Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-06-2023 11:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f4da76ffebcab21de638b15536ac6385a0d91ac0a95042cff7bc3defd8aed66b.exe

  • Size

    729KB

  • MD5

    c2c64a4c37bc7924410cccfc059eb36a

  • SHA1

    ccca10d0ec6ebf9adec01ca7ebaec2fe78136dd6

  • SHA256

    f4da76ffebcab21de638b15536ac6385a0d91ac0a95042cff7bc3defd8aed66b

  • SHA512

    529e39258e8e7d87a657ad0a41968a318c1a7cc455558129b12c720fe30ac95130989177085fc16c73f5da0fda7b1b76940596a5e3f117a67c015ff84dd5e4d6

  • SSDEEP

    12288:ZMrwy90PA5ZKqUfbSX8A8S4ZhL8AmmOblw+01aaW2i9mr7tUO:5yIZqmbuwHCFYaaW297tUO

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f4da76ffebcab21de638b15536ac6385a0d91ac0a95042cff7bc3defd8aed66b.exe
    "C:\Users\Admin\AppData\Local\Temp\f4da76ffebcab21de638b15536ac6385a0d91ac0a95042cff7bc3defd8aed66b.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:984
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2651822.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2651822.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3224
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9201808.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9201808.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:532
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7342066.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7342066.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1204
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6620030.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6620030.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2116
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3954608.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3954608.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:4356
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3820
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1468187.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1468187.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2651822.exe
    Filesize

    526KB

    MD5

    3d5574a82cad8523a8c3e6633ac1d2ac

    SHA1

    1eb0985aa2dbda9db214056426efdb19acce66d7

    SHA256

    4f425720aabc967e81afb5e6e1c14e50387ecb1908027c5860b82fc76d22aa65

    SHA512

    c4bb635c10ba72a8f4bc125b4b7e1e44d0fe97069701a0074e16494090603e47a4526aad14af76234c028b653e73f59fc658630418e737fca5e19c59490c1785

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2651822.exe
    Filesize

    526KB

    MD5

    3d5574a82cad8523a8c3e6633ac1d2ac

    SHA1

    1eb0985aa2dbda9db214056426efdb19acce66d7

    SHA256

    4f425720aabc967e81afb5e6e1c14e50387ecb1908027c5860b82fc76d22aa65

    SHA512

    c4bb635c10ba72a8f4bc125b4b7e1e44d0fe97069701a0074e16494090603e47a4526aad14af76234c028b653e73f59fc658630418e737fca5e19c59490c1785

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9201808.exe
    Filesize

    354KB

    MD5

    0bde5951f456b099ddf8b1dab968ab28

    SHA1

    71fb9a04e0c45a8b6dc3e507ea35f6b37b6ef948

    SHA256

    75b63473625208367ce89c1a052e721a041785b1ab7e295bc6e57306b10d2331

    SHA512

    027463cc49eee2a908b6fdeb72570d275cce0a8f3fdcc9b348381626da4b73e6687de4d55a6b692f57d78b381a403b353843aed61c489723b6153d0b3923f86f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9201808.exe
    Filesize

    354KB

    MD5

    0bde5951f456b099ddf8b1dab968ab28

    SHA1

    71fb9a04e0c45a8b6dc3e507ea35f6b37b6ef948

    SHA256

    75b63473625208367ce89c1a052e721a041785b1ab7e295bc6e57306b10d2331

    SHA512

    027463cc49eee2a908b6fdeb72570d275cce0a8f3fdcc9b348381626da4b73e6687de4d55a6b692f57d78b381a403b353843aed61c489723b6153d0b3923f86f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1468187.exe
    Filesize

    172KB

    MD5

    0001e7c760035782754bc24ed50d27b0

    SHA1

    5d14a1ef9ed0bb85f6ddca3576b744bc61db49dd

    SHA256

    3e3a27fc77ef26a1f44110bae008ca4c72e0da95254b0cd213e52c64cd1ebc9e

    SHA512

    8b84c25daab703af7a2825f7dad0e9c485cf9424d02613ecf0b692847b601514410818923d52cc678d39edef5b85884d19e09e804af36e66e86eecde96889199

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1468187.exe
    Filesize

    172KB

    MD5

    0001e7c760035782754bc24ed50d27b0

    SHA1

    5d14a1ef9ed0bb85f6ddca3576b744bc61db49dd

    SHA256

    3e3a27fc77ef26a1f44110bae008ca4c72e0da95254b0cd213e52c64cd1ebc9e

    SHA512

    8b84c25daab703af7a2825f7dad0e9c485cf9424d02613ecf0b692847b601514410818923d52cc678d39edef5b85884d19e09e804af36e66e86eecde96889199

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7342066.exe
    Filesize

    199KB

    MD5

    c77b5c83b6aee5aaa7f40fbce8889fdc

    SHA1

    e0449d45ef34edb7c734cf05ad67bc42d061ad27

    SHA256

    37d2c58971e73683b2e0afa0608bbef5432596835a857ac71020bcd1dc31afae

    SHA512

    e5c18e50c5c928f100861aee28905a3e082af629b24efd85df04a2cc17cb4553afdf645783a82824f597a3d8cfe9468cc1cdfd01960044d3107a7a06e2b0cb8e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7342066.exe
    Filesize

    199KB

    MD5

    c77b5c83b6aee5aaa7f40fbce8889fdc

    SHA1

    e0449d45ef34edb7c734cf05ad67bc42d061ad27

    SHA256

    37d2c58971e73683b2e0afa0608bbef5432596835a857ac71020bcd1dc31afae

    SHA512

    e5c18e50c5c928f100861aee28905a3e082af629b24efd85df04a2cc17cb4553afdf645783a82824f597a3d8cfe9468cc1cdfd01960044d3107a7a06e2b0cb8e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6620030.exe
    Filesize

    12KB

    MD5

    69ae814bd0f2f5c008c8c2e086c3e81c

    SHA1

    31a5ca19b25094ed72b287f709e75de8e2d984ea

    SHA256

    254045ce880196020992a144f5f638c2b3367e0def65a90b771db13e37135ed8

    SHA512

    d4253e3520c019b25a0bde87f1aa3af6205e1f63182dc89cf767847a7c8131d2382a907bc8da8c531450348ea0535cbd9ac37f89cd37cd61f6462c83f77459e3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6620030.exe
    Filesize

    12KB

    MD5

    69ae814bd0f2f5c008c8c2e086c3e81c

    SHA1

    31a5ca19b25094ed72b287f709e75de8e2d984ea

    SHA256

    254045ce880196020992a144f5f638c2b3367e0def65a90b771db13e37135ed8

    SHA512

    d4253e3520c019b25a0bde87f1aa3af6205e1f63182dc89cf767847a7c8131d2382a907bc8da8c531450348ea0535cbd9ac37f89cd37cd61f6462c83f77459e3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3954608.exe
    Filesize

    106KB

    MD5

    af544166b40a60556ddaef09b0454750

    SHA1

    e764dbaf795614fd6aed6ca652c0bc8b45b9f6a7

    SHA256

    cb87ca5f4e521cf3a21a83e7a9a81cb67eb57f1f93e1bd67528b42725222aad2

    SHA512

    bb09037f7b796127e2df1841d7062b83627226558c806646df1e7239d4fef3567f2c1d548648c4cf257ebf855a4eb8d3b7e565de0e56b92185608754d9ce2618

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3954608.exe
    Filesize

    106KB

    MD5

    af544166b40a60556ddaef09b0454750

    SHA1

    e764dbaf795614fd6aed6ca652c0bc8b45b9f6a7

    SHA256

    cb87ca5f4e521cf3a21a83e7a9a81cb67eb57f1f93e1bd67528b42725222aad2

    SHA512

    bb09037f7b796127e2df1841d7062b83627226558c806646df1e7239d4fef3567f2c1d548648c4cf257ebf855a4eb8d3b7e565de0e56b92185608754d9ce2618

    Download Submit
  • memory/1832-174-0x0000000000CD0000-0x0000000000D00000-memory.dmp
    Filesize

    192KB

    Download
  • memory/1832-179-0x000000000ABF0000-0x000000000AC2C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1832-188-0x000000000BC20000-0x000000000BC70000-memory.dmp
    Filesize

    320KB

    Download
  • memory/1832-175-0x000000000B120000-0x000000000B738000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/1832-176-0x000000000AC50000-0x000000000AD5A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/1832-177-0x000000000AB90000-0x000000000ABA2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1832-178-0x0000000005670000-0x0000000005680000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1832-187-0x000000000C9D0000-0x000000000CEFC000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/1832-181-0x0000000005670000-0x0000000005680000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1832-182-0x0000000002CD0000-0x0000000002D46000-memory.dmp
    Filesize

    472KB

    Download
  • memory/1832-183-0x000000000B070000-0x000000000B102000-memory.dmp
    Filesize

    584KB

    Download
  • memory/1832-184-0x0000000002D50000-0x0000000002DB6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1832-185-0x000000000BEF0000-0x000000000C494000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/1832-186-0x000000000BC70000-0x000000000BE32000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2116-161-0x0000000000030000-0x000000000003A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3820-166-0x0000000000780000-0x000000000078A000-memory.dmp
    Filesize

    40KB

    Download