Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2023 09:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f5e999b8524832d7c81385f9924bb31548e153a0b6d9f4e6a14fcd2ae5fd27bd.exe

  • Size

    585KB

  • MD5

    e84e20684704e921c47e5c8c51bfefe6

  • SHA1

    4fca20604ccdf9fccbc036b8608b98c8b18f79da

  • SHA256

    f5e999b8524832d7c81385f9924bb31548e153a0b6d9f4e6a14fcd2ae5fd27bd

  • SHA512

    055d1b3aaaf766508ef911c9a4327bc4d1ddf6747ed6b55e07974ba50de659feaf957f778105ec360d9c0d2d53e85c622a2a724cafdc4442d077ad252e181437

  • SSDEEP

    12288:JMrny90EngQXYImyH3xM1PGJ+752ndVdHEtYfEaEOdH3E2XMiwa:CyngM/oPa+752nVYzatdXsa

Score
10/10
redlinedizadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

diza

C2

83.97.73.126:19048

Attributes
  • auth_value

    0d09b419c8bc967f91c68be4a17e92ee

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5e999b8524832d7c81385f9924bb31548e153a0b6d9f4e6a14fcd2ae5fd27bd.exe
    "C:\Users\Admin\AppData\Local\Temp\f5e999b8524832d7c81385f9924bb31548e153a0b6d9f4e6a14fcd2ae5fd27bd.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4112
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0494671.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0494671.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3080
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0744906.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0744906.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3472
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8286292.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8286292.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3776
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9444029.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9444029.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1796

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0494671.exe
    Filesize

    377KB

    MD5

    a69813656ba7694d7c5d89823e8c992c

    SHA1

    3201b6c39b1e4eae7e01707c9e6f87085bc486ed

    SHA256

    0d9993092cce794a16629d6a68292a39ec9d9464fac4025c51fe225a2a259bd2

    SHA512

    d11ae25b56c4c3ded6e065d0d3ea7dc9059818f226336726af864ad3e46ece4775d4b300d24c11f7a7dc076524cb0a45c2cf9f442749728a4bf50a4d2633d54d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0494671.exe
    Filesize

    377KB

    MD5

    a69813656ba7694d7c5d89823e8c992c

    SHA1

    3201b6c39b1e4eae7e01707c9e6f87085bc486ed

    SHA256

    0d9993092cce794a16629d6a68292a39ec9d9464fac4025c51fe225a2a259bd2

    SHA512

    d11ae25b56c4c3ded6e065d0d3ea7dc9059818f226336726af864ad3e46ece4775d4b300d24c11f7a7dc076524cb0a45c2cf9f442749728a4bf50a4d2633d54d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0744906.exe
    Filesize

    206KB

    MD5

    b7ca62c2edb6e49001c88548b6d54243

    SHA1

    0d5bde80c82ee372ec929aafcb7e0890c7b2f610

    SHA256

    c03d7539d2893a1e3defb57049344269192c97294acad7277fb9afa2a6b9a081

    SHA512

    ace8f1ee1de25786c6e9be4c7b0b5e3e184f9967518102c5c889c527196d41ec7f70c3a9a774c0905edf9f91680196c1542ed40aa79a4b71ba148f651821bb61

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0744906.exe
    Filesize

    206KB

    MD5

    b7ca62c2edb6e49001c88548b6d54243

    SHA1

    0d5bde80c82ee372ec929aafcb7e0890c7b2f610

    SHA256

    c03d7539d2893a1e3defb57049344269192c97294acad7277fb9afa2a6b9a081

    SHA512

    ace8f1ee1de25786c6e9be4c7b0b5e3e184f9967518102c5c889c527196d41ec7f70c3a9a774c0905edf9f91680196c1542ed40aa79a4b71ba148f651821bb61

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8286292.exe
    Filesize

    13KB

    MD5

    e65e0ddb355fc792d217002f05b087ad

    SHA1

    1d7e02c04d8aca04939cc0a0d973811b2f584b9a

    SHA256

    2a28e5b4c20ad8ebd34632c590abeac7ea54e613c0047e0f5bc02055883850a0

    SHA512

    85793b4e3e5035da60ec14f311794be1e8fe0264140fe588c821e0a9102c3196b7c6228f766da343285272c7d4c44f13c91871c59d40c46b01a53fdd99765545

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k8286292.exe
    Filesize

    13KB

    MD5

    e65e0ddb355fc792d217002f05b087ad

    SHA1

    1d7e02c04d8aca04939cc0a0d973811b2f584b9a

    SHA256

    2a28e5b4c20ad8ebd34632c590abeac7ea54e613c0047e0f5bc02055883850a0

    SHA512

    85793b4e3e5035da60ec14f311794be1e8fe0264140fe588c821e0a9102c3196b7c6228f766da343285272c7d4c44f13c91871c59d40c46b01a53fdd99765545

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9444029.exe
    Filesize

    172KB

    MD5

    d45320c3ca316c30a5097989793d9f10

    SHA1

    80a953de540502351a87e8d4ba975965adf2289e

    SHA256

    d81bc641c78ca1ac827f38432d861618911306b7fe4131779e09d5be9b09b9dd

    SHA512

    a583f241d5e5738232f5259d5e31b0cbb8166680fcb8ff48b3bcf7d2758bea79ad14f2bda3940c24f1ff0b7ca7289ef57b812f68dade3ac06c8177e572349923

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9444029.exe
    Filesize

    172KB

    MD5

    d45320c3ca316c30a5097989793d9f10

    SHA1

    80a953de540502351a87e8d4ba975965adf2289e

    SHA256

    d81bc641c78ca1ac827f38432d861618911306b7fe4131779e09d5be9b09b9dd

    SHA512

    a583f241d5e5738232f5259d5e31b0cbb8166680fcb8ff48b3bcf7d2758bea79ad14f2bda3940c24f1ff0b7ca7289ef57b812f68dade3ac06c8177e572349923

    Download Submit

  • memory/1796-160-0x000000000AAA0000-0x000000000B0B8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1796-165-0x00000000050F0000-0x0000000005100000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1796-172-0x000000000C760000-0x000000000CC8C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/1796-161-0x000000000A620000-0x000000000A72A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1796-162-0x000000000A560000-0x000000000A572000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1796-163-0x000000000A5C0000-0x000000000A5FC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1796-164-0x00000000050F0000-0x0000000005100000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1796-159-0x00000000006A0000-0x00000000006D0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1796-166-0x000000000B0C0000-0x000000000B136000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1796-167-0x000000000B140000-0x000000000B1D2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1796-168-0x000000000B790000-0x000000000BD34000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1796-169-0x000000000B2E0000-0x000000000B346000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1796-170-0x000000000BE40000-0x000000000BE90000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1796-171-0x000000000C060000-0x000000000C222000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3776-154-0x00000000005B0000-0x00000000005BA000-memory.dmp

    Filesize

    40KB

    Download