Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-06-2023 03:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    320cbfaa24aefd9e739ad48926f700ad689f39354a6f5268c14d2761d0486377.exe

  • Size

    580KB

  • MD5

    344f0a434e359bc6a06745a78d57e388

  • SHA1

    3edd2a8e9b9254da4a5027907a165cdba84790df

  • SHA256

    320cbfaa24aefd9e739ad48926f700ad689f39354a6f5268c14d2761d0486377

  • SHA512

    0b4267c8632615dad12064acfd86187dcd3ed5126464bb9c871c6915640ab771346b28753d7986b8adcba63453d15e3370a8cf3f6d0d1e5f233cf5aa1436d6a1

  • SSDEEP

    12288:pMr/y90DQQ11FxkVje5sEwjkjWW4VKRQ/LwwK66MOM:aysQQ11772n6WJVKRQTweOM

Score
10/10
redlinemaxievasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\320cbfaa24aefd9e739ad48926f700ad689f39354a6f5268c14d2761d0486377.exe
    "C:\Users\Admin\AppData\Local\Temp\320cbfaa24aefd9e739ad48926f700ad689f39354a6f5268c14d2761d0486377.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0527811.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0527811.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1432
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4475342.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4475342.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4656
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5635110.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5635110.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4628
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6197124.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6197124.exe
          4⤵
          • Executes dropped EXE
          PID:3808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0527811.exe
    Filesize

    377KB

    MD5

    878f8df81651618c7e35c01927551b6d

    SHA1

    c1a79fe03a6666bf8a2a3f1a4a05b0a8861db5da

    SHA256

    ddbd7b2892f6e74c0da50d8486ba0346dfde3b61eda85798a243fbcf94321afb

    SHA512

    02727b95e8446ee0eb735df2b138ab7445c85219a47ff58698cb0adb4e26f65699a03444dee572184c89baec92e0a493050a54e76c3b45d2b2c1d5296df69234

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0527811.exe
    Filesize

    377KB

    MD5

    878f8df81651618c7e35c01927551b6d

    SHA1

    c1a79fe03a6666bf8a2a3f1a4a05b0a8861db5da

    SHA256

    ddbd7b2892f6e74c0da50d8486ba0346dfde3b61eda85798a243fbcf94321afb

    SHA512

    02727b95e8446ee0eb735df2b138ab7445c85219a47ff58698cb0adb4e26f65699a03444dee572184c89baec92e0a493050a54e76c3b45d2b2c1d5296df69234

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4475342.exe
    Filesize

    206KB

    MD5

    71584bafa3bd041579db8adc5abd7ba4

    SHA1

    b41011685b21716bda2b2a9f6986a5f265dd9f32

    SHA256

    97dbba7d1d29954415bbd3b3d30ac16b8ca4065da6b24e27a4b28f9840aff423

    SHA512

    b4cb839d76bc48d41224dddec2e4bcd095f9a02b5d98ae877be6b63c067a3764c045aa754a2e04b3683fb5a9f77a631667176f61d39d910d32e1d6b0c2fff5e6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4475342.exe
    Filesize

    206KB

    MD5

    71584bafa3bd041579db8adc5abd7ba4

    SHA1

    b41011685b21716bda2b2a9f6986a5f265dd9f32

    SHA256

    97dbba7d1d29954415bbd3b3d30ac16b8ca4065da6b24e27a4b28f9840aff423

    SHA512

    b4cb839d76bc48d41224dddec2e4bcd095f9a02b5d98ae877be6b63c067a3764c045aa754a2e04b3683fb5a9f77a631667176f61d39d910d32e1d6b0c2fff5e6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5635110.exe
    Filesize

    11KB

    MD5

    6f3d82ba66b148340aaed46b2583e1d9

    SHA1

    531bca927a9375e1a0addcdb2fde53b52de5c24d

    SHA256

    816e9cec678fe3557dbb774e91184c35ba80eb5f7a9530350b5bd22013939b92

    SHA512

    801b34bbba36019b8da07cd4136e1ea0a9b034b43cd2e3d6cf86d1a10c522b3fe84062883ec21bdbe56ffe4650b6f45f02ea7dadfdf6589d19031b315d14b93e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5635110.exe
    Filesize

    11KB

    MD5

    6f3d82ba66b148340aaed46b2583e1d9

    SHA1

    531bca927a9375e1a0addcdb2fde53b52de5c24d

    SHA256

    816e9cec678fe3557dbb774e91184c35ba80eb5f7a9530350b5bd22013939b92

    SHA512

    801b34bbba36019b8da07cd4136e1ea0a9b034b43cd2e3d6cf86d1a10c522b3fe84062883ec21bdbe56ffe4650b6f45f02ea7dadfdf6589d19031b315d14b93e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6197124.exe
    Filesize

    172KB

    MD5

    dde03324bfbec204927e4a1859629c58

    SHA1

    874e6890fc637758c73d5b71783323f61a172b51

    SHA256

    2eb2230e4ed0793136fbfc14157c1878cce71d199948f4af61a43fb22fe135ea

    SHA512

    3c44e029ae0875c7adaa3cc8085bc4d4ef0ba084d8a961b973840e8146b5848d598b0e4de1dc8ee410ebf850beef742d64d95a0df768eac6ff159f7e11edd708

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6197124.exe
    Filesize

    172KB

    MD5

    dde03324bfbec204927e4a1859629c58

    SHA1

    874e6890fc637758c73d5b71783323f61a172b51

    SHA256

    2eb2230e4ed0793136fbfc14157c1878cce71d199948f4af61a43fb22fe135ea

    SHA512

    3c44e029ae0875c7adaa3cc8085bc4d4ef0ba084d8a961b973840e8146b5848d598b0e4de1dc8ee410ebf850beef742d64d95a0df768eac6ff159f7e11edd708

    Download Submit
  • memory/3808-159-0x0000000000D00000-0x0000000000D30000-memory.dmp
    Filesize

    192KB

    Download
  • memory/3808-160-0x000000000B160000-0x000000000B778000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/3808-161-0x000000000AC80000-0x000000000AD8A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/3808-162-0x000000000ABC0000-0x000000000ABD2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/3808-163-0x000000000AC20000-0x000000000AC5C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/3808-164-0x00000000055B0000-0x00000000055C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3808-165-0x00000000055B0000-0x00000000055C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4628-154-0x0000000000B70000-0x0000000000B7A000-memory.dmp
    Filesize

    40KB

    Download