Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-06-2023 22:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    48b7a4339262c7a533bc2cb07408e5ab4a7b8ee2a0709de3beeac6b08f9b14c9.exe

  • Size

    581KB

  • MD5

    6e6a02cd249d1cffdb8e29513be7c3d4

  • SHA1

    e121bf3cf1dbc825ea84486e9c036386a6d35897

  • SHA256

    48b7a4339262c7a533bc2cb07408e5ab4a7b8ee2a0709de3beeac6b08f9b14c9

  • SHA512

    51e1c41306fdc93ae35eab38486fdd692a2ee494a7b6b0a22613750e6428685fade358449e3f81766c2ea706f7b46d1d1ef1faf0140e12c89170ed1bb3ad9a19

  • SSDEEP

    12288:YMrny90Lq5ZcTWzVzwKMXt1MPJMbDWyV0Q7tqwt8:fyQqjjznMXg+DhvK

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\48b7a4339262c7a533bc2cb07408e5ab4a7b8ee2a0709de3beeac6b08f9b14c9.exe
    "C:\Users\Admin\AppData\Local\Temp\48b7a4339262c7a533bc2cb07408e5ab4a7b8ee2a0709de3beeac6b08f9b14c9.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1828
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9529573.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9529573.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1800
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4728162.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4728162.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2456
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6544935.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6544935.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4236
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1165927.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1165927.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:212

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9529573.exe
    Filesize

    377KB

    MD5

    7d5ec6c58a9adf50a9e8bc1da1d90f79

    SHA1

    8955aacebe83d321d6e06960191084e7d881eeb4

    SHA256

    d1fb6686afd9cb1e303449dbb273ec913d3fe82720cb9b8d8ebc9369a3d60b62

    SHA512

    c0acec37ad256f3dafc4dbef701dd0d42dafc531be3b6e84a5aa1a9a4d69f8ae8a6129b58b8fb20a0c169a43f9f3b92e13cb001a051811f59ad447f9d06e6e25

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9529573.exe
    Filesize

    377KB

    MD5

    7d5ec6c58a9adf50a9e8bc1da1d90f79

    SHA1

    8955aacebe83d321d6e06960191084e7d881eeb4

    SHA256

    d1fb6686afd9cb1e303449dbb273ec913d3fe82720cb9b8d8ebc9369a3d60b62

    SHA512

    c0acec37ad256f3dafc4dbef701dd0d42dafc531be3b6e84a5aa1a9a4d69f8ae8a6129b58b8fb20a0c169a43f9f3b92e13cb001a051811f59ad447f9d06e6e25

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4728162.exe
    Filesize

    206KB

    MD5

    a3b91233c920ad3bfd1c2bba2fd83e37

    SHA1

    612814f8cfbbed85c6658f5bb4562fb2cade4f71

    SHA256

    fb40f3e9fd030878b3456f472b85e778d5014d46820b43c556f22bb632683778

    SHA512

    98f6e4b43416afddb95aa275ebe6e1f72f3eb47d1ff8c46f5c6bbc368200ad89eb7fab7c8f25fc61f88dd28b0b2f93aa115b6b6066a8f809b2b894d152c73663

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4728162.exe
    Filesize

    206KB

    MD5

    a3b91233c920ad3bfd1c2bba2fd83e37

    SHA1

    612814f8cfbbed85c6658f5bb4562fb2cade4f71

    SHA256

    fb40f3e9fd030878b3456f472b85e778d5014d46820b43c556f22bb632683778

    SHA512

    98f6e4b43416afddb95aa275ebe6e1f72f3eb47d1ff8c46f5c6bbc368200ad89eb7fab7c8f25fc61f88dd28b0b2f93aa115b6b6066a8f809b2b894d152c73663

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6544935.exe
    Filesize

    11KB

    MD5

    72f6e5b3d37f8e459aa8d443f0dee42c

    SHA1

    b2bf68250386a762387d32d12fe9034773b3b274

    SHA256

    177dfde9f2a767310111bd9e285cf0b4134bb0753af04033a561fee4d45b817f

    SHA512

    323188ab51bc45876a804acaa2585522a1fd20a468d2b0112f5c90ec439ee63212036e1d892941766ec5abb23c8c2c9b93a8258129767b37455efa78a4230ea4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6544935.exe
    Filesize

    11KB

    MD5

    72f6e5b3d37f8e459aa8d443f0dee42c

    SHA1

    b2bf68250386a762387d32d12fe9034773b3b274

    SHA256

    177dfde9f2a767310111bd9e285cf0b4134bb0753af04033a561fee4d45b817f

    SHA512

    323188ab51bc45876a804acaa2585522a1fd20a468d2b0112f5c90ec439ee63212036e1d892941766ec5abb23c8c2c9b93a8258129767b37455efa78a4230ea4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1165927.exe
    Filesize

    172KB

    MD5

    6376d5b5ffc211bf51845ec627531abf

    SHA1

    aa3b960b4410bc97372c3965262e6524264fdd74

    SHA256

    6df8e1ac5b370062a9606fdaa30f380d7b35873f030f8cc5be9c05fc086081e7

    SHA512

    5e0d44b3098d8177aab7b85a98bc15b85272b239b3261da7998d39aec2e68bef950e1421dcd0f8967c5b710cb3bc56c946317a82e95b7d0a9158370eb25c2685

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1165927.exe
    Filesize

    172KB

    MD5

    6376d5b5ffc211bf51845ec627531abf

    SHA1

    aa3b960b4410bc97372c3965262e6524264fdd74

    SHA256

    6df8e1ac5b370062a9606fdaa30f380d7b35873f030f8cc5be9c05fc086081e7

    SHA512

    5e0d44b3098d8177aab7b85a98bc15b85272b239b3261da7998d39aec2e68bef950e1421dcd0f8967c5b710cb3bc56c946317a82e95b7d0a9158370eb25c2685

    Download Submit
  • memory/212-160-0x000000000A9A0000-0x000000000AFB8000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/212-165-0x000000000A750000-0x000000000A7C6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/212-172-0x0000000004EF0000-0x0000000004F00000-memory.dmp
    Filesize

    64KB

    Download
  • memory/212-161-0x000000000A4A0000-0x000000000A5AA000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/212-162-0x000000000A3E0000-0x000000000A3F2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/212-163-0x0000000004EF0000-0x0000000004F00000-memory.dmp
    Filesize

    64KB

    Download
  • memory/212-164-0x000000000A440000-0x000000000A47C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/212-159-0x0000000000520000-0x0000000000550000-memory.dmp
    Filesize

    192KB

    Download
  • memory/212-166-0x000000000A870000-0x000000000A902000-memory.dmp
    Filesize

    584KB

    Download
  • memory/212-167-0x000000000A7D0000-0x000000000A836000-memory.dmp
    Filesize

    408KB

    Download
  • memory/212-168-0x000000000B970000-0x000000000BF14000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/212-169-0x000000000B460000-0x000000000B4B0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/212-170-0x000000000B690000-0x000000000B852000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/212-171-0x000000000C450000-0x000000000C97C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4236-154-0x00000000005A0000-0x00000000005AA000-memory.dmp
    Filesize

    40KB

    Download