Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 04:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2b12b7a6becbd1b4b2c8e501929bf6ee3fc693381dc634f5027a3206ee96c66f.exe

  • Size

    735KB

  • MD5

    fd55c4e68d8224f9a28886c158854140

  • SHA1

    da5287a1d5d02fbb24ed3f9e23235a255faef685

  • SHA256

    2b12b7a6becbd1b4b2c8e501929bf6ee3fc693381dc634f5027a3206ee96c66f

  • SHA512

    e4387413ba463e05e3c7b9db9561c52144bee55e88234f0ec8330f1fe3b133b3d2444ff1bb4fc447b051c4f6b0a413bbe9de22d0a9a92ac8a6e934f391ea4cb1

  • SSDEEP

    12288:KMr/y90SKFBNpU6oLJswlr+8gr8x1IqEpmfnvqSlD3E1m/RElxQLJ:pysFBNpU6sJDMrXRoHqN0H

Score
10/10
redlinemaxievasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b12b7a6becbd1b4b2c8e501929bf6ee3fc693381dc634f5027a3206ee96c66f.exe
    "C:\Users\Admin\AppData\Local\Temp\2b12b7a6becbd1b4b2c8e501929bf6ee3fc693381dc634f5027a3206ee96c66f.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3300
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1452708.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1452708.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2223929.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2223929.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3944
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9383719.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9383719.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:3800
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4333254.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4333254.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2584
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1967857.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1967857.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1280
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:796
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 140
              6⤵
              • Program crash
              PID:564
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0831126.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0831126.exe
          4⤵
          • Executes dropped EXE
          PID:3704
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1280 -ip 1280
    1⤵
      PID:1048

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1452708.exe
      Filesize

      529KB

      MD5

      720f309f244d042a375c3a8171c46da7

      SHA1

      0d7d7f454aab4c15ef4e3647ac5131baeec186c1

      SHA256

      ad08dcd32e886a0655c8112df8e154a93c48e860212534b2c9c8e866155bf799

      SHA512

      619b61e01ecdb7bce916e2db535bffefc6b8f8567a2c78ecbfc16a8e341fa158ad89f02f02959e8c0c97d95949a63dabd0249898cd164d5e2a9a047246797ab3

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1452708.exe
      Filesize

      529KB

      MD5

      720f309f244d042a375c3a8171c46da7

      SHA1

      0d7d7f454aab4c15ef4e3647ac5131baeec186c1

      SHA256

      ad08dcd32e886a0655c8112df8e154a93c48e860212534b2c9c8e866155bf799

      SHA512

      619b61e01ecdb7bce916e2db535bffefc6b8f8567a2c78ecbfc16a8e341fa158ad89f02f02959e8c0c97d95949a63dabd0249898cd164d5e2a9a047246797ab3

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2223929.exe
      Filesize

      357KB

      MD5

      6576ed2de72a17f6018de1cb59dbd417

      SHA1

      a1aafbdf61b4569c0282e4dffce71581e708ed9a

      SHA256

      eb5a91b2b4d232ec5f97cf039be59b482e3aa58331ca0e196c989fbd25d8fa3f

      SHA512

      84af7408f252d57fe8df565211824f8794252bbfa6312d3c21d8fb0ce3a760b291fef22fd1f4139bae12421931e6dba75e27c987a33c22b85dcbc9e843d323bf

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2223929.exe
      Filesize

      357KB

      MD5

      6576ed2de72a17f6018de1cb59dbd417

      SHA1

      a1aafbdf61b4569c0282e4dffce71581e708ed9a

      SHA256

      eb5a91b2b4d232ec5f97cf039be59b482e3aa58331ca0e196c989fbd25d8fa3f

      SHA512

      84af7408f252d57fe8df565211824f8794252bbfa6312d3c21d8fb0ce3a760b291fef22fd1f4139bae12421931e6dba75e27c987a33c22b85dcbc9e843d323bf

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0831126.exe
      Filesize

      172KB

      MD5

      4c1379d0aa6bf251fd60128926061126

      SHA1

      fc0e867b32da884e36ee9d6b45c111691f2900c2

      SHA256

      ba9bd035a388b54eb57f68fd28c1e17e54bbcd42f904e864cf8ceace0b27cf92

      SHA512

      a987410d727f01cdef3c923bdf0a805ad1d2fc5febc9fc76a718fdd3cf0695b399cd34e095869be8fdf5e354f17944936d4a67a6fa5f9f526325040ccdf83f32

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c0831126.exe
      Filesize

      172KB

      MD5

      4c1379d0aa6bf251fd60128926061126

      SHA1

      fc0e867b32da884e36ee9d6b45c111691f2900c2

      SHA256

      ba9bd035a388b54eb57f68fd28c1e17e54bbcd42f904e864cf8ceace0b27cf92

      SHA512

      a987410d727f01cdef3c923bdf0a805ad1d2fc5febc9fc76a718fdd3cf0695b399cd34e095869be8fdf5e354f17944936d4a67a6fa5f9f526325040ccdf83f32

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9383719.exe
      Filesize

      202KB

      MD5

      78483fe0345813bb0c3257d8c24f0ffc

      SHA1

      ae33449af590ba3ef17941d6e8ab0d082afa2566

      SHA256

      07f997f058a3efcb0b5ca0cb511840fe44d228f334efb155ea5b7aefdee12011

      SHA512

      323390019bf193e74006463603c1dc986b5589a9e14133283d9b42f52b4cce1c475cc8b0eab3bdfedb589ffc39fe804db99f6b092b46117c173aba1c687acffe

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9383719.exe
      Filesize

      202KB

      MD5

      78483fe0345813bb0c3257d8c24f0ffc

      SHA1

      ae33449af590ba3ef17941d6e8ab0d082afa2566

      SHA256

      07f997f058a3efcb0b5ca0cb511840fe44d228f334efb155ea5b7aefdee12011

      SHA512

      323390019bf193e74006463603c1dc986b5589a9e14133283d9b42f52b4cce1c475cc8b0eab3bdfedb589ffc39fe804db99f6b092b46117c173aba1c687acffe

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4333254.exe
      Filesize

      13KB

      MD5

      420fb341fcce5a34b87ddc41b5bb5d6c

      SHA1

      8ceef26c3dbd0bf74b64327f66add60ec6a93415

      SHA256

      dd482f5caa8a4a0e3a8e3006d3484230404965b5ffc48afaab62014852c0ada3

      SHA512

      34a112c9ba75c062dc7dcc7f015ecf1fb2ccf6af7a2895baf3c05b69c66c85272a7773446896d76ba5faa7169d37de946f0129f1df0fb8e62c12f9d8bf003a62

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4333254.exe
      Filesize

      13KB

      MD5

      420fb341fcce5a34b87ddc41b5bb5d6c

      SHA1

      8ceef26c3dbd0bf74b64327f66add60ec6a93415

      SHA256

      dd482f5caa8a4a0e3a8e3006d3484230404965b5ffc48afaab62014852c0ada3

      SHA512

      34a112c9ba75c062dc7dcc7f015ecf1fb2ccf6af7a2895baf3c05b69c66c85272a7773446896d76ba5faa7169d37de946f0129f1df0fb8e62c12f9d8bf003a62

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1967857.exe
      Filesize

      117KB

      MD5

      2bae5540105a84767675cbc4289cfde6

      SHA1

      d124f62466603ae8f27d67d2eb2baa8f71eb36bc

      SHA256

      5af48dd2d41a2f0297b11114d0a5f5bc62ff2401a430f4ec01d3f9c37be680e4

      SHA512

      ca98c1d0c26cb5a5597ed7c5d789485b1e765094da2b1e7fbbd989f69d993f05f1799aa7b4f5fd4ebfcc4136c25b9f9c4c5f10b4f1184dbc2e373cb1b45917da

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1967857.exe
      Filesize

      117KB

      MD5

      2bae5540105a84767675cbc4289cfde6

      SHA1

      d124f62466603ae8f27d67d2eb2baa8f71eb36bc

      SHA256

      5af48dd2d41a2f0297b11114d0a5f5bc62ff2401a430f4ec01d3f9c37be680e4

      SHA512

      ca98c1d0c26cb5a5597ed7c5d789485b1e765094da2b1e7fbbd989f69d993f05f1799aa7b4f5fd4ebfcc4136c25b9f9c4c5f10b4f1184dbc2e373cb1b45917da

      Download Submit
    • memory/796-167-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2584-161-0x0000000000740000-0x000000000074A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3704-175-0x00000000007A0000-0x00000000007D0000-memory.dmp
      Filesize

      192KB

      Download
    • memory/3704-176-0x000000000AA60000-0x000000000B078000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/3704-177-0x000000000A5E0000-0x000000000A6EA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/3704-178-0x000000000A520000-0x000000000A532000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3704-179-0x0000000004F50000-0x0000000004F60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3704-180-0x000000000A580000-0x000000000A5BC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/3704-182-0x0000000004F50000-0x0000000004F60000-memory.dmp
      Filesize

      64KB

      Download