Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-06-2023 08:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    126c9bdb94a802e34f637812af2f1d753c4a4f6f9733e6ab753535768eea4be0.exe

  • Size

    579KB

  • MD5

    289c797539e006499cfa78e6ba421478

  • SHA1

    acd2518c80d2128ec136da8465e34cde0e81a60b

  • SHA256

    126c9bdb94a802e34f637812af2f1d753c4a4f6f9733e6ab753535768eea4be0

  • SHA512

    6bd58bd613363666b744b5f7025fa6e47e43638362ed797e99c584c29d8d089bcdacce914251a6ac78276d7141ada22a142018da8b86c95c03d4c5944f85eab8

  • SSDEEP

    12288:HMr1y90+ZYWHWkeVzGAvWbIcATYoMqcHKhsVeLIfSbUJt4u:Wy5FqVzGARxT/CqqfS4J+u

Score
10/10
redlinemaxievasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\126c9bdb94a802e34f637812af2f1d753c4a4f6f9733e6ab753535768eea4be0.exe
    "C:\Users\Admin\AppData\Local\Temp\126c9bdb94a802e34f637812af2f1d753c4a4f6f9733e6ab753535768eea4be0.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4216
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8164776.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8164776.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4616
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2598729.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2598729.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4928
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1076701.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1076701.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:456
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3567561.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3567561.exe
          4⤵
          • Executes dropped EXE
          PID:1656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8164776.exe
    Filesize

    377KB

    MD5

    f41399fcd55cff4a843b4a035b4c2d43

    SHA1

    d241d3357baa8abc65dc97abbea02cc36ead98a1

    SHA256

    6df175969e50571355b65b816ba26ecce0497fd5f54d619864c2fe2273fda344

    SHA512

    f6f85ce15c12e4c773b3057ca2e18dd4eea3042cdf3006414779d6cb14078eda892046cc6f73f49dbe8f8702ddf7c0810c97107380d783a701a168cef4ff9931

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8164776.exe
    Filesize

    377KB

    MD5

    f41399fcd55cff4a843b4a035b4c2d43

    SHA1

    d241d3357baa8abc65dc97abbea02cc36ead98a1

    SHA256

    6df175969e50571355b65b816ba26ecce0497fd5f54d619864c2fe2273fda344

    SHA512

    f6f85ce15c12e4c773b3057ca2e18dd4eea3042cdf3006414779d6cb14078eda892046cc6f73f49dbe8f8702ddf7c0810c97107380d783a701a168cef4ff9931

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2598729.exe
    Filesize

    206KB

    MD5

    529e1c3636e9561fb8a37ed5318a6b25

    SHA1

    df32460fcd2f7d69c499953337c5bf92118b3276

    SHA256

    03dfd551f22256f0116fb66fc254b038fe5820b58fb0712e8cb6d677a65492ae

    SHA512

    27e0fa77f8dc88671b4a2e51ebe0ff5a0b367b6808cc3097364f83a3a82ca59876638de6c13dbaf3d513c697cded8f8ba920c2316493003be093c559bd37d528

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2598729.exe
    Filesize

    206KB

    MD5

    529e1c3636e9561fb8a37ed5318a6b25

    SHA1

    df32460fcd2f7d69c499953337c5bf92118b3276

    SHA256

    03dfd551f22256f0116fb66fc254b038fe5820b58fb0712e8cb6d677a65492ae

    SHA512

    27e0fa77f8dc88671b4a2e51ebe0ff5a0b367b6808cc3097364f83a3a82ca59876638de6c13dbaf3d513c697cded8f8ba920c2316493003be093c559bd37d528

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1076701.exe
    Filesize

    12KB

    MD5

    c2a05bf02a5e6ce6beeb1b747f006b3e

    SHA1

    801edcbef274e47c522bb985467ced3bff296dfb

    SHA256

    cb2b0d97af25b121dd8ef83a7003f3cee9469acd374d0d04986be37c76ed060b

    SHA512

    dc399d61fc7efeea480ef95f008d13c6b040080246eac7efd56e43457af2d0d6a5e89f16c63eb339d98d0b0d2b8ed1879ce4bc707111f5b74f928f1499182d56

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1076701.exe
    Filesize

    12KB

    MD5

    c2a05bf02a5e6ce6beeb1b747f006b3e

    SHA1

    801edcbef274e47c522bb985467ced3bff296dfb

    SHA256

    cb2b0d97af25b121dd8ef83a7003f3cee9469acd374d0d04986be37c76ed060b

    SHA512

    dc399d61fc7efeea480ef95f008d13c6b040080246eac7efd56e43457af2d0d6a5e89f16c63eb339d98d0b0d2b8ed1879ce4bc707111f5b74f928f1499182d56

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3567561.exe
    Filesize

    172KB

    MD5

    c4b60e437ef855048af2f3684b188ae9

    SHA1

    be86f2a356df18fc4fb12df777fe34ca694742ca

    SHA256

    d1ee48e11d4f86c6a40533211fb353ff52d659f72d62278b54cdc388ff29ab02

    SHA512

    bc3e230d4a8dcde20eb96e73c9dbe1852ebadff71342821969e4a5210aba0b20d8e14eeb76e3e1b89dda5947b053097b459dc51ef2a99a2439be574e47bd1035

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3567561.exe
    Filesize

    172KB

    MD5

    c4b60e437ef855048af2f3684b188ae9

    SHA1

    be86f2a356df18fc4fb12df777fe34ca694742ca

    SHA256

    d1ee48e11d4f86c6a40533211fb353ff52d659f72d62278b54cdc388ff29ab02

    SHA512

    bc3e230d4a8dcde20eb96e73c9dbe1852ebadff71342821969e4a5210aba0b20d8e14eeb76e3e1b89dda5947b053097b459dc51ef2a99a2439be574e47bd1035

    Download Submit
  • memory/456-154-0x0000000000DF0000-0x0000000000DFA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1656-159-0x00000000009A0000-0x00000000009D0000-memory.dmp
    Filesize

    192KB

    Download
  • memory/1656-160-0x000000000ADA0000-0x000000000B3B8000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/1656-161-0x000000000A920000-0x000000000AA2A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/1656-162-0x000000000A860000-0x000000000A872000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1656-163-0x0000000002D40000-0x0000000002D50000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1656-164-0x000000000A8C0000-0x000000000A8FC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1656-165-0x0000000002D40000-0x0000000002D50000-memory.dmp
    Filesize

    64KB

    Download