c1ad9384da1c66676870c44bddd6debd96a0eb3c97a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1244742.exe
    Filesize

    387KB

    MD5

    69633724577ada814a52222b0916b57e

    SHA1

    41a8f00abc66539d28afc7bca1d28af3254eb300

    SHA256

    699fc6c40db462423adc824c33a9d29ba88c67d63b1ee07a8cba1dad595ede4e

    SHA512

    d6e31894fd2ec1cecbd3201345670ee951f5df6a5658377e0526b97f2a7b95f2e5e764a12bcbbbe4b2df1c1ad9384da1c66676870c44bddd6debd96a0eb3c97a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8989295.exe
    Filesize

    280KB

    MD5

    39cb07a50a33ba1aacde92ea73c045d4

    SHA1

    0d22044a2d8027ec15e3f817ff7aa759a290c188

    SHA256

    3d38dca1139794719fdfdfca7ce665b52b544e2ca8f4c60f31152bdfe570ca71

    SHA512

    eb6b0b996650605932e32b8ded51a9a9d71cf5bf1aa66b19a32836386ba16aca72fc63e63ab5378ef42c4881d30acb54b533149604a6fd0795c6fdcf1f445b8e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8989295.exe
    Filesize

    280KB

    MD5

    39cb07a50a33ba1aacde92ea73c045d4

    SHA1

    0d22044a2d8027ec15e3f817ff7aa759a290c188

    SHA256

    3d38dca1139794719fdfdfca7ce665b52b544e2ca8f4c60f31152bdfe570ca71

    SHA512

    eb6b0b996650605932e32b8ded51a9a9d71cf5bf1aa66b19a32836386ba16aca72fc63e63ab5378ef42c4881d30acb54b533149604a6fd0795c6fdcf1f445b8e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6972251.exe
    Filesize

    194KB

    MD5

    034232da3b384f62a84a081bb308b69e

    SHA1

    d5993ef9a9a1c93a19fe52b693ed297e774cbae9

    SHA256

    b50e6039a399b92df26bdf142fbadf9c8d43aeb15228553792785775b1eec6aa

    SHA512

    d93533d1bc12523d1ac3eca198c8c8b2e8a2eb6e0178e22c2cd321ef3879d08ecca939b4ff860282e08addbc3708e9099ca69a228d7bac9a93ff4686420bee8e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6972251.exe
    Filesize

    194KB

    MD5

    034232da3b384f62a84a081bb308b69e

    SHA1

    d5993ef9a9a1c93a19fe52b693ed297e774cbae9

    SHA256

    b50e6039a399b92df26bdf142fbadf9c8d43aeb15228553792785775b1eec6aa

    SHA512

    d93533d1bc12523d1ac3eca198c8c8b2e8a2eb6e0178e22c2cd321ef3879d08ecca939b4ff860282e08addbc3708e9099ca69a228d7bac9a93ff4686420bee8e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6358432.exe
    Filesize

    145KB

    MD5

    0f412217401e2bc56d2202e3a12a148c

    SHA1

    00432fc244d4d3ee33c93b30ce68a4010f1665ab

    SHA256

    5e498b91a2053ec2af3e1c04099f27eb854c5e5e379f4325755dc13a0c00e3e7

    SHA512

    742d0022eb1623cdc0592274866bc9e81c471be275749d0d9ae9510ad78fbeee435a5bb0dc1a384f4c8c22cc3c14b2f23ddd18598a42b41c5bc22f3050eb715d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6358432.exe
    Filesize

    145KB

    MD5

    0f412217401e2bc56d2202e3a12a148c

    SHA1

    00432fc244d4d3ee33c93b30ce68a4010f1665ab

    SHA256

    5e498b91a2053ec2af3e1c04099f27eb854c5e5e379f4325755dc13a0c00e3e7

    SHA512

    742d0022eb1623cdc0592274866bc9e81c471be275749d0d9ae9510ad78fbeee435a5bb0dc1a384f4c8c22cc3c14b2f23ddd18598a42b41c5bc22f3050eb715d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
    Filesize

    101KB

    MD5

    89d41e1cf478a3d3c2c701a27a5692b2

    SHA1

    691e20583ef80cb9a2fd3258560e7f02481d12fd

    SHA256

    dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

    SHA512

    5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
    Filesize

    101KB

    MD5

    89d41e1cf478a3d3c2c701a27a5692b2

    SHA1

    691e20583ef80cb9a2fd3258560e7f02481d12fd

    SHA256

    dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

    SHA512

    5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
    Filesize

    101KB

    MD5

    89d41e1cf478a3d3c2c701a27a5692b2

    SHA1

    691e20583ef80cb9a2fd3258560e7f02481d12fd

    SHA256

    dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

    SHA512

    5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

    Download Submit

  • memory/640-155-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1332-172-0x0000000006930000-0x00000000069A6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1332-168-0x0000000005AA0000-0x0000000005AB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1332-173-0x00000000068B0000-0x0000000006900000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1332-175-0x0000000007290000-0x0000000007452000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1332-176-0x0000000007990000-0x0000000007EBC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/1332-177-0x0000000005AA0000-0x0000000005AB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1332-170-0x0000000006690000-0x0000000006722000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1332-169-0x0000000005B20000-0x0000000005B86000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1332-163-0x0000000000EE0000-0x0000000000F0A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1332-171-0x0000000006CE0000-0x0000000007284000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1332-164-0x0000000005CC0000-0x00000000062D8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1332-165-0x0000000005840000-0x000000000594A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1332-167-0x00000000057D0000-0x000000000580C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1332-166-0x0000000005770000-0x0000000005782000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2628-193-0x0000000000620000-0x0000000000658000-memory.dmp

    Filesize

    224KB

    Download

  • memory/2628-192-0x0000000000620000-0x0000000000658000-memory.dmp

    Filesize

    224KB

    Download

  • memory/2628-183-0x0000000000620000-0x0000000000658000-memory.dmp

    Filesize

    224KB

    Download

  • memory/3024-196-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3024-215-0x0000000005140000-0x0000000005150000-memory.dmp

    Filesize

    64KB

    Download