Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-06-2023 20:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    669e03979829733877829c51cef18861992890a015e9954bff1bc854a3ff8d5d.exe

  • Size

    581KB

  • MD5

    8406a310d8bb9b5f2aeae92594ae4923

  • SHA1

    f972f23cff20475e308019221931ebb6f7b30f93

  • SHA256

    669e03979829733877829c51cef18861992890a015e9954bff1bc854a3ff8d5d

  • SHA512

    ff581fecb93cf790e7ecc6ce462799caea278b123d439ade6499c85d4d2b43122b1a657eac215eab9a49639b0981f8efa819c56af892032479a35d8b8ea64104

  • SSDEEP

    12288:tMrny90tuvjd2l2tCMRhV6ROaC/QHNmoyc4FnKGkWLCAdDnY:yyqOjdJtCMs4aC/kNmrFKHWWAdDnY

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\669e03979829733877829c51cef18861992890a015e9954bff1bc854a3ff8d5d.exe
    "C:\Users\Admin\AppData\Local\Temp\669e03979829733877829c51cef18861992890a015e9954bff1bc854a3ff8d5d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2772
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2910760.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2910760.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4360
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0543216.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0543216.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1480
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4526248.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4526248.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1428
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0031310.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0031310.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3700

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2910760.exe
    Filesize

    377KB

    MD5

    a93179be0b5c3d930ee2174a36daca27

    SHA1

    ea60dcd109d072e03377ff057e677757d2fba137

    SHA256

    91f01af5fb89053e2b039703679b9cf2643363f08d03e63d7b8e4cfa48583532

    SHA512

    91d3f9a10225b7ae258c2cadd4a4507040dc2b853b93dd0b6eaddd03a164e92c5594a6b5b6b0df40ae56cd063a86f58b75791264c9bf79056ece4fe56ecab4ae

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2910760.exe
    Filesize

    377KB

    MD5

    a93179be0b5c3d930ee2174a36daca27

    SHA1

    ea60dcd109d072e03377ff057e677757d2fba137

    SHA256

    91f01af5fb89053e2b039703679b9cf2643363f08d03e63d7b8e4cfa48583532

    SHA512

    91d3f9a10225b7ae258c2cadd4a4507040dc2b853b93dd0b6eaddd03a164e92c5594a6b5b6b0df40ae56cd063a86f58b75791264c9bf79056ece4fe56ecab4ae

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0543216.exe
    Filesize

    206KB

    MD5

    4fe80b6adc795ad211b218e5540d825b

    SHA1

    bc17d37bc8b277cf932c850018ed4ec8ff597639

    SHA256

    7653309bda46982e9251dad3e599abaa473e22c1e8bba44c872f3e758d723b3e

    SHA512

    fdb20369998ff178ddbdbebe1e708a29b68435674fe6f83429e5dfd324daf5ff30d70d1d72d0b4e528d2e0ce4b37e295637f007dc6f3746b3cc01c0608156c17

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0543216.exe
    Filesize

    206KB

    MD5

    4fe80b6adc795ad211b218e5540d825b

    SHA1

    bc17d37bc8b277cf932c850018ed4ec8ff597639

    SHA256

    7653309bda46982e9251dad3e599abaa473e22c1e8bba44c872f3e758d723b3e

    SHA512

    fdb20369998ff178ddbdbebe1e708a29b68435674fe6f83429e5dfd324daf5ff30d70d1d72d0b4e528d2e0ce4b37e295637f007dc6f3746b3cc01c0608156c17

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4526248.exe
    Filesize

    11KB

    MD5

    558abca574ce4da32f3a0f7c9d6380b4

    SHA1

    35d73a4bf2e5d5c023aef0ccc63e962519d88c9e

    SHA256

    3b59059bf1a4576877993bbcbdbe781abb3191188e40f97c1f84ce0066df95b2

    SHA512

    b133778c1f071073b7e34d3af4a2b801a40165d10f9d54a269858816fde33afd090563e62e17ce29e766eeb34dbf8da56ebf56245aa008803d639dced44bfa42

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4526248.exe
    Filesize

    11KB

    MD5

    558abca574ce4da32f3a0f7c9d6380b4

    SHA1

    35d73a4bf2e5d5c023aef0ccc63e962519d88c9e

    SHA256

    3b59059bf1a4576877993bbcbdbe781abb3191188e40f97c1f84ce0066df95b2

    SHA512

    b133778c1f071073b7e34d3af4a2b801a40165d10f9d54a269858816fde33afd090563e62e17ce29e766eeb34dbf8da56ebf56245aa008803d639dced44bfa42

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0031310.exe
    Filesize

    172KB

    MD5

    994e00b47e285e0fefd6a00147b8dabb

    SHA1

    fb0b39961a512165091992eeb4a206698365f628

    SHA256

    573e09151467b07b1c1651576c7a10f8122e2a2f1250c0eaf3f14a7025fa40cd

    SHA512

    56f043cadd8d2d88fed59db1d7b93be58a4e18dba2523f4a9a158e7caaecd48f3341215c5850dad2e8c506320e21c6a75b12ba9b07adff0658a274abd95e6633

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0031310.exe
    Filesize

    172KB

    MD5

    994e00b47e285e0fefd6a00147b8dabb

    SHA1

    fb0b39961a512165091992eeb4a206698365f628

    SHA256

    573e09151467b07b1c1651576c7a10f8122e2a2f1250c0eaf3f14a7025fa40cd

    SHA512

    56f043cadd8d2d88fed59db1d7b93be58a4e18dba2523f4a9a158e7caaecd48f3341215c5850dad2e8c506320e21c6a75b12ba9b07adff0658a274abd95e6633

    Download Submit

  • memory/1428-154-0x0000000000D50000-0x0000000000D5A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3700-160-0x000000000B1E0000-0x000000000B7F8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3700-166-0x000000000B030000-0x000000000B0C2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3700-161-0x000000000ACD0000-0x000000000ADDA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3700-162-0x0000000005810000-0x0000000005822000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3700-163-0x000000000AC00000-0x000000000AC3C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3700-164-0x0000000005830000-0x0000000005840000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3700-165-0x000000000AF10000-0x000000000AF86000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3700-159-0x0000000000E20000-0x0000000000E50000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3700-167-0x000000000BDB0000-0x000000000C354000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3700-168-0x000000000B800000-0x000000000B866000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3700-169-0x000000000C530000-0x000000000C6F2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3700-170-0x000000000CC30000-0x000000000D15C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/3700-171-0x000000000C3E0000-0x000000000C430000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3700-172-0x0000000005830000-0x0000000005840000-memory.dmp

    Filesize

    64KB

    Download