Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/06/2023, 09:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b892cd5c413c4a4eea7ba7e916524627e14255ef2da789001a9a5a835bd97218.exe

  • Size

    580KB

  • MD5

    d9cc4773aa8ca82d0e4b0759e2a63ad9

  • SHA1

    353fc6ddbc18540d62abb6b9e419f07c3643dd05

  • SHA256

    b892cd5c413c4a4eea7ba7e916524627e14255ef2da789001a9a5a835bd97218

  • SHA512

    fb59079c4adf181d3b13c22d72731d345014c5a94a75afd68a243db44f1d8ef4fa15a743287fd994b372aba8af9bbc8baccce7570bc3781394bd262fb54e396a

  • SSDEEP

    12288:JMrcy90+LWK3mHC/l6X7v4nTDbp64I6qzSgYFOpLt:1yYNaGvcT04xqzOFOT

Score
10/10
redlinedizadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19046

Attributes
  • auth_value

    0d09b419c8bc967f91c68be4a17e92ee

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b892cd5c413c4a4eea7ba7e916524627e14255ef2da789001a9a5a835bd97218.exe
    "C:\Users\Admin\AppData\Local\Temp\b892cd5c413c4a4eea7ba7e916524627e14255ef2da789001a9a5a835bd97218.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4220
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4835186.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4835186.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4600
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2363710.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2363710.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3920
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0139678.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0139678.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:996
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4390254.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4390254.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5108

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4835186.exe
    Filesize

    377KB

    MD5

    c9f830d7dbbc7f78ed1d7f977467c64b

    SHA1

    2ebc796ed24dff2132c0d5d1e3d595e1c456d3da

    SHA256

    1849ff178121099777a52b308452526a31f828666621f83e4c5c7838fd1b744d

    SHA512

    17a2a6406b316896f7922804f8a017660bd7655304e1df0f58c227eb69d0b8a2f215aad2d036ecbff131ffff82c1b216fb9a6e8c3dfa92e6f294ba080644b32a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4835186.exe
    Filesize

    377KB

    MD5

    c9f830d7dbbc7f78ed1d7f977467c64b

    SHA1

    2ebc796ed24dff2132c0d5d1e3d595e1c456d3da

    SHA256

    1849ff178121099777a52b308452526a31f828666621f83e4c5c7838fd1b744d

    SHA512

    17a2a6406b316896f7922804f8a017660bd7655304e1df0f58c227eb69d0b8a2f215aad2d036ecbff131ffff82c1b216fb9a6e8c3dfa92e6f294ba080644b32a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2363710.exe
    Filesize

    206KB

    MD5

    d6ff90291f748b4185849f11f7c650d3

    SHA1

    fe0ddc50c9cbd324c93478bb7e8c13c890918786

    SHA256

    df5fd04e2c144caab34ee53fbff0fbd376cbdde0c1bd6c6b9fd703e7119dcca2

    SHA512

    ea05de0c8355f3519f7f1676434ff27bb2ebb3f45ca8eab80962037671c1722bee208a4d3f6a5f38f10760ee199b03bf95a5882ac3ef26ca6eb26c67b274e597

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2363710.exe
    Filesize

    206KB

    MD5

    d6ff90291f748b4185849f11f7c650d3

    SHA1

    fe0ddc50c9cbd324c93478bb7e8c13c890918786

    SHA256

    df5fd04e2c144caab34ee53fbff0fbd376cbdde0c1bd6c6b9fd703e7119dcca2

    SHA512

    ea05de0c8355f3519f7f1676434ff27bb2ebb3f45ca8eab80962037671c1722bee208a4d3f6a5f38f10760ee199b03bf95a5882ac3ef26ca6eb26c67b274e597

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0139678.exe
    Filesize

    12KB

    MD5

    b77baf2824ce0be9990b03a6b8978625

    SHA1

    65c4b2b42fd0c59bf3aca2648b2290753893a394

    SHA256

    31adf715be19e8fac757c7c74c6b866ee205c0744728ec2b803dc73238839344

    SHA512

    fef6e8f48daa5efa40b8842818c41edb9730da089dc65d5635cffa309860a7f88eb8b7a7697e3424c40c873a7d6f0f755425756562e5f6c288305d497b336f34

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0139678.exe
    Filesize

    12KB

    MD5

    b77baf2824ce0be9990b03a6b8978625

    SHA1

    65c4b2b42fd0c59bf3aca2648b2290753893a394

    SHA256

    31adf715be19e8fac757c7c74c6b866ee205c0744728ec2b803dc73238839344

    SHA512

    fef6e8f48daa5efa40b8842818c41edb9730da089dc65d5635cffa309860a7f88eb8b7a7697e3424c40c873a7d6f0f755425756562e5f6c288305d497b336f34

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4390254.exe
    Filesize

    173KB

    MD5

    d6cffdac2fd01390cf5c55c3cdf27ae2

    SHA1

    e2bbed931d7339eadd8d4828d82a1737b40b947f

    SHA256

    6b7920622f7eb225354be4f1e99ce769d63d8ada1b413847b3f29509e400bcaf

    SHA512

    dae78b6c992e6af904b38f3b42a4a90e8e5850bd5ab66595ee50bc3b144ed417e0e5cf81d39d99952274023512ae411c7c7124ff0897d175563827f4f16cbe8c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4390254.exe
    Filesize

    173KB

    MD5

    d6cffdac2fd01390cf5c55c3cdf27ae2

    SHA1

    e2bbed931d7339eadd8d4828d82a1737b40b947f

    SHA256

    6b7920622f7eb225354be4f1e99ce769d63d8ada1b413847b3f29509e400bcaf

    SHA512

    dae78b6c992e6af904b38f3b42a4a90e8e5850bd5ab66595ee50bc3b144ed417e0e5cf81d39d99952274023512ae411c7c7124ff0897d175563827f4f16cbe8c

    Download Submit

  • memory/996-154-0x00000000001C0000-0x00000000001CA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5108-160-0x000000000ADD0000-0x000000000B3E8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/5108-166-0x000000000B490000-0x000000000B522000-memory.dmp

    Filesize

    584KB

    Download

  • memory/5108-161-0x000000000A930000-0x000000000AA3A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/5108-162-0x000000000A870000-0x000000000A882000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5108-163-0x000000000A8D0000-0x000000000A90C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/5108-164-0x00000000052E0000-0x00000000052F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5108-165-0x000000000ACE0000-0x000000000AD56000-memory.dmp

    Filesize

    472KB

    Download

  • memory/5108-159-0x00000000009B0000-0x00000000009E0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/5108-167-0x000000000AD60000-0x000000000ADC6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/5108-168-0x000000000BDE0000-0x000000000C384000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/5108-169-0x00000000052E0000-0x00000000052F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5108-170-0x000000000BAA0000-0x000000000BC62000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/5108-171-0x000000000C8C0000-0x000000000CDEC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/5108-172-0x000000000BA30000-0x000000000BA80000-memory.dmp

    Filesize

    320KB

    Download