Overview

overview

10

Static

static

3

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    05-06-2023 11:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a810aca18e981e329fd28af2fc126ec9f01bb19d09efe47f5b84005c5357b65f.exe

  • Size

    729KB

  • MD5

    6455bda83a3b4aef68a6ac3602e36dc7

  • SHA1

    31379ba51f93ade2ebdc1f058731a327aaca3266

  • SHA256

    a810aca18e981e329fd28af2fc126ec9f01bb19d09efe47f5b84005c5357b65f

  • SHA512

    8ce571ee49a55846e0ce8e93c41959fcd7a4f5d000e039c1c80185014f6ebd86e804973cfd9b88e09edb043c50ce8f538fd8f738da25e54874c0e1b14d51fb26

  • SSDEEP

    12288:4MrMy90vbCjfSluomHWq9MJDE/RKT20LnEZNCEc0d5oUJaLABx9parz53Fxd:kyFzkJDEwa0Loc0diUgEg3d

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a810aca18e981e329fd28af2fc126ec9f01bb19d09efe47f5b84005c5357b65f.exe
    "C:\Users\Admin\AppData\Local\Temp\a810aca18e981e329fd28af2fc126ec9f01bb19d09efe47f5b84005c5357b65f.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2052
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3009449.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3009449.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2268
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1439706.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1439706.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2492
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2012102.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2012102.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2856
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2831742.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2831742.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4980
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9890641.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9890641.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:4432
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4004
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1852209.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1852209.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3009449.exe
    Filesize

    526KB

    MD5

    ed9903a3f517be8ac57c72424be7ff14

    SHA1

    75c11ff563efc0878f697bd8e5f06144e0b8912d

    SHA256

    925cd6902ba2b172aeaf14df9b9cafa2e93b044ed6754c1ea023fd8c684295c1

    SHA512

    d988e885b9833b403beaadec529ff8c595f8d448c82e1dfbe9799ba15bb4469ecabf3a8a30604ccf4f9f7e33cc5052e1ac6dbee5e841360a9b8560ee8ede1052

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3009449.exe
    Filesize

    526KB

    MD5

    ed9903a3f517be8ac57c72424be7ff14

    SHA1

    75c11ff563efc0878f697bd8e5f06144e0b8912d

    SHA256

    925cd6902ba2b172aeaf14df9b9cafa2e93b044ed6754c1ea023fd8c684295c1

    SHA512

    d988e885b9833b403beaadec529ff8c595f8d448c82e1dfbe9799ba15bb4469ecabf3a8a30604ccf4f9f7e33cc5052e1ac6dbee5e841360a9b8560ee8ede1052

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1439706.exe
    Filesize

    354KB

    MD5

    cd5cfa068db5e2420d5610d4286ebbdb

    SHA1

    635c9ce0ac7e4f22747d234e9d9d91abbcd56ef6

    SHA256

    ef95f13d33c127aa3872375c5b53d6dda25acf08ccfd42b7618dd18e63f5d49b

    SHA512

    b646a70f1d9e12fadf761bafd34d7f2a31da5ae027c98bea558bda153a9510a4b6c1e4bc19a8172659eafef016f8fda0a9c3895c087b09f3607ce46fe8c172fb

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1439706.exe
    Filesize

    354KB

    MD5

    cd5cfa068db5e2420d5610d4286ebbdb

    SHA1

    635c9ce0ac7e4f22747d234e9d9d91abbcd56ef6

    SHA256

    ef95f13d33c127aa3872375c5b53d6dda25acf08ccfd42b7618dd18e63f5d49b

    SHA512

    b646a70f1d9e12fadf761bafd34d7f2a31da5ae027c98bea558bda153a9510a4b6c1e4bc19a8172659eafef016f8fda0a9c3895c087b09f3607ce46fe8c172fb

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1852209.exe
    Filesize

    172KB

    MD5

    31cc2ea764118fe5a9746348e90aa834

    SHA1

    7b9f18501972a389700c12c739278995fb1ef358

    SHA256

    ad082bfec927e22940fd829e26932a68bf9a43d9992636e1e214184ceb02b240

    SHA512

    837aeb13de78f5ab175279cdf387ce28437d50bb53cb3506502b7271ab672f45fdf678a2786f5e3d72f7fa34e6ff19dd3491bfbf4a67c7f22e1449efff78708d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1852209.exe
    Filesize

    172KB

    MD5

    31cc2ea764118fe5a9746348e90aa834

    SHA1

    7b9f18501972a389700c12c739278995fb1ef358

    SHA256

    ad082bfec927e22940fd829e26932a68bf9a43d9992636e1e214184ceb02b240

    SHA512

    837aeb13de78f5ab175279cdf387ce28437d50bb53cb3506502b7271ab672f45fdf678a2786f5e3d72f7fa34e6ff19dd3491bfbf4a67c7f22e1449efff78708d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2012102.exe
    Filesize

    199KB

    MD5

    71963f20a67fba5b0242207934a1adbe

    SHA1

    e19515c675c268203223eb87a5352256f9dc44b5

    SHA256

    ef19b7355b5e16fa21cc863d7315843e8b9d4a7720abac6f552c3d52b6728028

    SHA512

    d0176f97b154dbfcc1c10c0383b1daeba7aac9dbe937731f91eb2ca6623bcc453630bfb19b7a06bfe087debc4adf19c98f9e58f6a7630bd6e247d3896effc827

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2012102.exe
    Filesize

    199KB

    MD5

    71963f20a67fba5b0242207934a1adbe

    SHA1

    e19515c675c268203223eb87a5352256f9dc44b5

    SHA256

    ef19b7355b5e16fa21cc863d7315843e8b9d4a7720abac6f552c3d52b6728028

    SHA512

    d0176f97b154dbfcc1c10c0383b1daeba7aac9dbe937731f91eb2ca6623bcc453630bfb19b7a06bfe087debc4adf19c98f9e58f6a7630bd6e247d3896effc827

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2831742.exe
    Filesize

    12KB

    MD5

    cef9fab97c2e92cdc6b8a78378e5eb3c

    SHA1

    7f4fe229983a3b9e327ab9e9a90ad2133a1f6615

    SHA256

    f9a4615c6157366d520ab9fa5496851902e18ed444e5b32c32a03fb38e04a364

    SHA512

    d1f8c2284e6cd9b749ba2716f08cce1d80698663d1c1241d798266eb802c8c69028a68f403fe80993ab15567e53e770760e2d41a5056ab49297482f2fef7f49f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2831742.exe
    Filesize

    12KB

    MD5

    cef9fab97c2e92cdc6b8a78378e5eb3c

    SHA1

    7f4fe229983a3b9e327ab9e9a90ad2133a1f6615

    SHA256

    f9a4615c6157366d520ab9fa5496851902e18ed444e5b32c32a03fb38e04a364

    SHA512

    d1f8c2284e6cd9b749ba2716f08cce1d80698663d1c1241d798266eb802c8c69028a68f403fe80993ab15567e53e770760e2d41a5056ab49297482f2fef7f49f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9890641.exe
    Filesize

    105KB

    MD5

    0f52360bd0ac17b2dd8797e423df9552

    SHA1

    f59e4443575d3011515555088e4dacbc6a9517b7

    SHA256

    fbe71279bf491c771247ee3f401d44b4ff21d1e9b276192a4349c408116bae11

    SHA512

    1f1a38bc3a1f7dd741a1a91e4d8f794064e60262cb1dd23f83a1885f907cb29fe7cf1c61b125ad5210d6094538574cf0101ca2bd45c15adee9d4079545e84c32

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9890641.exe
    Filesize

    105KB

    MD5

    0f52360bd0ac17b2dd8797e423df9552

    SHA1

    f59e4443575d3011515555088e4dacbc6a9517b7

    SHA256

    fbe71279bf491c771247ee3f401d44b4ff21d1e9b276192a4349c408116bae11

    SHA512

    1f1a38bc3a1f7dd741a1a91e4d8f794064e60262cb1dd23f83a1885f907cb29fe7cf1c61b125ad5210d6094538574cf0101ca2bd45c15adee9d4079545e84c32

    Download Submit
  • memory/1652-165-0x00000000001B0000-0x00000000001E0000-memory.dmp
    Filesize

    192KB

    Download
  • memory/1652-176-0x0000000004A00000-0x0000000004A10000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1652-202-0x00000000083C0000-0x00000000088EC000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/1652-166-0x00000000023C0000-0x00000000023C6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/1652-167-0x0000000005220000-0x0000000005826000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/1652-168-0x0000000004D20000-0x0000000004E2A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/1652-169-0x0000000004C10000-0x0000000004C22000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1652-170-0x0000000004C30000-0x0000000004C6E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1652-175-0x0000000004C70000-0x0000000004CBB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/1652-201-0x0000000006640000-0x0000000006802000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1652-181-0x0000000004F80000-0x0000000004FF6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/1652-182-0x00000000050A0000-0x0000000005132000-memory.dmp
    Filesize

    584KB

    Download
  • memory/1652-183-0x0000000006140000-0x000000000663E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1652-184-0x0000000005140000-0x00000000051A6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1652-199-0x0000000005A80000-0x0000000005AD0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/1652-200-0x0000000004A00000-0x0000000004A10000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4004-154-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4980-149-0x0000000000F30000-0x0000000000F3A000-memory.dmp
    Filesize

    40KB

    Download