Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/06/2023, 09:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    69c2f90a492a1ec30b2594140ba68d2af450cd52b16f162ac866b8d585039315.exe

  • Size

    584KB

  • MD5

    647c1ced324c447f7d396e0861c00516

  • SHA1

    5d86c37e5daa0762ae77cdb32013ad719be54c6b

  • SHA256

    69c2f90a492a1ec30b2594140ba68d2af450cd52b16f162ac866b8d585039315

  • SHA512

    4a03aea8024d90c6faab133711551430403df753dc833784df623f23bea3683e26cab79a63d4e2ff6f3bd5da1d823c78561cb8356e808504ae05a244a79a08d8

  • SSDEEP

    12288:KMrUy90ymdr7aoY9ebxtCDVObYN04dP/OWKxA3sfkwr:qyMrH0DVOsq4dnOH636

Score
10/10
redlinedizadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes
  • auth_value

    0d09b419c8bc967f91c68be4a17e92ee

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\69c2f90a492a1ec30b2594140ba68d2af450cd52b16f162ac866b8d585039315.exe
    "C:\Users\Admin\AppData\Local\Temp\69c2f90a492a1ec30b2594140ba68d2af450cd52b16f162ac866b8d585039315.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1564
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2540326.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2540326.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3980
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4862083.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4862083.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2920
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2718107.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2718107.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1396
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3904473.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3904473.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5044

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2540326.exe
    Filesize

    377KB

    MD5

    a27d9253c5c70f903ba031df80188413

    SHA1

    ede3edf858c70058e5dc54c29168c32308aa28a5

    SHA256

    275a86b514dcb82efde05000bdc2e71616d930323f7f0513af391a64180e6bbb

    SHA512

    f57225f4de01c69b5a9716d6211d273b8f9e7b71d66ee11396168094b4fa49efc97d14f7544a8406f58ddff1b1f4709cbb6895dc54ed402af208f4595e69da3d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2540326.exe
    Filesize

    377KB

    MD5

    a27d9253c5c70f903ba031df80188413

    SHA1

    ede3edf858c70058e5dc54c29168c32308aa28a5

    SHA256

    275a86b514dcb82efde05000bdc2e71616d930323f7f0513af391a64180e6bbb

    SHA512

    f57225f4de01c69b5a9716d6211d273b8f9e7b71d66ee11396168094b4fa49efc97d14f7544a8406f58ddff1b1f4709cbb6895dc54ed402af208f4595e69da3d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4862083.exe
    Filesize

    206KB

    MD5

    0862d36bdd5e3c1cff4f2bc183043fab

    SHA1

    f2cdd7922b841fa6bde521b0938e5b24e77fb75b

    SHA256

    9564f255ea1b1fb29a73f36acbeea512d84162ccbb255951ce48ab39a39dde72

    SHA512

    e121be5daca0e331dc644bc70ad5fa65ce7eff19e16f4d220c041361497aababea0b6e754fd3c7176ecfdeb58aea72d82e133accc5fb8dd4549dd726a8bd0cf6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4862083.exe
    Filesize

    206KB

    MD5

    0862d36bdd5e3c1cff4f2bc183043fab

    SHA1

    f2cdd7922b841fa6bde521b0938e5b24e77fb75b

    SHA256

    9564f255ea1b1fb29a73f36acbeea512d84162ccbb255951ce48ab39a39dde72

    SHA512

    e121be5daca0e331dc644bc70ad5fa65ce7eff19e16f4d220c041361497aababea0b6e754fd3c7176ecfdeb58aea72d82e133accc5fb8dd4549dd726a8bd0cf6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2718107.exe
    Filesize

    13KB

    MD5

    a70ecef3e4acf4232bffa964f905a858

    SHA1

    3fc87dd115ab90a8a1c991eb46829108e50d2031

    SHA256

    6ef22156a68bc69751dca5d2c3dcf0a2a651417529a3a3511382da2e5a0103e1

    SHA512

    2cc85dc3bea6191a63bf50160201947d1f69a414896a120cf48aed029f267f2e9a1141bc3ef025acbd2a76333305c24d5a074e2edae8fc2039780bc5ba832839

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2718107.exe
    Filesize

    13KB

    MD5

    a70ecef3e4acf4232bffa964f905a858

    SHA1

    3fc87dd115ab90a8a1c991eb46829108e50d2031

    SHA256

    6ef22156a68bc69751dca5d2c3dcf0a2a651417529a3a3511382da2e5a0103e1

    SHA512

    2cc85dc3bea6191a63bf50160201947d1f69a414896a120cf48aed029f267f2e9a1141bc3ef025acbd2a76333305c24d5a074e2edae8fc2039780bc5ba832839

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3904473.exe
    Filesize

    172KB

    MD5

    d53c2dba7a9e96cf34c17dc81bf55a22

    SHA1

    d27c0ff90e8a74b1ce5d37a9f9b2d22275f8b987

    SHA256

    af57a35c1a6c4a4eff85fc7a3c34589bfd51345e969c9825f95bc34ee5bd0984

    SHA512

    fc8940ac98e39e96ea3bd4832aa9ff3e5ec3a61d7fd709beb77a30c942b2d0d28a315901d4b0d27dece0672aa2ce4c71c07a241bec421baeeef4e51a77f7c8bf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3904473.exe
    Filesize

    172KB

    MD5

    d53c2dba7a9e96cf34c17dc81bf55a22

    SHA1

    d27c0ff90e8a74b1ce5d37a9f9b2d22275f8b987

    SHA256

    af57a35c1a6c4a4eff85fc7a3c34589bfd51345e969c9825f95bc34ee5bd0984

    SHA512

    fc8940ac98e39e96ea3bd4832aa9ff3e5ec3a61d7fd709beb77a30c942b2d0d28a315901d4b0d27dece0672aa2ce4c71c07a241bec421baeeef4e51a77f7c8bf

    Download Submit

  • memory/1396-154-0x0000000000910000-0x000000000091A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5044-160-0x000000000AE90000-0x000000000B4A8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/5044-166-0x000000000ADE0000-0x000000000AE72000-memory.dmp

    Filesize

    584KB

    Download

  • memory/5044-161-0x000000000AA10000-0x000000000AB1A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/5044-162-0x000000000A950000-0x000000000A962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5044-163-0x000000000A9B0000-0x000000000A9EC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/5044-164-0x0000000005370000-0x0000000005380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5044-165-0x000000000ACC0000-0x000000000AD36000-memory.dmp

    Filesize

    472KB

    Download

  • memory/5044-159-0x0000000000A90000-0x0000000000AC0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/5044-167-0x000000000AD40000-0x000000000ADA6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/5044-168-0x000000000BEA0000-0x000000000C444000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/5044-169-0x000000000B9E0000-0x000000000BA30000-memory.dmp

    Filesize

    320KB

    Download

  • memory/5044-170-0x000000000C450000-0x000000000C612000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/5044-171-0x0000000005370000-0x0000000005380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5044-172-0x000000000CB50000-0x000000000D07C000-memory.dmp

    Filesize

    5.2MB

    Download