Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 06:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bf6f2187eb1f65aa3597a8a8822da3886406d30aaed132cf3d137ccbecf89b10.exe

  • Size

    736KB

  • MD5

    af714950c9d94ccba685d6f9fa5bb211

  • SHA1

    c7203082a8c85bdebdbde81302ce23151ab24e3c

  • SHA256

    bf6f2187eb1f65aa3597a8a8822da3886406d30aaed132cf3d137ccbecf89b10

  • SHA512

    81a53c61cef4d85dff65e7960b9d10a2cba24a566384dd040c84ba1728d03f1cce44cca565884ea1ae33d48105f820e0038deb558b12df367d9c315ec09887ca

  • SSDEEP

    12288:lMrmy90+5YoQQTyu3Xl9N/V8ykbyoocWzfK68yqt0e9bKrzsF8tBe8jPf03:/yUsm0Xl/V8+hn8yi7Krzs0e8jE

Score
10/10
redlinemaxievasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bf6f2187eb1f65aa3597a8a8822da3886406d30aaed132cf3d137ccbecf89b10.exe
    "C:\Users\Admin\AppData\Local\Temp\bf6f2187eb1f65aa3597a8a8822da3886406d30aaed132cf3d137ccbecf89b10.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8057323.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8057323.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4536
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5224642.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5224642.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1804
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5827516.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5827516.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1976
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4206650.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4206650.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4344
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9585049.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9585049.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:4012
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4136
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 220
              6⤵
              • Program crash
              PID:796
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1009988.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1009988.exe
          4⤵
          • Executes dropped EXE
          PID:3812
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4012 -ip 4012
    1⤵
      PID:4204

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8057323.exe
      Filesize

      530KB

      MD5

      514313c1c629ded99f884a319fa41915

      SHA1

      ace53e142cd1851706ad7d8ab5632cfbccdeafb7

      SHA256

      0efbaf24d9abb8f581acc3c4b7143aef7b0eb93c71fbaa3d29082aa0c2355344

      SHA512

      6c1e4d25f89202c7cb2134158c913e3b63acd7ea4836fa02b3078b02e08ac0a811a2a0d54e15e740a79e2e0266189babadda8ddc45de7bc078bc55b7f2f72839

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8057323.exe
      Filesize

      530KB

      MD5

      514313c1c629ded99f884a319fa41915

      SHA1

      ace53e142cd1851706ad7d8ab5632cfbccdeafb7

      SHA256

      0efbaf24d9abb8f581acc3c4b7143aef7b0eb93c71fbaa3d29082aa0c2355344

      SHA512

      6c1e4d25f89202c7cb2134158c913e3b63acd7ea4836fa02b3078b02e08ac0a811a2a0d54e15e740a79e2e0266189babadda8ddc45de7bc078bc55b7f2f72839

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5224642.exe
      Filesize

      357KB

      MD5

      803ff3f5f6d8b9c7db69646c54783a0e

      SHA1

      a005617a048350972bf107b44351b7e10e15aeda

      SHA256

      c9ae3b14f9ee15ed5cd96438737e6ec17862d0a7a0516349e67c32dab398a7a1

      SHA512

      12656e54ec5026db01579464621924ffb03db892f93a3365cdca09254d90811dfbc0d5347eafb10e9c1d854612fcd8f52875e497ab2e27ff352d7d5ba5003b1a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5224642.exe
      Filesize

      357KB

      MD5

      803ff3f5f6d8b9c7db69646c54783a0e

      SHA1

      a005617a048350972bf107b44351b7e10e15aeda

      SHA256

      c9ae3b14f9ee15ed5cd96438737e6ec17862d0a7a0516349e67c32dab398a7a1

      SHA512

      12656e54ec5026db01579464621924ffb03db892f93a3365cdca09254d90811dfbc0d5347eafb10e9c1d854612fcd8f52875e497ab2e27ff352d7d5ba5003b1a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1009988.exe
      Filesize

      172KB

      MD5

      69d2891e785d8608c0a1a5fb0ef5a2f2

      SHA1

      99291f74a040bf000fc426f632758b0c2452c733

      SHA256

      18e6e90e3b18b801f8dfc375bf2f6b2da336a3a062976c9a3627a6ea441b4e77

      SHA512

      d9b6c587f05573df728bdde119f1e68b1e86ada5b961cfe17bd49b80c8f9a056890a8996ec3eb0f449f972614fafc20c16f67f2e0fa36424d64a69a3eee6f480

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1009988.exe
      Filesize

      172KB

      MD5

      69d2891e785d8608c0a1a5fb0ef5a2f2

      SHA1

      99291f74a040bf000fc426f632758b0c2452c733

      SHA256

      18e6e90e3b18b801f8dfc375bf2f6b2da336a3a062976c9a3627a6ea441b4e77

      SHA512

      d9b6c587f05573df728bdde119f1e68b1e86ada5b961cfe17bd49b80c8f9a056890a8996ec3eb0f449f972614fafc20c16f67f2e0fa36424d64a69a3eee6f480

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5827516.exe
      Filesize

      202KB

      MD5

      11d1d767d58fd17960bc75bc4175e783

      SHA1

      ae4690ad353aeb49ffd57dddf18373530880cd46

      SHA256

      201704168be2369ab1c49a699fc763b8cbf267e1180d778d66efa1b986db3e0d

      SHA512

      b7e919e63756ea332813030cc1a2f8747660d63acccbcbd3cf1037fefee0bff5b0e0ebe0239acf5cc65077cee57a369bd092f2a62c9ca3d6806325227db3b2dc

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5827516.exe
      Filesize

      202KB

      MD5

      11d1d767d58fd17960bc75bc4175e783

      SHA1

      ae4690ad353aeb49ffd57dddf18373530880cd46

      SHA256

      201704168be2369ab1c49a699fc763b8cbf267e1180d778d66efa1b986db3e0d

      SHA512

      b7e919e63756ea332813030cc1a2f8747660d63acccbcbd3cf1037fefee0bff5b0e0ebe0239acf5cc65077cee57a369bd092f2a62c9ca3d6806325227db3b2dc

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4206650.exe
      Filesize

      13KB

      MD5

      fd51e27cb7716482855885085db7497d

      SHA1

      ed9698da1cf045f02fa6212da462dee6b77b4669

      SHA256

      4343a66fb441daa12ccfc546f6de58999f0c7c96bea30b99729014c192e0ef83

      SHA512

      fe88ab5c6d2a3159867ea5454720d532b9fba9fea90b18644a0421fc5fbd30592070cbe6a098adb22dd9da266cdfb04664830673588ae2afea43c5007b037b51

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4206650.exe
      Filesize

      13KB

      MD5

      fd51e27cb7716482855885085db7497d

      SHA1

      ed9698da1cf045f02fa6212da462dee6b77b4669

      SHA256

      4343a66fb441daa12ccfc546f6de58999f0c7c96bea30b99729014c192e0ef83

      SHA512

      fe88ab5c6d2a3159867ea5454720d532b9fba9fea90b18644a0421fc5fbd30592070cbe6a098adb22dd9da266cdfb04664830673588ae2afea43c5007b037b51

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9585049.exe
      Filesize

      117KB

      MD5

      d3d0f6d92488f1ca09cfd905de0594bf

      SHA1

      aa4f5367e8773161c405096d633058bf05cf5dc1

      SHA256

      3835a699e55a7275875b15d7dc080d04c0efee10389f1fcea8fcb57619701256

      SHA512

      1232382fef250336e7c5c906100a83fef3897f722b820dd62c95d4f5d3447e5875cb9bf4f9cbf7b404da15e165dadf57399aee2162a2461885200de270ee83f3

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b9585049.exe
      Filesize

      117KB

      MD5

      d3d0f6d92488f1ca09cfd905de0594bf

      SHA1

      aa4f5367e8773161c405096d633058bf05cf5dc1

      SHA256

      3835a699e55a7275875b15d7dc080d04c0efee10389f1fcea8fcb57619701256

      SHA512

      1232382fef250336e7c5c906100a83fef3897f722b820dd62c95d4f5d3447e5875cb9bf4f9cbf7b404da15e165dadf57399aee2162a2461885200de270ee83f3

      Download Submit
    • memory/3812-175-0x0000000000310000-0x0000000000340000-memory.dmp
      Filesize

      192KB

      Download
    • memory/3812-176-0x000000000A730000-0x000000000AD48000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/3812-177-0x000000000A290000-0x000000000A39A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/3812-178-0x000000000A1D0000-0x000000000A1E2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3812-179-0x000000000A230000-0x000000000A26C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/3812-180-0x0000000004B40000-0x0000000004B50000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3812-182-0x0000000004B40000-0x0000000004B50000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4136-167-0x0000000000140000-0x000000000014A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4344-161-0x0000000000460000-0x000000000046A000-memory.dmp
      Filesize

      40KB

      Download