Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 21:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    78789c5aaf0343c131fc0a3e0c0c411c3633cffbd4f6cfb9928e195cec459eb5.exe

  • Size

    724KB

  • MD5

    0cef1c29a3bbdaf67d2b3655fbc7f8b5

  • SHA1

    2efe7f99da24978bd0cd445ee46e21a1ec710bc7

  • SHA256

    78789c5aaf0343c131fc0a3e0c0c411c3633cffbd4f6cfb9928e195cec459eb5

  • SHA512

    94742f814ac526dd533d79c1b32c696ab8f058b69975420f5cebfc43afd90a57170f4da1fe0ced230d7dac27c5db53c60cd85f924b3fb7fff2e9dccd1d6fb693

  • SSDEEP

    12288:lMr0y90h08i79T2qWpdCEfZEKxZUHAovout+OeKlz0rbmqENFD:tyh8i79k/5feKwHAoQbOe8z8bm1FD

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\78789c5aaf0343c131fc0a3e0c0c411c3633cffbd4f6cfb9928e195cec459eb5.exe
    "C:\Users\Admin\AppData\Local\Temp\78789c5aaf0343c131fc0a3e0c0c411c3633cffbd4f6cfb9928e195cec459eb5.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4924
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4656787.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4656787.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:372
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8218414.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8218414.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1952
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8028049.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8028049.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2168
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7601346.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7601346.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4008
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6908917.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6908917.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:3804
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4768
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 220
              6⤵
              • Program crash
              PID:1156
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2671895.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2671895.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1240
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3804 -ip 3804
    1⤵
      PID:3996

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4656787.exe
      Filesize

      524KB

      MD5

      7219d654b64230ca20a98f8096a06af9

      SHA1

      379f1bdb4e629e7ca1e3f8245fac2acc1a77fba2

      SHA256

      7c76055fca1d0b6f590816dd8408207e70a0a8e8f562a5544c19782dbb485c01

      SHA512

      931fbcc9565fd3634e66bce46a3408d8b1544cee304eb2d699ed5ca9b76e8f5b38bf2e178a68185f431c2125fadc1b833d59576c66aed368378ec3e6c3479913

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4656787.exe
      Filesize

      524KB

      MD5

      7219d654b64230ca20a98f8096a06af9

      SHA1

      379f1bdb4e629e7ca1e3f8245fac2acc1a77fba2

      SHA256

      7c76055fca1d0b6f590816dd8408207e70a0a8e8f562a5544c19782dbb485c01

      SHA512

      931fbcc9565fd3634e66bce46a3408d8b1544cee304eb2d699ed5ca9b76e8f5b38bf2e178a68185f431c2125fadc1b833d59576c66aed368378ec3e6c3479913

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8218414.exe
      Filesize

      352KB

      MD5

      ed02455fc1775349754e424136d4957e

      SHA1

      a0faee15481fe4c84a52ce06421c5308efbc9475

      SHA256

      b91c8ba3a37b81162eed239a6da942c36fdfe88b4ce83e85750e8dd08064010e

      SHA512

      bd3be531f1864875104be99b94b32cfdcb95b8d9d860af3074f8451173ec01dd97e972c1c6ff947e80eb2ce926a0e8fd2db370286edd0dbe200c987c8aaf2c34

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8218414.exe
      Filesize

      352KB

      MD5

      ed02455fc1775349754e424136d4957e

      SHA1

      a0faee15481fe4c84a52ce06421c5308efbc9475

      SHA256

      b91c8ba3a37b81162eed239a6da942c36fdfe88b4ce83e85750e8dd08064010e

      SHA512

      bd3be531f1864875104be99b94b32cfdcb95b8d9d860af3074f8451173ec01dd97e972c1c6ff947e80eb2ce926a0e8fd2db370286edd0dbe200c987c8aaf2c34

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2671895.exe
      Filesize

      172KB

      MD5

      e75b1e63343fdb114d45cc14d1ea668f

      SHA1

      f7862516a152d4fd90403379757eccc94982b3eb

      SHA256

      1001cc54ae8e964c6644492710762d05b48a9af6f6c623aca0c749fe8e2a5f8e

      SHA512

      4239365787b2199b039835e400eaf56e1ccf2107d029d10bed4c91284bed499079816b572e523eaa6796ffcc5486ff7fc03b66d155f55d3d0c2a8e93612f4bfa

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2671895.exe
      Filesize

      172KB

      MD5

      e75b1e63343fdb114d45cc14d1ea668f

      SHA1

      f7862516a152d4fd90403379757eccc94982b3eb

      SHA256

      1001cc54ae8e964c6644492710762d05b48a9af6f6c623aca0c749fe8e2a5f8e

      SHA512

      4239365787b2199b039835e400eaf56e1ccf2107d029d10bed4c91284bed499079816b572e523eaa6796ffcc5486ff7fc03b66d155f55d3d0c2a8e93612f4bfa

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8028049.exe
      Filesize

      196KB

      MD5

      faf8bc378a17ac7ac2dbf641514e0966

      SHA1

      20cca4b7fd13d1c42e26fd9825dcbdd357729618

      SHA256

      73e32df1d729d1d1066c90d89985f7ace67b9c7da07e3478a803b9b5c896f079

      SHA512

      1a9d4f0b281eff8b00af1c39c064706f9d8caec246ef354f6debb76b6856921f5b878a2134abec7d89dec439c34ce8599340b442f151b3ded1d7c27943ea5c07

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8028049.exe
      Filesize

      196KB

      MD5

      faf8bc378a17ac7ac2dbf641514e0966

      SHA1

      20cca4b7fd13d1c42e26fd9825dcbdd357729618

      SHA256

      73e32df1d729d1d1066c90d89985f7ace67b9c7da07e3478a803b9b5c896f079

      SHA512

      1a9d4f0b281eff8b00af1c39c064706f9d8caec246ef354f6debb76b6856921f5b878a2134abec7d89dec439c34ce8599340b442f151b3ded1d7c27943ea5c07

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7601346.exe
      Filesize

      14KB

      MD5

      a059322d84ec313eee942d05026489aa

      SHA1

      d5a0bb9ba0dd51834b28cab9d3276d78887b713a

      SHA256

      1a26ec1075e3ff55c361e9a0469ca4c1e77f48a8b2f3978468b4378167c7fe4b

      SHA512

      4bd3699249b8e7f15c854002469c87b64e1f22804d7136c9d4d53b8d1f2fb42c2cc02bd7468fd4d8aa0721e106613fd2c272e9d793f432806eef8e68a31f1216

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7601346.exe
      Filesize

      14KB

      MD5

      a059322d84ec313eee942d05026489aa

      SHA1

      d5a0bb9ba0dd51834b28cab9d3276d78887b713a

      SHA256

      1a26ec1075e3ff55c361e9a0469ca4c1e77f48a8b2f3978468b4378167c7fe4b

      SHA512

      4bd3699249b8e7f15c854002469c87b64e1f22804d7136c9d4d53b8d1f2fb42c2cc02bd7468fd4d8aa0721e106613fd2c272e9d793f432806eef8e68a31f1216

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6908917.exe
      Filesize

      100KB

      MD5

      fb59e64e4ec3d1985cc42567a4c1afff

      SHA1

      bf695baffd22eccd359a616ce21fc2dc65f1bc8d

      SHA256

      358ab4522adbb44c30fe17b687a85db820159a8ed9b4371a622842f339c2e9ba

      SHA512

      4716abc2fd6d3d70168be0428069c7941be8fb710f3650d24718e5c4cd22cff5c9ea65a481576644855d0d51aecace001e8d212898e9dca4e5dc3cc494cd6dc2

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6908917.exe
      Filesize

      100KB

      MD5

      fb59e64e4ec3d1985cc42567a4c1afff

      SHA1

      bf695baffd22eccd359a616ce21fc2dc65f1bc8d

      SHA256

      358ab4522adbb44c30fe17b687a85db820159a8ed9b4371a622842f339c2e9ba

      SHA512

      4716abc2fd6d3d70168be0428069c7941be8fb710f3650d24718e5c4cd22cff5c9ea65a481576644855d0d51aecace001e8d212898e9dca4e5dc3cc494cd6dc2

      Download Submit
    • memory/1240-175-0x0000000000560000-0x0000000000590000-memory.dmp
      Filesize

      192KB

      Download
    • memory/1240-180-0x0000000004F00000-0x0000000004F10000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1240-189-0x0000000004F00000-0x0000000004F10000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1240-176-0x000000000A9B0000-0x000000000AFC8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/1240-177-0x000000000A4E0000-0x000000000A5EA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1240-178-0x000000000A420000-0x000000000A432000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1240-179-0x000000000A480000-0x000000000A4BC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/1240-188-0x000000000C4A0000-0x000000000C9CC000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/1240-181-0x000000000A890000-0x000000000A906000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1240-182-0x000000000AFD0000-0x000000000B062000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1240-183-0x000000000B620000-0x000000000BBC4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1240-184-0x000000000B070000-0x000000000B0D6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1240-185-0x000000000B4B0000-0x000000000B500000-memory.dmp
      Filesize

      320KB

      Download
    • memory/1240-187-0x000000000BDA0000-0x000000000BF62000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/4008-161-0x0000000000BA0000-0x0000000000BAA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4768-167-0x00000000005D0000-0x00000000005DA000-memory.dmp
      Filesize

      40KB

      Download