Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-06-2023 20:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c8e3066ab822f34eaeeffec4022d61503f87395cba1f5645cef25133f5b64f00.exe

  • Size

    736KB

  • MD5

    48cc4253ca1886c1340b31e397bc51c3

  • SHA1

    003d1c6bb9b105c93a5b66a163786b6fe82edffb

  • SHA256

    c8e3066ab822f34eaeeffec4022d61503f87395cba1f5645cef25133f5b64f00

  • SHA512

    1cca6ac0dadca86195506b95516799cba6b31342508cda204511e6a747f22a5a725ac598d5d997cdc108a511c81d53e9b174c5394887d286fa2269e9a8d89f03

  • SSDEEP

    12288:9MrCy90KEZbTk+F22+EvKMlIhO0x364hv6jx0ZDh8+jkWkiRwKTXWnC9E8y:7yu19+D/3Thy9ul8qk7M791y

Score
10/10
redlinemaxievasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c8e3066ab822f34eaeeffec4022d61503f87395cba1f5645cef25133f5b64f00.exe
    "C:\Users\Admin\AppData\Local\Temp\c8e3066ab822f34eaeeffec4022d61503f87395cba1f5645cef25133f5b64f00.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:384
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3672886.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3672886.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3800
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5485840.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5485840.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4744
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8871597.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8871597.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1016
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5771448.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5771448.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3740
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7848338.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7848338.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:4732
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4428
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 140
              6⤵
              • Program crash
              PID:3292
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3935179.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3935179.exe
          4⤵
          • Executes dropped EXE
          PID:2348
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4732 -ip 4732
    1⤵
      PID:4412

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3672886.exe
      Filesize

      529KB

      MD5

      db848e9178309b49e06884a80b296460

      SHA1

      ea3385d6c04c33a276827706b2824ee5fb99761f

      SHA256

      e8febf5d7d06141abce39338e93b399a8732e80c8aa6717afee6ac997a76c5f8

      SHA512

      0027eb0e3aab96066b70466c18b01678372519e6f55b4a5a2c9cc469a9a48378093c35a704b1f868f636b6376e23f2ca13191fa52c26a7c7658cd5705630f422

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3672886.exe
      Filesize

      529KB

      MD5

      db848e9178309b49e06884a80b296460

      SHA1

      ea3385d6c04c33a276827706b2824ee5fb99761f

      SHA256

      e8febf5d7d06141abce39338e93b399a8732e80c8aa6717afee6ac997a76c5f8

      SHA512

      0027eb0e3aab96066b70466c18b01678372519e6f55b4a5a2c9cc469a9a48378093c35a704b1f868f636b6376e23f2ca13191fa52c26a7c7658cd5705630f422

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5485840.exe
      Filesize

      357KB

      MD5

      a0525adf9a117a619395bdf31e333dad

      SHA1

      3000621987af5c5ef7df80df453d47bc7c609349

      SHA256

      812bae200f97e4e50936e49485ebf2f5018f2995361c2fb309e51520ad631d91

      SHA512

      046efe0bb1b4efa9c08d2fa9cf37f2b35ca57160f464c46ff474866d1345828052c6c25f4bca711c9b74455c5f16ec0d76ef7b54ab7611c943a8900237c33320

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5485840.exe
      Filesize

      357KB

      MD5

      a0525adf9a117a619395bdf31e333dad

      SHA1

      3000621987af5c5ef7df80df453d47bc7c609349

      SHA256

      812bae200f97e4e50936e49485ebf2f5018f2995361c2fb309e51520ad631d91

      SHA512

      046efe0bb1b4efa9c08d2fa9cf37f2b35ca57160f464c46ff474866d1345828052c6c25f4bca711c9b74455c5f16ec0d76ef7b54ab7611c943a8900237c33320

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3935179.exe
      Filesize

      172KB

      MD5

      baf16a158f75ac24ae1997cb569e2a1a

      SHA1

      ffb978f5f893b4d019341b3451f99658ccb1d87d

      SHA256

      7715e135148d76f26452354e50701b174377dce847556fa51f37fdf8b6763ebe

      SHA512

      7aa946d2c827322a0a4c3666202c681992ac3280ce027aadb8ce59fca721af2375a443b8a0e4e5cd82ace5796a8344cc362488cd474f582ca8a6c8e74871a510

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3935179.exe
      Filesize

      172KB

      MD5

      baf16a158f75ac24ae1997cb569e2a1a

      SHA1

      ffb978f5f893b4d019341b3451f99658ccb1d87d

      SHA256

      7715e135148d76f26452354e50701b174377dce847556fa51f37fdf8b6763ebe

      SHA512

      7aa946d2c827322a0a4c3666202c681992ac3280ce027aadb8ce59fca721af2375a443b8a0e4e5cd82ace5796a8344cc362488cd474f582ca8a6c8e74871a510

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8871597.exe
      Filesize

      202KB

      MD5

      e8f3b5e0072a8fc15e11b880c7dd56d7

      SHA1

      068ef5627c1de19e38675c7e2ddb46ba93284d7f

      SHA256

      b9f7d7af1e400518fe040c0b39a10036fe2fe0fd6b7959c215c85e97df36246b

      SHA512

      5c33b7d6c21db653dcbee4b67706887e0abdab1077cc48b79bb33f7bcb264e98682b1574bd627caefceb52fa76e3f4e7acf1fa3e7ee08cfab7395fff47f51164

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8871597.exe
      Filesize

      202KB

      MD5

      e8f3b5e0072a8fc15e11b880c7dd56d7

      SHA1

      068ef5627c1de19e38675c7e2ddb46ba93284d7f

      SHA256

      b9f7d7af1e400518fe040c0b39a10036fe2fe0fd6b7959c215c85e97df36246b

      SHA512

      5c33b7d6c21db653dcbee4b67706887e0abdab1077cc48b79bb33f7bcb264e98682b1574bd627caefceb52fa76e3f4e7acf1fa3e7ee08cfab7395fff47f51164

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5771448.exe
      Filesize

      12KB

      MD5

      50d0ca1c0932722371f7c99fc472c9dd

      SHA1

      c5a906dd2afbc85bf662ec9b31c6c6ff077d711e

      SHA256

      d54eaa0246a19cc54be3c2236c0f3ffcb8ee9d91655df6c71f9ef3b31bf8904f

      SHA512

      dd486393037c1d3c475ee01899a45816c28376c5535928d880ee7d3d2e61642edb810d8b14caa5db5e73bf8761507202a588fb6677580b1dcdc5ca800b92a702

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5771448.exe
      Filesize

      12KB

      MD5

      50d0ca1c0932722371f7c99fc472c9dd

      SHA1

      c5a906dd2afbc85bf662ec9b31c6c6ff077d711e

      SHA256

      d54eaa0246a19cc54be3c2236c0f3ffcb8ee9d91655df6c71f9ef3b31bf8904f

      SHA512

      dd486393037c1d3c475ee01899a45816c28376c5535928d880ee7d3d2e61642edb810d8b14caa5db5e73bf8761507202a588fb6677580b1dcdc5ca800b92a702

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7848338.exe
      Filesize

      117KB

      MD5

      7bda4dea047104a4ed0e2ba96f32bf7e

      SHA1

      0504f6ccabde31df24819b8aff83812584518c41

      SHA256

      582c7c80def14e493f8e41791c3b801cfeda6828d13546597c0ea40f66bb416c

      SHA512

      333cc818cff9de334c72e4196ad279d3d7686f4e898e71817ef6fdafc94dc032c3afed95aa3f1b92c409a1d27a94c8b02ad5ea26bdb14f1c04496aa106870c18

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7848338.exe
      Filesize

      117KB

      MD5

      7bda4dea047104a4ed0e2ba96f32bf7e

      SHA1

      0504f6ccabde31df24819b8aff83812584518c41

      SHA256

      582c7c80def14e493f8e41791c3b801cfeda6828d13546597c0ea40f66bb416c

      SHA512

      333cc818cff9de334c72e4196ad279d3d7686f4e898e71817ef6fdafc94dc032c3afed95aa3f1b92c409a1d27a94c8b02ad5ea26bdb14f1c04496aa106870c18

      Download Submit
    • memory/2348-175-0x00000000007C0000-0x00000000007F0000-memory.dmp
      Filesize

      192KB

      Download
    • memory/2348-176-0x000000000ABE0000-0x000000000B1F8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/2348-177-0x000000000A740000-0x000000000A84A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/2348-178-0x000000000A680000-0x000000000A692000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2348-179-0x000000000A6E0000-0x000000000A71C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/2348-180-0x0000000004FF0000-0x0000000005000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2348-182-0x0000000004FF0000-0x0000000005000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3740-161-0x0000000000B40000-0x0000000000B4A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4428-167-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download