Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 21:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5cb92453d2766c3c6aaa512a17930bbb49345351076913f18ec0f0fbe35be5b4.exe

  • Size

    723KB

  • MD5

    c86549610822ae7ef212b0e8787240d3

  • SHA1

    a8005989483e998874b66b5d39ae2c17f1fd4f32

  • SHA256

    5cb92453d2766c3c6aaa512a17930bbb49345351076913f18ec0f0fbe35be5b4

  • SHA512

    8a3fc68a4d682a702af65ccbb483cbda25cc7e1249926b57b2002a27b3614ae9fa5bec2d73ee19f45aa52bb1e888deaab349fae950c90bfe129d33efef9385a6

  • SSDEEP

    12288:sMrQy9067K78b+xREk54IdxzjiJrWRFKNZqzA5lik0zQCeq1IWYxTxmv1dDTe:syhW4b+xRP54IniyR8NZAnPQuIhnmbS

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5cb92453d2766c3c6aaa512a17930bbb49345351076913f18ec0f0fbe35be5b4.exe
    "C:\Users\Admin\AppData\Local\Temp\5cb92453d2766c3c6aaa512a17930bbb49345351076913f18ec0f0fbe35be5b4.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1216
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2475087.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2475087.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4856
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1357055.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1357055.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:956
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3170074.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3170074.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2484
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9185972.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9185972.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3904
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7951013.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7951013.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:408
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2120
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 140
              6⤵
              • Program crash
              PID:924
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1557117.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1557117.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2328
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 408 -ip 408
    1⤵
      PID:3016

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2475087.exe
      Filesize

      523KB

      MD5

      7078de8f4b0aef3fe57c363b69bd08a1

      SHA1

      96f3efb3338b74f41d1c5eed0d0bc655cc7feb88

      SHA256

      0567994c78abfdd58207ac7ca5c309bc27727729619af58279e006ef2e151e88

      SHA512

      2c8500c22754e809011738c2fe821071f6783666201a98ad1bc5fe4368826bfbbb1a7ee4d27ba0affb7a9ea2e310c11ef575a2895858622269b292c6678f8d52

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2475087.exe
      Filesize

      523KB

      MD5

      7078de8f4b0aef3fe57c363b69bd08a1

      SHA1

      96f3efb3338b74f41d1c5eed0d0bc655cc7feb88

      SHA256

      0567994c78abfdd58207ac7ca5c309bc27727729619af58279e006ef2e151e88

      SHA512

      2c8500c22754e809011738c2fe821071f6783666201a98ad1bc5fe4368826bfbbb1a7ee4d27ba0affb7a9ea2e310c11ef575a2895858622269b292c6678f8d52

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1357055.exe
      Filesize

      351KB

      MD5

      8d59c327969a4c788af5e2eebb3e28f1

      SHA1

      6d805f49f93a5833f0f736713d4ef041b08da39e

      SHA256

      792323d38d8047c36b344260cd66edb7e38a9ba2cc848317bf5c50c69ffc6a25

      SHA512

      8046709f902097e18fe175296e53712a3532f21273eeb347db552a58db45e84b7775cbd1450e8b59715598a04ef4fc8554593da1450af8eadb1e88fb26938007

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1357055.exe
      Filesize

      351KB

      MD5

      8d59c327969a4c788af5e2eebb3e28f1

      SHA1

      6d805f49f93a5833f0f736713d4ef041b08da39e

      SHA256

      792323d38d8047c36b344260cd66edb7e38a9ba2cc848317bf5c50c69ffc6a25

      SHA512

      8046709f902097e18fe175296e53712a3532f21273eeb347db552a58db45e84b7775cbd1450e8b59715598a04ef4fc8554593da1450af8eadb1e88fb26938007

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1557117.exe
      Filesize

      172KB

      MD5

      f31b7094529b6ddd9618bcb09a11219b

      SHA1

      721bfcfca35d6bc8f474651117d87922ed73db8d

      SHA256

      eeec80f1f1170f7f645ee90c737244779d1734271de1b0a044b02edf804e869c

      SHA512

      bdb37a9df1287f01b4cd450159b430ad37b04f89318ddafbb32f952963d47158e6dd087d216a4784c0e92a11a631d970bb2a9d1c51446ab5e86457d52adaf590

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1557117.exe
      Filesize

      172KB

      MD5

      f31b7094529b6ddd9618bcb09a11219b

      SHA1

      721bfcfca35d6bc8f474651117d87922ed73db8d

      SHA256

      eeec80f1f1170f7f645ee90c737244779d1734271de1b0a044b02edf804e869c

      SHA512

      bdb37a9df1287f01b4cd450159b430ad37b04f89318ddafbb32f952963d47158e6dd087d216a4784c0e92a11a631d970bb2a9d1c51446ab5e86457d52adaf590

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3170074.exe
      Filesize

      196KB

      MD5

      4adcf57613455bd82d4d0eba2280e4a9

      SHA1

      dcae735a2ba43c923cd05ca196ce8c9265a190b6

      SHA256

      04cd21d9152628e6b5dc519fd76113033263fa528952f359826cb543ef18cb6a

      SHA512

      14e164c11b0870faeeb9e232bb577d014c6b15cf62aafa241d628cfe82012c5876b1206e2fa4b6a1ad579394cf27a465656e2d5c75be91428c5fc370a72b9ac3

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3170074.exe
      Filesize

      196KB

      MD5

      4adcf57613455bd82d4d0eba2280e4a9

      SHA1

      dcae735a2ba43c923cd05ca196ce8c9265a190b6

      SHA256

      04cd21d9152628e6b5dc519fd76113033263fa528952f359826cb543ef18cb6a

      SHA512

      14e164c11b0870faeeb9e232bb577d014c6b15cf62aafa241d628cfe82012c5876b1206e2fa4b6a1ad579394cf27a465656e2d5c75be91428c5fc370a72b9ac3

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9185972.exe
      Filesize

      14KB

      MD5

      446c3070d46239bcfaed5863052c5fe3

      SHA1

      03e97185c296e54176f82d53a2673fbf16d1e2a0

      SHA256

      f9124f1121f65723159ced95c08b1b398d078494724f335d49e6dd151edb2d9d

      SHA512

      37795742d2c6d780ac03d4dcab8ebcfdb742acb3b5599c1add94fcf3a0d31852fb77aeb63ec1e70e9eb57e9cff1b558d2d363f8e15d9fe0fb831f1720160497e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9185972.exe
      Filesize

      14KB

      MD5

      446c3070d46239bcfaed5863052c5fe3

      SHA1

      03e97185c296e54176f82d53a2673fbf16d1e2a0

      SHA256

      f9124f1121f65723159ced95c08b1b398d078494724f335d49e6dd151edb2d9d

      SHA512

      37795742d2c6d780ac03d4dcab8ebcfdb742acb3b5599c1add94fcf3a0d31852fb77aeb63ec1e70e9eb57e9cff1b558d2d363f8e15d9fe0fb831f1720160497e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7951013.exe
      Filesize

      100KB

      MD5

      01b9394ac1a9d519f98e280be5a7e78b

      SHA1

      fdf3e291f10be0b5fef88cbaf469e5b4b8673263

      SHA256

      01dba1d2b8ddc0a6a73c24e600086eb2984c538636f3db600d6a87cc282e2a80

      SHA512

      fd04ce55dc2c500cab49383f45082bacfad96acec9c29be94ab29c8db5a0698db7f9b507b92f430376db3f2d51ee141fca2511ef7519383665eb04c10f9e220f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7951013.exe
      Filesize

      100KB

      MD5

      01b9394ac1a9d519f98e280be5a7e78b

      SHA1

      fdf3e291f10be0b5fef88cbaf469e5b4b8673263

      SHA256

      01dba1d2b8ddc0a6a73c24e600086eb2984c538636f3db600d6a87cc282e2a80

      SHA512

      fd04ce55dc2c500cab49383f45082bacfad96acec9c29be94ab29c8db5a0698db7f9b507b92f430376db3f2d51ee141fca2511ef7519383665eb04c10f9e220f

      Download Submit
    • memory/2120-167-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2328-175-0x0000000000A20000-0x0000000000A50000-memory.dmp
      Filesize

      192KB

      Download
    • memory/2328-181-0x00000000056F0000-0x0000000005766000-memory.dmp
      Filesize

      472KB

      Download
    • memory/2328-176-0x00000000059E0000-0x0000000005FF8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/2328-177-0x00000000054D0000-0x00000000055DA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/2328-178-0x0000000005270000-0x0000000005282000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2328-179-0x0000000005400000-0x000000000543C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/2328-180-0x00000000052B0000-0x00000000052C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2328-189-0x00000000052B0000-0x00000000052C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2328-182-0x0000000005910000-0x00000000059A2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2328-183-0x0000000005870000-0x00000000058D6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2328-184-0x0000000006AA0000-0x0000000007044000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/2328-185-0x00000000066F0000-0x00000000068B2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/2328-187-0x0000000008C70000-0x000000000919C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/2328-188-0x00000000069C0000-0x0000000006A10000-memory.dmp
      Filesize

      320KB

      Download
    • memory/3904-161-0x00000000007D0000-0x00000000007DA000-memory.dmp
      Filesize

      40KB

      Download