Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 21:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    55d8ac5c70ce9c9870ada10c033ffb630f70b53407d1a786ab1e529becee2967.exe

  • Size

    723KB

  • MD5

    a412cd19a656ed6d2e8350401a4915d8

  • SHA1

    177889cddf795c23362ddac7835853dd88248d58

  • SHA256

    55d8ac5c70ce9c9870ada10c033ffb630f70b53407d1a786ab1e529becee2967

  • SHA512

    332d493a759ea429ee660ac5a0529e0df48a4166a08a1084564a70579b44f0f450c1cbcd1a5676c6e007a29d7e527a44369ff80b8659df4fc94c298c33c312cf

  • SSDEEP

    12288:vMrfy90o4C+v001z3XZP43lqVSmc3UmMVDpFU/d24WJl5ZEG7F/BCKQt3Zdds0Aq:MyadvHz3XZA3I5HFAd2D/ZHFNQt3Zdd1

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\55d8ac5c70ce9c9870ada10c033ffb630f70b53407d1a786ab1e529becee2967.exe
    "C:\Users\Admin\AppData\Local\Temp\55d8ac5c70ce9c9870ada10c033ffb630f70b53407d1a786ab1e529becee2967.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4504
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8208517.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8208517.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4596
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5098588.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5098588.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1616
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3880685.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3880685.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:3816
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1099696.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1099696.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1408
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6214718.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6214718.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1776
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3316
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 140
              6⤵
              • Program crash
              PID:2968
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7218988.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7218988.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4276
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 1776 -ip 1776
    1⤵
      PID:2400

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8208517.exe
      Filesize

      523KB

      MD5

      e9e7910d4d5122a6f79e478aeafa0b71

      SHA1

      2cb8993e9723b2a8aef183e79c79c6b04cbdc13e

      SHA256

      d65e3069a91b2f17fc117990c73ed5bed37ce7a9d0a0d8aecd0bf86461e8dd97

      SHA512

      4e96de6f72bebe856bf8c23721a51c17559c3f968ce103649c787fac6108b71f3f7b2572e7071a545f94ddd3fe6993dfe902716988371dc1ff6717cbcfcb82f6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8208517.exe
      Filesize

      523KB

      MD5

      e9e7910d4d5122a6f79e478aeafa0b71

      SHA1

      2cb8993e9723b2a8aef183e79c79c6b04cbdc13e

      SHA256

      d65e3069a91b2f17fc117990c73ed5bed37ce7a9d0a0d8aecd0bf86461e8dd97

      SHA512

      4e96de6f72bebe856bf8c23721a51c17559c3f968ce103649c787fac6108b71f3f7b2572e7071a545f94ddd3fe6993dfe902716988371dc1ff6717cbcfcb82f6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5098588.exe
      Filesize

      351KB

      MD5

      4e70bb02fb1c4ac7ad87b66a201d9ba8

      SHA1

      f39c48fb2ead730db0b6f04d719acadd22c5ae1f

      SHA256

      516e0ef5b1bf81cca77bb0876991ae2d8c626ef9962c035fb3af3eb8236b6473

      SHA512

      66a924ca09532628744a55013e210a407390554f4cd368a9da8eaea0100a85f13358aa4bfcf648ab7fd47e1cd7e6161e537faa88c14ce3aa8d8b7c697b79781d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5098588.exe
      Filesize

      351KB

      MD5

      4e70bb02fb1c4ac7ad87b66a201d9ba8

      SHA1

      f39c48fb2ead730db0b6f04d719acadd22c5ae1f

      SHA256

      516e0ef5b1bf81cca77bb0876991ae2d8c626ef9962c035fb3af3eb8236b6473

      SHA512

      66a924ca09532628744a55013e210a407390554f4cd368a9da8eaea0100a85f13358aa4bfcf648ab7fd47e1cd7e6161e537faa88c14ce3aa8d8b7c697b79781d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7218988.exe
      Filesize

      172KB

      MD5

      839ebd7675293dbfa63b8fd2be3194a9

      SHA1

      0db6c44256d28964b84c50d3fa4a9c956168502b

      SHA256

      f4a8236529245208e70fdb1c553c73c92614325a74b5e12d6fe7cc8b0f1590f6

      SHA512

      8f5a1dfae025b25673961a75074ba93ffd4c2e6d487cf35b7fb4644e6e75299460e308550eafb6494fddb4ec18635e26bce90037d3e97597c0bdb80d8b01e660

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7218988.exe
      Filesize

      172KB

      MD5

      839ebd7675293dbfa63b8fd2be3194a9

      SHA1

      0db6c44256d28964b84c50d3fa4a9c956168502b

      SHA256

      f4a8236529245208e70fdb1c553c73c92614325a74b5e12d6fe7cc8b0f1590f6

      SHA512

      8f5a1dfae025b25673961a75074ba93ffd4c2e6d487cf35b7fb4644e6e75299460e308550eafb6494fddb4ec18635e26bce90037d3e97597c0bdb80d8b01e660

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3880685.exe
      Filesize

      196KB

      MD5

      adc0eb6743ceb9ad8cd98245c35cea78

      SHA1

      c491c6e9f03d3b61f093a37c57e40edce0b78708

      SHA256

      7576669ebc4d26e7f6ba5f032383487a26008fbd6d0cb47da444b3fd4e3afcce

      SHA512

      144647b4266a3c9cf1c896557112c3ec33fb5c1af2f8033836930cadc33661dd680f64f30f935aa1087683e03d3456cdab0bb64838b6085fb1efbe556454b5f3

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3880685.exe
      Filesize

      196KB

      MD5

      adc0eb6743ceb9ad8cd98245c35cea78

      SHA1

      c491c6e9f03d3b61f093a37c57e40edce0b78708

      SHA256

      7576669ebc4d26e7f6ba5f032383487a26008fbd6d0cb47da444b3fd4e3afcce

      SHA512

      144647b4266a3c9cf1c896557112c3ec33fb5c1af2f8033836930cadc33661dd680f64f30f935aa1087683e03d3456cdab0bb64838b6085fb1efbe556454b5f3

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1099696.exe
      Filesize

      14KB

      MD5

      c5a72362ced300a7c4aa9a6e484b60ae

      SHA1

      37536539b0e75b637208b368baadad443478365f

      SHA256

      eaf544fa9f35779f8394792312f7a0d6da30b2054ce6bdbd5b6f8cb02716bd1a

      SHA512

      62bdb95bb8777d8a6a806c732c2fceea081dac51a8ac885b7f94da985d9fc8c21924cb46bfecf2df7cd428121ff21fdcf7c7a2961f1afd2f7239c626bb8738d4

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1099696.exe
      Filesize

      14KB

      MD5

      c5a72362ced300a7c4aa9a6e484b60ae

      SHA1

      37536539b0e75b637208b368baadad443478365f

      SHA256

      eaf544fa9f35779f8394792312f7a0d6da30b2054ce6bdbd5b6f8cb02716bd1a

      SHA512

      62bdb95bb8777d8a6a806c732c2fceea081dac51a8ac885b7f94da985d9fc8c21924cb46bfecf2df7cd428121ff21fdcf7c7a2961f1afd2f7239c626bb8738d4

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6214718.exe
      Filesize

      100KB

      MD5

      ad581a4f388fb2a3ad0c2d4ba2e6146a

      SHA1

      eb5f802e4f50bdbc27e9cfa2185af1a505313f70

      SHA256

      449d4395de2c6df6f9296c68595e587f2993bd0651fb5d3147c60ccb6666146e

      SHA512

      f06a9d7c09c6250e8cd3c85664a26f2a8306ffc7bdb135deb9aaf1cca01d08776914eae5d9179d04f76f71ebaccc2706a4cb033a594a3bd337a35486702d3431

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6214718.exe
      Filesize

      100KB

      MD5

      ad581a4f388fb2a3ad0c2d4ba2e6146a

      SHA1

      eb5f802e4f50bdbc27e9cfa2185af1a505313f70

      SHA256

      449d4395de2c6df6f9296c68595e587f2993bd0651fb5d3147c60ccb6666146e

      SHA512

      f06a9d7c09c6250e8cd3c85664a26f2a8306ffc7bdb135deb9aaf1cca01d08776914eae5d9179d04f76f71ebaccc2706a4cb033a594a3bd337a35486702d3431

      Download Submit
    • memory/1408-161-0x0000000000790000-0x000000000079A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3316-167-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4276-175-0x0000000000F20000-0x0000000000F50000-memory.dmp
      Filesize

      192KB

      Download
    • memory/4276-176-0x000000000B390000-0x000000000B9A8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/4276-177-0x000000000AEA0000-0x000000000AFAA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/4276-178-0x000000000ADE0000-0x000000000ADF2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4276-179-0x000000000AE40000-0x000000000AE7C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/4276-180-0x00000000057E0000-0x00000000057F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4276-181-0x000000000B250000-0x000000000B2C6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/4276-182-0x000000000B9B0000-0x000000000BA42000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4276-183-0x000000000C000000-0x000000000C5A4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4276-184-0x000000000BA50000-0x000000000BAB6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4276-186-0x000000000C780000-0x000000000C942000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/4276-187-0x000000000CE80000-0x000000000D3AC000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/4276-188-0x000000000C630000-0x000000000C680000-memory.dmp
      Filesize

      320KB

      Download
    • memory/4276-189-0x00000000057E0000-0x00000000057F0000-memory.dmp
      Filesize

      64KB

      Download