Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    126s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 01:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    47bb8c81f5e779ab01a217714cb444ac59a0c98be91d792d35aac4f84fb443f0.exe

  • Size

    735KB

  • MD5

    7df7f6020c08870cc7fb2650584da149

  • SHA1

    dfc4575f999bf51c071ae28857bffb217bd875d9

  • SHA256

    47bb8c81f5e779ab01a217714cb444ac59a0c98be91d792d35aac4f84fb443f0

  • SHA512

    8ff004797e7b9e379005c138de2b3b963860fcbd1a57ef1735cc9ab59f4274f142b3bcd5e3302bd9f7df8d3c8f2c1bf00689eef104f97635d50f0df44bd9e203

  • SSDEEP

    12288:KMrgy90PIem2BUzewFXCvgL2wiB9mibLVXIaGVM7Ungis7iYgVsmuDQb8H5BBbgG:eyPOUaIC4L2w6J5CkUgis7iYa78Z3bT

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\47bb8c81f5e779ab01a217714cb444ac59a0c98be91d792d35aac4f84fb443f0.exe
    "C:\Users\Admin\AppData\Local\Temp\47bb8c81f5e779ab01a217714cb444ac59a0c98be91d792d35aac4f84fb443f0.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4580
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5546564.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5546564.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4504
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0770827.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0770827.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4668
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8276272.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8276272.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4368
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5063625.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5063625.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4252
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7427421.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7427421.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:4124
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3428
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 140
              6⤵
              • Program crash
              PID:556
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1875728.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1875728.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:224
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4124 -ip 4124
    1⤵
      PID:2016

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5546564.exe
      Filesize

      529KB

      MD5

      9e0c899a8178d2ff98126aa3fc0dc580

      SHA1

      aaf01844d6591b02a8993cc5bf0d9d7b1b2c24d9

      SHA256

      e81542e44d60e283862c183275d327911f80f331585d3b0c1ca7a4010d901318

      SHA512

      5d43adf41438a4772df7ffdc0816d17bec90de92ffd40e8b62aaa76677c55272892732e2867f311877a9e00cd4a899275d392218c9b06251f66e90e8920b5ab1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5546564.exe
      Filesize

      529KB

      MD5

      9e0c899a8178d2ff98126aa3fc0dc580

      SHA1

      aaf01844d6591b02a8993cc5bf0d9d7b1b2c24d9

      SHA256

      e81542e44d60e283862c183275d327911f80f331585d3b0c1ca7a4010d901318

      SHA512

      5d43adf41438a4772df7ffdc0816d17bec90de92ffd40e8b62aaa76677c55272892732e2867f311877a9e00cd4a899275d392218c9b06251f66e90e8920b5ab1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0770827.exe
      Filesize

      357KB

      MD5

      d390f0a55200a978a5c76c650d19da41

      SHA1

      e3a2541a7783e2e60631b17108b1cc4460420890

      SHA256

      730c3299030ab70b0837e0aea63451003336e11738da614408920492fce30d29

      SHA512

      539e81d88ff27a1ba945a57990c643e3073af4797476168e5e761bb605bc0bc6d380351256d4a925b32f3c10d60464e9c2c67390a6887752268547d4d02a8615

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0770827.exe
      Filesize

      357KB

      MD5

      d390f0a55200a978a5c76c650d19da41

      SHA1

      e3a2541a7783e2e60631b17108b1cc4460420890

      SHA256

      730c3299030ab70b0837e0aea63451003336e11738da614408920492fce30d29

      SHA512

      539e81d88ff27a1ba945a57990c643e3073af4797476168e5e761bb605bc0bc6d380351256d4a925b32f3c10d60464e9c2c67390a6887752268547d4d02a8615

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1875728.exe
      Filesize

      172KB

      MD5

      90cd1697bbaf045198d11f4d1972d8fc

      SHA1

      ff3963115e943f348f7ce9e7746cd649f2c8280b

      SHA256

      25d35a2e963d7d2681d25e511831fe4a868d41ed344a3f619b0f097b7427574a

      SHA512

      2f1d98365ec7b3a953d3773232d138aa20aa26cbfe6b91f6b2c4095dfd4ad7925481a293a7eaff780897698f2c846789139e4758f4b5787a952491e5cba45a19

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1875728.exe
      Filesize

      172KB

      MD5

      90cd1697bbaf045198d11f4d1972d8fc

      SHA1

      ff3963115e943f348f7ce9e7746cd649f2c8280b

      SHA256

      25d35a2e963d7d2681d25e511831fe4a868d41ed344a3f619b0f097b7427574a

      SHA512

      2f1d98365ec7b3a953d3773232d138aa20aa26cbfe6b91f6b2c4095dfd4ad7925481a293a7eaff780897698f2c846789139e4758f4b5787a952491e5cba45a19

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8276272.exe
      Filesize

      202KB

      MD5

      d8d142cb141a1791acc45a7e97731871

      SHA1

      a507539e3bf893467c574f0d2601d7855834eaad

      SHA256

      a31eb0c1d85c6894897ea99283b58fef5158b287ac8c33f093fa80d12ac31313

      SHA512

      24b5073a983200ddfa75fbf86b926531fb01f897c864e09d42ca477a717ad9e827741acadb3ba0711f434fd53078f16be80c1c124f93f3096a04efdddcb9a379

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8276272.exe
      Filesize

      202KB

      MD5

      d8d142cb141a1791acc45a7e97731871

      SHA1

      a507539e3bf893467c574f0d2601d7855834eaad

      SHA256

      a31eb0c1d85c6894897ea99283b58fef5158b287ac8c33f093fa80d12ac31313

      SHA512

      24b5073a983200ddfa75fbf86b926531fb01f897c864e09d42ca477a717ad9e827741acadb3ba0711f434fd53078f16be80c1c124f93f3096a04efdddcb9a379

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5063625.exe
      Filesize

      13KB

      MD5

      16352b42517bc0e9d0582ef5aaa546fb

      SHA1

      f95f4127f6fc1caaafa0334c7522b2af2dbcdb5c

      SHA256

      36bfef347c8ed554d265daaae65e9289392487ebe4157f7cbe86a5fb44aacd27

      SHA512

      0b5151c5ba00e72e7c4a01b8b93d93bcd970dc204c0a8dad3df58a09c2a88517dc0c925bc755279e3e033aa17d84a40a3955e58f52576aca9b9adf4329c35b48

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5063625.exe
      Filesize

      13KB

      MD5

      16352b42517bc0e9d0582ef5aaa546fb

      SHA1

      f95f4127f6fc1caaafa0334c7522b2af2dbcdb5c

      SHA256

      36bfef347c8ed554d265daaae65e9289392487ebe4157f7cbe86a5fb44aacd27

      SHA512

      0b5151c5ba00e72e7c4a01b8b93d93bcd970dc204c0a8dad3df58a09c2a88517dc0c925bc755279e3e033aa17d84a40a3955e58f52576aca9b9adf4329c35b48

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7427421.exe
      Filesize

      117KB

      MD5

      14457a02c016aa574ab87c43d654ddd8

      SHA1

      4c54bc12e5ecac39cbdcde4f31b86a30fd9165df

      SHA256

      4cd4af00bb16de3804cc4dde683dab9a02663cdb13e2778451ebbbfe672ba8aa

      SHA512

      019f3fb0c2b39d82a29f35a1a710d58fcd7e798d2af3db912db64fcc482548c663ac2038e55f01358f64f330e839d8ef9942cabd2d9e2e75a802fe479fdb3c7a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7427421.exe
      Filesize

      117KB

      MD5

      14457a02c016aa574ab87c43d654ddd8

      SHA1

      4c54bc12e5ecac39cbdcde4f31b86a30fd9165df

      SHA256

      4cd4af00bb16de3804cc4dde683dab9a02663cdb13e2778451ebbbfe672ba8aa

      SHA512

      019f3fb0c2b39d82a29f35a1a710d58fcd7e798d2af3db912db64fcc482548c663ac2038e55f01358f64f330e839d8ef9942cabd2d9e2e75a802fe479fdb3c7a

      Download Submit

    • memory/224-175-0x00000000007B0000-0x00000000007E0000-memory.dmp

      Filesize

      192KB

      Download

    • memory/224-180-0x000000000A5A0000-0x000000000A5DC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/224-189-0x000000000BEC0000-0x000000000BF10000-memory.dmp

      Filesize

      320KB

      Download

    • memory/224-176-0x000000000AB40000-0x000000000B158000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/224-177-0x000000000A630000-0x000000000A73A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/224-178-0x000000000A540000-0x000000000A552000-memory.dmp

      Filesize

      72KB

      Download

    • memory/224-179-0x0000000005190000-0x00000000051A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/224-188-0x0000000005190000-0x00000000051A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/224-181-0x000000000A8A0000-0x000000000A916000-memory.dmp

      Filesize

      472KB

      Download

    • memory/224-182-0x000000000A9C0000-0x000000000AA52000-memory.dmp

      Filesize

      584KB

      Download

    • memory/224-183-0x000000000B710000-0x000000000BCB4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/224-184-0x000000000AA60000-0x000000000AAC6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/224-185-0x000000000BF90000-0x000000000C152000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/224-186-0x000000000C690000-0x000000000CBBC000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/3428-167-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4252-161-0x0000000000550000-0x000000000055A000-memory.dmp

      Filesize

      40KB

      Download