Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-06-2023 12:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    730deace6c358e0e0e43b75606e3d772210dca4e47acbfa1ceea8cb5b5de1946.exe

  • Size

    729KB

  • MD5

    86bb3505649066771ed53e7b2aeab144

  • SHA1

    3a2f69d5bc9e51883d4c64ab8012fe59fa08d9ce

  • SHA256

    730deace6c358e0e0e43b75606e3d772210dca4e47acbfa1ceea8cb5b5de1946

  • SHA512

    447908dfbce1dbe0e597256bac9e48bcf329df4d6204c058fc23a699a01db35fe395668f1e70c66b031348b214de8abab061d04a9d9b1002f772a8ee4bfd115f

  • SSDEEP

    12288:mMrey90gro3fSKjknwEV0N+CtAaciYHgd5MCSUSPM/Ifz0X2K4clT8uePMvcgn:0yt9KInw80N+OYg5MCS9rfzw2M8ueGc6

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\730deace6c358e0e0e43b75606e3d772210dca4e47acbfa1ceea8cb5b5de1946.exe
    "C:\Users\Admin\AppData\Local\Temp\730deace6c358e0e0e43b75606e3d772210dca4e47acbfa1ceea8cb5b5de1946.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2136
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6865896.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6865896.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:480
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3468142.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3468142.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:388
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5386932.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5386932.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4380
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0567789.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0567789.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3844
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7248004.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7248004.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1116
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2192
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5503559.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5503559.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Disabling Security Tools

2
T1089

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6865896.exe
    Filesize

    527KB

    MD5

    0b7c7e20e14717827a28693ef98fcdd3

    SHA1

    ba3ae3da118309207ea9565d6ded74d67d6d1a7c

    SHA256

    4235203c6bf5d2975ff43db9148918ed2942d7d90e928f32cee45b056791813e

    SHA512

    ced0fa45ca9f90bdd3479b90dcbb3ce4ab00dd6100897df4561cf4384e1be56b3773c088acbee1a3a0498d1c319c31534fa8f59ecc7442d523145502dc4b2df3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6865896.exe
    Filesize

    527KB

    MD5

    0b7c7e20e14717827a28693ef98fcdd3

    SHA1

    ba3ae3da118309207ea9565d6ded74d67d6d1a7c

    SHA256

    4235203c6bf5d2975ff43db9148918ed2942d7d90e928f32cee45b056791813e

    SHA512

    ced0fa45ca9f90bdd3479b90dcbb3ce4ab00dd6100897df4561cf4384e1be56b3773c088acbee1a3a0498d1c319c31534fa8f59ecc7442d523145502dc4b2df3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3468142.exe
    Filesize

    354KB

    MD5

    7e5dc1df37c5b8002e879b22949317bc

    SHA1

    9f3e6e3fdff797482de1a1e0634f8d490a7836f0

    SHA256

    d3fcaf1640bd2d20432996bd81dabb074c3eee0dfb610a0b2baaa5bef3932ff3

    SHA512

    b37e4b68cbf3d611052bbf4e15a89b4740ca956093fdc67a11f467cba8c9a1f905b852282bcb47400e28006b2d2134432adecc903767bab6b16af3ffe1bc93c1

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3468142.exe
    Filesize

    354KB

    MD5

    7e5dc1df37c5b8002e879b22949317bc

    SHA1

    9f3e6e3fdff797482de1a1e0634f8d490a7836f0

    SHA256

    d3fcaf1640bd2d20432996bd81dabb074c3eee0dfb610a0b2baaa5bef3932ff3

    SHA512

    b37e4b68cbf3d611052bbf4e15a89b4740ca956093fdc67a11f467cba8c9a1f905b852282bcb47400e28006b2d2134432adecc903767bab6b16af3ffe1bc93c1

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5503559.exe
    Filesize

    172KB

    MD5

    b420d5517557953b005ae004bbfb0667

    SHA1

    a4b2be72984616cef18c70db040270745cd11de3

    SHA256

    453aed1544e8978dd69dec0dae846dea186694e323f0a92a1319463204a22d05

    SHA512

    816b06d933a7060ab62b38b1a1b8ef37ef56fb8ec2788520a2a73e2dcf017a55233fc09994c447d2170469a3973ce9cb2c0fb88a884dc33244eee359a6cdf43c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5503559.exe
    Filesize

    172KB

    MD5

    b420d5517557953b005ae004bbfb0667

    SHA1

    a4b2be72984616cef18c70db040270745cd11de3

    SHA256

    453aed1544e8978dd69dec0dae846dea186694e323f0a92a1319463204a22d05

    SHA512

    816b06d933a7060ab62b38b1a1b8ef37ef56fb8ec2788520a2a73e2dcf017a55233fc09994c447d2170469a3973ce9cb2c0fb88a884dc33244eee359a6cdf43c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5386932.exe
    Filesize

    199KB

    MD5

    2cf159b30eb623562f3090db4d285e02

    SHA1

    3202b369053ab7ee62c803ddb7f88e308e7ccbca

    SHA256

    ee38e57c5c66d9c7ff26f428dac5f853931a305f77f3f401675ba678e707f260

    SHA512

    d930052eb70c3965b4ff76f4d583261ab044d6fce48466dcac103a243b4a8183d4132909f62899322d4e50fc2f599d17eea97ef81d290255d83838c79a1e9985

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5386932.exe
    Filesize

    199KB

    MD5

    2cf159b30eb623562f3090db4d285e02

    SHA1

    3202b369053ab7ee62c803ddb7f88e308e7ccbca

    SHA256

    ee38e57c5c66d9c7ff26f428dac5f853931a305f77f3f401675ba678e707f260

    SHA512

    d930052eb70c3965b4ff76f4d583261ab044d6fce48466dcac103a243b4a8183d4132909f62899322d4e50fc2f599d17eea97ef81d290255d83838c79a1e9985

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0567789.exe
    Filesize

    12KB

    MD5

    19e3cba4e8394ec1323ea75c1885196d

    SHA1

    70aa11a9bae7e98bd3bf307f1740db82198b37e1

    SHA256

    827591820bde91adb28413b9115dd7b8199722bf9eb0e77bfdc12ab816a7bfe7

    SHA512

    5ef7537af015c795b82b9438187d743ab8510dd29bc98afb9b96154e372733386babf49e0b55e99a10fb2b49b280324b6596fa185c82f2a812b846b4b30e3c52

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0567789.exe
    Filesize

    12KB

    MD5

    19e3cba4e8394ec1323ea75c1885196d

    SHA1

    70aa11a9bae7e98bd3bf307f1740db82198b37e1

    SHA256

    827591820bde91adb28413b9115dd7b8199722bf9eb0e77bfdc12ab816a7bfe7

    SHA512

    5ef7537af015c795b82b9438187d743ab8510dd29bc98afb9b96154e372733386babf49e0b55e99a10fb2b49b280324b6596fa185c82f2a812b846b4b30e3c52

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7248004.exe
    Filesize

    105KB

    MD5

    833f1b774e7c127c5ccfe8467c677156

    SHA1

    c8ec626573791cdb5ce610989c3328260c451201

    SHA256

    8d893e4e1010beb463297222107e053246eab37329d327f039c9998c4bbdf9cb

    SHA512

    68572c8aea6ec0ed965ef89e457010f56095c9bb5cabae85512f4c78dfb530c589921f62145558d295a7fb0764f4e62b1175eba51cd692bed07f21d8ee83340b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7248004.exe
    Filesize

    105KB

    MD5

    833f1b774e7c127c5ccfe8467c677156

    SHA1

    c8ec626573791cdb5ce610989c3328260c451201

    SHA256

    8d893e4e1010beb463297222107e053246eab37329d327f039c9998c4bbdf9cb

    SHA512

    68572c8aea6ec0ed965ef89e457010f56095c9bb5cabae85512f4c78dfb530c589921f62145558d295a7fb0764f4e62b1175eba51cd692bed07f21d8ee83340b

    Download Submit
  • memory/1700-174-0x00000000000D0000-0x0000000000100000-memory.dmp
    Filesize

    192KB

    Download
  • memory/1700-179-0x00000000021A0000-0x00000000021B0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1700-188-0x00000000021A0000-0x00000000021B0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1700-175-0x000000000A4E0000-0x000000000AAF8000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/1700-176-0x000000000A050000-0x000000000A15A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/1700-177-0x0000000009F90000-0x0000000009FA2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1700-178-0x0000000009FF0000-0x000000000A02C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1700-187-0x000000000C070000-0x000000000C59C000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/1700-180-0x000000000A400000-0x000000000A476000-memory.dmp
    Filesize

    472KB

    Download
  • memory/1700-181-0x000000000ABA0000-0x000000000AC32000-memory.dmp
    Filesize

    584KB

    Download
  • memory/1700-182-0x000000000B1F0000-0x000000000B794000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/1700-183-0x000000000AC40000-0x000000000ACA6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1700-185-0x000000000B150000-0x000000000B1A0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/1700-186-0x000000000B970000-0x000000000BB32000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2192-166-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3844-161-0x0000000000C80000-0x0000000000C8A000-memory.dmp
    Filesize

    40KB

    Download