Overview

overview

10

Static

static

3

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    05-06-2023 00:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6974eb31b59e7d0b610badaee10a75d875f65264bb5383ecf11ba2a81b294702.exe

  • Size

    581KB

  • MD5

    72f91ee85080737bf8003258a3bd461e

  • SHA1

    b4d9c35d7ece04adc9350f816e8b548caf30d1a4

  • SHA256

    6974eb31b59e7d0b610badaee10a75d875f65264bb5383ecf11ba2a81b294702

  • SHA512

    b010ab2621501cbf29af7ea34431382c3038a5c57375c894d50dde1f27f3e101c0068501602d44f0a5b94b8cae7a239c49a040caae71df9458b05772238dd873

  • SSDEEP

    12288:bMr+y90d6ZOyC/YgRuwQbDrwMdxgxQ/XkA7Ly1LoCOPL:tyw6uhgws3gx43Ony

Score
10/10
redlinedizadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19046

Attributes
  • auth_value

    0d09b419c8bc967f91c68be4a17e92ee

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6974eb31b59e7d0b610badaee10a75d875f65264bb5383ecf11ba2a81b294702.exe
    "C:\Users\Admin\AppData\Local\Temp\6974eb31b59e7d0b610badaee10a75d875f65264bb5383ecf11ba2a81b294702.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3228
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9936465.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9936465.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4288
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5963345.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5963345.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4052
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5059738.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5059738.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4296
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8217781.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8217781.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4324

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9936465.exe
    Filesize

    377KB

    MD5

    a63e0e8f2606441d6dbc108d1b21a40f

    SHA1

    8f634f535718bad7b9ba5f69302e6fa8e8db53fd

    SHA256

    153bb3fe89283cff40f746981716feb9cbf21de7a70d5edfb6b8542eac849ae0

    SHA512

    6a00b5617bfc8834814aade565e7b4e2222912966976a33c935c415e154d510bc7d26622aaf6a216e445759500da4c56621c94d880384b7a9b684dd0dbc52361

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9936465.exe
    Filesize

    377KB

    MD5

    a63e0e8f2606441d6dbc108d1b21a40f

    SHA1

    8f634f535718bad7b9ba5f69302e6fa8e8db53fd

    SHA256

    153bb3fe89283cff40f746981716feb9cbf21de7a70d5edfb6b8542eac849ae0

    SHA512

    6a00b5617bfc8834814aade565e7b4e2222912966976a33c935c415e154d510bc7d26622aaf6a216e445759500da4c56621c94d880384b7a9b684dd0dbc52361

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5963345.exe
    Filesize

    206KB

    MD5

    77bc8c891114ec45155759a3be33c2de

    SHA1

    a0adf41c01d1276f04c59446732543198404688c

    SHA256

    3617cb64a0fe80ee0780469c38bf1fb9eac26a73d5d5900126eac349a713184d

    SHA512

    2256a71aea626f74b8162b18859a75a9630ed445040f405082d53034b85b2579ae0fcada5e2f3f1119b4a106140da77d43676c6fe4b71971c06578bf61e52178

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5963345.exe
    Filesize

    206KB

    MD5

    77bc8c891114ec45155759a3be33c2de

    SHA1

    a0adf41c01d1276f04c59446732543198404688c

    SHA256

    3617cb64a0fe80ee0780469c38bf1fb9eac26a73d5d5900126eac349a713184d

    SHA512

    2256a71aea626f74b8162b18859a75a9630ed445040f405082d53034b85b2579ae0fcada5e2f3f1119b4a106140da77d43676c6fe4b71971c06578bf61e52178

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5059738.exe
    Filesize

    11KB

    MD5

    f6c748db35c29339034a1672a6c02f79

    SHA1

    0c6423377f89c8e6d37aa3a6fbdbde986d161b72

    SHA256

    fec4ec9b89ae6ad25ad5dfc58c6455ffdeb8b1b436eb160cbee971500a2a1dd4

    SHA512

    99c98b2df9128892612c8fc33389e88e54e40b840a09c1eba0aae5c87ce84beb9d64f8bb8cd6b920d8c94b09a54a9fd40d5f7691cac7d1ac0f93c8b9370ff2f6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5059738.exe
    Filesize

    11KB

    MD5

    f6c748db35c29339034a1672a6c02f79

    SHA1

    0c6423377f89c8e6d37aa3a6fbdbde986d161b72

    SHA256

    fec4ec9b89ae6ad25ad5dfc58c6455ffdeb8b1b436eb160cbee971500a2a1dd4

    SHA512

    99c98b2df9128892612c8fc33389e88e54e40b840a09c1eba0aae5c87ce84beb9d64f8bb8cd6b920d8c94b09a54a9fd40d5f7691cac7d1ac0f93c8b9370ff2f6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8217781.exe
    Filesize

    172KB

    MD5

    86e018ab1cc01bc62893aac0e1726c17

    SHA1

    e51a046217b430c713078999e4a3438ed52ef6df

    SHA256

    977dc385c20e455225181a1b60782530f3ff80a480b7cc5709ba55131a6fb870

    SHA512

    de3c0992dc67ce730d9fd5e5f2cf3a8eac8120112a20250c30fda41d679d7ea1c2002bc6514a2f88e9b23d734caec8751c378dbe9ba7699cb413db73885b4597

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l8217781.exe
    Filesize

    172KB

    MD5

    86e018ab1cc01bc62893aac0e1726c17

    SHA1

    e51a046217b430c713078999e4a3438ed52ef6df

    SHA256

    977dc385c20e455225181a1b60782530f3ff80a480b7cc5709ba55131a6fb870

    SHA512

    de3c0992dc67ce730d9fd5e5f2cf3a8eac8120112a20250c30fda41d679d7ea1c2002bc6514a2f88e9b23d734caec8751c378dbe9ba7699cb413db73885b4597

    Download Submit

  • memory/4296-138-0x0000000000F40000-0x0000000000F4A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4324-146-0x00000000056C0000-0x00000000057CA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4324-150-0x00000000057D0000-0x000000000581B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4324-145-0x0000000005BC0000-0x00000000061C6000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4324-143-0x0000000000BB0000-0x0000000000BE0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4324-147-0x00000000055F0000-0x0000000005602000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4324-148-0x0000000005650000-0x000000000568E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4324-149-0x00000000055A0000-0x00000000055B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4324-144-0x0000000007930000-0x0000000007936000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4324-151-0x0000000005970000-0x00000000059E6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4324-152-0x0000000005A90000-0x0000000005B22000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4324-153-0x0000000006BE0000-0x00000000070DE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4324-154-0x0000000005B30000-0x0000000005B96000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4324-155-0x00000000067E0000-0x0000000006830000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4324-156-0x00000000055A0000-0x00000000055B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4324-157-0x00000000070E0000-0x00000000072A2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4324-158-0x0000000008E70000-0x000000000939C000-memory.dmp

    Filesize

    5.2MB

    Download