Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-06-2023 09:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    36e6b5c6297bfd9fab4c6c84c7e3e568e305412bfe05c6e6c12bb664d7eecd1a.exe

  • Size

    579KB

  • MD5

    cfd7f2eff9cbb823950b5a28d314a030

  • SHA1

    ce7ecfb28b20d8f5a110c68749c0ba959a064545

  • SHA256

    36e6b5c6297bfd9fab4c6c84c7e3e568e305412bfe05c6e6c12bb664d7eecd1a

  • SHA512

    523f011c9ccf7dfe1dad0a6596e7a1c2663c928cebf32c992446b6f9d4454aa685cf36aa8a8abc669dbc0196d57f690736707f16f773f4c0d33693c0addd9f62

  • SSDEEP

    12288:/MrZy908Pfh1aJdas3WBPqT9MK5FbDV6QiOctieBu:OyfJ1GYUmPqMcLEieBu

Score
10/10
redlinemaxievasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\36e6b5c6297bfd9fab4c6c84c7e3e568e305412bfe05c6e6c12bb664d7eecd1a.exe
    "C:\Users\Admin\AppData\Local\Temp\36e6b5c6297bfd9fab4c6c84c7e3e568e305412bfe05c6e6c12bb664d7eecd1a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4848
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2272915.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2272915.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3348
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4276499.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4276499.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:60
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3028110.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3028110.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4772
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5784459.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5784459.exe
          4⤵
          • Executes dropped EXE
          PID:1772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2272915.exe
    Filesize

    377KB

    MD5

    52e205f2b7b1433f815be5426b120f95

    SHA1

    3d74c1708137967449aa57c6d5396f114b6eaf56

    SHA256

    afe1c018c0813e54c4a80e6d6ac8d82187f9c26ec5968c21f4fe6858fdfac260

    SHA512

    ffbdbb8314ca123a07a53e7a990e52fa9dbe1189509b00a16e695634f24d7491711a866b15d9861315cb0cf7f293c6fcc4601952ac10834cb4ed59d8627c547f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2272915.exe
    Filesize

    377KB

    MD5

    52e205f2b7b1433f815be5426b120f95

    SHA1

    3d74c1708137967449aa57c6d5396f114b6eaf56

    SHA256

    afe1c018c0813e54c4a80e6d6ac8d82187f9c26ec5968c21f4fe6858fdfac260

    SHA512

    ffbdbb8314ca123a07a53e7a990e52fa9dbe1189509b00a16e695634f24d7491711a866b15d9861315cb0cf7f293c6fcc4601952ac10834cb4ed59d8627c547f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4276499.exe
    Filesize

    206KB

    MD5

    c5acdbead8c2ccdac036ab36bcc48e02

    SHA1

    960dd8f08d9136075522fc47c4d4ab75c78e1707

    SHA256

    95492a402cac3e92ebb439c2e67a94ce050a26fcc7fb7672e7e528340b05c63b

    SHA512

    93b7bad5561bbb31809a3d62b02d55bef91ab52f2f316142ee31fc850c22e8a86b4a152c8570b9067ebb4f1a41fc36cc31b6d0e950644113231168c59e9c0ed3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4276499.exe
    Filesize

    206KB

    MD5

    c5acdbead8c2ccdac036ab36bcc48e02

    SHA1

    960dd8f08d9136075522fc47c4d4ab75c78e1707

    SHA256

    95492a402cac3e92ebb439c2e67a94ce050a26fcc7fb7672e7e528340b05c63b

    SHA512

    93b7bad5561bbb31809a3d62b02d55bef91ab52f2f316142ee31fc850c22e8a86b4a152c8570b9067ebb4f1a41fc36cc31b6d0e950644113231168c59e9c0ed3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3028110.exe
    Filesize

    12KB

    MD5

    f2d3c56be1564cc85ba7c13881377619

    SHA1

    962b88bf6e41c79cb44c5606b9f9dc7d648f1f45

    SHA256

    892c18f6a918e2c4a21c5ac43701537a84c9e2828f9ef0bb617d807763e3eef6

    SHA512

    972701a8b2fe63a96e5abfa3937e6f83c817cfe7542ab30f03a18dc68b7dfe383faa4af069ca0fa78d3dff3d81b68ef0acafe7648d6f68b44e79f456062ce069

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3028110.exe
    Filesize

    12KB

    MD5

    f2d3c56be1564cc85ba7c13881377619

    SHA1

    962b88bf6e41c79cb44c5606b9f9dc7d648f1f45

    SHA256

    892c18f6a918e2c4a21c5ac43701537a84c9e2828f9ef0bb617d807763e3eef6

    SHA512

    972701a8b2fe63a96e5abfa3937e6f83c817cfe7542ab30f03a18dc68b7dfe383faa4af069ca0fa78d3dff3d81b68ef0acafe7648d6f68b44e79f456062ce069

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5784459.exe
    Filesize

    172KB

    MD5

    53baaf6d1d16e49f6804249ad1f050c1

    SHA1

    df98d928596dd83620c1ffe74721e697fd261b62

    SHA256

    8e696ef539e484d3ebd01db4b5f927ce73678453a24e3f181de42d5a3f294027

    SHA512

    60cf0294be69ecf87a4a83a11d73667f04887341c47e756f8ec7932787bd83c55b2913601d17ea005d5309899edadc5c27f0a84d35b4d4748ddd2f433cd0b6a2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5784459.exe
    Filesize

    172KB

    MD5

    53baaf6d1d16e49f6804249ad1f050c1

    SHA1

    df98d928596dd83620c1ffe74721e697fd261b62

    SHA256

    8e696ef539e484d3ebd01db4b5f927ce73678453a24e3f181de42d5a3f294027

    SHA512

    60cf0294be69ecf87a4a83a11d73667f04887341c47e756f8ec7932787bd83c55b2913601d17ea005d5309899edadc5c27f0a84d35b4d4748ddd2f433cd0b6a2

    Download Submit
  • memory/1772-159-0x0000000000110000-0x0000000000140000-memory.dmp
    Filesize

    192KB

    Download
  • memory/1772-160-0x000000000A580000-0x000000000AB98000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/1772-161-0x000000000A090000-0x000000000A19A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/1772-162-0x0000000009FD0000-0x0000000009FE2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1772-163-0x000000000A030000-0x000000000A06C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1772-164-0x0000000004AD0000-0x0000000004AE0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1772-165-0x0000000004AD0000-0x0000000004AE0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4772-154-0x0000000000D90000-0x0000000000D9A000-memory.dmp
    Filesize

    40KB

    Download