Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/06/2023, 22:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    23e5050f56c59eec354be12f922a4a134b59830c8e827b9bcd840d52489d0588.exe

  • Size

    584KB

  • MD5

    a9d43d9f4c543471ec296a17d84fc4aa

  • SHA1

    ab4cea1abb84124539a4e8b5a9ec319940921e47

  • SHA256

    23e5050f56c59eec354be12f922a4a134b59830c8e827b9bcd840d52489d0588

  • SHA512

    434f1e3eca649d967294e16a37e62c35ecfe4452380e766506a69ac7951d117fdf66472ecd646e066d3cb7f76460d1855ecc17de42ec4104fb85b48d10bd03fb

  • SSDEEP

    12288:eMrPy90l8rHiOLBelXY6IzRv0YRJJb+KaVp0l5orZuTb46hJqPRe4ukXis:9yiaiWBFhlhbepc5orUc62ZZXis

Score
10/10
redlinedizadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes
  • auth_value

    0d09b419c8bc967f91c68be4a17e92ee

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\23e5050f56c59eec354be12f922a4a134b59830c8e827b9bcd840d52489d0588.exe
    "C:\Users\Admin\AppData\Local\Temp\23e5050f56c59eec354be12f922a4a134b59830c8e827b9bcd840d52489d0588.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4616
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6683649.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6683649.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1400
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8421474.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8421474.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2156
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4762878.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4762878.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2080
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l5999444.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l5999444.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1572

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6683649.exe
    Filesize

    377KB

    MD5

    e793d85a8b074be72184c7b06183ca57

    SHA1

    893285e9c11b1f3c4d440c6854761e56e5611c8a

    SHA256

    5b291258c4fb1edb746fb6a33d0c2c384fbb4da8429a12a128cc1485aeeb9a4a

    SHA512

    624e48cc4c471b7a76ceecc02480a775cde278148c77c90d0cf34eb9c2acec884ad8820467c57df67b286e11702fe197f94c26b7990e3dd033bdb869539725e3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6683649.exe
    Filesize

    377KB

    MD5

    e793d85a8b074be72184c7b06183ca57

    SHA1

    893285e9c11b1f3c4d440c6854761e56e5611c8a

    SHA256

    5b291258c4fb1edb746fb6a33d0c2c384fbb4da8429a12a128cc1485aeeb9a4a

    SHA512

    624e48cc4c471b7a76ceecc02480a775cde278148c77c90d0cf34eb9c2acec884ad8820467c57df67b286e11702fe197f94c26b7990e3dd033bdb869539725e3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8421474.exe
    Filesize

    206KB

    MD5

    d48aba1722d4fab5668238beb75af222

    SHA1

    afe116b801f0223284c41eafdf1eaf35da2cf74a

    SHA256

    4e1316148da873df23ecaf66e2d49db95fce12697fa6b502a71fd9d9a0f9206d

    SHA512

    4c548d1e4abe926d76b6f11ec990b05f813226927251df3fb4e531209119abec8daee6020a2b9d663928b4f751b2e8246605b8adcf860d7963bd47187836dfdb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8421474.exe
    Filesize

    206KB

    MD5

    d48aba1722d4fab5668238beb75af222

    SHA1

    afe116b801f0223284c41eafdf1eaf35da2cf74a

    SHA256

    4e1316148da873df23ecaf66e2d49db95fce12697fa6b502a71fd9d9a0f9206d

    SHA512

    4c548d1e4abe926d76b6f11ec990b05f813226927251df3fb4e531209119abec8daee6020a2b9d663928b4f751b2e8246605b8adcf860d7963bd47187836dfdb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4762878.exe
    Filesize

    12KB

    MD5

    e6612c3bbfce6b8c0d47ea85df2d7fb0

    SHA1

    de8103457e88248d1b8b3011c97a8bcaf07c653b

    SHA256

    f78ea2d92d6f62d82b05cbb4387f0f97b2fa67ffb927fa0393a8f52139e2f576

    SHA512

    6ac90335647a1ee29901d4a2b292b38db6380a44ad06f3f12d01eaf5965c9d9c6c3deb8144430fd3516e770e1aef6bb31ab38e3e54b885c72cd0075047b1ae31

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4762878.exe
    Filesize

    12KB

    MD5

    e6612c3bbfce6b8c0d47ea85df2d7fb0

    SHA1

    de8103457e88248d1b8b3011c97a8bcaf07c653b

    SHA256

    f78ea2d92d6f62d82b05cbb4387f0f97b2fa67ffb927fa0393a8f52139e2f576

    SHA512

    6ac90335647a1ee29901d4a2b292b38db6380a44ad06f3f12d01eaf5965c9d9c6c3deb8144430fd3516e770e1aef6bb31ab38e3e54b885c72cd0075047b1ae31

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l5999444.exe
    Filesize

    172KB

    MD5

    0fb2e4c7d1b46d21301235766f1d64af

    SHA1

    53ddbeec1ed0f753c38211215f94568f2ce8ed04

    SHA256

    ae91c91343621ec62a069f288319e8474fa94c0b9e5b39628af4f070ba8fe170

    SHA512

    02437ff62f4a893cfd6d1b835570ea68b60ae3d0d8de1ec0f8534b4d56f89cc61b09ccfa8b3fa4de998666fbd69691c7f87a264be1cc11982e762d9b96cfadea

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l5999444.exe
    Filesize

    172KB

    MD5

    0fb2e4c7d1b46d21301235766f1d64af

    SHA1

    53ddbeec1ed0f753c38211215f94568f2ce8ed04

    SHA256

    ae91c91343621ec62a069f288319e8474fa94c0b9e5b39628af4f070ba8fe170

    SHA512

    02437ff62f4a893cfd6d1b835570ea68b60ae3d0d8de1ec0f8534b4d56f89cc61b09ccfa8b3fa4de998666fbd69691c7f87a264be1cc11982e762d9b96cfadea

    Download Submit

  • memory/1572-160-0x000000000B170000-0x000000000B788000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1572-165-0x000000000AEB0000-0x000000000AF26000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1572-172-0x00000000057C0000-0x00000000057D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1572-161-0x000000000AC60000-0x000000000AD6A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1572-162-0x000000000AB50000-0x000000000AB62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1572-163-0x000000000ABB0000-0x000000000ABEC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1572-164-0x00000000057C0000-0x00000000057D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1572-159-0x0000000000C80000-0x0000000000CB0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1572-166-0x000000000AFD0000-0x000000000B062000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1572-167-0x000000000AF30000-0x000000000AF96000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1572-168-0x000000000C080000-0x000000000C624000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1572-169-0x000000000BBC0000-0x000000000BC10000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1572-170-0x000000000C630000-0x000000000C7F2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1572-171-0x000000000CD30000-0x000000000D25C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2080-154-0x0000000000300000-0x000000000030A000-memory.dmp

    Filesize

    40KB

    Download