Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    159s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 03:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21c1e6299e8c8de036ebdaad8e421c7d1331f50e7e9120d598b3de264384c11a.exe

  • Size

    735KB

  • MD5

    70b52288025114add1c4e6b42f84c0bb

  • SHA1

    e7fc0921f0b4443e32903383f775a60269a5f1c3

  • SHA256

    21c1e6299e8c8de036ebdaad8e421c7d1331f50e7e9120d598b3de264384c11a

  • SHA512

    c59a4c64563b895b88d89618431d3ebf89a22b6bcf1ca0b91d4e969c08883c7d7421f7944c4922a987d94a68ea350805b8ffc091813b907fdc8209e1eec26a43

  • SSDEEP

    12288:MMrgy90Fvs8R2S6b65afKr1fd9tFKwbG61As0DUZIeIhBCAEXPJxIHYTuHiuvVW:8yUdR2rMBfdrNiNeIuPfwHYTiw

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21c1e6299e8c8de036ebdaad8e421c7d1331f50e7e9120d598b3de264384c11a.exe
    "C:\Users\Admin\AppData\Local\Temp\21c1e6299e8c8de036ebdaad8e421c7d1331f50e7e9120d598b3de264384c11a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1436
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4144848.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4144848.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3928
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5476553.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5476553.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3384
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3022194.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3022194.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:3352
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5975713.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5975713.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4876
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8173177.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8173177.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2468
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1752
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 140
              6⤵
              • Program crash
              PID:4836
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4692091.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4692091.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3860
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2468 -ip 2468
    1⤵
      PID:2524

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4144848.exe
      Filesize

      529KB

      MD5

      f4d77473cb99178ae89b51f75363e2a4

      SHA1

      805b5b92a372144af14c5174bf3da224c2df15ff

      SHA256

      c67804f9f5932c9c8e054447a0ba3a1af130a5e9a73cb1a9e4d5015bb3e8ba3d

      SHA512

      dfa25b4595c4af030d86fa4c99c6d8b5d8e10a7b83187cce5efbc65fb4a9278d0133d7015624ad6eede20707035e97d311cf93d33fd9ecce93f49ef1febf669a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4144848.exe
      Filesize

      529KB

      MD5

      f4d77473cb99178ae89b51f75363e2a4

      SHA1

      805b5b92a372144af14c5174bf3da224c2df15ff

      SHA256

      c67804f9f5932c9c8e054447a0ba3a1af130a5e9a73cb1a9e4d5015bb3e8ba3d

      SHA512

      dfa25b4595c4af030d86fa4c99c6d8b5d8e10a7b83187cce5efbc65fb4a9278d0133d7015624ad6eede20707035e97d311cf93d33fd9ecce93f49ef1febf669a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5476553.exe
      Filesize

      357KB

      MD5

      54cce095b6582596d828607081f17e56

      SHA1

      351810afae4f9f2b9cf8d38b6b11193a579486c5

      SHA256

      3ae22335a18d293348ba94bb0090854bcba4d6724b445497d833ec68eb4d8c06

      SHA512

      696de3dc1a1634323d78fad88cf1a173159929a8d861464adcda9fa8dd07135637531e2898d146f927813f8e600ab240b000d23488e140fa91edb94851acf6e3

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5476553.exe
      Filesize

      357KB

      MD5

      54cce095b6582596d828607081f17e56

      SHA1

      351810afae4f9f2b9cf8d38b6b11193a579486c5

      SHA256

      3ae22335a18d293348ba94bb0090854bcba4d6724b445497d833ec68eb4d8c06

      SHA512

      696de3dc1a1634323d78fad88cf1a173159929a8d861464adcda9fa8dd07135637531e2898d146f927813f8e600ab240b000d23488e140fa91edb94851acf6e3

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4692091.exe
      Filesize

      172KB

      MD5

      9689ddcedf6c06b1dadff507da031b16

      SHA1

      ba7ae4dd9462ef95f8f85c43858607b1c3494aa3

      SHA256

      2114b71e12dc4271617819ad8c8555ad1f9290e662bf7f267172c3c3494effc8

      SHA512

      5a44d8873217de26cfc76712f8383291b7a9e95979e64e21476ab9294cc81dc03c0a512faf8b7ce0650197d61ba622f801bba3a490855a1db1cc49fbc5da327e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4692091.exe
      Filesize

      172KB

      MD5

      9689ddcedf6c06b1dadff507da031b16

      SHA1

      ba7ae4dd9462ef95f8f85c43858607b1c3494aa3

      SHA256

      2114b71e12dc4271617819ad8c8555ad1f9290e662bf7f267172c3c3494effc8

      SHA512

      5a44d8873217de26cfc76712f8383291b7a9e95979e64e21476ab9294cc81dc03c0a512faf8b7ce0650197d61ba622f801bba3a490855a1db1cc49fbc5da327e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3022194.exe
      Filesize

      202KB

      MD5

      eafd429fb38131604dbd3e4eb765407c

      SHA1

      37df1ea55e13779e0da4fedd17a2b67e037734a9

      SHA256

      2ebba14dc3f49c87f9285e69c0ab0a76a2a9394186cbaea882e1cce7435816de

      SHA512

      73a6f7762f7bd6e0515762d3525905073dc5e54a044172d0752f0e30472bfb284ceb86a3672795ddf0eec6e994f77c4f9af2448ee391f72619ae1e12099c8f37

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3022194.exe
      Filesize

      202KB

      MD5

      eafd429fb38131604dbd3e4eb765407c

      SHA1

      37df1ea55e13779e0da4fedd17a2b67e037734a9

      SHA256

      2ebba14dc3f49c87f9285e69c0ab0a76a2a9394186cbaea882e1cce7435816de

      SHA512

      73a6f7762f7bd6e0515762d3525905073dc5e54a044172d0752f0e30472bfb284ceb86a3672795ddf0eec6e994f77c4f9af2448ee391f72619ae1e12099c8f37

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5975713.exe
      Filesize

      13KB

      MD5

      ac63fb443a266e25c73186787f4518a4

      SHA1

      7f991ca15be08030d98275620663904e17bd2fa3

      SHA256

      eb85c51cde88042561254ef31c73e666ac421b505f41e104eca54b0e716b5f4b

      SHA512

      8ae90e9e394ac3f386ca9d773e1f52cb3cdce1e7c963284cda184b6147738c157d45feae13cf01025b7a59c5c2703dac8318afb6f6c5c6763350e8b581c1f499

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5975713.exe
      Filesize

      13KB

      MD5

      ac63fb443a266e25c73186787f4518a4

      SHA1

      7f991ca15be08030d98275620663904e17bd2fa3

      SHA256

      eb85c51cde88042561254ef31c73e666ac421b505f41e104eca54b0e716b5f4b

      SHA512

      8ae90e9e394ac3f386ca9d773e1f52cb3cdce1e7c963284cda184b6147738c157d45feae13cf01025b7a59c5c2703dac8318afb6f6c5c6763350e8b581c1f499

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8173177.exe
      Filesize

      117KB

      MD5

      5d2f7a95e523fdd93c3f02a80a72c558

      SHA1

      49986e977887312f454c68427837784ad3250f6e

      SHA256

      4e1a09811d9bc779f622ba3b62d59f151a578403a9ad812002d7d0c90fb76da8

      SHA512

      4d44cddcdbd7dd90f59f78dda8164bde3cc76fd3562b8d7b75a8e85153a3963ab83aa1b8a51858db7e39a22b108bafe7031ac65bc56becf24d83d87faee8978a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8173177.exe
      Filesize

      117KB

      MD5

      5d2f7a95e523fdd93c3f02a80a72c558

      SHA1

      49986e977887312f454c68427837784ad3250f6e

      SHA256

      4e1a09811d9bc779f622ba3b62d59f151a578403a9ad812002d7d0c90fb76da8

      SHA512

      4d44cddcdbd7dd90f59f78dda8164bde3cc76fd3562b8d7b75a8e85153a3963ab83aa1b8a51858db7e39a22b108bafe7031ac65bc56becf24d83d87faee8978a

      Download Submit
    • memory/1752-168-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3860-176-0x0000000000520000-0x0000000000550000-memory.dmp
      Filesize

      192KB

      Download
    • memory/3860-182-0x000000000A610000-0x000000000A686000-memory.dmp
      Filesize

      472KB

      Download
    • memory/3860-177-0x000000000A840000-0x000000000AE58000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/3860-178-0x000000000A360000-0x000000000A46A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/3860-179-0x000000000A2A0000-0x000000000A2B2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3860-180-0x0000000004D90000-0x0000000004DA0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3860-181-0x000000000A300000-0x000000000A33C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/3860-190-0x000000000B460000-0x000000000B4B0000-memory.dmp
      Filesize

      320KB

      Download
    • memory/3860-183-0x000000000AE60000-0x000000000AEF2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3860-184-0x000000000B4B0000-0x000000000BA54000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3860-185-0x000000000AF00000-0x000000000AF66000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3860-186-0x000000000BA60000-0x000000000BC22000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/3860-188-0x000000000C160000-0x000000000C68C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/3860-189-0x0000000004D90000-0x0000000004DA0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4876-162-0x0000000000090000-0x000000000009A000-memory.dmp
      Filesize

      40KB

      Download