Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-06-2023 08:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6f8b5553336c757b12d4cf49ad22459b52af5dd181fb51a073dad32a905e335d.exe

  • Size

    580KB

  • MD5

    062ea44a244d188028b828ec4ed3ba40

  • SHA1

    c55aa6c4979defc338bf3c4292cc34c6f096d8eb

  • SHA256

    6f8b5553336c757b12d4cf49ad22459b52af5dd181fb51a073dad32a905e335d

  • SHA512

    2a9bc80aae3f174a3bbe492d7c7e21fc60307791a632752e418818720ac93e175c7d49315047aee29a6aa9aec52bd7cd4aac9355b3c73b1355a3ac15b53c5d87

  • SSDEEP

    12288:AMrNy903qOK7fImpawH4rkSPf/PZ6rgpQq5XT+pppIN7qZD:9y1bfIiH4lIrg5lTwIEZD

Score
10/10
redlinemaxievasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f8b5553336c757b12d4cf49ad22459b52af5dd181fb51a073dad32a905e335d.exe
    "C:\Users\Admin\AppData\Local\Temp\6f8b5553336c757b12d4cf49ad22459b52af5dd181fb51a073dad32a905e335d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2708
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9632642.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9632642.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1692
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7333810.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7333810.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2920
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3565794.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3565794.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1344
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1013431.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1013431.exe
          4⤵
          • Executes dropped EXE
          PID:3216

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9632642.exe
    Filesize

    377KB

    MD5

    e8d8585c0471751fef61e13ac5936bad

    SHA1

    5ee9705507dbee8c2d5229cd37ca099eadc3fe55

    SHA256

    050711fa6bcbceb38410715b47156ae87b033b943f9ae6818e311877e0feef54

    SHA512

    a4c3188776620777246dc8028892bd2dbfb9f825db5979f2a62690eeb2e825342d760d711e66ab3ed0807f90a858d95f743d954067007f24953ccc3c56ba222d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9632642.exe
    Filesize

    377KB

    MD5

    e8d8585c0471751fef61e13ac5936bad

    SHA1

    5ee9705507dbee8c2d5229cd37ca099eadc3fe55

    SHA256

    050711fa6bcbceb38410715b47156ae87b033b943f9ae6818e311877e0feef54

    SHA512

    a4c3188776620777246dc8028892bd2dbfb9f825db5979f2a62690eeb2e825342d760d711e66ab3ed0807f90a858d95f743d954067007f24953ccc3c56ba222d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7333810.exe
    Filesize

    206KB

    MD5

    740219272b319301c17430da58097b81

    SHA1

    d2da5d524e13e3873ad09284b5cc45f6e72af7dc

    SHA256

    5f257637e6cc36ddaad8ef7be4cda083968be67351bd96701eb2c5e38670b472

    SHA512

    fd082163af67767521eb576ea462a8125a7353309d136465cd7dee8316f8696ec35a0f7e961da7ed777c3194ff3c81c06d10f60e8b69359bd6537d1474ea9579

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7333810.exe
    Filesize

    206KB

    MD5

    740219272b319301c17430da58097b81

    SHA1

    d2da5d524e13e3873ad09284b5cc45f6e72af7dc

    SHA256

    5f257637e6cc36ddaad8ef7be4cda083968be67351bd96701eb2c5e38670b472

    SHA512

    fd082163af67767521eb576ea462a8125a7353309d136465cd7dee8316f8696ec35a0f7e961da7ed777c3194ff3c81c06d10f60e8b69359bd6537d1474ea9579

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3565794.exe
    Filesize

    11KB

    MD5

    04c2742eca149c80aa4052851fa4c3a1

    SHA1

    8e96a155308f16b532c11bef88381d20fb0dd455

    SHA256

    7f229707b2fd91bb23873c123bc523b9c9094832901857f53444e29590a713de

    SHA512

    32cfc2377ee1c06df3f8b2dc709df8dec64786d0d5687a42d8fa5cbd7569ca44640364e01e369c237ee119845a3d7126f9fda68f8c76a19427a4a388f4ff2c25

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3565794.exe
    Filesize

    11KB

    MD5

    04c2742eca149c80aa4052851fa4c3a1

    SHA1

    8e96a155308f16b532c11bef88381d20fb0dd455

    SHA256

    7f229707b2fd91bb23873c123bc523b9c9094832901857f53444e29590a713de

    SHA512

    32cfc2377ee1c06df3f8b2dc709df8dec64786d0d5687a42d8fa5cbd7569ca44640364e01e369c237ee119845a3d7126f9fda68f8c76a19427a4a388f4ff2c25

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1013431.exe
    Filesize

    172KB

    MD5

    10346097bd30b6bc637298d098d3caf1

    SHA1

    11222a9087365bdba5f7e25d4efc0d3bbb9da231

    SHA256

    b9ce025e30d057b43afe1fbc7ccf2c0199abc4a5b98cc93d7bb61c11681797da

    SHA512

    1ee252b4a7704428b8cba4eaf7b564a42454586d5a2c5955481ac9b88bd37e33ffd438fb9de601acd9a20a60c7330364b43b1a64ce4a97fdbcd8f8bd4e800225

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1013431.exe
    Filesize

    172KB

    MD5

    10346097bd30b6bc637298d098d3caf1

    SHA1

    11222a9087365bdba5f7e25d4efc0d3bbb9da231

    SHA256

    b9ce025e30d057b43afe1fbc7ccf2c0199abc4a5b98cc93d7bb61c11681797da

    SHA512

    1ee252b4a7704428b8cba4eaf7b564a42454586d5a2c5955481ac9b88bd37e33ffd438fb9de601acd9a20a60c7330364b43b1a64ce4a97fdbcd8f8bd4e800225

    Download Submit
  • memory/1344-154-0x00000000004F0000-0x00000000004FA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3216-159-0x0000000000CC0000-0x0000000000CF0000-memory.dmp
    Filesize

    192KB

    Download
  • memory/3216-160-0x000000000B110000-0x000000000B728000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/3216-161-0x000000000AC40000-0x000000000AD4A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/3216-162-0x000000000AB80000-0x000000000AB92000-memory.dmp
    Filesize

    72KB

    Download
  • memory/3216-163-0x000000000ABE0000-0x000000000AC1C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/3216-164-0x0000000005660000-0x0000000005670000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3216-165-0x0000000005660000-0x0000000005670000-memory.dmp
    Filesize

    64KB

    Download