Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 08:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2b7af77364d53031bad18f6c713f56575779a5b3cc54f29c2d1ca992df0a2687.exe

  • Size

    737KB

  • MD5

    1d474540a1122e116b1fe4080f2b887f

  • SHA1

    0505ee0b836c2bf37cca82fd3c7e3a8ec81de1ae

  • SHA256

    2b7af77364d53031bad18f6c713f56575779a5b3cc54f29c2d1ca992df0a2687

  • SHA512

    4fde82f4fdf5353363d86be1723ca7d0676d2051e35cd190310dd6cdd1d073cd62cd886585a940b8fb504cebf193dd7313084122c680b5b2bb233d69a1d42d2a

  • SSDEEP

    12288:JMrYy90QSlnzqq1VamqABWhSka6L5Zw48NTdOIIleSRcyqFDJzBB58BBIRTAPZG2:By3SlnzXLWhba6L5+4yhClRcFBBafZl

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19048

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b7af77364d53031bad18f6c713f56575779a5b3cc54f29c2d1ca992df0a2687.exe
    "C:\Users\Admin\AppData\Local\Temp\2b7af77364d53031bad18f6c713f56575779a5b3cc54f29c2d1ca992df0a2687.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3372
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8489624.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8489624.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3976
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5112260.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5112260.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1960
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4298125.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4298125.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4528
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3613203.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3613203.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2540
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1937847.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1937847.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2744
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:5068
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 152
              6⤵
              • Program crash
              PID:736
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1971636.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1971636.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4248
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2744 -ip 2744
    1⤵
      PID:5076

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8489624.exe
      Filesize

      531KB

      MD5

      03942b8bc7c596bdb1197f4f6b665db7

      SHA1

      4c165378989f7738a05b6951036a20e1e459a5b5

      SHA256

      1721df276ec56ca60a6737fefb04aa8b76ee1acb96c894349cb81f63336ed055

      SHA512

      4dece7cb2ea92015b5db6b4efecabee2fd671aff87647c1303333d3d3cd4ab78adb8aa93eca6ab33389557f711868f86268800fa49b3be96b973cabfe49924c4

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8489624.exe
      Filesize

      531KB

      MD5

      03942b8bc7c596bdb1197f4f6b665db7

      SHA1

      4c165378989f7738a05b6951036a20e1e459a5b5

      SHA256

      1721df276ec56ca60a6737fefb04aa8b76ee1acb96c894349cb81f63336ed055

      SHA512

      4dece7cb2ea92015b5db6b4efecabee2fd671aff87647c1303333d3d3cd4ab78adb8aa93eca6ab33389557f711868f86268800fa49b3be96b973cabfe49924c4

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5112260.exe
      Filesize

      358KB

      MD5

      f4f8b512061ccb326d0c4b193c2edb4a

      SHA1

      42148fb83ec037446148a03f1a8c66758e14bfd6

      SHA256

      8d743418f1ad20caafc64473188d6dc8fc329ee4d7c2f3068bc72ee49969149b

      SHA512

      2671a04f816e38926dfac7f06bb6b47848f758f26a109c7f3af184264f43735bdbd50686d66a0be38c4b0a21ad0f4c8228b976467f7658fe23a9fadd32344209

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5112260.exe
      Filesize

      358KB

      MD5

      f4f8b512061ccb326d0c4b193c2edb4a

      SHA1

      42148fb83ec037446148a03f1a8c66758e14bfd6

      SHA256

      8d743418f1ad20caafc64473188d6dc8fc329ee4d7c2f3068bc72ee49969149b

      SHA512

      2671a04f816e38926dfac7f06bb6b47848f758f26a109c7f3af184264f43735bdbd50686d66a0be38c4b0a21ad0f4c8228b976467f7658fe23a9fadd32344209

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1971636.exe
      Filesize

      172KB

      MD5

      8dd5b3a442d9337a3bd710d52e0fcbca

      SHA1

      caf55c56a5722f5e6765156b3a1f4492579c0e1a

      SHA256

      991a5937e597deb0286243fdb0fcea88b1b2aeaad7b4a618900f678d32025f04

      SHA512

      226b4b447ea6acffe3dbcd397e268a83984d037eab006fed58a375702a73e793ddb734a65202647aec6474efd009049fd24afd881ab176c3a2aa4ddda1b851dd

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1971636.exe
      Filesize

      172KB

      MD5

      8dd5b3a442d9337a3bd710d52e0fcbca

      SHA1

      caf55c56a5722f5e6765156b3a1f4492579c0e1a

      SHA256

      991a5937e597deb0286243fdb0fcea88b1b2aeaad7b4a618900f678d32025f04

      SHA512

      226b4b447ea6acffe3dbcd397e268a83984d037eab006fed58a375702a73e793ddb734a65202647aec6474efd009049fd24afd881ab176c3a2aa4ddda1b851dd

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4298125.exe
      Filesize

      203KB

      MD5

      2024852491dadf08f16ff402a4d91c7e

      SHA1

      41982eda60d0514b3a3d3314a2fa910c83f2b318

      SHA256

      c47199eed69b87e8dabd1cc81dde86d420b91ef7bbbdf1d53107080651e11410

      SHA512

      699957242c08d7fc4472310a223935c31376bc14487a7bc4575c16c4f010f22611c2c8cf16c1104e27192f2239c1c0aa78ec5f7ebaa906bd9e27c1e5a6a9e89d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4298125.exe
      Filesize

      203KB

      MD5

      2024852491dadf08f16ff402a4d91c7e

      SHA1

      41982eda60d0514b3a3d3314a2fa910c83f2b318

      SHA256

      c47199eed69b87e8dabd1cc81dde86d420b91ef7bbbdf1d53107080651e11410

      SHA512

      699957242c08d7fc4472310a223935c31376bc14487a7bc4575c16c4f010f22611c2c8cf16c1104e27192f2239c1c0aa78ec5f7ebaa906bd9e27c1e5a6a9e89d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3613203.exe
      Filesize

      13KB

      MD5

      93f1aae2f1fe5bb30a3312c566f15281

      SHA1

      4da51090aa2e49a722306a8384111601f3f86f67

      SHA256

      d290df5bc452eb1c9968552ebf8e243cbc2797233fb7c4ceba7f185b7852bfbb

      SHA512

      de9ea969ed792ce52a02bf00d2437f81bfd26bedf7e04f483bc031ba3303990f65ac269061d8561ffa41f0fd383b0cf742fba9b115295a962b288afb7231216d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3613203.exe
      Filesize

      13KB

      MD5

      93f1aae2f1fe5bb30a3312c566f15281

      SHA1

      4da51090aa2e49a722306a8384111601f3f86f67

      SHA256

      d290df5bc452eb1c9968552ebf8e243cbc2797233fb7c4ceba7f185b7852bfbb

      SHA512

      de9ea969ed792ce52a02bf00d2437f81bfd26bedf7e04f483bc031ba3303990f65ac269061d8561ffa41f0fd383b0cf742fba9b115295a962b288afb7231216d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1937847.exe
      Filesize

      120KB

      MD5

      896e1e72c62b917e2f57ae4a42011795

      SHA1

      ba72ecfa9e3c448c2036912af6e6d011ff653361

      SHA256

      f76e03cc5f2dd5b7329e628cb89f052d76b83cf970819420fb1d7629e742752c

      SHA512

      ab8069095fe8834097e4816617e984780bc01e28567cd71fd2e17530bace70ad079c3ac180597d276ae90c5ea00d1be68e638a0d33b97d3fca299fdc379f7d69

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1937847.exe
      Filesize

      120KB

      MD5

      896e1e72c62b917e2f57ae4a42011795

      SHA1

      ba72ecfa9e3c448c2036912af6e6d011ff653361

      SHA256

      f76e03cc5f2dd5b7329e628cb89f052d76b83cf970819420fb1d7629e742752c

      SHA512

      ab8069095fe8834097e4816617e984780bc01e28567cd71fd2e17530bace70ad079c3ac180597d276ae90c5ea00d1be68e638a0d33b97d3fca299fdc379f7d69

      Download Submit
    • memory/2540-161-0x0000000000B30000-0x0000000000B3A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4248-175-0x0000000000CF0000-0x0000000000D20000-memory.dmp
      Filesize

      192KB

      Download
    • memory/4248-181-0x000000000ADE0000-0x000000000AE56000-memory.dmp
      Filesize

      472KB

      Download
    • memory/4248-176-0x000000000AFE0000-0x000000000B5F8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/4248-177-0x000000000AB30000-0x000000000AC3A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/4248-178-0x000000000AA70000-0x000000000AA82000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4248-179-0x000000000AAD0000-0x000000000AB0C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/4248-180-0x0000000005630000-0x0000000005640000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4248-189-0x000000000CAD0000-0x000000000CFFC000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/4248-182-0x000000000B6A0000-0x000000000B732000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4248-183-0x000000000AF60000-0x000000000AFC6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4248-185-0x000000000BFF0000-0x000000000C594000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4248-186-0x0000000005630000-0x0000000005640000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4248-187-0x000000000BC00000-0x000000000BC50000-memory.dmp
      Filesize

      320KB

      Download
    • memory/4248-188-0x000000000BE20000-0x000000000BFE2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/5068-167-0x0000000000180000-0x000000000018A000-memory.dmp
      Filesize

      40KB

      Download