Overview

overview

10

Static

static

3

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    05-06-2023 02:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4786f5ac286743e2767c3db84b6068ab27ea710c2e29849833558ab50175650f.exe

  • Size

    581KB

  • MD5

    84a4d35ddc48e0b0e1eb7f1023add60f

  • SHA1

    f866fadd065897722d9cdab05a5dd82f05d87201

  • SHA256

    4786f5ac286743e2767c3db84b6068ab27ea710c2e29849833558ab50175650f

  • SHA512

    3e0ae52fdd32d0a91a621f00fbca0809d7cc9d3e8a141c4457a7a35462450b8b466bd4f0282183deb5c3222ae3280f4358992fce727e6a22011dc2514ad18352

  • SSDEEP

    12288:oMrEy90vPdXvE5jd/n8uvOwLrOM3ins+uLwg1zPKYspdOwszE9XNWT7Y:8y2lXq/nzOy/3inmJ1zopPMY

Score
10/10
redlinemaxievasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4786f5ac286743e2767c3db84b6068ab27ea710c2e29849833558ab50175650f.exe
    "C:\Users\Admin\AppData\Local\Temp\4786f5ac286743e2767c3db84b6068ab27ea710c2e29849833558ab50175650f.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5694989.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5694989.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3220
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0462908.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0462908.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4268
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9499711.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9499711.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1452
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3684652.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3684652.exe
          4⤵
          • Executes dropped EXE
          PID:5056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5694989.exe
    Filesize

    378KB

    MD5

    ee0a27acc1d13f7d9f284a0afeb19fb3

    SHA1

    d810ffb976f78d6ba7c772944a71efb3a8cfe39d

    SHA256

    4cff9861a15a4415528ce281709458f28a812c5797ad20435c7f33a48bd3024f

    SHA512

    9ce8929e9321a645f7475c1f358f1a56eb1b577451a1106511fd8d5ee58368c379f906222ea5d17d75f40d16719dbe863abde13cd5cae57bbb06c849c271a1a1

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5694989.exe
    Filesize

    378KB

    MD5

    ee0a27acc1d13f7d9f284a0afeb19fb3

    SHA1

    d810ffb976f78d6ba7c772944a71efb3a8cfe39d

    SHA256

    4cff9861a15a4415528ce281709458f28a812c5797ad20435c7f33a48bd3024f

    SHA512

    9ce8929e9321a645f7475c1f358f1a56eb1b577451a1106511fd8d5ee58368c379f906222ea5d17d75f40d16719dbe863abde13cd5cae57bbb06c849c271a1a1

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0462908.exe
    Filesize

    206KB

    MD5

    4f606dfd137bf66fea4be7b64b3b8477

    SHA1

    52067e214a02d563f2b06be8e2a169d84748d285

    SHA256

    268d062cd3e6086c036f10e6e01f1848ad10134562e698800377e408d9aced52

    SHA512

    a7207140aa03763a77f205ca0bfdf6251f17bf65fe27f65dbe9b5c9c6208eb430c9dabd9b18af0a17bf4772136c0e4422de99a7acb0ce3689ae416c4e320f943

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0462908.exe
    Filesize

    206KB

    MD5

    4f606dfd137bf66fea4be7b64b3b8477

    SHA1

    52067e214a02d563f2b06be8e2a169d84748d285

    SHA256

    268d062cd3e6086c036f10e6e01f1848ad10134562e698800377e408d9aced52

    SHA512

    a7207140aa03763a77f205ca0bfdf6251f17bf65fe27f65dbe9b5c9c6208eb430c9dabd9b18af0a17bf4772136c0e4422de99a7acb0ce3689ae416c4e320f943

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9499711.exe
    Filesize

    11KB

    MD5

    e9ea8c049eef73ff288a4ff484fc2702

    SHA1

    7b27abb9f536dbb7ee362e7d3fd98f864dae15f6

    SHA256

    3be8e30b455caac1797657690f4d3e86fd8c9073889f7f9d556fbb36a09d4bf8

    SHA512

    1fa8326c3dd3020dde1b84ccb595498477c1b5951c87d4da5d00a82ff881d6fc63944bcecf18824f8c355b975892f8b53cca53ab95826a3b68aa84ef8f916bc4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9499711.exe
    Filesize

    11KB

    MD5

    e9ea8c049eef73ff288a4ff484fc2702

    SHA1

    7b27abb9f536dbb7ee362e7d3fd98f864dae15f6

    SHA256

    3be8e30b455caac1797657690f4d3e86fd8c9073889f7f9d556fbb36a09d4bf8

    SHA512

    1fa8326c3dd3020dde1b84ccb595498477c1b5951c87d4da5d00a82ff881d6fc63944bcecf18824f8c355b975892f8b53cca53ab95826a3b68aa84ef8f916bc4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3684652.exe
    Filesize

    172KB

    MD5

    9dea40038937e697e86a925df53a0eeb

    SHA1

    9916dbc31ecd6a0795c9731d60825ab05a24757b

    SHA256

    323349ed893690964be38923a06db6fb18ef27cacb4e27e4264d9b16f9899e7e

    SHA512

    9dd2341c74e2f150ecfbf694d4cd8daf1a8f573aa0f50314e04d82456b5560a70807285324fff4f08972446df921dd395de3ade6b6415c025597054bf2038b23

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3684652.exe
    Filesize

    172KB

    MD5

    9dea40038937e697e86a925df53a0eeb

    SHA1

    9916dbc31ecd6a0795c9731d60825ab05a24757b

    SHA256

    323349ed893690964be38923a06db6fb18ef27cacb4e27e4264d9b16f9899e7e

    SHA512

    9dd2341c74e2f150ecfbf694d4cd8daf1a8f573aa0f50314e04d82456b5560a70807285324fff4f08972446df921dd395de3ade6b6415c025597054bf2038b23

    Download Submit
  • memory/1452-142-0x00000000002C0000-0x00000000002CA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/5056-147-0x0000000000890000-0x00000000008C0000-memory.dmp
    Filesize

    192KB

    Download
  • memory/5056-148-0x0000000002BF0000-0x0000000002BF6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/5056-149-0x00000000057D0000-0x0000000005DD6000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/5056-150-0x00000000052D0000-0x00000000053DA000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/5056-151-0x00000000051C0000-0x00000000051D2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/5056-152-0x0000000005220000-0x000000000525E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/5056-153-0x0000000005260000-0x00000000052AB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/5056-154-0x0000000002C30000-0x0000000002C40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5056-155-0x0000000002C30000-0x0000000002C40000-memory.dmp
    Filesize

    64KB

    Download