Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-06-2023 17:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    670c7ea2cdf1c556ef6be7b1f91c49eb25bae63c4e646e8f300609472e54ed0b.exe

  • Size

    735KB

  • MD5

    236c6160a6c82bba4a0e2d1ad23632d9

  • SHA1

    deec3fa40fb1e92c4d30ce582cc2b9cd19e0abc0

  • SHA256

    670c7ea2cdf1c556ef6be7b1f91c49eb25bae63c4e646e8f300609472e54ed0b

  • SHA512

    6810de657a8e4cd42431b716e0cfc1b443b083937852c209d44be14d2f2faf868cb07089a41ee6c6415f3c99392846166197cb9ddaada08e525acd4a8d4019d4

  • SSDEEP

    12288:zMrPy90DM3sdrLw14kMalKtMRS4Sl2VUpf+7uDLOsqt5UQkITOpM7IvP0JcaP1X:UyGM3s/9alK2RS41Z7IHl4OpM72i

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\670c7ea2cdf1c556ef6be7b1f91c49eb25bae63c4e646e8f300609472e54ed0b.exe
    "C:\Users\Admin\AppData\Local\Temp\670c7ea2cdf1c556ef6be7b1f91c49eb25bae63c4e646e8f300609472e54ed0b.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4632
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2172496.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2172496.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1044
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8770239.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8770239.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:5008
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9301795.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9301795.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4220
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9445946.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9445946.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4240
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2572306.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2572306.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:3148
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:212
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 140
              6⤵
              • Program crash
              PID:4276
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5074829.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5074829.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1460
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3148 -ip 3148
    1⤵
      PID:4520

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2172496.exe
      Filesize

      529KB

      MD5

      ef91c9650f6485ae63444869660e4c6a

      SHA1

      a383d13f004ce547b7f3ca0ec8e9074379924fda

      SHA256

      fded6511026e3b14db4c0d1bba4795ff1b533751b966f46e80bee37f466d2647

      SHA512

      390463a8f5639900a9ed0fd41dcb3ee7a102b5d0f89948cc9be681c90de446f3ae603d2e2f1e3ad67bee0ea7e27c029c186c1b81d7836d6ee5dfd7591c0e2ffb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2172496.exe
      Filesize

      529KB

      MD5

      ef91c9650f6485ae63444869660e4c6a

      SHA1

      a383d13f004ce547b7f3ca0ec8e9074379924fda

      SHA256

      fded6511026e3b14db4c0d1bba4795ff1b533751b966f46e80bee37f466d2647

      SHA512

      390463a8f5639900a9ed0fd41dcb3ee7a102b5d0f89948cc9be681c90de446f3ae603d2e2f1e3ad67bee0ea7e27c029c186c1b81d7836d6ee5dfd7591c0e2ffb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8770239.exe
      Filesize

      357KB

      MD5

      ddb69a95e759fb7454dff4415e093793

      SHA1

      9e8c4230bb510baae4c869d13b4338ae3ff8940e

      SHA256

      37393af57ef669c737ddbc4219fd795c04fd41c27717dc22807557e941a44177

      SHA512

      e4f8f800ae3da4c53f163aeb1466d4f6a4646e26b84b1d578c3709ce910b6f04a55ad554509b59166a8dec2219a56bf086a0b589884bd733fe0b1acb82e18af6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8770239.exe
      Filesize

      357KB

      MD5

      ddb69a95e759fb7454dff4415e093793

      SHA1

      9e8c4230bb510baae4c869d13b4338ae3ff8940e

      SHA256

      37393af57ef669c737ddbc4219fd795c04fd41c27717dc22807557e941a44177

      SHA512

      e4f8f800ae3da4c53f163aeb1466d4f6a4646e26b84b1d578c3709ce910b6f04a55ad554509b59166a8dec2219a56bf086a0b589884bd733fe0b1acb82e18af6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5074829.exe
      Filesize

      172KB

      MD5

      99daf29102f3347036f5f31626529fdc

      SHA1

      c2e9ff56ee0366c035921dc5a4bcd79fb6f99d13

      SHA256

      800594365f4586f2b7269e9807a3411bfc7fa5fb28a081ca8e496c6d89eb7f7c

      SHA512

      b38bd22e3784b7eb7eeeb0d7cd17d1c3bc4f5a53415b7cefa6b3dba7589efd3bf616b27de1a2204ce5141cc9b091ff1ce7c03a92051813116f0c4a3c0a3559e2

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5074829.exe
      Filesize

      172KB

      MD5

      99daf29102f3347036f5f31626529fdc

      SHA1

      c2e9ff56ee0366c035921dc5a4bcd79fb6f99d13

      SHA256

      800594365f4586f2b7269e9807a3411bfc7fa5fb28a081ca8e496c6d89eb7f7c

      SHA512

      b38bd22e3784b7eb7eeeb0d7cd17d1c3bc4f5a53415b7cefa6b3dba7589efd3bf616b27de1a2204ce5141cc9b091ff1ce7c03a92051813116f0c4a3c0a3559e2

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9301795.exe
      Filesize

      202KB

      MD5

      3b370b3246bab0710bf9131813aa64fd

      SHA1

      ffce739845fc31185e67f55f79de64198d71e4a5

      SHA256

      f0106e319d6b2a8a304a2565efd5cf7485ccdbb97496f3006afb5929c6939113

      SHA512

      c902c85b4a613ef1622d7838a52e7cc90b3d67b4033a89efe946f4ff4a94666a9bc1ad67c1dd5062c14a2153439d9fd8b04f9457af05e9afa30ff35a29e83043

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9301795.exe
      Filesize

      202KB

      MD5

      3b370b3246bab0710bf9131813aa64fd

      SHA1

      ffce739845fc31185e67f55f79de64198d71e4a5

      SHA256

      f0106e319d6b2a8a304a2565efd5cf7485ccdbb97496f3006afb5929c6939113

      SHA512

      c902c85b4a613ef1622d7838a52e7cc90b3d67b4033a89efe946f4ff4a94666a9bc1ad67c1dd5062c14a2153439d9fd8b04f9457af05e9afa30ff35a29e83043

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9445946.exe
      Filesize

      12KB

      MD5

      8d96a3a25a93bf7c3cb64233e78d3e3e

      SHA1

      adbbbbfea625b264040bb80ec162911b78df538e

      SHA256

      3338547cde7a5c2eb5db9d7fc3f5af7e10af87f5f1a3622dcd6d85f5d311bba2

      SHA512

      1019d8ff51a87848c56c70e568187dd7ae0b8a3b0123d588ba3770de726e9a10a4b4c5914aa54f84a4a3ecdc1bf6c959df32b2b2a2fb79d7edd4c737f0ef1bde

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9445946.exe
      Filesize

      12KB

      MD5

      8d96a3a25a93bf7c3cb64233e78d3e3e

      SHA1

      adbbbbfea625b264040bb80ec162911b78df538e

      SHA256

      3338547cde7a5c2eb5db9d7fc3f5af7e10af87f5f1a3622dcd6d85f5d311bba2

      SHA512

      1019d8ff51a87848c56c70e568187dd7ae0b8a3b0123d588ba3770de726e9a10a4b4c5914aa54f84a4a3ecdc1bf6c959df32b2b2a2fb79d7edd4c737f0ef1bde

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2572306.exe
      Filesize

      117KB

      MD5

      490445a84ffa0fb1b0bf8491f7929d5d

      SHA1

      cac978801831331a4d353781d4a4fbbf705753e1

      SHA256

      38db49eca117e1a42beb4a87dd24d83d9c7b87efa3af6f4376ac8a386e2aa714

      SHA512

      e77ab53ec9b8995622a74a3ba3ce48acfd2ed9659478392f2a88f98f1c19f49e8eb77d92397319e2de5092dc97268784fc799e8fe0c17e3e526166f9f633d74f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2572306.exe
      Filesize

      117KB

      MD5

      490445a84ffa0fb1b0bf8491f7929d5d

      SHA1

      cac978801831331a4d353781d4a4fbbf705753e1

      SHA256

      38db49eca117e1a42beb4a87dd24d83d9c7b87efa3af6f4376ac8a386e2aa714

      SHA512

      e77ab53ec9b8995622a74a3ba3ce48acfd2ed9659478392f2a88f98f1c19f49e8eb77d92397319e2de5092dc97268784fc799e8fe0c17e3e526166f9f633d74f

      Download Submit
    • memory/212-167-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1460-175-0x0000000000C80000-0x0000000000CB0000-memory.dmp
      Filesize

      192KB

      Download
    • memory/1460-181-0x000000000AEB0000-0x000000000AF26000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1460-176-0x000000000B0F0000-0x000000000B708000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/1460-177-0x000000000AC00000-0x000000000AD0A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1460-178-0x000000000AB40000-0x000000000AB52000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1460-179-0x0000000005540000-0x0000000005550000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1460-180-0x000000000ABA0000-0x000000000ABDC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/1460-189-0x000000000CBE0000-0x000000000D10C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/1460-182-0x000000000B710000-0x000000000B7A2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1460-183-0x000000000BD60000-0x000000000C304000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1460-184-0x000000000B7B0000-0x000000000B816000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1460-186-0x000000000BBF0000-0x000000000BC40000-memory.dmp
      Filesize

      320KB

      Download
    • memory/1460-187-0x0000000005540000-0x0000000005550000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1460-188-0x000000000C4E0000-0x000000000C6A2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/4240-161-0x0000000000AC0000-0x0000000000ACA000-memory.dmp
      Filesize

      40KB

      Download