Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 07:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2dccea09a33b86f5e770514fedea1b4f4eff4b3136853c28022f36afd1554c26.exe

  • Size

    735KB

  • MD5

    127750909e73ad4bd01c25f5ddf5f667

  • SHA1

    5c764efc7c1d2e30e0cf6e59430c8ea0ab81a968

  • SHA256

    2dccea09a33b86f5e770514fedea1b4f4eff4b3136853c28022f36afd1554c26

  • SHA512

    191d95b80bab0bb2a4c0f68a49023a827cfd2c93bbcfa31d959f6fca184a0b0055fe75aa3d8baca07fb3e3ed1ba89a60f936764ef1a49ec99b24a01d8e13bd7a

  • SSDEEP

    12288:DMr5y90vQe4KwVj+UX8L97glNRsduypBTaoUo2FU3ZnCkTqGJkxZlNWAFRvbL3:Gy3eFwVw7glcVdao92FUFvTqGSzFRvbL

Score
10/10
redlinemaxievasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2dccea09a33b86f5e770514fedea1b4f4eff4b3136853c28022f36afd1554c26.exe
    "C:\Users\Admin\AppData\Local\Temp\2dccea09a33b86f5e770514fedea1b4f4eff4b3136853c28022f36afd1554c26.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3444
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5581753.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5581753.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1888
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8918610.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8918610.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:380
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0955646.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0955646.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2628
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7064705.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7064705.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3916
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6716630.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6716630.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:3948
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3296
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 140
              6⤵
              • Program crash
              PID:2388
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9077097.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9077097.exe
          4⤵
          • Executes dropped EXE
          PID:4276
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 3948 -ip 3948
    1⤵
      PID:2760

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5581753.exe
      Filesize

      529KB

      MD5

      529a7eea48dc4d4a8aeb9769c3874079

      SHA1

      5a37504a5e1722cdc266009e300864622804018c

      SHA256

      f90b5c99a73dc8a09c9f5285b0468b49dd20c1ba19d58aba5b001eb87e53e4c1

      SHA512

      1f58d7b9e4acaeb4ca47abd00f25ef50b0d032b8d5c5691387941b53e8911dd83bf14a625bb4d8f5faf45c14c558da296e5b35577b1b5478edf3a2498d5d7491

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5581753.exe
      Filesize

      529KB

      MD5

      529a7eea48dc4d4a8aeb9769c3874079

      SHA1

      5a37504a5e1722cdc266009e300864622804018c

      SHA256

      f90b5c99a73dc8a09c9f5285b0468b49dd20c1ba19d58aba5b001eb87e53e4c1

      SHA512

      1f58d7b9e4acaeb4ca47abd00f25ef50b0d032b8d5c5691387941b53e8911dd83bf14a625bb4d8f5faf45c14c558da296e5b35577b1b5478edf3a2498d5d7491

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8918610.exe
      Filesize

      357KB

      MD5

      d2b24c2622d035ad29d96133c2590fc9

      SHA1

      107f3a3014b8f752daed2c9b4ca3aef374a0ca0d

      SHA256

      c4bd38c81d5d22294bf27b57d0d3d8589741b8fccf238ea602882dbf046f79d9

      SHA512

      65905f7d1fc92c44d5ff43c38b390cdb467ebe825dc5c43738a97e8c1b7826d76e674f54fc0f5b008646b70315d9d980b40746e34bbae5cc6656a416d91fbde6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8918610.exe
      Filesize

      357KB

      MD5

      d2b24c2622d035ad29d96133c2590fc9

      SHA1

      107f3a3014b8f752daed2c9b4ca3aef374a0ca0d

      SHA256

      c4bd38c81d5d22294bf27b57d0d3d8589741b8fccf238ea602882dbf046f79d9

      SHA512

      65905f7d1fc92c44d5ff43c38b390cdb467ebe825dc5c43738a97e8c1b7826d76e674f54fc0f5b008646b70315d9d980b40746e34bbae5cc6656a416d91fbde6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9077097.exe
      Filesize

      172KB

      MD5

      56f624e5991f4e448b3853b26971c536

      SHA1

      81ffa5becf7e9d7a5a91c0b6ba1643e300a4b9a9

      SHA256

      4d456e773bc9d560da191638f0ec76e218b0634beaec6f49fe23a9e7b7f51163

      SHA512

      8643aed6bfd75eeab69931f19699bf247f613b57baa9867429eb364a9457bba32f59eb49450b84797f525745e0dc995900f3c1e96f3b45293ed11b179b56ccee

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9077097.exe
      Filesize

      172KB

      MD5

      56f624e5991f4e448b3853b26971c536

      SHA1

      81ffa5becf7e9d7a5a91c0b6ba1643e300a4b9a9

      SHA256

      4d456e773bc9d560da191638f0ec76e218b0634beaec6f49fe23a9e7b7f51163

      SHA512

      8643aed6bfd75eeab69931f19699bf247f613b57baa9867429eb364a9457bba32f59eb49450b84797f525745e0dc995900f3c1e96f3b45293ed11b179b56ccee

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0955646.exe
      Filesize

      202KB

      MD5

      f1a03e9df84d5f7a41c5f41f0f4b31b4

      SHA1

      eff6444df29f5f2622cbb8274c5900ff61951df2

      SHA256

      ba4865fc7920bf4e64fc2a488bf3148ce037330d119ece99f2bf62524a21c85d

      SHA512

      6d78ee98c5ae6fcb9cbcefe46d609c3dfe6480d06b0b83352836b24b68271d3bedd5b44c92d6eeca4d93b46f2317609e8436b78d44ae404e0423f268db4a1df0

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0955646.exe
      Filesize

      202KB

      MD5

      f1a03e9df84d5f7a41c5f41f0f4b31b4

      SHA1

      eff6444df29f5f2622cbb8274c5900ff61951df2

      SHA256

      ba4865fc7920bf4e64fc2a488bf3148ce037330d119ece99f2bf62524a21c85d

      SHA512

      6d78ee98c5ae6fcb9cbcefe46d609c3dfe6480d06b0b83352836b24b68271d3bedd5b44c92d6eeca4d93b46f2317609e8436b78d44ae404e0423f268db4a1df0

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7064705.exe
      Filesize

      13KB

      MD5

      44df6669823b38330ec7b06a9782b830

      SHA1

      4812fd08da1663cf0795d251ef59c3ac7d985010

      SHA256

      8aac8fe8b8956f364274085021a82e3417efbbc7036eb8f7a493a29af0dc35aa

      SHA512

      9d798dcaf5845c6656d18107802935484e17be9e39027159d6a296ebe01a51581e93ae5c174c442d28122fbe45c7f69d11f08008ed02a9732fd199c08f9445f1

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7064705.exe
      Filesize

      13KB

      MD5

      44df6669823b38330ec7b06a9782b830

      SHA1

      4812fd08da1663cf0795d251ef59c3ac7d985010

      SHA256

      8aac8fe8b8956f364274085021a82e3417efbbc7036eb8f7a493a29af0dc35aa

      SHA512

      9d798dcaf5845c6656d18107802935484e17be9e39027159d6a296ebe01a51581e93ae5c174c442d28122fbe45c7f69d11f08008ed02a9732fd199c08f9445f1

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6716630.exe
      Filesize

      117KB

      MD5

      35fcb8d4de61d262de7772d00cb828ce

      SHA1

      64f1a2afd9f759dbce6168aa940face49a78298e

      SHA256

      eb7a54fa16258f9c6a38a2cdb6c6904ade573949f57b83a33ee82fef0acdc9ce

      SHA512

      f5331db200531843f076716177d12f5a8a9681e22ca0b9e522aa7461747c35d83953b0314ac6cb1550161d58b71c3df3a7a93775ecd799e63bba9b9cdf95dc77

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6716630.exe
      Filesize

      117KB

      MD5

      35fcb8d4de61d262de7772d00cb828ce

      SHA1

      64f1a2afd9f759dbce6168aa940face49a78298e

      SHA256

      eb7a54fa16258f9c6a38a2cdb6c6904ade573949f57b83a33ee82fef0acdc9ce

      SHA512

      f5331db200531843f076716177d12f5a8a9681e22ca0b9e522aa7461747c35d83953b0314ac6cb1550161d58b71c3df3a7a93775ecd799e63bba9b9cdf95dc77

      Download Submit
    • memory/3296-167-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3916-161-0x0000000000160000-0x000000000016A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4276-175-0x0000000000D80000-0x0000000000DB0000-memory.dmp
      Filesize

      192KB

      Download
    • memory/4276-176-0x0000000005E30000-0x0000000006448000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/4276-177-0x0000000005920000-0x0000000005A2A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/4276-178-0x0000000005830000-0x0000000005842000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4276-179-0x0000000005890000-0x00000000058CC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/4276-180-0x0000000005700000-0x0000000005710000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4276-182-0x0000000005700000-0x0000000005710000-memory.dmp
      Filesize

      64KB

      Download