Overview

overview

10

Static

static

3

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    148s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    05-06-2023 04:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    601e2537f321ce891dfc3cbe45ce6c96d0d7208a5bd6f96e8f02be748feb203d.exe

  • Size

    580KB

  • MD5

    199e955416728e56ec9cb5de1a9c021e

  • SHA1

    c5704cac5d66b79fee22be3c1d6955274612e7b8

  • SHA256

    601e2537f321ce891dfc3cbe45ce6c96d0d7208a5bd6f96e8f02be748feb203d

  • SHA512

    c7b23f07caf20b8227291752dd7562dcdc88c3c6f9d39432af1fa0bd3fb2afced407552a764f22f58a832a8510c4f89197e3f1f50cb4b1585681f7ac8ef2732d

  • SSDEEP

    12288:YMrJy90h0lWTSZkmNshyUHvfXllHmNwRXsb+t:hyPWTrUCfXEwOa

Score
10/10
redlinemaxievasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\601e2537f321ce891dfc3cbe45ce6c96d0d7208a5bd6f96e8f02be748feb203d.exe
    "C:\Users\Admin\AppData\Local\Temp\601e2537f321ce891dfc3cbe45ce6c96d0d7208a5bd6f96e8f02be748feb203d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1608
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1241781.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1241781.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3968
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3800398.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3800398.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4912
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4905426.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4905426.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2064
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4760783.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4760783.exe
          4⤵
          • Executes dropped EXE
          PID:4304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1241781.exe
    Filesize

    377KB

    MD5

    5ebb2a95f3f2c672095cc9bb039ca15a

    SHA1

    746d8bc131c89a699f5b7357f169b0e1eec0e27b

    SHA256

    5e2c58f47f9644136281dc475bb948f9d1c024efcc080ad77a96c2fb39e0ad26

    SHA512

    0499c04f2efdd207604190fe912f208b5938ec83589cb2a308fedce1dc8bba4f447d12d031bd5bb56d7cdd0bcf74ac4f28ea4454ed466cbee44d346e65674115

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1241781.exe
    Filesize

    377KB

    MD5

    5ebb2a95f3f2c672095cc9bb039ca15a

    SHA1

    746d8bc131c89a699f5b7357f169b0e1eec0e27b

    SHA256

    5e2c58f47f9644136281dc475bb948f9d1c024efcc080ad77a96c2fb39e0ad26

    SHA512

    0499c04f2efdd207604190fe912f208b5938ec83589cb2a308fedce1dc8bba4f447d12d031bd5bb56d7cdd0bcf74ac4f28ea4454ed466cbee44d346e65674115

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3800398.exe
    Filesize

    206KB

    MD5

    d784438018cfd5132c04ca2c77048883

    SHA1

    98c1cafeaa0682fcd55330e434038a16b0454741

    SHA256

    19cba917ce83844be77bd2d01d5deb6db3461f0052d2cc6df24c48cda29bcf2d

    SHA512

    684b4b4a46a4ba8ed5b0adfca5fffa2e2917d290184441f5233f8bfc234b22fbecd5ef89d98d6a226f1cff03608eeeae90011a82b0c1a8ffd4f87305b2377729

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3800398.exe
    Filesize

    206KB

    MD5

    d784438018cfd5132c04ca2c77048883

    SHA1

    98c1cafeaa0682fcd55330e434038a16b0454741

    SHA256

    19cba917ce83844be77bd2d01d5deb6db3461f0052d2cc6df24c48cda29bcf2d

    SHA512

    684b4b4a46a4ba8ed5b0adfca5fffa2e2917d290184441f5233f8bfc234b22fbecd5ef89d98d6a226f1cff03608eeeae90011a82b0c1a8ffd4f87305b2377729

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4905426.exe
    Filesize

    11KB

    MD5

    5fc8b85e5a5a9a8497bb482ad785b940

    SHA1

    092c83d3fbc4f83b6eac6e885e7b36110fd47264

    SHA256

    f6bf6a82e616259c39ce9fe477155fccca0bd0e482b23467d7a334f02e79e10d

    SHA512

    13e09d6ae8ec2263d812bf83a74f891bed88453952b727b51bef2d4a07c2cda752c4f7ba9bee4fe6443f4603ddfd04d294fc6d09867ceae31d4ac4fc52fa81cb

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4905426.exe
    Filesize

    11KB

    MD5

    5fc8b85e5a5a9a8497bb482ad785b940

    SHA1

    092c83d3fbc4f83b6eac6e885e7b36110fd47264

    SHA256

    f6bf6a82e616259c39ce9fe477155fccca0bd0e482b23467d7a334f02e79e10d

    SHA512

    13e09d6ae8ec2263d812bf83a74f891bed88453952b727b51bef2d4a07c2cda752c4f7ba9bee4fe6443f4603ddfd04d294fc6d09867ceae31d4ac4fc52fa81cb

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4760783.exe
    Filesize

    172KB

    MD5

    8d6b81cb0e4eaca3d3b33e0e672a57d6

    SHA1

    e31f4182de6718da963aaf2bce2417bb70e04815

    SHA256

    43209a7e1f0317ffc0642a1f2b474f03d023f20e38a1cf1cfe9059cf5be0f2e8

    SHA512

    0d9ebc854207edbe6c03b2026d9a7aa661d45d381dcadb52871b796089ab6b69e98cfa87530696054c76a5191a9955513ea62a212b223699b21cb56be484273e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4760783.exe
    Filesize

    172KB

    MD5

    8d6b81cb0e4eaca3d3b33e0e672a57d6

    SHA1

    e31f4182de6718da963aaf2bce2417bb70e04815

    SHA256

    43209a7e1f0317ffc0642a1f2b474f03d023f20e38a1cf1cfe9059cf5be0f2e8

    SHA512

    0d9ebc854207edbe6c03b2026d9a7aa661d45d381dcadb52871b796089ab6b69e98cfa87530696054c76a5191a9955513ea62a212b223699b21cb56be484273e

    Download Submit
  • memory/2064-141-0x0000000000350000-0x000000000035A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4304-146-0x0000000000460000-0x0000000000490000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4304-147-0x0000000000BD0000-0x0000000000BD6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/4304-148-0x0000000005510000-0x0000000005B16000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/4304-149-0x0000000005010000-0x000000000511A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4304-150-0x0000000004CB0000-0x0000000004CC2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4304-151-0x0000000004CF0000-0x0000000004D00000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4304-152-0x0000000004F00000-0x0000000004F3E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4304-153-0x0000000004F40000-0x0000000004F8B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4304-154-0x0000000004CF0000-0x0000000004D00000-memory.dmp
    Filesize

    64KB

    Download