Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-06-2023 12:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f7f106d576eb1f2e5d7dca4dee8dc4db077900e1607759c932f683f3b6dad99d.exe

  • Size

    580KB

  • MD5

    999de73cc0d142a823b0e3f9e98b8d00

  • SHA1

    2e6cbabec2e7cbf4cae3653b27a955b04a4e9135

  • SHA256

    f7f106d576eb1f2e5d7dca4dee8dc4db077900e1607759c932f683f3b6dad99d

  • SHA512

    101183dff5b0a07e6261c1f35013cacf866b4302510c3b9d443208e25f352cf365a233c9bcfcec0f85133730f476c556398ca70c1a5946d2d6e68a090c290a2c

  • SSDEEP

    12288:ZMrDy90bhEvTpZY6Lz5MFiv/ZRqJwl6DeaIvg:+ySEvTbYWeW//AveaYg

Score
10/10
redlinedizadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19046

Attributes
  • auth_value

    0d09b419c8bc967f91c68be4a17e92ee

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f7f106d576eb1f2e5d7dca4dee8dc4db077900e1607759c932f683f3b6dad99d.exe
    "C:\Users\Admin\AppData\Local\Temp\f7f106d576eb1f2e5d7dca4dee8dc4db077900e1607759c932f683f3b6dad99d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1780522.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1780522.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4745895.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4745895.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4348
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4960388.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4960388.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1776
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7699799.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7699799.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:312

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1780522.exe
    Filesize

    377KB

    MD5

    434e5ae345e0ed6a6b8e16402e4d99a7

    SHA1

    df2bc968fcab71fa157c58ca99d6172cebcf1cd5

    SHA256

    68868718aad605d9d6bfe7a36cabf82c788cc58d2a69c80893c5cec70c598cb8

    SHA512

    2cd58bfe5aa540e6713cd2fdad09cf6c186df02fe5ca2052f8cb8bd093867d4bbaa03cb7a6c18bdd89df0176f00405b645d12b1c55d9d1a6b301a77d8f57fbda

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1780522.exe
    Filesize

    377KB

    MD5

    434e5ae345e0ed6a6b8e16402e4d99a7

    SHA1

    df2bc968fcab71fa157c58ca99d6172cebcf1cd5

    SHA256

    68868718aad605d9d6bfe7a36cabf82c788cc58d2a69c80893c5cec70c598cb8

    SHA512

    2cd58bfe5aa540e6713cd2fdad09cf6c186df02fe5ca2052f8cb8bd093867d4bbaa03cb7a6c18bdd89df0176f00405b645d12b1c55d9d1a6b301a77d8f57fbda

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4745895.exe
    Filesize

    206KB

    MD5

    0b54f990091f9c7fb7df0f777e418b9a

    SHA1

    6d34b9ac4f8687bf38a6fb9256dc35f53332f65b

    SHA256

    8581595b143dd0a73b0776225a7d9da838872069fe8eadcc0727f9f7a8660068

    SHA512

    e3f6ab9447cf822bb57dc3450f682b26a2db38c0ba824a8a229c4cdd742dacc5c501f66d5dfbf064971f27321135d28c2251e6908a57f4157379b11f71fa5ae6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4745895.exe
    Filesize

    206KB

    MD5

    0b54f990091f9c7fb7df0f777e418b9a

    SHA1

    6d34b9ac4f8687bf38a6fb9256dc35f53332f65b

    SHA256

    8581595b143dd0a73b0776225a7d9da838872069fe8eadcc0727f9f7a8660068

    SHA512

    e3f6ab9447cf822bb57dc3450f682b26a2db38c0ba824a8a229c4cdd742dacc5c501f66d5dfbf064971f27321135d28c2251e6908a57f4157379b11f71fa5ae6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4960388.exe
    Filesize

    12KB

    MD5

    b962ecd162a2a4f4a05f7326cb52be3a

    SHA1

    04d204c0931ed409fd3ca00c35d5f818eb0b51be

    SHA256

    3f8d8a68d195ab8d96746dc4807dadc7e36a9c37a2156d89a2068d71039f4f10

    SHA512

    9cff29962e3b043bb1875716b474aabb82f7bd89f3d22f69dd1f4782406f536d1a483bc10e443d5489e239e1d7479ca2291f44d978910bd6bf8fdf301438b69e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4960388.exe
    Filesize

    12KB

    MD5

    b962ecd162a2a4f4a05f7326cb52be3a

    SHA1

    04d204c0931ed409fd3ca00c35d5f818eb0b51be

    SHA256

    3f8d8a68d195ab8d96746dc4807dadc7e36a9c37a2156d89a2068d71039f4f10

    SHA512

    9cff29962e3b043bb1875716b474aabb82f7bd89f3d22f69dd1f4782406f536d1a483bc10e443d5489e239e1d7479ca2291f44d978910bd6bf8fdf301438b69e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7699799.exe
    Filesize

    173KB

    MD5

    426b125f8509750ea6172dc063cefa9d

    SHA1

    8a17d4e6593b872ee7683239176bd8a43f41187f

    SHA256

    20f5f36b802647d86a2318bde4e1e5b8d50e088ef4bf180b35cfa51b076e3cbf

    SHA512

    db90f8d20d94c435793a4bb26595ba1dc2d010ade11429c4845d0bc3e5e7d2d492b1318cab5cf32393d1d2ded2963859870705f4981fd99104e536f7aa59e72b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7699799.exe
    Filesize

    173KB

    MD5

    426b125f8509750ea6172dc063cefa9d

    SHA1

    8a17d4e6593b872ee7683239176bd8a43f41187f

    SHA256

    20f5f36b802647d86a2318bde4e1e5b8d50e088ef4bf180b35cfa51b076e3cbf

    SHA512

    db90f8d20d94c435793a4bb26595ba1dc2d010ade11429c4845d0bc3e5e7d2d492b1318cab5cf32393d1d2ded2963859870705f4981fd99104e536f7aa59e72b

    Download Submit

  • memory/312-160-0x000000000AAD0000-0x000000000B0E8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/312-165-0x000000000AA00000-0x000000000AA76000-memory.dmp

    Filesize

    472KB

    Download

  • memory/312-172-0x000000000C660000-0x000000000CB8C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/312-161-0x000000000A650000-0x000000000A75A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/312-162-0x000000000A590000-0x000000000A5A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/312-163-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/312-164-0x000000000A5F0000-0x000000000A62C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/312-159-0x00000000006D0000-0x0000000000700000-memory.dmp

    Filesize

    192KB

    Download

  • memory/312-166-0x000000000B190000-0x000000000B222000-memory.dmp

    Filesize

    584KB

    Download

  • memory/312-167-0x000000000B7E0000-0x000000000BD84000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/312-168-0x000000000B230000-0x000000000B296000-memory.dmp

    Filesize

    408KB

    Download

  • memory/312-169-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/312-170-0x000000000B750000-0x000000000B7A0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/312-171-0x000000000BF60000-0x000000000C122000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1776-154-0x0000000000AF0000-0x0000000000AFA000-memory.dmp

    Filesize

    40KB

    Download