Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-06-2023 09:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eed2210b512bb1ff1ed5934499cbb78b212933832ee1637059a3ecc3e2ab8b65.exe

  • Size

    579KB

  • MD5

    93541ce06aa6137dd0459ad7f633641f

  • SHA1

    cd97cbc52b78d4fcc8bd01f736b610e93003015c

  • SHA256

    eed2210b512bb1ff1ed5934499cbb78b212933832ee1637059a3ecc3e2ab8b65

  • SHA512

    3e853bb1f2d549f020d621cb70356d734c663b1502a3d051d3455a21438d8f8c683d28aec974db3106549d78e4a5d48dc25e27de798bab2740e2f3a3896c29fb

  • SSDEEP

    12288:EMrUy90iBOLNx8Ljn8a4b2WXTzhMFbAIrOa+eP9:YyRB1jnGbLhobjr3+eP9

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eed2210b512bb1ff1ed5934499cbb78b212933832ee1637059a3ecc3e2ab8b65.exe
    "C:\Users\Admin\AppData\Local\Temp\eed2210b512bb1ff1ed5934499cbb78b212933832ee1637059a3ecc3e2ab8b65.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4834846.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4834846.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2152
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0044522.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0044522.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1436
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5493682.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5493682.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2168
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0858030.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0858030.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4834846.exe
    Filesize

    377KB

    MD5

    16ea68a3dbfc7d94bcb688f80792d16e

    SHA1

    3c8e9cdd0050742cd5bc6106578b9aa91f9c79c7

    SHA256

    032eac7d44751e1e6db1fc2dd85ebaa71b855653550e68f6e7bae7c49437a1f6

    SHA512

    d494afe12de20550975e5dcb3ff5ca49df5e1140c1e077255b9179c7e4f63248276ab267fa219ec6c8877a7ec3017270c8ed3302bd118debb98f5ef07f2cd4fa

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4834846.exe
    Filesize

    377KB

    MD5

    16ea68a3dbfc7d94bcb688f80792d16e

    SHA1

    3c8e9cdd0050742cd5bc6106578b9aa91f9c79c7

    SHA256

    032eac7d44751e1e6db1fc2dd85ebaa71b855653550e68f6e7bae7c49437a1f6

    SHA512

    d494afe12de20550975e5dcb3ff5ca49df5e1140c1e077255b9179c7e4f63248276ab267fa219ec6c8877a7ec3017270c8ed3302bd118debb98f5ef07f2cd4fa

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0044522.exe
    Filesize

    206KB

    MD5

    7ef90b4355bf101285a195cab89fbd4b

    SHA1

    0969ad67d34db510b05581696090dbaf97672f1e

    SHA256

    cdcdf8a06793b2aa2d77e09d6b41de302596b54ab5959be79a9d1f5f6f843686

    SHA512

    d072c712429efa5465f85e0a0b8279ecd67b7f6051280cde7e7897eb4ca1656bb03bf8f148b366a15d82ed3cb78bcd9a12df27e49949ffa5e0bfbc7de882f660

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0044522.exe
    Filesize

    206KB

    MD5

    7ef90b4355bf101285a195cab89fbd4b

    SHA1

    0969ad67d34db510b05581696090dbaf97672f1e

    SHA256

    cdcdf8a06793b2aa2d77e09d6b41de302596b54ab5959be79a9d1f5f6f843686

    SHA512

    d072c712429efa5465f85e0a0b8279ecd67b7f6051280cde7e7897eb4ca1656bb03bf8f148b366a15d82ed3cb78bcd9a12df27e49949ffa5e0bfbc7de882f660

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5493682.exe
    Filesize

    12KB

    MD5

    27d7361843e2ec141e3a17ffb7a07e0f

    SHA1

    c83c8ade9684c54b417b8d3177e0c80a14bb2a2c

    SHA256

    c77d57c73ded06651cd28804f971f7991431fb439aca7922b64f142abd122987

    SHA512

    fae7e2bfecc1a51cec76f2cff73847222aedb2e79d284d7144ceb518c7fca7e77a9372296f2e187f8cbb2712ce5849f7195a428a4af96ddaf677c20eccf5b5a1

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5493682.exe
    Filesize

    12KB

    MD5

    27d7361843e2ec141e3a17ffb7a07e0f

    SHA1

    c83c8ade9684c54b417b8d3177e0c80a14bb2a2c

    SHA256

    c77d57c73ded06651cd28804f971f7991431fb439aca7922b64f142abd122987

    SHA512

    fae7e2bfecc1a51cec76f2cff73847222aedb2e79d284d7144ceb518c7fca7e77a9372296f2e187f8cbb2712ce5849f7195a428a4af96ddaf677c20eccf5b5a1

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0858030.exe
    Filesize

    172KB

    MD5

    53af360a13867cc209ed436fa384d6d6

    SHA1

    1a636e691c30bcdb19cf3d6925b482d02913a982

    SHA256

    91fc50eb15604b358ba1b4f072068cd9e51596be1063a8eb156a92f2427d61ac

    SHA512

    0e35c61698a1eb1cfb5ad86434df0f703ee681ccd6a9abf88723b8278ac60aac2cfe8f60c939dde6038e678aa5167133b4ff265847875719b216ba9b5ab57854

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0858030.exe
    Filesize

    172KB

    MD5

    53af360a13867cc209ed436fa384d6d6

    SHA1

    1a636e691c30bcdb19cf3d6925b482d02913a982

    SHA256

    91fc50eb15604b358ba1b4f072068cd9e51596be1063a8eb156a92f2427d61ac

    SHA512

    0e35c61698a1eb1cfb5ad86434df0f703ee681ccd6a9abf88723b8278ac60aac2cfe8f60c939dde6038e678aa5167133b4ff265847875719b216ba9b5ab57854

    Download Submit
  • memory/2168-154-0x0000000000CF0000-0x0000000000CFA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2776-160-0x000000000A650000-0x000000000AC68000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/2776-166-0x000000000ACF0000-0x000000000AD66000-memory.dmp
    Filesize

    472KB

    Download
  • memory/2776-161-0x000000000A140000-0x000000000A24A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/2776-162-0x000000000A050000-0x000000000A062000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2776-163-0x000000000A0B0000-0x000000000A0EC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/2776-164-0x0000000004BA0000-0x0000000004BB0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2776-165-0x0000000004BA0000-0x0000000004BB0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2776-159-0x00000000002D0000-0x0000000000300000-memory.dmp
    Filesize

    192KB

    Download
  • memory/2776-167-0x000000000AE10000-0x000000000AEA2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2776-168-0x000000000AD70000-0x000000000ADD6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2776-169-0x000000000B660000-0x000000000BC04000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/2776-170-0x000000000B3F0000-0x000000000B5B2000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2776-171-0x000000000C140000-0x000000000C66C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/2776-172-0x000000000BC10000-0x000000000BC60000-memory.dmp
    Filesize

    320KB

    Download