Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 04:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ad97962cf21b019a9d5a154c3b497a2aebf15786ed51565372938d969cb7694e.exe

  • Size

    734KB

  • MD5

    9efcf13c473aa0a1a0d6f559703bb54b

  • SHA1

    2e3cc4a24e9566188dbb4201484d15ca1aaeee4c

  • SHA256

    ad97962cf21b019a9d5a154c3b497a2aebf15786ed51565372938d969cb7694e

  • SHA512

    1a7d1d07049eca32c2c106e66302aeba27c6002e4db604f16a18abd4b5f9fbabcf81d535fd031596600253f6f6d9d847778e4001cf37c30ef9f2f534563e0da6

  • SSDEEP

    12288:TMrYy90fXmKlDFiMdFD8mUdKxDaf+RFdVoG4Ld4FYrEqjHkUjHD2/YUwjfEun:Dy4PZpbDIdOlDVC54FWhHrUwXn

Score
10/10
redlinemaxievasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad97962cf21b019a9d5a154c3b497a2aebf15786ed51565372938d969cb7694e.exe
    "C:\Users\Admin\AppData\Local\Temp\ad97962cf21b019a9d5a154c3b497a2aebf15786ed51565372938d969cb7694e.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7314635.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7314635.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1624
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4395854.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4395854.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2272
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2632826.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2632826.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4124
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2289986.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2289986.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4940
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7589688.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7589688.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:656
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1992
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 656 -s 140
              6⤵
              • Program crash
              PID:2208
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1456205.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1456205.exe
          4⤵
          • Executes dropped EXE
          PID:4652
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 656 -ip 656
    1⤵
      PID:224

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    3
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7314635.exe
      Filesize

      529KB

      MD5

      c4028e08259961a9be9a55eb18b6fc58

      SHA1

      e6fc4ca26967ff414e519be6919d5aba00d9aa13

      SHA256

      ae22fb2f7f1b2981e579b52e6765fb7b532fa9a8f6fb20fbf0d628c49fb8efd8

      SHA512

      e8aca447abbccb29f5f7bad6fe2cff296bfc3ee3d8a1e3b8a73c8592dfb3e14053c7c3b3996f6f15e8ae35bf1f5b11260003c99f8b1ff55be613cd8880ca355f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7314635.exe
      Filesize

      529KB

      MD5

      c4028e08259961a9be9a55eb18b6fc58

      SHA1

      e6fc4ca26967ff414e519be6919d5aba00d9aa13

      SHA256

      ae22fb2f7f1b2981e579b52e6765fb7b532fa9a8f6fb20fbf0d628c49fb8efd8

      SHA512

      e8aca447abbccb29f5f7bad6fe2cff296bfc3ee3d8a1e3b8a73c8592dfb3e14053c7c3b3996f6f15e8ae35bf1f5b11260003c99f8b1ff55be613cd8880ca355f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4395854.exe
      Filesize

      357KB

      MD5

      111800589d444214502f1381a50e7c5f

      SHA1

      959a51984a60e794414739e314909adf360a1bd8

      SHA256

      ca64819fab613a88d79ed0ca2e40e360cd3069e13a19f53be0f42add7341642e

      SHA512

      e479c07829ff4f98aece20345e1e1a0dc5092429db0d2722beb9b9145c81e5fbefe73bf2295c155b048d9b46de0ac6e638ed8f989434a8470eca6472f77ed8cf

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4395854.exe
      Filesize

      357KB

      MD5

      111800589d444214502f1381a50e7c5f

      SHA1

      959a51984a60e794414739e314909adf360a1bd8

      SHA256

      ca64819fab613a88d79ed0ca2e40e360cd3069e13a19f53be0f42add7341642e

      SHA512

      e479c07829ff4f98aece20345e1e1a0dc5092429db0d2722beb9b9145c81e5fbefe73bf2295c155b048d9b46de0ac6e638ed8f989434a8470eca6472f77ed8cf

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1456205.exe
      Filesize

      172KB

      MD5

      8ea7a7faebfe6547e73b67c1e033ca6e

      SHA1

      92797da3b8f812af2744ae28545e6d1265bcbab3

      SHA256

      e6c5f120099c496f49903127fe17c46a63efc7cad83319c760d39581582f604d

      SHA512

      34d8663f9ac3809dedce3ba36a9accc4f9cc238d9e5898e50aff8e14cf85a50b06ecb961e13a1088a1c4913daf7394573c7d5425b0f3c99b121ea9c7cef86d6d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1456205.exe
      Filesize

      172KB

      MD5

      8ea7a7faebfe6547e73b67c1e033ca6e

      SHA1

      92797da3b8f812af2744ae28545e6d1265bcbab3

      SHA256

      e6c5f120099c496f49903127fe17c46a63efc7cad83319c760d39581582f604d

      SHA512

      34d8663f9ac3809dedce3ba36a9accc4f9cc238d9e5898e50aff8e14cf85a50b06ecb961e13a1088a1c4913daf7394573c7d5425b0f3c99b121ea9c7cef86d6d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2632826.exe
      Filesize

      202KB

      MD5

      06f83cf6119a42f5b1936b5990b783db

      SHA1

      f46bdb9a50aa691777358c3257abc817c9d5000c

      SHA256

      83df1119868c8da93dd8429b21af81e8dfb721109590715085070f034d324b72

      SHA512

      ee7d198857dd067a00967abab4c904ff7bf34ae363e5337a23dc77e62ae809d730f6a81e6a10737faa68d6048f875c1eb7f3b482254b8e6765f39294b0b45a13

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2632826.exe
      Filesize

      202KB

      MD5

      06f83cf6119a42f5b1936b5990b783db

      SHA1

      f46bdb9a50aa691777358c3257abc817c9d5000c

      SHA256

      83df1119868c8da93dd8429b21af81e8dfb721109590715085070f034d324b72

      SHA512

      ee7d198857dd067a00967abab4c904ff7bf34ae363e5337a23dc77e62ae809d730f6a81e6a10737faa68d6048f875c1eb7f3b482254b8e6765f39294b0b45a13

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2289986.exe
      Filesize

      13KB

      MD5

      236defbe5573a4026d42ea8cc41cd7e7

      SHA1

      af626fbfd763bec01bd10008540d7a9905829334

      SHA256

      195ae65217ca0881055e00525b90eaff8a9e814536f7355aa2f140da06acb2dc

      SHA512

      3392bf53b85d4dae7947ed348ea90b7faa95c5f067c16cddee86afe16c42ac38088de428ee2870e9db2b8a8fd6f7d5c6d9458a1e64cbe30403148889f00761a2

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2289986.exe
      Filesize

      13KB

      MD5

      236defbe5573a4026d42ea8cc41cd7e7

      SHA1

      af626fbfd763bec01bd10008540d7a9905829334

      SHA256

      195ae65217ca0881055e00525b90eaff8a9e814536f7355aa2f140da06acb2dc

      SHA512

      3392bf53b85d4dae7947ed348ea90b7faa95c5f067c16cddee86afe16c42ac38088de428ee2870e9db2b8a8fd6f7d5c6d9458a1e64cbe30403148889f00761a2

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7589688.exe
      Filesize

      117KB

      MD5

      4fe308c9f7442ca84f8aa3ae91590488

      SHA1

      161575974094f910a3a8d7e95ca615129552325f

      SHA256

      388e3824dd7171bbbf351acf6266fc6039008ebbceede1e3401340fe6c0d9562

      SHA512

      ebd10deb29eabdafe267812c1d77248899439d456408265b31d4a41111a450868c35240d32ca65568c286eec9a36e1fa0f4e009f8bf9f8d9f22095bd0be80bf1

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7589688.exe
      Filesize

      117KB

      MD5

      4fe308c9f7442ca84f8aa3ae91590488

      SHA1

      161575974094f910a3a8d7e95ca615129552325f

      SHA256

      388e3824dd7171bbbf351acf6266fc6039008ebbceede1e3401340fe6c0d9562

      SHA512

      ebd10deb29eabdafe267812c1d77248899439d456408265b31d4a41111a450868c35240d32ca65568c286eec9a36e1fa0f4e009f8bf9f8d9f22095bd0be80bf1

      Download Submit
    • memory/1992-167-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4652-175-0x0000000000B90000-0x0000000000BC0000-memory.dmp
      Filesize

      192KB

      Download
    • memory/4652-176-0x000000000AF10000-0x000000000B528000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/4652-177-0x000000000AA00000-0x000000000AB0A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/4652-178-0x000000000A910000-0x000000000A922000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4652-179-0x000000000A970000-0x000000000A9AC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/4652-180-0x0000000005560000-0x0000000005570000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4652-182-0x0000000005560000-0x0000000005570000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4940-161-0x0000000000770000-0x000000000077A000-memory.dmp
      Filesize

      40KB

      Download