Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-06-2023 03:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f0fee5483ca4d1aed550c4ef24e3cb6b5a3154432f49eb7afc2ced15271a2f80.exe

  • Size

    580KB

  • MD5

    71be2fdd0bf1806a5e1f62ca79cb9af7

  • SHA1

    3d4366d35d36d02d41a9b661f9fb9d2a70668328

  • SHA256

    f0fee5483ca4d1aed550c4ef24e3cb6b5a3154432f49eb7afc2ced15271a2f80

  • SHA512

    9e68402183016f200a3b3e9fbd0a9f8285b228f6c968a5bcb78111b02cb4d8ff9af762a499d3b46797236d480f2d715fe9545b0f2a6f58733bb704b1897fca84

  • SSDEEP

    12288:/MrDy90dfv7RfXp+f7idwquN6Vy/8s2PIV4UiYk+T:EyYfv7qidw76Vy/8sqIV4Gk0

Score
10/10
redlinemaxievasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f0fee5483ca4d1aed550c4ef24e3cb6b5a3154432f49eb7afc2ced15271a2f80.exe
    "C:\Users\Admin\AppData\Local\Temp\f0fee5483ca4d1aed550c4ef24e3cb6b5a3154432f49eb7afc2ced15271a2f80.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4896
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0978782.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0978782.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4892
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8478812.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8478812.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:5108
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7812375.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7812375.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4432
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9650140.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9650140.exe
          4⤵
          • Executes dropped EXE
          PID:2392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0978782.exe
    Filesize

    378KB

    MD5

    5092433a8373818af00bd9788e1633f2

    SHA1

    bdd824a1607d6d3a4acea3483f6a86e311f05050

    SHA256

    b4df5062fbc1c508314f26831cb2d9c26bca82f0c2c457742612e8b84378d82b

    SHA512

    818cf3f355e1e87947337288b64db3dbc3d5edefcbf4cb8d21b43e032f9b83daadb62da47d755ef9cb4ff08b3442d409648f4bff90321fe21bf590b2c199b2a5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0978782.exe
    Filesize

    378KB

    MD5

    5092433a8373818af00bd9788e1633f2

    SHA1

    bdd824a1607d6d3a4acea3483f6a86e311f05050

    SHA256

    b4df5062fbc1c508314f26831cb2d9c26bca82f0c2c457742612e8b84378d82b

    SHA512

    818cf3f355e1e87947337288b64db3dbc3d5edefcbf4cb8d21b43e032f9b83daadb62da47d755ef9cb4ff08b3442d409648f4bff90321fe21bf590b2c199b2a5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8478812.exe
    Filesize

    206KB

    MD5

    3c62ae167baa459a861ab2e558ddfb9c

    SHA1

    de92a1c929788dee87fcf91369f9d61e3014e6a2

    SHA256

    111f298de439e7632b1d6c7e81e0cd9e5da3704b3e9f5715588de5e213bb7bb9

    SHA512

    c3498c8955cdde4d4e7061bb1e7744de965331c2ac7d0bc66001ccb52af79b326c77e88af9cb668c0b05225721ac21cf3e976e37752a4ab76b9323864cf5d7b0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8478812.exe
    Filesize

    206KB

    MD5

    3c62ae167baa459a861ab2e558ddfb9c

    SHA1

    de92a1c929788dee87fcf91369f9d61e3014e6a2

    SHA256

    111f298de439e7632b1d6c7e81e0cd9e5da3704b3e9f5715588de5e213bb7bb9

    SHA512

    c3498c8955cdde4d4e7061bb1e7744de965331c2ac7d0bc66001ccb52af79b326c77e88af9cb668c0b05225721ac21cf3e976e37752a4ab76b9323864cf5d7b0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7812375.exe
    Filesize

    11KB

    MD5

    358b10b8d6f2c9200d41831749fd9d5f

    SHA1

    ab05f699702079c0695e8fd841117cc4ab96bdd9

    SHA256

    674bf59171810555eada8aa33cfe73c62906ff184dbefd6ddec51a12c27e4be9

    SHA512

    e62f405e92be9dfc98cf0ac0e78cddc254aa186d3aa2d88ceb8f76f93cf71796e8a9ff8469a68206646c82b485a2cd68c42e35593742fadc6fa3c82d3a17299e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7812375.exe
    Filesize

    11KB

    MD5

    358b10b8d6f2c9200d41831749fd9d5f

    SHA1

    ab05f699702079c0695e8fd841117cc4ab96bdd9

    SHA256

    674bf59171810555eada8aa33cfe73c62906ff184dbefd6ddec51a12c27e4be9

    SHA512

    e62f405e92be9dfc98cf0ac0e78cddc254aa186d3aa2d88ceb8f76f93cf71796e8a9ff8469a68206646c82b485a2cd68c42e35593742fadc6fa3c82d3a17299e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9650140.exe
    Filesize

    172KB

    MD5

    454ee287b453b7a46265b37895f4e0d6

    SHA1

    c1a07b403f3fead20b2844e1472bd72cde14324b

    SHA256

    7fa93f39a6ed67985ddec971d904a29a529cd4b6063d3e15b7703edf611c75e3

    SHA512

    a1014932af8263e365bf106cea478ca91ecd7ea739c66d5d93e89f8eb14c81394832194bb99d8f1b4ababebe18e85ce812adb283602480fcc7e364e7ae378143

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9650140.exe
    Filesize

    172KB

    MD5

    454ee287b453b7a46265b37895f4e0d6

    SHA1

    c1a07b403f3fead20b2844e1472bd72cde14324b

    SHA256

    7fa93f39a6ed67985ddec971d904a29a529cd4b6063d3e15b7703edf611c75e3

    SHA512

    a1014932af8263e365bf106cea478ca91ecd7ea739c66d5d93e89f8eb14c81394832194bb99d8f1b4ababebe18e85ce812adb283602480fcc7e364e7ae378143

    Download Submit
  • memory/2392-159-0x0000000000DF0000-0x0000000000E20000-memory.dmp
    Filesize

    192KB

    Download
  • memory/2392-160-0x000000000B0C0000-0x000000000B6D8000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/2392-161-0x000000000AC30000-0x000000000AD3A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/2392-162-0x000000000AB70000-0x000000000AB82000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2392-163-0x000000000ABD0000-0x000000000AC0C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/2392-164-0x00000000055D0000-0x00000000055E0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2392-165-0x00000000055D0000-0x00000000055E0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4432-154-0x0000000000270000-0x000000000027A000-memory.dmp
    Filesize

    40KB

    Download