Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-06-2023 01:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b0e2b0ea17c15735322434a431534acb899b9b076c4579c5be3dbdf5c69ac579.exe

  • Size

    580KB

  • MD5

    4795feacbabbe87c214e2f02335cbb03

  • SHA1

    4be6946e768a038d68338c7e18424f8ee5e1ad2b

  • SHA256

    b0e2b0ea17c15735322434a431534acb899b9b076c4579c5be3dbdf5c69ac579

  • SHA512

    104963df00dc6e7b556e5c99b8ab4bfcf07790a80e48552860be3825037f448e6b3095ad9ff22e010d13f46b6ad5d0263a8bad5e87bb8e2c2fdf4b66e22db282

  • SSDEEP

    12288:ZMrdy90Ok97Uc9SL3wdD3nmeXZo7mX17zwMOa6by:AyO97U3LgD3nmCoa17LOnby

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b0e2b0ea17c15735322434a431534acb899b9b076c4579c5be3dbdf5c69ac579.exe
    "C:\Users\Admin\AppData\Local\Temp\b0e2b0ea17c15735322434a431534acb899b9b076c4579c5be3dbdf5c69ac579.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2132
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0460788.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0460788.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4176
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8994050.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8994050.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4444
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2787651.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2787651.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1428
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5177993.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5177993.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0460788.exe
    Filesize

    377KB

    MD5

    4bd3b1e67503609a81b141065a3f6a59

    SHA1

    23d1d08253f3cd32187cd8279d8774252d1d6ccd

    SHA256

    ce15132554b58d6e35f5b93fea4fb6df5b7c6cb1ce3d943051f3a5b9a9c74468

    SHA512

    05a45ba07fcbae81b427649ffaaa4afbac7dc800f2d209f8035b01c4e6c442818c624138a39aef0fc85f06ef335572e348c8141302ed16bcbf1598cd39d6a7df

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0460788.exe
    Filesize

    377KB

    MD5

    4bd3b1e67503609a81b141065a3f6a59

    SHA1

    23d1d08253f3cd32187cd8279d8774252d1d6ccd

    SHA256

    ce15132554b58d6e35f5b93fea4fb6df5b7c6cb1ce3d943051f3a5b9a9c74468

    SHA512

    05a45ba07fcbae81b427649ffaaa4afbac7dc800f2d209f8035b01c4e6c442818c624138a39aef0fc85f06ef335572e348c8141302ed16bcbf1598cd39d6a7df

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8994050.exe
    Filesize

    206KB

    MD5

    c4629c19a83d43016818775b834fa3d5

    SHA1

    a4cd468b3ac5663afcd0c124ada94d3a1fb002dd

    SHA256

    beb9a15e0ab1d86cbc7a98158176f65dab39e177f7f01e96d81959efda62d27f

    SHA512

    72729d5aff03d9c2fabd1cedc896a10e132c27f3304ef64114d81e73930bad50fecc63094bdd4c384b8c809c562060d81da58f2f5729d13fc16a8e6c079d370b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8994050.exe
    Filesize

    206KB

    MD5

    c4629c19a83d43016818775b834fa3d5

    SHA1

    a4cd468b3ac5663afcd0c124ada94d3a1fb002dd

    SHA256

    beb9a15e0ab1d86cbc7a98158176f65dab39e177f7f01e96d81959efda62d27f

    SHA512

    72729d5aff03d9c2fabd1cedc896a10e132c27f3304ef64114d81e73930bad50fecc63094bdd4c384b8c809c562060d81da58f2f5729d13fc16a8e6c079d370b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2787651.exe
    Filesize

    11KB

    MD5

    a9a9b032259d39964aefe070a190c7dd

    SHA1

    f33fe4fa32548e45a442266288de7426f35d109b

    SHA256

    05774bd7f40ef00f3143fd3b036894cfb4c549db08436bdbd466082882249458

    SHA512

    20cae14b1eff0c15f78189bdd0d71410edfc707a706e8da68e9476a4a62e0810eae50b74532ba4e1f31bc35e9ad6f58095c1f06680bcc075c364369f88d0b27a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2787651.exe
    Filesize

    11KB

    MD5

    a9a9b032259d39964aefe070a190c7dd

    SHA1

    f33fe4fa32548e45a442266288de7426f35d109b

    SHA256

    05774bd7f40ef00f3143fd3b036894cfb4c549db08436bdbd466082882249458

    SHA512

    20cae14b1eff0c15f78189bdd0d71410edfc707a706e8da68e9476a4a62e0810eae50b74532ba4e1f31bc35e9ad6f58095c1f06680bcc075c364369f88d0b27a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5177993.exe
    Filesize

    172KB

    MD5

    c64a23bf0e989da1fb886927399b0543

    SHA1

    5df3179c80471d444ae76f4d268a6ae73e5b98ec

    SHA256

    d918b90ad545a0074e696bdc57c1b7888c9e57796f42baabbf76d92cb7f7142b

    SHA512

    f9d00797b1cc215bd01cdc6596a865e915830c112c52c25868b41f16d7a1faa3b1825541ede965f7d15c28fba037978cbdeeb18834f980fdbf40ef5c6c317f49

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5177993.exe
    Filesize

    172KB

    MD5

    c64a23bf0e989da1fb886927399b0543

    SHA1

    5df3179c80471d444ae76f4d268a6ae73e5b98ec

    SHA256

    d918b90ad545a0074e696bdc57c1b7888c9e57796f42baabbf76d92cb7f7142b

    SHA512

    f9d00797b1cc215bd01cdc6596a865e915830c112c52c25868b41f16d7a1faa3b1825541ede965f7d15c28fba037978cbdeeb18834f980fdbf40ef5c6c317f49

    Download Submit
  • memory/1428-154-0x0000000000ED0000-0x0000000000EDA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1628-160-0x000000000A710000-0x000000000AD28000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/1628-166-0x000000000A660000-0x000000000A6F2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/1628-161-0x000000000A290000-0x000000000A39A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/1628-162-0x000000000A1D0000-0x000000000A1E2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1628-163-0x0000000004C50000-0x0000000004C60000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1628-164-0x000000000A230000-0x000000000A26C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1628-165-0x000000000A540000-0x000000000A5B6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/1628-159-0x0000000000310000-0x0000000000340000-memory.dmp
    Filesize

    192KB

    Download
  • memory/1628-167-0x000000000B2E0000-0x000000000B884000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/1628-168-0x000000000AD30000-0x000000000AD96000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1628-169-0x000000000B290000-0x000000000B2E0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/1628-170-0x0000000004C50000-0x0000000004C60000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1628-171-0x000000000BB60000-0x000000000BD22000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1628-172-0x000000000C260000-0x000000000C78C000-memory.dmp
    Filesize

    5.2MB

    Download