Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/06/2023, 18:49

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    da8fcde10abb4d4a5fcf819e839811667795a72a48b07dad24d68f92eca2991e.exe

  • Size

    580KB

  • MD5

    ab03e1d4641686bc329fc2b44f0ab8e5

  • SHA1

    903269a8b77eb0367973d744259578195b23adcf

  • SHA256

    da8fcde10abb4d4a5fcf819e839811667795a72a48b07dad24d68f92eca2991e

  • SHA512

    4aab7a5f54c4a06954a01a332c0c052fb421d51162c45b717778f1742e736bee1e885d1834d2bde114c413d1fcef7ab3c9479d2de5f0ae60590a4927d81cf91d

  • SSDEEP

    12288:+MrGy90nz+X1l5wSqnmqKtZbnVB4zf04QpckU0yRIYY:8y6aX1XkGtJnVBKfkcoyur

Score
10/10
redlinedizadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19046

Attributes
  • auth_value

    0d09b419c8bc967f91c68be4a17e92ee

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\da8fcde10abb4d4a5fcf819e839811667795a72a48b07dad24d68f92eca2991e.exe
    "C:\Users\Admin\AppData\Local\Temp\da8fcde10abb4d4a5fcf819e839811667795a72a48b07dad24d68f92eca2991e.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1468
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4819533.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4819533.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1576
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1880180.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1880180.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1432
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3853368.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3853368.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4828
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2012548.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2012548.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2532

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4819533.exe
          Filesize

          377KB

          MD5

          93e6132750ec1ebd77c635d3a313fe84

          SHA1

          0f52679aad96289af19efb1fd6c2fba741ef4a93

          SHA256

          81ff2e606c8070f5cb65658222519a27fed1b93fc6e85b0c3f8f95db61adce87

          SHA512

          103aa9cee9238bf33fcc7c91fb51554c6cd853cf85e7dedb331a7a4692366b02d9527cc7ab35f25e255370f5fd077f3377f125b5c284bed2dfca23eb5d8587d9

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4819533.exe
          Filesize

          377KB

          MD5

          93e6132750ec1ebd77c635d3a313fe84

          SHA1

          0f52679aad96289af19efb1fd6c2fba741ef4a93

          SHA256

          81ff2e606c8070f5cb65658222519a27fed1b93fc6e85b0c3f8f95db61adce87

          SHA512

          103aa9cee9238bf33fcc7c91fb51554c6cd853cf85e7dedb331a7a4692366b02d9527cc7ab35f25e255370f5fd077f3377f125b5c284bed2dfca23eb5d8587d9

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1880180.exe
          Filesize

          206KB

          MD5

          dc8ac00e69fd60934f8dae584d5d8274

          SHA1

          380ba5ce09e01aeea01f4cd36dd92adb5135c3a9

          SHA256

          e293088998801ce6690124adff1156c55618350bdf033698bd08bd972113003d

          SHA512

          e02d98d33617339db4c6466017a554a908eda23264ccd480b795e250eeb122c2aaa733f91f32f25a0782c51b3e0c884f310bc12d32fd1ca53268975692abf863

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1880180.exe
          Filesize

          206KB

          MD5

          dc8ac00e69fd60934f8dae584d5d8274

          SHA1

          380ba5ce09e01aeea01f4cd36dd92adb5135c3a9

          SHA256

          e293088998801ce6690124adff1156c55618350bdf033698bd08bd972113003d

          SHA512

          e02d98d33617339db4c6466017a554a908eda23264ccd480b795e250eeb122c2aaa733f91f32f25a0782c51b3e0c884f310bc12d32fd1ca53268975692abf863

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3853368.exe
          Filesize

          11KB

          MD5

          015db5a7c065f354e78440f12985421a

          SHA1

          93d5f3e2217c27d2e3692429ed0cee04ccfb7a26

          SHA256

          044fc7993210b7d55ca3f7a13f7d489ee92c0b152e22ea441469a686f0f75024

          SHA512

          f89462aff2d677246ff6f54e585c745817401fc83f1d69a04cf5706d243d31759808cb55d8e0adcff39e2bd46909ed80682e535b38db503c8c563cd2bf628074

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3853368.exe
          Filesize

          11KB

          MD5

          015db5a7c065f354e78440f12985421a

          SHA1

          93d5f3e2217c27d2e3692429ed0cee04ccfb7a26

          SHA256

          044fc7993210b7d55ca3f7a13f7d489ee92c0b152e22ea441469a686f0f75024

          SHA512

          f89462aff2d677246ff6f54e585c745817401fc83f1d69a04cf5706d243d31759808cb55d8e0adcff39e2bd46909ed80682e535b38db503c8c563cd2bf628074

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2012548.exe
          Filesize

          172KB

          MD5

          f09e0bac7aaa041ed01fab10fa9a7ec7

          SHA1

          e528157a96ff1810c0cd291063abfc0d13fe594f

          SHA256

          8181fd04a21791bc59a1d0108c4270c47240d05ade93bc5a1d513d690ee11a73

          SHA512

          d09b3d9a45284a66f3a8777a8f879d13f913cf80b540fc31b63e82db36adfad24ba0ddb77bf50aec2db7b17e45322bf7e0b5e57da04b2f1e02fce7540ba586b8

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2012548.exe
          Filesize

          172KB

          MD5

          f09e0bac7aaa041ed01fab10fa9a7ec7

          SHA1

          e528157a96ff1810c0cd291063abfc0d13fe594f

          SHA256

          8181fd04a21791bc59a1d0108c4270c47240d05ade93bc5a1d513d690ee11a73

          SHA512

          d09b3d9a45284a66f3a8777a8f879d13f913cf80b540fc31b63e82db36adfad24ba0ddb77bf50aec2db7b17e45322bf7e0b5e57da04b2f1e02fce7540ba586b8

          Download Submit

        • memory/2532-160-0x000000000B030000-0x000000000B648000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/2532-165-0x000000000AE00000-0x000000000AE76000-memory.dmp

          Filesize

          472KB

          Download

        • memory/2532-172-0x0000000005580000-0x0000000005590000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2532-161-0x000000000AB50000-0x000000000AC5A000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/2532-162-0x000000000AA90000-0x000000000AAA2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2532-163-0x000000000AAF0000-0x000000000AB2C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/2532-164-0x0000000005580000-0x0000000005590000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2532-159-0x0000000000D10000-0x0000000000D40000-memory.dmp

          Filesize

          192KB

          Download

        • memory/2532-166-0x000000000AF20000-0x000000000AFB2000-memory.dmp

          Filesize

          584KB

          Download

        • memory/2532-167-0x000000000AE80000-0x000000000AEE6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2532-168-0x000000000C000000-0x000000000C5A4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/2532-169-0x000000000BE10000-0x000000000BFD2000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/2532-170-0x000000000CAE0000-0x000000000D00C000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/2532-171-0x000000000BD40000-0x000000000BD90000-memory.dmp

          Filesize

          320KB

          Download

        • memory/4828-154-0x0000000000070000-0x000000000007A000-memory.dmp

          Filesize

          40KB

          Download