Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 22:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a0bf2e9cda112a33e01e538a27e0eeffee84dfd1e71edcf063ba591b992a4670.exe

  • Size

    716KB

  • MD5

    406c5556d8c40ba45aa8e0384cda586e

  • SHA1

    fdc42dfc3f5f0d391529c410162e71995cbc481d

  • SHA256

    a0bf2e9cda112a33e01e538a27e0eeffee84dfd1e71edcf063ba591b992a4670

  • SHA512

    4ff29899e5dfee2f409d58fc864beb826899e0aa5b99ec30062c1bce09a9ca885d53ccc50e17b832eea5336de297dcd81bbaf04c6222fffef2a5429c2b1456de

  • SSDEEP

    12288:5MrFy90AKLb99P6XbZdpNVkzsCzrbXGVoy/apDu:sysb8ZLNVkzsCzPvyP

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a0bf2e9cda112a33e01e538a27e0eeffee84dfd1e71edcf063ba591b992a4670.exe
    "C:\Users\Admin\AppData\Local\Temp\a0bf2e9cda112a33e01e538a27e0eeffee84dfd1e71edcf063ba591b992a4670.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8546992.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8546992.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1968
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2277681.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2277681.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2436
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3381671.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3381671.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4520
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5126794.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5126794.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4032
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7073516.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7073516.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:4512
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1576
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 220
              6⤵
              • Program crash
              PID:1956
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9839190.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9839190.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3384
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4512 -ip 4512
    1⤵
      PID:100

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8546992.exe
      Filesize

      523KB

      MD5

      ed4c3fa0d0fe838f1baae7fc8c05da8b

      SHA1

      4c745ef744e9054b39881359f85de74cf77221e7

      SHA256

      94aa709a4b01424a69f781fcd3c2550f41266a2b9fe154cabebe59b257a16063

      SHA512

      8a77ef5326f30e1d95d87cee6d104b954cd6de59adfb5ee1aaefd7212c6985c2d2b74699f0ccd3b742f2da49d85ecb4c0c644894a433af04dfbf8790d39bef2f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8546992.exe
      Filesize

      523KB

      MD5

      ed4c3fa0d0fe838f1baae7fc8c05da8b

      SHA1

      4c745ef744e9054b39881359f85de74cf77221e7

      SHA256

      94aa709a4b01424a69f781fcd3c2550f41266a2b9fe154cabebe59b257a16063

      SHA512

      8a77ef5326f30e1d95d87cee6d104b954cd6de59adfb5ee1aaefd7212c6985c2d2b74699f0ccd3b742f2da49d85ecb4c0c644894a433af04dfbf8790d39bef2f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2277681.exe
      Filesize

      351KB

      MD5

      34acbaf6480cdbfe0b640805398f4c37

      SHA1

      f18722c5b6df9eae69f9b00d75e278014c8ccfe0

      SHA256

      43a283d8f76436f4aea972597cec5a133b3ddbf0dcfec9a11cf6928de3c19184

      SHA512

      3f127e87271a88346d29dbcc12efd02ff148276d60866b4cf5466c2f97f2f223cf821d3754615e0bb100ca002eebd8d02aec5d77fb3215b3d60f37d573de3cbf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2277681.exe
      Filesize

      351KB

      MD5

      34acbaf6480cdbfe0b640805398f4c37

      SHA1

      f18722c5b6df9eae69f9b00d75e278014c8ccfe0

      SHA256

      43a283d8f76436f4aea972597cec5a133b3ddbf0dcfec9a11cf6928de3c19184

      SHA512

      3f127e87271a88346d29dbcc12efd02ff148276d60866b4cf5466c2f97f2f223cf821d3754615e0bb100ca002eebd8d02aec5d77fb3215b3d60f37d573de3cbf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9839190.exe
      Filesize

      172KB

      MD5

      d29ce149b28ddd90ed4f555db80a62be

      SHA1

      5787eb3af832f9bb474a03af765bd3b84cc008f9

      SHA256

      5fd7843800900acdc7ea0b2a32a0748c54c1c519a948e61d8e89dbd1fb7069d6

      SHA512

      2d293aa9c7b26d9c1756b0c9d21747c3106f24ed05571523ea235ef78dda6fe7b4fe4ea4bf34cdb32f0f170706bddc0e1a0e34d3621eb9382f240feebdc52adc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9839190.exe
      Filesize

      172KB

      MD5

      d29ce149b28ddd90ed4f555db80a62be

      SHA1

      5787eb3af832f9bb474a03af765bd3b84cc008f9

      SHA256

      5fd7843800900acdc7ea0b2a32a0748c54c1c519a948e61d8e89dbd1fb7069d6

      SHA512

      2d293aa9c7b26d9c1756b0c9d21747c3106f24ed05571523ea235ef78dda6fe7b4fe4ea4bf34cdb32f0f170706bddc0e1a0e34d3621eb9382f240feebdc52adc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3381671.exe
      Filesize

      196KB

      MD5

      0963c88bd06b1b1c831ad632d475e1af

      SHA1

      df34621659ec6ba01e06d048dd28f2d62395151e

      SHA256

      1aca2328156a8a841fe0dd49a0761e08f8c0feb8e15990ab44ba6a68c6aa2688

      SHA512

      ebd9b7ae085e1cbcbed18a3a3c9b6447490483d9fe271bdd504947d53652db5214e42134afe3df778d9462eacf603912e5e4153b684c1526a9bb851e7386e857

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3381671.exe
      Filesize

      196KB

      MD5

      0963c88bd06b1b1c831ad632d475e1af

      SHA1

      df34621659ec6ba01e06d048dd28f2d62395151e

      SHA256

      1aca2328156a8a841fe0dd49a0761e08f8c0feb8e15990ab44ba6a68c6aa2688

      SHA512

      ebd9b7ae085e1cbcbed18a3a3c9b6447490483d9fe271bdd504947d53652db5214e42134afe3df778d9462eacf603912e5e4153b684c1526a9bb851e7386e857

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5126794.exe
      Filesize

      14KB

      MD5

      c07d66690f9a8e25e09db3e1aa38d0b6

      SHA1

      0d6771353c0943bfff56d970aad61b6f859282ee

      SHA256

      0516e9acdae728f4b635e15f73ecd8dc44358416b77c41155974a75ffb69b302

      SHA512

      9cc37bd721b691db2f8ed34092e237aa52683746e4c34193c0dd2d24b566b3fceb9ac419b30698a94f1c31aec6fb0b53af5e19ce5e6cfccd1ee346f77a72ca9c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5126794.exe
      Filesize

      14KB

      MD5

      c07d66690f9a8e25e09db3e1aa38d0b6

      SHA1

      0d6771353c0943bfff56d970aad61b6f859282ee

      SHA256

      0516e9acdae728f4b635e15f73ecd8dc44358416b77c41155974a75ffb69b302

      SHA512

      9cc37bd721b691db2f8ed34092e237aa52683746e4c34193c0dd2d24b566b3fceb9ac419b30698a94f1c31aec6fb0b53af5e19ce5e6cfccd1ee346f77a72ca9c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7073516.exe
      Filesize

      100KB

      MD5

      4b7d470dbe19739036bf3e25df5a925d

      SHA1

      7b1f65ff53124a156157ff2733789d6152f2627a

      SHA256

      1d30a600fca53187b39cfdf8b670a975bfd5b70f908943d5a73b2ea2d714eb29

      SHA512

      00f54bfa706fcb16e792313742b6d9253f4300896f8f7e7cb5fe797cec2216db2548a40826aedb9dc680489fb286490bab87e10ffa89b21afe7285071bfbd446

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7073516.exe
      Filesize

      100KB

      MD5

      4b7d470dbe19739036bf3e25df5a925d

      SHA1

      7b1f65ff53124a156157ff2733789d6152f2627a

      SHA256

      1d30a600fca53187b39cfdf8b670a975bfd5b70f908943d5a73b2ea2d714eb29

      SHA512

      00f54bfa706fcb16e792313742b6d9253f4300896f8f7e7cb5fe797cec2216db2548a40826aedb9dc680489fb286490bab87e10ffa89b21afe7285071bfbd446

      Download Submit

    • memory/1576-167-0x0000000000240000-0x000000000024A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3384-175-0x00000000003A0000-0x00000000003D0000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3384-181-0x000000000A5D0000-0x000000000A646000-memory.dmp

      Filesize

      472KB

      Download

    • memory/3384-176-0x000000000A7E0000-0x000000000ADF8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3384-177-0x000000000A320000-0x000000000A42A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3384-178-0x000000000A260000-0x000000000A272000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3384-179-0x000000000A2C0000-0x000000000A2FC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3384-180-0x0000000004D30000-0x0000000004D40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3384-189-0x000000000BD00000-0x000000000BD50000-memory.dmp

      Filesize

      320KB

      Download

    • memory/3384-182-0x000000000A6F0000-0x000000000A782000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3384-183-0x000000000B3B0000-0x000000000B954000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3384-184-0x000000000AE70000-0x000000000AED6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3384-185-0x000000000BB30000-0x000000000BCF2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3384-186-0x000000000C230000-0x000000000C75C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/3384-188-0x0000000004D30000-0x0000000004D40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4032-161-0x0000000000330000-0x000000000033A000-memory.dmp

      Filesize

      40KB

      Download