Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    85s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 03:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    81768de38ce302d10041c419691a4181c1a26d7bf2b05c94919b277bd91ffd04.exe

  • Size

    735KB

  • MD5

    aeeb8a5443318465235ee20862092762

  • SHA1

    c0fb85a50c87a11203c3429bf626ae596536aaa5

  • SHA256

    81768de38ce302d10041c419691a4181c1a26d7bf2b05c94919b277bd91ffd04

  • SHA512

    885274d14d2444925097e477769e588fba1849054063c203318ad3f0137a13871d15fb65b88c8ab5c736c3e25ae1111b640ba1c4e148ea2207cd86d5f2331241

  • SSDEEP

    12288:oMrSy90HBrqo+p6zX3rW70nIjafx8qozQV626QRB2qiFVqFO/2tsiWm:ayKpnPLfx8J8V62av+OOtDWm

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\81768de38ce302d10041c419691a4181c1a26d7bf2b05c94919b277bd91ffd04.exe
    "C:\Users\Admin\AppData\Local\Temp\81768de38ce302d10041c419691a4181c1a26d7bf2b05c94919b277bd91ffd04.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2312
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5934584.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5934584.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1380
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1989329.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1989329.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2168
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3955544.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3955544.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2504
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6655497.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6655497.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2112
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1486320.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1486320.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:3428
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2020
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 140
              6⤵
              • Program crash
              PID:1448
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8573938.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8573938.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:308
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3428 -ip 3428
    1⤵
      PID:3436

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5934584.exe
      Filesize

      530KB

      MD5

      c5f01eb78c15ae4005b45c1d7560414f

      SHA1

      f2c58499c2c63b446caa6057f3765cf0f53fc112

      SHA256

      2c76f7057f321b206cfb5b2311f125729dce5cb7ad1988ac45649b93db6b023f

      SHA512

      6e77a650d2bf51a3963ddd9ca4c777b7765320b8db9f4070582c38e16262d66d4be5b1453a13862e2bcd05cfb7deb5356da1d36f11297912d4d9234b53548cfb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5934584.exe
      Filesize

      530KB

      MD5

      c5f01eb78c15ae4005b45c1d7560414f

      SHA1

      f2c58499c2c63b446caa6057f3765cf0f53fc112

      SHA256

      2c76f7057f321b206cfb5b2311f125729dce5cb7ad1988ac45649b93db6b023f

      SHA512

      6e77a650d2bf51a3963ddd9ca4c777b7765320b8db9f4070582c38e16262d66d4be5b1453a13862e2bcd05cfb7deb5356da1d36f11297912d4d9234b53548cfb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1989329.exe
      Filesize

      357KB

      MD5

      1547ddfd2e93ed7d208c73215f18f84c

      SHA1

      f1d1195a83cf0a91c34698c85b681699354e1136

      SHA256

      ceff4b11caed895ffe77fe95407ce959d7e39e0f84b538dc0d57f926a99ec43b

      SHA512

      b255e0b6814d1f1dafb9c7971e2db706c0bf862ca9a70f5544b6568a5a2d381740f3e75cf11dea208fedb34cc7041358f7f2cc464529c92d6984f3ac8a72938e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1989329.exe
      Filesize

      357KB

      MD5

      1547ddfd2e93ed7d208c73215f18f84c

      SHA1

      f1d1195a83cf0a91c34698c85b681699354e1136

      SHA256

      ceff4b11caed895ffe77fe95407ce959d7e39e0f84b538dc0d57f926a99ec43b

      SHA512

      b255e0b6814d1f1dafb9c7971e2db706c0bf862ca9a70f5544b6568a5a2d381740f3e75cf11dea208fedb34cc7041358f7f2cc464529c92d6984f3ac8a72938e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8573938.exe
      Filesize

      172KB

      MD5

      84727ed31ac0bfa4a57af897271fadff

      SHA1

      ace03c88c4740d3d580e4097a873195a2e8475b0

      SHA256

      5c4dbd288bb71c6f03e8ad78150b0775502d15419f84fb1c9559a6e9418a30bf

      SHA512

      80e68a6b83fe136a34aae0f2232973ecd6cbaa2770c9c919f7c73cfedd22f6af4c29e2f55732a17a78568e2906c0d2425df2ea99f03a97e75686bb2c5a4b00fc

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8573938.exe
      Filesize

      172KB

      MD5

      84727ed31ac0bfa4a57af897271fadff

      SHA1

      ace03c88c4740d3d580e4097a873195a2e8475b0

      SHA256

      5c4dbd288bb71c6f03e8ad78150b0775502d15419f84fb1c9559a6e9418a30bf

      SHA512

      80e68a6b83fe136a34aae0f2232973ecd6cbaa2770c9c919f7c73cfedd22f6af4c29e2f55732a17a78568e2906c0d2425df2ea99f03a97e75686bb2c5a4b00fc

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3955544.exe
      Filesize

      202KB

      MD5

      f382081437fa69dc0473fd147a359d41

      SHA1

      849f6e855c25134f8338a9787d1278cc06af29c4

      SHA256

      7107e92647a1e19b057d85ff922f7628a3cebb88551be4e5eaeec79bba1a268d

      SHA512

      3eb0fda2e3ecb2ed6074ae10b0e5fb24c1cb35f440be3fd21e21b536bc59c5b39d807f5c6bdc9777f2538ee9c660948d005fdbfff007a38622039694b8964c61

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3955544.exe
      Filesize

      202KB

      MD5

      f382081437fa69dc0473fd147a359d41

      SHA1

      849f6e855c25134f8338a9787d1278cc06af29c4

      SHA256

      7107e92647a1e19b057d85ff922f7628a3cebb88551be4e5eaeec79bba1a268d

      SHA512

      3eb0fda2e3ecb2ed6074ae10b0e5fb24c1cb35f440be3fd21e21b536bc59c5b39d807f5c6bdc9777f2538ee9c660948d005fdbfff007a38622039694b8964c61

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6655497.exe
      Filesize

      13KB

      MD5

      cf4f11298c393d7687009410b8f138c7

      SHA1

      9e6419ba345df7ffe7af1e62f589566cfbcff7ce

      SHA256

      abba528e2227398b6304f64ad152247377d30488b0742b09b48cb7c18caf4821

      SHA512

      cb51ec5e181c01706a9667b1c885ac494248b8cc8a2f2a80e52ba2faba8154c6e45c0db950a05bf99e828b06ae0abebbf3d8bedf077573ea7b28c78e17b778bb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6655497.exe
      Filesize

      13KB

      MD5

      cf4f11298c393d7687009410b8f138c7

      SHA1

      9e6419ba345df7ffe7af1e62f589566cfbcff7ce

      SHA256

      abba528e2227398b6304f64ad152247377d30488b0742b09b48cb7c18caf4821

      SHA512

      cb51ec5e181c01706a9667b1c885ac494248b8cc8a2f2a80e52ba2faba8154c6e45c0db950a05bf99e828b06ae0abebbf3d8bedf077573ea7b28c78e17b778bb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1486320.exe
      Filesize

      117KB

      MD5

      aa5d9491b448c05363ef909c28baf92f

      SHA1

      6fa7306df765063c10a190d44f93718af14325b7

      SHA256

      9228ef4c26b3581745e0ce2b0875ef77d041f37acc8a46c7e47d1b78e86e2948

      SHA512

      68bd05c401ec87044a173c79fc80a7543cd6ef13d24431822639b03dad801eb371748574b84e98bd03678ceaa094a14fbcda069687ccef8a0b45e70c69c79552

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1486320.exe
      Filesize

      117KB

      MD5

      aa5d9491b448c05363ef909c28baf92f

      SHA1

      6fa7306df765063c10a190d44f93718af14325b7

      SHA256

      9228ef4c26b3581745e0ce2b0875ef77d041f37acc8a46c7e47d1b78e86e2948

      SHA512

      68bd05c401ec87044a173c79fc80a7543cd6ef13d24431822639b03dad801eb371748574b84e98bd03678ceaa094a14fbcda069687ccef8a0b45e70c69c79552

      Download Submit
    • memory/308-175-0x0000000000F80000-0x0000000000FB0000-memory.dmp
      Filesize

      192KB

      Download
    • memory/308-180-0x0000000005780000-0x0000000005790000-memory.dmp
      Filesize

      64KB

      Download
    • memory/308-189-0x000000000CF10000-0x000000000D43C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/308-176-0x000000000B380000-0x000000000B998000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/308-177-0x000000000AF00000-0x000000000B00A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/308-178-0x000000000AE40000-0x000000000AE52000-memory.dmp
      Filesize

      72KB

      Download
    • memory/308-179-0x000000000AEA0000-0x000000000AEDC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/308-188-0x000000000C810000-0x000000000C9D2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/308-181-0x000000000B2B0000-0x000000000B326000-memory.dmp
      Filesize

      472KB

      Download
    • memory/308-182-0x000000000BA40000-0x000000000BAD2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/308-183-0x000000000C090000-0x000000000C634000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/308-184-0x000000000BAE0000-0x000000000BB46000-memory.dmp
      Filesize

      408KB

      Download
    • memory/308-186-0x000000000BFD0000-0x000000000C020000-memory.dmp
      Filesize

      320KB

      Download
    • memory/308-187-0x0000000005780000-0x0000000005790000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2020-167-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2112-161-0x00000000004C0000-0x00000000004CA000-memory.dmp
      Filesize

      40KB

      Download