Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 04:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6c1d2239286fca6747797c6fb69f6f2fa0ebd5ef6bfe45d462b803bf9d6fc094.exe

  • Size

    736KB

  • MD5

    6e52587bf938d0e17a7c8a348ba17add

  • SHA1

    eadcdea094a50f23b3c58009b589487c2bb9c651

  • SHA256

    6c1d2239286fca6747797c6fb69f6f2fa0ebd5ef6bfe45d462b803bf9d6fc094

  • SHA512

    d5f51db624649976c76f0d380e0c254bcc44fa3e73c7ee934ee9ef48310cc5b1d65651d945e9295a32fe15134646a6911d8d30f24d00525481d4d1e87f380a68

  • SSDEEP

    12288:wMrwy90IkrhgHqJh3avllMswqivXpsdO4OZaEE4Q9EXz4JbTdTipwz9u1B:Qyjk/ZkMsw3scZm4E+GfdupGm

Score
10/10
redlinemaxievasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6c1d2239286fca6747797c6fb69f6f2fa0ebd5ef6bfe45d462b803bf9d6fc094.exe
    "C:\Users\Admin\AppData\Local\Temp\6c1d2239286fca6747797c6fb69f6f2fa0ebd5ef6bfe45d462b803bf9d6fc094.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:452
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4541221.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4541221.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:684
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2065349.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2065349.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:812
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1035204.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1035204.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:3600
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2211842.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2211842.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1844
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7260431.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7260431.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:3360
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1956
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 140
              6⤵
              • Program crash
              PID:2000
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8816777.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8816777.exe
          4⤵
          • Executes dropped EXE
          PID:3828
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3360 -ip 3360
    1⤵
      PID:1424

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4541221.exe
      Filesize

      529KB

      MD5

      eb53445c4739d01fc3077cb3b54d324f

      SHA1

      abae5455fd52275076a9500f91ec738ccb85f008

      SHA256

      ab8757c2d43381305a454716e431b9a2948b8d07f3112ae27b55f692df70af34

      SHA512

      89fff97641cea8af34a38864fdfd97e4e6d4d17fb719ca63084cd346f1b3d5e394aab10dbcb54d2e9b542622831e7edb6175acb4bbf51af60b0348293efb2840

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4541221.exe
      Filesize

      529KB

      MD5

      eb53445c4739d01fc3077cb3b54d324f

      SHA1

      abae5455fd52275076a9500f91ec738ccb85f008

      SHA256

      ab8757c2d43381305a454716e431b9a2948b8d07f3112ae27b55f692df70af34

      SHA512

      89fff97641cea8af34a38864fdfd97e4e6d4d17fb719ca63084cd346f1b3d5e394aab10dbcb54d2e9b542622831e7edb6175acb4bbf51af60b0348293efb2840

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2065349.exe
      Filesize

      357KB

      MD5

      e350ad6e9d74a44a3aa322737e8d0be6

      SHA1

      7a2b2dd7e1674d8d2725b3c38ea1b7a39ee769a2

      SHA256

      e006e2c338e5d6f91d92ee2ff04dfc6669550051b9bc8848c0dddbb28a7fc6b9

      SHA512

      b90795da29f59f0e6ee81e147a5a22977bfb1a67432cfdfa1f7e5e610ba9ff4cbf05a05d01ae5467409de976e51d78c47645ee22f778fd8a20449dcae336a558

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2065349.exe
      Filesize

      357KB

      MD5

      e350ad6e9d74a44a3aa322737e8d0be6

      SHA1

      7a2b2dd7e1674d8d2725b3c38ea1b7a39ee769a2

      SHA256

      e006e2c338e5d6f91d92ee2ff04dfc6669550051b9bc8848c0dddbb28a7fc6b9

      SHA512

      b90795da29f59f0e6ee81e147a5a22977bfb1a67432cfdfa1f7e5e610ba9ff4cbf05a05d01ae5467409de976e51d78c47645ee22f778fd8a20449dcae336a558

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8816777.exe
      Filesize

      172KB

      MD5

      b2a0b4c34b13e2293bcf66bb04d40b01

      SHA1

      b9ba6b418eb7d72493cf8e46dcabf99479a771a6

      SHA256

      dc8af301a2b7a4bbd4565736d2814bed2089bc42daefde5565da58a5c11b9335

      SHA512

      6af73c03726acbe5ecfb1666e584f2a50faf08c938d62989a8c8455919c32276936b2a32611ea0673bd46d663c522f5a6bf1931a90f0cb67434541b457d8a9db

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8816777.exe
      Filesize

      172KB

      MD5

      b2a0b4c34b13e2293bcf66bb04d40b01

      SHA1

      b9ba6b418eb7d72493cf8e46dcabf99479a771a6

      SHA256

      dc8af301a2b7a4bbd4565736d2814bed2089bc42daefde5565da58a5c11b9335

      SHA512

      6af73c03726acbe5ecfb1666e584f2a50faf08c938d62989a8c8455919c32276936b2a32611ea0673bd46d663c522f5a6bf1931a90f0cb67434541b457d8a9db

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1035204.exe
      Filesize

      202KB

      MD5

      bf49d51ef08c5f4bd8764ec72c957d97

      SHA1

      928bbc9d79896d329b61914c2f4e1ee28e5510d8

      SHA256

      24a4eafe929c47aad6b83c2f3a763c1bab20bb1ac56d5d6ffa6a6a189093b588

      SHA512

      df394c7d56d07a21220d697fa810dfd6bb157f2078aa367da535c896225c447072177be555bc03bf966f784d356810c0bd94cc4dd2e2f8648f94557915e745d0

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1035204.exe
      Filesize

      202KB

      MD5

      bf49d51ef08c5f4bd8764ec72c957d97

      SHA1

      928bbc9d79896d329b61914c2f4e1ee28e5510d8

      SHA256

      24a4eafe929c47aad6b83c2f3a763c1bab20bb1ac56d5d6ffa6a6a189093b588

      SHA512

      df394c7d56d07a21220d697fa810dfd6bb157f2078aa367da535c896225c447072177be555bc03bf966f784d356810c0bd94cc4dd2e2f8648f94557915e745d0

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2211842.exe
      Filesize

      13KB

      MD5

      c7934b14f844d1036b56c9a9987d3deb

      SHA1

      41e22580f62d08b1a3f35bd31a147b797c9f0365

      SHA256

      a8a80bc88267f6159d0afd6667c2fa351623f37a5940f445fcc31521b0471c96

      SHA512

      6d9513101d3ae1ec943e67d7fe9a331585c6fad8e6aa757f4ca4eff0fc46eaffb8a33e0e5558655220d437f4b37209613d04cdbfba104dfff6f92b8ad6d18fc7

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2211842.exe
      Filesize

      13KB

      MD5

      c7934b14f844d1036b56c9a9987d3deb

      SHA1

      41e22580f62d08b1a3f35bd31a147b797c9f0365

      SHA256

      a8a80bc88267f6159d0afd6667c2fa351623f37a5940f445fcc31521b0471c96

      SHA512

      6d9513101d3ae1ec943e67d7fe9a331585c6fad8e6aa757f4ca4eff0fc46eaffb8a33e0e5558655220d437f4b37209613d04cdbfba104dfff6f92b8ad6d18fc7

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7260431.exe
      Filesize

      117KB

      MD5

      712dbd5f8431c0e3894aa23f1e098704

      SHA1

      05b6820b41c67668bbcb54b6ef6d7ed2010be22f

      SHA256

      1cd70062c53b8caf0f7b5e540b8a01b0c384e96ff4e02bc8ae1b26e263d0b719

      SHA512

      c39131d8e5a108cbe5e67d49a4272e53144c94a87f1abaf7c581a3711fc6fde3e39cf6b740c14037eb9b00229b7f054766e36523758074fe93c733839fe90164

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7260431.exe
      Filesize

      117KB

      MD5

      712dbd5f8431c0e3894aa23f1e098704

      SHA1

      05b6820b41c67668bbcb54b6ef6d7ed2010be22f

      SHA256

      1cd70062c53b8caf0f7b5e540b8a01b0c384e96ff4e02bc8ae1b26e263d0b719

      SHA512

      c39131d8e5a108cbe5e67d49a4272e53144c94a87f1abaf7c581a3711fc6fde3e39cf6b740c14037eb9b00229b7f054766e36523758074fe93c733839fe90164

      Download Submit
    • memory/1844-161-0x0000000000A40000-0x0000000000A4A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1956-167-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3828-175-0x00000000007F0000-0x0000000000820000-memory.dmp
      Filesize

      192KB

      Download
    • memory/3828-176-0x00000000057F0000-0x0000000005E08000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/3828-177-0x00000000052E0000-0x00000000053EA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/3828-178-0x0000000005140000-0x0000000005152000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3828-179-0x00000000051D0000-0x000000000520C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/3828-180-0x00000000051C0000-0x00000000051D0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3828-182-0x00000000051C0000-0x00000000051D0000-memory.dmp
      Filesize

      64KB

      Download