Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-06-2023 17:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    226202b4ba98b15724602ef42dfb1e6e0e8f34379b84cd9cca0fb5c51b818d82.exe

  • Size

    628KB

  • MD5

    6155d26477fc0a4edd8605f1dd81f940

  • SHA1

    2806c9c3b58d96c4d8820873ac2c35fd2b91ba13

  • SHA256

    226202b4ba98b15724602ef42dfb1e6e0e8f34379b84cd9cca0fb5c51b818d82

  • SHA512

    080d56c033e37fa96ad4823b0ecb63a4ccface46eac12d537eac543404ed6ff9efdb4c51c97435f47e6f0db4baa404cdf63f2a559f1fdd2ffb5685011bbcea08

  • SSDEEP

    12288:cMrTy90uJ2COxSOjMgxMfhADn9x6xD7HnCrOybe+52YCf:XyLjESOIgxshMn67HCrfK+5K

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\226202b4ba98b15724602ef42dfb1e6e0e8f34379b84cd9cca0fb5c51b818d82.exe
    "C:\Users\Admin\AppData\Local\Temp\226202b4ba98b15724602ef42dfb1e6e0e8f34379b84cd9cca0fb5c51b818d82.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3196
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2095179.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2095179.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4420
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0378991.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0378991.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3480
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6722558.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6722558.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:3572
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3036
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7260344.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7260344.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Disabling Security Tools

1
T1089

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2095179.exe
    Filesize

    426KB

    MD5

    7d4bce4d50705a9310a0c3583199d585

    SHA1

    4e58dddf5efa71f8e88e04ca301b0845d25072c1

    SHA256

    fc7af0bd1eb525b7f97f738a96d5ab5706eea947a525031dbc12e606784f1dad

    SHA512

    b69b1c57c7065e381cc7a30d911e45754b2152073d79244c92100daeee162dc4670c1d8b5781cb2a8ab5ad53aed037f1c2d566e990953b39586fa3a23e9fd8ce

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2095179.exe
    Filesize

    426KB

    MD5

    7d4bce4d50705a9310a0c3583199d585

    SHA1

    4e58dddf5efa71f8e88e04ca301b0845d25072c1

    SHA256

    fc7af0bd1eb525b7f97f738a96d5ab5706eea947a525031dbc12e606784f1dad

    SHA512

    b69b1c57c7065e381cc7a30d911e45754b2152073d79244c92100daeee162dc4670c1d8b5781cb2a8ab5ad53aed037f1c2d566e990953b39586fa3a23e9fd8ce

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0378991.exe
    Filesize

    254KB

    MD5

    2b6a91155b7650765bfe8c3eb3572148

    SHA1

    70abee7ca92486825358af85c5187dbd1f4760ff

    SHA256

    e190bb1411678b3b9d47f9ff28c7fff9db614dd1eda682212d2abbed85e8cad0

    SHA512

    0a11b59cf384f5016bffcc28d3ea121dfdd3732c43275549d165e17ace8206f7f5d9f39f8287c54341b73dcb5cd3570164852900f9f7d0982b7682e2eae5c745

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0378991.exe
    Filesize

    254KB

    MD5

    2b6a91155b7650765bfe8c3eb3572148

    SHA1

    70abee7ca92486825358af85c5187dbd1f4760ff

    SHA256

    e190bb1411678b3b9d47f9ff28c7fff9db614dd1eda682212d2abbed85e8cad0

    SHA512

    0a11b59cf384f5016bffcc28d3ea121dfdd3732c43275549d165e17ace8206f7f5d9f39f8287c54341b73dcb5cd3570164852900f9f7d0982b7682e2eae5c745

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6722558.exe
    Filesize

    108KB

    MD5

    951569941865f4fb044d87c04ee37846

    SHA1

    17d929227d8870c94c759c8bb55f2a62ee834c45

    SHA256

    9115b251dfb1e9f9f123330133a55f63982b811eb10aa8d1ee0d05d62849ce5c

    SHA512

    e5cfa60faf460419794afd56f50689c0a054048f1803130605d444f3ab198e9ed01298bd34cdcdcd981cac207135c58c12908a87326ed17ab1ef59afd8e7d52c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6722558.exe
    Filesize

    108KB

    MD5

    951569941865f4fb044d87c04ee37846

    SHA1

    17d929227d8870c94c759c8bb55f2a62ee834c45

    SHA256

    9115b251dfb1e9f9f123330133a55f63982b811eb10aa8d1ee0d05d62849ce5c

    SHA512

    e5cfa60faf460419794afd56f50689c0a054048f1803130605d444f3ab198e9ed01298bd34cdcdcd981cac207135c58c12908a87326ed17ab1ef59afd8e7d52c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7260344.exe
    Filesize

    172KB

    MD5

    c826c4cbc117d6d78f0a8dcc51f139b0

    SHA1

    5b84e90e51696a6e898b39f99e6490279761736b

    SHA256

    be165ad36a8574e86b082908486aef293d1066af371970894ecdf58e436cb9df

    SHA512

    369b7280965e6bb5c9acd84329028b4e50c106299b83193f5dae31a3559106e595c8706837909fc5093d9bdcbf0f2939e6daf92d52ae5688e62535f73b7a7e75

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7260344.exe
    Filesize

    172KB

    MD5

    c826c4cbc117d6d78f0a8dcc51f139b0

    SHA1

    5b84e90e51696a6e898b39f99e6490279761736b

    SHA256

    be165ad36a8574e86b082908486aef293d1066af371970894ecdf58e436cb9df

    SHA512

    369b7280965e6bb5c9acd84329028b4e50c106299b83193f5dae31a3559106e595c8706837909fc5093d9bdcbf0f2939e6daf92d52ae5688e62535f73b7a7e75

    Download Submit
  • memory/2260-163-0x000000000A680000-0x000000000AC98000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/2260-168-0x000000000A5B0000-0x000000000A626000-memory.dmp
    Filesize

    472KB

    Download
  • memory/2260-176-0x000000000B3E0000-0x000000000B430000-memory.dmp
    Filesize

    320KB

    Download
  • memory/2260-164-0x000000000A200000-0x000000000A30A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/2260-165-0x000000000A140000-0x000000000A152000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2260-166-0x0000000004CB0000-0x0000000004CC0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2260-167-0x000000000A1A0000-0x000000000A1DC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/2260-162-0x0000000000280000-0x00000000002B0000-memory.dmp
    Filesize

    192KB

    Download
  • memory/2260-169-0x000000000AD40000-0x000000000ADD2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2260-170-0x000000000ACA0000-0x000000000AD06000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2260-171-0x000000000B690000-0x000000000BC34000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/2260-172-0x000000000B4B0000-0x000000000B672000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2260-173-0x000000000C170000-0x000000000C69C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/2260-175-0x0000000004CB0000-0x0000000004CC0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3036-154-0x0000000000620000-0x000000000062A000-memory.dmp
    Filesize

    40KB

    Download