Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 02:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    19ac755988d43e7a2f5dbb350f42f1b10e2b87769d648fb292b70f711af21945.exe

  • Size

    735KB

  • MD5

    b909e9c251c601a63028d59aa2974f19

  • SHA1

    18300fd5e3c42c23d3bc3af68e547f2e23b47813

  • SHA256

    19ac755988d43e7a2f5dbb350f42f1b10e2b87769d648fb292b70f711af21945

  • SHA512

    4ac4e05cb20b0cafc198df9d5747910f255873769fe6641b30fb2e4412769e19b26ba87ea75f71f86a2d3a70ae846950eee61b531543a3f3585008807946cbb8

  • SSDEEP

    12288:OMrey90NrpOKgGa7D2nf5h/WAbrNBnF98pMj+7fZQZ0Crd3mRuZIQO:kygCGnOAbrvb8p/7fZQm82AqQO

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\19ac755988d43e7a2f5dbb350f42f1b10e2b87769d648fb292b70f711af21945.exe
    "C:\Users\Admin\AppData\Local\Temp\19ac755988d43e7a2f5dbb350f42f1b10e2b87769d648fb292b70f711af21945.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4340
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1082707.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1082707.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3088
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5771530.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5771530.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4448
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5402290.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5402290.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4708
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6710118.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6710118.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4648
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9790388.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9790388.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:632
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3804
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 572
              6⤵
              • Program crash
              PID:3460
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7682281.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7682281.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:312
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 632 -ip 632
    1⤵
      PID:3872

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1082707.exe
      Filesize

      529KB

      MD5

      5a7d170f1dc2a1f663e989d824b2111d

      SHA1

      15892b12f9d8e60506a902f15ed20e8c2639e73e

      SHA256

      68b926a68381c91cad73b47ab3baad29831800ad9897e4a2589957ca56aa52c8

      SHA512

      8e080a0d1b111603a2eff4ed1b3a199084dfe593db6cffa3c94ea3f12551731356d8bae44236bf5b5e301913d0f8191d992f99e0bb5a443a5855bc3a0dac6cc2

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1082707.exe
      Filesize

      529KB

      MD5

      5a7d170f1dc2a1f663e989d824b2111d

      SHA1

      15892b12f9d8e60506a902f15ed20e8c2639e73e

      SHA256

      68b926a68381c91cad73b47ab3baad29831800ad9897e4a2589957ca56aa52c8

      SHA512

      8e080a0d1b111603a2eff4ed1b3a199084dfe593db6cffa3c94ea3f12551731356d8bae44236bf5b5e301913d0f8191d992f99e0bb5a443a5855bc3a0dac6cc2

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5771530.exe
      Filesize

      357KB

      MD5

      8cfab03f14da1ec7bec9ba8e5e7e383f

      SHA1

      bb37d2b73ea3274e655497dde453f5f3d3b3ffee

      SHA256

      779081bf470254428307aa265f8d53ade6c1a0f263a16eb6ea91dd217f35119e

      SHA512

      723a591a7b4f0797630ea32e22a8690faed34d3cbcb3aea91aaffddccc41e7133a2aabfd446359b8aac1375c0add46e6791ca6ee75e70e721abf986d8793b9f9

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5771530.exe
      Filesize

      357KB

      MD5

      8cfab03f14da1ec7bec9ba8e5e7e383f

      SHA1

      bb37d2b73ea3274e655497dde453f5f3d3b3ffee

      SHA256

      779081bf470254428307aa265f8d53ade6c1a0f263a16eb6ea91dd217f35119e

      SHA512

      723a591a7b4f0797630ea32e22a8690faed34d3cbcb3aea91aaffddccc41e7133a2aabfd446359b8aac1375c0add46e6791ca6ee75e70e721abf986d8793b9f9

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7682281.exe
      Filesize

      172KB

      MD5

      6f7bd36876d5e6f248c5728fa46bbf56

      SHA1

      390663636db202e2c158b72f9014b1106ccd7c9f

      SHA256

      0cdd37d4274d3a9f9444932507d662fda0ed58d4752c05860e4f2aae8e320603

      SHA512

      107bb342e2f89b20489a1d5e52074c9381082c3d477154fc70054701242582b6bb0a0adfa536817014a6919ca6875203a5c1dbaaeb225c5cf97c07c78461c3c8

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7682281.exe
      Filesize

      172KB

      MD5

      6f7bd36876d5e6f248c5728fa46bbf56

      SHA1

      390663636db202e2c158b72f9014b1106ccd7c9f

      SHA256

      0cdd37d4274d3a9f9444932507d662fda0ed58d4752c05860e4f2aae8e320603

      SHA512

      107bb342e2f89b20489a1d5e52074c9381082c3d477154fc70054701242582b6bb0a0adfa536817014a6919ca6875203a5c1dbaaeb225c5cf97c07c78461c3c8

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5402290.exe
      Filesize

      202KB

      MD5

      65cd0eab17f71804e39f8eead4a9f311

      SHA1

      bd90a868a4de06e07351b91961cc2637f5002089

      SHA256

      3826c8e755841406af26abf829c2806428a5ccd038602be4579f54c66aca7809

      SHA512

      f4089505186962a36622daed8efcdec71cb32ef5a6cb30a577aaffa20213feacb3d74dd0fd91148e94aae4ac45f1594899deed1e7af3a6b9af8c2e6c376c40be

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5402290.exe
      Filesize

      202KB

      MD5

      65cd0eab17f71804e39f8eead4a9f311

      SHA1

      bd90a868a4de06e07351b91961cc2637f5002089

      SHA256

      3826c8e755841406af26abf829c2806428a5ccd038602be4579f54c66aca7809

      SHA512

      f4089505186962a36622daed8efcdec71cb32ef5a6cb30a577aaffa20213feacb3d74dd0fd91148e94aae4ac45f1594899deed1e7af3a6b9af8c2e6c376c40be

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6710118.exe
      Filesize

      13KB

      MD5

      dc159fb79c3d3dc53699a33e00641c4f

      SHA1

      19727096e63b8219f29cc8057c0398e581ec5f29

      SHA256

      4a662ac61de46d8ba17ea917ecaa3676f649b9de66836931a5368f31f9895baf

      SHA512

      0dad2886b358f38e53ad89b89d5aa51942a8860c41b4666a6afe44a9bd3aeef218b2eb1c2fe27276a564a4b9472d8f1427e48b7ba37a9aa9d1e4c767e8b5492b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6710118.exe
      Filesize

      13KB

      MD5

      dc159fb79c3d3dc53699a33e00641c4f

      SHA1

      19727096e63b8219f29cc8057c0398e581ec5f29

      SHA256

      4a662ac61de46d8ba17ea917ecaa3676f649b9de66836931a5368f31f9895baf

      SHA512

      0dad2886b358f38e53ad89b89d5aa51942a8860c41b4666a6afe44a9bd3aeef218b2eb1c2fe27276a564a4b9472d8f1427e48b7ba37a9aa9d1e4c767e8b5492b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9790388.exe
      Filesize

      117KB

      MD5

      e70fced11f2f1510550cc78f61d45473

      SHA1

      b1a9e5b5f53fc4b40915359ebaa335757319a137

      SHA256

      51e5077848653103fd198364fd2f6483f3a96ddb4db62847844c7578b1e6a5fb

      SHA512

      657171ffd77c44ecfb62e10c63fe1d21b2c491988675322954bf288af30d7d47e1545066424627115b6536af821b581e2edad3b024be29903df60dc7448c86f4

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9790388.exe
      Filesize

      117KB

      MD5

      e70fced11f2f1510550cc78f61d45473

      SHA1

      b1a9e5b5f53fc4b40915359ebaa335757319a137

      SHA256

      51e5077848653103fd198364fd2f6483f3a96ddb4db62847844c7578b1e6a5fb

      SHA512

      657171ffd77c44ecfb62e10c63fe1d21b2c491988675322954bf288af30d7d47e1545066424627115b6536af821b581e2edad3b024be29903df60dc7448c86f4

      Download Submit
    • memory/312-175-0x0000000000C70000-0x0000000000CA0000-memory.dmp
      Filesize

      192KB

      Download
    • memory/312-180-0x00000000055B0000-0x00000000055C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/312-189-0x000000000BDD0000-0x000000000BE20000-memory.dmp
      Filesize

      320KB

      Download
    • memory/312-176-0x000000000B070000-0x000000000B688000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/312-177-0x000000000ABF0000-0x000000000ACFA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/312-178-0x000000000AB30000-0x000000000AB42000-memory.dmp
      Filesize

      72KB

      Download
    • memory/312-179-0x000000000AB90000-0x000000000ABCC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/312-188-0x00000000055B0000-0x00000000055C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/312-181-0x000000000AEA0000-0x000000000AF16000-memory.dmp
      Filesize

      472KB

      Download
    • memory/312-182-0x000000000AFC0000-0x000000000B052000-memory.dmp
      Filesize

      584KB

      Download
    • memory/312-183-0x000000000AF20000-0x000000000AF86000-memory.dmp
      Filesize

      408KB

      Download
    • memory/312-184-0x000000000C080000-0x000000000C624000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/312-186-0x000000000C630000-0x000000000C7F2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/312-187-0x000000000CD30000-0x000000000D25C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/3804-167-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4648-161-0x0000000000390000-0x000000000039A000-memory.dmp
      Filesize

      40KB

      Download