Overview

overview

10

Static

static

3

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    05-06-2023 03:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c04a0fadd898895d8fcd8fe08a6af9cdd3e08b86f879e2b3e2f45299173ea4a0.exe

  • Size

    581KB

  • MD5

    0bc1143763574d14b6bebcbb92e5a21e

  • SHA1

    793a762006de7749cc6f2b4e9a5e348edef884eb

  • SHA256

    c04a0fadd898895d8fcd8fe08a6af9cdd3e08b86f879e2b3e2f45299173ea4a0

  • SHA512

    b0609a4c3b3eab2a09f15146519d4e4e21e8cb362da755c290d4c346363f51c8f41e75ed6592483b6f3321aff60fd4812724f535cdb5bdfa02ad7080f6dde701

  • SSDEEP

    6144:Kfy+bnr+3p0yN90QE6+NKYMryY8WbevNID0/VFS1Oc55Myy6JKTwck0axV5pLPw4:ZMrny90tNKvuNQV+lmXyHv1g

Score
10/10
redlinemaxievasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c04a0fadd898895d8fcd8fe08a6af9cdd3e08b86f879e2b3e2f45299173ea4a0.exe
    "C:\Users\Admin\AppData\Local\Temp\c04a0fadd898895d8fcd8fe08a6af9cdd3e08b86f879e2b3e2f45299173ea4a0.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1359070.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1359070.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2152
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7397152.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7397152.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2340
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7842844.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7842844.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2420
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8942636.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8942636.exe
          4⤵
          • Executes dropped EXE
          PID:4960

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1359070.exe
    Filesize

    377KB

    MD5

    10865164b45c32fc85d158cca0037826

    SHA1

    7b6bac11308c48d46620c3cb535b7cb370579c39

    SHA256

    5154580e4ee4e4ffdbddb118ba3e2f34d4f9991bb5c3325531e781ee40e5bf9a

    SHA512

    ea57da4f3edc7679d3bd71e03183f78a05249afb8ca562b5aaa22fc773bd64b8285dc2262d73650933c1187c024cf000fb401125fd9d6c25cfc23897c590c1a6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1359070.exe
    Filesize

    377KB

    MD5

    10865164b45c32fc85d158cca0037826

    SHA1

    7b6bac11308c48d46620c3cb535b7cb370579c39

    SHA256

    5154580e4ee4e4ffdbddb118ba3e2f34d4f9991bb5c3325531e781ee40e5bf9a

    SHA512

    ea57da4f3edc7679d3bd71e03183f78a05249afb8ca562b5aaa22fc773bd64b8285dc2262d73650933c1187c024cf000fb401125fd9d6c25cfc23897c590c1a6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7397152.exe
    Filesize

    206KB

    MD5

    7625d0e137343f96aae87917576c3bf6

    SHA1

    0b4d11bca7bc424be2234bddcfddc3b755b8a3ad

    SHA256

    88853f74f4cc245c1ea236cf5b5a720d6a1cf4c92bd2f19a7e97af553cfa5beb

    SHA512

    4ec3c6e089af55b9c6f2824ecc6f68ccb8b3a88cbbdbf1d2a82324b66cb1f666ab34433f748100ee82230f471678a8ddefc0f999445524140cfb66cf0e340450

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7397152.exe
    Filesize

    206KB

    MD5

    7625d0e137343f96aae87917576c3bf6

    SHA1

    0b4d11bca7bc424be2234bddcfddc3b755b8a3ad

    SHA256

    88853f74f4cc245c1ea236cf5b5a720d6a1cf4c92bd2f19a7e97af553cfa5beb

    SHA512

    4ec3c6e089af55b9c6f2824ecc6f68ccb8b3a88cbbdbf1d2a82324b66cb1f666ab34433f748100ee82230f471678a8ddefc0f999445524140cfb66cf0e340450

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7842844.exe
    Filesize

    11KB

    MD5

    fda150cbbe59c4a15e60691d25397873

    SHA1

    10214422ff569e6b48623d9f73465dab8157d993

    SHA256

    69dbde5c1e79180df44fbbe52a81585cf03b44843610fdff1f0a15fa212046f9

    SHA512

    9a4db3f159a8ba5a950c27edb8b784dafe443561c55c95fbfaf7bf0e120e1dbf1552b5b85025c634d2841ad3e9927394b3072dc5dc2e974bd494e4ff9b38e089

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7842844.exe
    Filesize

    11KB

    MD5

    fda150cbbe59c4a15e60691d25397873

    SHA1

    10214422ff569e6b48623d9f73465dab8157d993

    SHA256

    69dbde5c1e79180df44fbbe52a81585cf03b44843610fdff1f0a15fa212046f9

    SHA512

    9a4db3f159a8ba5a950c27edb8b784dafe443561c55c95fbfaf7bf0e120e1dbf1552b5b85025c634d2841ad3e9927394b3072dc5dc2e974bd494e4ff9b38e089

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8942636.exe
    Filesize

    172KB

    MD5

    287aac2015e8246204b10961c1805668

    SHA1

    90230b5603230ebfae07112b0e3611e02eb3b4d9

    SHA256

    2ef1419e5bec6b4c30e271ae4821a32952f35ac3cb8a399cbbd91323b5e4aaf2

    SHA512

    86c6d35b6b4713e2e75fb38f65c9a0d9c263c777f5723dcecc95c7d47427af5aa46048e863387df040ee09e3756ecaced8f946142f5445f19e489898e742b2c1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8942636.exe
    Filesize

    172KB

    MD5

    287aac2015e8246204b10961c1805668

    SHA1

    90230b5603230ebfae07112b0e3611e02eb3b4d9

    SHA256

    2ef1419e5bec6b4c30e271ae4821a32952f35ac3cb8a399cbbd91323b5e4aaf2

    SHA512

    86c6d35b6b4713e2e75fb38f65c9a0d9c263c777f5723dcecc95c7d47427af5aa46048e863387df040ee09e3756ecaced8f946142f5445f19e489898e742b2c1

    Download Submit

  • memory/2420-142-0x00000000003D0000-0x00000000003DA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4960-147-0x0000000000A70000-0x0000000000AA0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4960-148-0x00000000011C0000-0x00000000011C6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4960-149-0x000000000AE60000-0x000000000B466000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4960-150-0x000000000A9B0000-0x000000000AABA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4960-151-0x000000000A8E0000-0x000000000A8F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4960-152-0x000000000A940000-0x000000000A97E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4960-153-0x00000000052C0000-0x00000000052D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4960-154-0x000000000AAC0000-0x000000000AB0B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4960-155-0x00000000052C0000-0x00000000052D0000-memory.dmp

    Filesize

    64KB

    Download