Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-06-2023 11:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9d277333ea29c5f072f7c9c568153bda91ff02aa10670422afadfa81f193dc81.exe

  • Size

    579KB

  • MD5

    89eada12388ed339d899c5c1a090bf89

  • SHA1

    bf2c437a60d605c492a3c7c31bf8a022728f5969

  • SHA256

    9d277333ea29c5f072f7c9c568153bda91ff02aa10670422afadfa81f193dc81

  • SHA512

    2676cda9881965dc1548b1468d2a8e99fdf3c24a070acc7ecec366b60fc3b005c15d1188cdd03bd1bbd07a6e2b5c622cdeba08324538d26b98040377ae855022

  • SSDEEP

    12288:UMrmy90za1Szd9Eb6TjDWJZlE7U90SuwT2SOxTE01291XpDBEora:KyIaEzTrTjkn9fuwTNo5181XpBa

Score
10/10
redlinedizadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19046

Attributes
  • auth_value

    0d09b419c8bc967f91c68be4a17e92ee

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9d277333ea29c5f072f7c9c568153bda91ff02aa10670422afadfa81f193dc81.exe
    "C:\Users\Admin\AppData\Local\Temp\9d277333ea29c5f072f7c9c568153bda91ff02aa10670422afadfa81f193dc81.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4280
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1090518.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1090518.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1184
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9961832.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9961832.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:636
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0948656.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0948656.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2452
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9974775.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9974775.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:408

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1090518.exe
    Filesize

    377KB

    MD5

    c85372f3319368844d5a5acefb0ff261

    SHA1

    1077ec5daf47479edd59bcfd1ff454a619bfd09c

    SHA256

    46a19a842d835d8b94b7036965c24245f9628e4dfcdc9e49fa4e575c9a5fa3ca

    SHA512

    9cb2d402621ab746de54e036a28a8db7896a72419695bdb886fe2846f0ac8cc6cb9eec165c3e13719b78c759b14028bdbafb31d34079cdec83a1878c1c90914d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1090518.exe
    Filesize

    377KB

    MD5

    c85372f3319368844d5a5acefb0ff261

    SHA1

    1077ec5daf47479edd59bcfd1ff454a619bfd09c

    SHA256

    46a19a842d835d8b94b7036965c24245f9628e4dfcdc9e49fa4e575c9a5fa3ca

    SHA512

    9cb2d402621ab746de54e036a28a8db7896a72419695bdb886fe2846f0ac8cc6cb9eec165c3e13719b78c759b14028bdbafb31d34079cdec83a1878c1c90914d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9961832.exe
    Filesize

    206KB

    MD5

    e3f2b6963c4ba10680646e107e64f0c0

    SHA1

    e9cc88bbe4e1b0173cfc4092bd9618e0cdd15113

    SHA256

    068f283178d20f913813eab0da1a62de4211c86e146f80a3c6fc87846c1c0069

    SHA512

    1eb28074b87d9d0b61f503fde118eef6e332a398969914d157a954838963d8ec4bd9a5c6ff93e5dea42411c8b9d62c2e8be0284d5f1e5144e31dcdb011589b4a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9961832.exe
    Filesize

    206KB

    MD5

    e3f2b6963c4ba10680646e107e64f0c0

    SHA1

    e9cc88bbe4e1b0173cfc4092bd9618e0cdd15113

    SHA256

    068f283178d20f913813eab0da1a62de4211c86e146f80a3c6fc87846c1c0069

    SHA512

    1eb28074b87d9d0b61f503fde118eef6e332a398969914d157a954838963d8ec4bd9a5c6ff93e5dea42411c8b9d62c2e8be0284d5f1e5144e31dcdb011589b4a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0948656.exe
    Filesize

    12KB

    MD5

    749b84703f7bd82df02b77cb5541caa3

    SHA1

    b6b0dc2d2d7088d211a25c4cc6967f5e96eec7c7

    SHA256

    24df2aebf182f714b34eb70e998f4d1f7a8d4669e228217203dca4fec0d22ed2

    SHA512

    9047272db4d41e230facc763fce068fa39a154da425dbebce141796d15013240657233f2b9a219f871192bb6c2fd68e180b61cf9134c080d1d9b3e637a91e3ab

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0948656.exe
    Filesize

    12KB

    MD5

    749b84703f7bd82df02b77cb5541caa3

    SHA1

    b6b0dc2d2d7088d211a25c4cc6967f5e96eec7c7

    SHA256

    24df2aebf182f714b34eb70e998f4d1f7a8d4669e228217203dca4fec0d22ed2

    SHA512

    9047272db4d41e230facc763fce068fa39a154da425dbebce141796d15013240657233f2b9a219f871192bb6c2fd68e180b61cf9134c080d1d9b3e637a91e3ab

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9974775.exe
    Filesize

    173KB

    MD5

    e069360a7326f6a08b0852eebfe4ae2c

    SHA1

    5e8ab3837bca237d088df9c473ff5b0cfe372878

    SHA256

    32821054258ee60d83e25cf7199613728d49acb479fb3e392a8eac9644b61e6d

    SHA512

    a4d80539bd9897202145b2e563aee4844e9b30558925b95d3fe4185fedee19a0bc8627b1fdd3d2da65f1c52920668239e16eea296f575b640f51e8c0a3f57fd3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9974775.exe
    Filesize

    173KB

    MD5

    e069360a7326f6a08b0852eebfe4ae2c

    SHA1

    5e8ab3837bca237d088df9c473ff5b0cfe372878

    SHA256

    32821054258ee60d83e25cf7199613728d49acb479fb3e392a8eac9644b61e6d

    SHA512

    a4d80539bd9897202145b2e563aee4844e9b30558925b95d3fe4185fedee19a0bc8627b1fdd3d2da65f1c52920668239e16eea296f575b640f51e8c0a3f57fd3

    Download Submit

  • memory/408-160-0x000000000ABA0000-0x000000000B1B8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/408-165-0x000000000A9D0000-0x000000000AA46000-memory.dmp

    Filesize

    472KB

    Download

  • memory/408-172-0x000000000C860000-0x000000000CD8C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/408-161-0x000000000A720000-0x000000000A82A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/408-162-0x000000000A660000-0x000000000A672000-memory.dmp

    Filesize

    72KB

    Download

  • memory/408-163-0x000000000A6C0000-0x000000000A6FC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/408-164-0x00000000050F0000-0x0000000005100000-memory.dmp

    Filesize

    64KB

    Download

  • memory/408-159-0x00000000007A0000-0x00000000007D0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/408-166-0x000000000AAF0000-0x000000000AB82000-memory.dmp

    Filesize

    584KB

    Download

  • memory/408-167-0x000000000AA50000-0x000000000AAB6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/408-168-0x000000000BBB0000-0x000000000C154000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/408-169-0x000000000B6E0000-0x000000000B730000-memory.dmp

    Filesize

    320KB

    Download

  • memory/408-170-0x00000000050F0000-0x0000000005100000-memory.dmp

    Filesize

    64KB

    Download

  • memory/408-171-0x000000000C160000-0x000000000C322000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2452-154-0x0000000000580000-0x000000000058A000-memory.dmp

    Filesize

    40KB

    Download